Compliance is part of the core, not a module above it
Solid treats tax reporting, regulatory exchanges, resilience, and data protection as native properties of the platform. KYC and AML run through specialist partners — their results are captured on the same records, so reporting and audit surfaces read from one live source of truth, not a reconstructed view.
WHY NATIVE MATTERS
Bolted-on compliance fragments over time. Native compliance doesn't.
Most legacy cores added regulatory capabilities as separate products — reporting extractors, ETL warehouses, GRC and audit databases — wired in through integrations. Each one keeps its own copy of customer data, its own version of "truth", and its own release cadence. Solid is architected so that the compliance surfaces it owns are produced by the same service that owns the state they describe. Specialist KYC and AML systems integrate over APIs, and their decisions are captured as first-class state on the same records.
What "native" means in practice
Customer and transaction records carry their compliance attributes — verification status, screening verdicts, risk scores — from the moment they're written.
Specialist KYC and AML systems integrate over APIs; their decisions are captured as live state on the record, not in a shadow database.
New regulatory requirements are configuration work, not a multi-quarter integration project.
Audit lineage is produced continuously, without a separate logging pipeline to reconcile.
REGULATORY COVERAGE
What's built in
Solid covers tax reporting, Swedish regulatory exchanges, operational resilience, and data protection natively — produced from the same core data, no third-party compliance platform, no parallel data stack.
Common Reporting Standard
Foreign Account Tax Compliance
Mekanismen (SKV)
Bankinfo exchange
KU-forms (Skatteverket)
Digital Operational Resilience
Tax
CRS & FATCA
Self-certification capture, classification, and annual reporting formats for the Swedish Tax Agency and the IRS are produced from native customer and account data.
Swedish reporting
Mekanismen & Bankinfo
Skatteverket's query mechanism and bank information exchanges are served directly from the core, without a separate extract-transform pipeline.
Tax reporting
Interest & withholding
Kontrolluppgift forms and interest statements are generated from the same real-time ledger that produces customer-facing balances and statements.
Resilience
DORA aligned
Incident detection, response, and reporting, third-party risk visibility, and continuity testing all read from the same platform telemetry — not a separate GRC tool.
SECURITY FOUNDATIONS
Bank-grade security as a platform default
The controls NIS2 and ISO 27001 auditors ask about — encryption, identity, access, change management, monitoring, incident reporting — are part of how Solid is built and operated, not configuration checklists to run through before every review.
Encryption
At rest and in transit
AES-256 at rest, TLS 1.2+ in transit, and per-deployment key boundaries that stay under the bank's control.
Identity
SSO, SAML, SCIM
Enterprise identity integration for staff access, with role-based permissions, short-lived credentials, and MFA enforced at the platform layer.
Access
Least privilege by default
Every action passes through explicit authorization. IP restriction, device posture, and session boundaries are available per environment.
Change management
Infrastructure as code
Every environment, policy, and deployment is versioned and reviewed. Rollback is a first-class operation, not a rehearsal.
Monitoring
Continuous evidence
Access logs, change logs, and security events are captured continuously and retained for the regulatory window without a separate SIEM integration.
Residency
Deployed in the bank's cloud and region
Solid is cloud-agnostic and deployed inside the bank's own cloud account. Data residency, sovereignty, and supervisory boundaries are entirely the bank's to define — there is no Solid-managed cloud or shared region in the picture.
COMPLIANCE REPORTING
Regulatory reports produced from the same live ledger
Reports for tax authorities and cross-border regimes are generated directly from core state — no separate reporting warehouse, no end-of-period reconciliation step before a regulator can be answered.
Tax reports
Interest, withholding, and statement reporting produced from posted ledger events, ready to file in the formats local tax authorities require.
FATCA
US person identification, indicia tracking, and annual reporting on reportable accounts in the formats expected by local revenue authorities.
CRS
OECD Common Reporting Standard classification, due-diligence evidence, and annual XML reporting across reportable jurisdictions.
Bankinfo
Swedish bank-account information reporting (kontoinformation) generated from the same core data used to service the account.
Mekanismen
Reporting under the Swedish enforcement mechanism for financial-account information, produced and submitted on the regulator's cadence.
DATA PROTECTION & RESILIENCE
GDPR and NIS2 aligned by architecture, not policy alone
Solid's data model treats personal data and operational resilience as first-class concerns. Purpose tagging, retention, access boundaries, and erasure are enforced by the platform itself — and the same controls that protect data also satisfy NIS2 cybersecurity, incident reporting, and supply-chain obligations for essential entities in the financial sector.
Lawful basis & purpose tagging: every personal-data field carries the purpose it was collected for, read by the services that use it.
Data subject rights: access, rectification, portability, restriction, and erasure are served through the same APIs used for day-to-day operations.
Configurable retention policies: retention rules are configured per record class — covering both customer and employee personal data — and enforced by the platform, not left to downstream systems to apply correctly.
EU data residency: cloud-native deployment in EU regions, with encryption at rest and in transit as a platform default.
Incident detection & reporting: continuous access and change logs support the NIS2 24-hour early warning and 72-hour incident notification timelines without a forensic scramble.
Supply-chain & change management: infrastructure-as-code deployments, tested rollback, and monitored SLOs give a defensible answer to NIS2 supply-chain risk and business-continuity expectations.
AUDIT & TRACEABILITY
One trail across the full lifecycle
Auditors and second-line teams spend most of their time reconciling systems. When the core and its compliance surfaces are the same system, that work disappears.
Ordered & immutable
Every posting, state change, ingested screening result, and policy update is recorded in order. Historical state can be reconstructed at any point in time.
Actor & reason captured
Who made the change, from where, and why — all carried alongside the record itself rather than stored in a separate audit database.
Segregation of duties
Role boundaries are enforced at the API layer and reflected in the audit lineage. Approval chains are part of the record, not an external workflow tool.