@blamejs/exceptd-skills 0.9.1

package/skills/sector-financial/skill.md

@@ -0,0 +1,398 @@
+---
+name: sector-financial
+version: "1.0.0"
+description: Financial services cybersecurity for mid-2026 — EU DORA TLPT, PSD2 RTS-SCA, SWIFT CSCF v2026, NYDFS 23 NYCRR 500, FFIEC CAT, MAS TRM, APRA CPS 234, IL BoI Directive 361, OSFI B-13; Threat-Led Pen Testing schemes TIBER-EU + CBEST + iCAST
+triggers:
+  - financial security
+  - banking security
+  - dora
+  - psd2
+  - psd3
+  - sca
+  - strong customer authentication
+  - swift cscf
+  - nydfs
+  - 23 nycrr 500
+  - ffiec
+  - mas trm
+  - apra cps 234
+  - tiber-eu
+  - cbest
+  - icast
+  - tlpt
+data_deps:
+  - cve-catalog.json
+  - atlas-ttps.json
+  - framework-control-gaps.json
+  - global-frameworks.json
+  - cwe-catalog.json
+  - d3fend-catalog.json
+  - dlp-controls.json
+atlas_refs:
+  - AML.T0096
+  - AML.T0017
+attack_refs:
+  - T1078
+  - T1190
+  - T1486
+  - T1567
+framework_gaps:
+  - PSD2-RTS-SCA
+  - SWIFT-CSCF-v2026-1.1
+  - NIST-800-53-AC-2
+  - SOC2-CC6-logical-access
+rfc_refs:
+  - RFC-8446
+  - RFC-7519
+  - RFC-8725
+  - RFC-9421
+cwe_refs:
+  - CWE-287
+  - CWE-862
+  - CWE-863
+  - CWE-798
+  - CWE-352
+d3fend_refs:
+  - D3-MFA
+  - D3-CBAN
+  - D3-NTA
+  - D3-IOPR
+forward_watch:
+  - PSD3 + PSR (Payment Services Regulation) trilogue and final adoption (expected 2026-2027); track agent-initiated payment treatment in final text
+  - DORA Art. 26 TLPT first full cycle completion mid-2027; ESAs publishing aggregate findings under JC 2024/40 RTS
+  - SWIFT CSCF v2027 (annual update cycle); track AI-mediated message generation controls
+  - NYDFS 23 NYCRR 500 further amendments; track agentic-AI in CISO certification scope
+  - FFIEC CAT replacement by CRI Profile v2 (Cyber Risk Institute) — US sector baseline migration
+  - MAS Notice 655 / TRM Guidelines refresh tracking GenAI in financial services
+  - HKMA CFI 3.0 cycle and iCAST scope expansion to AI/ML systems
+  - APRA CPS 230 (Operational Risk Management) effective 2025-07-01 — operational resilience overlay on CPS 234
+  - UK FCA / PRA operational resilience self-assessment cycle (SS1/21, SS2/21) and impact tolerances refresh post-2025
+  - BCB Resolução BCB 85 (cyber policy for FIs) and Brazil PIX fraud-typology updates
+  - OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings
+  - TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST
+last_threat_review: "2026-05-11"
+---
+
+# Sector — Financial Services Cybersecurity (mid-2026)
+
+## Threat Context (mid-2026)
+
+Financial services is the most-regulated sector for cybersecurity globally and the regulation cadence is accelerating, not slowing. As of mid-2026 every Tier-1 bank, payments processor, broker-dealer, insurer, and significant financial-market infrastructure operates under multiple binding cyber regimes simultaneously. The threat landscape that drives those regimes has shifted materially since 2023.
+
+**Regulatory state of play (mid-2026).**
+
+- **EU DORA** has been in force since 2025-01-17. The first round of TLPT (Threat-Led Penetration Testing) under DORA Art. 26 + RTS JC 2024/40 is mid-cycle; designated financial entities run TLPT every 3 years. Register-of-information submissions under Art. 28 are operational. ESAs are issuing aggregated supervisory feedback. The TIBER-EU framework is the implementation vehicle for most jurisdictions; cross-recognition with UK CBEST and HK iCAST is partial.
+- **PSD2** + RTS-SCA (Commission Delegated Regulation (EU) 2018/389) remains the binding payments security baseline. **PSD3 + PSR** (Payment Services Regulation) — trilogue concluded late-2025 with final text expected mid-to-late 2026 — extends scope to include non-bank payment service providers and tightens fraud-liability and SCA exemption rules. Agent-initiated payment treatment in PSD3/PSR is the open political question.
+- **SWIFT CSCF v2026** (Customer Security Controls Framework, annual update) is the binding baseline for all SWIFT-connected institutions globally; v2026 introduced refinements to mandatory control 1.1 (SWIFT environment protection) and tightened audit-evidence requirements but did not address LLM-assisted operations on the secure zone.
+- **NYDFS 23 NYCRR 500 Second Amendment** phased in through November 2025: enhanced CISO reporting, mandatory annual independent assessment, expanded incident reporting (24-hour cyber-event notification, 72-hour ransom-payment notification, written explanation within 30 days), Class A company designation with elevated controls.
+- **FFIEC Cybersecurity Assessment Tool (CAT)** was sunset for new use in mid-2024; the **Cyber Risk Institute (CRI) Profile v2.x** built on NIST CSF 2.0 is becoming the de-facto US sector baseline. FFIEC IT Examination Handbook remains the binding supervisory reference.
+- **MAS TRM Guidelines** (Singapore) most recent update 2021 with supplementary circulars 2024-2025; **MAS Notice 655** (Cyber Hygiene Notice) binds DSIBs and locally-incorporated banks since 2019. MAS 2-hour notification SLA is among the fastest in the world.
+- **UK FCA + PRA operational resilience** (PS21/3, SS1/21, SS2/21) requires impact-tolerance setting for important business services; self-assessment cycle ongoing. **CBEST** is the BoE/PRA TLPT scheme for systemically-important UK financial entities.
+- **AU APRA CPS 234** (Information Security) is the binding cyber prudential standard; **APRA CPS 230** (Operational Risk Management) effective 2025-07-01 layers operational-resilience requirements on top.
+- **JP FISC Security Guidelines v9** series is the de-facto banking technical baseline referenced by JFSA; major banks operate against FISC v9.x as binding.
+- **IL Bank of Israel Banking Supervision Directive 361** (2024 revision) is one of the world's strictest banking cyber regimes — Director-General-level accountability, prescriptive technical controls, cross-references INCD methodology.
+- **CA OSFI B-13** (Technology and Cyber Risk Management, effective 2024-01-01) is the binding cyber/tech risk regime for federally-regulated financial institutions; sits alongside OSFI B-10 (third-party risk).
+- **BR BCB** Resolução BCB 85 (2021) and successor circulars are the binding cyber regime for BCB-supervised institutions; Brazil's instant-payment system (PIX) has driven a parallel fraud-typology regulatory track.
+- **FR ACPR + Banque de France**, **DE BaFin**, **ES Banco de España + AEPD** all operate national overlays beneath DORA — for example BaFin BAIT (Bankaufsichtliche Anforderungen an die IT) and VAIT (insurance), ACPR's cyber notification circulars, BdP's CMVM cyber requirements. DORA does not replace these national overlays; it stacks on top.
+
+**Threat reality driving the rule-making.**
+
+The financial sector ransomware position has shifted. 2024-2026 saw ransomware actors throttle direct attacks on the largest banks (operational-resilience controls, segmentation, faster IR) and pivot to two more productive vectors:
+
+1. **Financial supply chain compromise.** Snowflake customer-credential abuse (2024) hit AT&T, Ticketmaster, Santander; CDK Global ransomware (2024) shut down a third of US auto-dealer financing; MOVEit (2023) cascaded into hundreds of financial-services downstream. Pure-play financial-targeted supply-chain attacks: ION Trading (LockBit, 2023), Ivanti VPN exploitation in financial sector (2024), and continuing 2025-2026 targeting of fintech-adjacent SaaS (loan-origination platforms, KYC verification services, payment gateways).
+2. **AI-augmented fraud against retail and commercial banking.** Voice-cloning + deepfake video defeating remote KYC: Hong Kong UOB deepfake-CFO wire transfer (USD 25.6M, January 2024) is the public reference case; documented at scale through 2025 against private-banking onboarding, business-email-compromise wire transfers, and account-takeover via help-desk social engineering. Deepfake-resistant liveness detection is supplier-fragmented.
+
+**Agentic AI is the emerging structural problem.** Banking copilots — both bank-supplied (Erica, Eno, Alexa-for-Bank-of-America-class assistants) and customer-supplied (operator's own ChatGPT/Copilot/Gemini agents acting on behalf of the customer) — are now initiating transactions. RTS-SCA contemplates two principals: the customer and the PISP (payment initiation service provider, regulated). It does not contemplate an autonomous AI agent acting under loosely-scoped delegated authority. Mid-2026 sees three real cases in production:
+
+- bank-supplied conversational interfaces with transaction-initiation tool-use (read balance → propose transfer → execute on SCA confirmation)
+- customer-supplied autonomous agents (LangChain / OpenAI Assistants / Anthropic computer-use class) that hold session credentials and initiate transactions
+- enterprise-treasury AI agents initiating B2B payments under delegated CFO authority, frequently across SWIFT or domestic RTGS rails
+
+In all three, the SCA evidence chain (the customer's authenticated session, the bank-side audit trail of MT/MX message origin) is fully compliant on paper. **Injected intent — prompt injection that causes an agent to send a payment the customer did not want — produces a SCA-compliant audit trail.** RTS-SCA, SWIFT CSCF v2026, MAS Notice 655, NYDFS 500.12, APRA CPS 234 paragraph 27 — all are silent on this failure mode.
+
+**Threat-Led Penetration Testing convergence.** TIBER-EU (the EU's TLPT framework, formally adopted by ECB 2018, now the implementation vehicle for DORA Art. 26), UK CBEST, HK iCAST, AU AESCSF red-team activities, and DORA TLPT proper (JC 2024/40 RTS) are converging methodologically. Mutual recognition is the political objective for 2026-2027; mid-2026 reality is that a multinational bank may need to run TIBER-EU once per primary EU jurisdiction, CBEST once for UK, iCAST once for HK, and bilateral pen-tests for AU/JP/SG — same scope, different documentation, different supervisors. Skill `attack-surface-pentest` covers method; this skill scopes the regulatory mapping.
+
+---
+
+## Framework Lag Declaration
+
+| Framework | Control | Designed For | Fails Because |
+|---|---|---|---|
+| EU DORA + RTS JC 2024/40 (TLPT) | Threat-Led Penetration Testing every 3 years for designated entities (Art. 26) | Pen testing against current adversary TTPs for systemically-important financial entities | Scenario libraries lag adversary capability 12-18 months. Agent-initiated payment threats are not in TIBER-EU TT&Ps inventory as of mid-2026. AI-augmented social engineering (voice clone, deepfake video) scenarios exist but rule-of-engagement constraints often exclude them as "out of scope for technical TLPT." Frequency (every 3 years) is well-matched to deep red-team; mismatched to rapid AI-driven TTP evolution. |
+| EU PSD2 RTS-SCA (Reg. 2018/389) | Two-of-three-factor Strong Customer Authentication for electronic payments | Customer + PISP transaction initiation | Silent on agent-as-initiator. Captured in `data/framework-control-gaps.json#PSD2-RTS-SCA`. Prompt-injection-induced transactions present a fully SCA-compliant audit trail because the customer's session authenticated; injected intent is invisible to the SCA evidence chain. PSD3/PSR draft does not yet close this; final text expected 2026-2027. |
+| SWIFT CSCF v2026 | Mandatory and advisory controls for SWIFT-connected institutions; control 1.1 (SWIFT Environment Protection) is the secure-zone foundation | Messaging integrity + operator authentication | Captured in `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`. Silent on LLM-assisted MT/MX drafting, AI-API egress from administrative jump zones, and AI-mediated reconciliation/sanctions tooling. SWIFT publishes annually; AI-on-CSCF guidance is forward-watched. |
+| US NYDFS 23 NYCRR 500 (Second Amendment, phased to Nov 2025) | Comprehensive cybersecurity program for NY-regulated financial entities (banks, insurers, broker-dealers) | Risk-based cybersecurity program + CISO accountability + incident reporting (24h cyber event, 72h ransom payment) | Method-neutral on penetration testing under 500.5; does not name agentic-AI as a covered system. Class A designation thresholds capture size but not AI-pipeline complexity. CISO annual certification is paper-attested unless paired with independent technical evidence. Privileged-access requirements (500.7) cover human accounts; AI-agent service accounts are treated as conventional service accounts when they are not. |
+| US FFIEC IT Examination Handbook + CRI Profile v2.x | Examiner reference for US banks; risk-based maturity profile mapped to NIST CSF 2.0 | Comprehensive IT/cyber examination across US banking sector | FFIEC CAT sunset 2024; CRI Profile is voluntary maturity self-assessment. Examiners increasingly cite CRI Profile but it is not binding. No AI-specific dimension; AI risk treated under existing NIST CSF 2.0 Govern / Identify pillars without sector-specific TTPs. |
+| MAS TRM Guidelines (2021) + MAS Notice 655 (Cyber Hygiene) + Notice 644 | Technology risk management and cyber hygiene baseline for SG-regulated financial institutions | Mature, prescriptive technical baseline for SG FIs | TRM 2021 predates GenAI deployment at scale; MAS supervisory circulars 2024-2025 fill some gaps but TRM main document is stale on agentic AI. 2-hour notification SLA is operationally tight; tabletop-tested rarely. |
+| UK FCA + PRA operational resilience (PS21/3, SS1/21, SS2/21) | Important Business Service mapping, impact tolerance setting, severe-but-plausible scenario testing | Cross-firm operational resilience post-2021 | Severe-but-plausible scenarios in mid-2026 still over-index on classical IT outage; AI-supply-chain or agentic-AI-mediated fraud scenarios under-represented. CBEST scenarios (the TLPT layer) close some of this for systemic entities. |
+| AU APRA CPS 234 + CPS 230 (effective 2025-07-01) | Information security obligations + operational risk and resilience | AU-regulated prudential entities (banks, insurers, super funds) | CPS 234 information-security control objectives are sound; AI-system classification under "information assets" is undocumented. CPS 230 layers operational resilience but is silent on AI-specific operational scenarios. 72-hour APRA notification (para 26) is reasonable but does not require AI-channel disclosure in the notification structure. |
+| JP FISC Security Guidelines v9.x | Detailed technical security guidelines for JP banks and financial institutions | JP financial-sector technical baseline; de-facto JFSA-referenced | Most prescriptive sector guideline globally on conventional IT but slow on AI integration. FISC v9 supplementary materials cite AI under outsourcing/third-party risk; no AI-specific cyber control set. |
+| IL Bank of Israel Banking Supervision Directive 361 (2024 revision) | Cyber defense management for IL banks | IL banking sector; cross-references INCD methodology | One of the strictest banking cyber regimes globally; AI-specific extension references INCD AI guidance without Directive-361-native AI controls. |
+| CA OSFI B-13 (effective 2024-01-01) | Technology and Cyber Risk Management for federally-regulated financial institutions | CA FRFI cyber/tech risk regime | Principle-based; specifies expectations but leaves operationalisation to the FRFI. AI/ML model risk is in B-13 scope as a technology risk; cyber controls specifically for AI agents are not yet articulated. |
+| BR BCB Resolução BCB 85 + Resolução CMN 4893 (cyber policy) | BR-regulated FI cyber policy and incident reporting | BR banking and payments sector; PIX-fraud-typology overlay | BR cyber policy is principle-based; PIX-specific fraud-typology rules (Circular 3978 AML overlay) close some retail-payments gaps. Agentic-AI in PIX initiation is forward-watched. |
+| FR ACPR + Banque de France | National financial-cyber overlay beneath DORA | FR FIs under ACPR supervision | DORA stacks on top; ACPR retains national notification and supervisory authority. Operational under DORA from 2025-01-17. |
+| DE BaFin BAIT + VAIT | Bankaufsichtliche Anforderungen an die IT (banks) / Versicherungsaufsichtliche (insurance) | DE financial-cyber baseline | DORA-aligned but retains national specificity; BaFin examinations cite BAIT/VAIT alongside DORA. |
+| HK HKMA CFI 2.0 + iCAST + TM-G-1 | HK Authorized Institution cyber baseline + intelligence-led red-team | HK banking sector | C-RAF 2.0 maturity assessment + iCAST red-team is substantive and tier-calibrated; AI cyber specifics gap noted in HKMA GenAI Circular 2024. |
+| NZ RBNZ BS11 / RBNZ guidance | NZ-regulated FI outsourcing and cyber | NZ banking sector | Outsourcing-focused; cyber-specific guidance is principle-based and trails AU APRA. |
+| AE CBUAE Cyber + UAE SCA + DFSA + FSRA | UAE federal banking cyber + free-zone (DIFC/ADGM) financial-cyber regimes | UAE conventional, DIFC, and ADGM financial sectors | Fragmented across federal + free-zone regimes; AE NESA Information Assurance Standards apply alongside. |
+| SA SAMA Cyber Security Framework (CSF) | KSA-regulated FI cyber baseline; tier-calibrated maturity | KSA banking and insurance sectors | SAMA CSF is prescriptive technically; AI-specific extension forward-watched. |
+| IN SEBI Cybersecurity and Cyber Resilience Framework + RBI Master Direction (IT, Cyber Security) | IN-regulated capital markets (SEBI) and banks (RBI) | IN financial sector | Recently strengthened (RBI Master Direction April 2024); AI-specific provisions limited. |
+| ISO 27001:2022 + ISO/IEC 27017 (cloud) + ISO/IEC 27018 (cloud PII) | Generic ISMS for financial entities | Organisation-level ISMS | A.5.16 (identity management) and A.8.5 (secure authentication) cross-walk to SCA but do not name agent-initiation. A.5.23 (cloud services) generic; financial-sector cloud risk not specifically addressed. |
+| SOC 2 Trust Services Criteria (CC6 logical access) | Service-organisation logical access controls | Audit attestation for service organisations | Captured in `data/framework-control-gaps.json#SOC2-CC6-logical-access`. Logical-access criteria treat the authenticated session as the access boundary; injected intent within an authenticated AI-agent session is invisible. |
+
+**Cross-jurisdiction posture (per AGENTS.md rule #5).** Any financial-sector gap analysis for a multi-jurisdiction institution must cite at minimum: EU DORA + PSD2 (transitioning to PSD3/PSR) + RTS-SCA + national overlays (BaFin BAIT/VAIT, ACPR, BdP, Banca d'Italia, AEPD, ENISA), UK FCA + PRA operational resilience + CBEST, AU APRA CPS 234 + CPS 230 + AESCSF, JP FISC v9 + JFSA, SG MAS TRM + Notice 655 + Notice 644, HK HKMA CFI 2.0 + iCAST + TM-G-1, IL BoI Directive 361 + INCD, CA OSFI B-13 + B-10, BR BCB Resolução 85, AE CBUAE + DFSA + FSRA, SA SAMA CSF, IN SEBI + RBI Master Direction, NZ RBNZ BS11, alongside SWIFT CSCF v2026, NYDFS 23 NYCRR 500 (for any NY-connected entity), ISO 27001:2022 + ISO/IEC 27017/27018, and SOC 2. US-only (FFIEC, NYDFS, NIST CSF) is incomplete.
+
+---
+
+## TTP Mapping
+
+| Surface | TTP | Matrix | Variant in mid-2026 | Gap Flag |
+|---|---|---|---|---|
+| Customer account credential reuse → ATO | T1078 — Valid Accounts | ATT&CK Enterprise | Snowflake-class credential database compromise; help-desk social-engineering with deepfake-voice | PSD2 RTS-SCA covers payment SCA; account-takeover via help-desk channel bypasses SCA entirely. CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization) are the underlying weakness classes. |
+| Internet-banking / treasury portal exploit | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | Ivanti VPN, MOVEit-class file-transfer, web-portal SSRF, JWT validation flaws (RFC 8725 best-current-practice violations) | DORA Art. 6-15 ICT risk-management requirements general; CWE-862 (Missing Authorization) and CWE-352 (CSRF) common findings; SWIFT CSCF v2026 covers SWIFT zone, not customer-facing portals |
+| Ransomware against banking infrastructure | T1486 — Data Encrypted for Impact | ATT&CK Enterprise | LockBit-class, BlackBasta, ALPHV/BlackCat residuals 2024-2026; double-extortion + regulatory-threat-of-disclosure | NYDFS 500.17 ransom-payment notification (72h) + DORA major-incident reporting (Art. 19, 24h initial) + APRA CPS 234 para 26 (72h) — notification cadences harmonising slowly; ransom-payment legality fragmented (NYDFS reporting only, OFAC sanctions-screening, EU sanctions overlay) |
+| Data exfiltration including LLM-channel | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | LLM API egress (OpenAI, Anthropic, Google) as covert channel; AI-coding-assistant context leaks; KYC-document upload to consumer-grade AI | DLP controls in `data/dlp-controls.json` apply; SWIFT CSCF v2026 1.1 segregation assumption violated when AI-API egress crosses administrative jump zone |
+| AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v5.1.0 | Steganographic encoding in trading-assistant prompts; LLM response decodes operator instructions; multi-agent covert relay in market-making bots | No ATT&CK Enterprise mapping; ATLAS v5.1.0 names the technique but no financial-sector-specific detection. SOC tooling rarely monitors trading-system AI tool-use. |
+| Fraud-detection model extraction | AML.T0017 — Discover AI Model Family | ATLAS v5.1.0 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
+| Hard-coded credentials in financial mobile / API clients | CWE-798 | CWE | Mobile-banking apps shipping API keys; partner-integration API tokens checked into Git; treasury-management-system local config | PSD2 RTS-SCA covers customer SCA, silent on partner-API credential hygiene; SWIFT CSCF 5.1/5.2 covers credential management for SWIFT users only |
+| Agent-initiated payment via prompt injection | (No native TTP — closest: T1078 + AML.T0051) | ATT&CK + ATLAS | LLM agent with payment-initiation tool-use receives injected instruction via email / document / web content; transaction executes under customer's authenticated session | RTS-SCA evidence chain is fully compliant; injected intent invisible. Captured in `data/framework-control-gaps.json#PSD2-RTS-SCA`. |
+| AI-generated SWIFT MT/MX message draft poisoning | (No native TTP — closest: T1565 + AML.T0051) | ATT&CK + ATLAS | LLM-assisted operator drafting tool produces subtly-wrong beneficiary BIC or amount; reviewer fatigue lets it pass 4-eyes principle | Captured in `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`. |
+| Deepfake-mediated SCA bypass / KYC bypass | T1556 — Modify Authentication Process (closest) | ATT&CK Enterprise | Voice-clone defeating remote-KYC liveness; deepfake-video defeating high-value-transaction step-up | RTS-SCA "inherence" factor (biometric) implementation-dependent; liveness-detection vendor-fragmented. CWE-287 underlying weakness. |
+
+**Note on TTP coverage.** ATT&CK Enterprise does not yet have a financial-sector matrix (unlike ATT&CK for ICS). ATLAS v5.1.0 covers AI-specific techniques. The gap between (a) the customer's authenticated session and (b) the AI agent's injected intent within that session is not currently named in either matrix — this is a tracked gap in `forward_watch`.
+
+---
+
+## Exploit Availability Matrix
+
+| Surface / CVE Class | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live-Patchable | Sector-Aware Detection |
+|---|---|---|---|---|---|---|---|---|---|
+| Financial supply-chain credential abuse (Snowflake / similar SaaS) | n/a (config-class) | high (operationally exploited 2024-2026) | n/a | Documented at scale | n/a | Confirmed mass exploitation | Configuration hardening (MFA enforcement, network policy) | n/a | Vendor-side telemetry; CSPM if integrated |
+| Web-facing financial portal CVEs (Ivanti / MOVEit class) | varies (often 9.0+) | varies (KEV-listed entries high) | Multiple entries (Ivanti 2024, MOVEit 2023, Citrix NetScaler 2023) | Yes | Increasing | Confirmed in financial-sector breaches | Yes — vendor patches | Limited — appliance reboot windows constrained | EDR + WAF + network telemetry |
+| AI-augmented BEC / deepfake-voice wire fraud | n/a (social engineering) | high (USD 25.6M HK UOB case 2024 as public reference) | n/a | Demonstrated at scale | n/a (AI is the weapon) | Confirmed ongoing 2024-2026 | Mitigation only — out-of-band callback, AI-channel-aware liveness | n/a | Specialised liveness vendors; fragmented |
+| Agent-initiated payment via prompt injection | n/a (design class) | risk-modelled, not CVSS | n/a | Demonstrated in 2025 research and red-team engagements | n/a | Suspected in 2025-2026 advanced campaigns; under-reported due to SCA-compliant audit trail | Mitigation only — agent-scope tokens, out-of-band confirmation, AI-channel audit | n/a | LLM-aware fraud telemetry — almost never deployed |
+| Fraud-detection model extraction | n/a | risk-modelled | n/a | Research demonstrations | n/a | Suspected; difficult to detect | Mitigation only — query-rate-limiting, output perturbation, model-watermarking | n/a | Model-monitoring telemetry — vendor-fragmented |
+| SWIFT CSCF v2026 1.1 violations via AI-API egress | n/a | risk-modelled | n/a | Demonstrated in 2025 red-team | n/a | Suspected | Mitigation — DLP on jump-zone egress, AI-API explicit deny | n/a | DLP + egress telemetry |
+| HMI / treasury-workstation Linux LPE (Copy Fail CVE-2026-31431) where deployed | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch) on supported distros | EDR if deployable |
+
+**Honest gap statement (per AGENTS.md rule #10).** Vendor-specific financial-sector CVEs (core-banking platform CVEs, payment-gateway CVEs, broker-dealer trading-platform CVEs, SWIFT Alliance Access CVEs) are not exhaustively inventoried in `data/cve-catalog.json`. The authoritative sources are: vendor advisories (Temenos, Finastra, FIS, Fiserv, Jack Henry, Murex, Calypso, Bloomberg, Refinitiv, SWIFT KB), CISA KEV for cross-sector exposure, and sector-specific intel feeds (FS-ISAC, FI-ISAC EU). Forward-watched.
+
+---
+
+## Analysis Procedure
+
+This procedure threads the three foundational design principles required by AGENTS.md skill-format spec (defense in depth, least privilege, zero trust) through every step.
+
+**Defense in depth.** Multi-layer authentication for high-value transactions: AAL3 / FIDO2 device-bound passkey at customer layer (skill `identity-assurance`); 4-eyes principle on payment release; SWIFT CSCF 4.1/4.2 password management plus 5.1 logical access; CSCF 1.1 secure-zone segregation; network segmentation (D3-NI) between internet-banking, core-banking, treasury, SWIFT zone, fraud-detection; transaction monitoring (D3-NTA) at multiple layers (host, network, application, payment-message); model-output review for AI-mediated transactions; out-of-band confirmation for any AI-agent-initiated payment above scoped threshold.
+
+**Least privilege.** Per-service-account scoping (CWE-863 default-permissive role assignments are the dominant failing); SWIFT 4-eyes principle on every payment release; vendor-API tokens scoped to specific operations + amounts + counterparties + time windows; AI-agent transaction tokens scope-limited per delegated-authority attestation (PSD3/PSR forward-looking — see `data/framework-control-gaps.json#PSD2-RTS-SCA`); admin accounts on SWIFT secure zone segregated from administrative jump zone; fraud-detection model query-rate-limiting per-principal.
+
+**Zero trust.** Every transaction re-authenticated, not session-trusted; agentic-AI-initiated payments require ENHANCED authentication (out-of-band confirmation), not relaxed authentication; vendor remote access per-action verified (just-in-time credentialing); AI-assistant outputs treated as untrusted content until cross-checked against deterministic source (transaction-confirmation channel, customer step-up); fraud-model decisions logged with explanation for post-hoc review.
+
+### Step 1 — DORA Art. 26 TLPT scoping (where applicable)
+
+For EU-regulated entities designated under DORA Art. 26 (and TIBER-EU jurisdictions):
+
+- Confirm designation status with the lead competent authority (per Member State).
+- Pull last TLPT report; identify scope (which critical or important functions tested), threat-intelligence provider, red-team provider, replay/rerun gates.
+- Validate against JC 2024/40 RTS scope: critical or important functions, all critical ICT third-party service providers in scope.
+- Flag if last TLPT predates major AI integration (banking copilot, agentic payments, AI fraud detection model swap) — scope is stale.
+- Cross-walk to CBEST (UK), iCAST (HK), AESCSF red-team (AU) if entity is multi-jurisdictional. Mutual recognition is partial; do not assume one report satisfies all.
+
+### Step 2 — PSD2 RTS-SCA evidence audit + agent-initiation gap
+
+For all payment-related entities:
+
+- Pull RTS-SCA compliance evidence per payment channel (card, account-to-account, instant payment, treasury initiation).
+- Validate SCA element pairing: knowledge + possession + inherence two-of-three; biometric implementation per RFC-grade or vendor-attested standard.
+- Validate dynamic linking (RTS Art. 5) on every transaction: amount + payee bound into the SCA confirmation; replay-resistant.
+- Run the **agent-initiation question**: which transaction channels accept input from AI agents (bank copilot, customer-supplied agent, treasury-management automation)? For each, what is the delegated-authority attestation? Per `data/framework-control-gaps.json#PSD2-RTS-SCA`, document the absence of an agent-initiation construct as an open finding even if RTS-SCA evidence is otherwise complete.
+- Cross-walk to UK FCA SCA-RTS and AU CDR authentication where applicable.
+
+### Step 3 — SWIFT CSCF v2026 self-attestation gap analysis
+
+For SWIFT-connected institutions:
+
+- Pull the most recent KYC-SA (Know Your Customer - Security Attestation) submission.
+- Validate mandatory controls 1.1, 1.2, 2.1, 2.2, 2.3, 4.1, 4.2, 5.1, 5.4, 6.4, 7.1, 7.2 as a minimum (CSCF v2026 mandatory baseline; advisory controls assessed separately).
+- Per `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`: audit AI-API egress from SWIFT secure zone or administrative jump zone, LLM-assisted MT/MX drafting tools, AI reconciliation/sanctions tools. Document each AI integration's trust boundary.
+- Flag any "100% compliant" attestation that does not name AI integrations as a theater risk (see Theater Test 3).
+
+### Step 4 — NYDFS 23 NYCRR 500 Class A / standard institution check
+
+For NY-regulated entities:
+
+- Identify Class A designation status (Section 500.1(d) — 1B+ in revenue from NY business + 20K+ employees globally, broadly).
+- Validate CISO annual certification (Section 500.17): independent assessment, identified risk-based areas of non-compliance, remediation plan.
+- Validate 24-hour cyber-event notification + 72-hour ransom-payment notification readiness.
+- Audit privileged access (500.7) coverage of AI-agent service accounts — most institutions classify AI service accounts as conventional service accounts, which is structurally insufficient.
+
+### Step 5 — Ransomware resilience tabletop (multi-jurisdictional notification)
+
+- Tabletop a ransomware scenario hitting a critical-or-important function (DORA term) / important business service (UK FCA term) / critical ICT service (APRA, MAS term).
+- Time every regulator-notification clock: DORA Art. 19 (24h initial classification, 72h initial report, 1-month final), NYDFS 500.17 (24h cyber event, 72h ransom payment), APRA CPS 234 para 26 (72h material incident), MAS Notice 644/655 (1h notification of relevant cyber incident; 24h system unavailability), HKMA (within 24h), OSFI B-13 (24h significant incident), FCA (without delay), BoI Directive 361 (defined by impact).
+- Document ransom-payment decision authority pre-incident; map OFAC + EU + UK sanctions screening obligations on the payment processor.
+- Validate IR playbook against `data/cve-catalog.json` entries with ransomware-precursor relevance (Copy Fail CVE-2026-31431 LPE, Dirty Frag CVE-2026-43284, MOVEit-class file-transfer, Ivanti VPN, Citrix NetScaler).
+
+### Step 6 — Fraud-detection model adversarial-resilience audit
+
+- Pull current fraud-detection model architecture, training data refresh cadence, drift-monitoring posture.
+- Per AML.T0017 (Discover AI Model Family): test the institution's ability to detect model-probing — incremental test transactions, threshold-discovery patterns, chargeback-pattern fingerprinting. If detection is "manual review of false-positive rate trends only," the model is functionally undefended against probing.
+- Validate model retraining cadence: monthly or faster for high-velocity surfaces (card-not-present); quarterly is theater for any adversary-evolving surface (see Theater Test 4).
+- Cross-walk to OSFI E-23 (Enterprise-Wide Model Risk Management) and SR 11-7 equivalents.
+
+### Step 7 — Agentic-AI transaction policy audit
+
+- Enumerate every AI integration that can directly or indirectly initiate a transaction:
+  - bank-supplied conversational interface with payment tool-use
+  - customer-supplied agents (third-party AI agents holding session credentials)
+  - enterprise treasury AI agents under delegated CFO authority
+  - vendor-supplied AI features inside core-banking / treasury-management / trading platforms
+- For each, document: delegated-authority attestation, scope token (amount, counterparty, frequency, time window), out-of-band confirmation gate, prompt + completion + tool-call logging, kill switch.
+- If no policy exists, this is the single largest open structural gap in mid-2026 financial cyber.
+
+### Step 8 — Deepfake / voice-clone fraud-channel audit
+
+- Inventory remote-KYC + step-up-authentication channels using biometric inherence (voice, face).
+- Validate liveness detection vendor + version + last false-accept-rate / false-reject-rate test against adversarial generation tooling.
+- Help-desk social-engineering channel: validate out-of-band callback policy + voice-channel deepfake-resistant verification + transaction-history-question fallback.
+
+### Step 9 — Third-party / supply-chain risk per DORA Art. 28-30 and equivalents
+
+- Pull register of information per DORA Art. 28 (ICT third-party service providers supporting critical or important functions); validate completeness against actual third-party landscape.
+- Validate critical-ICT-TPP classification + concentration risk + exit strategy.
+- Cross-walk to OSFI B-10, APRA CPS 234 + CPS 230 (operational risk management), MAS TRM third-party section.
+- Use companion skill `supply-chain-integrity` for technical SBOM/SLSA/CSAF evidence; this skill scopes the regulatory mapping.
+
+### Step 10 — Compliance Theater Check (see dedicated section below for concrete tests)
+
+---
+
+## Output Format
+
+Produce this structure verbatim:
+
+```
+## Financial Sector Cybersecurity Posture Assessment
+
+**Assessment Date:** YYYY-MM-DD
+**Institution / Entity:** [name]
+**Regulatory exposure:** [EU DORA / UK FCA+PRA / US NYDFS / AU APRA / SG MAS / HK HKMA / IL BoI / CA OSFI / JP FISC / BR BCB / ...]
+**Critical or important functions in scope:** [list per DORA Art. 8 / equivalent]
+
+### DORA Register of Information Snapshot (where applicable)
+| ICT Third-Party | Service | Critical/Important Function Supported | Concentration Risk | Exit Strategy | Last Assessment |
+
+### PSD2 RTS-SCA Evidence Pack
+| Payment Channel | SCA Elements | Dynamic Linking | Exemption Use | Agent-Initiation Policy | Gap (per framework-control-gaps#PSD2-RTS-SCA) |
+
+### SWIFT CSCF v2026 Self-Attestation Gaps
+| Control | Mandatory/Advisory | Attested Compliant | Evidence Currency | AI-Integration Conduit Documented | Gap (per framework-control-gaps#SWIFT-CSCF-v2026-1.1) |
+
+### NYDFS 23 NYCRR 500 CISO Certification Readiness
+| Section | Class A Applicable | Evidence Status | Independent Assessment Currency | AI-Agent Service Accounts in Scope |
+
+### FFIEC / CRI Profile v2.x Scorecard (US examined entities)
+| NIST CSF 2.0 Function | CRI Profile Score | Examiner Finding History | AI Dimension Documented |
+
+### TLPT Status (TIBER-EU / DORA Art. 26 / CBEST / iCAST / AESCSF red-team)
+| Jurisdiction | Scheme | Last Test Date | Scope | Threat Provider | Red Team Provider | Mutual Recognition Status |
+
+### Multi-Jurisdiction Notification SLA Matrix
+| Regulator | Notification SLA | Last Tabletop Date | Pre-Decision Authority Documented |
+
+### Agentic-AI Transaction Surface Inventory
+| AI Surface | Bank-Supplied / Customer / Treasury / Vendor | Transaction Authority Scope | Delegated-Authority Attestation | Out-of-Band Confirmation | Kill Switch |
+
+### Fraud-Detection Model Adversarial-Resilience Posture
+| Model | Retraining Cadence | Drift Monitoring | Probing Detection | Last Adversarial Test |
+
+### Deepfake / Voice-Clone Channel Defense
+| Channel | Liveness Vendor / Version | Last FAR/FRR Test | Out-of-Band Fallback |
+
+### Cross-Jurisdiction Framework Gap Summary
+[Per-jurisdiction reconciliation — EU DORA + national overlays + UK + AU + SG + HK + IL + CA + JP + BR + AE + SA + IN + NZ + ISO 27001 + SOC 2 + SWIFT CSCF]
+
+### Compliance Theater Findings
+[Outcome of the four tests in the Compliance Theater Check section]
+
+### Defensive Countermeasure Plan (D3FEND)
+[D3-MFA, D3-CBAN, D3-NTA, D3-IOPR — concrete control placements by surface]
+
+### Priority Remediation Actions
+1. ...
+2. ...
+3. ...
+
+### RWEP-Prioritised CVE Exposure
+[Financial-sector-relevant CVEs ranked by RWEP, not CVSS; see `exploit-scoring` skill for recalculation]
+```
+
+---
+
+## Compliance Theater Check
+
+Run all four tests. Any "fail" is a theater finding documented with the evidence (or absence thereof).
+
+**Theater Test 1 — TIBER-EU / CBEST / iCAST scenario currency.**
+Ask: "Show me the TLPT scenario from your last cycle, the threat-intelligence inputs, the red-team report, and the remediation tracker."
+
+- If the answer is "we did a TIBER-EU in 2022 and we're due in 2025-2026": the test pre-dates banking copilot deployment, agentic payment surfaces, and 2024-2026 supply-chain TTPs. Scope is stale.
+- If the scenario library does not include AI-augmented social engineering (voice clone, deepfake video) or agent-initiated payment via prompt injection: scope is incomplete against current adversary capability.
+- If the remediation tracker is "all closed" but the next TLPT has not started: closure validation against re-exploitation is theater.
+- Acceptable: TLPT within the last 3 years, scenario library refreshed against current AI-augmented TTPs, remediation tracker explicitly retests closed findings before claiming closure.
+
+**Theater Test 2 — PSD2 SCA evidence for AI-agent-initiated transactions.**
+Ask: "What is your PSD2 SCA evidence for transactions initiated by an AI agent acting on behalf of the customer — whether your own conversational interface or a third-party agent holding the customer's session?"
+
+- If the answer is "all transactions go through SCA so they're compliant": this is the dominant theater answer. RTS-SCA evidence is fully satisfied by the customer's authenticated session; injected intent is invisible. Per `data/framework-control-gaps.json#PSD2-RTS-SCA`, document this as an open finding.
+- If the answer is "we don't allow AI agents to initiate transactions": validate against the actual product surface. Conversational interfaces with transfer tool-use exist at most large retail banks in mid-2026. The policy "no AI initiation" without the technical control is theater.
+- Acceptable: documented agent-initiation policy with scoped delegated-authority tokens, out-of-band confirmation for any agent-initiated payment above a threshold (the threshold itself documented and defensible), AI-channel audit indicator on every agent-mediated transaction.
+
+**Theater Test 3 — SWIFT CSCF v2026 attestation completeness.**
+Ask: "Show me your SWIFT CSCF v2026 self-attestation. For each control attested compliant, name the AI integrations that touch the SWIFT secure zone or its administrative jump zone — LLM-assisted message drafting, AI reconciliation, AI sanctions screening, vendor copilot features in SWIFT Alliance Access or Alliance Web Platform."
+
+- If the answer is "100% compliant" but no AI integrations are named: per `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`, the attestation is silent on a real attack surface. The "100% compliant" claim is paper completeness, not actual coverage.
+- If AI-API egress from administrative jump zones is allowed without explicit allowlist + DLP + monitoring: CSCF 1.1 segregation assumption is violated regardless of attestation.
+- Acceptable: attestation explicitly names AI integrations, documents their trust boundaries, names the DLP control on jump-zone egress, and includes the AI-mediated message-drafting review gate before MT/MX release.
+
+**Theater Test 4 — Fraud-detection model retraining cadence vs adversary capability.**
+Ask: "What is your fraud-detection model retraining cadence, drift-monitoring cadence, and adversarial-testing cadence? When did adversaries last successfully evade your model in production?"
+
+- If the answer is "quarterly retraining, manual drift review, no adversarial testing": this is theater against any AI-augmented fraud adversary. Mid-2026 adversary capability evolves on a 2-4 week cycle for AI-augmented BEC and on a continuous cycle for card-not-present fraud-pattern adaptation.
+- If "we don't know when adversaries last successfully evaded": detection of evasion is the missing control. Successful evasions show up as chargeback-volume drift weeks later, not as fraud-system alerts.
+- Acceptable: monthly-or-faster retraining for high-velocity surfaces, continuous drift monitoring with alerting, scheduled adversarial-resilience testing (AML.T0017 detection), retrospective audit of evasion patterns from chargeback / customer-complaint signal.
+
+---
+
+## Defensive Countermeasure Mapping
+
+Per AGENTS.md optional 8th section (required for skills shipped on or after 2026-05-11). Maps financial-sector offensive findings to MITRE D3FEND IDs from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per Hard Rule #9.
+
+| D3FEND ID | Technique | Layer Position | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability |
+|---|---|---|---|---|---|
+| D3-MFA | Multi-Factor Authentication | Customer-facing channel (AAL3 / FIDO2 device-bound passkey for high-value); employee-facing channel (FIDO2 for SWIFT operator, treasury, admin); vendor remote access | Per-principal MFA enrolment; phishing-resistant factors mandatory for any payment-authority principal | Every authentication event verified, not session-trusted; step-up for high-value and AI-agent-initiated transactions | Applicable to human principals. AI-agent service accounts need a distinct attestation construct (scope token + delegated-authority assertion) — D3-MFA conceptually extends but PSD2 RTS-SCA does not yet name it (see framework gap). |
+| D3-CBAN | Credential-Based Authentication | Application + API layer for customer credentials; SWIFT secure-zone operator credentials; vendor-API tokens; AI-agent service-account credentials | Per-credential scope (amount, counterparty, time window) for agent tokens; per-operator-role for SWIFT operators; CWE-798 prohibition on hard-coded credentials in code | Credential issuance just-in-time where feasible; credential rotation per documented cadence; credential leakage detection at egress and on public-code-search surfaces | Applicable. AI-agent credentials need scope-token construct beyond conventional CBAN; PSD3/PSR forward-looking. |
+| D3-NTA | Network Traffic Analysis | Network boundary (internet ↔ customer-facing portal); inter-zone boundary (customer-facing ↔ core-banking); SWIFT secure-zone boundary; administrative jump zone egress; AI-API egress | Operator alerting scoped to operator's zone; SOC aggregated visibility | Network-hostile-until-proven posture; AI-API egress explicitly allowlisted at administrative jump zone | Applicable. AI-API egress monitoring is the specific gap: DLP-aware NTA is required to detect AI-channel exfiltration (T1567) per `data/dlp-controls.json`. |
+| D3-IOPR | Input / Output Pattern Recognition | Application layer (transaction monitoring); fraud-detection model layer; AI-channel inspection (prompt + completion + tool-call) | Transaction-pattern detection per customer; model-probing detection per principal; AI-channel inspection per integration | Every transaction pattern verified against historical norm and against adversary-known patterns; AI-channel outputs treated as untrusted until cross-checked | Critical for AI-pipeline applicability. AI-channel I/O inspection is the primary defensive control against prompt injection mediating agent-initiated payments and AI-mediated SWIFT message drafting. Almost never deployed at mid-2026; this is the dominant defensive gap. |
+
+**AI-pipeline-specific posture (per Hard Rule #9).** Conventional D3-MFA cannot apply to autonomous AI agents acting on behalf of a customer — there is no agent-side biometric inherence factor, and possession factors are reduced to API-key custody. The AI-pipeline-appropriate construct is: scoped delegated-authority attestation (PSD3/PSR forward-looking) + out-of-band confirmation for any transaction above scoped threshold + AI-channel I/O recording (D3-IOPR) sufficient to support post-hoc dispute resolution and forensic reconstruction. Skill `identity-assurance` covers AAL/IAL/FAL constructs and is the companion for human-side authentication; this skill covers the sector-regulatory framing of the agent-side gap.
+
+---
+
+## Hand-Off / Related Skills
+
+After producing the financial-sector posture assessment, chain into the following skills.
+
+- **`identity-assurance`** — for AAL3 / FIDO2 / WebAuthn customer-side SCA implementation detail, IAL2/IAL3 for high-value onboarding, FAL constructs for federation, and the deep cryptographic posture (RFC 8446 TLS 1.3, RFC 7519 JWT, RFC 8725 JWT BCP, RFC 9421 HTTP Message Signatures) that PSD2 RTS-SCA and SWIFT CSCF reference but do not specify.
+- **`attack-surface-pentest`** — for DORA Art. 26 TLPT methodology, TIBER-EU rules of engagement, CBEST scope-setting, iCAST tier calibration, and AESCSF red-team execution. This skill scopes the regulatory mapping; `attack-surface-pentest` covers the test mechanics.
+- **`supply-chain-integrity`** — for DORA Art. 28-30 ICT third-party risk technical evidence (SBOM, SLSA, CSAF VEX, in-toto attestation, Sigstore verification), APRA CPS 230 third-party operational dependencies, OSFI B-10 outsourcing posture, and MAS TRM third-party section.
+- **`dlp-gap-analysis`** — for financial PII and customer-data egress controls, AI-channel egress (LLM API calls) from SWIFT secure zone administrative jump zones, KYC document leakage into consumer AI tools, and the DLP-aware NTA construct named in D3-NTA above. Per `data/dlp-controls.json`.
+- **`compliance-theater`** — to extend the four theater tests above with general-purpose theater detection across the wider GRC posture (DORA register completeness, CISO certification independence, SWIFT KYC-SA evidence currency).
+- **`coordinated-vuln-disclosure`** — for DORA Art. 19 major-incident reporting (24h initial / 72h follow-up / 1-month final), NYDFS 500.17 24h cyber event + 72h ransom payment, APRA CPS 234 para 26 72h material incident, MAS Notice 644/655 1h notification, HKMA 24h, OSFI B-13 24h, and the multi-regulator notification orchestration when a single incident triggers multiple clocks.
+- **`framework-gap-analysis`** — for any multi-jurisdiction institution, to produce the per-jurisdiction reconciliation called for in Output Format "Cross-Jurisdiction Framework Gap Summary."
+- **`global-grc`** — alongside framework-gap-analysis when EU DORA + national overlays (BaFin BAIT/VAIT, ACPR, BdP, Banca d'Italia, AEPD), UK FCA + PRA, AU APRA + AESCSF, SG MAS, HK HKMA, IL BoI 361, CA OSFI, JP FISC, BR BCB, AE CBUAE + DFSA + FSRA, SA SAMA, IN SEBI + RBI all apply.
+- **`ai-attack-surface`** and **`mcp-agent-trust`** — when banking copilot, agentic-payment surface, or AI-mediated SWIFT drafting is in scope; `ai-attack-surface` for prompt-injection and model-extraction threats, `mcp-agent-trust` for tool-use governance on copilots with write access to payment, transfer, or message-creation surfaces.
+- **`policy-exception-gen`** — to generate defensible exceptions for financial-sector controls that cannot be met within stated SLAs (e.g., legacy core-banking platforms where 30-day patch SLA is operationally infeasible; documented compensating-control programme is the exception evidence).
+
+**Forward watch (per skill-format spec).** PSD3 + PSR final text and agent-initiated-payment treatment; DORA TLPT first-cycle aggregate findings from ESAs; SWIFT CSCF v2027 annual update and AI-mediated-message-generation controls; NYDFS 23 NYCRR 500 further amendments and agentic-AI scope; CRI Profile v2 migration as US sector baseline replacing FFIEC CAT; MAS Notice 655 / TRM Guidelines refresh for GenAI; HKMA CFI 3.0 and iCAST AI/ML scope; APRA CPS 230 effective-date operational findings; UK FCA / PRA operational resilience self-assessment cycle; BCB Resolução BCB 85 PIX-fraud-typology updates; OSFI B-13 post-2024 examination findings; TIBER-EU v2.0 cross-recognition with CBEST and iCAST.