plainstamp 0.1.0 → 0.2.0

package/CHANGELOG.md

@@ -9,14 +9,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ### Planned next
 
 - Add EU member-state AI Act implementation specifics where they diverge from the regulation (Germany, France, Spain, Italy, Netherlands first).
-- Add sector-specific rules: FDA Software-as-a-Medical-Device AI guidance, FINRA chatbot disclosure, healthcare HIPAA-adjacent AI rules.
 - Add a third watcher source (Cal Leg Info first; EUR-Lex if a usable feed surfaces).
-- Cloudflare Workers deployment of the MCP server for free-tier hosted access.
-- Get plainstamp listed on MCP registries (Anthropic registry, mcp-market, MCP Hive).
+- Cloudflare Workers deployment of the MCP server for free-tier hosted access — gates the smithery.ai / pulsemcp.com / official MCP registry submissions, all of which require a hosted MCP endpoint or GitHub-verified namespace ownership.
 
 ### Distribution
 
-Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `README.md`, `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
+Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
+
+## [0.2.0] — 2026-05-08
+
+### Added
+
+- FINRA Regulatory Notice 24-09 — AI in customer communications. Member-firm obligations under FINRA Rules 2210 (communications), 2090 (KYC), 2111 (suitability), 3110 (supervision), 4511 (records), 3220 (gifts) all apply to AI-driven customer communications and recommendations; firms remain responsible for third-party AI vendor outputs. Use case `financial-services`. Issued 2024-06-27.
+- New SEO-leaning guide: `docs/guides/eu-ai-act-article-50-chatbot-disclosure.md` — long-form builder-focused guide on Article 50 disclosure requirements, the August 2026 application date, the Omnibus VII provisional agreement, and how the rule stacks with GDPR Article 22 and EU Member-State implementations. Ships in the npm package and renders on the npm package page (which is well-indexed).
+- Package `files` array now includes `docs/guides` so SEO-leaning content ships with the published artifact.
+- Keywords expanded: `gdpr`, `finra`, `cfpb`, `eeoc`, `regtech` added to support discovery via npm search and search-engine indexing of the npm package page.
+- Rule count 18 → 19. Tests still 51/51 passing.
 
 ## [0.1.0] — 2026-05-08
 

package/docs/guides/eu-ai-act-article-50-chatbot-disclosure.md

@@ -0,0 +1,161 @@
+# EU AI Act Article 50: a builder's guide to chatbot disclosure
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your product talks to people in the EU and an AI is doing the talking,
+Article 50 of the EU AI Act applies to you. This guide covers what the
+rule actually says, when it applies, what counts as compliance, and the
+deadline pressure most teams aren't tracking yet.
+
+## What Article 50 actually requires
+
+Article 50(1) of Regulation (EU) 2024/1689 says:
+
+> Providers of AI systems intended to interact directly with natural
+> persons must design and develop them in such a way that the natural
+> persons concerned are informed that they are interacting with an AI
+> system.
+
+There is one exception: if the fact that the user is talking to an AI
+is "obvious from the point of view of a reasonably well-informed person
+taking into account the circumstances and the context of use," the
+disclosure is not required. The bar for "obvious" is high — a chat
+window labeled "AI Assistant" probably qualifies; a chat window
+labeled "Customer Support" does not, even if the bot sounds robotic.
+
+Article 50(2) layers a separate obligation: any AI-generated synthetic
+audio, image, video, or text must be marked as artificially generated
+or manipulated, in a machine-readable format. The text-content
+sub-clause has narrow exemptions (assistive editing, no substantive
+change, etc.) that we cover later.
+
+## Who is the "provider"
+
+The Act distinguishes **providers** (who develop or place the AI system
+on the market) from **deployers** (who use it). Article 50 falls
+primarily on providers — but the deployer obligations under Article 50(4)
+on emotion-recognition / biometric systems and on deepfakes still apply
+where relevant.
+
+For a typical SaaS chatbot: the company that builds the chatbot model
+or wraps an LLM into a product is the provider. The customer that
+embeds the chatbot on their site is a deployer. Both have obligations
+under different Article 50 paragraphs.
+
+## When the obligation kicks in
+
+Article 50 applies as soon as a natural person begins interacting with
+the AI system. Practically, this means **the disclosure must appear at
+the start of the conversation**, before the AI has produced any
+substantive output that a user might rely on.
+
+A persistent banner reading "You are chatting with an AI assistant" at
+the top of the chat surface satisfies this for most chat UIs. A
+voice-channel disclosure must be spoken at session start. A
+video-avatar disclosure typically combines a spoken introduction with a
+visible on-screen indicator.
+
+## The "machine-readable" requirement (Art. 50(2))
+
+For AI-generated synthetic content, the marking must be machine-
+readable. The Act doesn't mandate a specific technical standard, but
+the European Commission has signaled that watermarking schemes
+compliant with C2PA, the SynthID variants, and similar provenance
+metadata will be acceptable. As of 2026, the Commission is finalizing
+implementing acts that will narrow the technical options.
+
+If you're producing AI-generated images, audio, or video at scale,
+adopt a watermarking standard now — retrofitting watermarks across an
+existing content corpus is materially harder than baking them into the
+generation pipeline.
+
+## Penalties and timing
+
+Article 50 obligations apply from **August 2, 2026**. Penalties under
+Article 99 of the Act for Article 50 violations can reach **€15 million
+or 3% of global annual turnover, whichever is higher**.
+
+A separate provisional agreement under the EU's Omnibus VII package
+(provisional agreement 2026-05-07) reduced the transparency-solutions
+grace period from 6 months to 3 months, moving the practical
+compliance deadline for Article 50(2) machine-readable marking
+implementations to **December 2, 2026**. Re-verify against the final
+adopted text — Omnibus VII's provisional agreement may shift before
+formal adoption.
+
+## How Article 50 stacks with other EU rules
+
+Article 50 doesn't operate in isolation. Builders should also check:
+
+- **GDPR Article 22** — if the AI conversation feeds into an automated
+  decision producing legal or similarly significant effects, the
+  data-subject rights to human intervention, point-of-view expression,
+  and contestation apply on top of the chatbot disclosure.
+- **GDPR Articles 13(2)(f) and 14(2)(g)** — when personal data is
+  collected during the AI interaction, the controller must inform the
+  data subject about the existence of automated decision-making, the
+  logic involved, and the envisaged consequences.
+- **EU AI Act Article 13** — high-risk AI systems have separate
+  transparency obligations to deployers (instructions for use,
+  expected outputs, characteristics and limitations).
+- **Digital Services Act (Regulation (EU) 2022/2065)** — provider
+  obligations around content moderation transparency layer over the
+  chatbot disclosure when the AI is moderating user-generated content.
+- **Member-state implementations** — Germany's BDSG, France's Loi
+  Informatique et Libertés, and Spain's AESIA framework all add
+  national-level safeguards on top of the EU regulation. Verify the
+  rules of every Member State your service operates in.
+
+## How plainstamp helps
+
+`plainstamp` ships with `eu-ai-act-art50-chatbot` and
+`eu-ai-act-art50-genai-content` rules that surface the live text of
+Article 50, the required disclosure elements, and ready-to-paste plain-
+language and formal-language disclosure templates. Each rule cites the
+EUR-Lex source URL and carries a `last_verified` date so you know
+whether the text you're reading is current.
+
+A typical lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction eu \
+                      --channel live-chat \
+                      --use-case b2c-customer-support
+```
+
+returns the rule, the disclosure-element checklist, and template text
+you can drop into your chat surface. For deployers running across
+multiple jurisdictions, the same query against `us-ca`, `us-co`,
+`us-il`, `us-tx`, `us-ut`, etc. will surface the parallel state-level
+obligations that often layer on top.
+
+## The minimum viable Article 50 disclosure
+
+If you ship one thing this week, ship a chat-surface header that
+includes:
+
+1. A clear statement that the user is interacting with an AI ("You
+   are chatting with an AI assistant").
+2. A path to escalate to a human (where applicable to your service
+   model and required by sectoral rules — e.g., financial-services
+   rules in many jurisdictions require an escalation path).
+3. A link to your privacy notice covering AI data use.
+
+Then, if you process AI-generated synthetic media, prioritize
+machine-readable marking for the Art. 50(2) deadline.
+
+## Source-of-truth links
+
+- **Regulation (EU) 2024/1689 — full text on EUR-Lex** ([eur-lex.europa.eu](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689))
+- **GDPR Article 22 on EUR-Lex** ([eur-lex.europa.eu](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679))
+- **EDPB Guidelines on Automated Decision-Making (WP251rev.01)** — apply alongside Art. 22 obligations.
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",
@@ -17,6 +17,7 @@
   "files": [
     "dist",
     "rules",
+    "docs/guides",
     "README.md",
     "AI-DISCLOSURE.md",
     "CHANGELOG.md",
@@ -53,7 +54,12 @@
     "compliance",
     "ccpa",
     "eu-ai-act",
+    "gdpr",
     "ftc",
+    "finra",
+    "cfpb",
+    "eeoc",
+    "regtech",
     "agent",
     "autonomous-ai"
   ]

package/rules/seed.json

@@ -812,6 +812,53 @@
         "formal": "Notice of Adverse Action under the Equal Credit Opportunity Act (15 U.S.C. § 1691(d)) and Regulation B (12 CFR § 1002.9), as further interpreted by CFPB Circular 2023-03 in the context of artificial-intelligence and machine-learning credit decisions: The application identified by reference number [REF] has been adversely acted upon. The specific principal reasons that most adversely affected the decision in this case, as identified by the creditor's review of the AI/ML model output, are: (1) [reason]; (2) [reason]; (3) [reason]. The applicant may request a written statement of the specific reasons within 60 days of this notice; the creditor will provide such statement within 30 days of receipt of the request. Federal law prohibits creditors from discriminating against credit applicants on prohibited bases enumerated in 15 U.S.C. § 1691(a). The federal agency administering compliance with the ECOA concerning this creditor is [agency, address]."
       },
       "notes": "CFPB Circular 2023-03 makes explicit a position the CFPB had taken in supervisory guidance for years: the technological complexity of an AI/ML model is not a defense for failing to provide ECOA-compliant adverse-action reasons. Creditors must identify the specific factors that affected THIS APPLICANT'S decision — not generic factors that influence the model in general. Practical implications for AI-credit fintechs: (1) the model itself must be explainable to a level that supports per-applicant reason codes — if the model cannot do this, the model cannot be deployed for credit decisions; (2) the reason codes must be checked for accuracy, not just plausibility — using post-hoc SHAP / LIME explanations as the source of reason codes is acceptable IF the creditor has validated that those explanations actually reflect what drove the decision in each case; (3) generic or boilerplate codes ('credit application incomplete', 'failed model threshold') are insufficient — the codes must point to applicant-specific factors. ECOA's statutory penalties combined with ongoing CFPB enforcement priority make this a high-stakes obligation. Note: Regulation B's adverse-action requirements run in parallel with the FCRA's adverse-action requirements (15 U.S.C. § 1681m) when the decision was based in whole or in part on a consumer report — both sets of obligations apply to the same notice."
+    },
+    {
+      "id": "us-finra-rn-24-09-ai-customer-communications",
+      "jurisdiction": "us",
+      "channels": ["live-chat", "voice", "email-marketing", "ai-generated-content"],
+      "use_cases": ["financial-services"],
+      "severity": "mandatory",
+      "short_title": "FINRA Regulatory Notice 24-09 — AI in customer communications",
+      "summary": "FINRA Regulatory Notice 24-09 (June 27, 2024) addresses member firm use of generative artificial intelligence and other large language model technologies in their securities business. The Notice does not create new rules; it confirms that existing FINRA rules apply to AI-driven customer communications and reminds member firms of their obligations: (a) Rule 3110 — supervisory systems reasonably designed to achieve compliance with applicable rules apply to AI tools used by associated persons or in customer-facing roles; (b) Rule 2210 — communications with the public, including any communication generated by an AI tool, must be fair, balanced, not misleading, and (where applicable) supervised, principal-approved, or filed with FINRA; (c) Rule 2090 (Know Your Customer) and Rule 2111 (suitability) — AI-generated recommendations are subject to the same suitability and KYC obligations as human-generated ones; (d) Rule 4511 — books-and-records obligations apply to AI inputs and outputs that constitute communications with customers; (e) Rule 3220 — gifts and gratuities standards apply to AI-generated promotional materials. Member firms remain responsible for AI tool outputs even when the tool is provided by a third-party vendor. Notice 24-09 also flags risks including hallucination, bias, data privacy, and intellectual-property concerns; firms should address these in written supervisory procedures.",
+      "required_elements": [
+        {
+          "id": "ai-communication-supervision",
+          "description": "AI-generated communications with the public are subject to FINRA Rule 2210 standards (fair, balanced, not misleading) and the firm's existing principal-review / pre-approval / filing workflow as applicable to the communication type.",
+          "required": true,
+          "example": "All customer-facing communications generated by the AI assistant are reviewed by a qualified principal under FINRA Rule 2210 before delivery and retained per the firm's books-and-records policy under Rule 4511."
+        },
+        {
+          "id": "ai-recommendation-suitability",
+          "description": "AI-generated investment recommendations or advice are subject to FINRA Rule 2111 suitability obligations on the same terms as human-generated recommendations; firm WSPs must address how AI-generated recommendations are reviewed for suitability.",
+          "required": true,
+          "example": "Any investment recommendation generated by the AI tool for a customer account is subject to a Rule 2111 suitability review against the customer's investment profile under the firm's written supervisory procedures."
+        },
+        {
+          "id": "third-party-vendor-responsibility",
+          "description": "Firm responsibility for AI tool outputs persists when the tool is operated by a third-party vendor; vendor due diligence and oversight are part of the firm's Rule 3110 supervisory obligation.",
+          "required": true,
+          "example": "AI tools operated by third-party vendors are vetted, monitored, and supervised by the firm under FINRA Rule 3110; the firm remains responsible for any communications, recommendations, or records generated by those tools in connection with its securities business."
+        },
+        {
+          "id": "wsp-ai-coverage",
+          "description": "Written supervisory procedures address AI tool use, including risk areas of hallucination, bias, data privacy, and IP. (System / governance requirement, not per-message text.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "FINRA Rules 2210, 2090, 2111, 3110, 4511, 3220 (existing); FINRA Regulatory Notice 24-09, 'FINRA Reminds Member Firms of Their Obligations When Using Generative Artificial Intelligence and Large Language Models' (June 27, 2024)",
+        "section": "Member-firm obligations when using AI in securities business",
+        "source_url": "https://www.finra.org/rules-guidance/notices/24-09",
+        "publisher": "Financial Industry Regulatory Authority"
+      },
+      "effective_date": "2024-06-27",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Customer Communication via AI Tool: This message (or recommendation) was prepared with the assistance of an artificial-intelligence tool and is subject to the same review and supervision standards as any communication delivered by [Member Firm]. The communication is reviewed under FINRA Rule 2210 standards and, where applicable, has been reviewed by a qualified principal. Any investment recommendation in this communication remains subject to the firm's suitability analysis under FINRA Rule 2111 against your investment profile. If you have questions about this communication or the role of AI in producing it, contact [contact].",
+        "formal": "Notice under FINRA Regulatory Notice 24-09 and Rules 2210, 2090, 2111, 3110, 4511, and 3220: This communication was generated, in whole or in part, with the assistance of artificial-intelligence technology. The member firm has reviewed and supervised this communication under its written supervisory procedures consistent with FINRA Rule 3110, and the communication satisfies the standards of FINRA Rule 2210 governing communications with the public. Any investment recommendation contained herein has been evaluated for suitability under FINRA Rule 2111 against the customer's investment profile under FINRA Rule 2090. The firm retains records of this communication under FINRA Rule 4511. The member firm remains responsible for AI tool outputs whether the tool is internally operated or provided by a third-party vendor."
+      },
+      "notes": "FINRA Regulatory Notice 24-09 is reminder-and-clarification guidance — it does not create new rules. The binding obligations are the existing FINRA rules (2210, 2090, 2111, 3110, 4511, 3220), which apply by their existing terms to AI-driven communications, recommendations, and records. Member firms (broker-dealers and their associated persons) are bound; non-member firms are not directly bound by FINRA rules but may face parallel obligations under SEC rules (e.g., Rule 17a-4 books-and-records, Investment Advisers Act fiduciary duty for IA-registered firms) — this rule's `jurisdiction` is `us` because FINRA is a self-regulatory organization with national scope, not a single-state regulator. The 2023 SEC Staff Bulletin on conflicts of interest for AI/PDA-using broker-dealers and investment advisers (and the SEC's proposed PDA rule, Rel. No. 34-97990) layers additional obligations specifically around conflicts; firms with PDA / AI advisory tools should consult both. FINRA expects firms to update their WSPs to specifically address AI tool use; using AI without WSP coverage is an immediate Rule 3110 supervision deficiency. Firms should also be aware of state-level adverse-action and disclosure overlays (e.g., NYDFS's October 2024 cybersecurity / AI guidance for licensed entities)."
     }
   ]
 }