
Compliance Framework

How Lumenii determines which FCA regulations apply to each detected AI tool — the regulatory basis, evidence sources, and risk scoring methodology behind every compliance flag, risk score, and evidence document the platform generates.

Lumenii is a compliance evidence framework — not legal advice

Every compliance flag Lumenii raises cites a specific FCA Handbook rule, vendor document, or technical fact that can be independently verified. Lumenii surfaces the specific regulatory questions your compliance team and legal counsel need to answer — with the underlying evidence pre-assembled. It does not constitute legal advice and does not replace your compliance function.

FCA regulations Lumenii maps to each app

Seven regulatory frameworks are evaluated for every detected AI tool. For each rule, Lumenii lists the trigger conditions, the regulatory text, and which apps are affected.

SYSC 13.9 — Outsourcing

When this rule is triggered

Triggered when an AI tool, connected via OAuth, performs a function the firm would otherwise perform itself: accessing email, processing documents, transcribing calls, or assisting in investment decisions.

What this requires from your firm

SYSC 13.9 requires firms to identify all third-party outsourcing arrangements, assess their risk, maintain ongoing oversight, and ensure appropriate contractual protections are in place. An OAuth token granting Grammarly access to a work inbox is legally indistinguishable from an outsourcing contract — it just happened without one.

Regulatory source

FCA Handbook SYSC 13.9.1G — Outsourcing and operational risk management


Commonly affects

ChatGPT, Grammarly, Otter.ai, Notion AI, Perplexity, Jasper, Google Gemini, Microsoft Copilot

How Lumenii scores each app — the six-step process

When Lumenii detects a new AI tool via Microsoft 365 or Google Workspace, it runs through this process automatically to determine risk level and applicable regulations.

1

OAuth detection

Lumenii reads the Microsoft Entra ID service principals and delegated permission grants, and the Google Workspace Admin SDK token logs. Every third-party app with an active OAuth token is identified.

2

App signature matching

The detected domain (e.g. grammarly.com) is matched against the Lumenii known-app database of 50+ AI tools. Each entry in the database has been individually researched against vendor terms and FCA rules.

3

Regulatory trigger evaluation

The app's function is evaluated against the six FCA regulatory triggers above. An app that accesses email (OAuth scope: mail.read) automatically triggers SYSC 13 and GDPR Art.28. A transcription app automatically triggers FCA MAR for investment-role employees.

4

DPA status check

The app's DPA availability is checked against the vendor database. If no enterprise DPA is available or confirmed, a GDPR Art.28 breach flag is raised. If a DPA exists but hasn't been confirmed signed, an amber "Review DPA" flag is raised.

5

Employee role context

The detected app is cross-referenced with the employee's department. Investment, M&A, and compliance teams have regular MNPI (material non-public information) access — any AI tool used by these departments carries an elevated FCA MAR risk dimension.

6

Risk score assignment

A risk level is assigned: Critical (FCA MAR + no DPA + unapproved), High (unapproved + no DPA), Medium (approved DPA exists but SM&CR gap or Consumer Duty assessment needed), Low (approved, DPA confirmed, SM&CR assigned).

Evidence sources

Every risk flag Lumenii raises is grounded in one of these verifiable sources. None of it is invented or inferred without a documented basis.

FCA Handbook

Every FCA rule citation in Lumenii links directly to the live FCA Handbook chapter. The specific rule text is the basis for every compliance flag Lumenii generates.

Vendor privacy policies and DPA terms

Each app in the database has been individually researched against its published privacy policy and enterprise DPA availability. ChatGPT consumer has no DPA — this is documented from OpenAI's own published terms.

OAuth permission scope analysis

When an app is granted OAuth access, the specific scopes are recorded in Entra ID or Google Workspace. Lumenii reads these scopes directly — mail.read, files.read.all — as technical evidence of what data the app can access.

Vendor security certifications

Each app's ISO 27001, SOC 2 Type 2, Cyber Essentials, and UK GDPR compliance status is sourced from vendor trust pages and certification body records. These determine the compliance grid ticks and crosses.

Data residency verification

Whether an app processes data on UK or EU servers versus US servers is sourced from vendor documentation. Non-UK data residency triggers a UK GDPR Chapter V international transfer flag.

AI training policy research

Whether an app trains its AI models on user input is sourced directly from vendor privacy policies. The "Trains on your data" badge maps to UK GDPR Article 5(1)(b) purpose limitation — data used for model training is a new processing purpose requiring a separate lawful basis.

Risk level definitions

Every detected AI tool is assigned one of four risk levels based on the combination of regulatory triggers, DPA status, approval status, and employee role context.

Critical risk

FCA MAR risk detected (potential MNPI exposure) AND the tool is unapproved AND no DPA exists. Requires immediate escalation to the CCO. Most commonly triggered by Otter.ai used by investment professionals.

Example

Otter.ai — 7 investment team members recording client calls containing deal information

High risk

Tool is unapproved AND no signed DPA exists AND it has OAuth access to corporate data. The firm is in breach of its SYSC 13 and GDPR Art.28 obligations. Requires compliance review and a remediation plan.

Example

ChatGPT (consumer) — 18 analysts with OAuth access to work email, no DPA in place

Medium risk

Tool is under review OR a DPA exists but hasn't been confirmed signed OR an SM&CR accountability gap exists. No immediate breach but requires action to achieve full compliance.

Example

Microsoft Copilot — enterprise DPA exists but no SM&CR Senior Manager assigned

Low risk

Tool is approved, DPA is confirmed signed, SM&CR accountability is assigned, and a Consumer Duty assessment has been completed. Ongoing monitoring only — no action required.

Example

Microsoft Teams — approved, within M365 enterprise agreement, SM&CR assigned to CTO
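To make the decision logic of steps 3 to 6 and the four risk level definitions concrete, here is an added worked example in Python. It is not Lumenii's code: the DetectedApp record, its field names (scopes, dpa_status, approval, department, sm_cr_owner, consumer_duty_done) and the sample records are assumptions constructed to mirror the four examples on this page. The scope-to-regulation mapping, the DPA flags and the severity ladder follow the text above, evaluated most severe first.

```python
from dataclasses import dataclass, field
from typing import Optional

# Step 5: departments the page names as having regular MNPI
# (material non-public information) access.
MNPI_DEPARTMENTS = {"investment", "m&a", "compliance"}

# Step 3: OAuth scopes the page cites as technical evidence of access to
# corporate data. Compared case-insensitively (Entra ID records "Mail.Read").
CORPORATE_DATA_SCOPES = {"mail.read", "files.read.all"}


@dataclass
class DetectedApp:
    """One OAuth-detected third-party app plus the known-app DB facts about it.
    Field names are hypothetical, not Lumenii's schema."""
    name: str
    department: str                      # department of the employee who granted the token
    scopes: set = field(default_factory=set)  # delegated scopes from Entra ID / Workspace
    transcription: bool = False          # app function per the known-app database (step 2)
    dpa_status: str = "none"             # "none" | "available_unconfirmed" | "confirmed"
    approval: str = "unapproved"         # "unapproved" | "under_review" | "approved"
    sm_cr_owner: Optional[str] = None    # accountable SM&CR Senior Manager, if any
    consumer_duty_done: bool = False
    uk_or_eu_residency: bool = True      # vendor-documented processing location
    trains_on_data: bool = False         # vendor privacy policy


def corporate_access(app):
    """True when any recorded scope grants access to corporate mail or files."""
    return bool({s.lower() for s in app.scopes} & CORPORATE_DATA_SCOPES)


def regulatory_triggers(app):
    """Step 3 plus the evidence-source rules: frameworks the recorded facts trigger."""
    triggers = set()
    if corporate_access(app):
        triggers |= {"SYSC 13", "GDPR Art.28"}
    if app.transcription and app.department.lower() in MNPI_DEPARTMENTS:
        triggers.add("FCA MAR")
    if not app.uk_or_eu_residency:
        triggers.add("UK GDPR Chapter V")
    if app.trains_on_data:
        triggers.add("UK GDPR Art.5(1)(b)")
    return triggers


def dpa_flags(app):
    """Step 4: breach flag when no DPA exists, amber flag when one exists but is unsigned."""
    if app.dpa_status == "none":
        return ["GDPR Art.28 breach"]
    if app.dpa_status == "available_unconfirmed":
        return ["Review DPA"]
    return []


def risk_level(app, triggers):
    """Step 6 and the risk level definitions, evaluated most severe first."""
    unapproved = app.approval == "unapproved"
    no_signed_dpa = app.dpa_status != "confirmed"
    if "FCA MAR" in triggers and unapproved and app.dpa_status == "none":
        return "Critical"
    if unapproved and no_signed_dpa and corporate_access(app):
        return "High"
    if (app.approval == "approved" and app.dpa_status == "confirmed"
            and app.sm_cr_owner and app.consumer_duty_done):
        return "Low"
    return "Medium"  # under review, unsigned DPA, or SM&CR / Consumer Duty gap


def assess(app):
    triggers = regulatory_triggers(app)
    return {
        "app": app.name,
        "triggers": sorted(triggers),
        "flags": dpa_flags(app),
        "mnpi_department": app.department.lower() in MNPI_DEPARTMENTS,  # step 5 dimension
        "level": risk_level(app, triggers),
    }


# Constructed sample records mirroring the page's four examples (not real scan data).
SAMPLE_APPS = [
    DetectedApp("Otter.ai", "investment", {"Calendars.Read"}, transcription=True),
    DetectedApp("ChatGPT (consumer)", "research", {"Mail.Read"}),
    DetectedApp("Microsoft Copilot", "operations", {"Files.Read.All"},
                dpa_status="confirmed", approval="approved"),
    DetectedApp("Microsoft Teams", "operations", {"Mail.Read"},
                dpa_status="confirmed", approval="approved",
                sm_cr_owner="CTO", consumer_duty_done=True),
]


def assess_all(apps=SAMPLE_APPS):
    return {a.name: assess(a) for a in apps}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{result['level']:8} {name}: "
              f"{', '.join(result['triggers']) or 'no triggers'}; flags={result['flags']}")
```

Running the block prints one line per sample app; Otter.ai comes out Critical, ChatGPT (consumer) High, Copilot Medium and Teams Low, matching the examples above. The ordering in risk_level matters: an approved app with a confirmed DPA falls to Medium rather than Low whenever the SM&CR owner or Consumer Duty assessment is missing, which is the Copilot case.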

What Lumenii cannot detect — honest limitations

Lumenii is transparent about its detection boundaries. OAuth-based detection covers the highest-risk category but is not the complete picture.

Scenario | Detectable | Workaround in Lumenii
AI tools connected via work email OAuth | ✓ Full detection | Core functionality: daily scan
AI apps on Intune-managed mobile devices | ✓ Full detection | Mobile AI Monitor page
Browser-only AI use (no OAuth token) | ✗ Not detected | Employee self-declaration survey
Personal email account signups for AI tools | ✗ Not detected | Employee self-declaration survey
AI tools embedded in already-approved apps | ✗ Not detected | Manual review in Tool Inventory
Personal device usage (unmanaged) | ✗ Not detected | MDM enrolment recommended
Netskope DLP alerts for AI file uploads | ✓ Via Netskope integration | Connect Netskope in Settings

Questions about the compliance methodology?

Contact tom@lumenii.io — we can walk through the regulatory basis for any specific app or risk flag in your environment.
