plainstamp 0.1.0 → 0.3.0

package/CHANGELOG.md

@@ -9,14 +9,30 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ### Planned next
 
 - Add EU member-state AI Act implementation specifics where they diverge from the regulation (Germany, France, Spain, Italy, Netherlands first).
-- Add sector-specific rules: FDA Software-as-a-Medical-Device AI guidance, FINRA chatbot disclosure, healthcare HIPAA-adjacent AI rules.
 - Add a third watcher source (Cal Leg Info first; EUR-Lex if a usable feed surfaces).
-- Cloudflare Workers deployment of the MCP server for free-tier hosted access.
-- Get plainstamp listed on MCP registries (Anthropic registry, mcp-market, MCP Hive).
+- Cloudflare Workers deployment of the MCP server for free-tier hosted access — gates the smithery.ai / pulsemcp.com / official MCP registry submissions, all of which require a hosted MCP endpoint or GitHub-verified namespace ownership.
 
 ### Distribution
 
-Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `README.md`, `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
+Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
+
+## [0.3.0] — 2026-05-08
+
+### Added
+
+- HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (45 CFR § 92.210, May 6, 2024 final rule). Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, HHS-administered programs) must identify uses of AI/ML clinical decision-support tools and make reasonable efforts to mitigate algorithmic discrimination. Compliance deadline May 1, 2025 — now in effect and enforceable. Use case `healthcare`.
+- Second SEO guide: `docs/guides/colorado-ai-act-sb-24-205-builder-guide.md` — long-form coverage of Colorado's comprehensive AI Act, the high-risk AI system definition, deployer/developer obligations, the consumer-disclosure components, the June 30, 2026 deadline, and how SB 24-205 stacks with parallel state and federal AI rules. Targets the high-traffic Colorado-compliance search vertical (deadline pressure + uncertainty about scope).
+- Rule count 19 → 20. Tests still 51/51 passing.
+
+## [0.2.0] — 2026-05-08
+
+### Added
+
+- FINRA Regulatory Notice 24-09 — AI in customer communications. Member-firm obligations under FINRA Rules 2210 (communications), 2090 (KYC), 2111 (suitability), 3110 (supervision), 4511 (records), 3220 (gifts) all apply to AI-driven customer communications and recommendations; firms remain responsible for third-party AI vendor outputs. Use case `financial-services`. Issued 2024-06-27.
+- New SEO-leaning guide: `docs/guides/eu-ai-act-article-50-chatbot-disclosure.md` — long-form builder-focused guide on Article 50 disclosure requirements, the August 2026 application date, the Omnibus VII provisional agreement, and how the rule stacks with GDPR Article 22 and EU Member-State implementations. Ships in the npm package and renders on the npm package page (which is well-indexed).
+- Package `files` array now includes `docs/guides` so SEO-leaning content ships with the published artifact.
+- Keywords expanded: `gdpr`, `finra`, `cfpb`, `eeoc`, `regtech` added to support discovery via npm search and search-engine indexing of the npm package page.
+- Rule count 18 → 19. Tests still 51/51 passing.
 
 ## [0.1.0] — 2026-05-08
 

package/docs/guides/colorado-ai-act-sb-24-205-builder-guide.md

@@ -0,0 +1,216 @@
+# Colorado AI Act (SB 24-205): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI product is sold to or used by people in Colorado and any of
+its decisions could affect a person's access to housing, employment,
+education, healthcare, financial services, government services, legal
+services, or essential goods and services, **the Colorado AI Act
+applies to you**. The rule is one of the strictest comprehensive AI
+laws in the U.S. and its consumer-disclosure obligation goes into
+effect **June 30, 2026** after a delay from the original February 2026
+date. This guide walks through what the rule requires, what it does
+*not* require, and what to ship before the deadline.
+
+## What SB 24-205 actually does
+
+Colorado SB 24-205 (codified at Colorado Revised Statutes § 6-1-1701
+et seq.) creates obligations for two parties:
+
+- **Developers** of high-risk AI systems — entities that build and
+  deploy a high-risk AI system or substantially modify one.
+- **Deployers** of high-risk AI systems — entities that use a high-
+  risk AI system in their operations affecting Colorado consumers.
+
+A "high-risk AI system" is one that, when deployed, makes or is a
+substantial factor in making a "consequential decision" — defined to
+include decisions affecting access to or cost of:
+
+- Educational opportunities
+- Employment or employment opportunities
+- Financial or lending services
+- Essential government services
+- Healthcare services
+- Housing
+- Insurance
+- Legal services
+
+The Act layers two distinct sets of obligations: substantive (avoid
+algorithmic discrimination) and procedural (impact assessments, risk
+management, regulator notifications, consumer notices).
+
+## The consumer-disclosure obligation — what to ship
+
+The consumer-facing piece — the part most builders need to ship — has
+three components:
+
+### 1. Pre-decision disclosure (deployer obligation)
+
+Before a high-risk AI system makes a consequential decision about a
+consumer, the deployer must give the consumer:
+
+- A statement disclosing that a high-risk AI system has been used
+  in the consequential decision-making process.
+- A description of the high-risk AI system, its purpose, and how
+  it has been used.
+- The nature of the consequential decision.
+- Contact information for the deployer.
+- A description of any human components of the decision-making
+  process and how the AI system contributes to the decision.
+- A description of the consumer's rights under SB 24-205,
+  including the right to opt out of the processing of personal
+  data for profiling that produces legal or similarly significant
+  effects (under the Colorado Privacy Act), the right to correct
+  incorrect personal data, and the right to appeal an adverse
+  consequential decision.
+
+### 2. Adverse-decision notice (deployer obligation)
+
+If the high-risk AI system contributes to an adverse consequential
+decision, the deployer must additionally disclose to the consumer:
+
+- The principal reason(s) for the adverse decision.
+- The degree to which the AI system contributed to the decision.
+- The type of data processed by the AI system in making the
+  decision and the source of that data.
+- The right to correct incorrect personal data, the right to
+  appeal the adverse decision, and the right to opt out of
+  profiling.
+
+### 3. Public-facing statement (developer + deployer)
+
+Both developers and deployers must publish a public statement summarizing:
+
+- The types of high-risk AI systems they currently develop /
+  deploy.
+- How the entity manages known or reasonably foreseeable risks of
+  algorithmic discrimination.
+- The most recent date the public statement was updated.
+
+## What SB 24-205 does *not* require
+
+Common misconceptions worth clearing up:
+
+- **It is not a CCPA-style right of deletion**. SB 24-205 layers on
+  the existing Colorado Privacy Act for personal-data rights; it
+  doesn't create new general-purpose data rights.
+- **It does not require pre-approval or registration of every AI
+  system** with a Colorado regulator. Developers must notify the
+  Colorado Attorney General within 90 days of discovering that a
+  high-risk AI system has caused or is reasonably likely to have
+  caused algorithmic discrimination, but routine deployment doesn't
+  require pre-clearance.
+- **It does not apply to most generative AI consumer products**
+  unless a specific deployment of that product is itself a high-
+  risk AI system making consequential decisions. A general-purpose
+  LLM helping a user write an email is not a high-risk AI system;
+  the same LLM scoring resumes for an employer is.
+
+## The deadlines
+
+- **June 30, 2026** — consumer-disclosure obligations apply to
+  deployers (delayed from the original February 2026 date).
+- **Public statement and risk-management obligations apply on
+  the same date.**
+- **Algorithmic-discrimination notification to the Attorney General**
+  applies on the same date.
+
+## How SB 24-205 stacks with other AI rules
+
+Colorado SB 24-205 is part of a comprehensive U.S.-state AI regime
+that's emerging unevenly across jurisdictions. Builders deploying
+across multiple states need to layer obligations:
+
+- **California**: AB 2013 (training-data transparency, effective
+  2026-01-01); B&P § 17941 (bot disclosure); SB 942 (AI provenance);
+  the California Privacy Protection Agency's automated-decision-
+  making rulemaking.
+- **Illinois**: HB 3773 amending the Illinois Human Rights Act
+  (employment AI, effective 2026-01-01).
+- **Texas**: TRAIGA (HB 149, effective 2026-01-01) — government-
+  agency and healthcare-provider AI disclosure obligations.
+- **Utah**: SB 149 + SB 226 — GenAI disclosure in regulated
+  occupations.
+- **New York City**: Local Law 144 — AEDT bias audits for
+  employment AI.
+- **Maryland**: Labor & Employment § 3-717 — facial recognition
+  in interviews requires written consent.
+- **Federal**: EEOC technical assistance on Title VII selection
+  procedures; CFPB Circular 2023-03 on AI adverse-action notices;
+  HHS Section 1557 on patient-care decision support tools; FINRA
+  Regulatory Notice 24-09 on AI in member-firm communications.
+- **EU**: AI Act Articles 50(1) and 50(2); GDPR Article 22 on
+  automated decisions.
+
+A consumer-facing AI product operating across these jurisdictions
+needs disclosure copy for each — and the disclosures often differ in
+content, timing, and format. That's the maintenance problem
+`plainstamp` exists to solve.
+
+## How plainstamp helps
+
+`plainstamp` ships an `us-co-sb24-205-consumer-disclosure` rule that
+returns the live disclosure-element checklist for SB 24-205, ready-
+to-paste plain-language and formal-language templates, citation back
+to the Colorado Office of Legislative Legal Services source URL, and
+a `last_verified` date.
+
+Typical lookup for a deployer notifying a Colorado employment-AI user
+before a hiring decision:
+
+```bash
+npx plainstamp lookup --jurisdiction us-co \
+                      --channel email-transactional \
+                      --use-case employment-decisions
+```
+
+This returns the SB 24-205 consumer-disclosure rule. To pick up the
+parallel federal-floor obligation (EEOC technical assistance) and the
+parallel state-employment rules in other states the deployer
+operates in, query each jurisdiction in turn. plainstamp's
+parent-jurisdiction inheritance rule means a `us-co` query also
+matches federal-level `us` rules.
+
+For the public-facing statement (developer or deployer) and the
+internal-governance items (impact assessments, risk-management
+program), consult Colorado Attorney General published guidance
+directly — those are above plainstamp's scope (which covers per-
+interaction or per-decision disclosure text, not corporate
+governance program documentation).
+
+## The minimum viable Colorado disclosure
+
+If you ship one thing this quarter, ship the pre-decision disclosure:
+
+1. A clear statement that a high-risk AI system is being used in
+   the consequential decision.
+2. A description of the AI system's purpose and role in the
+   decision.
+3. A description of any human components of the decision.
+4. Contact information for the deployer.
+5. A summary of the consumer's appeal, correction, and opt-out
+   rights, with a path to exercise them.
+
+If your AI system can produce adverse outcomes (denials, rejections,
+adverse employment actions, etc.), also ship the adverse-decision
+notice with principal reasons, the AI's contribution, and data-source
+disclosure.
+
+## Source-of-truth links
+
+- **Colorado SB 24-205 — full text and legislative history**
+  ([leg.colorado.gov](https://leg.colorado.gov/bills/sb24-205))
+- **Colorado Attorney General — AI Act guidance and rulemaking**
+  ([coag.gov](https://coag.gov/))
+- **Colorado Privacy Act**, into which SB 24-205 connects for personal-
+  data rights ([leg.colorado.gov](https://leg.colorado.gov/))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/docs/guides/eu-ai-act-article-50-chatbot-disclosure.md

@@ -0,0 +1,161 @@
+# EU AI Act Article 50: a builder's guide to chatbot disclosure
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your product talks to people in the EU and an AI is doing the talking,
+Article 50 of the EU AI Act applies to you. This guide covers what the
+rule actually says, when it applies, what counts as compliance, and the
+deadline pressure most teams aren't tracking yet.
+
+## What Article 50 actually requires
+
+Article 50(1) of Regulation (EU) 2024/1689 says:
+
+> Providers of AI systems intended to interact directly with natural
+> persons must design and develop them in such a way that the natural
+> persons concerned are informed that they are interacting with an AI
+> system.
+
+There is one exception: if the fact that the user is talking to an AI
+is "obvious from the point of view of a reasonably well-informed person
+taking into account the circumstances and the context of use," the
+disclosure is not required. The bar for "obvious" is high — a chat
+window labeled "AI Assistant" probably qualifies; a chat window
+labeled "Customer Support" does not, even if the bot sounds robotic.
+
+Article 50(2) layers a separate obligation: any AI-generated synthetic
+audio, image, video, or text must be marked as artificially generated
+or manipulated, in a machine-readable format. The text-content
+sub-clause has narrow exemptions (assistive editing, no substantive
+change, etc.) that we cover later.
+
+## Who is the "provider"
+
+The Act distinguishes **providers** (who develop or place the AI system
+on the market) from **deployers** (who use it). Article 50 falls
+primarily on providers — but the deployer obligations under Article 50(4)
+on emotion-recognition / biometric systems and on deepfakes still apply
+where relevant.
+
+For a typical SaaS chatbot: the company that builds the chatbot model
+or wraps an LLM into a product is the provider. The customer that
+embeds the chatbot on their site is a deployer. Both have obligations
+under different Article 50 paragraphs.
+
+## When the obligation kicks in
+
+Article 50 applies as soon as a natural person begins interacting with
+the AI system. Practically, this means **the disclosure must appear at
+the start of the conversation**, before the AI has produced any
+substantive output that a user might rely on.
+
+A persistent banner reading "You are chatting with an AI assistant" at
+the top of the chat surface satisfies this for most chat UIs. A
+voice-channel disclosure must be spoken at session start. A
+video-avatar disclosure typically combines a spoken introduction with a
+visible on-screen indicator.
+
+## The "machine-readable" requirement (Art. 50(2))
+
+For AI-generated synthetic content, the marking must be machine-
+readable. The Act doesn't mandate a specific technical standard, but
+the European Commission has signaled that watermarking schemes
+compliant with C2PA, the SynthID variants, and similar provenance
+metadata will be acceptable. As of 2026, the Commission is finalizing
+implementing acts that will narrow the technical options.
+
+If you're producing AI-generated images, audio, or video at scale,
+adopt a watermarking standard now — retrofitting watermarks across an
+existing content corpus is materially harder than baking them into the
+generation pipeline.
+
+## Penalties and timing
+
+Article 50 obligations apply from **August 2, 2026**. Penalties under
+Article 99 of the Act for Article 50 violations can reach **€15 million
+or 3% of global annual turnover, whichever is higher**.
+
+A separate provisional agreement under the EU's Omnibus VII package
+(provisional agreement 2026-05-07) reduced the transparency-solutions
+grace period from 6 months to 3 months, moving the practical
+compliance deadline for Article 50(2) machine-readable marking
+implementations to **December 2, 2026**. Re-verify against the final
+adopted text — Omnibus VII's provisional agreement may shift before
+formal adoption.
+
+## How Article 50 stacks with other EU rules
+
+Article 50 doesn't operate in isolation. Builders should also check:
+
+- **GDPR Article 22** — if the AI conversation feeds into an automated
+  decision producing legal or similarly significant effects, the
+  data-subject rights to human intervention, point-of-view expression,
+  and contestation apply on top of the chatbot disclosure.
+- **GDPR Articles 13(2)(f) and 14(2)(g)** — when personal data is
+  collected during the AI interaction, the controller must inform the
+  data subject about the existence of automated decision-making, the
+  logic involved, and the envisaged consequences.
+- **EU AI Act Article 13** — high-risk AI systems have separate
+  transparency obligations to deployers (instructions for use,
+  expected outputs, characteristics and limitations).
+- **Digital Services Act (Regulation (EU) 2022/2065)** — provider
+  obligations around content moderation transparency layer over the
+  chatbot disclosure when the AI is moderating user-generated content.
+- **Member-state implementations** — Germany's BDSG, France's Loi
+  Informatique et Libertés, and Spain's AESIA framework all add
+  national-level safeguards on top of the EU regulation. Verify the
+  rules of every Member State your service operates in.
+
+## How plainstamp helps
+
+`plainstamp` ships with `eu-ai-act-art50-chatbot` and
+`eu-ai-act-art50-genai-content` rules that surface the live text of
+Article 50, the required disclosure elements, and ready-to-paste plain-
+language and formal-language disclosure templates. Each rule cites the
+EUR-Lex source URL and carries a `last_verified` date so you know
+whether the text you're reading is current.
+
+A typical lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction eu \
+                      --channel live-chat \
+                      --use-case b2c-customer-support
+```
+
+returns the rule, the disclosure-element checklist, and template text
+you can drop into your chat surface. For deployers running across
+multiple jurisdictions, the same query against `us-ca`, `us-co`,
+`us-il`, `us-tx`, `us-ut`, etc. will surface the parallel state-level
+obligations that often layer on top.
+
+## The minimum viable Article 50 disclosure
+
+If you ship one thing this week, ship a chat-surface header that
+includes:
+
+1. A clear statement that the user is interacting with an AI ("You
+   are chatting with an AI assistant").
+2. A path to escalate to a human (where applicable to your service
+   model and required by sectoral rules — e.g., financial-services
+   rules in many jurisdictions require an escalation path).
+3. A link to your privacy notice covering AI data use.
+
+Then, if you process AI-generated synthetic media, prioritize
+machine-readable marking for the Art. 50(2) deadline.
+
+## Source-of-truth links
+
+- **Regulation (EU) 2024/1689 — full text on EUR-Lex** ([eur-lex.europa.eu](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689))
+- **GDPR Article 22 on EUR-Lex** ([eur-lex.europa.eu](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679))
+- **EDPB Guidelines on Automated Decision-Making (WP251rev.01)** — apply alongside Art. 22 obligations.
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",
@@ -17,6 +17,7 @@
   "files": [
     "dist",
     "rules",
+    "docs/guides",
     "README.md",
     "AI-DISCLOSURE.md",
     "CHANGELOG.md",
@@ -53,7 +54,12 @@
     "compliance",
     "ccpa",
     "eu-ai-act",
+    "gdpr",
     "ftc",
+    "finra",
+    "cfpb",
+    "eeoc",
+    "regtech",
     "agent",
     "autonomous-ai"
   ]

package/rules/seed.json

@@ -812,6 +812,100 @@
         "formal": "Notice of Adverse Action under the Equal Credit Opportunity Act (15 U.S.C. § 1691(d)) and Regulation B (12 CFR § 1002.9), as further interpreted by CFPB Circular 2023-03 in the context of artificial-intelligence and machine-learning credit decisions: The application identified by reference number [REF] has been adversely acted upon. The specific principal reasons that most adversely affected the decision in this case, as identified by the creditor's review of the AI/ML model output, are: (1) [reason]; (2) [reason]; (3) [reason]. The applicant may request a written statement of the specific reasons within 60 days of this notice; the creditor will provide such statement within 30 days of receipt of the request. Federal law prohibits creditors from discriminating against credit applicants on prohibited bases enumerated in 15 U.S.C. § 1691(a). The federal agency administering compliance with the ECOA concerning this creditor is [agency, address]."
       },
       "notes": "CFPB Circular 2023-03 makes explicit a position the CFPB had taken in supervisory guidance for years: the technological complexity of an AI/ML model is not a defense for failing to provide ECOA-compliant adverse-action reasons. Creditors must identify the specific factors that affected THIS APPLICANT'S decision — not generic factors that influence the model in general. Practical implications for AI-credit fintechs: (1) the model itself must be explainable to a level that supports per-applicant reason codes — if the model cannot do this, the model cannot be deployed for credit decisions; (2) the reason codes must be checked for accuracy, not just plausibility — using post-hoc SHAP / LIME explanations as the source of reason codes is acceptable IF the creditor has validated that those explanations actually reflect what drove the decision in each case; (3) generic or boilerplate codes ('credit application incomplete', 'failed model threshold') are insufficient — the codes must point to applicant-specific factors. ECOA's statutory penalties combined with ongoing CFPB enforcement priority make this a high-stakes obligation. Note: Regulation B's adverse-action requirements run in parallel with the FCRA's adverse-action requirements (15 U.S.C. § 1681m) when the decision was based in whole or in part on a consumer report — both sets of obligations apply to the same notice."
+    },
+    {
+      "id": "us-finra-rn-24-09-ai-customer-communications",
+      "jurisdiction": "us",
+      "channels": ["live-chat", "voice", "email-marketing", "ai-generated-content"],
+      "use_cases": ["financial-services"],
+      "severity": "mandatory",
+      "short_title": "FINRA Regulatory Notice 24-09 — AI in customer communications",
+      "summary": "FINRA Regulatory Notice 24-09 (June 27, 2024) addresses member firm use of generative artificial intelligence and other large language model technologies in their securities business. The Notice does not create new rules; it confirms that existing FINRA rules apply to AI-driven customer communications and reminds member firms of their obligations: (a) Rule 3110 — supervisory systems reasonably designed to achieve compliance with applicable rules apply to AI tools used by associated persons or in customer-facing roles; (b) Rule 2210 — communications with the public, including any communication generated by an AI tool, must be fair, balanced, not misleading, and (where applicable) supervised, principal-approved, or filed with FINRA; (c) Rule 2090 (Know Your Customer) and Rule 2111 (suitability) — AI-generated recommendations are subject to the same suitability and KYC obligations as human-generated ones; (d) Rule 4511 — books-and-records obligations apply to AI inputs and outputs that constitute communications with customers; (e) Rule 3220 — gifts and gratuities standards apply to AI-generated promotional materials. Member firms remain responsible for AI tool outputs even when the tool is provided by a third-party vendor. Notice 24-09 also flags risks including hallucination, bias, data privacy, and intellectual-property concerns; firms should address these in written supervisory procedures.",
+      "required_elements": [
+        {
+          "id": "ai-communication-supervision",
+          "description": "AI-generated communications with the public are subject to FINRA Rule 2210 standards (fair, balanced, not misleading) and the firm's existing principal-review / pre-approval / filing workflow as applicable to the communication type.",
+          "required": true,
+          "example": "All customer-facing communications generated by the AI assistant are reviewed by a qualified principal under FINRA Rule 2210 before delivery and retained per the firm's books-and-records policy under Rule 4511."
+        },
+        {
+          "id": "ai-recommendation-suitability",
+          "description": "AI-generated investment recommendations or advice are subject to FINRA Rule 2111 suitability obligations on the same terms as human-generated recommendations; firm WSPs must address how AI-generated recommendations are reviewed for suitability.",
+          "required": true,
+          "example": "Any investment recommendation generated by the AI tool for a customer account is subject to a Rule 2111 suitability review against the customer's investment profile under the firm's written supervisory procedures."
+        },
+        {
+          "id": "third-party-vendor-responsibility",
+          "description": "Firm responsibility for AI tool outputs persists when the tool is operated by a third-party vendor; vendor due diligence and oversight are part of the firm's Rule 3110 supervisory obligation.",
+          "required": true,
+          "example": "AI tools operated by third-party vendors are vetted, monitored, and supervised by the firm under FINRA Rule 3110; the firm remains responsible for any communications, recommendations, or records generated by those tools in connection with its securities business."
+        },
+        {
+          "id": "wsp-ai-coverage",
+          "description": "Written supervisory procedures address AI tool use, including risk areas of hallucination, bias, data privacy, and IP. (System / governance requirement, not per-message text.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "FINRA Rules 2210, 2090, 2111, 3110, 4511, 3220 (existing); FINRA Regulatory Notice 24-09, 'FINRA Reminds Member Firms of Their Obligations When Using Generative Artificial Intelligence and Large Language Models' (June 27, 2024)",
+        "section": "Member-firm obligations when using AI in securities business",
+        "source_url": "https://www.finra.org/rules-guidance/notices/24-09",
+        "publisher": "Financial Industry Regulatory Authority"
+      },
+      "effective_date": "2024-06-27",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Customer Communication via AI Tool: This message (or recommendation) was prepared with the assistance of an artificial-intelligence tool and is subject to the same review and supervision standards as any communication delivered by [Member Firm]. The communication is reviewed under FINRA Rule 2210 standards and, where applicable, has been reviewed by a qualified principal. Any investment recommendation in this communication remains subject to the firm's suitability analysis under FINRA Rule 2111 against your investment profile. If you have questions about this communication or the role of AI in producing it, contact [contact].",
+        "formal": "Notice under FINRA Regulatory Notice 24-09 and Rules 2210, 2090, 2111, 3110, 4511, and 3220: This communication was generated, in whole or in part, with the assistance of artificial-intelligence technology. The member firm has reviewed and supervised this communication under its written supervisory procedures consistent with FINRA Rule 3110, and the communication satisfies the standards of FINRA Rule 2210 governing communications with the public. Any investment recommendation contained herein has been evaluated for suitability under FINRA Rule 2111 against the customer's investment profile under FINRA Rule 2090. The firm retains records of this communication under FINRA Rule 4511. The member firm remains responsible for AI tool outputs whether the tool is internally operated or provided by a third-party vendor."
+      },
+      "notes": "FINRA Regulatory Notice 24-09 is reminder-and-clarification guidance — it does not create new rules. The binding obligations are the existing FINRA rules (2210, 2090, 2111, 3110, 4511, 3220), which apply by their existing terms to AI-driven communications, recommendations, and records. Member firms (broker-dealers and their associated persons) are bound; non-member firms are not directly bound by FINRA rules but may face parallel obligations under SEC rules (e.g., Rule 17a-4 books-and-records, Investment Advisers Act fiduciary duty for IA-registered firms) — this rule's `jurisdiction` is `us` because FINRA is a self-regulatory organization with national scope, not a single-state regulator. The 2023 SEC Staff Bulletin on conflicts of interest for AI/PDA-using broker-dealers and investment advisers (and the SEC's proposed PDA rule, Rel. No. 34-97990) layers additional obligations specifically around conflicts; firms with PDA / AI advisory tools should consult both. FINRA expects firms to update their WSPs to specifically address AI tool use; using AI without WSP coverage is an immediate Rule 3110 supervision deficiency. Firms should also be aware of state-level adverse-action and disclosure overlays (e.g., NYDFS's October 2024 cybersecurity / AI guidance for licensed entities)."
+    },
+    {
+      "id": "us-hhs-section-1557-pcdst-2024",
+      "jurisdiction": "us",
+      "channels": ["ai-generated-content", "about-page", "privacy-policy"],
+      "use_cases": ["healthcare"],
+      "severity": "mandatory",
+      "short_title": "HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (2024 final rule)",
+      "summary": "On May 6, 2024, the U.S. Department of Health and Human Services Office for Civil Rights published a final rule (89 Fed. Reg. 37522) implementing Section 1557 of the Affordable Care Act that imposes nondiscrimination obligations on covered entities' use of 'patient care decision support tools' (PCDSTs) — defined to include automated and non-automated tools, including artificial-intelligence and machine-learning-based clinical decision support. Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, and HHS-administered health programs) must (a) make reasonable efforts to identify uses of PCDSTs in their health programs and activities that employ input variables or factors that measure race, color, national origin, sex, age, or disability; AND (b) make reasonable efforts to mitigate the risk of discrimination resulting from the tool's use. The compliance deadline for the PCDST nondiscrimination obligation was May 1, 2025; the obligation is now in effect and enforceable. Penalties for Section 1557 violations include loss of federal financial assistance, OCR-imposed corrective-action plans, and potential private-right-of-action claims for discrimination.",
+      "required_elements": [
+        {
+          "id": "pcdst-identification",
+          "description": "Reasonable efforts to identify uses of PCDSTs (including AI/ML clinical decision support tools) in the entity's health programs and activities.",
+          "required": false,
+          "example": "Internal inventory and documentation of all AI/ML clinical decision support tools deployed in patient care, with notation of input variables and use cases. (System / governance requirement; does not require per-patient disclosure.)"
+        },
+        {
+          "id": "pcdst-mitigation",
+          "description": "Reasonable efforts to mitigate the risk of discrimination resulting from PCDST use, including documentation of mitigation steps and ongoing monitoring.",
+          "required": false,
+          "example": "Documented mitigation procedures, periodic testing for adverse impact across protected classes, and a designated responsible person or office. (System / governance requirement.)"
+        },
+        {
+          "id": "patient-facing-pcdst-notice",
+          "description": "Patient-facing notice that AI/ML decision-support tools may inform clinical decisions, where the entity's notice-of-availability obligations under § 92.11 apply (translation requirements + civil rights coordinator + grievance procedures).",
+          "required": true,
+          "example": "Notice: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial intelligence. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights."
+        },
+        {
+          "id": "civil-rights-coordinator-designation",
+          "description": "Designation of a Civil Rights Coordinator responsible for the entity's Section 1557 compliance, including PCDST nondiscrimination obligations. (Governance, not per-patient text.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116); 45 CFR Part 92, as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522",
+        "section": "45 CFR § 92.210 (Discrimination through the use of patient care decision support tools)",
+        "source_url": "https://www.federalregister.gov/documents/2024/05/06/2024-08711/nondiscrimination-in-health-programs-and-activities",
+        "publisher": "U.S. Department of Health and Human Services, Office for Civil Rights"
+      },
+      "effective_date": "2025-05-01",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Use of Decision-Support Tools in Your Care: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial-intelligence and machine-learning systems. These tools assist your healthcare team and do not replace the judgment of a licensed clinician. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, please contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights at https://www.hhs.gov/ocr/.",
+        "formal": "Notice under Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116) and the implementing regulations at 45 CFR Part 92 (as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522): The covered entity uses one or more patient care decision support tools, including artificial-intelligence and machine-learning-based clinical decision support, in its health programs and activities. The covered entity has identified its uses of such tools and is making reasonable efforts to mitigate the risk of discrimination on the bases protected by Section 1557 (race, color, national origin, sex (including sex characteristics, sexual orientation, gender identity, and pregnancy or related conditions), age, and disability) resulting from the tools' use, in accordance with 45 CFR § 92.210. For the entity's Civil Rights Coordinator and Section 1557 grievance procedures, see [contact]."
+      },
+      "notes": "Section 1557's PCDST obligation is governance-heavy — most of the compliance work is internal (identifying tools, documenting mitigation, designating coordinators) rather than patient-facing text. The patient-facing element is the Section 1557 notice-of-availability under § 92.11 plus, where the entity exposes AI-informed decisions to patients, a clear acknowledgment that automated tools may inform clinical decisions and a path to discuss with a clinician. Covered entities include most healthcare providers receiving any form of federal financial assistance (Medicare-participating providers, Medicaid-participating providers, federally-qualified health centers, etc.), all health insurers in HHS-administered marketplaces, and HHS itself. The 'reasonable efforts' standard is intentionally flexible — OCR has stated in commentary that what constitutes 'reasonable' will scale with the entity's size and resources, but documentation is essential. PCDSTs explicitly include AI/ML decision-support tools and (per OCR commentary) tools that produce or use clinical scores (e.g., Epic Sepsis Model, Beth Israel Discharge Risk score, etc.). Federal funding loss is the principal sanction; OCR can also impose corrective action plans. State-level overlays may apply (e.g., California SB 1120 — Physicians Make Decisions Act, requiring physician review of AI-driven coverage denials in health plans — effective 2025-01-01). Stack with HIPAA Privacy Rule (45 CFR Part 164) when patient information is processed; stack with state AI hiring/employment-decision laws when the PCDST is used in employment of healthcare workers."
     }
   ]
 }