# Banking compliance pack — 5-min demo
Five-minute demo for the compliance / GRC / audit-director persona at a payment institution or regulated bank. Lead-in to a 20-minute deep dive on whichever framework the buyer cares about.
Companion to the general portal demo.
## Audience + framing
Aimed at the compliance / risk director at a bank, payment institution, or fintech operating under at least one of:
- DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), applicable since 2025-01-17
- PSD2 (Payment Services Directive 2, Directive (EU) 2015/2366, plus the RTS on Strong Customer Authentication and Common and Secure Communication, Delegated Regulation (EU) 2018/389)
- ISO 27001:2022 — baseline
- SOC 2 Type II — vendor-side baseline that often comes up in cloud + SaaS supplier reviews
The pack ships pre-seeded controls for all four frameworks. No per-tenant configuration required to start.
## Prereqs (one-time per demo tenant)
- Demo tenant seeded — controls are loaded on portal install
- Kosli flow `karc-pipeline` configured + at least one trail in the last 30 days
- ServiceNow integration configured — sample CRs visible in the portal
- ADMIN role on the demo session (Evidence Export requires it)
## The five minutes
### Minute 0 — Frame the pain (45 sec)
“Every change you ship into a payment-services production environment has to satisfy DORA, PSD2, ISO 27001, and SOC 2 simultaneously. Today that means evidence scattered across SonarQube, Snyk, Wiz, GitLab, ServiceNow, and three CI systems. Your CAB chair compiles it manually before each release. Your auditor compiles it manually each quarter. SARC removes both compilations.”
### Minute 1 — Compliance dashboard with banking frameworks (60 sec)
Open: the compliance dashboard.
Point at:
- The DORA card — “EU operational resilience. 7 controls. We’re at N% covered this quarter.”
- The PSD2 card — “Payment-services directive. 7 controls. The card next to it. Same UX.”
- The ISO 27001 + SOC 2 cards — “Your annual audit baselines. Same surface.”
Say: “These are not slideware. Every cell on these cards is wired to live evidence from your pipeline — Kosli trails, GitLab approvals, Snyk scans, ServiceNow CRs. Click any control to see.”
### Minute 2 — Drill into a PSD2 control (75 sec)
Open: the controls page.
Filter: Framework chip → PSD2.
Pick: PSD2-Art95-2 — Major Incident Reporting.
Point at:
- The description — “Major incidents must be reported to the national competent authority (NCA).” If the buyer asks where the 4 hours come from: the directive's incident-reporting article (Art. 96) only says “without undue delay”; the 4-hour initial-report deadline is from the EBA major-incident-reporting guidelines and runs from the moment the incident is classified as major, not from detection. PSPs in scope of DORA have reported major ICT incidents under DORA's regime since 2025-01-17, so pair this control with the DORA card for those buyers.
- The pipeline gate — `audit_logged`. “Each deployment carries its severity classification in the audit log. Sev1 fires an incident in ServiceNow plus a 4-hour SLA timer.”
- The evidence column — actual events from the last week.
- The 8-group cross-link sidebar — “Same control affects vulnerabilities, releases, incidents, and AI risk. One click takes you to each.”
Say: “The 4-hour clock isn’t a process. It’s a metric your CTO can see in real time. If you miss it, the dashboard goes red before the regulator notices.”
### Minute 3 — One-button evidence export (60 sec)
Open: the evidence-export page.
Form: Framework = PSD2, date-range = last quarter.
Click: Generate evidence pack.
Point at the downloaded PDF:
- Single-page sealed summary
- SHA-256 envelope at the bottom. Tamper-evident only when the auditor checks it against a copy of the hash obtained through a second channel (for example the export record in the portal, not the value printed in the PDF itself); whoever can edit the document can also recompute a hash that lives only inside it
- Lists every control + the trail evidence supporting it
- Cross-references to the deployment records + AuditLog rows
Say: “This is what your auditor walks out with. Previously: a week of compilation, no reproducibility. Now: one click, fresh each export. Same UX for DORA, ISO 27001, SOC 2 — pick your framework, get the pack.”
### Minute 4 — The auditor’s own view (45 sec)
Switch to a fresh tab and log in as AUDITOR.
Use the auditor magic-link invite for the live demo. Time-boxed read-only session.
Point at the sidebar:
- AUDITOR sees ONLY the audit, compliance, controls, and evidence pages
- Cannot reach deploy / services / settings — the route allowlist is enforced by middleware on every request, not just hidden from the sidebar
- Cannot modify anything
Say: “Your external auditor gets their own time-boxed session in your tenant. They see the evidence directly from source, hash-chained, immutable. No screenshots in a PDF you emailed.”
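A deny-by-default route guard of the kind the AUDITOR restriction describes, as an added example that is not the portal's own middleware (the role names, route prefixes, session fields and the Express-style adapter are assumptions): the allowlist is matched only after the path has been canonicalised, the auditor role is limited to GET and HEAD, and the time-boxed session is checked before the role. Anything not explicitly allowed is refused.

```javascript
// Added example, not the SARC portal's middleware: deny-by-default route guard for a
// read-only AUDITOR role. Role names, route prefixes and session fields are assumed.
const ROLE_ROUTES = {
  AUDITOR: ["/audit", "/compliance", "/controls", "/evidence"], // read-only surface
  ADMIN: ["/"], // everything
};
const READ_ONLY_ROLES = new Set(["AUDITOR"]);
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Canonicalise a request path before matching it against the allowlist:
// drop the query string, percent-decode once, then collapse "." and "..".
// Returns null for paths that cannot be canonicalised safely.
function normalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath.split("?")[0]);
  } catch (e) {
    return null; // malformed escape sequence
  }
  // A '%' left after one decode means a double-encoded path; a downstream router
  // may decode it again and route a different path than the one checked here.
  if (decoded.includes("%")) return null;
  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Pure authorisation decision: may `role` send `method` to `rawPath`?
function authorize(role, method, rawPath) {
  const prefixes = ROLE_ROUTES[role];
  if (!prefixes) return { allow: false, reason: "unknown role" };
  const path = normalizePath(rawPath);
  if (path === null) return { allow: false, reason: "unsafe path encoding" };
  if (READ_ONLY_ROLES.has(role) && !SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: false, reason: "role is read-only", path };
  }
  const allowed = prefixes.some((p) => p === "/" || path === p || path.startsWith(p + "/"));
  return allowed
    ? { allow: true, path }
    : { allow: false, reason: "route not in role allowlist", path };
}

// Full request check: the time-boxed session first, then the role/route decision.
// `session` is assumed to carry { role, expiresAt } with expiresAt in epoch milliseconds.
function guard(session, method, rawPath, nowMs = Date.now()) {
  if (!session || typeof session.expiresAt !== "number" || nowMs >= session.expiresAt) {
    return { allow: false, reason: "no valid session" };
  }
  return authorize(session.role, method, rawPath);
}

// Express/Connect-style adapter so the decision can sit in a middleware chain.
// `getSession(req)` is assumed to resolve the magic-link session for the request.
function requireRoute(getSession) {
  return (req, res, next) => {
    const verdict = guard(getSession(req), req.method, req.url);
    if (!verdict.allow) {
      return res.status(verdict.reason === "no valid session" ? 401 : 403).end();
    }
    next();
  };
}
```

The traversal cases are the ones worth showing an auditor: `/audit/../deploy` and its single-encoded form collapse to `/deploy` and are refused, and a double-encoded path is refused outright instead of being guessed at.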
### Minute 5 — Close (15 sec)
“Four frameworks pre-loaded. Evidence reproducible per deployment. Auditor session standalone. Multi-cloud (AWS / Azure / GCP / on-prem). Multi-CI (GitLab / GitHub Actions / Azure DevOps). The same install runs unchanged across all of them.”
“What would you want to dive deeper on — DORA Article 9 in detail, the PSD2 SCA flow, the ServiceNow CR enrichment, or the implementation engagement?”
## Frameworks shipped in the pack
| Code | Label | Source | Controls in seed |
|---|---|---|---|
| DORA | DORA | Regulation (EU) 2022/2554 | 7 |
| PSD2 | PSD2 | Directive (EU) 2015/2366 + RTS on SCA & CSC | 7 |
| ISO27001 | ISO 27001 | ISO/IEC 27001:2022 | 7 |
| SOC2 | SOC 2 | AICPA Trust Services Criteria (CC + A) | 7 |
Plus the existing global pack:
| Code | Label | Source | Controls in seed |
|---|---|---|---|
| SOX | SOX | Sarbanes-Oxley ITGC | 6 |
| PCI_DSS | PCI-DSS | PCI DSS v4.0 | 7 |
| NIST_800_53 | NIST 800-53 | NIST SP 800-53 Rev. 5 | 7 |
Total: 48 controls globally seeded, so every freshly-installed tenant has them on day one.
## Talking points by stakeholder
For the compliance director:
- DORA Article 9 ICT change management is fully wired into the pipeline gate, not a manual review
- PSD2 major-incident-reporting clock (control PSD2-Art95-2) starts at deployment, not at customer report
- Evidence reproducibility ends the quarterly compilation cycle
For the CIO / CTO:
- Same install runs on AWS, Azure, GCP, or your own k8s — `TARGET_CLOUD` switch
- Same pipeline runs on GitLab, GitHub Actions, or Azure DevOps — no CI migration
- Single source-of-truth for “is this deploy compliant?” — not three dashboards
For the CFO / executive sponsor:
- Audit prep time reduced from weeks to one click
- One platform replaces 4–6 manual evidence-compilation processes
- Compliance overhead becomes a fixed cost, not per-audit scrambling
## Follow-ups after the demo
If the prospect signals interest in:
- DORA deep dive → walk through every Article 9 / Article 11 control + how it maps to the pipeline
- PSD2 SCA flow → show the SCA-related controls + the dynamic-linking SAST rule pack
- ServiceNow CR enrichment → switch to change requests, open a CR, walk through the 5-axis risk score tab
- Implementation engagement → loop in the partner team