The $35 Million Question: Can You Prove What Your AI Did?
The EU AI Act penalty for prohibited AI practices: €35 million or 7% of global turnover.
MiFID II RTS 25 requires 100 microsecond UTC accuracy for high-frequency trading timestamps.
SEC Rule 17a-4 demands 6-year retention in WORM-compliant storage.
DORA requires incident reports within 4 hours containing 101 data points.
If your trading algorithm makes a bad decision tomorrow, can your audit system satisfy all of these requirements simultaneously?
For most financial institutions, the honest answer is: probably not.
The Regulatory Patchwork Problem
Financial services AI faces a unique compliance challenge: there's no single standard for AI audit trails. Instead, there's a patchwork of overlapping requirements across jurisdictions and subsectors.
The Global Regulatory Matrix
| Requirement | EU | US | UK | Singapore | Australia |
|---|---|---|---|---|---|
| Timestamp precision | 100μs (HFT) | 50ms (CAT) | 100μs (MiFID equivalent) | Not specified | Not specified |
| Retention period | 5-7 years | 6 years | 6 years | 5 years | 7 years |
| AI-specific logging | EU AI Act Art.12 | SR 11-7 (Fed) | FCA guidance | MAS AI guidelines | APRA CPS 234 |
| Incident reporting | 4 hours (DORA) | "Prompt" | "Promptly" | 24 hours (material) | 24 hours |
| Storage format | Not specified | WORM required | WORM recommended | Not specified | Not specified |
Every institution operating globally must satisfy the union of all applicable requirements—effectively implementing to the strictest standard in each category.
The Missing Standard
Here's what doesn't exist: a comprehensive, open standard for AI audit trails in financial services.
- ISO/IEC 42001 (AI Management System): General framework, no financial specifics
- IEEE 2894 (Explainable AI): Architecture guidance, no compliance documentation
- NIST AI RMF: Risk management, no prescriptive audit specifications
The result? Every institution builds proprietary solutions. Auditors face inconsistent formats. Regulators can't efficiently verify compliance. The industry spends $9.8 billion annually on RegTech without a common audit trail format.
IAP-FIN: Industry Application Profile for Financial Services
VAP-IAP-FIN-001 fills this gap. It's an industry application profile that maps the generic VAP (Verifiable AI Provenance) framework to the specific requirements of financial services.
The Architecture: Layered Conformance
┌─────────────────────────────────────────────────────────────────┐
│ VAP Framework (Cross-Domain) │
│ ─────────────────────────────────────────────────────────── │
│ Core cryptographic requirements, hash chains, Merkle trees │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ IAP-FIN Base Conformance │
│ ─────────────────────────────────────────────────────────── │
│ Mandatory fields for ALL financial AI systems │
│ • Decision identifier (UUID v7) │
│ • UTC timestamp (precision configurable) │
│ • Model identifier + version + hash │
│ • Input data hash │
│ • Output/decision value │
│ • Confidence score │
│ • Operator LEI │
│ • Cryptographic signature │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ Subsector Profiles │
│ ─────────────────────────────────────────────────────────── │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Capital │ │ Banking │ │ Insurance │ │
│ │ Markets │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ Payments │ │ Asset │ │
│ │ │ │ Management │ │
│ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ Jurisdictional Extensions │
│ ─────────────────────────────────────────────────────────── │
│ ┌────┐ ┌────┐ ┌────┐ ┌──────┐ ┌─────┐ │
│ │ EU │ │ US │ │ UK │ │ APAC │ │ GCC │ │
│ └────┘ └────┘ └────┘ └──────┘ └─────┘ │
└─────────────────────────────────────────────────────────────────┘
This layered approach means:
- Base conformance is universal—every financial AI system implements it
- Subsector profiles add domain-specific requirements
- Jurisdictional extensions handle regulatory variations
Timestamp Precision: The Hidden Complexity
One of IAP-FIN's key contributions is configurable timestamp precision. Different use cases have radically different requirements:
Precision Tiers
| Use Case | Minimum Precision | Clock Sync | Standard |
|---|---|---|---|
| HFT algorithmic trading | 1 microsecond | PTP to BIPM UTC | MiFID II RTS 25 |
| Non-HFT algo trading | 1 millisecond | NTP to UTC | MiFID II |
| Credit decisioning | 1 second | NTP to UTC | Reg B |
| Insurance/actuarial | 1 day | System clock | Solvency II |
| Fraud detection | 1 millisecond | NTP to UTC | PSD2/PSD3 |
Why This Matters
HFT systems generate millions of events per second. Requiring 1-microsecond precision for an insurance actuarial model would be absurd—and expensive. Requiring only 1-day precision for HFT would violate MiFID II.
IAP-FIN lets implementations declare their precision tier and validates accordingly.
Implementation: Precision Time Protocol
For Tier 1 (microsecond) precision, NTP isn't sufficient. You need PTP (IEEE 1588-2019):
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import time
class PrecisionTier(Enum):
TIER_1_MICROSECOND = "T1" # HFT: PTP required
TIER_2_MILLISECOND = "T2" # Standard algo: NTP sufficient
TIER_3_SECOND = "T3" # Credit/banking
TIER_4_DAY = "T4" # Insurance/actuarial
@dataclass
class IAPTimestamp:
"""IAP-FIN compliant timestamp with precision metadata"""
utc_nanoseconds: int
precision_tier: PrecisionTier
clock_source: str # "PTP", "NTP", "GPS", "SYSTEM"
uncertainty_ns: int # Clock uncertainty in nanoseconds
sync_status: str # "LOCKED", "HOLDOVER", "FREERUN"
@classmethod
def now(cls, tier: PrecisionTier) -> "IAPTimestamp":
"""Generate timestamp for specified precision tier"""
if tier == PrecisionTier.TIER_1_MICROSECOND:
# In production: read from PTP hardware clock
# This is a placeholder
return cls(
utc_nanoseconds=time.time_ns(),
precision_tier=tier,
clock_source="PTP",
uncertainty_ns=50, # 50ns typical for good PTP
sync_status="LOCKED"
)
elif tier == PrecisionTier.TIER_2_MILLISECOND:
return cls(
utc_nanoseconds=time.time_ns(),
precision_tier=tier,
clock_source="NTP",
uncertainty_ns=1_000_000, # 1ms typical for NTP
sync_status="LOCKED"
)
else:
return cls(
utc_nanoseconds=time.time_ns(),
precision_tier=tier,
clock_source="SYSTEM",
uncertainty_ns=10_000_000, # 10ms for system clock
sync_status="FREERUN"
)
def to_dict(self) -> dict:
return {
"utc_ns": self.utc_nanoseconds,
"precision_tier": self.precision_tier.value,
"clock_source": self.clock_source,
"uncertainty_ns": self.uncertainty_ns,
"sync_status": self.sync_status
}
def validate_for_tier(self) -> bool:
"""Validate timestamp meets precision tier requirements"""
max_uncertainty = {
PrecisionTier.TIER_1_MICROSECOND: 1_000, # 1μs
PrecisionTier.TIER_2_MILLISECOND: 1_000_000, # 1ms
PrecisionTier.TIER_3_SECOND: 1_000_000_000, # 1s
PrecisionTier.TIER_4_DAY: 86_400_000_000_000 # 1 day
}
return self.uncertainty_ns <= max_uncertainty[self.precision_tier]
Entity Identification: LEI Integration
IAP-FIN mandates LEI (Legal Entity Identifier) for operator identification. Over 200 regulations globally require LEI—it's the universal entity identifier for financial services.
Why LEI?
- Global uniqueness: 20-character alphanumeric code
- Verified identity: Certified by GLEIF-accredited LOUs
- Cross-reference capability: Maps to BIC, ISIN, MIC, OpenCorporates
- Verifiable LEI (vLEI): Digital certificates for cryptographic authentication
Implementation
import re
from dataclasses import dataclass
from typing import Optional
@dataclass
class OperatorIdentity:
"""IAP-FIN operator identification using LEI"""
lei: str # Legal Entity Identifier (ISO 17442)
vlei_credential: Optional[str] = None # vLEI digital credential
registration_authority: Optional[str] = None # MIC for venues
def __post_init__(self):
if not self._validate_lei(self.lei):
raise ValueError(f"Invalid LEI format: {self.lei}")
@staticmethod
def _validate_lei(lei: str) -> bool:
"""Validate LEI format (ISO 17442)"""
# LEI: 20 characters, alphanumeric
# Format: LLLLLLLLLLLLLLLLLLCC
# First 4: LOU prefix
# Next 14: Entity-specific
# Last 2: Check digits
if not re.match(r'^[A-Z0-9]{20}$', lei):
return False
# ISO 7064 Mod 97-10 check digit validation
lei_numeric = ''
for char in lei:
if char.isdigit():
lei_numeric += char
else:
lei_numeric += str(ord(char) - 55) # A=10, B=11, etc.
return int(lei_numeric) % 97 == 1
def to_dict(self) -> dict:
return {
"lei": self.lei,
"vlei_credential": self.vlei_credential,
"registration_authority": self.registration_authority
}
# Example usage
operator = OperatorIdentity(
lei="5493001KJTIIGC8Y1R12", # Example LEI
registration_authority="XNAS" # NASDAQ MIC
)
Subsector Profiles: One Size Doesn't Fit All
Capital Markets Profile
The most demanding profile—HFT algorithmic trading requires:
from dataclasses import dataclass
from typing import List, Optional
from enum import Enum
class OrderSide(Enum):
BUY = "BUY"
SELL = "SELL"
class OrderType(Enum):
MARKET = "MARKET"
LIMIT = "LIMIT"
STOP = "STOP"
ICEBERG = "ICEBERG"
@dataclass
class CapitalMarketsEvent:
"""IAP-FIN Capital Markets subsector event"""
# Base IAP-FIN fields
event_id: str
timestamp: IAPTimestamp # Tier 1 or 2 required
model_id: str
model_version: str
model_hash: str
operator_lei: str
# Capital Markets specific
event_type: str # SIG, ORD, ACK, EXE, REJ, CXL, MOD
instrument_isin: str
venue_mic: str
# Order details (when applicable)
order_id: Optional[str] = None
client_order_id: Optional[str] = None
side: Optional[OrderSide] = None
order_type: Optional[OrderType] = None
quantity: Optional[float] = None
price: Optional[float] = None
# Execution details (when applicable)
execution_id: Optional[str] = None
executed_quantity: Optional[float] = None
executed_price: Optional[float] = None
# Decision provenance
signal_factors: Optional[List[str]] = None
confidence_score: Optional[float] = None
risk_check_results: Optional[dict] = None
# Best execution (MiFID II)
best_execution_factors: Optional[dict] = None
def validate_mifid_compliance(self) -> List[str]:
"""Validate MiFID II RTS 25 compliance"""
issues = []
# Timestamp precision
if self.timestamp.precision_tier not in [
PrecisionTier.TIER_1_MICROSECOND,
PrecisionTier.TIER_2_MILLISECOND
]:
issues.append("Timestamp precision insufficient for MiFID II")
# Required fields for order events
if self.event_type in ["ORD", "ACK", "EXE", "MOD", "CXL"]:
if not self.order_id:
issues.append("Order ID required for order lifecycle events")
if not self.instrument_isin:
issues.append("ISIN required for all orders")
if not self.venue_mic:
issues.append("MIC required for venue identification")
return issues
Banking Profile: Credit Decisioning
Credit models have different requirements—lower timestamp precision, but stricter explainability:
@dataclass
class CreditDecisionEvent:
"""IAP-FIN Banking subsector - Credit Decision"""
# Base IAP-FIN fields
event_id: str
timestamp: IAPTimestamp # Tier 3 sufficient
model_id: str
model_version: str
operator_lei: str
# Credit decision specific
application_id: str
decision: str # APPROVE, DECLINE, REFER
# CFPB-required explainability
adverse_action_reasons: Optional[List[str]] = None
principal_factors: List[dict] = None # Must be human-readable
# Fair lending analysis
protected_class_impact_assessed: bool = False
less_discriminatory_alternatives_documented: bool = False
# Model governance
model_validation_date: str = None
model_owner: str = None
def validate_cfpb_compliance(self) -> List[str]:
"""Validate CFPB adverse action requirements"""
issues = []
if self.decision == "DECLINE":
if not self.adverse_action_reasons:
issues.append(
"CFPB requires adverse action reasons for declines"
)
if not self.principal_factors:
issues.append(
"Principal factors must be documented (no black-box exception)"
)
if not self.less_discriminatory_alternatives_documented:
issues.append(
"LDA analysis must be documented per CFPB guidance"
)
return issues
Insurance Profile: Actuarial Models
Insurance operates on longer cycles with different provenance needs:
@dataclass
class ActuarialModelEvent:
"""IAP-FIN Insurance subsector - Actuarial Model"""
# Base IAP-FIN fields
event_id: str
timestamp: IAPTimestamp # Tier 4 (daily) sufficient
model_id: str
model_version: str
operator_lei: str
# Insurance specific
model_type: str # PRICING, RESERVING, CAPITAL, CLAIMS
line_of_business: str
# Solvency II requirements
use_test_documented: bool = False # Model "widely used" in governance
model_limitation_adjustments: List[dict] = None
validation_date: str = None
# IFRS 17 lineage
source_systems: List[str] = None
transformations_applied: List[str] = None
contract_boundary_applied: bool = False
# UK Solvency II divergence
cro_attestation_date: Optional[str] = None
Extension Mechanism: FIX Protocol Pattern
IAP-FIN adopts the FIX Protocol reserved field range pattern for extensibility:
| Range | Purpose | Governance |
|---|---|---|
| 1000-4999 | Base specification fields | VSO Technical Committee |
| 5000-7999 | Industry-wide extensions | Public RFC process |
| 8000-8999 | Jurisdictional regulatory extensions | Regulatory working groups |
| 9000-9999 | Proprietary extensions | No governance required |
Example: Adding a Jurisdiction-Specific Field
# EU AI Act requires logging of "human verification actions"
# This is a jurisdictional extension (8000-8999 range)
EU_AI_ACT_HUMAN_VERIFICATION = 8001
@dataclass
class JurisdictionalExtension:
"""Jurisdictional extension for EU AI Act compliance"""
field_id: int = EU_AI_ACT_HUMAN_VERIFICATION
jurisdiction: str = "EU"
regulation: str = "EU_AI_ACT_ART_12"
# Extension data
human_verification_performed: bool = False
verifier_id: Optional[str] = None
verification_timestamp: Optional[int] = None
verification_outcome: Optional[str] = None # APPROVED, REJECTED, MODIFIED
Cryptographic Requirements: FIPS 140-3 Compliant
IAP-FIN specifies cryptographic requirements aligned with FIPS 140-3 and PCI DSS 4.0.1:
Algorithm Requirements
| Purpose | Algorithm | Minimum Strength | Standard |
|---|---|---|---|
| Hashing | SHA-256+ | 256-bit | FIPS 180-4 |
| Signing | Ed25519 or RSA-2048 | 128-bit equivalent | FIPS 186-5 |
| Encryption (at rest) | AES-256 | 256-bit | FIPS 197 |
| Transport | TLS 1.2+ | 112-bit | PCI DSS 4.0.1 |
Key Management
from dataclasses import dataclass
from typing import Optional
from enum import Enum
class KeyStorage(Enum):
HSM = "HSM" # Hardware Security Module (recommended)
SOFTWARE = "SOFTWARE" # Software keystore
CLOUD_KMS = "CLOUD_KMS" # Cloud key management
@dataclass
class CryptoConfig:
"""IAP-FIN cryptographic configuration"""
hash_algorithm: str = "SHA3-256"
signature_algorithm: str = "Ed25519"
key_storage: KeyStorage = KeyStorage.HSM
# FIPS 140-3 compliance
fips_module_validated: bool = True
fips_security_level: int = 3 # Level 3 for most financial services
# Key rotation
signature_key_rotation_days: int = 365
encryption_key_rotation_days: int = 90
def validate_fips_compliance(self) -> bool:
"""Validate FIPS 140-3 compliance"""
approved_hash = self.hash_algorithm in [
"SHA-256", "SHA-384", "SHA-512",
"SHA3-256", "SHA3-384", "SHA3-512"
]
approved_signature = self.signature_algorithm in [
"Ed25519", "RSA-2048", "RSA-3072", "RSA-4096",
"ECDSA-P256", "ECDSA-P384"
]
return (
approved_hash and
approved_signature and
self.fips_module_validated
)
Retention Policies: WORM Compliance
SEC Rule 17a-4 requires WORM (Write Once Read Many) storage. IAP-FIN supports configurable retention with jurisdiction-specific defaults:
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from enum import Enum
class RetentionJurisdiction(Enum):
EU_MIFID = "EU_MIFID" # 5 years, extendable to 7
US_SEC = "US_SEC" # 6 years, first 2 easily accessible
UK_FCA = "UK_FCA" # 6 years
SG_MAS = "SG_MAS" # 5 years
AU_ASIC = "AU_ASIC" # 7 years
class StorageType(Enum):
WORM = "WORM" # Write Once Read Many (SEC 17a-4)
IMMUTABLE = "IMMUTABLE" # Cloud immutable storage
STANDARD = "STANDARD" # Standard storage (non-US)
@dataclass
class RetentionPolicy:
"""IAP-FIN data retention policy"""
jurisdiction: RetentionJurisdiction
retention_years: int
storage_type: StorageType
# Accessibility requirements
immediate_access_years: int = 2 # SEC requires 2 years readily accessible
# Extension handling
regulatory_extension_possible: bool = True
max_extension_years: int = 2
@classmethod
def for_jurisdiction(cls, jurisdiction: RetentionJurisdiction) -> "RetentionPolicy":
"""Create policy for specific jurisdiction"""
configs = {
RetentionJurisdiction.EU_MIFID: {
"retention_years": 5,
"storage_type": StorageType.IMMUTABLE,
"max_extension_years": 2
},
RetentionJurisdiction.US_SEC: {
"retention_years": 6,
"storage_type": StorageType.WORM,
"immediate_access_years": 2
},
RetentionJurisdiction.UK_FCA: {
"retention_years": 6,
"storage_type": StorageType.IMMUTABLE
},
RetentionJurisdiction.SG_MAS: {
"retention_years": 5,
"storage_type": StorageType.STANDARD
},
RetentionJurisdiction.AU_ASIC: {
"retention_years": 7,
"storage_type": StorageType.STANDARD
}
}
config = configs[jurisdiction]
return cls(jurisdiction=jurisdiction, **config)
def calculate_deletion_date(self, event_date: datetime) -> datetime:
"""Calculate when data can be deleted"""
return event_date + timedelta(days=self.retention_years * 365)
def is_in_immediate_access_period(self, event_date: datetime) -> bool:
"""Check if data must be immediately accessible"""
cutoff = datetime.utcnow() - timedelta(days=self.immediate_access_years * 365)
return event_date > cutoff
# Multi-jurisdictional: use the strictest requirements
def combined_retention_policy(
jurisdictions: list[RetentionJurisdiction]
) -> RetentionPolicy:
"""Combine policies to satisfy all jurisdictions"""
policies = [RetentionPolicy.for_jurisdiction(j) for j in jurisdictions]
return RetentionPolicy(
jurisdiction=jurisdictions[0], # Primary
retention_years=max(p.retention_years for p in policies),
storage_type=StorageType.WORM if any(
p.storage_type == StorageType.WORM for p in policies
) else StorageType.IMMUTABLE,
immediate_access_years=max(p.immediate_access_years for p in policies)
)
# Example: US broker-dealer with EU operations
policy = combined_retention_policy([
RetentionJurisdiction.US_SEC,
RetentionJurisdiction.EU_MIFID
])
# Result: 6 years, WORM storage, 2 years immediate access
Complete Event Schema
Here's a complete IAP-FIN event combining all components:
{
"iap_fin_version": "1.0",
"conformance_level": "CAPITAL_MARKETS",
"event": {
"event_id": "019400a2-7e5c-7000-8000-1a2b3c4d5e6f",
"event_type": "SIGNAL_GENERATED",
"timestamp": {
"utc_ns": 1734432600123456789,
"precision_tier": "T1",
"clock_source": "PTP",
"uncertainty_ns": 50,
"sync_status": "LOCKED"
},
"operator": {
"lei": "5493001KJTIIGC8Y1R12",
"vlei_credential": "base64...",
"registration_authority": "XNAS"
},
"model": {
"model_id": "alpha_momentum_v3",
"model_version": "3.2.1",
"model_hash": "sha3-256:8f14e45f...",
"model_owner": "quant_desk_ny",
"last_validation_date": "2025-06-15"
},
"provenance": {
"input_hash": "sha3-256:2c26b46b...",
"input_sources": [
"market_data:XNAS:2025-12-17T10:30:00Z",
"risk_params:v4.1"
],
"decision": {
"action": "GENERATE_BUY_SIGNAL",
"instrument_isin": "US0378331005",
"target_quantity": 1000,
"confidence": 0.87
},
"factors": [
{"name": "momentum_20d", "contribution": 0.45},
{"name": "volume_breakout", "contribution": 0.32},
{"name": "sector_correlation", "contribution": 0.23}
]
},
"risk_checks": {
"pre_trade_risk_passed": true,
"position_limit_check": "PASS",
"concentration_check": "PASS",
"kill_switch_active": false
},
"integrity": {
"prev_hash": "sha3-256:genesis...",
"signature": "ed25519:base64...",
"signer_key_id": "key_2025_001"
}
},
"jurisdictional_extensions": {
"8001_eu_ai_act_human_oversight": {
"human_verification_required": false,
"automated_decision": true
}
},
"retention": {
"policy_id": "MULTI_US_EU",
"retention_years": 6,
"storage_type": "WORM",
"deletion_eligible_date": "2031-12-17"
}
}
Regulatory Compliance Mapping
IAP-FIN includes non-normative annexes mapping fields to specific regulatory requirements:
EU AI Act Article 12 Mapping
| Requirement | IAP-FIN Field |
|---|---|
| Period of use logging | timestamp.utc_ns |
| Reference database used | provenance.input_sources |
| Input data | provenance.input_hash |
| Human verification | jurisdictional_extensions.8001_* |
MiFID II RTS 25 Mapping
| Requirement | IAP-FIN Field |
|---|---|
| Timestamp (100μs accuracy) |
timestamp (Tier 1) |
| Algorithm identifier | model.model_id |
| Instrument identification | provenance.decision.instrument_isin |
| Trading venue | operator.registration_authority |
SEC Rule 17a-4 Mapping
| Requirement | IAP-FIN Field |
|---|---|
| 6-year retention | retention.retention_years |
| WORM storage | retention.storage_type |
| 2-year accessibility | retention.immediate_access_years |
Federal Reserve SR 11-7 Mapping
| Requirement | IAP-FIN Field |
|---|---|
| Model documentation | model.* |
| Validation dates | model.last_validation_date |
| Inputs and outputs | provenance.* |
| Responsible individuals | model.model_owner |
Why IAP-FIN Matters
For Financial Institutions
- One implementation satisfies multiple regulators
- Auditor-friendly format reduces examination friction
- Future-proof architecture handles regulatory evolution
For Regulators
- Standardized format enables efficient review
- Cryptographic verification provides confidence in data integrity
- Cross-border consistency simplifies international coordination
For Auditors
- Common schema across clients
- Machine-processable validation rules
- Clear compliance mapping to authoritative requirements
For the Industry
- Reduced duplication of compliance effort
- Vendor interoperability for RegTech solutions
- Open standard prevents lock-in
Get Involved
IAP-FIN is under development. We're seeking input from:
- Compliance officers at banks, asset managers, and broker-dealers
- Quantitative developers building algorithmic trading systems
- RegTech vendors building compliance solutions
- Regulators interested in standardization
Resources
- 🌐 Website: veritaschain.org
- 📦 GitHub: github.com/veritaschain
- 📧 Standards: standards@veritaschain.org
- 📧 Enterprise: enterprise@veritaschain.org
Final Thought
The financial industry spends nearly $10 billion annually on regulatory technology. Much of that goes toward solving the same problem in slightly different ways at thousands of institutions.
IAP-FIN doesn't replace existing systems—it provides a common output format that any system can generate. One format that satisfies MiFID II, EU AI Act, SEC, CFTC, FCA, MAS, and APRA. One format that auditors can verify. One format that regulators can trust.
The alternative is what we have today: proprietary formats, inconsistent logs, and a €35 million question that nobody can confidently answer.
"Encoding Trust in Financial Services AI"
About IAP-FIN: VAP-IAP-FIN-001 (Industry Application Profile for Financial Services) is part of the VAP (Verifiable AI Provenance) framework, maintained by the VeritasChain Standards Organization (VSO). VCP (VeritasChain Protocol), the algorithmic trading specification, is already in production. IAP-FIN extends VCP with comprehensive subsector and jurisdictional support. The specification is open source under CC BY 4.0.
Top comments (0)