Compliance & Regulatory
Fidacy is an external, deterministic control with a tamper-evident audit trail and signed verdicts. That architecture is what regulators and risk teams ask for. Below is the dual EU/US mapping: how Fidacy's mechanisms line up with the frameworks a financial institution or PSP must answer to. These are alignment claims: Fidacy provides the evidence artifacts; your institution maps them to its own obligations.
United States
NIST AI RMF
The NIST AI Risk Management Framework is the de facto US framework for trustworthy AI. Its four core functions are Govern, Map, Measure, and Manage. Fidacy supplies concrete mechanisms and evidence under each.
| NIST function | What Fidacy provides |
|---|---|
| Govern | Versioned, activatable risk policies with every change recorded; an admin audit log of who changed what, and when. Decisions reference the exact policy version that produced them. |
| Map | Know-Your-Agent (KYA) identity resolution by RFC 7638 thumbprint, plus decision classification: each action is mapped to an agent, a mandate, and a risk context before it is scored. |
| Measure | A deterministic Trust Score with the exact signals behind it, backtesting against historical traffic, and per-decision metrics (rates, confidences, rejection reasons). |
| Manage | Fail-safe degradation to review on any fault, webhooks for human-in-the-loop handling, a signed verdict for every decision, and a hash-chained audit trail, batch-anchored to Bitcoin, for after-the-fact review. |
US Treasury, Financial Services AI RMF
The US Treasury's Financial Services AI Risk Management Framework (FS AI RMF) was released on February 19, 2026. It defines 230 control objectives across 7 risk domains and 4 adoption stages. It is voluntary and industry-led (developed through the AIEOG with 100+ institutions) and is structurally aligned with, and expands, the NIST AI RMF for financial services.
Colorado, ADMT-ready
Colorado's original AI Act (SB 24-205) was replaced by SB 26-189 (signed May 14, 2026), effective January 1, 2027. The new law regulates automated decision-making technology (ADMT) used in “consequential decisions”, explicitly including financial services, under a disclosure / transparency model, not the original duty-of-care / risk-management model.
Fidacy is Colorado ADMT-ready: it supplies the artifacts a deployer needs to meet its disclosure obligations.
- Developer disclosure: documentation of what the system does, the decision types it produces, and how outputs are generated.
- Testing documentation: backtests and decision metrics a deployer can reference in its own transparency disclosures.
- Audit cooperation: the tamper-evident, re-verifiable audit trail supports a deployer's record-keeping and any inquiry.
- Indemnification terms: available in the enterprise agreement, allocating responsibility between developer and deployer.
European Union
EU AI Act-native
Fidacy is AI Act-native: it is built for automated decisioning in a high-risk-adjacent context, where the law expects governance, record-keeping, and human oversight. The append-only, hash-chained audit trail, sealed with Merkle anchors and re-verifiable offline, is the non-repudiable evidence that automated-decision systems are expected to keep. Fail-safe degradation to review and the webhook path give the human-oversight hooks the Act calls for.
GDPR
GDPR applies. Fidacy minimizes personal data on the decision path: the optional reasoning layer receives only non-sensitive signals (scores, flags, codes), never raw PII or payment credentials. Data residency, retention, and erasure are covered in Data Protection, and a Data Processing Agreement is available on request.