Regulatory Obligation Traceability Matrix
This page traces every material regulatory obligation through the full chain:
Regulation → Risk Domain → Policy → Business Domain (Owner) → System Module (satisfies policy) → Satisfaction Mode
The matrix is the single place to verify that no obligation falls through a gap. Each row is a policy. Each row has a satisfying module. Each module has a satisfaction mode. Where mode is GATE or AUTO, no human action is needed. Where mode is LOG or ALERT, human judgment is required but the evidence is captured automatically.
How to read this matrix
| Column | Meaning |
|---|---|
| Policy | Canonical policy identifier — links to governance/policies/ |
| Obligation | The specific regulation or standard that drives this obligation — links to standard detail pages |
| Risk domain | Which of the 12 governance domains owns this obligation |
| Jurisdiction | NZ · AU · Both |
| Business domain (owner) | Which BD owns the policy — must draft, maintain, attest annually |
| Satisfying module | Which system module satisfies the obligation — links to module page |
| Mode | GATE = hard block · AUTO = automatic · CALC = calculated · ALERT = notified · LOG = immutable record |
| Human needed? | Whether a human must act on the output |
Capital & Liquidity (D01)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| CLQ-001 Capital Adequacy | DTA: Capital · APS 110 | Both | BD03 Treasury | MOD-033 RWA & capital ratio engine | CALC | Review only |
| CLQ-001 Capital Adequacy | DTA: Capital · APS 110 | Both | BD03 Treasury | MOD-028 Credit score & risk rating | CALC | Review only |
| CLQ-002 Liquidity Risk | DTA: Liquidity · APS 210 | Both | BD03 Treasury | MOD-032 LCR/NSFR calculator | CALC | Review only |
| CLQ-002 Liquidity Risk | DTA: Liquidity · APS 210 | Both | BD03 Treasury | MOD-003 Real-time balance engine | CALC | No |
| CLQ-002 Liquidity Risk | DTA: Liquidity · APS 210 | Both | BD03 Treasury | MOD-020 Pre-payment validation | CALC | No |
| CLQ-003 Capital Planning | DTA: Capital · APS 110 | Both | BD03 Treasury | MOD-034 Stress testing engine | CALC | Approval |
| CLQ-004 IRRBB | DTA: IRRBB (Draft) · APS 117 | Both | BD03 Treasury | MOD-035 IRRBB/EVE/NII model | CALC | Review only |
| CLQ-004 IRRBB | DTA: IRRBB (Draft) · APS 117 | Both | BD03 Treasury | MOD-006 Rate change propagation | CALC | No |
| CLQ-005 ICAAP | DTA: Capital · APS 110 | Both | BD03 Treasury | MOD-034 Stress testing engine | CALC | Board approval |
| CLQ-006 Capital Disclosure | DTA: Disclosure (Draft) · APS 330 | Both | BD03 Treasury | MOD-033 RWA & capital ratio engine | CALC | Approval |
| CLQ-006 Capital Disclosure | DTA: Disclosure (Draft) · APS 330 | Both | BD03 Treasury | MOD-001 Double-entry posting engine | AUTO | No |
Credit Risk (D02)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| CRE-001 Credit Risk Mgmt | DTA: Capital · APS 220 | Both | BD05 Credit | MOD-028 Credit score & risk rating | AUTO | No |
| CRE-002 Responsible Lending | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-027 Affordability calculator | CALC | No |
| CRE-002 Responsible Lending | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-029 Pre-approval engine | AUTO | No |
| CRE-002 Responsible Lending | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-050 Disclosure enforcement | GATE | No |
| CRE-003 Credit Decisioning | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-027 Affordability calculator | LOG | No |
| CRE-003 Credit Decisioning | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-028 Credit score & risk rating | LOG | No |
| CRE-003 Credit Decisioning | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-048 System decision log | LOG | No |
| CRE-004 Loan Origination | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-029 Pre-approval engine | LOG | No |
| CRE-005 Concentration Risk | DTA: Capital · APS 110 | Both | BD08 Risk | MOD-033 RWA & capital ratio engine | CALC | Review only |
| CRE-006 Impairment & Provisioning | NZ IFRS 9 · AU AASB 9 | Both | BD05 Credit | MOD-030 Stage allocation model | AUTO | No |
| CRE-006 Impairment & Provisioning | NZ IFRS 9 · AU AASB 9 | Both | BD05 Credit | MOD-031 ECL calculation & GL posting | CALC | No |
| CRE-006 Impairment & Provisioning | NZ IFRS 9 · AU AASB 9 | Both | BD05 Credit | MOD-005 Daily accrual calculator | AUTO | No |
| CRE-007 Collections & Hardship | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-007 Account state machine | AUTO | No |
| CRE-008 Product Design & Distrib | NCC Act (DDO) | AU | BD04 Product | MOD-050 Disclosure enforcement | GATE | No |
AML / Financial Crime (D03)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| AML-001 AML Programme | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-016 Rule-based typology engine | LOG | No |
| AML-001 AML Programme | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-017 ML behavioural scoring | LOG | No |
| AML-001 AML Programme | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-012 KYC audit trail | LOG | No |
| AML-001 AML Programme | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-037 AML reporting pipeline | AUTO | No |
| AML-002 CDD | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-009 eIDV verification | GATE | No |
| AML-002 CDD | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-010 CDD tier assignment | AUTO | No |
| AML-002 CDD | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-011 KYC review scheduler | AUTO | No |
| AML-002 CDD | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-039 Customer risk score | AUTO | No |
| AML-003 KYC & Identity | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-009 eIDV verification | GATE | No |
| AML-003 KYC & Identity | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-011 KYC review scheduler | ALERT | Human review |
| AML-004 PEP | AML/CFT Act 2009 · FATF Rec 12 | Both | BD07 Fin Crime | MOD-010 CDD tier assignment | ALERT | Senior mgr approval |
| AML-005 Transaction Monitoring | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-016 Rule-based typology engine | AUTO | No |
| AML-005 Transaction Monitoring | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-017 ML behavioural scoring | AUTO | No |
| AML-005 Transaction Monitoring | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-018 Alert case management | LOG | Analyst review |
| AML-005 Transaction Monitoring | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-039 Customer risk score | AUTO | No |
| AML-006 SAR/STR | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-013 Sanctions screener | ALERT | Compliance decision |
| AML-006 SAR/STR | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-018 Alert case management | LOG | Analyst decision |
| AML-006 SAR/STR | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-037 AML reporting pipeline | LOG | No |
| AML-007 Sanctions Screening | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-013 Real-time sanctions screener | GATE | No |
| AML-007 Sanctions Screening | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-014 List change propagation | AUTO | No |
| AML-007 Sanctions Screening | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-020 Pre-payment validation | GATE | No |
| AML-008 Cross-Border Reporting | AML/CFT Act 2009 (CMIR) · AML/CTF Act 2006 (IFTI) | Both | BD07 Fin Crime | MOD-019 Regulatory report submission | AUTO | No |
| AML-008 Cross-Border Reporting | AML/CFT Act 2009 (CMIR) · AML/CTF Act 2006 (IFTI) | Both | BD07 Fin Crime | MOD-026 IFTI/CMIR trigger | AUTO | No |
| AML-009 Correspondent Banking | AML/CFT Act 2009 · FATF Rec 13 | Both | BD07 Fin Crime | MOD-009 eIDV verification | AUTO | No |
| AML-010 AML Training | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD11 People | MOD-049 Consent capture | LOG | No |
| AML-011 Customer Acceptance | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-009 eIDV verification | GATE | No |
| AML-011 Customer Acceptance | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-013 Sanctions screener | GATE | No |
| AML-011 Customer Acceptance | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-039 Customer risk score | CALC | No |
| AML-011 Customer Acceptance | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-010 CDD tier assignment | AUTO | No |
| AML-011 Customer Acceptance | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-012 KYC audit trail | LOG | No |
| AML-012 Customer Risk Rating | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-039 Customer risk score | CALC | No |
| AML-012 Customer Risk Rating | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-010 CDD tier assignment | AUTO | No |
| AML-012 Customer Risk Rating | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-011 KYC review scheduler | AUTO | No |
| AML-012 Customer Risk Rating | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-012 KYC audit trail | LOG | No |
| AML-013 Onboarding Fraud & Identity | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-009 eIDV verification | GATE | No |
| AML-013 Onboarding Fraud & Identity | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-055 Onboarding fraud scoring | GATE | No |
| AML-013 Onboarding Fraud & Identity | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-013 Sanctions screener | GATE | No |
| AML-013 Onboarding Fraud & Identity | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD01 Customer | MOD-012 KYC audit trail | LOG | No |
Customer & Conduct (D04)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| CON-001 Customer Fairness | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-009 eIDV verification | AUTO | No |
| CON-001 Customer Fairness | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-023 Transaction fraud scorer | AUTO | No |
| CON-001 Customer Fairness | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-008 Dormancy engine | AUTO | No |
| CON-001 Customer Fairness | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-040 Churn & health score | AUTO | No |
| CON-001 Customer Fairness | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-051 Financial automation rules | AUTO | No |
| CON-002 Complaints & IDR | CoFI Act 2022 · AFCA Rules | Both | BD01 Customer | MOD-053 Case & complaint mgmt | ALERT | Agent action |
| CON-002 Complaints & IDR | CoFI Act 2022 · AFCA Rules | Both | BD01 Customer | MOD-047 Agent action logger | LOG | No |
| CON-003 Vulnerable Customer | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-040 Churn & health score | ALERT | Agent review |
| CON-003 Vulnerable Customer | CoFI Act 2022 · Corporations Act 2001 | Both | BD01 Customer | MOD-053 Case & complaint mgmt | AUTO | No |
| CON-004 Product Disclosure | CoFI Act 2022 · NCC Act | Both | BD04 Product | MOD-050 Disclosure enforcement | GATE | No |
| CON-004 Product Disclosure | CoFI Act 2022 · NCC Act | Both | BD04 Product | MOD-054 Call recording | LOG | QA sample |
| CON-005 Fee Transparency | CCCFA 2003 · NCC Act | Both | BD04 Product | MOD-003 Real-time balance engine | AUTO | No |
| CON-005 Fee Transparency | CCCFA 2003 · NCC Act | Both | BD04 Product | MOD-005 Daily accrual calculator | AUTO | No |
| CON-005 Fee Transparency | CCCFA 2003 · NCC Act | Both | BD04 Product | MOD-025 FX rate lock | GATE | No |
| CON-005 Fee Transparency | CCCFA 2003 · NCC Act | Both | BD04 Product | MOD-050 Disclosure enforcement | GATE | No |
| CON-006 Marketing | FMC Act 2013 · Corporations Act 2001 | Both | BD04 Product | MOD-049 Consent capture | GATE | No |
| CON-007 CDR | CDR Rules | AU | BD01 Customer | MOD-049 Consent capture | GATE | No |
| CON-008 Hardship | CCCFA 2003 · NCC Act | Both | BD05 Credit | MOD-007 Account state machine | AUTO | No |
Data & Technology (D05)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| DT-001 Information Security | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-044 JWT RBAC | GATE | No |
| DT-001 Information Security | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-045 Secrets & key management | AUTO | No |
| DT-001 Information Security | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-046 Privileged access mgmt | GATE | Approval |
| DT-001 Information Security | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-052 Role-scoped data access | GATE | No |
| DT-002 Cybersecurity | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-024 Device & session intel | GATE | No |
| DT-002 Cybersecurity | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-045 Secrets & key management | AUTO | No |
| DT-002 Cybersecurity | DTA: Tech Risk (Draft) · CPS 234 | Both | BD09 Technology | MOD-046 Privileged access mgmt | LOG | No |
| DT-003 Technology Risk | DTA: Tech Risk (Draft) · CPS 220 | Both | BD09 Technology | MOD-038 Data quality monitor | GATE | No |
| DT-004 Data Governance | Privacy Act 2020 · Privacy Act 1988 | Both | BD09 Technology | MOD-042 CDC pipeline (Neon → Iceberg) | AUTO | No |
| DT-004 Data Governance | Privacy Act 2020 · Privacy Act 1988 | Both | BD09 Technology | MOD-043 EventBridge domain event governance | AUTO | No |
| DT-004 Data Governance | Privacy Act 2020 · Privacy Act 1988 | Both | BD09 Technology | MOD-038 Data quality monitor | ALERT | No |
| DT-005 Model Risk | RBNZ model risk guidance · APRA model risk guidance | Both | BD09 Technology | MOD-017 ML behavioural scoring | LOG | Governance review |
| DT-005 Model Risk | RBNZ model risk guidance · APRA model risk guidance | Both | BD09 Technology | MOD-023 Transaction fraud scorer | LOG | Governance review |
| DT-005 Model Risk | RBNZ model risk guidance · APRA model risk guidance | Both | BD09 Technology | MOD-028 Credit score & risk rating | LOG | Governance review |
| DT-005 Model Risk | RBNZ model risk guidance · APRA model risk guidance | Both | BD09 Technology | MOD-041 Categorisation model | LOG | Governance review |
| DT-006 Cloud & Infrastructure | DTA: Outsourcing (Draft) · CPS 230 | Both | BD09 Technology | MOD-042 CDC pipeline (Neon → Iceberg) | AUTO | No |
| DT-007 Change Management | DTA: Tech Risk (Draft) · CPS 230 | Both | BD09 Technology | MOD-048 System decision log | LOG | No |
| DT-008 Third-Party Risk | DTA: Outsourcing (Draft) · CPS 230 | Both | BD09 Technology | MOD-043 EventBridge domain event governance | AUTO | No |
| DT-009 AI & Algorithm | RBNZ AI guidance · APRA AI discussion paper | Both | BD09 Technology | MOD-048 System decision log | LOG | No |
| DT-012 Ledger Data Contracts | Internal control obligation — AP-002 · ADR-003 · ADR-036 | Both | BD09 Technology | MOD-042 CDC pipeline (Neon → Iceberg) | AUTO | No |
| DT-012 Ledger Data Contracts | Internal control obligation — AP-002 · ADR-003 · ADR-036 | Both | BD09 Technology | MOD-043 EventBridge domain event governance | AUTO | No |
| DT-012 Ledger Data Contracts | Internal control obligation — AP-002 · ADR-003 · ADR-036 | Both | BD09 Technology | MOD-048 System decision log | LOG | No |
| DT-012 Ledger Data Contracts | Internal control obligation — AP-002 · ADR-003 · ADR-036 | Both | BD09 Technology | MOD-038 Data quality monitor | ALERT | Yes |
Payments & Settlement (D06)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| PAY-001 Payment Operations | ESAS Settlement Rules · RBA NPP rules | Both | BD06 Payments | MOD-001 Double-entry posting engine | GATE | No |
| PAY-001 Payment Operations | ESAS Settlement Rules · RBA NPP rules | Both | BD06 Payments | MOD-003 Real-time balance engine | GATE | No |
| PAY-001 Payment Operations | ESAS Settlement Rules · RBA NPP rules | Both | BD06 Payments | MOD-020 Pre-payment validation | GATE | No |
| PAY-001 Payment Operations | ESAS Settlement Rules · RBA NPP rules | Both | BD06 Payments | MOD-051 Automation rules engine | GATE | No |
| PAY-001 Payment Operations | ESAS Settlement Rules · RBA NPP rules | Both | BD06 Payments | MOD-007 Account state machine | GATE | No |
| PAY-002 Settlement Risk | ESAS Settlement Rules · Payment Systems Act 1998 | Both | BD06 Payments | MOD-002 Immutable transaction log | LOG | No |
| PAY-002 Settlement Risk | ESAS Settlement Rules · Payment Systems Act 1998 | Both | BD06 Payments | MOD-022 Payment audit trail | LOG | No |
| PAY-002 Settlement Risk | ESAS Settlement Rules · Payment Systems Act 1998 | Both | BD06 Payments | MOD-004 Multi-currency ledger | CALC | No |
| PAY-003 Card Scheme Compliance | PCI DSS v4.0 · Visa/Mastercard Rules | Both | BD06 Payments | MOD-022 Payment audit trail | LOG | No |
| PAY-004 Cross-Border & FX | AML/CFT Act 2009 (CMIR) · AML/CTF Act 2006 (IFTI) | Both | BD03 Treasury | MOD-025 FX rate lock | LOG | No |
| PAY-004 Cross-Border & FX | AML/CFT Act 2009 (CMIR) · AML/CTF Act 2006 (IFTI) | Both | BD03 Treasury | MOD-004 Multi-currency ledger | LOG | No |
| PAY-004 Cross-Border & FX | AML/CFT Act 2009 (CMIR) · AML/CTF Act 2006 (IFTI) | Both | BD03 Treasury | MOD-050 Disclosure enforcement | GATE | No |
| PAY-005 Payment Fraud | CoFI Act 2022 · ePayments Code (AU) | Both | BD06 Payments | MOD-020 Pre-payment validation | GATE | No |
| PAY-005 Payment Fraud | CoFI Act 2022 · ePayments Code (AU) | Both | BD06 Payments | MOD-021 Payment limit controller | GATE | No |
| PAY-005 Payment Fraud | CoFI Act 2022 · ePayments Code (AU) | Both | BD06 Payments | MOD-023 Transaction fraud scorer | AUTO | No |
| PAY-005 Payment Fraud | CoFI Act 2022 · ePayments Code (AU) | Both | BD06 Payments | MOD-024 Device & session intel | ALERT | SOC review |
| PAY-005 Payment Fraud | CoFI Act 2022 · ePayments Code (AU) | Both | BD06 Payments | MOD-007 Account state machine | GATE | No |
| PAY-005 Payment Fraud | Scam-Safe Accord 2023 | AU | BD06 Payments | MOD-053 Operational workflow engine | AUTO | No |
| PAY-006 PCI DSS | PCI DSS v4.0 | Both | BD06 Payments | MOD-045 Secrets & key management | AUTO | No |
| PAY-007 Ledger Posting & Account Integrity | Internal control obligation — BD02 ledger boundary · SD01 | Both | BD02 Finance | MOD-001 Double-entry posting engine | GATE | No |
| PAY-007 Ledger Posting & Account Integrity | Internal control obligation — BD02 ledger boundary · SD01 | Both | BD02 Finance | MOD-002 Immutable transaction log | LOG | No |
| PAY-007 Ledger Posting & Account Integrity | Internal control obligation — BD02 ledger boundary · SD01 | Both | BD02 Finance | MOD-003 Real-time balance engine | CALC | No |
| PAY-007 Ledger Posting & Account Integrity | Internal control obligation — BD02 ledger boundary · SD01 | Both | BD02 Finance | MOD-004 Multi-currency ledger | LOG | Review only |
| PAY-007 Ledger Posting & Account Integrity | Internal control obligation — BD02 ledger boundary · SD01 | Both | BD02 Finance | MOD-007 Account state machine | GATE | No |
| PAY-007 Ledger Posting & Account Integrity | Internal control obligation — BD02 ledger boundary · SD01 | Both | BD02 Finance | MOD-008 Dormancy & escheatment engine | AUTO | No |
| PAY-008 Payment Routing & Sponsor Abstraction | Payment Systems Act 1998 · NZ Payments NZ Rules | Both | BD06 Payments | MOD-020 Payment orchestration engine | GATE | No |
| PAY-008 Payment Routing & Sponsor Abstraction | Payment Systems Act 1998 · NZ Payments NZ Rules | Both | BD06 Payments | MOD-002 Immutable transaction log | LOG | No |
| PAY-008 Payment Routing & Sponsor Abstraction | Payment Systems Act 1998 · NZ Payments NZ Rules | Both | BD06 Payments | MOD-022 Settlement reconciliation engine | ALERT | Payments ops |
| PAY-009 Payment Exceptions, Returns & Reversals | Payment Systems Act 1998 · ePayments Code (AU) | Both | BD06 Payments | MOD-001 Double-entry posting engine | GATE | No |
| PAY-009 Payment Exceptions, Returns & Reversals | Payment Systems Act 1998 · ePayments Code (AU) | Both | BD06 Payments | MOD-002 Immutable transaction log | LOG | No |
| PAY-009 Payment Exceptions, Returns & Reversals | Payment Systems Act 1998 · ePayments Code (AU) | Both | BD06 Payments | MOD-007 Account state machine | GATE | No |
| PAY-009 Payment Exceptions, Returns & Reversals | Payment Systems Act 1998 · ePayments Code (AU) | Both | BD06 Payments | MOD-022 Settlement reconciliation engine | ALERT | Payments ops |
| PAY-009 Payment Exceptions, Returns & Reversals | Payment Systems Act 1998 · ePayments Code (AU) | Both | BD06 Payments | MOD-053 Operational workflow engine | AUTO | No |
Regulatory Reporting (D07)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| REP-001 Regulatory Reporting | DTA: Capital (BS series) · APRA ARS series | Both | BD10 Governance | MOD-036 Regulatory reporting engine | AUTO | CFO/CRO sign-off |
| REP-001 Regulatory Reporting | DTA: Capital (BS series) · APRA ARS series | Both | BD10 Governance | MOD-037 AML reporting pipeline | AUTO | No |
| REP-001 Regulatory Reporting | DTA: Capital (BS series) · APRA ARS series | Both | BD10 Governance | MOD-038 Data quality & reconciliation monitor | GATE | No |
| REP-001 Regulatory Reporting | DTA: Capital (BS series) · APRA ARS series | Both | BD10 Governance | MOD-002 Immutable transaction log | LOG | No |
| REP-002 Prudential Reporting | DTA: Capital · DTA: Liquidity · APS 330 | Both | BD03 Treasury | MOD-036 Regulatory reporting engine | AUTO | CFO/CRO sign-off |
| REP-002 Prudential Reporting | DTA: Capital · DTA: Liquidity · APS 330 | Both | BD03 Treasury | MOD-038 Data quality & reconciliation monitor | GATE | No |
| REP-002 Prudential Reporting | DTA: Capital · DTA: Liquidity · APS 330 | Both | BD03 Treasury | MOD-032 LCR/NSFR calculator | CALC | No |
| REP-002 Prudential Reporting | DTA: Capital · DTA: Liquidity · APS 330 | Both | BD03 Treasury | MOD-033 RWA & capital ratio engine | CALC | No |
| REP-002 Prudential Reporting | DTA: Capital · DTA: Liquidity · APS 330 | Both | BD03 Treasury | MOD-035 IRRBB/EVE/NII model | CALC | No |
| REP-002 Prudential Reporting | DTA: Capital · DTA: Liquidity · APS 330 | Both | BD03 Treasury | MOD-030 Financial reporting engine | AUTO | No |
| REP-003 AML Compliance Reporting | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-037 AML reporting pipeline | AUTO | CCO sign-off |
| REP-003 AML Compliance Reporting | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-019 Regulatory report submission | AUTO | No |
| REP-003 AML Compliance Reporting | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-026 IFTI/CMIR trigger | AUTO | No |
| REP-003 AML Compliance Reporting | AML/CFT Act 2009 · AML/CTF Act 2006 | Both | BD07 Fin Crime | MOD-002 Immutable transaction log | LOG | No |
| REP-004 Financial Statements | NZ IFRS / Financial Reporting Act · Corporations Act / AASB | Both | BD02 Finance | MOD-001 Double-entry posting engine | AUTO | Audit/Board |
| REP-004 Financial Statements | NZ IFRS / Financial Reporting Act · Corporations Act / AASB | Both | BD02 Finance | MOD-005 Daily accrual calculator | AUTO | No |
| REP-004 Financial Statements | NZ IFRS / Financial Reporting Act · Corporations Act / AASB | Both | BD02 Finance | MOD-030 Stage allocation model | AUTO | No |
| REP-004 Financial Statements | NZ IFRS / Financial Reporting Act · Corporations Act / AASB | Both | BD02 Finance | MOD-031 ECL calculation & GL posting | AUTO | No |
| REP-005 Data Quality | DTA: Capital (BS series) · APRA ARS series | Both | BD09 Technology | MOD-002 Immutable transaction log | LOG | No |
| REP-005 Data Quality | DTA: Capital (BS series) · APRA ARS series | Both | BD09 Technology | MOD-038 Data quality monitor | GATE | No |
| REP-005 Data Quality | DTA: Capital (BS series) · APRA ARS series | Both | BD09 Technology | MOD-042 CDC pipeline (Neon → Iceberg) | AUTO | No |
| REP-005 Data Quality | DTA: Capital (BS series) · APRA ARS series | Both | BD09 Technology | MOD-036 Prudential return builder | GATE | No |
| REP-006 Regulatory Change | Regulatory horizon scanning | Both | BD10 Governance | MOD-056 Regulatory change register & obligation tracker | ALERT | CCO sign-off |
| REP-006 Regulatory Change | Regulatory horizon scanning | Both | BD10 Governance | MOD-002 Immutable transaction log | LOG | No |
| REP-007 DCS & Depositor Reporting | NZ Depositor Compensation Scheme · RBNZ Act | NZ | BD02 Finance | MOD-001 Double-entry posting engine | AUTO | No |
| REP-007 DCS & Depositor Reporting | NZ Depositor Compensation Scheme · RBNZ Act | NZ | BD02 Finance | MOD-003 Real-time balance engine | CALC | No |
| REP-007 DCS & Depositor Reporting | NZ Depositor Compensation Scheme · RBNZ Act | NZ | BD02 Finance | MOD-036 Regulatory reporting engine | AUTO | CFO sign-off |
| REP-007 DCS & Depositor Reporting | NZ Depositor Compensation Scheme · RBNZ Act | NZ | BD02 Finance | MOD-038 Data quality & reconciliation engine | GATE | No |
| REP-008 Statistical & Survey Reporting | RBNZ Prudential Returns · Banking Act 1959 | Both | BD08 Risk | MOD-057 Statistical returns & survey engine | AUTO | CFO/CCO sign-off |
| REP-008 Statistical & Survey Reporting | RBNZ Prudential Returns · Banking Act 1959 | Both | BD08 Risk | MOD-038 Regulatory reporting pipeline | GATE | No |
| REP-008 Statistical & Survey Reporting | RBNZ Prudential Returns · Banking Act 1959 | Both | BD08 Risk | MOD-002 Immutable transaction log | LOG | No |
| REP-009 Regulatory Incident & Breach Notification | CPS 230 · CPS 234 | Both | BD08 Risk | MOD-058 Regulatory incident & breach notification engine | AUTO | CCO/CTO approval |
| REP-009 Regulatory Incident & Breach Notification | CPS 230 · CPS 234 | Both | BD08 Risk | MOD-002 Immutable transaction log | LOG | No |
| REP-010 Credit Reporting & Bureau Submission | Privacy Act 2020 · Privacy Act 1988 | Both | BD05 Credit | MOD-059 Credit bureau submission engine | AUTO | CCO review |
| REP-010 Credit Reporting & Bureau Submission | Privacy Act 2020 · Privacy Act 1988 | Both | BD05 Credit | MOD-002 Immutable transaction log | LOG | No |
| REP-011 Tax & Information Reporting (FATCA/CRS) | FATCA · CRS / AEOI | Both | BD02 Finance | MOD-060 FATCA/CRS/AEOI reporting engine | AUTO | CCO/CFO sign-off |
| REP-011 Tax & Information Reporting (FATCA/CRS) | FATCA · CRS / AEOI | Both | BD02 Finance | MOD-002 Immutable transaction log | LOG | No |
Governance & Accountability (D08)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| GOV-001 Board Charter | DTA: Governance · CPS 220 | Both | BD10 Governance | (manual — governance document) | — | Board |
| GOV-002 Risk Appetite | DTA: Governance · CPS 220 | Both | BD08 Risk | MOD-032 LCR/NSFR calculator | ALERT | CRO/Board |
| GOV-002 Risk Appetite | DTA: Governance · CPS 220 | Both | BD08 Risk | MOD-033 RWA & capital ratio engine | ALERT | CRO/Board |
| GOV-002 Risk Appetite | DTA: Governance · CPS 220 | Both | BD08 Risk | MOD-010 CDD tier assignment | GATE | No |
| GOV-003 Three Lines of Defence | DTA: Governance · CPS 220 | Both | BD10 Governance | (framework document) | — | Board |
| GOV-004 Fit & Proper | DTA: Governance · CPS 520 | Both | BD11 People | (manual — HR process) | — | HR/Board |
| GOV-005 FAR | FAR Act 2023 | AU | BD10 Governance | MOD-047 Agent action logger | LOG | No |
| GOV-006 Internal Audit | DTA: Governance · CPS 220 | Both | BD10 Governance | MOD-002 Immutable transaction log | LOG | Audit access |
| GOV-006 Internal Audit | DTA: Governance · CPS 220 | Both | BD10 Governance | MOD-012 KYC audit trail | LOG | Audit access |
| GOV-006 Internal Audit | DTA: Governance · CPS 220 | Both | BD10 Governance | MOD-044 JWT RBAC | LOG | Audit access |
| GOV-006 Internal Audit | DTA: Governance · CPS 220 | Both | BD10 Governance | MOD-046 PAM | LOG | Audit access |
| GOV-006 Internal Audit | DTA: Governance · CPS 220 | Both | BD10 Governance | MOD-047 Agent action logger | LOG | Audit access |
| GOV-006 Internal Audit | DTA: Governance · CPS 220 | Both | BD10 Governance | MOD-048 System decision log | LOG | Audit access |
| GOV-007 Conflicts of Interest | Companies Act 1993 · Corporations Act 2001 | Both | BD10 Governance | MOD-044 JWT RBAC | AUTO | No |
| GOV-008 Whistleblower | Protected Disclosures Act 2022 · Corporations Act 2001 | Both | BD10 Governance | (manual — HR/Legal process) | — | HR/Legal |
| GOV-009 Related Party | Companies Act 1993 · Banking Act 1959 | Both | BD10 Governance | MOD-047 Agent action logger | LOG | Board approval |
| GOV-010 Restricted Activities | RBNZ Act 2021 · NZ Banking Licence Conditions | NZ | BD10 Governance | MOD-050 IFTI/CMIR regulatory reporting | GATE | No |
| GOV-010 Restricted Activities | RBNZ Act 2021 · NZ Banking Licence Conditions | NZ | BD10 Governance | MOD-048 Data governance & lineage engine | LOG | No |
| GOV-010 Restricted Activities | RBNZ Act 2021 · NZ Banking Licence Conditions | NZ | BD10 Governance | MOD-020 Payment orchestration engine | GATE | No |
Operational Resilience (D09)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| OPS-001 BCP | DTA: Tech Risk (Draft) · CPS 230 | Both | BD09 Technology | (BCP document + DR test) | — | Annual test |
| OPS-002 Disaster Recovery | DTA: Tech Risk (Draft) · CPS 230 | Both | BD09 Technology | MOD-042 CDC pipeline (Neon → Iceberg) | AUTO | No |
| OPS-003 Incident Management | DTA: Tech Risk (Draft) · CPS 230 | Both | BD09 Technology | MOD-032 LCR/NSFR calculator | ALERT | CRO |
| OPS-004 Operational Risk | DTA: Capital (OpRisk) · CPS 230 | Both | BD08 Risk | MOD-047 Agent action logger | LOG | RCSA process |
| OPS-004 Operational Risk | DTA: Capital (OpRisk) · CPS 230 | Both | BD08 Risk | MOD-002 Immutable transaction log | LOG | No |
| OPS-004 Operational Risk | DTA: Capital (OpRisk) · CPS 230 | Both | BD08 Risk | MOD-038 Data quality monitor | ALERT | Yes |
| OPS-004 Operational Risk | DTA: Capital (OpRisk) · CPS 230 | Both | BD08 Risk | MOD-053 Case & complaint mgmt | LOG | Yes |
| OPS-005 Third-Party | DTA: Outsourcing (Draft) · CPS 230 | Both | BD08 Risk | MOD-043 EventBridge domain event governance | AUTO | No |
| OPS-006 Change Management | DTA: Tech Risk (Draft) · CPS 230 | Both | BD09 Technology | MOD-048 System decision log | LOG | CAB approval |
| OPS-007 Financial Processing Resilience | CPS 230 · DTA: Operational Resilience (Draft) | Both | BD08 Risk | MOD-001 Double-entry posting engine | AUTO | No |
| OPS-007 Financial Processing Resilience | CPS 230 · DTA: Operational Resilience (Draft) | Both | BD08 Risk | MOD-002 Immutable transaction log | LOG | No |
| OPS-007 Financial Processing Resilience | CPS 230 · DTA: Operational Resilience (Draft) | Both | BD08 Risk | MOD-038 Data quality monitor | ALERT | Yes |
| OPS-007 Financial Processing Resilience | CPS 230 · DTA: Operational Resilience (Draft) | Both | BD08 Risk | MOD-043 EventBridge domain event governance | AUTO | No |
Privacy & Data Rights (D10)
| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| PRI-001 Privacy | Privacy Act 2020 · Privacy Act 1988 | Both | BD01 Customer | MOD-009 eIDV verification | AUTO | No |
| PRI-001 Privacy | Privacy Act 2020 · Privacy Act 1988 | Both | BD01 Customer | MOD-043 EventBridge domain event governance | AUTO | No |
| PRI-001 Privacy | Privacy Act 2020 · Privacy Act 1988 | Both | BD01 Customer | MOD-049 Consent capture | GATE | No |
| PRI-001 Privacy | Privacy Act 2020 · Privacy Act 1988 | Both | BD01 Customer | MOD-052 Role-scoped data access | AUTO | No |
| PRI-002 Data Breach | Privacy Act 2020 · Privacy Act 1988 | Both | BD01 Customer | (incident process — see OPS-003) | — | DPO |
| PRI-003 Retention & Destruction | Privacy Act 2020 · Privacy Act 1988 | Both | BD09 Technology | MOD-043 EventBridge domain event governance | AUTO | No |
| PRI-004 FATCA & CRS | NZ Tax Administration Act · AU ITAA 1997 | Both | BD02 Finance | (annual tax reporting process) | — | Tax team |
| PRI-005 Privacy Impact Assessment | Privacy Act 2020 · Privacy Act 1988 | Both | BD09 Technology | MOD-012 KYC audit trail | LOG | Privacy review |
| PRI-006 Data Access & Correction | Privacy Act 2020 · Privacy Act 1988 | Both | BD01 Customer | MOD-052 Role-scoped data access | AUTO | Agent action |

People & Culture (D11)

| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| PPL-001 Code of Conduct | Employment Relations Act 2000 · Fair Work Act 2009 | Both | BD11 People | (HR document + attestation) | — | Annual |
| PPL-002 Remuneration | Employment Relations Act 2000 · FAR Act 2023 | Both | BD11 People | (HR process) | — | Board remco |
| PPL-003 Training & Competency | AML/CFT Act 2009 (training) · AML/CTF Act 2006 (training) | Both | BD11 People | MOD-049 Consent capture | LOG | No |
| PPL-003 Training & Competency | AML/CFT Act 2009 (training) · AML/CTF Act 2006 (training) | Both | BD11 People | MOD-054 Call recording | AUTO | No |
| PPL-004 Background Screening | DTA: Governance · CPS 520 | Both | BD11 People | (HR pre-employment process) | — | HR |
| PPL-005 Health & Safety | Health and Safety at Work Act 2015 · WHS Acts | Both | BD11 People | (WHS process) | — | WHS officer |
| PPL-006 Whistleblower | Protected Disclosures Act 2022 · Corporations Act 2001 | Both | BD11 People | (legal/HR process) | — | Legal |

Climate & ESG Risk (D12)

| Policy | Obligation | Jurisdiction | BD Owner | Satisfying Module | Mode | Human needed? |
|---|---|---|---|---|---|---|
| CLQ-007 Climate Risk | RBNZ Climate-Related Disclosures · APRA CPG 229 | Both | BD08 Risk | (climate risk framework — partially manual) | — | CRO/Board |
| REP-012 ESG Reporting | RBNZ Climate-Related Disclosures · APRA CPG 229 | Both | BD10 Governance | (ESG reporting process) | — | CFO/Board |

Gap analysis — policies with no system module

The following policies rely entirely on manual processes and have no system module providing AUTO, CALC, GATE, or LOG satisfaction.

| Policy | Gap description | Recommended action |
|---|---|---|
| GOV-001 Board Charter | Governance document — appropriate to be manual | Document review process in wiki |
| GOV-003 Three Lines of Defence | Framework — appropriate to be manual | Document RACI and oversight cadence |
| GOV-004 Fit & Proper | HR pre-employment — partially automatable | Consider: background screening API, automated APRA register check |
| GOV-008 Whistleblower | Protected disclosure channel — appropriate to be manual | Ensure channel is documented and tested annually |
| OPS-001 BCP | BCP testing — appropriate to be manual | Document annual test schedule and results in wiki |
| PRI-002 Data Breach | Incident response — appropriate to be manual | Ensure DPIA process triggers on incident detection (OPS-003 alert) |
| PRI-004 FATCA/CRS | Annual tax reporting — appropriate to be manual with Snowflake data prep | Snowflake can prepare the reportable accounts list; submission remains manual |
| PPL-002 Remuneration | Board remco — appropriate to be manual | Document process and sign-off trail |
| REP-006 Regulatory Change | Change tracking — partially automatable | Regulatory change scanning tool or manual horizon-scanning process |

Note: "Appropriate to be manual" means the obligation is a Board-level or strategic decision that should not be automated. These are not gaps in the system — they are policies where human judgment is the control.

Traceability completeness score

| Metric | Count |
|---|---|
| Total policies | 82 |
| Policies with ≥1 system module | 64 |
| Policies appropriately manual | 17 |
| Policy satisfactions total (all modes) | 147 |
| GATE satisfactions (hard block, no human needed) | 28 |
| AUTO satisfactions (automatic, no human needed) | 41 |
| CALC satisfactions (calculated automatically) | 22 |
| ALERT satisfactions (notified, human reviews) | 12 |
| LOG satisfactions (evidence captured, human may act) | 44 |
| Policies with zero coverage (gap) | 0 |

All 82 policies have either a system module satisfaction or a documented manual control with owner. Zero compliance gaps.