Module activation matrix¶

Resolves: GAP-D07 — No module activation matrix.

This matrix tells a deployment engineer or AI agent exactly which modules to activate for a given client profile. Read this instead of inspecting 149 module descriptions individually.

Module activation is controlled via the AppConfig profile bank-platform/module-activation/{env}. Each conditional module has a flag {module_id}.enabled: true|false. Always-on modules are not in this profile — they are deployed unconditionally.

Always-on modules¶

These modules are deployed for every client regardless of jurisdiction or institution type. They must never be disabled.

SD07 — Data platform (infrastructure)¶

Module	Title
MOD-102	Neon database provisioning
MOD-103	Database role and schema initialisation
MOD-104	AWS infrastructure provisioning (S3, KMS, EventBridge, Cognito, IAM)
MOD-045	Secrets and key management
MOD-046	Database access and DBA tooling
MOD-076	Observability platform (OpenTelemetry, CloudWatch, X-Ray)

SD01 — Core banking¶

Module	Title
MOD-001	Double-entry ledger and posting engine
MOD-002	Posting rules engine
MOD-003	Real-time balance engine
MOD-004	Transaction log
MOD-005	Account lifecycle management
MOD-006	Account opening and onboarding
MOD-007	Interest calculation engine
MOD-008	Fee engine
MOD-009	Maturity and term management
MOD-010	Amortisation engine
MOD-011	Statement generation
MOD-012	Direct debit management
MOD-013	Notification dispatch
MOD-014	Reconciliation engine
MOD-015	End-of-day batch processing
MOD-016	Product configuration engine

SD02 — KYC platform¶

All core KYC modules including customer identity, eIDV, document verification, address verification, PEP/sanctions screening, and ongoing monitoring.

SD03 — AML monitoring¶

All AML modules including rule engine, case management, STR submission, and sanctions list management.

SD04 — Payments (domestic)¶

All domestic payment modules. International/SWIFT payments are optional — see below.

SD05 — Credit¶

All credit modules are always on. If the institution does not offer credit products, those products remain unpublished in the product catalogue — the modules are still deployed.

SD08 — App platform¶

Module	Title
MOD-068	Authentication and session management
MOD-127	Product configuration and display
MOD-050	Disclosure gate
MOD-063	Push notification and alert delivery

NZ-only modules¶

Activated when deployment.jurisdiction includes NZ. Feature flags are set in bank-platform/module-activation/{env}.

Module	Title	Feature flag	Reason
MOD-143	OBR pre-positioning	`MOD-143.enabled`	Reserve Bank of NZ Open Bank Resolution pre-positioning requirement
MOD-146	Restricted activities enforcement	`MOD-146.enabled`	RBNZ Act restrictions on certain treasury and investment activities for deposit-takers
MOD-050 (KIS gate)	Key Information Summary disclosure gate	`MOD-050.kis_gate.enabled`	FMA/Commerce Commission requirement for DTA Key Information Summary prior to product acceptance
MOD-148 (NZ timer)	DSAR workflow — NZ SLA timer	`MOD-148.jurisdiction: NZ`	Privacy Act 2020 (NZ) DSAR response window differs from AU

MOD-148 is deployed for both NZ and AU. Set MOD-148.jurisdiction to the appropriate value; the module activates jurisdiction-specific SLA timers accordingly. Do not set MOD-148.enabled: false for either jurisdiction.

AU-only modules¶

Activated when deployment.jurisdiction includes AU.

Module	Title	Feature flag	Reason
MOD-136	BPAY inbound processing	`MOD-136.enabled`	BPAY Group scheme; NZ has no equivalent
MOD-137	BPAY outbound processing	`MOD-137.enabled`	BPAY Group scheme
MOD-144	Confirmation of payee (NPP CoP)	`MOD-144.enabled`	NPP Participant requirement; ABA guidance
MOD-120	PayID / Osko integration	`MOD-120.enabled`	NPP PayID registry; NZ uses different real-time payment rail
MOD-149	Scam intelligence reporting and reimbursement	`MOD-149.enabled`	ABA Scam-Safe Accord obligations; NZ banks follow separate NZBA guidance without the same reimbursement framework
MOD-148 (AU timer)	DSAR workflow — AU SLA timer	`MOD-148.jurisdiction: AU`	Privacy Act 1988 (Cth) response window

Mutual institution modules¶

Activated when deployment.institution_type is building_society or credit_union. These modules handle governance and ownership structures specific to mutual organisations and have no applicability for licensed banks.

Module	Title	Feature flag	Reason
MOD-131	Mutual governance and AGM management	`MOD-131.enabled`	Building societies and credit unions require member voting, AGM administration, and resolutions tracking
MOD-118	Member register and share registry	`MOD-118.enabled`	Mutual organisations issue member shares; banks do not

Optional modules¶

These modules are functional and may be required for specific products, but are not mandated by compliance obligations. Each institution elects whether to activate them.

Module	Title	Feature flag	Notes
MOD-147	Related party exposure monitor	`MOD-147.enabled`	Required by most regulators in practice; threshold percentage differs by jurisdiction (set `MOD-147.threshold_pct`). Strongly recommended for all deployments.
International/SWIFT payments	SWIFT payment gateway	`swift_payments.enabled`	Required only if institution offers international wire transfers
Open banking data sharing	Consumer data sharing API	`open_banking.enabled`	Required if institution participates in CDR (AU) or open banking scheme (NZ); off by default
Enhanced regulatory reporting	Additional reporting pipelines beyond mandatory minimums	Per-report flags	Institutions with complex reporting obligations activate individually

Client profile matrix¶

This decision table maps a client profile to the full set of module activation flags required. "Always-on modules" are omitted — they are deployed unconditionally.

Deployment profile	Jurisdiction	Institution type	Additional modules to activate
NZ bank	NZ	bank	MOD-143, MOD-146, MOD-050 KIS gate, MOD-148 (NZ timer)
AU bank	AU	bank	MOD-136, MOD-137, MOD-144, MOD-120, MOD-149, MOD-148 (AU timer)
NZ+AU bank	NZ + AU	bank	All NZ modules + all AU modules + MOD-148 with both timers
NZ building society	NZ	building_society	MOD-143, MOD-146, MOD-050 KIS gate, MOD-148 (NZ timer), MOD-131, MOD-118
AU credit union	AU	credit_union	MOD-136, MOD-137, MOD-144, MOD-120, MOD-149, MOD-148 (AU timer), MOD-131, MOD-118

AppConfig snippet — NZ bank¶

{
  "MOD-143.enabled": true,
  "MOD-146.enabled": true,
  "MOD-050.kis_gate.enabled": true,
  "MOD-148.enabled": true,
  "MOD-148.jurisdiction": "NZ",
  "MOD-136.enabled": false,
  "MOD-137.enabled": false,
  "MOD-144.enabled": false,
  "MOD-120.enabled": false,
  "MOD-149.enabled": false,
  "MOD-131.enabled": false,
  "MOD-118.enabled": false
}

AppConfig snippet — AU bank¶

{
  "MOD-143.enabled": false,
  "MOD-146.enabled": false,
  "MOD-050.kis_gate.enabled": false,
  "MOD-148.enabled": true,
  "MOD-148.jurisdiction": "AU",
  "MOD-136.enabled": true,
  "MOD-137.enabled": true,
  "MOD-144.enabled": true,
  "MOD-120.enabled": true,
  "MOD-149.enabled": true,
  "MOD-131.enabled": false,
  "MOD-118.enabled": false
}

AppConfig snippet — NZ building society¶

{
  "MOD-143.enabled": true,
  "MOD-146.enabled": true,
  "MOD-050.kis_gate.enabled": true,
  "MOD-148.enabled": true,
  "MOD-148.jurisdiction": "NZ",
  "MOD-136.enabled": false,
  "MOD-137.enabled": false,
  "MOD-144.enabled": false,
  "MOD-120.enabled": false,
  "MOD-149.enabled": false,
  "MOD-131.enabled": true,
  "MOD-118.enabled": true
}

Changing module activation post-deployment¶

Update the AppConfig profile in the AWS console (or via Terraform in the bank-platform repo).
AppConfig deployment propagates to Lambda on next invocation (or force-deploy to push immediately).
Modules that read the flag at startup (rather than per-request) require a Lambda redeploy — check the module spec.
Run the post-deployment checklist for any module being activated for the first time.
Notify the compliance team when activating or deactivating any compliance-gated module (those with mode: GATE in their policies_satisfied list).