Compliance

Understanding compliance features in Islamic Open Finance™. The platform is designed with Compliance by Design — all 13 regulatory frameworks are enforced at every layer, not bolted on afterward.

Compliance Layers

graph TB
    subgraph layers ["Compliance Layers"]
        A["Shariah Compliance\nAAOIFI, IFSB"]
        B["Regulatory Compliance\nBasel III/IV, PSD2, DORA, NIS2, EBA"]
        C["AML/CFT Compliance\nSanctions, PEP, transaction monitoring"]
        D["Data Compliance\nGDPR, SOC2 Type II, ISO 27001"]
        E["Financial Reporting\nIFRS 9, ISO 20022, ISO 22301"]
        F["Supply Chain Security\nSLSA, SBOM, DAST"]
    end
    A --> B --> C --> D --> E --> F

    style layers fill:#f5f5f5,stroke:#1a5f4a,stroke-width:2px
    style A fill:#1a5f4a,color:#fff,stroke:#1a5f4a
    style B fill:#1565c0,color:#fff,stroke:#1565c0
    style C fill:#e65100,color:#fff,stroke:#e65100
    style D fill:#7b1fa2,color:#fff,stroke:#7b1fa2
    style E fill:#0d47a1,color:#fff,stroke:#0d47a1
    style F fill:#4a148c,color:#fff,stroke:#4a148c

Supported Frameworks (13)

Islamic Finance Standards

Framework	Standard	Coverage	Status
AAOIFI	Shariah Standards SS-8 through SS-39	All Islamic contract types, Shariah board governance, annual Shariah audit	Implemented
IFSB	Prudential standards for Islamic financial services	Capital adequacy, risk management, corporate governance	Implemented

EU/UK Regulatory

Framework	Standard	Coverage	Status
PSD2	Payment Services Directive 2	Strong Customer Authentication (SCA), secure communication, TPP authorization	Implemented
DORA	Digital Operational Resilience Act	ICT risk management, incident reporting, operational resilience testing	Implemented
NIS2	Network and Information Security Directive	Security measures, incident reporting, supply chain security	Implemented
EBA	European Banking Authority ICT Guidelines	ICT governance, risk management, outsourcing oversight	Implemented

Information Security

Framework	Standard	Coverage	Status
SOC2 Type II	AICPA Trust Services Criteria	Audit trails, encryption, access controls, change management	Implemented
GDPR	General Data Protection Regulation	Data minimization, consent, right to erasure, data portability	Implemented
ISO 27001	Information Security Management System	ISMS, risk assessment, incident response, business continuity	Implemented
ISO 22301	Business Continuity Management	BCM plan, important business services, disaster recovery	Implemented

Financial Standards

Framework	Standard	Coverage	Status
ISO 20022	Financial Messaging Standard	XML/JSON schemas, standardized identifiers (ISIN, LEI, BIC)	Implemented
Basel III/IV	Banking Supervision Framework	Capital adequacy, leverage ratio, liquidity coverage	Implemented
IFRS 9	Financial Instruments Standard	Expected credit loss (ECL) calculation, impairment, classification	Implemented

Software Supply Chain

Framework	Standard	Coverage	Status
SLSA	Supply-chain Levels for Software Artifacts	Build provenance, source integrity, build platform security	Implemented
SBOM	Software Bill of Materials	Dependency tracking, vulnerability scanning, license compliance	Implemented

AAOIFI (Shariah Standards)

Every Islamic contract schema includes Shariah compliance metadata:

const contract = await iof.contracts.create({
  type: "MURABAHA",
  shariahStructure: {
    standard: "SS-8", // AAOIFI Shariah Standard
    boardApproval: "SB-2024-042",
    fatwahReference: "FATWA-2024-003",
    annualAudit: true,
    complianceChecks: [
      { rule: "no_riba", required: true },
      { rule: "asset_backed", required: true },
      { rule: "gharar_free", required: true },
    ],
  },
});

IFSB (Prudential Standards)

Capital adequacy and risk management for Islamic financial institutions:

const report = await iof.compliance.checkIFSB({
  tenantId: "tenant_123",
  standards: ["IFSB-15", "IFSB-16"], // Capital adequacy, supervisory review
  period: "2024-Q4",
});

SOC2 Type II

Audit trails on all data access with structured logging:

// Every API endpoint logs: who, what, when, why
const auditEntry = {
  actor: request.user.id,
  action: "contract.create",
  resource: "contract_abc123",
  timestamp: new Date().toISOString(),
  reason: "Customer requested Murabaha financing",
  result: "success",
  ipAddress: request.ip,
  sessionId: request.sessionId,
};

Data protection with consent management and right to erasure:

// Data subject rights
await iof.privacy.handleRequest({
  type: "RIGHT_TO_ERASURE",
  dataSubject: "user@example.com",
  requestId: "DSR-2024-001",
  verifiedIdentity: true,
});

// Consent management
await iof.privacy.recordConsent({
  dataSubject: "user@example.com",
  purpose: "contract_processing",
  lawfulBasis: "CONSENT",
  consentGiven: true,
  timestamp: new Date().toISOString(),
});

PSD2

Strong Customer Authentication and secure payment processing:

// SCA challenge
const authResult = await iof.auth.performSCA({
  transactionId: "txn_123",
  factors: ["knowledge", "possession"], // Two-factor minimum
  amount: { value: 5000, currency: "EUR" },
});

// TPP authorization
const tppAccess = await iof.openBanking.authorizeTPP({
  tppId: "TPP-2024-001",
  scope: ["accounts", "payments"],
  consentId: "consent_abc",
});

PSD3 / PSR (Designed-for)

Status: Designed-for, not yet certified. PSD3 + PSR (COM(2023) 366/367) has not entered into force; expected per-member-state transposition 2025–2026. IOF carries PSD3 as a forward-compatible regime alongside PSD2 (still active). Customers receive an explicit advisory in their compliance pack until the directive transposes into national law.

PSD3 + the companion Payment Services Regulation (PSR) modernise the EU framework with: (1) enhanced SCA exemptions, (2) mandatory IBAN-name verification (Verification of Payee, VOP) on credit transfers, (3) liability shifts on instant-payment fraud, (4) Open Finance access via the Financial Data Access (FIDA) regulation extending data scope beyond payment accounts to investment, savings, pension, mortgage, and lending data, (5) merger of EMD2 into the unified framework, and (6) explicit cash-withdrawal services scope.

// Verification of Payee (VOP) on a credit transfer — PSD3 / PSR requirement
const vop = await iof.psd3.vop.check({
  iban: "AE070331234567890123456",
  expectedName: "Acme Corp",
  matchPolicy: "exact|fuzzy", // PSP-set policy per PSR draft
});
// vop.status: 'match' | 'partial-match' | 'no-match'
// vop.attestationId: persisted to evidence pack for audit

// FIDA Open Finance scope grant — only the data subject can grant
const grant = await iof.psd3.fida.scopes.grant({
  subjectId: "subj_123",
  grantedTo: "data_user_456",
  scopes: ["payment-account", "savings-account", "investment-account"],
  expiresAt: "2027-05-01T00:00:00Z",
});

// Instant-payment fraud monitoring — emits structured signals to PSP-to-PSP sharing
const fraudSignal = await iof.psd3.fraud.monitor({
  paymentId: "pay_abc",
  riskScore: 0.32,
  velocityFlags: ["new_payee", "round_amount"],
  liabilityFramework: "psd3_instant_payment",
});

Cerbos resource policy: config/cerbos/policies/psd3.yaml. Glossary entry: /glossary/psd3.

ISO 27001

Information Security Management System controls:

// Risk assessment
const assessment = await iof.security.assessRisk({
  asset: "customer_database",
  threats: ["unauthorized_access", "data_breach"],
  vulnerabilities: ["weak_encryption"],
  impact: "HIGH",
  likelihood: "MEDIUM",
  controls: ["encryption_at_rest", "access_control", "audit_logging"],
});

ISO 20022

All financial messages use ISO 20022 standardized schemas:

// Payment initiation (pain.001)
const payment = await iof.payments.create({
  schema: "pain.001.001.09",
  messageId: "MSG-2024-001",
  creditor: {
    name: "Acme Corp",
    iban: "AE070331234567890123456",
    bic: "NBADAEAA",
  },
  amount: { value: 10000, currency: "AED" },
  purpose: "MURABAHA_INSTALLMENT",
});

ISO 22301

Business Continuity Management with defined recovery objectives:

// Business impact analysis
const bia = await iof.continuity.assessImpact({
  service: "rail-api",
  rto: "4h", // Recovery Time Objective
  rpo: "1h", // Recovery Point Objective
  mtpd: "24h", // Maximum Tolerable Period of Disruption
  classification: "IMPORTANT_BUSINESS_SERVICE",
});

Basel III/IV

Capital adequacy and liquidity monitoring:

// Capital adequacy ratio
const car = await iof.basel.calculateCAR({
  tenantId: "tenant_123",
  period: "2024-Q4",
  riskWeightedAssets: 50000000,
  tier1Capital: 8000000,
  tier2Capital: 2000000,
});

// Liquidity Coverage Ratio
const lcr = await iof.basel.calculateLCR({
  tenantId: "tenant_123",
  hqla: 15000000,
  netCashOutflows: 12000000,
});

IFRS 9

Expected Credit Loss calculation and financial instrument classification:

// ECL calculation
const ecl = await iof.ifrs9.calculateECL({
  portfolio: "islamic_financing",
  method: "SIMPLIFIED", // or GENERAL
  stage: 1, // Stage 1: 12-month ECL
  exposureAtDefault: 1000000,
  probabilityOfDefault: 0.02,
  lossGivenDefault: 0.45,
});

DORA

Digital Operational Resilience testing and incident reporting:

// ICT risk assessment
const riskReport = await iof.resilience.assessICTRisk({
  service: "rail-api",
  category: "THIRD_PARTY",
  provider: "AWS",
  criticality: "CRITICAL",
  controls: ["redundancy", "failover", "monitoring"],
});

// Incident reporting (within 4-hour window)
await iof.resilience.reportIncident({
  type: "ICT_INCIDENT",
  severity: "MAJOR",
  detectedAt: new Date().toISOString(),
  affectedServices: ["payment-processing"],
  preliminaryAssessment: "Service degradation due to cloud provider issue",
});

NIS2

Network and information security measures:

// Security posture check
const posture = await iof.security.checkNIS2Compliance({
  measures: [
    "risk_analysis",
    "incident_handling",
    "business_continuity",
    "supply_chain_security",
    "vulnerability_disclosure",
  ],
  reportingReady: true,
});

SLSA & SBOM

Software supply chain security:

// Build provenance verification
const provenance = await iof.supplyChain.verifyProvenance({
  artifact: "rail-api:v2.1.0",
  slsaLevel: 3, // SLSA Level 3
  buildPlatform: "github-actions",
  sourceRepo: "Islamic-Open-Finance/app",
});

// SBOM generation
const sbom = await iof.supplyChain.generateSBOM({
  format: "CycloneDX", // or SPDX
  scope: "production",
  includeTransitive: true,
});

Compliance Evidence Packs

Generate evidence packs for auditors:

const pack = await iof.compliance.generateEvidencePack({
  framework: "SOC2",
  period: { start: "2024-01-01", end: "2024-12-31" },
  controls: ["CC6.1", "CC6.3", "CC6.7", "CC7.2"],
  format: "pdf",
  includeScreenshots: true,
  includeLogExcerpts: true,
});

Shariah Compliance

Automatic validation of Islamic finance principles:

const check = await iof.compliance.checkShariah({
  contractId: "contract_123",
});

// {
//   compliant: true,
//   checks: [
//     { rule: "no_riba", passed: true, details: "No interest charges" },
//     { rule: "asset_backed", passed: true, details: "Underlying asset identified" },
//     { rule: "gharar", passed: true, details: "Terms are clear and certain" }
//   ]
// }

Supported Jurisdictions

Code	Jurisdiction	Framework	Key Regulations
MY	Malaysia	BNM Shariah	IFSA 2013, BNM Guidelines
AE	UAE	CBUAE	CBUAE Circular, ESCA Rules
SA	Saudi Arabia	SAMA	SAMA Rules, CMA Regulations
BH	Bahrain	CBB	CBB Rulebook, IIRA Standards
GB	United Kingdom	FCA	FCA Handbook, PRA Rules
SG	Singapore	MAS	MAS Guidelines, SFA
EU	European Union	EBA/ECB	CRR/CRD, PSD2, DORA, NIS2

Real-time Monitoring

Set up compliance alerts:

await iof.compliance.createAlert({
  type: "threshold_breach",
  conditions: {
    metric: "exposure",
    operator: "gt",
    value: 1000000,
  },
  webhook: "https://yourapp.com/alerts",
});

Compliance Reports

Generate regulatory reports:

const report = await iof.compliance.generateReport({
  type: "AAOIFI_FAS",
  period: { start: "2024-01-01", end: "2024-12-31" },
  format: "pdf",
});

Next Steps

Compliance API - Full API reference
AML Rail - Anti-money laundering
Basel Capital API - Capital adequacy endpoints
IFRS 9 ECL API - Expected credit loss endpoints