Trade execution, fraud monitoring, and advisory

The trust layer for AI agents operating inside regulated financial workflows.

The financial-services sector has three sub-verticals, each with its own action vocabulary, regulator binding, and integration brief. Pick the sub-vertical that matches the calling system's role; the policy template, the regulator evidence pack, and the integration brief follow from there.

Three calling-side shapes; one shared platform.

AI-assisted financial advice (advisory)

Client-profile maintenance, MiFID II suitability assessment, AI-drafted advice and product recommendations, and the delivery of advice to retail and professional clients. The advice.delivered and recommendation.delivered action classes are gated behind a certified human in the loop.

Policy template: policies/sectors/financial-services/advisory-template.yaml
Integration brief: docs/governance/integration-briefs/financial-services-advisory.md
Primary regulators: FCA SM&CR, MiFID II suitability (Articles 24 and 25), SEC Investment Advisers Act § 206, FINRA Rule 3110

AI-executed trades (trade execution)

Order proposal, pre-trade risk validation, order submission to execution venues, execution-report ingestion, and position lifecycle management. The order.submitted action above a tenant-configured notional threshold and position.modified above a size threshold are gated behind a head-of-trading approval.

Policy template: policies/sectors/financial-services/trade-execution-template.yaml
Integration brief: docs/governance/integration-briefs/financial-services-trade-execution.md
Primary regulators: MiFID II best execution (Article 27), MiFID II algorithmic trading (Article 17), FINRA Rule 5310, EU Market Abuse Regulation

Passive fraud detection and case management (fraud monitoring)

Transaction flagging and clearing, fraud-case lifecycle management, customer flagging for enhanced monitoring, customer suspension on confirmed incidents, and transaction reversal. The customer.suspended and transaction.reversed action classes are gated behind a certified human investigator.

Policy template: policies/sectors/financial-services/fraud-monitoring-template.yaml
Integration brief: docs/governance/integration-briefs/financial-services-fraud-monitoring.md
Primary regulators: BSA/AML (FinCEN), EU 5MLD, FCA Financial Crime Guide and SYSC 6.3, UK Proceeds of Crime Act

Which frameworks the financial-services pack maps to.

The per-sub-vertical pages below carry the full coverage table. The headline mapping: FCA SM&CR, MiFID II, DORA, FINRA, the SEC AI conduct pack, and the EU AI Act cross-reference for high-risk AI in credit scoring.

  • FCA SM&CR
    vortalis_proxy/compliance/fca_smcr.py
    tests/conformance/regulators/fca_smcr/
  • SEC AI conduct
    vortalis_proxy/compliance/sec_ai_conduct.py
    tests/conformance/regulators/sec_ai_conduct/
  • FINRA
    vortalis_proxy/compliance/finra.py
    tests/conformance/regulators/finra/
  • MiFID II
    vortalis_proxy/compliance/frameworks.py
  • DORA
    vortalis_proxy/compliance/frameworks.py
  • SOC 2
    vortalis_proxy/compliance/frameworks.py
  • CSDR and SDR
    vortalis_proxy/compliance/csdr_sdr.py
    Settlement-discipline evidence pack. Cash penalties under CSDR Article 7(2) are mapped as in force; mandatory buy-in under Article 7(3) to 7(7) is mapped as dormant, because under CSDR as amended by Regulation (EU) 2023/2845 it applies only once the European Commission adopts an implementing act. See the honest limits below.

What this sector pack does not do.

Vortalis does not execute trades, settle transactions, or move funds; it governs AI-agent decisions about those actions.

The policy templates gate the actions an AI agent may take. The actual venue submission, the actual customer-portal delivery, the actual core-banking suspension all happen in the operator's existing infrastructure. The audit chain records the agent's decision and the upstream outcome; it does not move money.

Counterparty certification with Bloomberg, FIX networks, SWIFT, exchange APIs, and broker-dealer integrations is the operator's responsibility.

Vortalis ships financial adapters as code (FIX, SWIFT ISO 20022, SWIFT MT and ISO 15022, Bloomberg, Genesis, Taskize, and Symphony), not as counterparty-certified production integrations. Production certification with each venue, network, and counterparty sits with the operator. The Vortalis adapters provide a starting shape; conformance against the counterparty's certification programme is the operator's track.

Best-execution evidence is an audit-trail query; the determination of which venues qualify as best execution in a given jurisdiction is the operator's responsibility to encode in policy.

MiFID II Article 27 and FINRA Rule 5310 both require the firm to take all sufficient steps to obtain the best possible result for the client. The Vortalis audit chain records every order action with the venue, instrument, side, quantity, and price; an examiner can reconstruct the order trail. The list of venues that qualify as best execution, the weighting of price against speed and likelihood of execution, and the firm's periodic review schedule all live in the firm's written best-execution policy.

The SM&CR senior-manager-attribution chain depends on the operator's tenant configuration linking each agent to the responsible senior manager. Vortalis enforces the chain; the assignment lives in operator configuration.

The Vortalis audit chain captures the principal-chain on every governed action. When the operator threads the senior-manager-to-agent map into Tenant.config, every action surfaces with a named senior manager in the chain; FCA SM&CR enforcement reconstruction reads the chain by senior-manager id. The map itself is the operator's responsibility: Vortalis does not infer which senior manager is responsible for which AI agent.
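The threshold gating from the sub-vertical descriptions and the senior-manager attribution described here, sketched as an added example (not Vortalis code or its policy schema). The tenant field names, the approver role names, and the fail-closed handling of an unmapped agent or a missing amount are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tenant settings for illustration; field names are hypothetical.
TENANT = {
    "notional_threshold": 1_000_000,      # gate for order.submitted
    "position_size_threshold": 50_000,    # gate for position.modified
    "senior_manager_of": {"agent-exec-01": "SM-0001"},  # agent -> senior manager
}
# Action classes the page lists as always gated; role names are assumed.
ALWAYS_GATED = {
    "advice.delivered": "certified_adviser",
    "recommendation.delivered": "certified_adviser",
    "customer.suspended": "certified_investigator",
    "transaction.reversed": "certified_investigator",
}
SIZED = {"order.submitted": ("notional", "notional_threshold"),
         "position.modified": ("size", "position_size_threshold")}

@dataclass(frozen=True)
class Decision:
    outcome: str                      # "allow", "needs_approval" or "deny"
    approver_role: Optional[str]
    senior_manager: Optional[str]

def required_role(action, params, tenant):
    """Return the approver role the action needs, or None if it is ungated."""
    if action in ALWAYS_GATED:
        return ALWAYS_GATED[action]
    if action in SIZED:
        field, limit_key = SIZED[action]
        value = params.get(field)
        # A missing or non-numeric amount is treated as over the limit (fail closed).
        if not isinstance(value, (int, float)) or abs(value) > tenant[limit_key]:
            return "head_of_trading"
    return None

def evaluate(agent_id, action, params, approval=None, tenant=TENANT):
    manager = tenant["senior_manager_of"].get(agent_id)
    if manager is None:
        # Assumed behaviour: an agent with no mapped senior manager is refused,
        # so every recorded decision carries a named senior manager.
        return Decision("deny", None, None)
    role = required_role(action, params, tenant)
    if role is None:
        return Decision("allow", None, manager)
    approved = (approval is not None and approval.get("role") == role
                and approval.get("approver") not in (None, agent_id))
    return Decision("allow" if approved else "needs_approval", role, manager)
```

An approval is accepted only when its role matches the gate and the approver is someone other than the requesting agent, so an agent cannot approve its own order.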

The SEC AI rulemaking landscape is in flux. The evidence pack distinguishes published rules from anticipated rules; we do not invent SEC positions.

Investment Advisers Act § 206 and 17 CFR § 275.206(4)-7 are published rules in force. The 2024 SEC risk alerts on AI-washing are published interpretive guidance under existing anti-fraud authority. The 2023 Predictive Data Analytics rulemaking proposal is PROPOSED and may differ materially from any final rule. Controls in the SEC AI conduct pack are tagged by source so an external auditor can distinguish them.

The CSDR and SDR settlement-discipline pack maps the cash-penalty mechanism as in force and mandatory buy-in as dormant. It has not yet had external legal review.

Under CSDR as amended by Regulation (EU) 2023/2845 (CSDR Refit), the Article 7(2) cash-penalty mechanism remains in force, but mandatory buy-in under Article 7(3) to 7(7) is a measure of last resort that applies only if and when the European Commission adopts an implementing act activating it; no such act is in force, so the pack maps buy-in as dormant and makes no active buy-in claim. The pack is grounded in the published regulation text but has not yet been reviewed by external counsel. Vortalis does not operate a securities settlement system, does not calculate or collect penalties, and does not execute a buy-in; the settlement activity, the CSD authorisation, and the regulatory reporting are the operator's.

The general-purpose honest limits sit at /security/limitations; this list is specific to the financial-services pack.

Bring Vortalis to your financial-services agents.

Pick the sub-vertical above. Read the integration brief if you would rather start with the engineering detail. Talk to us first if you would rather start with a conversation about your threat model.