Back-office customer 360¶
| ID | MOD-074 |
| System | SD08 |
| Repo | bank-app |
| Build status | Deployed |
| Deployed | Yes |
| Last commit | c98d4214fd3e613d6a3c873f68551d129ff1a485 |
The back-office customer 360 view is the primary workspace for bank operations, compliance, and support staff when working on a specific customer. It aggregates data from across the platform — identity and KYC status, all accounts and balances, transaction history, credit profile, risk scores, open cases, recent communications, and document vault — into a single screen, eliminating the need to navigate multiple back-end systems during a customer interaction.
The view is read-only by default; specific action tools are available to operators whose role grants the relevant permission. Available actions include updating account limits, changing account state (freeze, block, close), overriding an automated decision with a documented reason, and adding case notes. All actions are gated by the role-scoped access module and logged immutably — the audit trail shows exactly what was viewed, what was changed, and why.
Designed to reduce average handle time for customer support calls and compliance reviews: the operator sees everything relevant on a single screen within two seconds of searching by customer name, email, phone, or account number. The view is also used by the AML and fraud teams during alert investigation.
Build notes¶
has_postgres: false — MOD-074 owns no Postgres tables and ships no Flyway migrations. All data is read from published views in the consolidated Neon DB (ADR-064); all access audit is delegated to MOD-047 via staff.action_taken on the bank-platform EventBridge bus.
Customer search — implemented as a direct SQL query against kyc.party_search_view in the consolidated Neon DB. No inter-service API hop. Requires GRANT SELECT ON kyc.party_search_view TO app_readonly (tracked in issue #32; blocks deployment).
AI summary (FR-368) — return {is_available: false, reason: "MOD-083 not yet deployed"} until MOD-083 reaches Deployed status.
staff.action_taken — publish to bank-platform EventBridge bus reusing the cross-bus grant established by MOD-053. No new IAM grant required.
Performance — aggregate all data sources in parallel within a single Lambda invocation; p99 ≤2 s per FR-365; no caching in v1.
Field masking matrix¶
Role × data section access for the customer 360 view. Roles correspond to cognito:groups claims defined in MOD-044 / MOD-052; exact Cognito group names are implementation constants in MOD-052. Implement as constants in the MOD-052 enforcement library.
| Data section | customer-support | operations | compliance | senior |
|---|---|---|---|---|
| Full name, DOB, nationality | Full | Full | Full | Full |
| Government ID (NZ IRD / AU TFN) | Last 4 only | Last 4 only | Full | Full |
| Contact (email, phone, address) | Full | Full | Full | Full |
| Account number | Last 4 only | Full | Full | Full |
| Balances & transaction summary | Full | Full | Full | Full |
| KYC status & CDD tier | Read | Read | Full | Full |
| Risk score & flags | Hidden | Read | Full | Full |
| AML cases & open alerts | Hidden | Hidden | Full | Full |
| SAR data | Hidden | Hidden | Full (compliance / legal only) | Full |
| Credit profile (limits, arrears) | Hidden | Read | Read | Full |
| Document vault | Read | Read | Full | Full |
| Action — add case note | Allowed | Allowed | Allowed | Allowed |
| Action — update account limits | Forbidden | Allowed | Forbidden | Allowed |
| Action — change account state | Forbidden | Allowed | Forbidden | Allowed |
| Action — override CDD decision | Forbidden | Forbidden | Allowed | Allowed |
Hidden = field not returned in API response (not masked with placeholder). Read = displayed read-only, no edit. Full = displayed with full value, editable where the action permission is granted.
SAR data visibility is also subject to AML-006 (GATE, MOD-052) — the compliance.officer and legal.officer Cognito groups only.
Cross-schema read dependencies¶
MOD-074 reads from published views across four schemas. All four require GRANT SELECT to app_readonly before first deployment (tracked in GitLab issue #32, to::bank-platform):
| Schema | View / table | Owning system | Status |
|---|---|---|---|
kyc |
party_search_view |
SD02 / bank-kyc | Pending grant (issue #32) |
kyc |
cdd_tier_assignments |
SD02 / bank-kyc | Pending grant (issue #32) |
kyc |
party_regulatory_profiles |
SD02 / bank-kyc | Pending grant (issue #32) |
banking |
customer_relationships |
SD01 / bank-core | Pending grant (issue #32) |
banking |
customer_contact_readable |
SD01 / bank-core | Pending grant (issue #32) |
Module dependencies¶
Depends on¶
| Module | Title | Required? | Contract | Reason |
|---|---|---|---|---|
| MOD-044 | JWT role-based access control | Required | — | Back-office access is gated by JWT role validation — operator scopes are enforced before any customer data is returned. |
| MOD-047 | Agent action logger | Required | — | All operator actions in the 360 view are logged via the agent action logger. |
| MOD-052 | Role-scoped data access | Required | — | Role-scoped data access library gates field-level masking on every 360 view response — no customer attribute is returned outside the operator's permitted scope. |
| MOD-010 | CDD tier assignment engine | Optional | contract/api/ |
KYC status and CDD tier from the tier assignment engine are displayed in the customer 360 view. |
| MOD-104 | AWS shared infrastructure bootstrap | Required | — | AWS shared infrastructure provisioned by MOD-104 (EventBridge buses, S3, KMS, Kinesis, Cognito) is required before this module can be deployed. |
| MOD-103 | Neon database platform bootstrap | Required | — | Neon database and schema provisioned by MOD-103 must exist before this module can read from Postgres; cross-schema SELECT grants on kyc. and banking. published views must also be provisioned before deployment. |
Required by¶
| Module | Title | As | Contract |
|---|---|---|---|
| MOD-083 | Agent assist & compliance coaching panel | Hard dependency | — |
Policies satisfied¶
| Policy | Title | Mode | How |
|---|---|---|---|
| GOV-002 | Risk Appetite Statement Policy | LOG |
All back-office access to customer data and all manual actions taken on customer accounts are logged with operator identity and timestamp. |
| PRI-003 | Personal Information Retention & Destruction Policy | GATE |
Back-office access to customer records requires an active authorised session with a role that includes customer data access — no anonymous or unscoped access. |
Capabilities satisfied¶
| Capability | Title | Mode | How |
|---|---|---|---|
| CAP-119 | Customer 360 view (back-office) | AUTO |
Aggregates identity, account, product, transaction, risk score, KYC status, open cases, and communication history into a single operator view without the operator switching systems. |
| CAP-120 | Manual account action toolkit | GATE |
Provides authorised operators with tools to update account limits, change account state, override a decision, and add case notes — all actions require the operator's role to include the specific action permission. |
Part of SD08 — Customer App & Back Office Platform
Compiled 2026-05-22 from source/entities/modules/MOD-074.yaml