Compliance Architecture

Compliance infrastructure that compounds

Framework-aligned controls with automated evidence collection, continuous monitoring, and structured documentation for examiner review. Compliance is infrastructure, not overhead.


Framework Matrix

Compliance Framework Status

Each framework below is tracked with evidence items, audit metadata, and implementation status.


ACAF

Aaim Compliance Assurance Framework

ACAF is Aaim's proprietary meta-framework that unifies compliance requirements across SOC 2, ISO 27001, PCI DSS, NIST CSF, GDPR, and CCPA. Rather than treating each framework as an independent checklist, ACAF maps all external controls to a single unified structure, identifying overlaps, gaps, and opportunities for enhanced assurance.

Unified Control Structure

347 controls mapped across 6 frameworks with deduplication and crosswalk. Single evidence base serves multiple framework requirements, reducing audit burden while improving control effectiveness.

Enhanced Controls

ACAF implements controls that exceed any individual framework baseline: distributed audit trails with blockchain anchoring, quantum-resistant cryptography preparation, and privacy-preserving analytics with differential privacy.

Real-Time Monitoring

Live control health tracking via Drata integration with hourly sync and dashboard visibility. Evidence is validated continuously rather than captured as a quarterly or annual audit snapshot, so a control that drifts out of compliance is flagged within the sync window instead of at the next audit.

Accelerated Due Diligence

Unified documentation structure enables faster partner due diligence. Vendor assessment questionnaires (VAQs) are pre-mapped to the applicable frameworks with evidence links, reducing response time from weeks to days.

ACAF is continuously validated through internal audits and external framework audits and certifications. The framework crosswalk and control mapping are available upon request under NDA.


SOC 2

Trust Services Criteria

Aaim is pursuing a SOC 2 Type II examination covering all five Trust Services Criteria. SOC 2 is an attestation report issued by an independent CPA firm rather than a certification, and a Type II report covers control operating effectiveness over a review period, not just design at a point in time. Controls are monitored continuously through automated evidence collection.

Security

Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.

Availability

Information and systems are available for operation and use to meet the entity's objectives. Recovery procedures are tested regularly with documented RTO and RPO targets for each service tier.

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. Financial calculations are verified through independent validation and reconciliation processes.

Confidentiality

Information designated as confidential is protected to meet the entity's objectives. Data classification policies define handling requirements for each sensitivity level from public through restricted.

Privacy

Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. Privacy notices accurately describe data practices, and consumer rights are supported through documented workflows.


Regulatory Alignment

Examiner-ready documentation

Platform controls are mapped to specific regulatory guidance documents and examination procedures. Control documentation is structured for examiner review, with evidence items traceable to specific regulatory requirements.

Institutional partners retain full regulatory compliance responsibility for their lending programs. Aaim provides the infrastructure, documentation, and audit support that compliance teams need to demonstrate sound practices to their examiners.

Key Regulatory Frameworks

FFIEC IT Examination Handbook

FFIEC

Platform controls map to FFIEC examination objectives across the core booklets: Information Security, Operations, Development and Acquisition, Business Continuity Management, and Outsourcing Technology Services. Control documentation is structured for examiner review.

OCC Bulletin 2013-29

OCC

Third-party risk management program aligns with OCC guidance on the vendor management lifecycle, including due diligence, contract structuring, ongoing monitoring, and contingency planning for critical technology service providers. Note that OCC Bulletin 2013-29 was rescinded in June 2023 and replaced by the interagency guidance on third-party relationships (OCC Bulletin 2023-17); examiners will assess against the current guidance.

OCC Bulletin 2011-12

OCC

Sound practices for model risk management applied to all financial models including lending risk assessment, collateral valuation, and economic projections. Model validation, documentation, and governance procedures in place.

NCUA Letter 18-CU-03

NCUA

Technology service provider relationships with federally insured credit unions structured per NCUA due diligence and ongoing monitoring guidance. Examination documentation available for credit union examiners.