Compliance Framework
How Lumenii determines which FCA regulations apply to each detected AI tool — the regulatory basis, evidence sources, and risk scoring methodology behind every compliance flag, risk score, and evidence document the platform generates.
Lumenii is a compliance evidence framework — not legal advice
Every compliance flag Lumenii raises cites a specific FCA Handbook rule, vendor document, or technical fact that can be independently verified. Lumenii surfaces the specific regulatory questions your compliance team and legal counsel need to answer — with the underlying evidence pre-assembled. It does not constitute legal advice and does not replace your compliance function.
FCA regulations Lumenii maps to each app
Seven regulatory frameworks are evaluated for every detected AI tool. For each rule, the trigger conditions, the regulatory text, and the apps most commonly affected are listed.
When this rule is triggered
Triggered when an AI tool performs a function the firm would otherwise do itself — accessing email, processing documents, transcribing calls, or assisting in investment decisions via OAuth.
What this requires from your firm
SYSC 13.9 requires firms to identify all third-party outsourcing arrangements, assess their risk, maintain ongoing oversight, and ensure appropriate contractual protections are in place. An OAuth token granting Grammarly access to a work inbox is legally indistinguishable from an outsourcing contract — it just happened without one.
Regulatory source
FCA Handbook SYSC 13.9.1G — Outsourcing and operational risk management
How Lumenii scores each app — the six-step process
When Lumenii detects a new AI tool via Microsoft 365 or Google Workspace, it runs through this process automatically to determine risk level and applicable regulations.
OAuth detection
Lumenii reads the Microsoft Entra ID service principals and delegated permission grants, and the Google Workspace Admin SDK token logs. Every third-party app with an active OAuth token is identified.
App signature matching
The detected domain (e.g. grammarly.com) is matched against the Lumenii known-app database of 50+ AI tools. Each entry in the database has been individually researched against vendor terms and FCA rules.
Regulatory trigger evaluation
The app's function is evaluated against the six FCA regulatory triggers above. An app that accesses email (OAuth scope: mail.read) automatically triggers SYSC 13 and GDPR Art.28. A transcription app automatically triggers FCA MAR for investment-role employees.
DPA status check
The app's DPA availability is checked against the vendor database. If no enterprise DPA is available or confirmed, a GDPR Art.28 breach flag is raised. If a DPA exists but hasn't been confirmed signed, an amber "Review DPA" flag is raised.
Employee role context
The detected app is cross-referenced with the employee's department. Investment, M&A, and compliance teams have regular MNPI access — any AI tool used by these departments carries an elevated FCA MAR risk dimension.
Risk score assignment
A risk level is assigned: Critical (FCA MAR + no DPA + unapproved), High (unapproved + no DPA), Medium (approved DPA exists but SM&CR gap or Consumer Duty assessment needed), Low (approved, DPA confirmed, SM&CR assigned).
Evidence sources
Every risk flag Lumenii raises is grounded in one of these verifiable sources. None of it is invented or inferred without a documented basis.
FCA Handbook
Every FCA rule citation in Lumenii links directly to the live FCA Handbook chapter. The specific rule text is the basis for every compliance flag Lumenii generates.
Vendor privacy policies and DPA terms
Each app in the database has been individually researched against its published privacy policy and enterprise DPA availability. The consumer edition of ChatGPT has no DPA; this is documented in OpenAI's own published terms.
OAuth permission scope analysis
When an app is granted OAuth access, the specific scopes are recorded in Entra ID or Google Workspace. Lumenii reads these scopes directly — mail.read, files.read.all — as technical evidence of what data the app can access.
Vendor security certifications
Each app's ISO 27001, SOC 2 Type 2, Cyber Essentials, and UK GDPR compliance status is sourced from vendor trust pages and certification body records. These determine the compliance grid ticks and crosses.
Data residency verification
Whether an app processes data on UK or EU servers versus US servers is sourced from vendor documentation. Non-UK data residency triggers a UK GDPR Chapter V international transfer flag.
AI training policy research
Whether an app trains its AI models on user input is sourced directly from vendor privacy policies. The "Trains on your data" badge maps to UK GDPR Article 5(1)(b) purpose limitation — data used for model training is a new processing purpose requiring a separate lawful basis.
Risk level definitions
Every detected AI tool is assigned one of four risk levels based on the combination of regulatory triggers, DPA status, approval status, and employee role context.
Critical risk
FCA MAR risk detected (potential MNPI exposure) AND the tool is unapproved AND no DPA exists. Requires immediate escalation to the CCO. Most commonly triggered by Otter.ai used by investment professionals.
Example
Otter.ai — 7 investment team members recording client calls containing deal information
High risk
Tool is unapproved AND no signed DPA exists AND it has OAuth access to corporate data. SYSC 13 and GDPR Art.28 obligations are in breach. Requires compliance review and remediation plan.
Example
ChatGPT (consumer) — 18 analysts with OAuth access to work email, no DPA in place
Medium risk
Tool is under review OR a DPA exists but hasn't been confirmed signed OR an SM&CR accountability gap exists. No immediate breach but requires action to achieve full compliance.
Example
Microsoft Copilot — enterprise DPA exists but no SM&CR Senior Manager assigned
Low risk
Tool is approved, DPA is confirmed signed, SM&CR accountability is assigned, and a Consumer Duty assessment has been completed. Ongoing monitoring only — no action required.
Example
Microsoft Teams — approved, within M365 enterprise agreement, SM&CR assigned to CTO
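As an added illustration of steps 3 to 6 of the scoring process and the four risk level definitions above (example code written for this page, not Lumenii's own implementation), the trigger evaluation and risk assignment in Python, run over four constructed records that mirror the page's examples. The `dpa` and `approval` state values, the department names and the sample scope sets are assumptions; the scope names and rule names are the ones quoted on the page.

```python
from dataclasses import dataclass

# Constructed lookup data for this example (not Lumenii's real app database); the scope
# names are those the page quotes, the departments follow the "Employee role context" step.
DATA_SCOPES = {"mail.read", "files.read.all"}
MNPI_DEPARTMENTS = {"Investment", "M&A", "Compliance"}

@dataclass
class DetectedApp:
    name: str
    scopes: frozenset        # delegated OAuth scopes read from Entra ID / Workspace
    department: str          # department of the employee who granted the token
    dpa: str                 # "none" | "available" | "confirmed"  (assumed states)
    approval: str            # "unapproved" | "review" | "approved" (assumed states)
    smcr_owner: bool = False        # SM&CR Senior Manager assigned
    consumer_duty_done: bool = False

def evaluate(app: DetectedApp) -> dict:
    """Steps 3 to 6 of the process: triggers, DPA flag, MAR dimension, risk level."""
    triggers = set()
    if app.scopes:                    # any OAuth grant is an outsourcing arrangement
        triggers.add("SYSC 13")
    if app.scopes & DATA_SCOPES:      # mail/file access makes the vendor a processor
        triggers.add("GDPR Art.28")
    if app.department in MNPI_DEPARTMENTS:
        triggers.add("FCA MAR")       # elevated MNPI exposure dimension
    dpa_flag = {"none": "GDPR Art.28 breach", "available": "Review DPA"}.get(app.dpa)

    no_dpa = app.dpa == "none"
    if "FCA MAR" in triggers and app.approval == "unapproved" and no_dpa:
        level = "Critical"
    elif app.approval == "unapproved" and no_dpa and app.scopes:
        level = "High"
    elif (app.approval == "approved" and app.dpa == "confirmed"
          and app.smcr_owner and app.consumer_duty_done):
        level = "Low"
    else:  # assumption: anything neither in breach nor fully compliant is Medium
        level = "Medium"
    return {"app": app.name, "triggers": sorted(triggers), "dpa_flag": dpa_flag, "level": level}

# Constructed records mirroring the four examples on the page.
SAMPLE_APPS = [
    DetectedApp("Otter.ai", frozenset({"mail.read"}), "Investment", "none", "unapproved"),
    DetectedApp("ChatGPT (consumer)", frozenset({"mail.read"}), "Research", "none", "unapproved"),
    DetectedApp("Microsoft Copilot", frozenset(DATA_SCOPES), "Operations", "confirmed", "approved",
                smcr_owner=False, consumer_duty_done=True),
    DetectedApp("Microsoft Teams", frozenset(DATA_SCOPES), "Operations", "confirmed", "approved",
                smcr_owner=True, consumer_duty_done=True),
]
```

Running `evaluate` over `SAMPLE_APPS` yields Critical, High, Medium and Low in that order; an app whose DPA is available but unconfirmed lands in Medium with the amber "Review DPA" flag.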
What Lumenii cannot detect — honest limitations
Lumenii is transparent about its detection boundaries. OAuth-based detection covers the highest-risk category but is not the complete picture.
| Scenario | Detectable | Workaround in Lumenii |
|---|---|---|
| AI tools connected via work email OAuth | ✓ Full detection | Core functionality — daily scan |
| AI apps on Intune-managed mobile devices | ✓ Full detection | Mobile AI Monitor page |
| Browser-only AI use (no OAuth token) | ✗ Not detected | Employee self-declaration survey |
| Personal email account signups for AI tools | ✗ Not detected | Employee self-declaration survey |
| AI tools embedded in already-approved apps | ✗ Not detected | Manual review in Tool Inventory |
| Personal device usage (unmanaged) | ✗ Not detected | MDM enrolment recommended |
| Netskope DLP alerts for AI file uploads | ✓ Via Netskope integration | Connect Netskope in Settings |
Questions about the compliance methodology?
Contact tom@lumenii.io — we can walk through the regulatory basis for any specific app or risk flag in your environment.