# Governance framework

## Philosophy
Compliance is structural, not procedural. Every regulatory obligation is satisfied by a system module — not a manual process, spreadsheet, or annual attestation. The audit trail is the system log. Regulators can query compliance evidence programmatically.
This approach is called bottom-up governance: we start from regulations, derive policies, derive system obligations, and build modules that satisfy those obligations automatically.
## The three-layer structure

```text
Regulations (external mandate)
    ↓ derive
Policies (internal obligation — 100 policies across 12 governance domains)
    ↓ require
System modules (automated satisfaction — 150 modules, each with a satisfaction mode)
```
## Governance domains (12)
| Domain | Code | Primary regulator |
|---|---|---|
| Capital & Liquidity | D01 | RBNZ, APRA |
| Credit Risk | D02 | APRA, ASIC, RBNZ |
| AML / Financial Crime | D03 | RBNZ, AUSTRAC |
| Customer & Conduct | D04 | FMA, ASIC, AFCA, FSCL |
| Data & Technology | D05 | RBNZ, APRA, GCSB |
| Payments & Settlement | D06 | RBNZ, RBA, NPPA |
| Regulatory Reporting | D07 | RBNZ, APRA, AUSTRAC |
| Governance & Accountability | D08 | RBNZ, APRA, ASIC |
| Operational Resilience | D09 | RBNZ, APRA |
| Privacy & Data Rights | D10 | OPC, OAIC |
| People & Culture | D11 | MBIE, FWC |
| Climate & ESG Risk | D12 | RBNZ, APRA |
## Policy register

100 policies across 12 governance domains. See `policies/index.md` for the full policy register.

Policy codes follow the pattern `[DOMAIN_CODE]-[NNN]`, e.g. `AML-003`, `CAP-001`, `CRE-002`.
## Satisfaction modes
Every policy must be satisfied by at least one system module. The module documents the mode:
- GATE — cannot proceed without passing (e.g. eIDV before account activation)
- AUTO — executed automatically without human action (e.g. interest accrual)
- CALC — calculated from live data (e.g. LCR from live ledger)
- ALERT — detects and escalates automatically (e.g. capital threshold breach)
- LOG — generates immutable evidence (e.g. KYC audit trail)
NFR-011 requires that no policy is left without at least one module providing automated satisfaction (zero unsatisfied policies).
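As an added example (not code from the framework itself), a small register check that encodes the five satisfaction modes, the policy code pattern, and the NFR-011 coverage rule. The `Module` shape, the policy codes and the module ids are constructed assumptions, not the project's data model.

```python
import re
from dataclasses import dataclass

# The five satisfaction modes named in the governance framework.
MODES = {"GATE", "AUTO", "CALC", "ALERT", "LOG"}
# Policy code pattern [DOMAIN_CODE]-[NNN], e.g. AML-003, CAP-001.
POLICY_CODE = re.compile(r"^[A-Z]{3}-\d{3}$")


@dataclass(frozen=True)
class Module:            # assumed shape of a module record (not the project's)
    module_id: str
    satisfies: str       # policy code this module satisfies
    mode: str            # expected to be one of MODES


def check_register(policies, modules):
    """Return findings: malformed codes, unknown modes, modules that point at
    no registered policy, and policies with no automated satisfaction
    (an NFR-011 breach)."""
    malformed = sorted(p for p in policies if not POLICY_CODE.match(p))
    bad_modes = sorted(m.module_id for m in modules if m.mode not in MODES)
    # Only a module with a recognised mode counts as automated satisfaction.
    covered = {m.satisfies for m in modules if m.mode in MODES}
    unsatisfied = sorted(p for p in policies if p not in covered)
    dangling = sorted(m.module_id for m in modules if m.satisfies not in policies)
    return {
        "malformed_codes": malformed,
        "unknown_modes": bad_modes,
        "unsatisfied_policies": unsatisfied,
        "dangling_modules": dangling,
        "nfr_011_met": not unsatisfied,
    }


# Constructed sample register (not the real policy set or module list).
SAMPLE_POLICIES = {"AML-003", "CAP-001", "CRE-002", "PRV-007", "aml-9"}
SAMPLE_MODULES = [
    Module("eidv-gate", "AML-003", "GATE"),
    Module("lcr-calc", "CAP-001", "CALC"),
    Module("credit-alert", "CRE-002", "MANUAL"),   # not an automated mode
    Module("consent-log", "PRV-999", "LOG"),       # no such registered policy
]

if __name__ == "__main__":
    for key, value in check_register(SAMPLE_POLICIES, SAMPLE_MODULES).items():
        print(f"{key}: {value}")
```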
## Key sections

- `regulations/nz-regulatory-landscape.md`
- `regulations/au-regulatory-landscape.md`
- `policies/index.md` — all 100 policy pages
## Risk domain pages
| Domain | File |
|---|---|
| D01 Capital & Liquidity | risk-domains/D01-capital-liquidity.md |
| D02 Credit Risk | risk-domains/D02-credit-risk.md |
| D03 AML / Financial Crime | risk-domains/D03-aml-financial-crime.md |
| D04 Customer & Conduct | risk-domains/D04-customer-conduct.md |
| D05 Data & Technology | risk-domains/D05-data-technology.md |
| D06 Payments & Settlement | risk-domains/D06-payments-settlement.md |
| D07 Regulatory Reporting | risk-domains/D07-regulatory-reporting.md |
| D08 Governance & Accountability | risk-domains/D08-governance-accountability.md |
| D09 Operational Resilience | risk-domains/D09-operational-resilience.md |
| D10 Privacy & Data Rights | risk-domains/D10-privacy-data-rights.md |
| D11 People & Culture | risk-domains/D11-people-culture.md |
| D12 Climate & ESG Risk | risk-domains/D12-climate-esg-risk.md |
## Regulatory standards
Detailed pages for each applicable regulatory and industry standard:
### NZ (RBNZ / FMA / MBIE)
| Standard | Status | Page |
|---|---|---|
| DTA Capital Standard | Live | nz-dta-capital.md |
| DTA Liquidity Standard | Live | nz-dta-liquidity.md |
| DTA Governance Standard | Live | nz-dta-governance.md |
| DTA Disclosure Standard | Draft | nz-dta-disclosure.md |
| DTA Outsourcing Standard | Draft | nz-dta-outsourcing.md |
| DTA Technology Risk Standard | Draft | nz-dta-technology-risk.md |
| DTA IRRBB Standard | Draft | nz-dta-irrbb.md |
| AML/CFT Act 2009 | Live | nz-amlcft-act.md |
| CCCFA 2003 | Live | nz-cccfa.md |
| Privacy Act 2020 | Live | nz-privacy-act.md |
| CoFI Act 2022 | Live | nz-cofi-act.md |
### AU (APRA / ASIC / AUSTRAC)
| Standard | Status | Page |
|---|---|---|
| APS 110 Capital Adequacy | Live | au-aps-110.md |
| APS 210 Liquidity | Live | au-aps-210.md |
| APS 220 Credit Quality | Live | au-aps-220.md |
| APS 117 IRRBB | Live | au-aps-117.md |
| APS 330 Public Disclosure | Live | au-aps-330.md |
| CPS 220 Risk Management | Live | au-cps-220.md |
| CPS 230 Operational Risk | Live (from July 2025) | au-cps-230.md |
| CPS 231 Outsourcing | Superseded | au-cps-231.md |
| CPS 232 Business Continuity | Superseded | au-cps-232.md |
| CPS 234 Information Security | Live | au-cps-234.md |
| CPS 520 Fit and Proper | Live | au-cps-520.md |
| NCC Act 2009 | Live | au-nccp.md |
| AML/CTF Act 2006 | Live | au-amlctf-act.md |
| Privacy Act 1988 | Live | au-privacy-act.md |
| Financial Accountability Regime | Live | au-far.md |
| Consumer Data Right (CDR) | Live | au-cdr.md |
## Industry and non-regulatory

See `regulations/industry-standards.md` for ISO 20022, PCI DSS, FATF, Basel III, OWASP ASVS, and CDR.