返回 Papers
AI 底层逻辑 / 经典论文

AI Regulatory Reporting:风险数据聚合与签证架构

重要说明: 本文是学习、作品集和内部架构训练材料, 不构成法律意见、监管解释、合规结论、审计意见、财务报告结论、资本充足性结论、模型验证结论或监管报送建议。具体适用范围、报送义务、口径解释、重要性判断、提交时限、更正或重报判断由 Legal / Compliance / Regulatory Affairs / Finance / Risk / Internal Audit / Managemen

581ai-foundations/papers/146-ai-regulatory-reporting-risk-data-aggregation-attestation-architecture.md

AI Regulatory Reporting / Risk Data Aggregation / Attestation Architecture 解读

面向对象: CBAP+ Financial Retail PM / Senior BA / Regulatory Reporting Product Lead / Risk Data Architect / Enterprise Architect / Data Governance Lead / Finance-Risk Technology Partner。 核心问题: 金融机构如何把 Call Report、FR Y-14、内部风险报告、BCBS 239 风险数据聚合、报表血缘、转换控制、指标定义、对账、签署、提交证据、问题整改和更正重报做成可追溯、可复算、可审计、可被 AI 辅助但不被 AI 接管的 reporting data architecture? 学习目标: 建立 source-to-report lineage、metric contract、attestation evidence graph、reporting control plane、AI assist boundary、restatement loop 和 senior management reporting readiness 的高级架构心智模型。

重要说明: 本文是学习、作品集和内部架构训练材料, 不构成法律意见、监管解释、合规结论、审计意见、财务报告结论、资本充足性结论、模型验证结论或监管报送建议。具体适用范围、报送义务、口径解释、重要性判断、提交时限、更正或重报判断由 Legal / Compliance / Regulatory Affairs / Finance / Risk / Internal Audit / Management 授权角色结合机构类型、牌照、监管关系、报告说明和内部政策确认。访问日期按 2026-06-30 记录。

Source Anchors

SourceOfficial link本文使用方式
BCBS 239 Principles for effective risk data aggregation and risk reportinghttps://www.bis.org/publ/bcbs239.pdf用 governance、data architecture、accuracy、completeness、timeliness、adaptability、report accuracy、review 和 remedial action 组织 reporting data architecture。
BCBS implementation update on BCBS 239https://www.bis.org/publ/bcbs_nl36.htm用持续实施、集团层级、子公司层级、数据治理和风险报告实践的官方语境校准 RDARR 成熟度。
FDIC Current Quarter Call Report Forms, Instructions, and Related Materialshttps://www.fdic.gov/bank-financial-reports/current-quarter-call-report-forms-instructions-and-related-materials作为 Call Report forms、instructions、updates 和 filing material 的官方入口之一。
FFIEC 041 Current Informationhttps://www.ffiec.gov/resources/reporting-forms/ffiec041用 FFIEC 报表页面作为 Call Report form/instruction 入口锚点, 支持报表版本和说明书管理。
Federal Reserve FR Y-14A Reporting Formhttps://www.federalreserve.gov/apps/reportingforms/Report/Index/FR_Y-14A用 annual capital assessment / stress testing reporting 的 instructions、forms 和 schedules 组织 capital planning reporting data architecture。
Federal Reserve FR Y-14Q Reporting Formhttps://www.federalreserve.gov/apps/reportingforms/Report/Index/FR_Y-14Q用 quarterly detailed asset、capital、PPNR、retail、wholesale、operational risk 等 schedules 组织高粒度风险数据聚合和报送控制。
Federal Reserve FR Y-14M Reporting Formhttps://www.federalreserve.gov/apps/reportingforms/Report/Index/FR_Y-14M用 monthly loan portfolio data collection 语境设计 loan-level / account-level reporting lineage。
Federal Reserve SR 26-2 Revised Guidance on Model Risk Managementhttps://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm用 risk-based model risk、development/use、validation/monitoring、governance/control 语言校准报表模型、估计和 AI 辅助能力。
OCC Bulletin 2026-13 Model Risk Management: Revised Guidancehttps://www.occ.gov/news-issuances/bulletins/2026/bulletin-2026-13.html与 SR 26-2 交叉锚定银行模型风险管理、第三方产品和治理控制。
OCC Corporate and Risk Governance booklethttps://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/corporate-risk-governance/index-corporate-and-risk-governance.html用 board/senior management、risk governance、roles/responsibilities 的官方监督语言支撑 reporting accountability。
NIST AI Risk Management Frameworkhttps://www.nist.gov/itl/ai-risk-management-framework用 Govern / Map / Measure / Manage 管理 AI-assisted reporting 的风险、边界、度量和处置。
ISO/IEC 42001 AI management systemshttps://www.iso.org/standard/81230.html用 AI management system、traceability、transparency、reliability、performance evaluation 和 continual improvement 组织 AI 辅助报送的管理体系。

一句话:

Regulatory reporting architecture is not a report factory. It is a governed source-to-report evidence system where every reported fact has definition, lineage, control, reconciliation, owner, attestation and correction path.

1. Thesis: 报送不是填表, 是事实产品化

低成熟度 regulatory reporting 通常长这样:

源系统抽数
  -> 数据团队拼表
  -> 报表团队调 Excel
  -> Finance / Risk 人工检查
  -> 管理层签字
  -> 提交后靠邮件和共享盘解释差异

这种模式在 AI 时代会更危险。LLM 可以让 narrative 更快、mapping 更像样、异常解释更流畅, 但如果底层事实链没有工程化, AI 只会把不可靠数据包装成更有说服力的文本。

成熟 reporting data architecture 的目标是:

obligation / instruction
  -> report metric contract
  -> source-of-record and as-of snapshot
  -> controlled transformation
  -> reconciled reporting data product
  -> schedule / cell / narrative output
  -> layered attestation
  -> submission package
  -> post-submit issue and correction loop
  -> audit-ready evidence graph

PM / BA / Architect 的高级价值不在于解释每个报表字段, 而在于把监管说明书、业务事实、数据结构、口径控制、责任签署、问题管理和 AI 辅助边界连成一个可运行系统。

2. Reporting Data Architecture 心智模型

2.1 从 Source-to-Report 到 Evidence-to-Action

层级核心对象关键问题架构产物
Obligation layerCall Report item、FR Y-14 schedule、内部风险报告要求哪些报告、哪些实体、哪些期间、哪些说明书版本适用obligation inventory、instruction version map
Definition layermetric、schedule item、line item、cell、dimension口径、粒度、分母分子、排除项、as-of 时间、合并范围是什么report metric contract、semantic layer
Source layerGL、subledger、loan servicing、cards、deposits、treasury、CRM、risk engines哪个系统是权威来源, 数据何时可用, 如何冻结版本source-of-record register、as-of snapshot
Transformation layerETL/ELT、rules、allocations、classification、manual adjustment每一步转换是否可解释、可测试、可复跑transformation spec、control tests、code version
Control layerDQ、edit check、reasonableness check、reconciliation、variance analysis是否准确、完整、及时、一致, 差异如何解释control matrix、reconciliation engine、exception workflow
Attestation layerdata owner、report owner、finance/risk owner、executive signer谁证明什么事实, 基于哪些证据, 覆盖哪个版本attestation packet、sign-off ledger
Submission layerfinal files、templates、validation results、confirmation、Q&A提交了什么, 何时提交, 用哪个版本, 有哪些反馈submission manifest、checksum、confirmation archive
Issue layerdata defect、instruction interpretation issue、late adjustment、correction影响哪些报告、期间、指标、客户/账户/组合和管理结论issue ledger、impact assessment、correction/restatement evidence

2.2 三个不能混淆的对象

对象定义常见误区正确架构要求
Regulatory obligation来自报表说明、监管规则、监管问询或内部政策的报告要求把说明书 PDF 当成静态附件建成 versioned obligation inventory, 每个 line item 有 owner、解释记录和变更影响
Reportable metric可填入 schedule/cell 或管理报告的一项可计算事实把 dashboard 指标直接拿去报送必须有 metric contract、source、transformation、DQ、reconciliation、approval
Attested report经授权责任人确认并提交或用于管理层的报告包把签字当形式签署必须绑定数据版本、控制结果、例外、解释和提交证据

2.3 BCBS 239 到架构语言

BCBS 239 lensProduct / architecture translation可验收证据
Governancereporting data owner、report owner、risk/finance owner、technology owner、issue owner 明确RACI、committee decision、attestation ledger
Data architecture and IT infrastructure集成 taxonomy、metadata、single identifier、as-of data store、resilient pipelinedata model、lineage graph、BCP evidence
Accuracy and integrity自动化聚合、源头控制、编辑校验、对账、EUC 控制validation rule inventory、reconciliation report
Completeness覆盖所有 material exposure、legal entity、business line、off-balance sheet relevant populationcompleteness control、population reconciliation
Timeliness正常和 stress/crisis 情境下按时生成更新数据close calendar、SLA/SLO、late data log
Adaptability支持 ad hoc supervisory query、scenario subset、new instruction mappingquery workbench、semantic layer、change impact analysis
Report accuracy报告结果与风险数据对账, 近似值有可靠性标准report-to-source reconciliation、approximation rationale
Comprehensiveness / clarity / frequency / distribution报告覆盖重要风险, 口径清楚, 频率适合, 分发受控report catalog、distribution log、recipient entitlement
Review and remedial action独立评审、缺陷整改、监管反馈闭环control test, audit issue, CAPA, closure evidence

3. Reference Architecture

Regulatory instructions / reporting obligations
  Call Report | FR Y-14A/Q/M | internal risk reports | supervisory requests
        |
        v
Obligation and metric contract registry
  schedule item | cell | definition | materiality | scope | owner | effective date
        |
        v
Source-of-record and as-of data layer
  GL | subledger | deposits | loans | cards | treasury | risk engines | model outputs
  legal entity | product | customer | account | collateral | scenario | calendar
        |
        v
Transformation and control plane
  extraction | mapping | classification | aggregation | allocation | adjustment
  DQ rules | edit checks | reconciliations | variance analytics | lineage events
        |
        v
Reporting data products
  Call Report mart | FR Y-14 mart | risk aggregation mart | management reporting mart
        |
        v
Attestation and evidence layer
  owner sign-off | exception disclosure | issue linkage | evidence manifest | audit log
        |
        v
Submission and post-submit lifecycle
  final package | checksum | validation result | submission confirmation | regulator Q&A
  correction / restatement | remediation | control improvement
        |
        v
AI assist layer with hard boundaries
  mapping suggestions | anomaly explanations | narrative drafts | evidence retrieval | QA triage

架构原则:

No reported number without metric contract.
No metric contract without owner and lineage.
No lineage without transformation version.
No transformation without control evidence.
No attestation without exceptions and issue disclosure.
No AI-generated narrative without grounded source facts and human approval.
No submission without immutable package manifest.

4. Canonical Data Entities

EntityMinimum fields设计理由
Reporting obligationobligation_id, regulator, report_family, report_form, schedule, item, instruction_version, effective_date, applicability_owner把说明书和内部解释变成可管理对象
Report metric contractmetric_id, line_item, definition, numerator, denominator, grain, dimensions, source_systems, exclusions, materiality, owner, version防止同名指标多口径
Reporting periodperiod_id, as_of_date, close_calendar, freeze_time, late_data_policy, submission_due_date区分业务日期、可用日期、冻结日期和提交日期
Source datasetdataset_id, source_system, owner, refresh_time, cutoff, record_count, checksum, retention_class, DQ_status证明报表输入版本
Transformation rulerule_id, input, output, logic, code_version, parameter_version, approver, effective_date, test_suite证明口径转换可解释可复跑
Reconciliation rulerecon_id, source_a, source_b, tolerance, frequency, owner, break_category, escalation_path把差异从邮件争论变成流程对象
Manual adjustmentadjustment_id, report_item, amount, reason_code, preparer, approver, evidence_ref, reversal_policy控制人工覆盖和最后一刻改数
Report cellreport_id, schedule, row, column, metric_id, value, unit, precision, data_version, validation_status细到 cell 的追溯能力
Attestationattestation_id, scope, signer_role, signer, data_version, control_results, exceptions, sign_time签署绑定事实和例外
Submission packagepackage_id, report_id, files, checksums, validation_results, submitter, submission_time, confirmation_ref可证明提交的 exact artifact
Issue / correctionissue_id, severity, impacted_reports, impacted_periods, root_cause, owner, action, correction_decision, closure_evidence支持更正、重报和整改闭环
AI assist eventai_event_id, use_case, model, prompt_version, retrieved_sources, output_type, reviewer, approval_status证明 AI 只在授权边界内辅助

5. Report Metric Contract: 报送口径的产品契约

报表指标不是普通 BI metric。它直接连接监管说明、财务/风险事实、提交证据和签署责任。

Contract field必须写清楚反例
Regulatory anchorreport family、schedule、line item、instruction version只写"贷款余额"
Business definition业务含义、产品范围、风险范围、客户/账户/交易口径不区分信用卡 loan、commitment、unused line
Grainaccount、loan、customer、legal entity、product、scenario、period聚合后无法回溯 population
Time basisas-of date、event time、posting time、available time、freeze time把月末后补录数据混入月末报表
Source of recordGL、subledger、servicing、risk engine、model output 的权威优先级多系统哪个准靠会议判断
Transformation logicmapping、classification、aggregation、allocation、rounding、currency、consolidation只有 SQL, 没有业务解释
Exclusions and inclusions排除项、例外、materiality threshold、materiality rationale人工过滤没有 reason code
Reconciliation对账对象、容忍度、break 分类、处理 SLA差异只写"immaterial"
Quality SLOcompleteness、accuracy、validity、freshness、consistency、uniquenessDQ 失败仍能静默出数
Attestationdata owner、report owner、risk/finance owner、executive signer签署人不知道签的是哪个版本
AI usage boundary是否允许 AI 辅助解释、检测异常、起草 narrative让 AI 解释口径并直接进入报表

示例:

metric_id: RPT-CREDITCARD-UTILIZED-BALANCE
report_mapping: FR Y-14M credit card portfolio schedule, internal regulatory reporting mart
grain: account x legal_entity x product x reporting_period
time_basis: month-end as-of, source freeze at T+2 18:00 CST
source_priority: card servicing ledger, reconciled to GL control account
transformation: exclude charged-off accounts after charge-off effective date; include posted purchases, fees and interest per approved mapping
reconciliation: subledger-to-GL tolerance 0.05% or USD 50k, lower of absolute/materiality rule
attestation: card data owner, finance reporting owner, regulatory reporting owner
AI_boundary: AI may draft variance explanation using approved recon facts; AI cannot change mapping or approve break

6. Source-to-Report Lineage

6.1 Lineage 深度分层

Level适用场景需要追溯到
L1 Report lineage低风险内部管理汇总report -> schedule -> metric -> source system
L2 Dataset lineage常规监管报表和风险报告report -> metric -> curated dataset -> source dataset -> job run
L3 Column lineage重要监管报表、关键风险指标、重大管理决策report cell -> formula -> columns -> transformations -> source fields
L4 Record lineage高影响贷款级、账户级、交易级或监管问询样本report cell -> contributing records -> source record versions
L5 Evidence lineage提交、签署、更正、审计、监管问询record/metric -> control evidence -> attestation -> submission -> issue/action

6.2 Report Lineage 应能回答的问题

Question合格答案
这个 cell 为什么是这个值?能看到 metric definition、input population、transformation、aggregation 和 rounding
来源数据何时冻结?有 source extract time、as-of date、available time、late arrival policy
哪些记录贡献了这个值?material schedules 至少可 drill down 到 contributing population 或样本
哪些控制通过或失败?DQ、edit check、reconciliation、variance check 的结果和例外
谁批准了例外?例外 owner、审批人、理由、有效期和补救动作
提交的是哪个版本?package manifest、checksum、submission timestamp 和 confirmation
提交后发现问题怎么办?issue impact assessment、correction decision、resubmission evidence

7. Transformation Controls

报表转换控制的目标不是让每条规则都复杂, 而是让每条规则都能被理解、测试、变更和签署。

Control area控制设计Evidence
Instruction mapping报表说明书 line item 映射到 metric contract, 解释争议由 Legal/Compliance/Reg Reporting 记录mapping approval, interpretation memo
Source extraction抽取窗口、过滤条件、record count、checksum、late data policy 固化extract log, record-count reconciliation
Classificationproduct、counterparty、legal entity、risk segment、collateral、geography 使用受控 taxonomytaxonomy version, unmapped item report
Aggregationgroup-by key、currency、rounding、netting、consolidation 明确aggregation test, sample replay
Allocationshared balance、expense、capital、exposure allocation 有 approved methodologyallocation methodology, sensitivity review
Manual adjustmentadjustment reason、evidence、dual approval、reversal/roll-forward policyadjustment register
EUC / spreadsheetinventory、access control、version control、change log、independent checkEUC control report
Code changetransformation code 走 SDLC、peer review、test、deployment approvalpull request, release note, test result
Parameter changethreshold、mapping table、calendar、scenario、materiality 独立审批parameter change log
Runtime monitoringjob failure、data delay、quality breach、unexpected distribution shift 告警run log, alert, incident ticket

AI 可以帮助发现映射异常、生成测试候选、解释差异模式, 但不能绕过 transformation control。

8. Reconciliation Architecture

对账不是最后一道人工检查, 而是 reporting data product 的核心能力。

8.1 对账类型

Reconciliation type目标例子
Source-to-source多源系统同一事实是否一致loan servicing balance vs GL control account
Source-to-report报表值能否回到权威来源Call Report line item vs reporting mart vs GL
Cross-schedule同一报告不同 schedule 是否一致FR Y-14 retail totals vs balances / capital schedules
Cross-report监管报表、财务报表、内部风险报告是否口径可解释Call Report vs internal risk exposure dashboard
Period-over-period环比/同比变化是否合理deposit balances, delinquency, allowance, capital components
Population记录集合是否完整active accounts included/excluded with reason
Model-output-to-input模型或估计输出是否能回到输入和参数stress projection, allowance estimate, PPNR model output
Narrative-to-fact文字解释是否被结构化事实支持variance narrative cites approved recon facts

8.2 Break Management

Break severity标准处理动作
Critical影响提交准确性、关键报告项、管理层签署或监管问询回应freeze affected item, escalate to Reg Reporting / Finance / Risk / Legal as required, no silent submission
High超过容忍度, 但可通过批准调整或解释控制issue ticket, owner assigned, management exception approval
Medium未超容忍度但趋势异常或重复发生RCA, monitor, backlog remediation
Low文档、映射说明或非关键阈值优化batch fix through normal change process

每个 break 必须有:

break_id
impacted_metric / schedule / period
amount / count / percentage
tolerance
root_cause
owner
decision: correct now / disclose exception / monitor / remediate after filing
approver
evidence_ref

9. Attestation Architecture

签署不是"我看过这个报表"。签署应明确:

I attest to this scope,
for this reporting period,
based on this data version,
with these controls passed,
with these disclosed exceptions,
within this responsibility boundary.

9.1 Layered Attestation

Attestation layer签署对象典型签署人不能签什么
Source data attestation源数据完整性、抽取窗口、冻结版本、已知限制source system owner / data owner不签最终报表解释
Transformation attestationmapping、rules、job run、test、parameter versiondata engineering / reporting technology owner不签监管适用性
Control attestationDQ、edit check、reconciliation、variance、exception dispositionreporting control owner不签业务事实源头
Business attestation业务口径、产品分类、异常解释、手工调整理由business / finance / risk owner不签技术运行细节
Regulatory reporting attestationreport package completeness、instruction version、filing readinessregulatory reporting owner不替代 executive certification
Executive attestation管理层批准、重大例外知情、提交授权authorized executive不消除底层 owner 责任

9.2 Attestation Packet

Packet section内容
Scopereport family、period、legal entity、schedule、metric set
Versioninstruction version、data freeze、transformation release、semantic layer version
Control resultsDQ status、reconciliation status、edit checks、variance review
Exceptionsopen issues、approved breaks、manual adjustments、late data, EUC dependency
Material changessource change、mapping change、model/estimate change、methodology change
AI usage disclosure哪些 AI assist 用于分析、叙事或证据检索, reviewer 和 approval
Sign-offsigner、role、time、delegation authority、comments
Evidencelinks to logs、reports、tickets、meeting decisions、submission manifest

10. Submission Evidence

提交证据要能证明"提交过"、"提交的是什么"、"基于什么版本"、"验证结果如何"、"之后发生了什么"。

Evidence item说明
Final report files报送文件、模板、schema、forms, 保存 exact final version
Package manifest文件名、hash/checksum、row count、cell count、reporting period、creator、approver
Validation outputregulator portal validation、internal edit checks、error/warning disposition
Attestation ledger所有 required sign-offs 和 exception acknowledgements
Submission confirmationportal confirmation、timestamp、submitter、tracking number
Regulator Q&Aquestions、responses、source facts、approvals、versions
Post-submit issue logsubmitted issues, discovered defects, correction decisions
Retention and access log证据保留期限、访问权限、下载/查看记录

Submission evidence vault 的设计要求:

  • immutable versioning: final package 不被覆盖。
  • access segregation: preparer、approver、auditor、viewer 权限分离。
  • searchability: 可按 report、period、metric、issue、signer、source system 查找。
  • retention alignment: 按内部 records retention 和 legal hold 执行。
  • evidence integrity: hash、timestamp、owner、approval chain 可验证。

11. Issue, Correction and Restatement Loop

提交后发现问题时, 架构必须支持事实快速定位, 但判断是否更正、重报或沟通监管属于授权治理流程。

detection
  -> issue classification
  -> impacted reports / periods / metrics / entities
  -> quantitative and qualitative impact
  -> Legal / Compliance / Regulatory Reporting / Finance / Risk decision
  -> correction or no-correction rationale
  -> resubmission package if required
  -> root cause remediation
  -> control enhancement
  -> closure attestation

11.1 Issue Taxonomy

Issue type例子架构响应
Source data defectservicing 系统余额回灌错误identify impacted extracts, rebuild as-of snapshot, rerun reconciliations
Mapping defect产品映射到错误 Call Report categoryupdate mapping table, impact historical periods, enhance mapping tests
Transformation defectaggregation / allocation rule 代码错误fix code, regression test, version release, quantify impact
Manual adjustment erroradjustment reason 不充分或金额错误reverse / correct adjustment, dual approval, strengthen threshold
Instruction interpretation change内部口径与说明书解释不一致document interpretation, Legal/Compliance/Reg Reporting decision
Model / estimate issuestress projection、allowance estimate、PPNR model output 发现缺陷model risk review, output replacement or disclosure decision
AI narrative issuevariance explanation 引用错误事实或过度推断revoke narrative, correct source references, prompt/control update
Submission artifact issue文件版本、format、portal warning、confirmation gappackage reconstruction, portal evidence, submitter review

11.2 Correction Decision Record

Field内容
issue_id与 issue ledger 一致
discovered_bycontrol, audit, regulator, business, AI anomaly detection
impacted_scopereport, schedule, item, period, legal entity, amount/count
materiality analysisquantitative and qualitative facts, owner, reviewer
decisioncorrect, resubmit, disclose, monitor, no correction with rationale
approvalauthorized roles and timestamps
evidencerecalculation, revised package, communications, closure proof
preventive actioncontrol, data, transformation, training, AI prompt/guardrail update

12. AI Assist Boundaries

AI 在 regulatory reporting 中有价值, 但必须定位为 assistant, not accountable reporter。

12.1 Allowed with Controls

AI use case价值必要控制
Instruction-to-metric mapping suggestion加速说明书解析和影响分析human owner approval, source citation, version lock
Data anomaly detection发现异常变动、缺失、分布漂移deterministic thresholds + explainable alert + false positive tracking
Reconciliation break clustering把大量 break 按根因聚类no auto-close, owner review
Variance narrative draft根据 approved facts 起草原因说明grounded evidence, no unsupported conclusion, sign-off
Evidence retrieval快速查找 lineage、control、ticket、attestationrole-based access, retrieval log
Control test generation生成候选 DQ/edit rules 和 test casesengineer/control owner review before production
Impact analysis assistant根据 lineage 推测受影响报表和指标deterministic lineage query as source, human confirmation

12.2 Not Allowed

Boundary原因
AI 不做法规适用性最终判断exact applicability Legal/Compliance-owned
AI 不改变 report metric definitionmetric contract owner 和授权 governance 决定
AI 不直接写入 final report cells报送事实必须来自受控 data product
AI 不关闭 reconciliation breakbreak disposition 需要 accountable owner
AI 不签署 attestationattestation 是授权责任行为
AI 不提交监管报表submission authority、dual control、evidence capture 必须由授权流程执行
AI 不生成无来源 narrative所有 narrative 必须可追溯到 approved facts
AI 不掩盖 issue 或重写审计痕迹audit trail 必须不可篡改

12.3 Generated Narrative Controls

Control要求
Groundingnarrative 只能使用 approved reporting facts、variance tables、reconciliation results 和 owner comments
Citation每个关键解释指向 metric、period、source、break 或 issue reference
Separation区分 fact、analysis、judgment、legal/compliance conclusion
Human reviewreport owner / business owner / regulatory reporting owner 根据 scope 审核
Versioningprompt、model、retrieval corpus、output、human edits 保留版本
Prohibited language不写监管结论、承诺、责任归因或未经批准的解释
Sampling QA定期抽检 narrative 是否与数字、对账和问题台账一致

13. Senior Management MI: 只报告 Reporting Readiness

本文不展开通用 board MI。这里的 senior management MI 只服务 regulatory reporting data architecture readiness。

MI areaQuestionMetric examples
Filing readiness本期报送是否在轨reports on schedule, open critical breaks, pending attestations
Data quality关键数据是否可靠critical DQ pass rate, late feeds, completeness exceptions
Reconciliation差异是否受控unreconciled amount, break aging, repeat break root causes
Manual adjustment人工覆盖是否过多adjustment count/value, late adjustments, approval exceptions
Lineage coverage报告数字是否可追溯% critical metrics with L3/L4 lineage, missing owner count
Issue management缺陷是否关闭open issues by severity, remediation SLA, repeat defects
Correction / restatement提交后质量如何corrections, resubmissions, regulator questions, root causes
AI usageAI 是否在边界内辅助AI assist events, narrative QA defects, unauthorized use detections

好的 MI 不是"本期已完成报送", 而是:

Which report items are materially reliant on manual workarounds?
Which reconciliations are open and who accepted them?
Which metrics lack required lineage depth?
Which AI-assisted narratives had factual defects?
Which repeat defects need platform investment?

14. PM / Architect Implications

角色关键职责高级产出
PM把 regulatory reporting 从项目交付转成长期 data product roadmapreporting product canvas, capability roadmap, adoption and control KPIs
Senior BA把 instructions、业务口径、数据字段、例外、签署和证据转成需求metric contracts, process maps, control requirements
Data Architect设计 source-of-record、as-of layer、semantic layer、lineage 和 DQcanonical data model, lineage architecture, data contract
Solution Architect设计 pipeline、control plane、attestation workflow、evidence vault、integrationreference architecture, NFR, resilience and access design
Regulatory Reporting Owner确认报告流程、签署、提交、例外和问询响应report calendar, attestation matrix, submission manifest
Risk / Finance Owner确认业务事实、指标解释、对账差异和管理层影响variance explanation, break disposition, management readiness
AI Governance / Model Risk确认 AI assist 边界、模型/提示词控制、输出验证AI use register, narrative QA, model/prompt evidence

高级面试表达:

我不会把 AI regulatory reporting 做成"LLM 帮忙填表"。我会先做 source-to-report data product: obligation inventory、metric contract、as-of snapshot、lineage、DQ、reconciliation、attestation 和 submission evidence。AI 只在 mapping suggestion、anomaly detection、evidence retrieval 和 grounded narrative draft 中辅助, 所有定义、例外、签署、提交和更正判断仍由授权 owner 负责。

15. Anti-Patterns

Anti-pattern风险改法
PDF instruction + spreadsheet mapping口径不可追溯, 变更影响靠人记忆versioned obligation registry + metric contract
Dashboard number copied into filingBI 口径和报送口径混用reporting mart with approved semantic layer
GL reconciliation at final step only上游错误发现太晚source-to-source and source-to-report controls embedded in pipeline
Manual adjustment without reason taxonomy无法分析重复问题和责任adjustment register + reason code + approval threshold
Attestation as email sign-off签署与数据版本脱节structured attestation packet
AI writes variance narrative from raw tables可能编造解释或引用未经批准事实grounded narrative over approved facts only
Submission package overwritten无法证明提交 exact versionimmutable manifest + checksum
Corrections handled case-by-case根因不沉淀, 重复缺陷issue ledger + CAPA + control enhancement
Treat BCBS 239 as compliance checklist数据架构没有改变convert principles into controls, lineage and operating model

16. 面试题准备

Q1: 如何设计一个 AI-assisted regulatory reporting architecture?

30 秒版本: 我会先建设 source-to-report evidence system, 再加 AI assist。核心是 obligation inventory、metric contract、as-of source data、controlled transformation、reconciliation、attestation、submission evidence 和 issue/restatement loop。AI 只能做建议、检测、检索和有来源的 narrative draft, 不能定义口径、改数、关闭差异、签署或提交。

2 分钟版本: 金融监管报送的风险不在于表格生成慢, 而在于数字能否被证明。架构上我会把每个 report item 当成一个数据产品: 有说明书版本、业务定义、粒度、source-of-record、转换规则、对账规则、质量 SLO、owner 和签署范围。数据层要有 as-of snapshot, 因为报送关心某个报告期和冻结点的事实。控制层要包括 source-to-source、source-to-report、cross-schedule、period-over-period 和 narrative-to-fact reconciliation。签署层要分 source、transformation、control、business、reg reporting 和 executive。AI 放在辅助层, 例如异常聚类、证据检索、说明书影响分析、variance narrative 草稿, 但每个输出必须有来源、版本、reviewer 和审批记录。

Q2: BCBS 239 对产品和架构最重要的启发是什么?

30 秒版本: BCBS 239 的本质是让风险数据聚合和风险报告具备 governance、architecture、accuracy、completeness、timeliness 和 adaptability。对 PM/Architect 来说, 它要求我们把报表从人工汇总升级为可追溯的数据产品和控制系统。

2 分钟版本: 我会把 BCBS 239 翻译成工程要求: 数据架构要有统一 identifier、taxonomy 和 metadata; 关键指标要有 owner 和 contract; 数据要能自动化聚合并与源系统和会计数据对账; 报告要在正常和压力情境下按时生成; 对监管临时问询要能按 legal entity、产品、行业、地区和风险维度快速重切。最容易被低估的是 adaptability: 它不是临时 SQL 能跑出来, 而是语义层、血缘、质量和权限已经产品化。

Q3: AI 生成 regulatory reporting narrative 的边界是什么?

30 秒版本: AI 可以基于 approved facts 起草 variance explanation, 但不能生成没有来源的解释、法律/合规结论、责任归因、提交承诺或更正判断。所有 narrative 都要有 fact grounding、citation、人审、版本和 QA。

2 分钟版本: 我会把 narrative 当成派生控制对象。输入只允许来自 approved variance table、reconciliation result、issue ledger 和 owner comment, 不让模型自由读取原始大表后发挥。输出要区分事实、分析、判断和需 Legal/Compliance 确认的问题。关键句子必须引用 metric、period、source 或 issue reference。高影响报表和监管问询材料必须人工审批, 并保留 prompt、model、retrieval corpus、AI output、human edit 和 approval log。

Q4: 发现提交后数据错误, 架构应该如何支持更正或重报?

30 秒版本: 系统应快速做 impact assessment: 哪些报告、期间、line item、legal entity、records 和 attestations 受影响。是否更正或重报由授权 governance 判断, 架构负责提供复算、证据、版本、审批和整改闭环。

2 分钟版本: 我会先冻结 evidence, 创建 issue_id, 通过 lineage 找到 impacted reports、periods、metrics、data versions 和 submission packages。然后量化影响, 区分 source defect、mapping defect、transformation defect、manual adjustment error、instruction interpretation 或 model estimate issue。Reg Reporting、Finance、Risk、Legal/Compliance 根据事实决定是否 correction、resubmission、disclosure 或 monitor。技术侧生成 revised dataset、reconciliation、validation、attestation 和 package manifest。最后把根因转成 preventive action, 例如新增 DQ rule、mapping test、parameter approval 或 AI narrative guardrail。

Q5: 如何避免 AI 让报送流程看起来更快但实际更不可靠?

30 秒版本: 先把 deterministic controls 建好, 再接 AI。AI 输出必须低权限、可追溯、可拒绝、可抽检。所有关键动作仍由系统控制和人类 owner 完成。

2 分钟版本: 我会设置四类 guardrail。第一, data guardrail: AI 只能访问 approved catalog、metric contracts 和 evidence vault, 不直接改 reporting mart。第二, workflow guardrail: AI 只能生成 suggestion 或 draft, final action 需要 owner review。第三, evidence guardrail: 每次 AI assist 都有 model、prompt、retrieved source、output、reviewer 和 decision。第四, quality guardrail: 抽检 AI narrative factuality、reconciliation break clustering accuracy 和 unauthorized use detection。这样 AI 提升分析效率, 但不削弱报送责任链。

17. 最小可落地能力集

CapabilityMVPScale version
Obligation inventory关键报表和 schedule 的 versioned register自动 diff instructions, impact analysis
Metric contractsTop material line items全量 schedule/cell semantic layer
As-of snapshots关键源系统 freeze and checksumevent-time/available-time bitemporal store
Lineagedataset-level lineagecell/column/record/evidence lineage
ReconciliationGL/subledger and period variancecross-report, cross-schedule, narrative-to-fact
Attestationstructured sign-off packetworkflow-integrated attestation ledger
Evidence vaultsubmission package archiveimmutable evidence graph with search and retention
AI assistevidence retrieval and variance draftcontrolled anomaly detection, impact analysis, QA copilot
Issue loopissue register and RCAcorrection/restatement workflow and CAPA analytics

最终判断标准:

Can the team reconstruct a submitted number, its source records, transformation logic,
control results, exceptions, signer, submission artifact and later corrections without
asking the original preparer to remember what happened?

如果答案是否定的, 问题不是 AI 不够强, 而是 reporting architecture 还没有成为可证明的系统。