AP-003 — Compliance by design

Regulatory obligations are satisfied by the system, not by humans following checklists.

This is not idealism. It is the only approach that scales. A bank with ten employees cannot maintain a manual compliance programme as it grows to a hundred thousand customers. The controls must be in the code.

Every policy in the governance register maps to at least one system module with a documented satisfaction mode. No account activates, no payment proceeds, no credit is extended without the relevant checks passing automatically. The audit trail is the system log — not a separate compliance database that someone has to keep in sync.

This extends to risk management and governance. The three lines of defence are implemented in system roles and access controls. First-line controls are automated. Second-line monitoring is automated. Third-line audit has read access to the immutable log.

The five satisfaction modes:

| Mode | What it means |
|------|---------------|
| GATE | Hard stop. Process cannot proceed without passing. No bypass, no override. |
| AUTO | System executes automatically. No human action required or permitted. |
| CALC | System calculates continuously from live data. Always current. |
| ALERT | System detects the condition and escalates. Human receives the signal, not the problem. |
| LOG | System generates an immutable, timestamped evidence record. |

KISS check: Each compliance control must be justified by a specific policy obligation in the register. Speculative compliance controls do not belong here.
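
One way to check the register rule and the KISS check mechanically, for instance as a build step. This is an added example, not code from this architecture or its project; the `Control` record, the `check_register` function, the policy ids and the module names are all hypothetical.

```python
from dataclasses import dataclass

# The five satisfaction modes listed in the table above.
MODES = {"GATE", "AUTO", "CALC", "ALERT", "LOG"}


@dataclass(frozen=True)
class Control:
    module: str     # system module that implements the control
    policy_id: str  # policy obligation the control claims to satisfy
    mode: str       # documented satisfaction mode, as written in the register


def check_register(policies, controls):
    """Return a list of findings; an empty list means the register is consistent."""
    findings, covered = [], set()
    for c in controls:
        if c.mode not in MODES:
            findings.append(f"{c.module}: unknown satisfaction mode {c.mode!r}")
        elif c.policy_id not in policies:
            # KISS check: a control that cites no registered policy is speculative.
            findings.append(f"{c.module}: no policy obligation {c.policy_id!r} in register")
        else:
            covered.add(c.policy_id)
    # Every policy must map to at least one module with a documented mode.
    for pid in sorted(set(policies) - covered):
        findings.append(f"{pid}: no system module with a documented satisfaction mode")
    return findings


# Constructed sample register (hypothetical policy ids and module names).
POLICIES = {
    "POL-KYC-01": "Customer identity verified before account activation",
    "POL-AML-02": "Payments screened before they proceed",
    "POL-CRD-03": "Affordability assessed before credit is extended",
}
CONTROLS = [
    Control("onboarding", "POL-KYC-01", "GATE"),
    Control("onboarding", "POL-KYC-01", "LOG"),
    Control("payments", "POL-AML-02", "MANUAL"),  # not one of the five modes
    Control("marketing", "POL-XXX-99", "ALERT"),  # cites no registered policy
]

if __name__ == "__main__":
    for finding in check_register(POLICIES, CONTROLS):
        print(finding)
```

Because the invalid `MANUAL` entry does not count as coverage, `POL-AML-02` is reported as unmapped alongside `POL-CRD-03`, so a policy cannot appear satisfied by a control that relies on a human checklist.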

Relationship to other principles

| Principle | Relationship |
|-----------|--------------|
| AP-001 KISS | Every compliance control must be justified — no speculative controls, no compliance theatre. |
| AP-002 Data governance | Data lineage and retention are compliance obligations — the two principles are inseparable. |
| AP-004 Security by design | The three lines of defence are implemented in system roles; security and compliance controls overlap. |
| AP-010 Modular by design | Regulatory perimeters map to domain boundaries — compliance gates are enforced at module contracts. |

See the full architectural principles index.