Islamic Open Finance™ AI Systems Compliance Card


Public disclosure of every AI system Islamic Open Finance™ uses to inform a customer-affecting decision, aligned with EU AI Act Article 13 (transparency) and Article 49 (high-risk registry). Each card lists the purpose, risk class, model provider, inputs, outputs, oversight mechanism, accuracy benchmark, audit retention, and privacy posture.

Asset-Integrity Copilot (KYA)

Risk class: High

Pre-screen asset uniqueness, encumbrance state, Shariah validity for Sukuk + Ijarah underlyings.

Risk basis
Annex III §5(b) creditworthiness — outputs feed an underwriting decision for a regulated product.
Model provider
Anthropic Claude (Sonnet)
Inputs
Asset metadata (type, valuation, jurisdiction), prior encumbrance log, Shariah board attestation history.
Outputs
Triage memo: APPROVE / REVIEW / REJECT with AAOIFI paragraph citations. Never auto-approves; always human-in-loop.
Oversight
Read-only triage. Sensitive actions (encumbrance state transition, Sukuk pool admission) require Shariah board + Cerbos `kya:approve`. 4-eyes on all writes.
Accuracy
98.4% agreement with Shariah board manual review (sample N=312 cases, Q1 2026). Disagreements always escalated.
Audit retention
Per-call evidence pack with input snapshot, model id, prompt, output, board override (if any). 7-year retention.
Privacy
Tenant-scoped. PII redacted before model call. EU-resident edge. No customer data in training.
Art. 13 (transparency), Art. 14 (oversight), Art. 49 (registry), Art. 72 (post-market)

Shariah Board Pre-Screener

Risk class: High

Pre-screen Murabaha / Ijarah / Sukuk / Takaful contracts against AAOIFI SS-8/9/17/26 before board sitting.

Risk basis
Annex III §5(b) — outputs influence approval of a regulated financial product.
Model provider
Anthropic Claude (Sonnet)
Inputs
Contract draft (typed schema), counterparty profile, asset class, jurisdiction.
Outputs
Pre-screen memo with paragraph-level AAOIFI citations + flagged non-permissible structures. Drafts a board memo template.
Oversight
Read-only. Never auto-approves. Board sitting required for every contract regardless of pre-screen verdict.
Accuracy
96.1% agreement with subsequent board decisions (sample N=148 contracts).
Audit retention
Same 7-year evidence pack as KYA.
Privacy
Tenant-scoped. Counterparty PII redacted. Outputs accessible to tenant Shariah board only.
Art. 13, Art. 14, Art. 49, Art. 72

KYC / AML Investigator

Risk class: High

Triage sanctions hits, PEP escalations, transaction-monitoring alerts before maker-checker review.

Risk basis
Annex III §5(d) fraud detection + §5(c) identity verification.
Model provider
Anthropic Claude (Sonnet)
Inputs
Sanctions / PEP screening output, transaction-monitoring alert metadata, prior triage history.
Outputs
Triage classification (true positive / false positive / needs review) with rationale; never auto-freezes / files SAR.
Oversight
Read-only. Sensitive actions (account freeze, SAR filing, sanctions block) remain with compliance officers under 4-eyes.
Accuracy
99.2% on sanctions FP-rejection benchmark; 92.7% on PEP-classification benchmark.
Audit retention
Per-call evidence pack + cross-reference to FIU submission ID where applicable.
Privacy
Tenant-scoped. PII pseudonymised before model call where feasible. Subject access rights honoured per GDPR Art. 15.
Art. 13, Art. 14, Art. 26, Art. 49

Settlement & Reconciliation Investigator

Risk class: Limited+

Classify settlement breaks (timing / counterparty / liquidity / reference-data / system) and recommend recovery path.

Risk basis
Operational classification (not Annex III) but material consequence — recovery path informs ledger postings.
Model provider
Anthropic Claude (Sonnet)
Inputs
Failed-settlement record, counterparty data, ledger snapshot.
Outputs
Cause classification + recommended path (re-submit / return / book-transfer / write-off).
Oversight
Read-only. Force-settle, manual reverse, write-off all require treasury + ops 4-eyes.
Accuracy
95.8% cause-class agreement vs ops manual triage (N=2,144 breaks).
Audit retention
Evidence pack per break, regulator-shaped CSV export.
Privacy
Tenant-scoped. Counterparty PII pseudonymised.
Art. 13

IOF Coding Engine

Risk class: GPAI deployer

Internal developer tooling — Claude Code-driven implementation, auto-fix CI failures, propagate cohesive updates.

Risk basis
GPAI deployment per EU AI Act Aug 2025 obligations; not customer-facing.
Model provider
Anthropic Claude (Opus / Sonnet / Haiku)
Inputs
Source code, CI failure logs, developer prompts.
Outputs
Code edits, PRs, commit messages.
Oversight
All commits require human review (PR-gated). Pre-commit hooks (cohesive-drift, prettier, typecheck, tigerstyle) gate every change.
Accuracy
Tracked via PR-merge rate and post-merge revert rate (currently 91% / 1.3%).
Audit retention
Git history + .claude session transcripts (7-year retention for compliance changes).
Privacy
No customer data accessible to coding engine. Internal-only.
GPAI Code of Practice (Aug 2025)

Reporting + escalation

Serious incident notification: 15 calendar days per EU AI Act Art. 73. Widespread infringement notification: 2 calendar days. See the Customer Commitments page for full SLA.

Concerns about an AI-driven decision affecting your account? Contact ai-oversight@islamicopenfinance.com — DPO + Risk Officer review within 5 business days.