{ "file_id": "10_vertical_legal_regtech_legaltech", "version": "2026.03.16", "schema_version": "2.2", "status": "Production Authority", "last_authoritative_sync": "2026-03-16", "description": "Comprehensive enumeration library for the Legal & Regulatory Technology (LegalTech / RegTech) vertical. Covers every subdomain where agentic AI is actively deployed as of March 2026: contract lifecycle management (WorldCC / IACCM), legal document classification (Akoma Ntoso / LegalXML), regulatory filing and submission management (SEC EDGAR, XBRL, ESMA, FINRA CAT), ESG and sustainability disclosure (ISSB IFRS S1/S2, EU CSRD ESRS, SEC Climate Rule), litigation and e-discovery workflow (EDRM), legal research and case law analysis, compliance obligation management, anti-money laundering and financial crime compliance (FATF, FinCEN, AMLD6), sanctions and watchlist screening (OFAC, UN, EU), data privacy compliance programme management (GDPR, CCPA, CPRA), and AI-specific legal risk governance. Designed for use as OTel span attributes in an agentic AI SDK and as policy vocabulary in an OPA Rego GRC portal.", "vertical_metadata": { "vertical_key": "legal_regtech", "industry": "Legal & Regulatory Technology (RegTech / LegalTech)", "primary_standards": [ "Akoma Ntoso (AKN) 1.0 — Architecture for Knowledge-Oriented Management of African Normative Texts; adopted as OASIS Standard for legal documents (2018)", "LegalXML / OASIS LegalDocML — XML standards for legal document interchange", "XBRL International — eXtensible Business Reporting Language for financial and regulatory filings", "EDGAR XBRL US GAAP Taxonomy 2024 — SEC filing taxonomy", "ESMA ESEF Regulation — European Single Electronic Format (XBRL iXBRL) for EU annual reports", "FINRA CAT — Consolidated Audit Trail reporting specifications", "SEC EDGAR — Electronic Data Gathering, Analysis, and Retrieval system", "EDRM — Electronic Discovery Reference Model (e-discovery lifecycle)", "WorldCC / IACCM — Contract Management Framework (contract lifecycle standard)", "ISSB IFRS S1 — General Requirements for Disclosure of Sustainability-related Financial Information (2023)", "ISSB IFRS S2 — Climate-related Disclosures (2023)", "EU CSRD (2022/2464) — Corporate Sustainability Reporting Directive", "EU ESRS — European Sustainability Reporting Standards (ESRS 1, ESRS 2, ESRS E1–E5, ESRS S1–S4, ESRS G1)", "SEC Climate-Related Disclosures Rule (2024) — 17 CFR Parts 210, 229, 232, 239, 240", "SEC Cybersecurity Disclosure Rule (2023) — 17 CFR Parts 229 and 249", "FATF Recommendations (2023 update) — Financial Action Task Force AML/CFT standards", "EU AMLD6 (2024/1640) — Sixth Anti-Money Laundering Directive (in force July 2024; transposition by July 2027)", "EU AML Regulation (2024/1624) — AML/CFT directly applicable regulation (in force July 2024)", "EU AMLA — Anti-Money Laundering Authority (established 2024, operational 2025)", "FinCEN AML/CFT Programme Rule (2024) — Updated beneficial ownership and SAR requirements", "OFAC SDN List — US Office of Foreign Assets Control Specially Designated Nationals", "EU Sanctions Regulation — EU Consolidated Sanctions List", "UN Security Council Sanctions Lists — Consolidated List", "EU AI Act (2024/1689) — AI systems used in legal assistance, adjudication support, and regulatory compliance", "EU GDPR (2016/679) — Data privacy compliance programme management", "CCPA/CPRA (California) — Consumer Privacy Rights Act", "DORA (EU) 2022/2554 — Digital Operational Resilience Act for financial entities (in force Jan 2025)", "Basel Committee BCBS 239 — Principles for Effective Risk Data Aggregation and Risk Reporting", "ISO/IEC 27701:2019 — Privacy Information Management System (PIMS)" ], "primary_source_urls": [ "https://www.oasis-open.org/committees/legalDocML/", "https://www.xbrl.org/", "https://www.sec.gov/edgar", "https://www.edrm.net/frameworks-and-standards/edrm-model/", "https://www.worldcc.com/", "https://www.ifrs.org/issued-standards/ifrs-sustainability-standards-navigator/", "https://www.fatf-gafi.org/", "https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information", "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1624" ], "otel_namespace": "legaltech", "opa_namespace": "data.legaltech", "agentic_ai_deployment_context": "As of March 2026, agentic AI in legal and RegTech is deployed across: autonomous contract drafting, redlining, and negotiation support (CLM platforms), AI-driven regulatory change management and obligation mapping, automated SEC/ESMA/XBRL filing preparation and validation, ESG data collection and CSRD/ISSB disclosure assembly, AI-powered e-discovery document review and privilege log generation (EDRM), legal research and case law analysis (Westlaw AI, LexisNexis Protégé, Harvey), AML transaction monitoring and SAR narrative generation (FinCEN, FATF), sanctions and watchlist screening with fuzzy name matching, GDPR/CCPA data subject rights request automation, regulatory examination response preparation, and AI-generated legal opinions and compliance advice (subject to jurisdiction-specific UPL rules). The EU AI Act does not explicitly classify most LegalTech AI as Annex III high-risk, but AI systems used to assist courts, tribunals, and administrative bodies in legal interpretation are restricted under Article 5 if they manipulate judicial decision-making. Legal professional privilege, attorney-client confidentiality, and work product doctrine create distinct data governance constraints on LegalTech AI that differ from other verticals — AI vendor contracts must carefully scope privilege waivers.", "key_regulatory_risk_note": "EU AMLD6 (2024/1640) and the EU AML Regulation (2024/1624) entered force July 2024 with transposition required by July 2027. The EU AML Regulation is directly applicable (no transposition needed) and establishes AMLA as a supranational supervisor for high-risk financial entities from 2025. AI-driven AML transaction monitoring systems must now comply with AMLA's technical standards — which are still being developed. DORA (EU) 2022/2554 entered into full application January 17, 2025 — all EU financial entities must have tested their digital operational resilience including AI systems. The SEC Climate Disclosure Rule (2024) was partially stayed pending litigation as of early 2026 — the Scope 3 emissions disclosure requirement is particularly contested. CSRD ESRS mandatory standards apply to large EU companies for FY2024 (first reports 2025) and to listed SMEs for FY2026. The unauthorized practice of law (UPL) risk for AI agents providing legal advice without attorney supervision varies significantly by jurisdiction and is the primary liability vector for agentic LegalTech deployments." }, "subdomains": [ { "subdomain": "Contract Lifecycle Management", "description": "Covers WorldCC / IACCM contract management framework lifecycle stage enumerations, AI contract review obligation classification, and contract risk scoring taxonomy. AI contract lifecycle management (CLM) agents must use these values for interoperability with major CLM platforms (Ironclad, Icertis, Docusign CLM, Agiloft).", "relevant_standards": [ "WorldCC / IACCM Contract Management Standard — Contract lifecycle framework", "IACCM Contract Risk Framework — Obligation and risk classification", "ISO/IEC 19770-1 — IT Asset Management (for software licence agreement sub-type)", "UNCITRAL Model Law on Electronic Commerce — Electronic contract formation" ], "categories": [ { "enum_name": "ContractLifecycleStage", "label": "Contract Lifecycle Stage", "otel_attribute": "legaltech.contract.lifecycle_stage", "opa_policy_path": "data.legaltech.contract.lifecycle_stage", "rego_input_key": "legaltech_contract_lifecycle_stage", "stability": "stable", "description": "Contract management lifecycle stage per WorldCC / IACCM Contract Management Standard. AI CLM agents use this to track contracts from request through archival and to gate which AI actions are permissible at each stage. Executed contracts may not be autonomously amended without HITL approval.", "permitted_values": [ "intake", "drafting", "redlining", "negotiation", "legal_review", "approved", "executed", "active", "amendment_in_progress", "expiring", "expired", "terminated", "archived" ], "value_labels": { "intake": "Intake", "drafting": "Drafting", "redlining": "Redlining", "negotiation": "Negotiation", "legal_review": "Legal Review", "approved": "Approved", "executed": "Executed", "active": "Active", "amendment_in_progress": "Amendment in Progress", "expiring": "Expiring", "expired": "Expired", "terminated": "Terminated", "archived": "Archived" }, "code_definitions": { "intake": "Contract request received; counterparty, type, and business owner identified; AI pre-screening for template selection", "drafting": "AI generating initial contract draft from template and extracted parameters; no counterparty involvement yet", "redlining": "Counterparty has returned marked-up version; AI comparing redlines against playbook and standard positions", "negotiation": "Active back-and-forth negotiation in progress; AI tracking open issues and deviations from fallback positions", "legal_review": "Contract in attorney review queue; AI has flagged issues for attorney attention; HITL required before advancement", "approved": "All required approvals obtained; contract ready for signature; execution authorisation on file", "executed": "Fully signed by all parties; binding; AI CLM agent now monitoring for obligations, renewals, and expirations", "amendment_in_progress": "Executed contract subject to a change; original terms still in force pending amendment execution; HITL required", "expiring": "Contract within the auto-renewal or expiration notice window; renewal decision required", "terminated": "Contract terminated before natural expiration; termination basis and effective date recorded" }, "regulatory_mappings": { "eu_ai_act_art13": "EU AI Act Article 13 — If AI CLM is used in contracts with consumers, transparency about AI involvement in drafting must be provided", "dora_art30": "DORA Article 30 — Contractual arrangements with ICT service providers must include specific provisions; AI CLM agents must flag DORA-required clauses in financial sector contracts" }, "use_case": "AI CLM agent tracks every contract through its lifecycle. OPA policy enforces that transitions from 'approved' to 'executed' and any change to an 'active' or 'executed' contract require human authorisation — AI may not autonomously bind the organisation or modify binding terms.", "source": "WorldCC / IACCM Contract Management Standard; WorldCC Contract Lifecycle Management Framework", "source_url": "https://www.worldcc.com/" }, { "enum_name": "ContractObligationCategory", "label": "Contract Obligation Category", "otel_attribute": "legaltech.contract.obligation_category", "opa_policy_path": "data.legaltech.contract.obligation_category", "rego_input_key": "legaltech_contract_obligation_category", "stability": "proposed", "description": "Category of a contractual obligation extracted and tracked by an AI contract analysis agent. Used to route obligation monitoring, deadline tracking, and breach risk alerts to the correct business owner.", "permitted_values": [ "payment_obligation", "delivery_milestone", "reporting_requirement", "audit_right", "insurance_requirement", "data_processing_obligation", "confidentiality_restriction", "ip_ownership_assignment", "non_compete_non_solicit", "termination_notice_requirement", "renewal_option_window", "regulatory_compliance_obligation", "indemnification_obligation", "sla_performance_obligation", "consent_requirement" ], "value_labels": { "payment_obligation": "Payment Obligation", "delivery_milestone": "Delivery Milestone", "reporting_requirement": "Reporting Requirement", "audit_right": "Audit Right", "insurance_requirement": "Insurance Requirement", "data_processing_obligation": "Data Processing Obligation", "confidentiality_restriction": "Confidentiality Restriction", "ip_ownership_assignment": "IP Ownership Assignment", "non_compete_non_solicit": "Non Compete Non Solicit", "termination_notice_requirement": "Termination Notice Requirement", "renewal_option_window": "Renewal Option Window", "regulatory_compliance_obligation": "Regulatory Compliance Obligation", "indemnification_obligation": "Indemnification Obligation", "sla_performance_obligation": "SLA Performance Obligation", "consent_requirement": "Consent Requirement" }, "use_case": "AI contract analysis agent extracts obligations at execution and populates the obligation register. 'Data_processing_obligation' and 'regulatory_compliance_obligation' categories trigger automatic cross-referencing against the compliance obligation register. 'Payment_obligation' deadlines are surfaced to accounts payable.", "source": "WorldCC / IACCM Obligation Management Framework; IACCM contract risk taxonomy", "source_url": "https://www.worldcc.com/" }, { "enum_name": "ContractRiskFlag", "label": "Contract Risk Flag", "otel_attribute": "legaltech.contract.risk_flag", "opa_policy_path": "data.legaltech.contract.risk_flag", "rego_input_key": "legaltech_contract_risk_flag", "stability": "proposed", "description": "Risk flag raised by an AI contract review agent during redlining or legal review. Flags must be reviewed by an attorney before contract advancement — AI may not approve or waive risk flags autonomously.", "permitted_values": [ "unlimited_liability_exposure", "unilateral_amendment_right", "auto_renewal_with_no_cap", "broad_ip_assignment", "non_standard_governing_law", "exclusivity_provision", "most_favoured_nation_clause", "change_of_control_trigger", "data_processing_non_gdpr_compliant", "missing_dora_ict_clause", "aml_kyc_obligation_present", "uncapped_indemnity", "termination_for_convenience_absent", "liquidated_damages_excessive", "force_majeure_absent_or_narrow" ], "value_labels": { "unlimited_liability_exposure": "Unlimited Liability Exposure", "unilateral_amendment_right": "Unilateral Amendment Right", "auto_renewal_with_no_cap": "Auto Renewal with No Cap", "broad_ip_assignment": "Broad IP Assignment", "non_standard_governing_law": "Non Standard Governing Law", "exclusivity_provision": "Exclusivity Provision", "most_favoured_nation_clause": "Most Favoured Nation Clause", "change_of_control_trigger": "Change of Control Trigger", "data_processing_non_gdpr_compliant": "Data Processing Non-GDPR Compliant", "missing_dora_ict_clause": "Missing DORA ICT Clause", "aml_kyc_obligation_present": "AML KYC Obligation Present", "uncapped_indemnity": "Uncapped Indemnity", "termination_for_convenience_absent": "Termination for Convenience Absent", "liquidated_damages_excessive": "Liquidated Damages Excessive", "force_majeure_absent_or_narrow": "Force Majeure Absent or Narrow" }, "regulatory_mappings": { "dora_art30": "DORA Article 30 — 'missing_dora_ict_clause' flag required for all ICT service provider contracts in EU financial sector", "gdpr_art28": "GDPR Article 28 — 'data_processing_non_gdpr_compliant' flag required where data processing agreement terms deviate from GDPR Article 28 requirements", "eu_amld6": "EU AMLD6 — 'aml_kyc_obligation_present' flag triggers enhanced due diligence and beneficial ownership verification workflow" }, "use_case": "AI redlining agent flags non-standard clauses against the organisation's contract playbook. 'Unlimited_liability_exposure' and 'data_processing_non_gdpr_compliant' flags block automated contract advancement — attorney review is mandatory before escalation.", "source": "WorldCC / IACCM contract risk taxonomy; DORA Article 30 checklist; GDPR Article 28 DPA requirements", "source_url": "https://www.worldcc.com/" } ] }, { "subdomain": "Legal Document Classification & Management", "description": "Covers Akoma Ntoso / LegalXML document type taxonomy and AI legal document processing enumerations. Agentic AI systems ingesting or producing legal documents should use these standardised document type classifications for interoperability with legal information systems.", "relevant_standards": [ "Akoma Ntoso (AKN) 1.0 — OASIS Standard for legal documents", "LegalXML / OASIS LegalDocML — XML standards for court documents", "ECLI — European Case Law Identifier (Council of the EU Decision 2011/833/EU)", "OSCOLA — Oxford University Standard for Citation of Legal Authorities", "Westlaw Edge / LexisNexis classification schemas" ], "categories": [ { "enum_name": "LegalDocumentClassification", "label": "Legal Document Classification", "otel_attribute": "legaltech.document.classification", "opa_policy_path": "data.legaltech.document.classification", "rego_input_key": "legaltech_document_classification", "stability": "stable", "description": "Legal document type classification per Akoma Ntoso / LegalXML taxonomy. AI legal document processing agents use this to route documents to the correct workflow, apply the correct privilege assessment, and select the applicable extraction model.", "permitted_values": [ "act_legislation", "bill_proposed_legislation", "statutory_instrument_regulation", "judicial_opinion_judgment", "court_order", "pleading_complaint", "motion_application", "brief_submission", "contract_agreement", "nda_confidentiality_agreement", "license_agreement", "term_sheet_loi", "legal_opinion_memorandum", "regulatory_filing", "compliance_policy", "correspondence_legal", "due_diligence_report", "patent_application", "trademark_filing", "evidence_exhibit" ], "value_labels": { "act_legislation": "Akoma Ntoso 'act' Document Type", "bill_proposed_legislation": "Akoma Ntoso 'bill' Document Type", "statutory_instrument_regulation": "Akoma Ntoso 'doc' Subtype", "judicial_opinion_judgment": "Akoma Ntoso 'judgment' Document Type", "court_order": "Court Order", "pleading_complaint": "Pleading Complaint", "motion_application": "Motion Application", "brief_submission": "Brief Submission", "contract_agreement": "Contract Agreement", "nda_confidentiality_agreement": "Nda Confidentiality Agreement", "license_agreement": "License Agreement", "term_sheet_loi": "Term Sheet Loi", "legal_opinion_memorandum": "Legal Opinion Memorandum", "regulatory_filing": "Regulatory Filing", "compliance_policy": "Compliance Policy", "correspondence_legal": "Correspondence Legal", "due_diligence_report": "Due Diligence Report", "patent_application": "Patent Application", "trademark_filing": "Trademark Filing", "evidence_exhibit": "Evidence Exhibit" }, "code_definitions": { "act_legislation": "Akoma Ntoso 'act' document type — enacted primary legislation", "bill_proposed_legislation": "Akoma Ntoso 'bill' document type — proposed legislation not yet enacted", "statutory_instrument_regulation": "Akoma Ntoso 'doc' subtype — secondary/delegated legislation", "judicial_opinion_judgment": "Akoma Ntoso 'judgment' document type — court decision with precedential value" }, "use_case": "AI legal document classification agent ingests documents and assigns type before routing. 'Legal_opinion_memorandum' documents trigger privilege protection workflow — AI may not disclose or summarise these documents to unauthorised parties. 'Evidence_exhibit' documents in litigation context trigger EDRM chain-of-custody logging.", "source": "Akoma Ntoso (AKN) 1.0 OASIS Standard — Document types hierarchy; LegalXML taxonomy", "source_url": "https://www.oasis-open.org/committees/legalDocML/" }, { "enum_name": "LegalPrivilegeStatus", "label": "Legal Privilege Status", "otel_attribute": "legaltech.document.privilege_status", "opa_policy_path": "data.legaltech.document.privilege_status", "rego_input_key": "legaltech_document_privilege_status", "stability": "proposed", "description": "Legal privilege and confidentiality classification of a document. AI legal document agents must assess and log privilege status before any disclosure, summarisation, or transmission action. Inadvertent privilege waiver is an irreversible legal harm — AI must err on the side of caution.", "permitted_values": [ "not_privileged", "attorney_client_privileged", "work_product_doctrine", "attorney_client_and_work_product", "common_interest_privilege", "deliberative_process_privilege", "trade_secret_protected", "confidential_not_privileged", "privilege_review_required", "privilege_waived_inadvertent", "privilege_waived_intentional" ], "value_labels": { "not_privileged": "Not Privileged", "attorney_client_privileged": "Attorney Client Privileged", "work_product_doctrine": "Work Product Doctrine", "attorney_client_and_work_product": "Attorney Client and Work Product", "common_interest_privilege": "Common Interest Privilege", "deliberative_process_privilege": "Deliberative Process Privilege", "trade_secret_protected": "Trade Secret Protected", "confidential_not_privileged": "Confidential not Privileged", "privilege_review_required": "Privilege Review Required", "privilege_waived_inadvertent": "Privilege Waived Inadvertent", "privilege_waived_intentional": "Privilege Waived Intentional" }, "code_definitions": { "attorney_client_privileged": "Communication between attorney and client for the purpose of legal advice; protected from disclosure absent waiver or exception", "work_product_doctrine": "Material prepared by or for an attorney in anticipation of litigation; protects mental impressions, conclusions, opinions of counsel", "privilege_waived_inadvertent": "Document was disclosed inadvertently; clawback procedures under FRE 502(b) may apply; immediate HITL notification required", "privilege_review_required": "Document has not yet been reviewed for privilege; AI has flagged potential privilege indicators; disclosure or use blocked pending attorney review" }, "regulatory_mappings": { "fre_502": "Federal Rules of Evidence Rule 502 — Inadvertent disclosure of privileged material; clawback procedures", "gdpr_art9": "GDPR Article 9 — Legal professional privilege data may qualify as special category data in certain jurisdictions" }, "use_case": "OPA policy blocks any AI agent from disclosing, summarising to unauthorised parties, or using as training data any document with privilege status other than 'not_privileged' or 'confidential_not_privileged' without explicit attorney authorisation. 'Privilege_waived_inadvertent' triggers immediate HITL legal counsel notification.", "source": "Common law attorney-client privilege doctrine; FRE 502; UK LPP (Legal Professional Privilege); GDPR Article 9 special categories", "source_url": "https://www.law.cornell.edu/rules/fre/rule_502" } ] }, { "subdomain": "Regulatory Filing & Submission Management", "description": "Covers SEC EDGAR, XBRL, ESMA ESEF, FINRA CAT, and broader regulatory submission lifecycle enumerations. AI regulatory filing agents must use these values when interacting with regulatory submission portals and validating filing packages.", "relevant_standards": [ "SEC EDGAR XBRL Taxonomy 2024 — US GAAP and IFRS inline XBRL", "ESMA ESEF Regulation (EU) 2019/815 — European Single Electronic Format (iXBRL)", "FINRA CAT — Consolidated Audit Trail (CAT) NMS Plan", "CFTC Swap Data Reporting — Refit Phase 2 (December 2024)", "ECB BIRD — Banks' Integrated Reporting Dictionary", "EBA COREP / FINREP — EU prudential and financial reporting", "UK FCA Gabriel / RegData — FCA regulatory reporting platform" ], "categories": [ { "enum_name": "RegulatoryFilingStatus", "label": "Regulatory Filing Status", "otel_attribute": "regtech.filing.status", "opa_policy_path": "data.regtech.filing.status", "rego_input_key": "regtech_filing_status", "stability": "stable", "description": "Lifecycle status of a regulatory filing or submission. AI regulatory filing agents use this to track submissions from initial data collection through final acceptance by the receiving authority. Deadlines vary by filing type and authority — AI agents must enforce filing deadlines.", "permitted_values": [ "draft", "data_collection_in_progress", "validation_in_progress", "validation_failed", "ready_for_submission", "submitted", "under_review", "accepted", "accepted_with_comments", "rejected", "requires_amendment", "resubmitted", "final", "overdue", "archived" ], "value_labels": { "draft": "Draft", "data_collection_in_progress": "Data Collection in Progress", "validation_in_progress": "Validation in Progress", "validation_failed": "Validation Failed", "ready_for_submission": "Ready for Submission", "submitted": "Submitted", "under_review": "Under Review", "accepted": "Accepted", "accepted_with_comments": "Accepted with Comments", "rejected": "Rejected", "requires_amendment": "Requires Amendment", "resubmitted": "Resubmitted", "final": "Final", "overdue": "Overdue", "archived": "Archived" }, "code_definitions": { "validation_failed": "XBRL or schema validation has failed; specific error codes logged; filing cannot be submitted until errors are resolved", "accepted_with_comments": "Regulator has accepted the filing but raised questions or comments requiring a response; common in SEC comment letter process", "requires_amendment": "Regulator requires a corrected or amended filing; original filing is superseded by the amendment", "overdue": "Filing deadline has passed without accepted submission; late filing penalties may apply; HITL escalation to Chief Compliance Officer required" }, "regulatory_mappings": { "sec_edgar": "SEC rules require timely EDGAR filing; late filings may result in loss of S-3 eligibility and SEC enforcement", "esma_esef": "ESMA ESEF Regulation — Annual financial reports must be filed in iXBRL format; 'validation_failed' status must be resolved before filing", "finra_cat": "FINRA CAT — Daily trade reporting; late or rejected submissions result in CAT penalty schedule", "cftc_swap": "CFTC Swap Data Reporting Refit Phase 2 — Enhanced swap reporting; deadline-driven submission requirements" }, "use_case": "AI regulatory filing agent manages the end-to-end submission lifecycle. 'Overdue' status triggers immediate CISO/CCO escalation and assessment of late filing exposure. OPA policy blocks AI from submitting a filing with 'validation_failed' status — all XBRL schema errors must be resolved first.", "source": "SEC EDGAR submission status codes; ESMA ESEF validation rules; FINRA CAT reporting specifications", "source_url": "https://www.sec.gov/edgar" }, { "enum_name": "XBRLValidationErrorType", "label": "XBRL Validation Error Type", "otel_attribute": "regtech.xbrl.validation_error_type", "opa_policy_path": "data.regtech.xbrl.validation_error_type", "rego_input_key": "regtech_xbrl_validation_error_type", "stability": "stable", "description": "Category of XBRL validation error detected by an AI filing validation agent. Different error types have different remediation paths — some block submission entirely, others are warnings that may be submitted with a regulator waiver.", "permitted_values": [ "schema_validation_error", "taxonomy_element_not_found", "calculation_inconsistency", "label_linkbase_error", "reference_linkbase_error", "context_period_mismatch", "unit_mismatch", "duplicate_fact", "missing_required_element", "rendering_inconsistency", "extension_element_overuse", "efm_rule_violation" ], "value_labels": { "schema_validation_error": "Schema Validation Error", "taxonomy_element_not_found": "Taxonomy Element not Found", "calculation_inconsistency": "Calculation Inconsistency", "label_linkbase_error": "Label Linkbase Error", "reference_linkbase_error": "Reference Linkbase Error", "context_period_mismatch": "Context Period Mismatch", "unit_mismatch": "Unit Mismatch", "duplicate_fact": "Duplicate Fact", "missing_required_element": "Missing Required Element", "rendering_inconsistency": "Rendering Inconsistency", "extension_element_overuse": "Extension Element Overuse", "efm_rule_violation": "Efm Rule Violation" }, "code_definitions": { "efm_rule_violation": "SEC EDGAR Financial Data Quality Committee (FDQC) / EDGAR Filing Manual (EFM) rule violation; must be resolved before SEC acceptance", "calculation_inconsistency": "Tagged financial values do not sum correctly in the calculation linkbase; common AI-generated tagging error; requires reconciliation", "extension_element_overuse": "Filer has created custom taxonomy extensions where standard US GAAP / IFRS elements exist; SEC staff review risk" }, "use_case": "AI XBRL tagging agent generates inline XBRL and runs validation. Error types are logged and routed to the appropriate remediation workflow. 'Schema_validation_error' and 'efm_rule_violation' block submission; 'calculation_inconsistency' triggers financial reconciliation review.", "source": "XBRL International Conformance Suite; SEC EDGAR Financial Data Quality rules; ESMA ESEF validation rules", "source_url": "https://www.xbrl.org/" }, { "enum_name": "SECFilingFormType", "label": "SEC Filing Form Type", "otel_attribute": "regtech.sec.form_type", "opa_policy_path": "data.regtech.sec.form_type", "rego_input_key": "regtech_sec_form_type", "stability": "stable", "description": "SEC EDGAR filing form type for the most common AI-assisted regulatory filings. AI filing agents must select the correct form type — submitting the wrong form type results in rejection and potential SEC enforcement.", "permitted_values": [ "10_K", "10_Q", "8_K", "20_F", "6_K", "S_1", "S_3", "424B", "DEF_14A", "SC_13G", "SC_13D", "Form_4", "Form_D", "13F_HR", "SD_conflict_minerals", "TCFD_climate_disclosure" ], "value_labels": { "10_K": "10 K", "10_Q": "10 Q", "8_K": "8 K", "20_F": "20 F", "6_K": "6 K", "S_1": "S 1", "S_3": "S 3", "424B": "424b", "DEF_14A": "Def 14a", "SC_13G": "Sc 13g", "SC_13D": "Sc 13d", "Form_4": "Form 4", "Form_D": "Form D", "13F_HR": "13f HR", "SD_conflict_minerals": "Sd Conflict Minerals", "TCFD_climate_disclosure": "Tcfd Climate Disclosure" }, "use_case": "AI regulatory agent selects form type based on the triggering event (earnings release → 10-Q, material event → 8-K, annual report → 10-K). OPA policy enforces that 8-K material event filings require CCO sign-off within the 4-business-day filing window — AI may prepare the draft but cannot submit without human authorisation.", "source": "SEC EDGAR Forms and Filing Requirements", "source_url": "https://www.sec.gov/forms" } ] }, { "subdomain": "ESG & Sustainability Disclosure", "description": "Covers ISSB IFRS S1/S2, EU CSRD ESRS, and SEC Climate Rule enumerations for AI-driven ESG data collection, materiality assessment, and sustainability disclosure preparation. As of FY2025 reporting, large EU companies must comply with CSRD mandatory ESRS.", "relevant_standards": [ "ISSB IFRS S1 (2023) — General Requirements for Sustainability-related Financial Disclosures", "ISSB IFRS S2 (2023) — Climate-related Disclosures", "EU CSRD (2022/2464) — Corporate Sustainability Reporting Directive", "EU ESRS 1 — General requirements; ESRS 2 — General disclosures", "EU ESRS E1 — Climate change; E2 — Pollution; E3 — Water; E4 — Biodiversity; E5 — Resource use", "EU ESRS S1 — Own workforce; S2 — Workers in value chain; S3 — Affected communities; S4 — Consumers", "EU ESRS G1 — Business conduct (anti-corruption, lobbying)", "SEC Climate-Related Disclosures Rule (2024) — 17 CFR Parts 210, 229", "TCFD Recommendations (2017, updated 2021) — superseded by ISSB for IFRS reporters but still widely referenced", "GRI Standards — Global Reporting Initiative (used alongside ESRS for double materiality)" ], "categories": [ { "enum_name": "ESGDisclosureCategory", "label": "ESG Disclosure Category", "otel_attribute": "regtech.esg.disclosure_category", "opa_policy_path": "data.regtech.esg.disclosure_category", "rego_input_key": "regtech_esg_disclosure_category", "stability": "stable", "description": "ESG disclosure category aligned to ISSB IFRS S1/S2 and EU CSRD ESRS taxonomy. AI ESG data collection agents tag every data point with the applicable disclosure category for automated disclosure mapping and assurance evidence generation.", "permitted_values": [ "climate_scope1_ghg_emissions", "climate_scope2_ghg_location_based", "climate_scope2_ghg_market_based", "climate_scope3_ghg_upstream", "climate_scope3_ghg_downstream", "climate_physical_risk_acute", "climate_physical_risk_chronic", "climate_transition_risk_policy", "climate_transition_risk_technology", "climate_transition_risk_market", "biodiversity_land_use", "biodiversity_species_impact", "water_consumption", "water_pollution", "pollution_air", "pollution_soil", "circular_economy_waste", "own_workforce_health_safety", "own_workforce_pay_equity", "own_workforce_diversity_inclusion", "value_chain_labour_rights", "value_chain_forced_labour", "affected_communities_impact", "consumer_product_safety", "anti_corruption_bribery", "lobbying_political_contributions", "board_diversity_governance", "data_privacy_governance", "ai_ethics_governance", "tax_transparency" ], "value_labels": { "climate_scope1_ghg_emissions": "Climate Scope1 GHG Emissions", "climate_scope2_ghg_location_based": "Climate Scope2 GHG Location Based", "climate_scope2_ghg_market_based": "Climate Scope2 GHG Market Based", "climate_scope3_ghg_upstream": "Climate Scope3 GHG Upstream", "climate_scope3_ghg_downstream": "Climate Scope3 GHG Downstream", "climate_physical_risk_acute": "Climate Physical Risk Acute", "climate_physical_risk_chronic": "Climate Physical Risk Chronic", "climate_transition_risk_policy": "Climate Transition Risk Policy", "climate_transition_risk_technology": "Climate Transition Risk Technology", "climate_transition_risk_market": "Climate Transition Risk Market", "biodiversity_land_use": "Biodiversity Land Use", "biodiversity_species_impact": "Biodiversity Species Impact", "water_consumption": "Water Consumption", "water_pollution": "Water Pollution", "pollution_air": "Pollution Air", "pollution_soil": "Pollution Soil", "circular_economy_waste": "Circular Economy Waste", "own_workforce_health_safety": "Own Workforce Health Safety", "own_workforce_pay_equity": "Own Workforce Pay Equity", "own_workforce_diversity_inclusion": "Own Workforce Diversity Inclusion", "value_chain_labour_rights": "Value Chain Labour Rights", "value_chain_forced_labour": "Value Chain Forced Labour", "affected_communities_impact": "Affected Communities Impact", "consumer_product_safety": "Consumer Product Safety", "anti_corruption_bribery": "Anti Corruption Bribery", "lobbying_political_contributions": "Lobbying Political Contributions", "board_diversity_governance": "Board Diversity Governance", "data_privacy_governance": "Data Privacy Governance", "ai_ethics_governance": "AI Ethics Governance", "tax_transparency": "Tax Transparency" }, "regulatory_mappings": { "issb_ifrs_s1_s2": "ISSB IFRS S1/S2 — All climate categories map to IFRS S2 disclosure requirements; other categories map to S1 sustainability-related risks", "eu_csrd_esrs_e1": "EU CSRD ESRS E1 — Climate categories; ESRS E2 — Pollution categories; ESRS E3 — Water; ESRS E4 — Biodiversity; ESRS E5 — Circular economy", "eu_csrd_esrs_s1_s4": "EU CSRD ESRS S1 — Own workforce; ESRS S2 — Value chain workers; ESRS S3 — Affected communities; ESRS S4 — Consumers", "eu_csrd_esrs_g1": "EU CSRD ESRS G1 — Business conduct: anti_corruption_bribery and lobbying_political_contributions", "sec_climate_rule": "SEC Climate Rule (2024) — Scope 1 and 2 required for large accelerated filers; climate physical and transition risk disclosures required" }, "use_case": "AI ESG data collection agent gathers data points from internal systems, supplier surveys, and utility data. Each data point is tagged with its disclosure category, data source, and confidence level. AI assurance agent cross-references tagged data against CSRD mandatory ESRS disclosure requirements to identify gaps.", "source": "ISSB IFRS S1/S2 Standards (2023); EU ESRS (Commission Delegated Regulation 2023/2772); GRI Standards", "source_url": "https://www.ifrs.org/issued-standards/ifrs-sustainability-standards-navigator/" }, { "enum_name": "MaterialityAssessmentOutcome", "label": "Materiality Assessment Outcome", "otel_attribute": "regtech.esg.materiality_outcome", "opa_policy_path": "data.regtech.esg.materiality_outcome", "rego_input_key": "regtech_esg_materiality_outcome", "stability": "stable", "description": "Outcome of an ESG materiality assessment for a specific topic. ISSB uses financial materiality (investor perspective); EU CSRD uses double materiality (impact materiality AND financial materiality). AI materiality assessment agents must distinguish between the two frameworks.", "permitted_values": [ "material_financial_and_impact", "material_financial_only", "material_impact_only", "not_material", "materiality_assessment_in_progress", "materiality_assessment_not_conducted", "conditionally_material_sector_specific" ], "value_labels": { "material_financial_and_impact": "Topic Is Material Under Both Financial Materiality (issb/sec) and Impact Materiality (eu Csrd)", "material_financial_only": "Topic Is Financially Material (affects Enterprise Value) But Does not Meet Impact Materiality Threshold", "material_impact_only": "Topic Has Material Impact on People or Environment But Does not Affect Enterprise Value", "not_material": "Not Material", "materiality_assessment_in_progress": "Materiality Assessment in Progress", "materiality_assessment_not_conducted": "Materiality Assessment not Conducted", "conditionally_material_sector_specific": "Conditionally Material Sector Specific" }, "code_definitions": { "material_financial_and_impact": "Topic is material under both financial materiality (ISSB/SEC) and impact materiality (EU CSRD) — mandatory disclosure under both frameworks", "material_financial_only": "Topic is financially material (affects enterprise value) but does not meet impact materiality threshold — mandatory for ISSB/SEC, not CSRD impact disclosure", "material_impact_only": "Topic has material impact on people or environment but does not affect enterprise value — material under EU CSRD only", "not_material": "Topic assessed as not material under either framework; documented rationale required for audit purposes" }, "regulatory_mappings": { "eu_csrd_esrs1": "EU CSRD ESRS 1 — Double materiality assessment is mandatory; documented process required; auditor reviews assessment process", "issb_ifrs_s1": "ISSB IFRS S1 — Financial materiality only; entity-specific materiality determination required" }, "source": "ISSB IFRS S1 materiality concept; EU CSRD ESRS 1 double materiality assessment process; EFRAG double materiality implementation guidance", "source_url": "https://www.efrag.org/sustainability-reporting" }, { "enum_name": "ESGDataQualityTier", "label": "ESG Data Quality Tier", "otel_attribute": "regtech.esg.data_quality_tier", "opa_policy_path": "data.regtech.esg.data_quality_tier", "rego_input_key": "regtech_esg_data_quality_tier", "stability": "proposed", "description": "Data quality tier for an ESG data point as assessed by the AI ESG data collection agent. Disclosure quality and limited/reasonable assurance requirements depend on data quality — third-party assured disclosures must meet higher quality tiers.", "permitted_values": [ "tier_1_primary_metered", "tier_2_primary_calculated", "tier_3_supplier_reported", "tier_4_estimated_industry_factor", "tier_5_estimated_spend_based", "not_available_gap" ], "value_labels": { "tier_1_primary_metered": "Tier 1 — Primary Metered", "tier_2_primary_calculated": "Tier 2 — Primary Calculated", "tier_3_supplier_reported": "Tier 3 — Supplier Reported", "tier_4_estimated_industry_factor": "Tier 4 — Estimated Industry Factor", "tier_5_estimated_spend_based": "Tier 5 — Estimated Spend Based", "not_available_gap": "Not Available Gap" }, "code_definitions": { "tier_1_primary_metered": "Direct measurement from calibrated meter or sensor (e.g. utility smart meter, CEMS); highest data quality; preferred for assured disclosures", "tier_2_primary_calculated": "Calculated from primary activity data using standard emission factors (e.g. GHG Protocol); acceptable for limited assurance", "tier_3_supplier_reported": "Data reported directly by supplier via survey or data portal; quality depends on supplier data governance", "tier_4_estimated_industry_factor": "Estimated using industry average emission factors or proxy data; lowest quality for direct emissions; may be acceptable for Scope 3 categories", "tier_5_estimated_spend_based": "Estimated using spend-based methodology (cost × emission factor); lowest accuracy; acceptable for initial Scope 3 screening only" }, "use_case": "AI ESG assurance agent flags all data points below Tier 2 for Scope 1 and 2 disclosures subject to limited assurance. 'Not_available_gap' status triggers data gap remediation workflow and disclosure note drafting.", "source": "GHG Protocol data quality guidance; CSRD ESRS E1 data quality expectations; ISAE 3000 / ISAE 3410 assurance standards for GHG statements", "source_url": "https://ghgprotocol.org/" } ] }, { "subdomain": "E-Discovery & Litigation Support", "description": "Covers EDRM (Electronic Discovery Reference Model) lifecycle stage enumerations, document review classification, and AI-assisted privilege assessment. AI e-discovery agents must use EDRM stage values for platform interoperability and litigation hold chain-of-custody integrity.", "relevant_standards": [ "EDRM — Electronic Discovery Reference Model (edrm.net)", "FRCP Rule 26(b) — Federal Rules of Civil Procedure — Scope of discovery", "FRCP Rule 34 — Production requests for electronically stored information (ESI)", "FRCP Rule 37(e) — Failure to preserve ESI (spoliation sanctions)", "FRE 502 — Attorney-Client Privilege and Work Product; inadvertent disclosure", "Sedona Conference Principles — Best practices for e-discovery", "ISO/IEC 27050 — Electronic Discovery (Parts 1-4)" ], "categories": [ { "enum_name": "EDRMLifecycleStage", "label": "EDRM Lifecycle Stage", "otel_attribute": "legaltech.ediscovery.lifecycle_stage", "opa_policy_path": "data.legaltech.ediscovery.lifecycle_stage", "rego_input_key": "legaltech_ediscovery_lifecycle_stage", "stability": "stable", "description": "Electronic Discovery Reference Model stage used to track where a matter sits in the e-discovery lifecycle and to preserve defensible chain-of-custody records for ESI handling.", "permitted_values": [ "information_governance", "identification", "preservation", "collection", "processing", "review", "analysis", "production", "presentation" ], "value_labels": { "information_governance": "Information Governance", "identification": "Identification", "preservation": "Preservation", "collection": "Collection", "processing": "Processing", "review": "Review", "analysis": "Analysis", "production": "Production", "presentation": "Presentation" }, "code_definitions": { "information_governance": "Ongoing data management policies; not a triggered litigation response; AI information governance agents classify data for potential litigation readiness", "identification": "Litigation hold triggered; AI identifying potentially relevant ESI custodians, data sources, and date ranges", "preservation": "Legal hold notices issued; AI monitoring for preservation compliance; spoliation risk assessment active", "collection": "ESI being collected from identified sources; forensically sound collection methods; chain of custody initiated", "processing": "Raw ESI being de-duplicated, filtered, and indexed; AI extracting metadata and text for review platform ingestion", "review": "Attorneys and AI reviewing documents for relevance, responsiveness, and privilege; TAR (Technology Assisted Review) / predictive coding active", "analysis": "AI analysing review results for patterns, key custodians, and timeline reconstruction", "production": "Responsive, non-privileged documents being formatted and produced to requesting party per production specifications", "presentation": "Trial exhibits being prepared and marked; AI-generated timelines and visual exhibits" }, "regulatory_mappings": { "frcp_37e": "FRCP Rule 37(e) — Failure to take reasonable steps to preserve ESI at 'preservation' stage can result in adverse inference instructions or case-dispositive sanctions", "frcp_26b": "FRCP Rule 26(b)(1) — Proportionality standard applies to scope of discovery; AI must document review methodology for Rule 26(g) certification" }, "use_case": "AI e-discovery agent logs every ESI processing action with its EDRM stage. Transition from 'identification' to 'preservation' triggers automatic legal hold notice generation. 'Production' stage requires attorney review and FRCP Rule 34 compliance certification before documents are transmitted to opposing counsel.", "source": "EDRM — Electronic Discovery Reference Model (edrm.net); ISO/IEC 27050-1", "source_url": "https://www.edrm.net/frameworks-and-standards/edrm-model/" }, { "enum_name": "DocumentReviewDecision", "label": "Document Review Decision", "otel_attribute": "legaltech.ediscovery.review_decision", "opa_policy_path": "data.legaltech.ediscovery.review_decision", "rego_input_key": "legaltech_ediscovery_review_decision", "stability": "stable", "description": "Document review decision produced by an AI predictive coding / TAR (Technology Assisted Review) agent during e-discovery. All AI review decisions are subject to quality control sampling by attorneys — AI confidence scores below threshold must be human-reviewed.", "permitted_values": [ "responsive_produce", "responsive_redact_then_produce", "not_responsive", "privileged_withhold", "privileged_log", "confidential_subject_to_protective_order", "hot_document", "needs_human_review", "duplicate_near_duplicate", "foreign_language_needs_translation", "clawback_inadvertent_disclosure" ], "value_labels": { "responsive_produce": "Responsive Produce", "responsive_redact_then_produce": "Responsive Redact Then Produce", "not_responsive": "Not Responsive", "privileged_withhold": "Privileged Withhold", "privileged_log": "Privileged Log", "confidential_subject_to_protective_order": "Confidential Subject to Protective Order", "hot_document": "Hot Document", "needs_human_review": "Needs Human Review", "duplicate_near_duplicate": "Duplicate Near Duplicate", "foreign_language_needs_translation": "Foreign Language Needs Translation", "clawback_inadvertent_disclosure": "Clawback Inadvertent Disclosure" }, "code_definitions": { "hot_document": "AI has identified a document of high potential significance to the litigation (key custodian, key date, key terms); flagged for priority attorney review", "clawback_inadvertent_disclosure": "Privileged document identified after production; FRE 502(b) / clawback agreement procedure initiated; opposing counsel notification required", "needs_human_review": "AI TAR confidence score below threshold or document exhibits characteristics (handwriting, mixed language, unclear context) that reduce AI reliability" }, "regulatory_mappings": { "fre_502b": "FRE 502(b) — 'clawback_inadvertent_disclosure' triggers immediate notification obligation to opposing counsel and court", "frcp_26g": "FRCP Rule 26(g) — Attorney certification: review methodology including AI TAR must be documented and defensible" }, "source": "EDRM review stage; Sedona Conference Principles 6 and 7 on TAR; FRE 502; FRCP Rule 26", "source_url": "https://www.edrm.net/frameworks-and-standards/edrm-model/" } ] }, { "subdomain": "AML, Financial Crime & Sanctions Compliance", "description": "Covers FATF, EU AMLD6/AML Regulation, FinCEN, and OFAC enumerations for AI-driven anti-money laundering transaction monitoring, suspicious activity report (SAR) generation, KYC/CDD lifecycle management, and sanctions screening. These are among the most heavily audited AI applications in the financial sector.", "relevant_standards": [ "FATF 40 Recommendations (2023 update) — International AML/CFT standards", "EU AML Regulation (2024/1624) — Directly applicable AML/CFT regulation (in force July 2024)", "EU AMLD6 (2024/1640) — Sixth Anti-Money Laundering Directive", "FinCEN SAR Filing Requirements — 31 CFR Part 1020 (BSA)", "FinCEN AML/CFT Programme Rule (2024) — Updated risk-based programme requirements", "OFAC SDN List — Specially Designated Nationals and Blocked Persons List", "EU Consolidated Sanctions List — CFSP restrictive measures", "UN Security Council Consolidated List — SC Committee sanctions", "Basel Committee BCBS 239 — Risk data aggregation principles (applies to AML data quality)" ], "categories": [ { "enum_name": "AMLAlertDisposition", "label": "AML Alert Disposition", "otel_attribute": "regtech.aml.alert_disposition", "opa_policy_path": "data.regtech.aml.alert_disposition", "rego_input_key": "regtech_aml_alert_disposition", "stability": "stable", "description": "Disposition outcome of an AI-generated AML transaction monitoring alert. AI models generate alerts; compliance analysts review and disposition them. Alert disposition decisions drive SAR filing obligations. AI may not autonomously disposition alerts as 'cleared_no_sar' without analyst review for alerts above defined risk thresholds.", "permitted_values": [ "new_unreviewed", "under_review", "cleared_no_sar", "escalated_to_l2_review", "escalated_to_l3_investigation", "sar_filed", "sar_filed_continuing_activity", "blocked_frozen", "referred_to_law_enforcement", "false_positive_model_feedback" ], "value_labels": { "new_unreviewed": "New Unreviewed", "under_review": "Under Review", "cleared_no_sar": "Cleared No SAR", "escalated_to_l2_review": "Escalated to L2 Review", "escalated_to_l3_investigation": "Escalated to L3 Investigation", "sar_filed": "SAR Filed", "sar_filed_continuing_activity": "SAR Filed Continuing Activity", "blocked_frozen": "Blocked Frozen", "referred_to_law_enforcement": "Referred to Law Enforcement", "false_positive_model_feedback": "False Positive Model Feedback" }, "code_definitions": { "sar_filed": "Suspicious activity identified and Suspicious Activity Report filed with FinCEN / national FIU; 90-day monitoring period begins", "sar_filed_continuing_activity": "Continuing activity SAR filed; 90-day window extended; ongoing monitoring in place", "blocked_frozen": "Transaction blocked or account frozen per OFAC obligation or AML risk determination; customer notification rules apply", "false_positive_model_feedback": "Alert reviewed as false positive; disposition logged as model feedback for AI retraining; reduces alert fatigue" }, "regulatory_mappings": { "fincen_31_cfr_1020": "FinCEN 31 CFR 1020.320 — SAR filing obligation: financial institutions must file SARs within 30 days of detecting suspicious activity (60 days if no suspect identified)", "eu_aml_regulation": "EU AML Regulation (2024/1624) Article 69 — Suspicious transaction reports must be filed with the national FIU promptly", "fatf_rec16": "FATF Recommendation 16 — Wire transfer rules; AML alert disposition must consider originator/beneficiary information completeness" }, "use_case": "AI AML monitoring agent generates alert with 'new_unreviewed' status. OPA policy blocks any alert above high-risk threshold from being auto-disposed as 'cleared_no_sar' — analyst review is mandatory. 'Blocked_frozen' dispositions require HITL compliance officer approval before customer notification.", "source": "FinCEN SAR filing guidance; EU AML Regulation (2024/1624); FATF 40 Recommendations", "source_url": "https://www.fincen.gov/resources/filing-information" }, { "enum_name": "KYCCDDRiskLevel", "label": "KYC/CDD Risk Level", "otel_attribute": "regtech.kyc.cdd_risk_level", "opa_policy_path": "data.regtech.kyc.cdd_risk_level", "rego_input_key": "regtech_kyc_cdd_risk_level", "stability": "stable", "description": "KYC / Customer Due Diligence risk level classification per FATF risk-based approach and EU AML Regulation Article 20. Drives the level of due diligence required and ongoing monitoring frequency.", "permitted_values": [ "low_risk_simplified_cdd", "standard_risk_cdd", "high_risk_enhanced_due_diligence", "pep_politically_exposed_person", "pep_family_member_or_associate", "sanctions_match_pending_review", "sanctions_confirmed_blocked", "unacceptable_risk_exit" ], "value_labels": { "low_risk_simplified_cdd": "Low Risk Simplified CDD", "standard_risk_cdd": "Standard Risk CDD", "high_risk_enhanced_due_diligence": "High Risk Enhanced Due Diligence", "pep_politically_exposed_person": "Pep Politically Exposed Person", "pep_family_member_or_associate": "Pep Family Member or Associate", "sanctions_match_pending_review": "Sanctions Match Pending Review", "sanctions_confirmed_blocked": "Sanctions Confirmed Blocked", "unacceptable_risk_exit": "Unacceptable Risk Exit" }, "code_definitions": { "pep_politically_exposed_person": "Customer is a PEP per FATF definition (prominent public function); enhanced due diligence mandatory per EU AML Regulation Article 22; senior management approval required for PEP relationships", "sanctions_match_pending_review": "Customer name matches OFAC/EU/UN sanctions list; transaction must be blocked; OFAC/competent authority notification may be required pending review", "sanctions_confirmed_blocked": "Sanctions match confirmed; all transactions blocked; funds frozen; OFAC/competent authority notification completed", "unacceptable_risk_exit": "Compliance decision to exit the customer relationship due to unacceptable AML/CFT risk; de-risking procedures initiated" }, "regulatory_mappings": { "fatf_rec10": "FATF Recommendation 10 — Customer due diligence; risk-based approach mandated", "eu_aml_regulation_art20_22": "EU AML Regulation Articles 20–22 — SDD, CDD, and EDD requirements based on risk level; PEP EDD is mandatory", "ofac_50_percent_rule": "OFAC 50% Rule — Entities owned 50% or more by designated persons are treated as designated; AI sanctions screening must apply this rule" }, "source": "FATF 40 Recommendations; EU AML Regulation (2024/1624) Articles 17–25; FinCEN CDD Rule 31 CFR 1010.230", "source_url": "https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html" }, { "enum_name": "SanctionsScreeningMatchType", "label": "Sanctions Screening Match Type", "otel_attribute": "regtech.sanctions.match_type", "opa_policy_path": "data.regtech.sanctions.match_type", "rego_input_key": "regtech_sanctions_match_type", "stability": "stable", "description": "Type of match generated by an AI sanctions screening engine against OFAC SDN, EU Consolidated, or UN Consolidated sanctions lists. Match type determines the automated blocking and escalation response.", "permitted_values": [ "exact_match", "fuzzy_match_high_confidence", "fuzzy_match_medium_confidence", "fuzzy_match_low_confidence", "alias_match", "entity_ownership_50pct_rule", "vessel_imo_match", "aircraft_registration_match", "false_positive_cleared", "no_match" ], "value_labels": { "exact_match": "Exact Match", "fuzzy_match_high_confidence": "Fuzzy Match High Confidence", "fuzzy_match_medium_confidence": "Fuzzy Match Medium Confidence", "fuzzy_match_low_confidence": "Fuzzy Match Low Confidence", "alias_match": "Alias Match", "entity_ownership_50pct_rule": "Entity Ownership 50pct Rule", "vessel_imo_match": "Vessel Imo Match", "aircraft_registration_match": "Aircraft Registration Match", "false_positive_cleared": "False Positive Cleared", "no_match": "No Match" }, "code_definitions": { "exact_match": "Name, date of birth, and identifier match sanctions list entry exactly; immediate block required with no discretion", "fuzzy_match_high_confidence": "Name similarity score above high threshold (e.g. > 90%); automatic block and compliance escalation pending review", "entity_ownership_50pct_rule": "Entity is not directly listed but is owned 50% or more by a designated entity per OFAC 50% Rule; treated as designated", "false_positive_cleared": "Analyst has reviewed and confirmed no true sanctions match; documented in screening record for audit" }, "regulatory_mappings": { "ofac_31_cfr_501": "OFAC 31 CFR Part 501 — All 'exact_match' and confirmed 'fuzzy_match_high_confidence' results must be blocked and OFAC notified", "eu_aml_regulation": "EU AML Regulation — Sanctions screening is a mandatory element of CDD; screening results must be documented", "uk_ofsi": "UK OFSI — UK financial sanctions; similar blocking obligations for UK-listed entities" }, "source": "OFAC SDN matching guidance; OFAC 50 Percent Rule; EU sanctions screening best practices", "source_url": "https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information" } ] }, { "subdomain": "Data Privacy Compliance Programme", "description": "Covers GDPR, CCPA/CPRA, and privacy programme management enumerations for AI-driven data subject rights automation, consent management, and privacy impact assessment workflows.", "relevant_standards": [ "EU GDPR (2016/679) — Articles 12–22 (Data subject rights); Articles 30–36 (Compliance obligations)", "CCPA/CPRA (California) — Consumer Privacy Rights Act", "UK GDPR / DPA 2018 — UK data protection framework", "PIPL (China) — Personal Information Protection Law (2021)", "ISO/IEC 27701:2019 — Privacy Information Management System", "NIST Privacy Framework v1.0 — Privacy risk management", "IAB Europe Transparency and Consent Framework (TCF) 2.2 — Consent string standards" ], "categories": [ { "enum_name": "DataSubjectRightRequestType", "label": "Data Subject Right Request Type", "otel_attribute": "regtech.privacy.dsr_request_type", "opa_policy_path": "data.regtech.privacy.dsr_request_type", "rego_input_key": "regtech_privacy_dsr_request_type", "stability": "stable", "description": "Type of data subject rights request under GDPR Articles 15–22 and CCPA/CPRA. AI privacy automation agents must correctly classify each request to trigger the correct response workflow and deadline tracking.", "permitted_values": [ "access_art15", "rectification_art16", "erasure_right_to_be_forgotten_art17", "restriction_of_processing_art18", "data_portability_art20", "objection_to_processing_art21", "opt_out_automated_decision_art22", "opt_out_sale_ccpa", "limit_sensitive_pi_ccpa", "know_categories_ccpa", "correct_pi_ccpa", "delete_pi_ccpa" ], "value_labels": { "access_art15": "Access Art15", "rectification_art16": "Rectification Art16", "erasure_right_to_be_forgotten_art17": "Gdpr Article 17", "restriction_of_processing_art18": "Restriction of Processing Art18", "data_portability_art20": "Gdpr Article 20", "objection_to_processing_art21": "Objection to Processing Art21", "opt_out_automated_decision_art22": "Gdpr Article 22", "opt_out_sale_ccpa": "Opt Out Sale CCPA", "limit_sensitive_pi_ccpa": "Limit Sensitive Pi CCPA", "know_categories_ccpa": "Know Categories CCPA", "correct_pi_ccpa": "Correct Pi CCPA", "delete_pi_ccpa": "Delete Pi CCPA" }, "code_definitions": { "erasure_right_to_be_forgotten_art17": "GDPR Article 17 — Right to erasure; grounds include withdrawal of consent, unlawful processing, legal obligation; AI agent must identify and delete all instances across systems", "opt_out_automated_decision_art22": "GDPR Article 22 — Right not to be subject to solely automated decisions with significant effects; human review must be provided", "data_portability_art20": "GDPR Article 20 — Right to receive personal data in structured, machine-readable format and transmit to another controller" }, "regulatory_mappings": { "gdpr_art12": "GDPR Article 12 — Response must be provided without undue delay and within 1 month (extendable by 2 months for complex requests)", "ccpa_1798_100": "CCPA 1798.100 — Business must respond to access and deletion requests within 45 days", "gdpr_art77": "GDPR Article 77 — Right to lodge complaint with supervisory authority if request is not fulfilled" }, "use_case": "AI privacy automation agent receives DSR request, classifies by type, and initiates response workflow. 'Erasure_right_to_be_forgotten_art17' requests trigger AI discovery scan across all data stores. OPA policy enforces that responses to 'access_art15' requests require human privacy officer review before transmission to ensure no additional sensitive data is inadvertently included.", "source": "GDPR Articles 15–22; CCPA/CPRA 1798.100–1798.135", "source_url": "https://gdpr-info.eu/" }, { "enum_name": "DSRResponseStatus", "label": "Dsr Response Status", "otel_attribute": "regtech.privacy.dsr_response_status", "opa_policy_path": "data.regtech.privacy.dsr_response_status", "rego_input_key": "regtech_privacy_dsr_response_status", "stability": "stable", "description": "Status of a data subject rights request response lifecycle. AI privacy agents track each request through this lifecycle against regulatory deadlines.", "permitted_values": [ "received", "identity_verification_pending", "identity_verified", "in_progress", "extension_requested", "data_discovery_complete", "response_drafted", "human_review_required", "responded_fulfilled", "responded_partially_fulfilled", "responded_denied", "overdue", "complaint_filed_with_dpa" ], "value_labels": { "received": "Received", "identity_verification_pending": "Identity Verification Pending", "identity_verified": "Identity Verified", "in_progress": "In Progress", "extension_requested": "Extension Requested", "data_discovery_complete": "Data Discovery Complete", "response_drafted": "Response Drafted", "human_review_required": "Human Review Required", "responded_fulfilled": "Responded Fulfilled", "responded_partially_fulfilled": "Responded Partially Fulfilled", "responded_denied": "Responded Denied", "overdue": "Overdue", "complaint_filed_with_dpa": "Complaint Filed with Dpa" }, "code_definitions": { "responded_denied": "Request denied on legitimate grounds (e.g. GDPR Article 17(3) exemptions for erasure; CCPA business purpose exception); denial reasons must be documented and communicated to the data subject with right to complain", "overdue": "Response deadline exceeded; GDPR Article 12(3) deadline missed; supervisory authority notification risk elevated", "complaint_filed_with_dpa": "Data subject has exercised Article 77 right to lodge complaint with DPA; regulatory investigation risk elevated" }, "regulatory_mappings": { "gdpr_art12_3": "GDPR Article 12(3) — 1-month response deadline; up to 3 months if request is complex or numerous; 'overdue' status requires immediate CCO escalation", "gdpr_art83": "GDPR Article 83 — Failure to respect data subject rights: up to EUR 20 million or 4% global annual turnover" }, "source": "GDPR Articles 12–22; CCPA/CPRA response timeline requirements; EDPB Guidelines on data subject rights", "source_url": "https://gdpr-info.eu/" }, { "enum_name": "PrivacyImpactAssessmentOutcome", "label": "Privacy Impact Assessment Outcome", "otel_attribute": "regtech.privacy.pia_outcome", "opa_policy_path": "data.regtech.privacy.pia_outcome", "rego_input_key": "regtech_privacy_pia_outcome", "stability": "stable", "description": "Outcome of a Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA) for an AI system or data processing activity. GDPR Article 35 mandates DPIAs for high-risk processing — including AI profiling, biometrics, and systematic monitoring. AI systems must not be deployed for high-risk processing without a completed DPIA.", "permitted_values": [ "dpia_not_required", "dpia_required_in_progress", "dpia_completed_risks_acceptable", "dpia_completed_residual_risks_mitigated", "dpia_completed_risks_unacceptable", "dpa_prior_consultation_required", "dpa_prior_consultation_pending", "dpa_prior_consultation_completed" ], "value_labels": { "dpia_not_required": "DPIA Not Required", "dpia_required_in_progress": "DPIA Required - In Progress", "dpia_completed_risks_acceptable": "DPIA Completed - Risks Acceptable", "dpia_completed_residual_risks_mitigated": "DPIA Completed - Residual Risks Mitigated", "dpia_completed_risks_unacceptable": "DPIA Completed - Risks Unacceptable", "dpa_prior_consultation_required": "DPA Prior Consultation Required", "dpa_prior_consultation_pending": "DPA Prior Consultation Pending", "dpa_prior_consultation_completed": "DPA Prior Consultation Completed" }, "code_definitions": { "dpia_completed_risks_unacceptable": "DPIA identifies high residual risks that cannot be adequately mitigated; GDPR Article 36 requires prior consultation with DPA before processing commences; AI deployment blocked", "dpa_prior_consultation_required": "DPIA outcome triggers mandatory DPA consultation per GDPR Article 36; DPA has up to 8 weeks to provide written advice; processing must not begin during consultation period" }, "regulatory_mappings": { "gdpr_art35": "GDPR Article 35 — DPIA mandatory for: systematic profiling, large-scale processing of special categories, systematic monitoring of public areas; AI profiling systems almost always require DPIA", "gdpr_art36": "GDPR Article 36 — Prior DPA consultation required if DPIA shows high residual risk; processing blocked pending DPA response", "eu_ai_act_art9": "EU AI Act Article 9 — Risk management system for high-risk AI; DPIA outcome should inform AI risk management system" }, "use_case": "OPA policy blocks deployment of any AI system processing personal data at scale where DPIA outcome is 'dpia_required_in_progress', 'dpia_completed_risks_unacceptable', or 'dpa_prior_consultation_pending'.", "source": "GDPR Articles 35–36; EDPB Guidelines 09/2022 on DPIAs; WP29 Opinion on DPIAs", "source_url": "https://gdpr-info.eu/art-35-gdpr/" } ] }, { "subdomain": "Compliance Obligation & Regulatory Change Management", "description": "Covers AI-driven compliance obligation registry, regulatory change monitoring, and compliance programme effectiveness enumerations. These are the foundational RegTech enums supporting automated regulatory horizon scanning and obligation mapping.", "relevant_standards": [ "ISO 37301:2021 — Compliance Management Systems", "COSO Internal Control — Integrated Framework (2013)", "IIA Standards — Internal Audit professional standards", "Thomson Reuters Regulatory Intelligence — regulatory change taxonomy", "DORA Article 6 — ICT risk management framework requirements (financial sector)" ], "categories": [ { "enum_name": "ComplianceObligationStatus", "label": "Compliance Obligation Status", "otel_attribute": "regtech.obligation.status", "opa_policy_path": "data.regtech.obligation.status", "rego_input_key": "regtech_obligation_status", "stability": "stable", "description": "Status of a regulatory compliance obligation in the organisation's obligation register. AI regulatory change management agents update obligation status as regulations are enacted, amended, or repealed.", "permitted_values": [ "identified_not_assessed", "under_gap_analysis", "gap_identified_remediation_planned", "gap_identified_remediation_in_progress", "compliant", "compliant_with_compensating_controls", "non_compliant_accepted_risk", "non_compliant_regulatory_breach", "superseded_by_new_regulation", "repealed_obligation_archived", "not_applicable_jurisdiction" ], "value_labels": { "identified_not_assessed": "Identified not Assessed", "under_gap_analysis": "Under Gap Analysis", "gap_identified_remediation_planned": "Gap Identified Remediation Planned", "gap_identified_remediation_in_progress": "Gap Identified Remediation in Progress", "compliant": "Compliant", "compliant_with_compensating_controls": "Compliant with Compensating Controls", "non_compliant_accepted_risk": "Non Compliant Accepted Risk", "non_compliant_regulatory_breach": "Non Compliant Regulatory Breach", "superseded_by_new_regulation": "Superseded by New Regulation", "repealed_obligation_archived": "Repealed Obligation Archived", "not_applicable_jurisdiction": "Not Applicable Jurisdiction" }, "code_definitions": { "non_compliant_regulatory_breach": "Active non-compliance confirmed; regulatory breach exists; immediate escalation to CCO and General Counsel required; regulator notification may be obligatory", "non_compliant_accepted_risk": "Non-compliance identified but risk formally accepted by executive management with documented rationale; subject to ongoing monitoring and periodic review" }, "regulatory_mappings": { "iso_37301": "ISO 37301:2021 — Compliance management system requires documented obligation register with status tracking", "dora_art6": "DORA Article 6 — ICT risk management framework: obligations related to ICT risk must be tracked in the compliance register" }, "use_case": "AI regulatory horizon scanning agent identifies new regulations and creates obligation records with 'identified_not_assessed' status. OPA policy enforces that 'non_compliant_regulatory_breach' status triggers immediate escalation workflow — AI agent cannot auto-remediate a confirmed breach without HITL legal counsel involvement.", "source": "ISO 37301:2021 compliance management; Thomson Reuters regulatory intelligence taxonomy; DORA Article 6", "source_url": "https://www.iso.org/standard/79425.html" }, { "enum_name": "RegulatoryChangeSignificance", "label": "Regulatory Change Significance", "otel_attribute": "regtech.regulatory_change.significance", "opa_policy_path": "data.regtech.regulatory_change.significance", "rego_input_key": "regtech_regulatory_change_significance", "stability": "proposed", "description": "AI regulatory horizon scanning agent classification of the significance of an identified regulatory change. Drives escalation routing, gap analysis prioritisation, and board reporting.", "permitted_values": [ "critical_material_impact", "significant_moderate_impact", "minor_low_impact", "informational_monitoring_only", "not_applicable_jurisdiction_or_sector" ], "value_labels": { "critical_material_impact": "Critical Material Impact", "significant_moderate_impact": "Significant Moderate Impact", "minor_low_impact": "Minor Low Impact", "informational_monitoring_only": "Informational Monitoring Only", "not_applicable_jurisdiction_or_sector": "Not Applicable Jurisdiction or Sector" }, "code_definitions": { "critical_material_impact": "Regulatory change requires immediate operational or structural changes; affects core business activities; board and executive notification required; tight implementation deadline", "significant_moderate_impact": "Regulatory change requires programme or policy updates within a defined timeframe; assigned to compliance team for gap analysis" }, "ordered": true, "value_ordinals": { "critical_material_impact": 1, "significant_moderate_impact": 2, "minor_low_impact": 3, "informational_monitoring_only": 4, "not_applicable_jurisdiction_or_sector": 5 }, "source": "Thomson Reuters Regulatory Intelligence change significance taxonomy; ISO 37301 regulatory change management", "source_url": "https://www.thomsonreuters.com/en/products-services/legal/regulatory-intelligence.html" } ] } ], "opa_rego_policy_patterns": { "description": "Legal & RegTech-specific OPA Rego policy patterns referencing enum values from this file and from 00_core_sdk_and_governance.json. Illustrative patterns, not production policies.", "patterns": [ { "pattern_id": "legaltech.enforce_attorney_referral_for_upl_sensitive_contract_advice", "pattern_name": "enforce_attorney_referral_for_upl_sensitive_contract_advice", "enforcement_effect": "require_hitl_approval", "description": "Block Contract Q&A agents from answering non-attorney requests that cross the legal-advice boundary, including signing recommendations and deadline calculations that create business reliance. The only compliant path is a factual clause summary plus attorney referral or supervising-counsel approval.", "applicable_enums": [ "ContractLifecycleStage", "ContractObligationCategory", "LegalDocumentClassification" ], "regulatory_basis": "Unauthorized practice of law guardrails; ABA Model Rule 5.5; EU AI Act Article 14 human oversight for high-impact legal assistance; law-firm professional-responsibility controls requiring licensed attorney supervision before actionable legal advice is delivered", "rego_sketch": "package legaltech.contract_boundary\n\nupl_sensitive_requests := {\n \"signing_recommendation\",\n \"legal_deadline_calculation\",\n \"counterparty_acceptance_recommendation\"\n}\n\ndeny[msg] {\n input.legaltech_document_classification == \"contract_agreement\"\n input.request_type in upl_sensitive_requests\n input.requestor_is_attorney != true\n not input.attorney_referral_created == true\n msg := sprintf(\"UPL boundary: request type '%v' for contract '%v' requires attorney referral before any actionable guidance is delivered to a non-attorney requester.\", [input.request_type, input.contract_id])\n}\n\ndeny[msg] {\n input.legaltech_contract_obligation_category == \"renewal_option_window\"\n input.request_type == \"legal_deadline_calculation\"\n not input.supervising_attorney_approved == true\n msg := \"Contract deadline advice with business-reliance risk requires supervising attorney approval or referral before release.\"\n}" }, { "pattern_id": "legaltech.require_partner_signoff_for_privileged_legal_opinions", "pattern_name": "require_partner_signoff_for_privileged_legal_opinions", "enforcement_effect": "require_hitl_approval", "description": "Require supervising-partner sign-off before AI-generated legal opinion memoranda, litigation recommendations, or other privileged work-product is released outside the drafting workflow. This makes the Legal sandbox surface the same partner-approval boundary used in the litigation orchestrator and privilege-review scenarios.", "applicable_enums": [ "LegalDocumentClassification", "LegalPrivilegeStatus", "EDRMLifecycleStage" ], "regulatory_basis": "Attorney-client privilege doctrine; work-product doctrine under FRCP 26(b)(3); ABA Model Rules 1.1, 1.6, and 5.3; EU AI Act Article 14 for human oversight on consequential legal analysis outputs", "rego_sketch": "package legaltech.partner_review\n\nprotected_outputs := {\n \"legal_opinion_memorandum\",\n \"brief_submission\",\n \"motion_application\"\n}\n\nprotected_privilege_statuses := {\n \"attorney_client_privileged\",\n \"work_product_doctrine\",\n \"attorney_client_and_work_product\",\n \"privilege_review_required\"\n}\n\ndeny[msg] {\n input.legaltech_document_classification in protected_outputs\n input.legaltech_document_privilege_status in protected_privilege_statuses\n input.release_scope in {\"client_delivery\", \"court_filing\", \"counterparty_transmission\"}\n not input.supervising_partner_approved == true\n msg := sprintf(\"Privileged legal output '%v' cannot be released to scope '%v' without supervising partner sign-off.\", [input.legaltech_document_classification, input.release_scope])\n}\n\ndeny[msg] {\n input.legaltech_document_privilege_status == \"privilege_review_required\"\n input.release_scope == \"client_delivery\"\n not input.partner_review_completed == true\n msg := \"Privilege review is still pending. Client delivery is blocked until partner review is completed and logged.\"\n}" }, { "pattern_id": "legaltech.block_ai_contract_execution_without_human_authorisation", "pattern_name": "block_ai_contract_execution_without_human_authorisation", "enforcement_effect": "require_hitl_approval", "description": "Block any AI CLM agent from advancing a contract to 'executed' status, or from modifying any term in an 'active' or 'executed' contract, without documented human authorisation. AI may draft, redline, and flag issues but cannot bind the organisation to contractual commitments.", "applicable_enums": [ "ContractLifecycleStage", "ContractRiskFlag", "ContractObligationCategory" ], "regulatory_basis": "Contract law — authority to bind (actual and apparent authority); EU AI Act Article 13 — transparency about AI in consumer contracts; DORA Article 30 — contractual requirements for ICT providers must be human-approved", "rego_sketch": "package legaltech.contract\n\nbinding_stages := {\"executed\", \"active\"}\n\nrequires_human_authorisation := {\"executed\", \"approved\"}\n\nblocking_risk_flags := {\n \"unlimited_liability_exposure\",\n \"data_processing_non_gdpr_compliant\",\n \"missing_dora_ict_clause\",\n \"uncapped_indemnity\"\n}\n\ndeny[msg] {\n input.legaltech_contract_lifecycle_stage in requires_human_authorisation\n not input.human_authorisation_on_file == true\n msg := sprintf(\"Contract Law / DORA Art 30: Advancing contract '%v' to stage '%v' requires documented human authorisation. AI cannot bind the organisation to contractual commitments.\", [input.contract_id, input.legaltech_contract_lifecycle_stage])\n}\n\ndeny[msg] {\n input.legaltech_contract_lifecycle_stage in binding_stages\n input.proposed_action == \"modify_term\"\n not input.attorney_hitl_approved == true\n msg := sprintf(\"Contract amendment on '%v' (stage: '%v') requires attorney review and approval. AI cannot autonomously modify binding contract terms.\", [input.contract_id, input.legaltech_contract_lifecycle_stage])\n}\n\ndeny[msg] {\n input.legaltech_contract_risk_flag in blocking_risk_flags\n not input.attorney_hitl_reviewed == true\n msg := sprintf(\"Contract risk flag '%v' blocks automated advancement. Attorney review and explicit acceptance or resolution required.\", [input.legaltech_contract_risk_flag])\n}" }, { "pattern_id": "legaltech.block_sar_auto_clearance_for_high_risk_aml_alerts", "pattern_name": "block_sar_auto_clearance_for_high_risk_aml_alerts", "enforcement_effect": "deny", "description": "Block AI AML monitoring agents from autonomously clearing high-risk transaction monitoring alerts as 'cleared_no_sar' without compliance analyst review. Protects against AI-driven SAR suppression which is a FinCEN BSA violation.", "applicable_enums": [ "AMLAlertDisposition", "KYCCDDRiskLevel", "SanctionsScreeningMatchType" ], "regulatory_basis": "FinCEN 31 CFR 1020.320 — SAR filing obligation; BSA — Bank Secrecy Act; FinCEN AML/CFT Programme Rule (2024) — Risk-based programme requires analyst review of high-risk alerts; EU AML Regulation Article 69", "rego_sketch": "package regtech.aml\n\nhigh_risk_cdd_levels := {\n \"high_risk_enhanced_due_diligence\",\n \"pep_politically_exposed_person\",\n \"pep_family_member_or_associate\"\n}\n\ndeny[msg] {\n input.regtech_aml_alert_disposition == \"cleared_no_sar\"\n input.regtech_kyc_cdd_risk_level in high_risk_cdd_levels\n not input.compliance_analyst_reviewed == true\n msg := sprintf(\"FinCEN BSA / EU AML Regulation: High-risk customer (CDD level: '%v') alert cannot be auto-cleared. Compliance analyst review mandatory before 'cleared_no_sar' disposition.\", [input.regtech_kyc_cdd_risk_level])\n}\n\ndeny[msg] {\n input.regtech_sanctions_match_type in {\"exact_match\", \"fuzzy_match_high_confidence\", \"entity_ownership_50pct_rule\"}\n input.regtech_aml_alert_disposition not in {\"blocked_frozen\", \"escalated_to_l3_investigation\"}\n msg := sprintf(\"OFAC / EU Sanctions: Sanctions match type '%v' requires immediate blocking and escalation. Cannot be cleared or lowered in severity without compliance officer review and OFAC/competent authority consultation.\", [input.regtech_sanctions_match_type])\n}" }, { "pattern_id": "legaltech.enforce_dpia_gate_for_high_risk_ai_processing", "pattern_name": "enforce_dpia_gate_for_high_risk_ai_processing", "enforcement_effect": "deny", "description": "Block deployment of any AI system that performs high-risk personal data processing (profiling, biometrics, systematic monitoring, large-scale special category data) where a DPIA has not been completed or where the DPIA outcome is unacceptable. Implements GDPR Article 35/36 in automated AI deployment governance.", "applicable_enums": [ "PrivacyImpactAssessmentOutcome", "DataSubjectRightRequestType", "DSRResponseStatus" ], "regulatory_basis": "GDPR Article 35 — DPIA mandatory for high-risk AI processing including systematic profiling, large-scale special category processing, and systematic monitoring; Article 36 — Prior DPA consultation required if DPIA shows high residual risk; Article 83 — Fines up to EUR 20M or 4% global turnover", "rego_sketch": "package regtech.privacy\n\nblocking_dpia_outcomes := {\n \"dpia_required_in_progress\",\n \"dpia_completed_risks_unacceptable\",\n \"dpa_prior_consultation_required\",\n \"dpa_prior_consultation_pending\"\n}\n\ndeny[msg] {\n input.ai_system_processes_personal_data_at_scale == true\n input.regtech_privacy_pia_outcome in blocking_dpia_outcomes\n msg := sprintf(\"GDPR Article 35/36: AI system cannot be deployed for high-risk personal data processing — DPIA status is '%v'. Processing must not commence until DPIA is completed with acceptable outcome and, if required, DPA prior consultation is finalised.\", [input.regtech_privacy_pia_outcome])\n}\n\ndeny[msg] {\n input.regtech_privacy_dsr_response_status == \"overdue\"\n not input.dpo_hitl_notified == true\n msg := \"GDPR Article 12(3): DSR response is overdue. Data Protection Officer must be notified immediately. Supervisory authority complaint risk is elevated.\"\n}" }, { "pattern_id": "legaltech.block_xbrl_filing_with_validation_errors", "pattern_name": "block_xbrl_filing_with_validation_errors", "enforcement_effect": "deny", "description": "Block any AI regulatory filing agent from submitting an XBRL/iXBRL filing to SEC EDGAR or ESMA ESEF where schema validation errors or EFM rule violations have not been resolved. Rejected filings with deadline implications are a material compliance event.", "applicable_enums": [ "RegulatoryFilingStatus", "XBRLValidationErrorType", "SECFilingFormType" ], "regulatory_basis": "SEC EDGAR Filing Manual — Schema validation errors result in filing rejection; ESMA ESEF Regulation — iXBRL validation required before submission; SEC rules on timely filing for large accelerated filers", "rego_sketch": "package regtech.filings\n\nblocking_error_types := {\n \"schema_validation_error\",\n \"missing_required_element\",\n \"efm_rule_violation\",\n \"taxonomy_element_not_found\"\n}\n\ndeadline_sensitive_forms := {\n \"10_K\", \"10_Q\", \"20_F\", \"8_K\", \"DEF_14A\"\n}\n\ndeny[msg] {\n input.regtech_filing_status == \"validation_failed\"\n msg := \"EDGAR/ESMA: Filing cannot be submitted while in 'validation_failed' status. All XBRL schema errors must be resolved before submission.\"\n}\n\ndeny[msg] {\n input.regtech_xbrl_validation_error_type in blocking_error_types\n input.submission_attempted == true\n msg := sprintf(\"XBRL Validation: Error type '%v' is a blocking error. Filing submission blocked until error is resolved.\", [input.regtech_xbrl_validation_error_type])\n}\n\ndeny[msg] {\n input.regtech_filing_status == \"overdue\"\n input.regtech_sec_form_type in deadline_sensitive_forms\n not input.cco_hitl_notified == true\n msg := sprintf(\"SEC Filing Deadline: Form '%v' is overdue. Chief Compliance Officer must be notified immediately. Late filing analysis and potential Form 12b-25 extension assessment required.\", [input.regtech_sec_form_type])\n}" }, { "pattern_id": "legaltech.enforce_privilege_protection_gate_for_ai_document_disclosure", "pattern_name": "enforce_privilege_protection_gate_for_ai_document_disclosure", "enforcement_effect": "deny", "description": "Block any AI legal document agent from disclosing, summarising to unauthorised recipients, or using as AI training data any document marked with a privilege status other than 'not_privileged'. Inadvertent privilege waiver cannot be undone — AI must block before asking for attorney confirmation.", "applicable_enums": [ "LegalPrivilegeStatus", "LegalDocumentClassification", "EDRMLifecycleStage" ], "regulatory_basis": "Attorney-client privilege doctrine (common law); FRE Rule 502 — Inadvertent disclosure clawback; Work product doctrine — FRCP Rule 26(b)(3); GDPR Article 9 — LPP data may be special category in some EU jurisdictions", "rego_sketch": "package legaltech.privilege\n\nprotected_privilege_statuses := {\n \"attorney_client_privileged\",\n \"work_product_doctrine\",\n \"attorney_client_and_work_product\",\n \"common_interest_privilege\",\n \"deliberative_process_privilege\",\n \"privilege_review_required\"\n}\n\nrestricted_actions := {\"disclose\", \"summarise_to_third_party\", \"use_for_training\", \"transmit_to_counterparty\"}\n\ndeny[msg] {\n input.legaltech_document_privilege_status in protected_privilege_statuses\n input.requested_action in restricted_actions\n not input.attorney_hitl_authorised == true\n msg := sprintf(\"Privilege Protection: Document with privilege status '%v' cannot be '%v' without explicit attorney authorisation. Inadvertent waiver is irreversible.\", [input.legaltech_document_privilege_status, input.requested_action])\n}\n\ndeny[msg] {\n input.legaltech_document_privilege_status == \"privilege_waived_inadvertent\"\n not input.legal_counsel_hitl_notified == true\n msg := \"FRE 502(b): Inadvertent privilege waiver detected. Legal counsel must be notified immediately to initiate clawback procedures. All further use of this document is blocked pending clawback assessment.\"\n}" } ] }, "agent_registry_fields": { "description": "Recommended fields for registering a legal or RegTech domain agentic AI system in the GRC portal. Supplements the core agent identity schema from 00_core_sdk_and_governance.json.", "fields": [ { "field": "legal_practice_jurisdiction", "type": "array", "description": "Jurisdictions in which this AI agent provides legal analysis, contract drafting, or compliance advice. Determines unauthorized practice of law (UPL) risk profile and required attorney supervision level. Typical values include US_federal, US_state_specific, EU_member_state, UK, multi_jurisdictional, and non_legal_analysis_only.", "required_when": "All AI agents performing legal document drafting, contract analysis, regulatory interpretation, or compliance advice functions" }, { "field": "attorney_supervision_model", "type": "string", "description": "The attorney supervision model under which this AI agent operates. Determines UPL compliance posture and whether AI outputs are protected by attorney-client privilege. Use values such as attorney_in_loop_all_outputs, attorney_review_high_risk_only, attorney_supervised_product, or no_attorney_supervision_non_legal.", "required_when": "All AI agents producing legal analysis, drafting legal documents, or providing compliance guidance" }, { "field": "privilege_boundary_enforced", "type": "boolean", "description": "True if this AI agent has documented privilege boundary controls preventing disclosure of privileged materials to unauthorised parties, preventing use of privileged documents as AI training data, and logging all access to privileged documents.", "required_when": "All AI agents with access to legal document repositories containing potentially privileged materials" }, { "field": "aml_fiu_registration", "type": "string", "description": "If this AI agent is deployed at an EU/UK/US regulated entity for AML transaction monitoring, the FIU (Financial Intelligence Unit) or FinCEN registration number of the reporting entity. Links AI-generated SARs to the correct reporting institution.", "required_when": "AI AML transaction monitoring and SAR generation agents at regulated financial institutions" }, { "field": "ofac_sanctions_list_version", "type": "string", "description": "Version or date of the OFAC SDN list used by this AI sanctions screening agent. OFAC updates the SDN list frequently — AI screening agents must document the list version for each screening event.", "required_when": "All AI sanctions screening agents" }, { "field": "dpo_registered", "type": "boolean", "description": "True if the organisation has a registered Data Protection Officer (DPO) per GDPR Article 37 and the DPO has been consulted on the deployment of this AI system for personal data processing.", "required_when": "All AI agents processing personal data subject to GDPR Article 35 DPIA requirements" }, { "field": "sec_edgar_cik", "type": "string", "description": "SEC EDGAR Central Index Key (CIK) for the reporting company on whose behalf this AI regulatory filing agent prepares and submits SEC filings.", "required_when": "AI agents preparing or submitting SEC EDGAR filings" }, { "field": "edrm_chain_of_custody_enabled", "type": "boolean", "description": "True if this AI e-discovery agent maintains a FRCP-compliant chain of custody log for all ESI it processes, collecting, reviewing, or producing. Required for defensibility of AI-assisted e-discovery in federal litigation.", "required_when": "All AI e-discovery agents operating on ESI subject to federal court discovery obligations" } ] } }