Regulatory Compliance

Global compliance, built in.

AegisOS Comply exports audit trails in regulator-accepted formats for financial institutions operating across 8+ jurisdictions. Every AI spend decision is documented to the exact standard your regulator expects.

8+ regulatory frameworks
6 countries / regions
1-click compliance export
100% audit trail coverage
🇮🇳
India
South Asia
✓ RBI Compliant
✓ SEBI Aligned
✓ IT Act Compatible
Export format: RBI JSON / CSV
RBI Guidelines on AI/ML
Reserve Bank of India · Effective 2024

The Reserve Bank of India mandates that financial entities using AI or ML models for customer-facing or automated financial decisions maintain explainable, auditable records of every model output and the rationale behind it.

Full audit trail of every AI-driven spend decision with timestamps and policy match
Human-in-the-loop escalation pathway for high-value or high-risk transactions
Model explainability — which rule fired, at what priority, on what inputs
Minimum 7-year retention of financial transaction audit records
Export in structured format suitable for RBI inspection
Audit trail · Explainability · 7-year retention · Human oversight
SEBI Circular on Algorithmic Systems
Securities and Exchange Board of India

SEBI requires broker-dealers and financial intermediaries using algorithmic or AI-driven systems for order placement or financial decisions to maintain detailed logs of every system-generated action.

System-generated flag on every AI-initiated transaction
Risk parameter documentation and override audit log
End-to-end traceability from agent decision to payment execution
Algo audit · System flag · Risk parameters

🇪🇺
European Union
Europe · 27 member states
✓ EU AI Act
✓ GDPR Compatible
✓ PSD2 Aligned
Export format: EU AI Act JSON / CSV
EU Artificial Intelligence Act
European Parliament · In force August 2024

The EU AI Act classifies AI systems used in credit scoring, insurance risk assessment, and financial decisioning as high-risk, triggering the mandatory requirements of Articles 9–15, including Article 13 (transparency).

Article 13: Human-readable explanation of every AI decision made about a natural person
Article 9: Risk management system with logged risk scores per transaction
Article 12: Automatic event logging with timestamps, inputs, and outputs
Article 14: Human oversight mechanism — approval workflows with documented responses
Article 17: Quality management system records retained for 10 years post-deployment
High-risk AI · Art. 13 transparency · Art. 14 oversight · 10-year retention
GDPR — Data Processing Records
General Data Protection Regulation · Article 30

GDPR Article 30 requires data controllers and processors to maintain records of processing activities involving personal data. AI-driven financial decisioning that processes personal data falls under this obligation.

Records of processing activities with data categories, purpose, and retention
Automated decision-making disclosure under Article 22 — right to human review
Data minimisation — only necessary data attributes logged per intent
Art. 30 records · Art. 22 rights · Data minimisation

🇺🇸
United States
North America
✓ SOX Ready
✓ SOC 2 Type II
✓ SEC Aligned
Export format: SOX JSON / CSV
Sarbanes-Oxley Act (SOX)
Sections 302 & 404 · Public Companies

SOX Sections 302 and 404 require public companies to maintain and evaluate internal controls over financial reporting. AI-driven spend decisions that affect financial statements must be traceable, controlled, and auditable.

Control reference on every automated financial transaction
System-generated vs. human-approved distinction clearly logged
Approval status and approver identity recorded with timestamp
Audit trail ID for cross-referencing with financial statement line items
Immutable logs — retroactive modification cryptographically detectable
S. 302/404 · ICFR · Control reference · Approver log
SOC 2 Type II
AICPA Trust Service Criteria

SOC 2 evaluates controls across Security, Availability, Processing Integrity, Confidentiality, and Privacy. AI spend governance platforms must demonstrate that automated processing is complete, accurate, and authorised.

Processing Integrity: every intent evaluated, decision recorded, no dropped transactions
Availability: policy engine SLA documented and measured
Security: cryptographic chain integrity, API key hashing, no plaintext secrets
Change management: policy version history with author and timestamp
Trust criteria · Processing integrity · Availability SLA
SEC AI Governance Guidance
Securities and Exchange Commission · 2024

The SEC has issued guidance requiring investment advisers and broker-dealers to document and disclose conflicts of interest arising from AI-driven decisioning, and to maintain records of all AI-assisted investment or spend decisions.

Documentation of AI model inputs and outputs for SEC exam readiness
Conflict-of-interest audit trail for AI-recommended spend decisions
3-year retention of AI decision records under Rule 17a-4
SEC Rule 17a-4 · AI disclosure · 3-year retention

🇬🇧
United Kingdom
Europe
✓ FCA Compliant
✓ SMCR Ready
✓ ICO Aligned
Export format: Generic JSON / CSV
FCA Consumer Duty
Financial Conduct Authority · In force July 2023

The FCA Consumer Duty requires firms to deliver good outcomes for retail customers, including ensuring AI-driven systems do not cause foreseeable harm. Firms must monitor, evidence, and report on AI outcomes.

Outcome monitoring: documented record of every AI decision and its result
Foreseeable harm prevention: policy engine blocks high-risk spend categories
Board MI: analytics dashboard provides aggregate spend and denial statistics
Complaints traceability: every disputed AI decision traceable in the audit log
Consumer outcomes · Harm prevention · Board MI
Senior Managers & Certification Regime (SMCR)
FCA / PRA · Accountability for AI outcomes

Under SMCR, a named Senior Manager must own accountability for AI-driven systems that affect regulated activities. AegisOS Comply's role-based approval trails support clear accountability mapping.

Named approver logged for every human-reviewed transaction
Role-based access control maps to SMCR accountability structure
Escalation audit trail — who approved, when, and what rationale was provided
Named approver · Accountability map · Escalation log

🇸🇬
Singapore
Southeast Asia
✓ MAS TRM
✓ MAS FEAT
✓ PDPA Aligned
Export format: Generic JSON / CSV
MAS Technology Risk Management (TRM)
Monetary Authority of Singapore · 2021 Guidelines

The MAS TRM Guidelines require financial institutions to establish robust governance and controls over technology systems, including AI models used in financial decisioning.

AI model risk documentation — inputs, decision logic, and outcome records
Change management: policy version history with approval workflow
Incident logging: denied or escalated intents logged with full context
Cyber resilience: immutable audit chain resistant to insider tampering
Model risk · Change management · Cyber resilience
MAS FEAT Principles
Fairness, Ethics, Accountability & Transparency in AI

The MAS FEAT principles provide voluntary but widely adopted standards for responsible use of AI in financial services, focusing on fairness, ethical use, accountability, and transparency of AI-driven decisions.

Transparency: every decision explained by the matched policy rule
Accountability: named approver on all human-reviewed decisions
Ethical use: policy simulator tests for disproportionate denial patterns
Fairness · Transparency · Accountability

🇦🇺
Australia
Oceania
✓ APRA CPS 234
✓ ASIC Aligned
✓ Privacy Act
Export format: Generic JSON / CSV
APRA CPS 234 — Information Security
Australian Prudential Regulation Authority

CPS 234 requires APRA-regulated entities (banks, insurers, superannuation funds) to maintain information security capabilities proportionate to the threats they face, with robust logging of all automated financial system actions.

Information asset classification: AI spend decisions flagged by risk level
Incident detection: anomalous spend patterns trigger risk engine alerts
Audit log integrity: cryptographic chain ensures log records cannot be altered
Third-party management: agent keypair signing verifies the source of each intent
CPS 234 · Info security · Incident detection

🇦🇪
UAE
Middle East
✓ CBUAE Ready
✓ ADGM Aligned
✓ DIFC Compatible
Export format: Generic JSON / CSV
CBUAE AI Governance Framework
Central Bank of the UAE

The CBUAE requires licensed financial institutions to establish governance frameworks for AI systems, ensuring human accountability, explainability, and auditability of AI-driven financial decisions.

AI decision explainability — which policy triggered the outcome and why
Human oversight mandate — high-risk transactions require named approver
Risk classification per transaction — low / medium / high / critical
Audit trail available for CBUAE inspection on demand
AI governance · Human oversight · Explainability
ADGM & DIFC Regulatory Frameworks
Abu Dhabi Global Market & Dubai International Financial Centre

Firms operating within the ADGM and DIFC free zones are subject to their own financial services regulators (FSRA and DFSA respectively), both of which require documented governance of AI and automated financial systems.

Conduct risk records for AI-driven client-affecting decisions
System controls documentation for regulatory examination
Conflict-of-interest audit trail for automated spend decisions
FSRA · DFSA · Conduct risk

🇨🇦
Canada
North America
✓ OSFI B-13
✓ PIPEDA Aligned
Export format: Generic JSON / CSV
OSFI Guideline B-13 — Technology & Cyber Risk
Office of the Superintendent of Financial Institutions

OSFI B-13 sets expectations for federally regulated financial institutions in Canada regarding the governance, risk management, and controls over technology systems — including AI and algorithmic decisioning.

Technology risk inventory: AI spend systems classified and documented
Change and configuration management: policy version history with timestamps
Cyber event logging: all denied and escalated intents logged with context
Third-party dependency controls: agent signing verifies external AI integrations
OSFI B-13 · Tech risk · Change management

Need a framework that's not listed?

Our compliance team can assess your jurisdiction's requirements and configure AegisOS Comply's export format to meet your regulator's exact specifications. Enterprise plans include custom format support.