Regulatory Reference
Key regulatory frameworks relevant to Smartflow content. This guide covers what content writers need to know — not legal advice.
MAS — Monetary Authority of Singapore
| Aspect | Detail |
|---|---|
| Jurisdiction | Singapore |
| Relevant to | Singapore-licensed banks using Smartflow |
| Key regulation | MAS Notice on Technology Risk Management (TRM) |
| Data requirements | Financial institutions must ensure data resides in approved jurisdictions. Outsourcing of data processing requires MAS notification. |
| AI relevance | MAS has published FEAT (Fairness, Ethics, Accountability, Transparency) principles for AI use in financial services. |
| Reporting | MAS RODS (Regulatory Oversight Data Submission) — Smartflow's compliance module supports automated submission workflows. |
What to say in docs: Smartflow's edge deployment model supports MAS TRM requirements by keeping all data within the bank's infrastructure. No document data is transmitted externally.
HKMA — Hong Kong Monetary Authority
| Aspect | Detail |
|---|---|
| Jurisdiction | Hong Kong SAR |
| Relevant to | Hong Kong-licensed banks |
| Key regulation | HKMA Supervisory Policy Manual on Operational Risk Management |
| Data requirements | Data outsourcing requires HKMA approval if material. Cloud usage must comply with HKMA guidance on the use of cloud computing. |
| AI relevance | HKMA has issued guidance on responsible AI adoption. Banks must maintain explainability for AI-driven decisions. |
What to say in docs: Smartflow provides evidence-linked provenance for every extracted field, supporting HKMA's explainability expectations for AI systems.
APRA — Australian Prudential Regulation Authority
| Aspect | Detail |
|---|---|
| Jurisdiction | Australia |
| Relevant to | APRA-regulated banks and insurers |
| Key regulation | CPS 234 (Information Security), CPS 231 (Outsourcing) |
| Data requirements | APRA-regulated entities must be able to demonstrate that data is adequately protected, including when processed by third-party systems. |
| AI relevance | APRA expects model risk management in line with principles equivalent to SR 11-7. |
What to say in docs: Smartflow supports APRA CPS 234 compliance through isolated deployment, encrypted data at rest and in transit, and comprehensive audit logging.
Data Sovereignty Principles
These principles apply across all jurisdictions:
- Data residency: Document data must reside in the jurisdiction where the bank operates (or an approved jurisdiction).
- No cross-border transfer: Smartflow's edge deployment ensures no document content crosses borders.
- Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.3).
- Access control: Role-based access control with SSO integration.
- Audit trail: All access and modifications to data are logged and retained per policy.
- Right to delete: Banks can request complete deletion of all data in their Smartflow instance.
EU AI Act (Informational)
While Smartflow's primary market is APAC, European regulations may apply to clients with EU operations:
| Aspect | Detail |
|---|---|
| Risk classification | Smartflow's use case (financial document processing) likely falls under "high-risk" if outputs directly influence lending decisions |
| Requirements | Transparency, human oversight, data governance, accuracy documentation |
| Smartflow alignment | Evidence-linked provenance, HITL workflows, extraction accuracy metrics already address core requirements |
SR 11-7 (Model Risk Management)
US Federal Reserve guidance on model risk management, widely adopted as a global standard for AI/ML governance in banking:
| Requirement | Smartflow Support |
|---|---|
| Model documentation | Extraction models documented with training data scope, performance benchmarks |
| Validation | AI Evals framework provides ongoing accuracy measurement |
| Monitoring | Confidence scores per field, accuracy trends over time |
| Governance | HITL review workflow ensures human oversight of AI outputs |
Writing Guidelines for Regulatory Content
- Never claim compliance. Say "supports compliance with" or "aligns with requirements," not "is compliant with."
- Cite the regulation name and number. "Per MAS TRM Notice" not "per Singapore regulations."
- State facts, not interpretations. "Smartflow deploys within the bank's infrastructure" not "Smartflow satisfies data residency requirements."
- Always qualify with "consult your compliance team."