Doc · 07 / Governance
— Governance · controls & assuranceSheet 07 / 11
Controls that can be tested,
reconstructed and explained.
Springwood is built so that the decision record is a by-product of the workflow. The same file used to assess the customer, monitor the transaction or investigate the alert is the file produced for the regulator. Nothing reassembled at the end.
- Control areas
- 6 governance domains
One substrate (M.00) - Pattern
- Reconstructable
by construction - Audience
- MLRO · QA
Audit · Board
§ 01 / Control register
01.Section one
Six control areas
Substrate M.00
Six control areas
Substrate M.00
Six control areas.
One substrate.
§ 01 / Register
| Ref. | Control area | Scope | Owner |
|---|---|---|---|
| G.01 | Policy rules | Customer due diligence procedures, KYB requirements, screening rules, scenarios, thresholds and approval routes encoded as versioned workflows. Each rule traceable to the policy clause it implements. | MLRO · Policy |
| G.02 | Model governance | Risk-scoring, anomaly-detection, OSINT and AI-assistance models registered with version, validation evidence, performance metrics, drift monitoring and approved use cases. | Model risk |
| G.03 | Scenario governance | Monitoring scenarios tested against historical data, benchmarked against current outcomes, calibrated for false positives, false negatives and analyst load. | Compliance ops |
| G.04 | Decision records | Every approval, reject, RFI, SAR draft and override captured with user, role, timestamp, reason code, supporting evidence and approval route. No silent decisions. | All users |
| G.05 | Audit packs | Case-level, control-level and portfolio-level audit exports generated on demand — for internal audit, external audit, supervisory review and FIU production. | Audit · Legal |
| G.06 | Retention & privacy | Data minimisation, retention schedules, legal holds, deletion routines, redaction for restricted access, role-based visibility and subject-access response support. | DPO · Legal |
§ 02 / Supervisory readiness
02.Section two
Readiness checklist
What examiners ask
Readiness checklist
What examiners ask
Ready for the questions
before they're asked.
§ 02 / Body
Supervisory expectations converge on the same set of questions: Can you show how this decision was made? Who approved it? What was the evidence at the time? What has changed since?
Springwood is designed so each of these has an answer on the file. Not assembled later — written as the work was performed. The checklist alongside is what an examiner can ask of any case opened in the system.
- Decision provenanceWho decided, on what evidence, against which policy clause.
- Model transparencyVersion, variables and inputs behind every risk score.
- Override trailWho overrode automation, with what reason and what approval.
- Change historyEvery rule, scenario and threshold versioned and dated.
- Evidence retentionSource documents, screening results and OSINT links retained.
- Audit exportCase packs, control packs and portfolio reports on demand.
§ 03 / Audit-as-file
03.Section three
The working file
is the audit file
The working file
is the audit file
The audit file is
the working file.
Fig. 03.AAudit-as-file · investigation workspace
Caption ▸The investigation workspace is not a system that produces audit evidence at the end — it is the audit evidence. Entity network, profile, counterparties, transaction history and approval routes are all part of the same record, time-stamped and reconstructable. Nothing is exported into a separate "audit system" later.
By constructionReconstructable
Audit-retained
Audit-retained
§ 04 / Audit pack
04.Section four
What an audit pack contains
Exported on demand
What an audit pack contains
Exported on demand
An audit pack, written
as the case was worked.
§ 04 / Register
| Ref. | Pack item | Scope | Retention |
|---|---|---|---|
| A.01 | Identity evidence | Captured documents, NFC chip data, liveness output, address verification, registry data and document set with timestamps and source. | Policy-defined |
| A.02 | Profile record | KYC, KYB, ownership graph, control map, expected activity, source of funds and risk classification at intake and through life. | Through life |
| A.03 | Screening history | Sanctions, PEP, adverse media and counterparty exposure results, with date, source, match logic and disposition. | Continuous |
| A.04 | Transaction record | Underlying transactions, alerts triggered, scenarios applied, model outputs and analyst dispositions with reason codes. | Through life |
| A.05 | Investigation file | Network, counterparties, OSINT links, internal notes, evidence attachments, AI-assist summaries and approval route. | Through life |
| A.06 | Reporting record | SAR / STR drafts, approvals, submitted versions, FIU correspondence, redaction record and post-report monitoring. | Regulatory |
CTA / Governance briefing
Less time assembling.
More time deciding.
Springwood is designed for compliance and audit functions that need stronger records produced from less manual work. Brief the team on your current governance pain points.