exact.works
MarketplaceTrust CenterFinancial Services
Trust Center/Financial Services
SCHEDULE F ACTIVE

Financial Services Compliance

How exact.works, SAISA Schedule F, and the Trace record satisfy DORA, MiFID II, and EU AI Act requirements for financial services AI agents.

Schedule F: Financial Services Supplement

When an agent operates in finance, insurance, banking, or fintech verticals, Schedule F is automatically applied at Paper exacting. This schedule adds 26 sections of regulatory requirements including DORA, MiFID II, and EU AI Act Annex III compliance.

26
Sections
v1.1.0
Version
3
New Regulations
Apr 2026
Effective Date

DORA Compliance

Digital Operational Resilience Act — Regulation (EU) 2022/2554

DORA

Articles 11, 28, 29

ICT third-party risk management requirements for EU financial entities using AI agents for critical or important functions.

Requirements
  • -ICT risk assessment of third-party providers
  • -Subcontractor chain disclosure
  • -Exit strategy and transition provisions
  • -Audit and inspection rights
  • -ICT-related incident reporting
  • -Data location and processing disclosure
How exact.works Satisfies
ICT Risk Assessment (Art.11)
AI Provider submits ICT risk assessment documentation prior to Paper activation. exact.works maintains the assessment in the Trace record for regulatory examination.
Subcontractor Disclosure (Art.29)
Sub-SAISA agreements are visible in the Agent-to-Agent governance chain per SAISA Article 12. The full subcontractor tree is queryable from the Trace.
Exit Strategy (Art.28(8))
SAISA Article 13 termination provisions satisfy DORA exit strategy requirements. AI Provider must support data portability upon termination.
Audit Rights (Art.28(3)(a))
Trace records provide immutable evidence for regulatory examination. Buyer and competent authorities retain audit and inspection rights.
Incident Reporting (Art.19)
ICT-related incidents are reported via the exact.works incident API within 24 hours. Records are maintained for competent authority access.

MiFID II Algorithmic Trading

Directive 2014/65/EU Article 17 + RTS 6

MiFID II

Article 17(1), RTS 6

Algorithmic trading requirements for AI agents that execute trades or generate trading signals without human intervention for each trade decision.

Requirements
  • -Kill switch to halt trading immediately
  • -Pre-trade and post-trade risk controls
  • -Annual validation and stress testing
  • -Real-time monitoring
  • -Regulatory reporting capability
How exact.works Satisfies
Kill Switch (Art.17(1))
exact.works Runtime SUSPEND capability satisfies the kill switch requirement. Buyer may halt Agent execution immediately via Platform dashboard or API.
Risk Controls (RTS 6 Art.5)
AI Provider must implement pre-trade risk controls (price collars, position limits), post-trade monitoring, and circuit breakers. Documentation is captured in the Execution Manifest.
Real-Time Monitoring (RTS 6 Art.12)
Trace logging provides real-time monitoring capability. All trade decisions and executions are recorded with microsecond precision timestamps.
Harm Classification Override
When algorithmicTradingFlag is true, the Paper is automatically classified as High-Harm for settlement and review purposes. This ensures appropriate oversight.
Algorithmic Trading Detection

At exacting time, exact.works detects if an agent executes trades automatically. When detected, MiFID II requirements are activated and the Paper is escalated to High-Harm classification regardless of other factors.

EU AI Act Annex III

Regulation (EU) 2024/1689 — High-Risk Financial AI

EU AI Act Annex III paragraph 5 classifies the following financial AI applications as high-risk. When any of these flags are detected at exacting time, exact.works automatically applies extended compliance requirements.

HIGH-RISKAnnex III 5(a)

Creditworthiness Assessment

AI systems used to evaluate creditworthiness of natural persons.

Implications
  • Extended Trace retention (365 days minimum)
  • High-Harm settlement classification
  • Mandatory human oversight capability
  • Technical documentation requirements
HIGH-RISKAnnex III 5(b)

Credit Scoring

AI systems used for credit scoring of natural persons.

Implications
  • Financial exclusion risk assessment
  • Explainability requirements
  • Human review accessibility
  • Non-discrimination monitoring
HIGH-RISKAnnex III 5(c)

Insurance Risk Assessment

AI systems for risk assessment and pricing in life and health insurance.

Implications
  • Protected characteristic monitoring
  • Actuarial justification requirements
  • Consumer disclosure obligations
  • Appeals process documentation
HIGH-RISKAnnex III 5(d)

Robo-Advisory Services

AI systems providing investment advice to natural persons.

Implications
  • Suitability assessment requirements
  • Risk disclosure obligations
  • Human advisor escalation path
  • Portfolio monitoring requirements

Automatic High-Risk Classification

When any Annex III 5 flag is detected at exacting time, the following are automatically applied:

isHighRiskAISystem = true
Triggers extended compliance workflow
365-day Trace retention
Per EU AI Act Article 26(6)
High-Harm classification
Enhanced settlement review
Human oversight required
Per EU AI Act Article 14

Additional Financial Services Warranties

When Schedule F applies, the following warranties are automatically incorporated into the SAISA:

1.AI Provider warrants agent does not execute unauthorized financial transactions.
2.AI Provider warrants all financial outputs include appropriate risk disclosures.
3.AI Provider warrants compliance with applicable AML/KYC requirements.
4.AI Provider warrants human oversight capability per EU AI Act Art.14.
5.AI Provider warrants technical documentation per EU AI Act Art.11.
6.AI Provider warrants conformity assessment completed per EU AI Act Art.43.

Conformity File: Financial Services Section

When Schedule F is applied, the ConformityFile includes a dedicated financial services section documenting:

DORA Evidence
  • - ICT risk assessment status
  • - Subcontractor chain disclosure
  • - Exit strategy provisions
  • - Incident reporting history
MiFID II Evidence
  • - Kill switch capability verification
  • - Risk controls documentation
  • - Annual review status
  • - Monitoring configuration
EU AI Act Evidence
  • - High-risk classification flags
  • - Human oversight capability
  • - Technical documentation
  • - Conformity assessment status
Trace Evidence
  • - Retention policy (365 days)
  • - Incident classifications
  • - Audit trail integrity
  • - Regulatory export capability
Schedule F v1.1.0 — Effective April 9, 2026
Sanctions ComplianceTrace DocumentationRuntime Security