Financial services — regulator-aligned by default.
PCI DSS Level 1 controls baseline, PSD2 SCA / open-banking flows live via Payvera, ISO 20022 across SEPA + national rails, SOX-aligned audit envelope. Customer-cloud (DM.02) for tier-2 banks; DM.03 sovereign for systemic operators; DM.04 confidential compute for treasury + AML flows where even the operator must not see plaintext.
Regulated finance signs against three things in 2026: PSD2 / PSD3 readiness, FFIEC / EBA-aligned operational resilience, and audit reproducibility. Payvera ships SCA + ISO 20022 + SCT-Inst; DORA-aligned operational resilience controls are tabletop-tested quarterly; the append-only audit envelope replays end-to-end for any regulator.
8 frameworks pre-mapped to the platform.
- VT.FN.RG.01
PCI DSS v4.0 Level 1
International · PCI SSCCardholder-data processing baseline. Payvera deployments achieve PCI DSS L1 with the platform substrate within scope; tokenisation removes most tenant-side scope.
- VT.FN.RG.02
PSD2 + RTS-SCA
European UnionStrong customer authentication for online payments; transaction risk analysis (TRA) exemption flows tightened in CL.035.
- VT.FN.RG.03
PSD3 + Payment Services Regulation
European UnionTracking finalisation; ready when published. Open-banking PSP federation in the platform roadmap (RM.P04).
- VT.FN.RG.04
DORA (Digital Operational Resilience Act)
European UnionOperational-resilience controls aligned; quarterly tabletop exercise log; ICT-third-party register published in the trust desk.
- VT.FN.RG.05
FFIEC IT Handbook
United States · FFIECIT examination handbook alignment for US-regulated financial institutions; SOC 2 Type II + ISO 27001 cover the platform-level scope.
- VT.FN.RG.06
Basel III ICAAP / BCBS 239
International · BCBSCapital adequacy + risk-data aggregation. Ledgera produces auditor-friendly export packs aligned with BCBS 239 risk-data aggregation principles.
- VT.FN.RG.07
MAS-TRMG
Singapore · MASTechnology Risk Management Guidelines for MAS-licensed institutions; sovereign-region deployment in Singapore on customer engagement.
- VT.FN.RG.08
SOX Section 404
United States · SECInternal-controls audit trail. Append-only audit_log + segregation-of-duties via Identra roles satisfy 404 IT-controls requirements.
- Payvera · Payments
PSD2 SCA, SEPA + SCT-Inst + national rails, anomaly + fraud scoring (AG.S.05) with HITL on high-risk transactions.
- Ledgera · Financial Ops
Multi-jurisdiction accounting (NO Kontoplan, UK FRS-102, US GAAP, IFRS), SAF-T / VAT-100 statutory exports, BCBS 239 risk-data aggregation pack.
- Identra · Identity
KYC + qualified signature for high-value transactions; FIDO2 step-up on admin paths; OIDC federation with bank workforce IdPs.
- Civitas · Government Services
Treasury + tax-authority integration where banks operate as collection agents.
4 risks named, with mitigation.
- VT.FN.RK.01
Privileged-insider attack vector
Treasury + AML flows expose card-holder + investigation data to platform operators by default. DM.04 confidential compute removes this vector — workloads run inside hardware-enforced TEEs the vendor cannot read.
- VT.FN.RK.02
Regulator examination cycle
FFIEC + EBA examinations compress timelines. The append-only audit envelope replays any transaction end-to-end with chain-of-custody preserved; signed export pack ships within one business day.
- VT.FN.RK.03
PSD3 transition exposure
PSD2 → PSD3 migration is a cliff for hand-rolled SCA implementations. Payvera abstracts the SCA flow; PSD3 lands as a platform release, not a tenant-side rebuild.
- VT.FN.RK.04
BCBS 239 risk-data aggregation
Risk-data aggregation completeness + accuracy is the single most-cited examination finding. Ledgera produces the BCBS 239 export pack with provenance manifest baked in.
- EBA Outsourcing Register documentation pack
- FCA Operational Resilience submission alignment
- MAS-TRMG due-diligence questionnaire pre-fill via /ask-flyttgo
- Crown Commercial Service Treasury route for UK government banking adjacencies
Open a programme on this vertical's terms.
Consultation routed to the desk handling financial services programmes. DM.03 substrate, L.05 tier and the regulatory framework matrix above presented at intake — scoping starts at SE.D2, not at framework discovery.