Financial entities shall ensure that contractual arrangements on the use of ICT services provided by ICT third-party service providers include audit rights and exit strategies.
One chain answers BaFin, MaRisk, DORA, GDPR.
BaFin December 2025, 9th MaRisk-Novelle, DORA Article 19, GDPR Article 22 — answered in MaRisk vocabulary, not in vendor paraphrase.
```json
{
  "audit_target": "DACH banking compliance",
  "scope": {
    "BaFin Dec 2025 ICT/AI": "Hash-Chain export bundle",
    "9th MaRisk-Novelle (AT 9)": "matchedPolicy + audit-log + 1,825-day retention",
    "DORA Art. 19": "IncidentClock × dora · 4 h / 72 h / 30 d",
    "GDPR Art. 22 (SCHUFA C-634/21)": "ReviewItem linked by traceId"
  }
}
```

Each pointer links to a backend artefact verified in §02. Adjudon does not generate German prose; the chain is the source of truth that your compliance team formats per regulator.

BaFin reads MaRisk. We answer in MaRisk.
Four named DACH frameworks, four rows. Each row pairs the obligation as German banks read it (not as a US vendor paraphrases it) with the Adjudon artefact that satisfies it. Concrete citations: BaFin's December 2025 ICT/AI guidance, the 9th MaRisk-Novelle, DORA Article 19, and the SCHUFA ECJ ruling C-634/21.
| Framework | Obligation | Adjudon artefact | Plan tier |
|---|---|---|---|
| BaFin Dec 2025 ICT/AI under DORA | ICT/AI incident logs in a BaFin-readable format, enforceable now under DORA. Banks must produce decision-level audit evidence on demand. | Hash-Chain export bundle (GET /api/v1/hash-chain/export): a self-contained JSON with every entry, replay-verifiable offline against the published algorithm. | Governance+ |
| 9th MaRisk-Novelle March 2026 · AT 9 Outsourcing | A bank using an AI ICT vendor must document the outsourcing, retain logs for at least 5 years and monitor the service provider's SLA. | Organization.dataRetentionDays configurable up to 1,825 days (BaFin 5-year recommendation). matchedPolicy.name + policyResult.reason + audit-log entry on every blocked decision. | Governance+; retention beyond 365 d: Enterprise+ |
| DORA Art. 19 ICT-incident reporting | Major ICT-related incident reporting on a staged timeline: initial notification within 4 h of classification as major / intermediate report at 72 h / final report at 30 d. | IncidentClock with regulator: 'dora' + articleRef: 'Art. 19' + three checkpoints at the deadlines. Each checkpoint carries an evidenceTraceId linking back to the trace-chain. | Governance+ |
| GDPR Art. 22 · SCHUFA-Urteil C-634/21 | Automated individual decision-making with legal effect (e.g. credit denial) requires the right to human intervention; the data subject must be able to contest the decision and request review. | suggestedStatus = 'flagged' auto-routes blocked decisions to the Review Queue. Reviewer name + decision recorded on the ReviewItem linked by traceId. The PII scrubber removes IBAN, email and credit-card data before the trace is hashed. | Sandbox+; full Review Queue: Scale+ |
One decision, six steps, one chain row.
A loan applicant submits. The bank's underwriter agent declines the application. What happens next at Adjudon, in six steps verified against backend code: PII scrubbing, three-pillar triangulation, policy resolution, HTTP 403, chain anchor, GDPR Article 22 disclosure path.
1. Trace composition. The bank's loan-underwriter agent receives the application and composes a trace: inputContext carries the loan amount and applicant data, outputDecision carries the decline rationale.
2. PII scrubbing. Adjudon's piiScrubber.scrubPayload runs at ingestion. IBAN, email and credit-card patterns are replaced with [REDACTED_*] markers before the trace is hashed or stored, so the chain never commits to raw PII.
3. Three-pillar triangulation. The decision is scored on base probability (the model's self-report), variance (top decision vs. next-best alternative) and historical precedent (vector similarity to past decisions). Example output: score: 0.42, flags [LOW_CONFIDENCE, HIGH_AMBIGUITY], suggestedStatus: 'flagged'.
4. Policy resolution and HTTP 403. Active policies are evaluated by priority. The "Hold low-confidence loan denials" policy matches with action 'block'. Adjudon returns HTTP 403 with code: ADJ_BLOCKED_BY_POLICY and matchedPolicy.name.
5. Chain anchor. The trace is persisted with status: 'blocked'. A HashChainEntry is appended with the per-org sequence number, prevHash, payloadDigest and the new chainHash.
6. GDPR Article 22 disclosure path. A ReviewItem is created, linked by traceId. The bank's reviewer can approve, reject or escalate; the decision is recorded with the reviewer's name. The SCHUFA-Urteil C-634/21 disclosure to the applicant uses the trace as the source of truth: same hash, same chain, no second copy.
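The scrub-then-anchor path from steps 2 and 5, together with the offline replay the export bundle (GET /api/v1/hash-chain/export) is meant to support, as an added Python example. This is not Adjudon's code: the page names the fields (per-org sequence, prevHash, payloadDigest, chainHash, [REDACTED_*] markers) but neither the hashing algorithm nor the scrubber's patterns, so the SHA-256 construction, the canonical-JSON rule, the genesis value, the three regexes and the loan trace are all assumptions constructed for the example. What it shows beyond the prose is how a verifier with nothing but the bundle catches an edited decision and a deleted entry.

```python
"""Added example, not Adjudon's code: scrub PII, append to a per-org hash chain, export
a bundle and replay-verify it offline. Assumed construction (the page names the fields,
not the algorithm): payloadDigest = sha256(canonical JSON of the scrubbed payload),
chainHash = sha256("orgId|seq|prevHash|payloadDigest"), genesis prevHash = 64 hex zeros."""
import hashlib
import json
import re
from dataclasses import asdict, dataclass

# Assumed detection patterns for the three PII classes the page names. Order matters:
# IBANs are redacted before the card pattern can see their digit groups.
REDACTION_PATTERNS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
]
GENESIS_HASH = "0" * 64

def scrub_payload(value):
    """Recursively replace PII with [REDACTED_*] markers; non-strings pass through."""
    if isinstance(value, str):
        for tag, pattern in REDACTION_PATTERNS:
            value = pattern.sub(f"[REDACTED_{tag}]", value)
        return value
    if isinstance(value, dict):
        return {k: scrub_payload(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_payload(v) for v in value]
    return value

def payload_digest(payload) -> str:
    # Sorted keys, no whitespace: the offline verifier must re-serialise byte-identically.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode()).hexdigest()

def chain_hash(org_id: str, seq: int, prev_hash: str, digest: str) -> str:
    return hashlib.sha256(f"{org_id}|{seq}|{prev_hash}|{digest}".encode()).hexdigest()

@dataclass
class HashChainEntry:
    orgId: str
    seq: int            # per-organisation sequence number, starts at 1
    prevHash: str
    payloadDigest: str
    chainHash: str
    payload: dict       # already scrubbed; raw PII never reaches the chain

class OrgChain:
    def __init__(self, org_id: str):
        self.org_id, self.entries = org_id, []

    def append(self, raw_trace: dict) -> HashChainEntry:
        scrubbed = scrub_payload(raw_trace)  # scrub first, then hash, then store
        seq = len(self.entries) + 1
        prev = self.entries[-1].chainHash if self.entries else GENESIS_HASH
        digest = payload_digest(scrubbed)
        entry = HashChainEntry(self.org_id, seq, prev, digest,
                               chain_hash(self.org_id, seq, prev, digest), scrubbed)
        self.entries.append(entry)
        return entry

    def export(self) -> dict:
        """Self-contained bundle: everything a verifier needs without calling the service."""
        return {"orgId": self.org_id, "entries": [asdict(e) for e in self.entries]}

def verify_export(bundle: dict) -> tuple:
    """Replay from genesis; returns (ok, reason) naming the first seq where the chain breaks."""
    prev = GENESIS_HASH
    for seq, e in enumerate(bundle["entries"], start=1):
        if e["seq"] != seq:
            return False, f"sequence gap at seq {seq} (entry removed or reordered)"
        if e["prevHash"] != prev:
            return False, f"prevHash mismatch at seq {seq}"
        if payload_digest(e["payload"]) != e["payloadDigest"]:
            return False, f"payloadDigest mismatch at seq {seq} (payload edited)"
        if chain_hash(bundle["orgId"], seq, prev, e["payloadDigest"]) != e["chainHash"]:
            return False, f"chainHash mismatch at seq {seq}"
        prev = e["chainHash"]
    return True, f"{len(bundle['entries'])} entries verified"

def demo() -> dict:
    """Constructed loan-decline trace, then two tampered copies of the export."""
    chain = OrgChain("org_bank_de")
    declined = chain.append({
        "inputContext": {"loanAmount": 250000, "applicant": "Jane Doe <jane.doe@example.com>",
                         "iban": "DE89 3704 0044 0532 0130 00", "card": "4111 1111 1111 1111"},
        "outputDecision": {"decision": "decline", "reason": "debt-to-income above threshold"},
        "status": "blocked", "matchedPolicy": {"name": "Hold low-confidence loan denials"},
    })
    for _ in range(2):
        chain.append({"outputDecision": {"decision": "approve"}, "status": "accepted"})
    bundle = chain.export()
    edited = json.loads(json.dumps(bundle))      # a copy with the first decision flipped
    edited["entries"][0]["payload"]["outputDecision"]["decision"] = "approve"
    shortened = json.loads(json.dumps(bundle))   # a copy with the middle entry deleted
    del shortened["entries"][1]
    return {"scrubbed": declined.payload, "intact": verify_export(bundle),
            "edited": verify_export(edited), "shortened": verify_export(shortened)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the digest is computed over the already-scrubbed payload, verification never needs the raw IBAN, email or card number: the regulator's copy and the applicant-disclosure copy verify against the same chainHash, which is what lets one chain serve both without a second record.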
GDPR, DORA, AI Act — same incident, three clocks.
When an AI credit-decision goes wrong — discriminatory output, data leak, system failure — three regulators want different reports on different timelines: GDPR Article 33, DORA Article 19, AI Act Article 73. Adjudon's Multi-Clock Hub starts all three the moment the parent Incident is opened.
72 hours
If personal data is exposed through the AI's decision trace, the bank must notify the supervisory authority within 72 hours of becoming aware of the breach. An IncidentClock with regulator: 'gdpr' schedules that single deadline; the breach evidence is pulled from the chain via evidenceTraceId.
4 h · 72 h · 30 d
If the bank classifies the failure as a major ICT-related incident under DORA, BaFin is the recipient in Germany. Three staged deadlines: initial notification within 4 hours of classification, intermediate report at 72 hours, final report at 30 days. An IncidentClock with regulator: 'dora' carries all three checkpoints.
2 d · 10 d · 15 d
If the credit-scoring system is Annex III high-risk, the market surveillance authority must be notified, with the deadline set by the kind of serious incident: 2 days for a widespread infringement, 10 days for a death, 15 days for any other serious incident. Same Incident, third IncidentClock with regulator: 'aiact'.
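The three clocks above, as an added Python example rather than Adjudon's Multi-Clock Hub: the IncidentClock and Checkpoint shapes, the category names and the evidence id are assumptions modelled on the field names the page uses, and the incident is constructed. What the headline numbers hide, and the example makes visible, is that DORA is a staged clock with three checkpoints while GDPR and the AI Act each carry a single deadline, and that the AI Act deadline depends on the kind of serious incident, so a widespread-infringement case is due to the market surveillance authority before the GDPR notification is.

```python
"""Added example, not Adjudon's code: one Incident opening three IncidentClocks.
Assumptions: every offset runs from the Incident's openedAt (under the DORA reporting RTS
the intermediate and final timers run from the preceding submission, so a production
clock would re-anchor them on filing); the AI Act clock has one deadline chosen by the
kind of serious incident; field and category names are illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass(frozen=True)
class Checkpoint:
    name: str
    dueAt: datetime
    evidenceTraceId: str  # links the report back to the trace-chain entry holding the evidence

@dataclass
class IncidentClock:
    regulator: str
    articleRef: str
    checkpoints: List[Checkpoint]

DORA_STAGES = [("initial notification", timedelta(hours=4)),
               ("intermediate report", timedelta(hours=72)),
               ("final report", timedelta(days=30))]
AIACT_DEADLINE = {"widespread_infringement": timedelta(days=2),
                  "death": timedelta(days=10),
                  "other_serious": timedelta(days=15)}

def start_clocks(opened_at: datetime, evidence_trace_id: str, *, personal_data_exposed: bool,
                 annex_iii_high_risk: bool, ai_act_category: Optional[str]) -> List[IncidentClock]:
    """Open every clock the incident triggers; all checkpoints share one evidenceTraceId."""
    clocks = [IncidentClock("dora", "Art. 19", [Checkpoint(n, opened_at + d, evidence_trace_id)
                                                for n, d in DORA_STAGES])]
    if personal_data_exposed:  # GDPR Art. 33: 72 h from awareness, a single deadline
        clocks.append(IncidentClock("gdpr", "Art. 33", [
            Checkpoint("supervisory authority notification", opened_at + timedelta(hours=72),
                       evidence_trace_id)]))
    if annex_iii_high_risk and ai_act_category is not None:  # AI Act Art. 73
        clocks.append(IncidentClock("aiact", "Art. 73", [
            Checkpoint(f"market surveillance notification ({ai_act_category})",
                       opened_at + AIACT_DEADLINE[ai_act_category], evidence_trace_id)]))
    return clocks

def _timeline(clocks):
    """All checkpoints across clocks, earliest first (stable sort, ties keep clock order)."""
    return sorted(((c.regulator, cp.name, cp.dueAt) for c in clocks for cp in c.checkpoints),
                  key=lambda t: t[2])

def overdue(clocks, now):
    return [(r, n) for r, n, due in _timeline(clocks) if due < now]

def next_due(clocks, now):
    """(regulator, checkpoint, hours remaining) for the earliest open deadline, or None."""
    for r, n, due in _timeline(clocks):
        if due >= now:
            return r, n, (due - now).total_seconds() / 3600
    return None

def demo() -> dict:
    """Constructed incident: a discriminatory credit decline affecting many applicants."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    clocks = start_clocks(t0, "trc_0001", personal_data_exposed=True,
                          annex_iii_high_risk=True, ai_act_category="widespread_infringement")
    early, late = t0 + timedelta(hours=1), t0 + timedelta(hours=73)
    dora_only = start_clocks(t0, "trc_0002", personal_data_exposed=False,
                             annex_iii_high_risk=False, ai_act_category=None)
    return {"regulators": [c.regulator for c in clocks],
            "early_overdue": overdue(clocks, early), "early_next": next_due(clocks, early),
            "late_overdue": overdue(clocks, late), "late_next": next_due(clocks, late),
            "dora_only": [c.regulator for c in dora_only]}

if __name__ == "__main__":
    print(demo())
```

At 73 hours the example reports four missed checkpoints (DORA initial, AI Act, DORA intermediate, GDPR) and only the DORA final report still open, which is the ordering a single "72 hours" headline would not have predicted.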
When BaFin shows up, hand them the chain.
You've seen four DACH frameworks, six engine steps, and three parallel regulator clocks. Next: wire one trace, generate your own chain, and request a sample BaFin-style export when you're ready. The first call lands at the engineer who writes the German compliance copy — not at an SDR.
The text the regulator actually wrote.
GDPR Art. 22(1): The data subject shall have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her.
MaRisk (BaFin): Institutions must establish appropriate procedures for managing and monitoring the risks arising from the use of models. (Original: "Institute haben angemessene Verfahren zur Steuerung und Überwachung der Risiken aus dem Einsatz von Modellen einzurichten.")