Three lines of defense, written in JSON.
Audit-ready governance as code.
The three-lines model in a fintech context
The three-lines-of-defense model is a governance framework: the first line (the business) owns the risk; the second line (risk and compliance) sets the policy and monitors adherence to it; the third line (internal audit) provides independent assurance. In a traditional bank, these are three separate teams with separate reporting lines.
In a fintech platform, the same structure exists but the tooling is different. The first line's controls are implemented in application code (the BPM engine's decision rules, the KYC tier thresholds, the transaction limits). The second line's policy is expressed as configuration (risk appetite parameters, screening list sources, escalation thresholds). The third line's audit is served by the event log (every first-line decision, every second-line policy change, every system event).
Policy as configuration
In Coreal, risk appetite parameters are configuration, not code. The KYC tier thresholds (Tier 1: identity verified, €1,000/month limit; Tier 2: enhanced due diligence, €10,000/month) are set in a policy configuration file. When the regulator asks to see the policy, we export the configuration. When the policy changes, the configuration change is a commit in the policy repository with an approval workflow.
This is what 'governance as code' means in practice: the policy is explicit, versionable, reviewable, and auditable. It is not in someone's email or a shared document. It is in the system that applies it — and it is the same format as the application code, so the same review and approval process applies.
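As an added illustration (not Coreal's code), here is the structure described above in Python: the second line's policy as a JSON document carrying the article's tier limits, the first line's decision rule that reads it, and the third line's event log recording every decision together with a fingerprint of the exact policy text applied. The policy field names, the event schema and the function names are constructed for this example.

```python
import hashlib
import json

# Second line: the policy, as it would be committed to the policy repository.
# Field names are constructed for this example; the tier limits are the article's
# (Tier 1: EUR 1,000/month, Tier 2: EUR 10,000/month).
POLICY_JSON = """{
  "policy_id": "kyc-monthly-limits",
  "version": 3,
  "currency": "EUR",
  "tiers": {
    "1": {"name": "identity verified", "monthly_limit": 1000},
    "2": {"name": "enhanced due diligence", "monthly_limit": 10000}
  }
}"""

EVENT_LOG = []  # Third line: append-only record that internal audit reads.


def load_policy(text):
    """Parse the policy and fingerprint its canonical form, so each decision
    can cite exactly which policy text it applied."""
    policy = json.loads(text)
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return policy, hashlib.sha256(canonical.encode()).hexdigest()


def decide(policy, digest, customer_tier, spent_this_month, amount):
    """First line: allow only if the amount fits the tier's remaining monthly
    allowance. Unknown tiers fail closed. Returns (allowed, reason)."""
    tier = policy["tiers"].get(str(customer_tier))
    if tier is None:
        allowed, reason = False, "unknown_tier"
    elif spent_this_month + amount > tier["monthly_limit"]:
        allowed, reason = False, "monthly_limit_exceeded"
    else:
        allowed, reason = True, "within_limit"
    EVENT_LOG.append({"event": "transaction_decision", "policy_id": policy["policy_id"],
                      "policy_version": policy["version"], "policy_sha256": digest,
                      "tier": customer_tier, "amount": amount,
                      "spent_this_month": spent_this_month,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def unreferenced_decisions(log, approved_digests):
    """Third-line check: flag decisions citing a policy fingerprint that was
    never approved in the policy repository (e.g. an out-of-band edit)."""
    return [e for e in log if e["policy_sha256"] not in approved_digests]
```

Because each event carries the fingerprint of the policy text it applied, audit can reconcile the event log against the policy repository's commit history without trusting the application's own account of which version was live.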