Skip to content

Configuration manifest

Resolves: GAP-D03 — No configuration manifest.

This is the exhaustive list of every configuration value that must be set for a deployment. Grouped by domain. For each item: the config key, where it is stored, what it controls, whether it is required or optional, and whether a change requires a redeploy or takes effect at runtime (hot-reload).

Related: secrets manifest · provisioning playbook · deployment sequence

Storage conventions

SSM Parameter Store is used for non-secret configuration: paths, identifiers, cron schedules, and flags that are not sensitive. Path pattern: /bank/{env}/{service}/{parameter}. Changes to SSM values require a module redeploy to take effect unless the module explicitly polls SSM at runtime.

AppConfig is used for runtime feature flags and operational thresholds. Stored as JSON profiles, one per application. Changes take effect at runtime without a redeploy — modules poll AppConfig on a configurable interval (default: 60 seconds). Marked hot-reload in the table below.

Secrets Manager is for sensitive credentials. Not listed here — see the secrets manifest. The distinction matters: a value that appears sensitive but is used as a config key (e.g. a BIC code) goes in SSM, not Secrets Manager.

Deployment identity

Storage: AppConfig, deployment profile
Hot-reload: No — changes require a redeployment of all modules that read deployment identity (which is nearly all of them). Set once at provisioning time and do not change.

Config key Required Description
deployment.client_id Required Unique short identifier for this client. Lowercase letters and hyphens only. Used in AWS resource names, S3 bucket prefixes, and log group names. Example: acorn.
deployment.jurisdiction Required NZ | AU | NZ+AU. Controls which jurisdiction-specific modules activate, which payment rails are available, and which regulatory rules apply. This value is also asserted in the Cognito custom:jurisdiction JWT claim.
deployment.institution_type Required bank | building_society | credit_union. Controls the module activation profile and which product types are available.
deployment.institution_name Required Human-readable display name of the institution. Used in disclosure documents, customer-facing copy, and regulatory reports. Example: Acorn Bank.
deployment.environment Required dev | uat | prod. Controls logging verbosity, data retention policies, and whether synthetic test data is allowed.

Core banking thresholds

Storage: AppConfig, core-banking profile
Hot-reload: Yes — threshold changes take effect within 60 seconds without a redeploy.

Config key Required Default Description
core.overdraft.default_limit Required 0 Default overdraft limit in local currency (NZD or AUD) for accounts not explicitly configured with an overdraft product. Set to 0 to disable unarranged overdraft by default.
core.overdraft.unarranged_allowed Required false Whether unarranged overdrafts are permitted. Regulatory advice required before setting true.
core.balance.reconciliation_schedule Required 0 2 * * * Cron expression for the daily balance reconciliation job. UTC. Default is 2:00 AM UTC daily.
core.ledger.currency_default Required NZD or AUD The default currency for new accounts. Must match deployment.jurisdiction.
core.statement.generation_schedule Required 0 3 1 * * Cron for monthly statement generation. UTC.
core.account.closure_notice_days Required 30 Minimum notice period (days) before an account can be closed at the institution's request. Check applicable consumer law.
core.interest.accrual_schedule Required 0 23 * * * Cron for daily interest accrual. Run before end-of-day, after transactions close.

Storage note: core.balance.reconciliation_schedule and core.interest.accrual_schedule are stored in SSM Parameter Store (not AppConfig) because they configure scheduled Lambda triggers. Path: /bank/{env}/core/{parameter}. Changes require a Lambda event source mapping update (handled by the CI pipeline on next deploy).

AML / financial crime

Storage: AppConfig, aml profile
Hot-reload: Yes — threshold changes take effect at runtime. Schedule changes require a redeploy (see note).

Config key Required Default Description
aml.cash_threshold_nzd NZ only 10000 Threshold (NZD) above which cash transactions must be reported. Set per NZ AML/CFT Act requirements. Do not set below 10000 without regulatory guidance.
aml.cash_threshold_aud AU only 10000 Threshold (AUD) for AUSTRAC cash reports. Set per AU AML/CTF Act.
aml.sanctions.update_schedule Required 0 4 * * * Cron for automated sanctions list refresh. UTC. Run daily; the sanctions list provider publishes updates at approximately 03:00 UTC.
aml.sanctions.provider Required Sanctions list provider identifier. Options: ofac, un, nz-police, dfat-au (multiple allowed as a list).
aml.str.auto_submit_enabled Required false Whether STRs are submitted automatically to the regulator without human review. Set false until the compliance team has reviewed the rules and signed off on automated submission.
aml.transaction_monitoring.lookback_days Required 90 How many days of transaction history the monitoring rules look back over when evaluating patterns. Higher values increase accuracy but increase compute cost.
aml.pep_screening.enabled Required true Whether politically exposed person screening is active. Must be true for all deployments.
aml.risk_scoring.default_risk_band Required medium Default risk band assigned to customers before a full risk score is available. Options: low | medium | high.

Storage note: aml.sanctions.update_schedule controls a scheduled Lambda. Path: /bank/{env}/aml/sanctions-update-schedule in SSM. Change via the bank-aml pipeline.

Credit

Storage: AppConfig, credit profile
Hot-reload: Yes for thresholds; No for disclosure_required (compliance-critical; redeploy to change).

Config key Required Default Description
credit.responsible_lending.disclosure_required Required true Whether responsible lending disclosures must be generated before credit is extended. Always true — required by CCCFA (NZ) and NCCP (AU). Never set to false.
credit.responsible_lending.hardship_policy_url Required URL to the institution's hardship policy document. Included in disclosures.
credit.default.max_loan_term_months Required 360 Default maximum loan term in months (360 = 30 years). Can be overridden per product.
credit.default.max_loan_amount Required Default maximum unsecured loan amount in local currency. Set per the institution's risk appetite.
credit.bureau.equifax_au.enabled AU only false Whether Equifax AU credit bureau calls are active. Requires credentials in Secrets Manager.
credit.bureau.centrix_nz.enabled NZ only false Whether Centrix NZ bureau calls are active. Requires credentials in Secrets Manager.
credit.bureau.ifax_nz.enabled NZ optional false Whether ifax NZ bureau calls are active. Alternative to Centrix.
credit.assessment.comprehensive_reporting_enabled AU only true Whether comprehensive credit reporting (CCR) data is used in AU assessments.
credit.default.interest_rate_cap_pct Optional Maximum interest rate (annual %). Enforced if set. Check applicable consumer credit law for mandatory caps.
credit.collections.auto_default_days Required 90 Days past due before an account is automatically classified as in default.

Payments

Storage: AppConfig, payments profile
Hot-reload: Yes for enable/disable flags; No for BIC/BSB/FII identifiers (infrastructure-level; redeploy required).

BPAY (AU only)

Config key Required Default Description
payments.bpay.enabled AU only false Whether BPAY is active for this deployment. Requires sponsor bank agreement and credentials in Secrets Manager.
payments.bpay.inbound.enabled AU only false Whether inbound BPAY payments are accepted.
payments.bpay.outbound.enabled AU only false Whether outbound BPAY payments are sent.
payments.bpay.sponsor_bank.bic AU, if BPAY enabled BIC of the sponsor bank through which BPAY settlement flows. Set in SSM: /bank/{env}/payments/bpay-sponsor-bic.
payments.bpay.bsb AU, if BPAY enabled Institution's BSB. Set in SSM: /bank/{env}/payments/bpay-bsb.

NPP (AU only)

Config key Required Default Description
payments.npp.enabled AU only false Whether NPP (New Payments Platform) is active. Requires NPP FII and credentials.
payments.npp.financial_institution_identifier AU, if NPP enabled FII assigned by NPPA. Set in SSM: /bank/{env}/payments/npp-fii.
payments.cop.enabled AU only false Whether Confirmation of Payee (CoP) is enforced on NPP payments. Strongly recommended.

NZ faster payments (NZ only)

Config key Required Default Description
payments.nz_faster_payments.enabled NZ only false Whether NZ faster payments (Payments NZ real-time network) is active.
payments.nz_faster_payments.institution_id NZ, if enabled Institution identifier assigned by Payments NZ. Set in SSM: /bank/{env}/payments/nz-faster-payments-id.

SWIFT / correspondent banking

Config key Required Default Description
payments.swift.enabled Optional false Whether SWIFT cross-border payments are active. Requires SWIFT BIC and correspondent bank agreements.
payments.swift.bic If SWIFT enabled Institution's SWIFT BIC. Set in SSM: /bank/{env}/payments/swift-bic.

General payments

Config key Required Default Description
payments.daily_transfer_limit_default Required Default daily outbound transfer limit per customer in local currency. Overridable per customer.
payments.international_transfer_limit_default Optional Default daily outbound international transfer limit. Only relevant if SWIFT is enabled.

Scam controls (AU only)

Storage: AppConfig, payments profile (same profile as payments)
Hot-reload: Yes — threshold changes take effect within 60 seconds.

Config key Required Default Description
payments.scam.enabled AU only true Whether the scam friction layer is active. Should always be true for AU deployments following ASIC / ABA scam guidance.
payments.scam.hold_threshold_aud AU only AUD amount above which a soft scam hold is applied. Customer must confirm before payment proceeds. Consult compliance team for the correct value.
payments.scam.hard_hold_threshold_aud AU only AUD amount above which a hard hold is applied. Hard holds require human review before release.
payments.scam.auto_release_hours AU only 24 Hours after which a soft hold is automatically released if not acted on.
payments.scam.first_time_payee_warning_enabled AU only true Whether a warning is shown to customers paying a new payee for the first time.

Open banking

Storage: AppConfig, openbanking profile
Hot-reload: Yes for profile enable/disable; No for CDR registration identifiers.

Config key Required Default Description
openbanking.profiles.enabled Required [] List of open banking profiles to activate. Options: au-cdr, nz-consumer-data. Empty list disables open banking APIs entirely.
openbanking.cdr.software_product_id AU, if CDR enabled UUID assigned by the CDR Register for this software product. Required for CDR API calls. Set in SSM: /bank/{env}/openbanking/cdr-software-product-id.
openbanking.cdr.data_holder_brand_id AU, if CDR enabled Data Holder Brand ID from the CDR Register. Set in SSM: /bank/{env}/openbanking/cdr-data-holder-brand-id.
openbanking.consent.max_sharing_duration_days If open banking enabled 365 Maximum duration (days) for which a customer can grant data sharing consent.
openbanking.rate_limiting.requests_per_minute If open banking enabled 300 API rate limit for open banking endpoints. Adjust per CDR/NZ consumer data standards.

Prudential thresholds

Storage: AppConfig, prudential profile
Hot-reload: Yes — thresholds are evaluated at runtime. Changes take effect within 60 seconds.

These thresholds must be reviewed and signed off by the compliance officer before go-live. Defaults are conservative starting points.

Config key Required Default Description
prudential.related_party.warning_pct_tier1 Required 10 Related party exposure as a percentage of Tier 1 capital at which a warning alert is raised.
prudential.related_party.breach_pct_tier1 Required 15 Related party exposure percentage at which a breach alert is raised and further exposure is blocked.
prudential.concentration.single_name_warning_pct Required 10 Single-name credit concentration as a % of total credit portfolio at which a warning is raised.
prudential.concentration.single_name_breach_pct Required 15 Single-name concentration percentage at which a breach is raised.
prudential.obr.haircut_pct NZ only, Required Open Bank Resolution frozen portion percentage. Set per RBNZ OBR policy for this institution. No default — must be explicitly set for NZ deployments.
prudential.obr.threshold_balance_nzd NZ only, Required Minimum balance threshold below which OBR does not apply. Set per RBNZ OBR policy.
prudential.dcs.coverage_limit_nzd NZ only, Required 100000 Deposit Compensation Scheme coverage limit per depositor. Currently NZD 100,000 per RBNZ DCS policy. Do not change without regulatory guidance.
prudential.capital.minimum_ratio_pct Required 8 Minimum capital adequacy ratio (%). Monitored continuously; breach triggers an immediate alert to the RBNZ / APRA liaison.
prudential.liquidity.lcr_minimum_pct Required 100 Minimum Liquidity Coverage Ratio (%). Breach triggers an alert.

Observability

Storage: AppConfig, observability profile
Hot-reload: Yes — alert threshold changes take effect at runtime without a redeploy.

Config key Required Default Description
obs.alerting.p99_latency_ms_threshold Required 1000 P99 latency threshold (milliseconds) above which a latency alert fires. Applies to all API endpoints.
obs.alerting.p95_latency_ms_threshold Optional 500 P95 latency threshold (ms). Use for early warning before P99 breaches.
obs.alerting.error_rate_threshold_pct Required 1.0 HTTP 5xx error rate (%) above which an error rate alert fires.
obs.alerting.balance_discrepancy_tolerance Required 0 Acceptable discrepancy (in minor currency units) between ledger balance and reconciliation total. Zero tolerance: any discrepancy fires an immediate alert. Do not change without sign-off from finance.
obs.alerting.aml_queue_depth_threshold Required 1000 AML processing queue depth above which a lag alert fires. Indicates the monitoring pipeline is falling behind real-time.
obs.log_retention_days Required 2557 CloudWatch log group retention in days. Default is 7 years (2557 days) to satisfy NZ/AU financial records retention obligations.
obs.trace_sampling_rate Required 0.05 Fraction of requests sampled for distributed tracing. 0.05 = 5%. Increase to 1.0 in dev and uat for full trace visibility.
obs.alerting.notification_channel Required ARN of the SNS topic or PagerDuty integration endpoint for operational alerts.
obs.alerting.compliance_notification_channel Required Separate channel for compliance-critical alerts (AML, KYC, prudential breaches). Often routes to a different on-call team.
obs.dashboards.enabled Required true Whether CloudWatch dashboards are provisioned. Set false only in local environment.

Identity and authentication

Storage: SSM Parameter Store (/bank/{env}/identity/) for structural config; AppConfig identity profile for runtime flags.
Hot-reload: SSM values require a Cognito configuration update (triggered by the bank-platform pipeline). AppConfig flags are hot-reload.

Config key Storage Required Default Description
identity.mfa_policy SSM Required required required | optional. Strongly recommended required for all production deployments.
identity.session_timeout_minutes SSM Required 15 Idle session timeout in minutes. Banking standards typically require ≤15 minutes.
identity.password_policy SSM Required strong strong (min 12 chars, uppercase, lowercase, number, symbol) or standard. Use strong.
identity.refresh_token_expiry_days SSM Required 30 How long refresh tokens are valid. Balance UX against security.
identity.step_up_auth_required_for AppConfig Required payments,settings Comma-separated list of action categories that require step-up authentication. At minimum: payments and settings.
identity.lockout_after_failures SSM Required 5 Number of failed login attempts before the account is temporarily locked.
identity.lockout_duration_minutes SSM Required 30 Duration of temporary lockout after exceeding failure threshold.

Data retention

Storage: AppConfig, data profile
Hot-reload: No — retention policy changes require a redeployment of the data lifecycle lambdas.

Config key Required Default Description
data.transaction_retention_years Required 7 Years to retain transaction records. NZ AML/CFT Act and AU AML/CTF Act require at least 5 years; 7 is recommended.
data.customer_data_retention_years Required 7 Years to retain customer PII after account closure. Check applicable privacy law.
data.audit_log_retention_years Required 7 Years to retain audit logs (CloudTrail, application audit events).
data.kyc_document_retention_years Required 7 Years to retain KYC documents (identity document images, biometric data).
data.aml_report_retention_years Required 7 Years to retain AML reports and STRs.
data.backup_retention_days Required 35 Days to retain automated database backups (supports point-in-time recovery). Minimum 35 days recommended.

Feature flags (module activation)

Storage: AppConfig, features profile
Hot-reload: Yes — module activation changes take effect within 60 seconds, but note that a newly activated module may need to be deployed if it was not included in the original deployment.

Module activation flags follow the pattern features.{module_slug}.enabled. The definitive list is in the module activation matrix. Key flags:

Config key Required Notes
features.card-issuance.enabled Optional Activates card bureau integration and card management flows.
features.open-banking-apis.enabled Optional Activates CDR / NZ consumer data APIs.
features.cross-border-payments.enabled Optional Activates SWIFT module.
features.obr-module.enabled NZ only Open Bank Resolution module. Jurisdiction-gated.
features.dcs-module.enabled NZ only Deposit Compensation Scheme module. Jurisdiction-gated.
features.scam-friction.enabled AU only Scam friction layer. Jurisdiction-gated.
features.comprehensive-credit-reporting.enabled AU only CCR data in credit assessments. Jurisdiction-gated.
features.atm-network.enabled Optional ATM network connectivity.

Configuration change management

Procedure for changing a configuration value in production:

  1. Update the value in the relevant AppConfig profile or SSM parameter in the uat environment first.
  2. Verify the change behaves as expected via the smoke test suite.
  3. If the change is a threshold value (e.g. AML cash threshold, prudential limit), obtain compliance sign-off before applying to prod.
  4. Apply to prod via the bank-platform configuration pipeline — not manually via the AWS console.
  5. If the change requires a redeploy, trigger the affected module's pipeline.
  6. Record the change in the deployment log with the approver's name, the old value, and the new value.

Never change configuration values directly in the AWS console except in a declared incident where the pipeline is unavailable. All console changes must be reconciled back to the pipeline configuration within 24 hours.