Compliance & Regulatory

Fidacy is an external, deterministic control with a tamper-evident audit and signed verdicts. That architecture is what regulators and risk teams ask for. Below is the dual EU/US mapping: how Fidacy's mechanisms line up with the frameworks a financial institution or PSP must answer to. These are alignment claims: Fidacy provides the evidence artifacts; your institution maps them to its own obligations.

United States

NIST AI RMF

The NIST AI Risk Management Framework is the de-facto US framework for trustworthy AI. Its four core functions are Govern, Map, Measure, Manage. Fidacy supplies concrete mechanisms and evidence under each.

NIST function | What Fidacy provides
Govern | Versioned, activatable risk policies with every change recorded, and an admin audit log of who changed what, when. Decisions reference the exact policy version that produced them.
Map | Know-Your-Agent (KYA) identity resolution by RFC 7638 thumbprint, plus decision classification: each action is mapped to an agent, a mandate, and a risk context before it is scored.
Measure | A deterministic Trust Score with the exact signals behind it, backtesting against historical traffic, and per-decision metrics (rates, confidences, rejection reasons).
Manage | Fail-safe degradation to review on any fault, webhooks for human-in-the-loop handling, a signed verdict for every decision, and a hash-chained audit trail, batch-anchored to Bitcoin, for after-the-fact review.

US Treasury, Financial Services AI RMF

The US Treasury's Financial Services AI Risk Management Framework (FS AI RMF) was released on February 19, 2026. It defines 230 control objectives across 7 risk domains and 4 adoption stages. It is voluntary and industry-led (developed through the AIEOG with 100+ institutions) and is structurally aligned with, and expands, the NIST AI RMF for financial services.

How Fidacy fits. Fidacy does not certify against the FS AI RMF; no one does, because the framework is voluntary. Fidacy provides the evidence artifacts a financial institution maps to its own control objectives: signed verdicts, the policy-version record, the tamper-evident audit chain, decision metrics, and backtests. Because the FS AI RMF aligns with NIST, the NIST mapping above carries directly into a Treasury-framework control narrative.

Colorado, ADMT-ready

Colorado's original AI Act (SB 24-205) was replaced by SB 26-189 (signed May 14, 2026), effective January 1, 2027. The new law regulates automated decision-making technology (ADMT) used in “consequential decisions”, explicitly including financial services, under a disclosure / transparency model, not the original duty-of-care / risk-management model.

Fidacy is Colorado ADMT-ready: it supplies the artifacts a deployer needs to meet its disclosure obligations.

  • Developer disclosure: documentation of what the system does, the decision types it produces, and how outputs are generated.
  • Testing documentation: backtests and decision metrics a deployer can reference in its own transparency disclosures.
  • Audit cooperation: the tamper-evident, re-verifiable audit trail supports a deployer's record-keeping and any inquiry.
  • Indemnification terms: available in the enterprise agreement, allocating responsibility between developer and deployer.

European Union

EU AI Act-native

Fidacy is AI Act-native: it is built for automated decisioning in a high-risk-adjacent context, where the law expects governance, record-keeping, and human oversight. The append-only, hash-chained audit trail, sealed with Merkle anchors and re-verifiable offline, is the non-repudiable evidence that automated-decision systems are expected to keep. Fail-safe degradation to review and the webhook path give the human-oversight hooks the Act calls for.
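To make "re-verifiable offline" concrete, here is an added example (not Fidacy's code; the record layout, the SHA-256 chaining rule, the all-zero genesis link and the Bitcoin-style Merkle padding are assumptions) that rebuilds a hash chain of decision records, derives the batch anchor, and shows how an auditor with only the exported entries and the published anchor detects an edited or truncated log.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed link value for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    # Each entry commits to its predecessor's hash and a canonical serialisation of its record.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()

def build_chain(records: list) -> list:
    chain, prev = [], GENESIS
    for rec in records:
        digest = entry_hash(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": digest})
        prev = digest
    return chain

def merkle_root(hashes: list) -> str:
    # Batch anchor: one root committing to every entry hash (odd leaf duplicated).
    level = [bytes.fromhex(h) for h in hashes] or [bytes(32)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def verify_chain(chain: list, anchored_root: str) -> tuple:
    # Offline re-verification: recompute every link, then compare the batch
    # root with the anchor published outside the operator's control.
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return (False, i, "prev link mismatch")
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return (False, i, "record does not match its hash")
        prev = entry["hash"]
    if merkle_root([e["hash"] for e in chain]) != anchored_root:
        return (False, len(chain), "batch root does not match anchor")
    return (True, None, "ok")

def tamper(chain: list, index: int, **changes) -> list:
    # Simulate editing one stored record after the fact, with stored hashes left as-is.
    forged = json.loads(json.dumps(chain))
    forged[index]["record"].update(changes)
    return forged
SAMPLE = [  # constructed sample decisions, not real Fidacy records
    {"id": 1, "agent": "thumb-A", "policy": "v3", "verdict": "allow"},
    {"id": 2, "agent": "thumb-B", "policy": "v3", "verdict": "review"},
    {"id": 3, "agent": "thumb-A", "policy": "v4", "verdict": "deny"},
]
```

An intact export verifies against the anchor; an edited record fails at its own index, and a silently truncated export passes the link checks but fails the anchor comparison.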

GDPR

GDPR applies. Fidacy minimizes personal data on the decision path: the optional reasoning layer receives only non-sensitive signals (scores, flags, codes), never raw PII or payment credentials. Data residency, retention, and erasure are covered in Data Protection, and a Data Processing Agreement is available on request.

One mechanism, many frameworks. The same primitives (signed verdicts, a versioned policy record, and a tamper-evident audit chain) are the evidence that satisfies the EU AI Act, maps to NIST and the Treasury FS AI RMF, and backs Colorado ADMT disclosures. You instrument once and answer to all of them.