Risk domain register
12 governance domains covering all regulatory obligations across NZ and AU. Each domain owns a set of policies. Each policy must be satisfied by at least one system module. The full obligation chain is: regulation → risk domain → policy → module → satisfaction mode.
See the traceability matrix to trace any obligation end-to-end.
Summary
| ID | Domain | Owner | Jurisdiction | Policies | Applicability |
|---|---|---|---|---|---|
| D01 | Capital & Liquidity | Chief Risk Officer / Chief Financial Officer | NZ + AU | 6 | Platform |
| D02 | Credit Risk | Chief Risk Officer | NZ + AU | 9 | Platform |
| D03 | AML / Financial Crime | Chief Compliance Officer | NZ + AU | 13 | Platform |
| D04 | Customer & Conduct | Chief Compliance Officer / Head of Customer | NZ + AU | 9 | Platform |
| D05 | Data & Technology | Chief Technology Officer / Chief Information Security Officer | NZ + AU | 13 | Platform |
| D06 | Payments & Settlement | Head of Payments | NZ + AU | 10 | Platform |
| D07 | Regulatory Reporting | Chief Financial Officer / Chief Risk Officer | NZ + AU | 11 | Platform |
| D08 | Governance & Accountability | Chair, Board / Chief Executive Officer | NZ + AU | 10 | Platform |
| D09 | Operational Resilience | Chief Technology Officer / Chief Operating Officer | NZ + AU | 7 | Platform |
| D10 | Privacy & Data Rights | Data Protection Officer / Privacy Officer | NZ + AU | 6 | Platform |
| D11 | People & Culture | Chief People Officer | NZ + AU | 6 | External |
| D12 | Climate & ESG Risk | Chief Risk Officer | NZ + AU | 2 | Platform |
Total policies: 102
Domain detail
D01 Capital & Liquidity
| Owner | Chief Risk Officer / Chief Financial Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 6 |
Platform delivery: SD06 delivers LCR/NSFR (MOD-032), RWA/capital ratios (MOD-033), stress testing (MOD-034), IRRBB model (MOD-035), and prudential return builder (MOD-036) for both Track 1 and Track 2 tenants.
Policies in this domain:
- CLQ-001 Capital Adequacy Policy (Draft)
- CLQ-002 Liquidity Risk Management Policy (Draft)
- CLQ-003 Capital Planning & Stress Testing Policy (Draft)
- CLQ-004 Interest Rate Risk in the Banking Book (IRRBB) Policy (Draft)
- CLQ-005 Internal Capital Adequacy Assessment Process (ICAAP) Policy (Draft)
- CLQ-006 Capital Disclosure & Reporting Policy (Draft)
D02 Credit Risk
| Owner | Chief Risk Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 9 |
Platform delivery: SD05 delivers affordability calculation (MOD-027), credit scoring (MOD-028), pre-approval (MOD-029), stage allocation (MOD-030), and ECL calculation (MOD-031). In Track 2, tenants hold the lending licences; the platform delivers the decisioning and impairment infrastructure.
Policies in this domain:
- CRE-001 Credit Risk Management Policy (Draft)
- CRE-002 Responsible Lending Policy (Draft)
- CRE-003 Credit Decisioning & Scorecard Policy (Draft)
- CRE-004 Loan Origination Standards (Draft)
- CRE-005 Concentration Risk Policy (Draft)
- CRE-006 Impairment & Provisioning Policy (Draft)
- CRE-007 Collections & Hardship Policy (Draft)
- CRE-008 Product Design & Distribution Policy (Draft)
D03 AML / Financial Crime
| Owner | Chief Compliance Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 13 |
Platform delivery: SD02 delivers eIDV, CDD, KYC review, and sanctions screening. SD03 delivers the typology engine, ML behavioural scoring, alert case management, and regulatory report submission. In Track 2, tenants are the reporting entities; the platform enables their AML/CFT programme.
Policies in this domain:
- AML-001 AML/CFT Programme Policy (Draft)
- AML-002 Customer Due Diligence (CDD) Policy (Draft)
- AML-003 Know Your Customer (KYC) & Identity Verification Policy (Draft)
- AML-004 Politically Exposed Persons (PEP) Policy (Draft)
- AML-005 Transaction Monitoring Policy (Draft)
- AML-006 Suspicious Activity Reporting Policy (Draft)
- AML-007 Sanctions Screening Policy (Draft)
- AML-008 Cross-Border Transfer Reporting Policy (Draft)
- AML-009 Correspondent Banking & Payments Policy (Draft)
- AML-010 AML Training & Awareness Policy (Draft)
- AML-011 Customer Acceptance Policy (Draft)
- AML-012 Customer Risk Rating Policy (Draft)
- AML-013 Onboarding Fraud & Identity Integrity Policy (Draft)
D04 Customer & Conduct
| Owner | Chief Compliance Officer / Head of Customer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 9 |
Platform delivery: SD08 delivers consent capture (MOD-049), disclosure enforcement (MOD-050), and case and complaint management (MOD-053). In Track 2, tenants use these modules to meet their own customer conduct obligations.
Policies in this domain:
- CON-001 Customer Fairness & Conduct Policy (Draft)
- CON-002 Complaints & Internal Dispute Resolution Policy (Draft)
- CON-003 Vulnerable Customer Policy (Draft)
- CON-004 Product Disclosure & Sales Practice Policy (Draft)
- CON-005 Fee & Pricing Transparency Policy (Draft)
- CON-006 Product suitability and governance (Draft)
- CON-007 Consumer Data Right (CDR) Policy (Draft)
- CON-008 Financial Hardship Policy (Draft)
- CON-009 NZ DTA Key Information Summary Disclosure Policy (Draft)
D05 Data & Technology
| Owner | Chief Technology Officer / Chief Information Security Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 13 |
Platform delivery: All system domains contribute. SD07 delivers the core data governance infrastructure: CDC pipeline, RBAC, secrets management, privileged access management, and audit trail.
Policies in this domain:
- DT-001 Information Security Policy (Draft)
- DT-002 Cybersecurity Policy (Draft)
- DT-003 Technology Risk Management Policy (Draft)
- DT-004 Data Governance Policy (Draft)
- DT-005 Model Risk Management Policy (Draft)
- DT-006 Cloud & Infrastructure Policy (Draft)
- DT-007 Change and release management (Draft)
- DT-008 Third-Party & Outsourcing Risk Policy (Draft)
- DT-009 AI & algorithm policy (Draft)
- DT-010 Environments and deployment standards (Draft)
- DT-011 AI development guardrails (Draft)
- DT-012 Ledger Data Contracts & Event Publication Policy (Draft)
D06 Payments & Settlement
| Owner | Head of Payments |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 10 |
Platform delivery: SD04 delivers pre-payment validation (MOD-020), payment limit control (MOD-021), fraud scoring (MOD-023), FX rate lock (MOD-025), and IFTI/CMIR trigger (MOD-026). In Track 2 the tenant holds scheme membership; the platform processes payments on their behalf.
Policies in this domain:
- PAY-001 Payment Operations Policy (Draft)
- PAY-002 Settlement Risk Policy (Draft)
- PAY-003 Card Scheme Compliance Policy (Draft)
- PAY-004 Cross-Border Payments & FX Policy (Draft)
- PAY-005 Payment Fraud Prevention Policy (Draft)
- PAY-006 PCI DSS Compliance Policy (Draft)
- PAY-007 Ledger Posting & Account Integrity Policy (Draft)
- PAY-008 Payment Routing, Sponsor & Card-Scheme Abstraction Policy (Draft)
- PAY-009 Payment Exceptions, Returns & Reversals Policy (Draft)
- PAY-010 Open Banking & API access (Draft)
D07 Regulatory Reporting
| Owner | Chief Financial Officer / Chief Risk Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 11 |
Platform delivery: SD06 delivers the prudential return builder (MOD-036) and AML reporting pipeline (MOD-037). SD03 delivers regulatory report submission (MOD-019). The platform generates the reports; in Track 2 the tenant signs off and lodges with their regulator.
Policies in this domain:
- REP-001 Regulatory Reporting Policy (Draft)
- REP-002 Prudential Reporting Policy (Draft)
- REP-003 AML Compliance Reporting Policy (Draft)
- REP-004 Financial Statements Policy (Draft)
- REP-005 Data Quality & Assurance Policy (Draft)
- REP-006 Regulatory Change Management Policy (Draft)
- REP-007 DCS & Depositor Reporting Policy (Draft)
- REP-008 Statistical & survey reporting (Draft)
- REP-009 Regulatory incident & breach notification (Draft)
- REP-010 Credit reporting & bureau submission (Draft)
- REP-011 Tax & information reporting (FATCA/CRS/AEOI) (Draft)
D08 Governance & Accountability
| Owner | Chair, Board / Chief Executive Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 10 |
Platform delivery: Platform delivers the technical governance infrastructure: agent action logger (MOD-047), system decision log (MOD-048), and role-scoped data access (MOD-052). Board governance, risk committees, fit and proper processes, and accountability frameworks are human and administrative processes external to any system — this applies in both tracks.
Policies in this domain:
- GOV-001 Board Charter (Draft)
- GOV-002 Risk Appetite Statement Policy (Draft)
- GOV-003 Three Lines of Defence Policy (Draft)
- GOV-004 Fit & Proper Policy (Draft)
- GOV-005 Financial Accountability Regime (FAR) Policy (Draft)
- GOV-006 Internal Audit Policy (Draft)
- GOV-007 Conflicts of Interest Policy (Draft)
- GOV-008 Whistleblower Protection Policy (Draft)
- GOV-009 Related Party Transactions Policy (Draft)
- GOV-010 Restricted Activities Policy (Draft)
D09 Operational Resilience
| Owner | Chief Technology Officer / Chief Operating Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 7 |
Platform delivery: The platform IS the resilience service delivered to tenants. BCP, DR, incident management, and change management underpin the service level commitments the SaaS provider makes to Track 2 tenants.
Policies in this domain:
- OPS-001 Business Continuity Policy (Draft)
- OPS-002 Disaster Recovery Policy (Draft)
- OPS-003 Incident Management Policy (Draft)
- OPS-004 Operational Risk Policy (Draft)
- OPS-005 Third-Party & Critical Service Provider Policy (Draft)
- OPS-006 Change Management Policy (Draft)
- OPS-007 Financial Processing Resilience & Idempotency Policy (Draft)
D10 Privacy & Data Rights
| Owner | Data Protection Officer / Privacy Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 6 |
Platform delivery: Platform handles PII governance, consent management (MOD-049), and data retention enforcement across SD07. In Track 2 the platform processes tenant customer data under data processing agreements.
Policies in this domain:
- PRI-001 Privacy Policy (Draft)
- PRI-002 Data Breach Response Policy (Draft)
- PRI-003 Personal Information Retention & Destruction Policy (Draft)
- PRI-004 FATCA & CRS Compliance Policy (Draft)
- PRI-005 Privacy Impact Assessment Policy (Draft)
- PRI-006 Customer Data Access & Correction Policy (Draft)
D11 People & Culture
| Owner | Chief People Officer |
| Jurisdiction | NZ + AU |
| Applicability | External |
| Policies | 6 |
Platform delivery: HR, payroll, and people management are delivered through external tooling in both tracks. Track 2 tenants manage their own employees through their own HR systems. The platform does not include workforce management modules.
Policies in this domain:
- PPL-001 Code of Conduct Policy (Draft)
- PPL-002 Remuneration & Variable Pay Policy (Draft)
- PPL-003 Training & Competency Policy (Draft)
- PPL-004 Background Screening & Fit and Proper Policy (Draft)
- PPL-005 Health, Safety & Wellbeing Policy (Draft)
- PPL-006 Whistleblower & Protected Disclosure Policy (Draft)
D12 Climate & ESG Risk
| Owner | Chief Risk Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform |
| Policies | 2 |
Platform delivery: Climate risk is delivered primarily through SD06 (Risk Platform): MOD-152 provides physical risk assessment for mortgage collateral, transition risk portfolio analysis, climate stress scenarios, and automated TCFD disclosure generation. The NZ Climate-related Disclosures Act 2021 applies to NZ-licensed institutions from FY2023; APRA CPG 229 sets AU supervisory expectations. This domain is built to known consultation requirements; CLQ-007 and REP-012 will be updated when binding standards are finalised.
Policies in this domain:
Auto-generated 2026-05-22 by scripts/compile.py. Do not edit directly.