Fintonic Workspace

Steering Pack

Strategic priorities for CTO review this cycle.

Decisions this week: 6 (items needing central approval or intervention)

Entities for review: 8 (active steering population)

Provider lanes: 3 (AI provider concentration in use)

Pack cadence: Weekly (Tuesday operating review)

Steering decisions

Review DORA ICT risk management framework for core banking services

Conduct a full DORA gap analysis across all Core service units and remediate critical ICT risk management deficiencies within 30 days.

Owner: CTO

DORA enforcement begins January 2025. Core banking services carry the highest ICT risk exposure and must demonstrate full compliance with risk management requirements.

Complete PSD2 Strong Customer Authentication compliance audit

Execute a comprehensive SCA compliance audit covering all payment initiation and account information flows.

Owner: Payment Services Lead

Recent PSD2 enforcement actions across EU fintechs indicate heightened regulatory scrutiny on SCA implementation gaps.

Submit EU AI Act conformity assessment for FinScore

Prepare and submit the mandatory conformity assessment for the FinScore credit scoring system classified as high-risk under the EU AI Act.

Owner: AI Governance

FinScore is a high-risk AI system under the EU AI Act. The Loan Eligibility Engine also lacks any approval, creating compounding regulatory exposure.

Conduct GDPR data minimization review for banking aggregation

Audit all PSD2 account information data flows to ensure data minimization principles are enforced and excess data retention is eliminated.

Owner: DPO

Banking aggregation services process sensitive financial data from 50+ institutions. GDPR data minimization compliance must be verified across the full data lifecycle.

Establish NIS2 incident reporting procedures

Implement NIS2-compliant incident reporting workflows with 24-hour early warning and 72-hour full notification capabilities across all service units.

Owner: Security Lead

As a digital infrastructure provider in the financial sector, Fintonic falls within NIS2 scope. Current incident reporting does not meet the mandated timelines.

Assess partner API concentration risk for lending providers

Evaluate third-party concentration risk across lending partner integrations and establish fallback routing for critical credit data providers.

Owner: CTO

Over 60% of lending decision data flows through two partner APIs. A single provider outage could halt loan origination across the platform.

Review packet contents

1. Top 10 entities by exposure and posture decline.

2. Tier 1 repo concentration and failing release lanes.

3. AI systems missing approval, prompt registration, or provenance confidence.

4. Overdue waivers and compensating controls that need renewal or closure.

5. Evidence freshness clusters blocking defensible assurance statements.

Provider concentration

OpenAI: 2 systems

Internal ML: 2 systems

AWS SageMaker: 2 systems

Entities needing steering review

Entity                 | Exposure | Critical repos | Overdue | AI gaps | Top concern
-----------------------|----------|----------------|---------|---------|---------------------
FinScore Engine        | 110      | 5              | 3       | 1       | AI governance
Lending Platform       | 95       | 6              | 4       | 2       | Credit risk controls
Banking Aggregation    | 88       | 3              | 1       | 0       | Fraud prevention
Payment Services       | 82       | 3              | 0       | 0       | PSD2 compliance
Data Platform          | 78       | 3              | 1       | 0       | Payment processing
Partner API            | 72       | 2              | 1       | 0       | PSD2 compliance
Fraud Detection        | 68       | 2              | 1       | 0       | Lending controls
Mobile App             | 55       | 2              | 0       | 0       | Lending controls
Insurance Marketplace  | 45       | 1              | 1       | 1       | Payment processing
Savings Products       | 40       | 1              | 0       | 0       | Payment processing