By anotb
Payments and fintech overlays for payments risk assessment, fintech partner controls, payment operations incidents, and open-banking data controls.
Drafts the fintech-side controls evidence pack a sponsor bank's third-party risk function expects in its file: control inventory mapped to Reg E error-resolution timing, NACHA Operating Rules obligations the program operator owes upstream, FBO subledger reconciliation, sponsor-bank reporting cadence, customer-facing disclosure adherence (Reg E §1005.7-§1005.11, Reg DD), money-transmitter / MSB BSA posture where applicable, contract-clause adherence evidence under the program agreement, and a 12-month incident-history summary. Output is a Word memo plus an Excel control inventory, review-ready for the fintech's own second line and for production to the sponsor bank's TPRM team or to a state-MTL examiner.

Best for:

- A fintech, neobank, BaaS program, or wallet operator preparing or refreshing its self-evidence pack for a sponsor-bank annual review, sponsor-bank-led audit, or state-MTL exam.
- Compliance has been asked to self-evidence Reg E §1005.11 error-resolution timing (10 / 45 / 90-day clocks), NACHA return handling, or unauthorised-transfer liability allocation between fintech and bank.
- A new payment rail (FedNow, RTP) or new product (debit-card program, instant payouts, secured card) is being added under the sponsor-bank's existing oversight envelope and the program operator needs the delta-control pack.
- An incoming sponsor bank, processor, or program manager has issued a control questionnaire (SIG, CAIQ-style, or bespoke) and the fintech's second line is preparing a defensible response.

Not the right tool when:

- The user is the sponsor bank doing principal-side oversight (use `banking-risk-compliance/bank-fintech-partnership-review`, or `third-party-operational-resilience/vendor-diligence` with the payments-fintech overlay).
- The work is incident-specific (use `payment-operations-incident-review`).
- The work is a top-down rail-and-segment risk assessment, not a controls inventory (use `payments-risk-assessment`).
- The work is data-access permissioning under §1033 (use `open-banking-data-controls`).
- The work is a UDAAP themes review of fintech marketing or fee disclosure (use `consumer-compliance-fair-lending/udaap-risk-review` with the payments-fintech overlay).
Drafts a controls inventory and self-evidence pack for consumer-permissioned data sharing under the named US personal-financial-data-rights frame. The pack covers data-provider duties (covered-data scope, developer-interface availability and security, consumer authorisation, scope and duration limits, revocation propagation, third-party screening) and data-recipient duties (consumer authorisation, collection and use limits, retention, deletion-on-revocation, reauthorisation, downstream sharing). The artifact aligns to industry-standard tokenised data-sharing patterns and to the migration off credential-based screen scraping. Audience is the data-provider fintech, the data-recipient fintech (account aggregator, PFM, lender, BNPL, payroll-on-demand), or the sponsor-bank programme acting as either, plus the second-line or advisory team supporting them.

Best for:

- A data-provider fintech (or its sponsor bank's programme) is preparing for an implementation-tier milestone, an examiner data request, or a sponsor-bank-led review of the developer interface and authorisation stack.
- A data-recipient fintech is preparing its consumer-authorisation, scope, retention, and reauthorisation controls for second-line review.
- A programme is migrating an aggregator integration from credential-based screen scraping to API-tokenised access and needs the side-by-side controls comparison and gap close-out plan.
- An incoming due-diligence or contract-cycle review involves an aggregator or developer-interface partner and the team needs the data-rights-aligned controls and evidence list.

Not the right tool when:

- The work is a generic vendor due-diligence pack (use `third-party-operational-resilience/vendor-diligence` with the payments-fintech overlay).
- The work is a fintech-side controls inventory across all rails (use `fintech-partner-controls`).
- The work is an incident review where data was disclosed without authorisation (use `payment-operations-incident-review`).
- The work is a Safeguards-only review without the personal-financial-data-rights frame in scope (use the Safeguards-side capability skills).
Drafts the incident-review pack for a payments-operations event at a fintech program operator, BaaS platform, money transmitter, neobank, wallet, BIN sponsor, or payments processor. The pack carries an incident summary, customer-impact population, named-rail and sponsor-bank notification triggers, root cause, affected transaction population by rail, remediation actions, sponsor-bank reporting, and the regulator-facing artifact list. Output is review-ready for the program operator's second line and for production to the sponsor bank, the named payment-rail authorities (where applicable), and the regulator-facing incident file.

Best for:

- An ACH return spike, mis-posted batch, double-debit, stuck FedNow / RTP transfer, faulty Reg E claim queue, card-network fraud-rate or chargeback program escalation, or processor-side outage has happened and second line owns the review pack.
- A sponsor-bank annual review, internal audit, or examiner data request includes incident retrospectives and the team needs the structured artifact.
- A subcontractor (processor, ledger provider, KYC vendor, fraud-decision vendor) outage has cascaded into the program operator's customer-impact surface and the team needs the rail-by-rail attribution and notification map.
- A near-miss has been escalated and second line wants the same structure to evidence the control catch even though no customer was impacted.

Not the right tool when:

- The work is a top-down rail-and-segment risk assessment (use `payments-risk-assessment`).
- The work is a controls inventory or sponsor-bank-facing self-evidence pack (use `fintech-partner-controls`, or `open-banking-data-controls` where the surface is §1033 data flows).
- The incident is purely cyber with no payments-operational impact and the disclosure-track artifact is what is needed (use `risk-reporting/cyber-disclosure-readiness`). This skill defers the public-disclosure leg to that one and stays focused on the payments-operational chain.
- The work is a SAR-decision review (use `financial-crime-governance/sar-decision-qa`).
- The work is enterprise-wide incident management not anchored to payments rails (use the generic incident pattern in `risk-compliance-core` / `compliance-testing`).
Drafts a payments risk assessment for a fintech, money transmitter, BaaS platform, neobank, wallet, or sponsor-bank program: a matrix-shaped artifact denominated by rail (ACH, Same Day ACH, wire, card debit / credit, FedNow, RTP, P2P, check, cross-border correspondent, virtual-currency on-ramp), by customer segment (consumer, SMB, payroll-on-demand, gig, BNPL, cross-border remittance, high-risk vertical), and by US-state and corridor geography. Carries fraud, BSA / AML, sanctions, operational resilience, third-party / sponsor-bank dependence, customer-harm / UDAAP, and reporting-control views, with concentration sub-tables for sponsor-bank, processor, and BIN-sponsor exposure. Output suits a sponsor-bank annual review, a state MTL exam preparation file, an internal audit kickoff, or an enterprise risk committee read-out.

Best for:

- A program operator, sponsor-bank program-management team, or money transmitter is running its annual or semi-annual payments risk assessment and second-line is owning the artifact.
- A new product, rail, or corridor is being added and the team needs the delta-risk view.
- An exam letter or sponsor-bank annual review has asked for the rail-by-rail risk picture and the team is preparing the response file.
- A processor consolidation, sponsor-bank change, or BIN-sponsor change has shifted the risk profile and the team needs to re-baseline.

Not the right tool when:

- The work is a controls inventory for a fintech being read by its sponsor bank (use `fintech-partner-controls`).
- The work is incident-specific (use `payment-operations-incident-review`).
- The work is data-access permissioning under §1033 (use `open-banking-data-controls`).
- The work is enterprise-wide and not payments-rail-dominant (use `risk-compliance-core/risk-assessment` with the payments-fintech overlay).
- The work is BSA / AML model monitoring or sanctions screening QA in isolation (use `financial-crime-governance/aml-model-monitoring` or `sanctions-screening-qa` with the payments-fintech overlay).
Plugins for second-line and 1.5-line financial-services work. Skills cover what risk and compliance teams (and the advisory practitioners who support them) actually produce: scoping a review, mapping obligations, building a control matrix, drafting a model card, writing up an issue, building a vendor-diligence pack, packaging a risk-committee read, working a SAR / no-SAR file, prepping for a supervisory cycle, and so on. Skills are grounded in regulatory and standards material, with sector context (banking, capital markets, insurance, payments / fintech) loaded conditionally from the scoping record.
Built primarily for Claude (and Claude Code), but the skill files follow the open SKILL.md format and can be loaded into other agentic systems that support it: GPT, Gemini, in-house open-weights deployments, or anything else that reads agent skills. The skills are markdown plus optional schemas; the format is the standard, the work product is what travels.
The repo extends Anthropic's published financial-services plugin family. Where Anthropic's plugins cover the cross-industry first-line baseline (financial analysis, banking deal work, equity research, PE, wealth, fund admin, ops), these go deeper into US second-line and 1.5-line work and US supervisory expectations.
Second-line and 1.5-line practitioners inside regulated firms: model-risk leads (MRMO), AI governance leads, third-party risk managers (TPRM), BSA / AML officers, sanctions officers, compliance heads (CCO), fair-lending and UDAAP review teams, controls testing and internal audit teams, risk reporting and CRO-office teams, regulatory-affairs and regulatory-change teams, operational-resilience leads, fund-board secretaries, disclosure committees.
And the advisory and consulting teams running the same work for those firms.
If you work in 1.5L, 2L, or adjacent functions, the skills let Claude (or other agentic systems supporting the SKILL.md format) draft alongside you, like a colleague who knows the work and defers to your judgement on the call.
- `references/sector-overlays/<sector>.md` inside the relevant capability skill, loaded conditionally from the scoping record.
- `references/source-anchors.md` with the regulatory and standards citations they lean on. US-deep, with EU as overlay and UK as see-also.

The skill set is public-source-derived and anonymous, with no firm-specific policy baked in.
Standalone agent plugins (one-shot reviewers that orchestrate related skills end-to-end) are not in this release. The next iteration adds a maker / checker loop with genuine context-isolated subagent forking, primary-plus-critic two-agent shape, and plugin dependencies in place of bundled-skill copies. See ROADMAP.md for the target shape.
| Plugin | What it covers |
|---|---|
| `risk-compliance-core` | Scoping, obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, policy-gap reviews. |
| `regulatory-change-management` | Regulatory impact assessment, rule-to-obligation extraction, policy diffs, implementation plans, exam briefs. |
| `ai-governance-model-risk` | AI use-case intake, AI risk tiering, EU AI Act triage, model cards, validation plans, agentic-AI controls, board AI-risk pack, GenAI deep-dive (prompt injection, RAG eval, pre-prod review, LLM vendor evidence). |
| `third-party-operational-resilience` | Vendor diligence, criticality, contract-gap review, exit plans, concentration, DORA register, severe-but-plausible resilience testing. |
| `compliance-testing` | Test plans, control sampling, evidence requests, exception analysis, workpapers, QA review. |
| `risk-reporting` | Risk committee packs, BCBS 239 self-assessment, KRI commentary, SEC cyber-disclosure readiness, attestation packs, management responses to MRA / MRIA / audit findings. |
| `financial-crime-governance` | CDD review, EDD escalation packs, SAR-decision QA, AML model monitoring, sanctions-screening QA, negative-news triage. |
| `consumer-compliance-fair-lending` | Adverse-action review, fair-lending test plans, UDAAP risk review, Section 1071 readiness, complaint-theme analysis, marketing-claim review. |
```
npx claudepluginhub anotb/second-line-financial-services --plugin payments-fintech-compliance
```