Regulatory frameworks Pulse evidences

United Kingdom

FCA Operational Resilience

PS21/3 · SS2/21 · SYSC 8 · Critical Third Parties Regime (FSMA 2023)

Effective 2025-03-31

FCA-authorised firms: banks, payment institutions, e-money institutions, insurers, brokers, wealth managers, crypto asset service providers.

European Union

DORA — Digital Operational Resilience Act

Regulation (EU) 2022/2554 · Articles 28–31 · Annex II

Effective 2025-01-17

EU financial entities plus UK firms with EU operations: banks, payment institutions, crypto-asset service providers, investment firms, insurance undertakings.

United States

OCC & Interagency Third-Party Risk

OCC 2013-29 · FRB SR 11-7 · 2023 Interagency Guidance

2023 Interagency Guidance

US banks (national banks, federal savings, BHCs); applied by analogy to credit unions and state-chartered banks.

Australia

APRA CPS 230 — Operational Risk Management

Prudential Standard CPS 230 §41–§54

Effective 2025-07-01

APRA-regulated entities: banks, superannuation funds, insurers, registered financial corporations.

Hong Kong SAR

HKMA Operational Resilience

Supervisory Policy Manual OR-2

In force 2026

Authorized institutions under the Banking Ordinance.

Singapore

MAS Outsourcing & TRM Guidelines

Outsourcing Notice FNN-634 · Technology Risk Management Guidelines

TRM updated 2024

MAS-regulated FIs: banks, capital markets, insurance, payment service providers.

International / Voluntary

NIST Cybersecurity Framework v2.0

NIST CSF v2.0 (released 2024-02-26)

Voluntary

All sectors. Pulse evidences 8 subcategories spanning the ID.AM, ID.RA, PR.DS, PR.PS and DE.CM categories.

International / Standard

ISO/IEC 27001:2022

ISO/IEC 27001:2022 Annex A (93-control set)

Effective 2022-10-25

Any organisation seeking ISO 27001 certification. Pulse evidences 7 Annex A controls covering supplier relationships, threat intel, cryptography, and network security.

How it works

1. Tenant picks a primary regulator — one line of config: PUT /api/v1/pulse/regulatory-frameworks/primary { "regulator": "fca" }.

2. Pulse keeps monitoring the same way — same eight checks, same cadence, same cryptographically-signed evidence. The data layer is regulator-agnostic.

3. Reports format around the regulator — the PDF / JSON bundle includes a regulator-specific scope statement, a control map citing the regulator's own sections, and a vendor inventory in the format examiners expect.

4. Switch frameworks any time — useful for firms with multi-jurisdiction operations (UK + EU + US is common). Same data, different lens.

How Pulse covers the firm-judgement side

Setting impact tolerances, drafting the self-assessment narrative, signing contracts and vouching for personnel all require firm judgement — we can't decide them for the firm without overclaiming. But Pulse can be the canonical, tamper-evident system of record for them. Six artifact kinds (tolerances, narrative, scenario, contract, subprocessors, financial_health) capture the firm's own work via POST /api/v1/pulse/scope-artifacts. Each artifact is SHA-256 hashed on ingest and chained into Pulse's daily IPFS + OpenTimestamps anchor — an auditor can verify it has existed unchanged since its captured_at timestamp.

Vendor financial-health is the one kind that's fully automated: when COMPANIES_HOUSE_API_KEY is configured, Pulse fetches the live UK Companies House profile for UK-registered vendors (status, accounts-due dates, insolvency history, charges) and stores it as a signed snapshot. Non-UK vendors are recorded honestly as matched: false — Pulse never invents data.

What stays out of scope: regulator-only powers (ESA designation of Critical ICT TPPs, board-level governance documents that cannot be delegated to a third-party system), and items that require independent validators (SR 11-7 model-risk, AML, training-records). Each PDF lists these honestly so the boundary stays clear.
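An added example, not Pulse's own code, of how the hash-on-ingest and daily-anchor scheme described above lets an auditor detect a changed or backdated artifact. The page does not specify Pulse's record layout or chaining construction, so the function names, the sha256 field and the anchor construction are assumptions; only the six kinds and captured_at come from the page. Publication of the anchor to IPFS and OpenTimestamps is left out.

```python
import hashlib
import json

# The six artifact kinds named on the page.
KINDS = {"tolerances", "narrative", "scenario", "contract",
         "subprocessors", "financial_health"}


def ingest(kind, captured_at, content: bytes):
    """Record an artifact with its SHA-256 digest (hypothetical record layout)."""
    if kind not in KINDS:
        raise ValueError(f"unknown artifact kind: {kind}")
    return {"kind": kind, "captured_at": captured_at,
            "sha256": hashlib.sha256(content).hexdigest()}


def daily_anchor(prev_anchor: str, records) -> str:
    """Chain one day's records onto the previous anchor digest.

    Assumed construction: SHA-256 over the previous anchor followed by the
    canonical JSON of each record. This digest is the value that would be
    published and timestamped, so it cannot be rewritten later.
    """
    h = hashlib.sha256(bytes.fromhex(prev_anchor))
    for rec in records:
        h.update(json.dumps(rec, sort_keys=True, separators=(",", ":")).encode())
    return h.hexdigest()


def verify(content: bytes, record, prev_anchor, day_records, published_anchor):
    """Auditor check: content matches its record, the record is in the day's
    set, and the day's set reproduces the published anchor."""
    if hashlib.sha256(content).hexdigest() != record["sha256"]:
        return "content-modified"
    if record not in day_records:
        return "record-not-anchored"
    if daily_anchor(prev_anchor, day_records) != published_anchor:
        return "anchor-mismatch"
    return "ok"


# Constructed sample data, not real Pulse output.
GENESIS = "00" * 32
doc = b"Impact tolerance: payments outage <= 4h"
rec = ingest("tolerances", "2025-04-01T09:00:00Z", doc)
other = ingest("contract", "2025-04-01T10:30:00Z", b"MSA v3, signed")
anchor = daily_anchor(GENESIS, [rec, other])
```

Because captured_at is inside the hashed record, changing the timestamp after the fact fails the anchor check even when the file itself is untouched.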
