Regulatory taxonomy

The regulatory burden does not disappear at community scale.

This taxonomy explains the financial and AI-related rules that shape U.S. banks, thrifts, and federally insured credit unions. Each entry should show the legal source, the regulator, who the rule may apply to, what may change, the operational duty where one has been curated, and where to verify it.

How to read this

Applicability is broad; execution scales.

Many federal regimes reach institutions regardless of asset size, but the depth of the required program usually scales to the institution’s size, risk, charter, and complexity. “Applies to all” does not mean “identical burden for all.”

A useful compliance taxonomy has to preserve that nuance. Some rules are universal, some are charter-specific, and some turn on loan volume, asset tier, activity, jurisdiction, litigation, or pending rule changes. Kenshiki keeps those differences visible instead of flattening them into sales shorthand.

Use the taxonomy

Start with the decision, then check the source.

Start from the situation.

Read institution type, rule family, use case, obligation type, and source together. The goal is not to prove a final legal answer; it is to show which rules deserve counsel, compliance, and model-risk review.

Keep source context attached.

Each entry should keep the summary, source, regulator, use cases, operational duty where curated, change notes, and citations together so teams can tell why a rule may be in scope and what needs another check.

Rule taxonomy

The public taxonomy tracks 80 rules and guidance items.

The taxonomy is intentionally broader than a banking checklist: 57 entries cover federal financial obligations and 23 entries cover AI-related rules, existing financial law applied to AI, prudential model-risk guidance, state AI laws, biometric regimes, and insurance-adjacent governance templates.

Financial obligations

BSA/AML, OFAC, consumer lending, deposits and payments, privacy and data security, UDAP/UDAAP, safety and soundness, CRA and structure rules, credit-union-specific obligations, and bank-specific operational regimes.

AI-assisted decisions

Existing law applied to AI, adverse-action explainability, contested fair-lending posture, AVM rules, SR 26-2 model-risk boundaries, NYDFS AI cybersecurity guidance, state AI laws, biometric consent regimes, and voluntary governance frameworks.

Ten families

The banking foundation still starts with ten federal regime families.

BSA/AML

Five-pillar AML program, CIP, CDD and beneficial ownership, SAR, CTR, and Travel Rule obligations. NCUA guidance confirms no small-institution exemption exists for BSA obligations.

OFAC sanctions

Strict-liability sanctions screening with no de minimis transaction floor. The taxonomy should flag the 2025 extension of OFAC recordkeeping from five to ten years.

Consumer lending

TILA/Reg Z, RESPA/Reg X, ECOA/Reg B, FCRA/Reg V, HMDA, flood, SAFE Act, SCRA, and MLA obligations, with volume and product-scope caveats preserved.

Deposits and payments

EFTA/Reg E, Truth in Savings — Reg DD for banks and Part 707 for credit unions — and Reg CC funds-availability requirements.

Privacy and data security

GLBA Privacy and Safeguards, breach-notification expectations, RFPA, FCRA affiliate-marketing and disposal rules, and time-sensitive consumer-data-rights items.

UDAP and UDAAP

FTC Act §5 and Dodd-Frank §§1031/1036 principles-based conduct standards, including advertising and product-integrity implications.

Safety and soundness

Capital and PCA rules, distinct credit-union net-worth tiers, deposit and share insurance, Call Reports, Reg O, Reg W, audit, affiliate, insider, and governance requirements.

CRA and structure rules

CRA and branch, merger, and change-in-control requirements. CRA applies to banks and thrifts, not federal credit unions, with state CRA-style credit-union rules in Illinois, Massachusetts, and New York.

Credit-union-specific federal rules

Federal Credit Union Act and NCUA 12 CFR 700-series obligations, including field of membership, lending, member-business lending, investment, audit, CUSO, and notice rules.

Bank-specific federal rules

Holding-company supervision, Volcker, federal usury and interest-rate exportation, federal-benefit garnishment, unclaimed-property operations, and IRS information reporting.

Accuracy flags

Three modeling errors matter enough to flag up front.

Common error

Modeling CRA as universal.

CRA applies to banks and thrifts, but not federal credit unions.

How to handle it

Preserve charter specificity.

State CRA-style rules for credit unions in Illinois, Massachusetts, and New York should be modeled separately from federal CRA.

Common error

Treating “size-agnostic” as absolute.

HMDA, CRA tiers, and CFPB §1071 small-business lending data requirements have real volume, size, or tier conditions.

How to handle it

Use size-conditionality flags.

Model universal, volume-threshold, asset-tier, charter-specific, and time-sensitive status as explicit fields instead of prose assumptions.

Common error

Applying FDCPA as blanket coverage.

First-party creditors collecting their own debts are generally exempt from FDCPA, while third-party or defaulted-debt collection can be covered.

How to handle it

Model activity conditions.

FDCPA belongs in the taxonomy as conditionally applicable, not as an always-on obligation for every account-holding institution.

Source design

Every obligation should point back to a source.

A review-ready rule taxonomy should store each obligation with source and “who does this apply to?” details, not as an undifferentiated document pile.

Required provenance fields

Statute, implementing regulation, CFR part, regulator, institution type, size conditionality, supervisory-manual reference, and last-verified date.

Scheduled re-verification

CFPB §1071, §1033 open banking, BOI/CTA scope, OFAC retention, FDIC rate schedules, and PCA thresholds should be on a time-sensitive review schedule.

Primary-source anchors

FFIEC examination manuals, eCFR Title 12 and Title 31 Chapter X, CFPB regulations, NCUA guides and rules, Federal Reserve compliance materials, OFAC sanctions programs, and FDIC assessment rules.
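The two sections above argue for storing "who does this apply to?" and re-verification details as explicit fields rather than prose. The following is an added example, not Kenshiki's code or data model, of what that looks like in practice: each rule carries charter, state, volume-threshold, activity-condition and time-sensitivity fields, an institution profile is evaluated against them, and entries whose last-verified date has aged out are flagged. The sample rules, the institutions, the last-verified dates and the HMDA volume floor are constructed for illustration (the floor is a placeholder, not the Reg C figure), and the charter scope assumed for the Illinois credit-union entry is an assumption to verify against the state statute.

```python
# Added example (not Kenshiki's code): applicability and re-verification
# modelled as explicit fields instead of prose assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Institution:
    name: str
    charter: str                      # "bank", "thrift", "federal_credit_union", "state_credit_union"
    state: str                        # two-letter state of charter
    annual_mortgage_originations: int
    collects_third_party_debt: bool   # drives the FDCPA activity condition


@dataclass(frozen=True)
class Rule:
    rule_id: str
    statute: str
    regulation: str
    cfr_part: str
    regulator: str
    last_verified: date
    charters: FrozenSet[str] = frozenset()   # empty = reaches every charter type
    states: FrozenSet[str] = frozenset()     # empty = federal scope, any state
    volume_floor: Optional[int] = None       # originations/year floor; None = no floor
    activity_flag: Optional[str] = None      # Institution attribute that must be True
    time_sensitive: bool = False             # pending change, litigation, effective date
    reverify_after_days: int = 365
    supervisory_manual: str = ""


def applicability(rule: Rule, inst: Institution) -> Tuple[str, List[str]]:
    """Evaluate the explicit fields; return ("applies" | "not_applicable", reasons)."""
    reasons: List[str] = []
    if rule.charters and inst.charter not in rule.charters:
        return "not_applicable", [f"charter {inst.charter} outside {sorted(rule.charters)}"]
    if rule.states and inst.state not in rule.states:
        return "not_applicable", [f"state {inst.state} outside {sorted(rule.states)}"]
    if rule.volume_floor is not None:
        if inst.annual_mortgage_originations < rule.volume_floor:
            return "not_applicable", [f"{inst.annual_mortgage_originations} originations below floor {rule.volume_floor}"]
        reasons.append("volume threshold met")
    if rule.activity_flag is not None:
        if not getattr(inst, rule.activity_flag):
            return "not_applicable", [f"activity condition {rule.activity_flag} not met"]
        reasons.append(f"activity condition {rule.activity_flag} met")
    if rule.time_sensitive:
        reasons.append("time-sensitive: confirm current status before relying on it")
    return "applies", reasons or ["universal"]


def needs_reverification(rule: Rule, today: date) -> bool:
    """True once the entry is older than its scheduled re-verification window."""
    return today > rule.last_verified + timedelta(days=rule.reverify_after_days)


# Constructed sample entries. Dates and the HMDA floor are placeholders, not verified values.
VERIFIED = date(2025, 6, 1)
PLACEHOLDER_HMDA_VOLUME_FLOOR = 50   # illustration only; take the real floor from Reg C

CRA_FEDERAL = Rule("cra-federal", "Community Reinvestment Act", "Reg BB", "12 CFR 228",
                   "FRB", VERIFIED, charters=frozenset({"bank", "thrift"}))
# Charter scope for the state rule is an assumption here; verify against the Illinois statute.
CRA_ILLINOIS_CU = Rule("cra-il-cu", "Illinois CRA-style rule", "state rule", "n/a (state statute)",
                       "Illinois", VERIFIED,
                       charters=frozenset({"federal_credit_union", "state_credit_union"}),
                       states=frozenset({"IL"}))
FDCPA = Rule("fdcpa", "Fair Debt Collection Practices Act", "Reg F", "12 CFR 1006",
             "CFPB", VERIFIED, activity_flag="collects_third_party_debt")
HMDA = Rule("hmda", "Home Mortgage Disclosure Act", "Reg C", "12 CFR 1003",
            "CFPB", VERIFIED, volume_floor=PLACEHOLDER_HMDA_VOLUME_FLOOR)
OFAC_RECORDKEEPING = Rule("ofac-records", "OFAC recordkeeping (ten-year retention)", "OFAC regulations",
                          "31 CFR 501", "OFAC", VERIFIED, time_sensitive=True, reverify_after_days=90)

RULES = [CRA_FEDERAL, CRA_ILLINOIS_CU, FDCPA, HMDA, OFAC_RECORDKEEPING]


def review_sheet(inst: Institution, today: date) -> List[Tuple[str, str, bool]]:
    """(rule_id, status, stale?) for every rule, for a counsel/compliance review pass."""
    return [(r.rule_id, applicability(r, inst)[0], needs_reverification(r, today)) for r in RULES]


if __name__ == "__main__":
    fcu = Institution("Example FCU", "federal_credit_union", "IL", 10, False)   # constructed
    for rule_id, status, stale in review_sheet(fcu, date(2026, 1, 1)):
        print(f"{rule_id:<14} {status:<15} {'RE-VERIFY' if stale else ''}")
```

Running the module prints one row per rule for the constructed credit union: federal CRA drops out on charter, the Illinois entry applies, FDCPA and HMDA drop out on activity and volume, and the OFAC entry is flagged for re-verification because its 90-day window has lapsed. The point of the design is that each of those outcomes is traceable to a field value a reviewer can check against the cited source.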

Commercial boundary

Kenshiki does not replace counsel, compliance, or model-risk review. The taxonomy makes the evidence package easier to assemble, verify, and replay.

FAQ

Common taxonomy questions

How to read the public taxonomy without treating it as a legal conclusion.

Is the regulatory taxonomy legal advice?

No. The taxonomy is a research and planning tool. It does not replace counsel, compliance, model-risk review, or institution-specific legal analysis.

Why does the taxonomy include AI and algorithmic decisioning obligations?

The AI layer matters because banks and credit unions usually face binding AI obligations through existing financial law, prudential guidance, state laws, biometric regimes, and enforcement posture rather than a single comprehensive federal AI statute.

What does the compliance taxonomy cover?

The taxonomy groups rules by institution type, financial or AI-related topic, use case, source, timing, and obligation type. Seeded records also show operational duties such as filing, disclosure, retention, training, and monitoring.

Why are some obligations marked time-sensitive or contested?

Some obligations depend on pending rule changes, litigation, effective dates, preemption disputes, or supervisory guidance. Those entries need scheduled re-checks before teams rely on them.