FSI Compliance
Feature row 35 — Sprints FSI / FSI.1
The FSI Compliance Framework is included on the Enterprise plan.
Scope
Financial services institutions operate under a layered set of regulators and frameworks that go beyond SOC 2 / ISO / NIST. Behavry's FSI module maps 13 requirements across six frameworks:
- OCC SR 11-7 — Model Risk Management
- NYDFS 23 NYCRR Part 500 — Cybersecurity Requirements for Financial Services Companies
- SEC Rule 206(4)-7 — Investment Adviser Compliance Procedures
- SEC Rule 204-2 — Books and Records
- Reg S-P — Privacy of Consumer Financial Information
- SEC Fiduciary Duty — Anti-fraud provisions
Source: backend/behavry/compliance/fsi.py. UI: Compliance → FSI.
What it adds beyond base compliance
Generic SOC 2 / ISO mapping is necessary but not sufficient for FSI. The FSI module adds:
- Model risk controls — evidence that AI agents doing anything resembling model output (credit decisioning, advisor recommendations, trading signals) are governed with SR 11-7 lifecycle controls
- Investment adviser logs — SEC Rule 204-2 requires specific records for investment advisers; the FSI module maps the audit log fields directly to those record requirements
- Consumer financial privacy — Reg S-P's safeguards requirements are mapped to the DLP scanner and data protection pipeline
- Cybersecurity program — NYDFS 500 sections map to multi-factor auth, encryption, incident response, and vendor management
The 13 requirements
| Framework | Ref | Behavry answer |
|---|---|---|
| OCC SR 11-7 | Governance | Policy Writer + Change Requests |
| OCC SR 11-7 | Validation | ARS + Red Team → Policy Automation |
| OCC SR 11-7 | Ongoing monitoring | Behavioral Monitor, Intent Drift |
| NYDFS 500.03 | Cybersecurity program | Policy Engine, Audit log |
| NYDFS 500.05 | Penetration testing & vulnerability assessments | ARS, MCP Attack Probing (when Sprint MP ships) |
| NYDFS 500.06 | Audit trail | Decision Trace, hash-chained log |
| NYDFS 500.09 | Risk assessment | Behavioral Risk Framework |
| NYDFS 500.12 | Multi-factor authentication | SSO / OIDC / SAML |
| NYDFS 500.14 | Training & monitoring | Human AI Governance |
| SEC 204-2 | Books and records | Long-retention audit export |
| SEC 206(4)-7 | Compliance procedures | Policy version history |
| Reg S-P | Safeguards rule | DLP + Data Protection Pipeline |
| SEC Fiduciary Duty | Anti-fraud surveillance | Behavioral Monitor + Alerts |
FSI-specific DLP patterns
- Brokerage account numbers
- CUSIP (US securities identifier)
- SWIFT / BIC codes
- Trading symbol + volume proximity (flags potential front-running)
- MNPI markers — material non-public information keywords in proximity to names or tickers
All matches are tagged fsi:sensitive in the DLP taxonomy.
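As an added illustration of how the CUSIP and SWIFT/BIC patterns can be kept low-noise, here is a Python example written for this page (not Behavry's own fsi.py code; the regexes, the country-code subset and the sample text are assumptions constructed for it). CUSIP candidates are confirmed with the standard modulus-10 double-add-double check digit, and BIC candidates, which carry no check digit, are filtered on their country-code field so ordinary uppercase words are not flagged.

```python
import re

# Candidate patterns, assumed for this example (Behavry's own fsi.py patterns
# are not reproduced here). Both are anchored on word boundaries.
CUSIP_RE = re.compile(r"\b[0-9A-Z]{8}[0-9]\b")
BIC_RE = re.compile(r"\b[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b")

# A BIC carries no check digit, so the only structural check is that
# characters 5-6 form an ISO 3166 country code. Constructed subset for the
# example; a real scanner would load the full ISO list.
KNOWN_COUNTRY_CODES = {"DE", "GB", "US", "CH", "FR", "JP"}

def cusip_char_value(ch: str) -> int:
    """Map a CUSIP character to its value (0-9, A-Z = 10-35, * @ # = 36-38)."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    return {"*": 36, "@": 37, "#": 38}[ch]

def cusip_check_digit(base8: str) -> int:
    """Modulus-10 double-add-double check digit over the first 8 characters."""
    total = 0
    for i, ch in enumerate(base8):
        v = cusip_char_value(ch)
        if i % 2 == 1:  # every second character (2nd, 4th, ...) is doubled
            v *= 2
        total += v // 10 + v % 10  # add the digits of v, not v itself
    return (10 - total % 10) % 10

def is_valid_cusip(candidate: str) -> bool:
    return (len(candidate) == 9 and candidate[8].isdigit()
            and cusip_check_digit(candidate[:8]) == int(candidate[8]))

def scan_fsi_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (pattern, match) pairs that survive the structural checks."""
    hits = []
    for m in CUSIP_RE.finditer(text):
        if is_valid_cusip(m.group()):  # drops 9-char numbers with a bad checksum
            hits.append(("cusip", m.group()))
    for m in BIC_RE.finditer(text):
        if m.group()[4:6] in KNOWN_COUNTRY_CODES:  # drops plain uppercase words
            hits.append(("swift_bic", m.group()))
    return hits

# Constructed sample: two real-format CUSIPs, one with a bad check digit,
# one BIC with a branch code, and an uppercase word shaped like a BIC.
SAMPLE = ("Allocate 500 shares of 037833100 via DEUTDEFF500 before PAYMENTS "
          "close; ref 037833101 and 594918104.")
```

Running scan_fsi_identifiers(SAMPLE) yields the two checksum-valid CUSIPs and the BIC, while 037833101 and PAYMENTS are dropped.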
Export
GET /api/v1/compliance/fsi/export?format=pdf|csv|json
The PDF is formatted for regulator submission, with a signature block and an evidence appendix for each requirement.