UK DUAA right to complain: enforces 19 June 2026 · EU AI Act high-risk: enforces 2 August 2026

Fintech AI governance

Your name is on every AI decision.
Is the governance trail there to back you up?

SMCR puts a Senior Manager on every material AI decision. Consumer Duty makes outcomes your liability. The EU AI Act and DORA require documented, live risk controls, not policy documents written after the fact. OBEXGATE enforces governance at the moment of action and produces the evidence trail that survives regulatory scrutiny.

FCA · PRA · SMCR · Consumer Duty · EU AI Act · DORA · GDPR · UK GDPR · NIS2 · Model Risk · PCI DSS

The problem

Most financial services AI is running without governed decision trails.

Affordability assessments. Fraud scores. Credit decisions. Customer triage. Vendor-embedded models making recommendations in your name. If an FCA supervisor, an audit committee, or a Senior Manager asked right now what governed each of those decisions at the moment it was taken, could you answer?

A governance framework in a document is not governance. A log reviewed on Friday is not runtime control. Post-hoc audit trails are not the same as a live enforcement gate. The regulatory environment has moved, and the gap between a policy that exists and a control that operates at the point of action is where liability lives.

SMCR: Named Senior Managers carry personal accountability for AI systems within their remit. Governance that cannot be evidenced at decision level does not discharge that responsibility.

Consumer Duty: Outcomes must be demonstrably good. Where AI influences a customer outcome, the basis of that decision needs to be retrievable, auditable, and defensible.

EU AI Act: High-risk AI systems in credit, insurance, and employment require a live risk management system with documented controls. A static risk assessment filed at deployment does not satisfy Article 9.

DORA: ICT risk management, including third-party AI, must be monitored and documented continuously. Vendor-embedded models are inside your risk boundary whether you govern them or not.

Governance at the point of action, not the day after.

Most governance tools tell you what happened. OBEXGATE operates before the action executes. The Witness Tetrad intercepts AI outputs, evaluates them against your live policy and regulatory controls, and either permits, flags, holds, or blocks. Every decision produces a timestamped, attributable record that captures what governed it.

That is not a log. It is a governance receipt: the evidence that a control was active, a policy applied, and a named authority was responsible at the exact moment the AI system acted.

AI output arrives

A credit decision, a fraud flag, a customer communication, a vendor model recommendation.

OBEXGATE evaluates

The output is assessed against your live policy rules, regulatory controls, and governance thresholds.

Outcome enforced

Allow, Warn, Hold, Block, or Stop. The decision is made at runtime, not surfaced for review three days later.

Evidence captured

Timestamped governance receipt: what acted, what governed it, who owned it, which authority applied.

Every dimension of financial AI risk, governed at the point it matters.

Each concern area maps directly to the regulatory obligations and internal control frameworks your AI estate is subject to.

Operational risk

Control before the process runs

Evaluate whether an AI-enabled process meets current risk controls before it executes. Captures the live governance state at the moment of action rather than reconstructing it after an incident. Directly supports PRA model risk management expectations, DORA ICT risk requirements, and internal risk control frameworks that require documented, continuous monitoring.

PRA · DORA · Model Risk · Operational Resilience

Decision accountability

Named ownership at every decision

Preserve who authorised the action, which policy applied, and what the AI system produced. Under SMCR, Senior Manager accountability cannot be discharged by a governance framework that exists only as a document. OBEXGATE creates a retrievable, timestamped record that attributes responsibility at decision level, directly supporting FCA audit trail expectations and EU AI Act Article 9 documentation requirements.

SMCR · FCA · EU AI Act · UK GDPR

Customer impact

Governed outcomes, defensible records

Record the decision context, policy basis, and available remediation routes for every customer-facing AI action. Consumer Duty requires firms to demonstrate that AI-influenced outcomes are good outcomes. GDPR Article 22 and its UK equivalent require that automated decisions can be explained. OBEXGATE produces the record that satisfies both without manual reconstruction after the fact.

Consumer Duty · FCA · GDPR · UK GDPR · Conduct Risk

Regulatory exposure

Controls mapped to specific obligations

Map conduct risk, model risk, data protection, and senior accountability requirements directly into enforcement gates. Rather than maintaining separate compliance artefacts for each framework, OBEXGATE's Cross-Mapping layer evaluates a single AI action against multiple simultaneous regulatory requirements, covering FCA and PRA supervisory expectations, NIS2 cybersecurity obligations, and EU AI Act Article 9 risk management provisions.

FCA · PRA · NIS2 · EU AI Act · Model Risk

Fraud and risk scoring

Governed scoring, not just a number

Enforce governance controls around AI-generated fraud scores and risk decisions before they are acted upon. Maintains an auditable record of the inputs, thresholds, and policy basis applied at the moment of scoring. Supports PRA and EBA model risk management expectations for AI-driven risk models, and PCI DSS requirements where payment system decisions are in scope.

PRA · EBA Guidelines · Model Risk · PCI DSS · GDPR

Vendor and platform risk

Third-party AI inside your risk boundary

Extend governance controls to AI supplied by third parties, embedded models, and platform-level AI features acting in your name. DORA Article 28 makes ICT third-party risk a documented, monitored obligation. FCA outsourcing rules require that critical functions remain governable regardless of delivery mechanism. OBEXGATE reaches into vendor-embedded AI so the governance boundary does not stop at your own code.

DORA · FCA · Operational Resilience · NIS2

Evidence that survives the question.

When a supervisor, an audit committee, or a Senior Manager asks what governed an AI decision, OBEXGATE produces a structured record that answers the question directly. Not a log. Not a reconstructed narrative. A governance receipt.

Timestamped at action

The record is created at the moment the decision is taken, not assembled from logs after the fact.

Attributed ownership

The Senior Manager, policy, and authority that governed the decision are captured in the record.

Policy and rule basis

The specific governance controls and thresholds active at decision time are recorded, not assumed.

Multi-framework mapped

A single action can be evaluated simultaneously against SMCR, Consumer Duty, EU AI Act, and DORA requirements.

Remediation routes

Where a decision is flagged, held, or blocked, the governance record captures the basis and the available remediation path.

Vendor-attributed

Where an action originated in a third-party model, the governance record identifies the source and the controls that applied.

In place before the next audit cycle.

OBEXGATE does not require a 12-month implementation programme. Observer Mode lets you start with monitoring and evidence capture across your existing AI stack before any enforcement gates are activated. You see what OBEXGATE would have flagged in your current environment before a single process changes.

  • Observer Mode first. Monitor and capture evidence across your live AI stack without touching existing processes.
  • Incremental enforcement. Activate governance gates on a process-by-process basis as your team is ready.
  • Vendor AI included. Governance coverage extends to third-party and platform-embedded models from day one.
  • No enterprise team required. Designed for teams that carry governance responsibility without a dedicated AI governance function.
  • Evidence from day one. The governance record starts accumulating the moment OBEXGATE is active, giving you an audit trail from the point of deployment.

Find out what OBEXGATE would flag in your AI estate today.

The AI governance diagnostic takes 15 minutes and produces a structured assessment of your current exposure across the frameworks that apply to your operations. Bring it to your next risk committee, audit conversation, or SMCR review.

No commitment. Produces a report you can use internally.

Information contained is not legal or financial advice or a guarantee of outcome. Regulatory requirements change and should be verified against current published guidance, legislation, and regulator materials.