Governance & Program Info
Customer Chatbots & Virtual Assistants — Governance
Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.
Checklist governance
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Map CFPB chatbot guidance to production behavior
Review June 2023 Issue Spotlight and August 2024 guidance and map each cited risk to a specific control in the stack.
05 · Governance & Compliance
Reg E dispute timeline compliance
12 CFR 1005.11 requires investigation within 10 business days and resolution within 45 days — chatbot intake must start the clock correctly and hand off within SLA.
05 · Governance & Compliance
Hallucination rate as a board-reported metric
Hallucination rate belongs on the board risk scorecard alongside fraud loss rate and customer satisfaction — not in an engineering dashboard.
05 · Governance & Compliance
UDAAP-aligned pre-deployment review
Every major model or prompt change undergoes compliance review for UDAAP exposure before production rollout.
05 · Governance & Compliance
GLBA Safeguards Rule — service provider attestation for LLM vendors
If a cloud LLM provider receives PII, it is a service provider under GLBA, which requires contract terms, monitoring, and risk assessment.
05 · Governance & Compliance
CCPA / CPRA handling of conversational data
California residents' chat transcripts and voice recordings are personal information — subject to deletion and access rights.
05 · Governance & Compliance
Illinois BIPA for voice biometrics
Voice channels with voiceprint authentication or voice-signature processing fall under BIPA — written informed consent required.
05 · Governance & Compliance
Retention and deletion schedule for transcripts
Conversation transcripts inherit the retention schedule of the underlying customer data — not a generic log retention policy.
05 · Governance & Compliance
Measure quality parity across languages
Hallucination rate, intent accuracy, and resolution rate must be measured per language — English-only evaluation hides disparate quality.
05 · Governance & Compliance
Disparate-impact analysis on escalation rate
Escalation to human agent correlates with dissatisfaction — disparate escalation rate by segment is a fair-lending signal.
05 · Governance & Compliance
Accessibility requirements (ADA / Section 508)
Conversational UIs must meet accessibility standards — screen reader compatibility, alternate text paths for voice-only features.
05 · Governance & Compliance
NYC Local Law 144 / Colorado AI Act / state AI act readiness
State-level AI laws are proliferating — Colorado AI Act (effective Feb 2026), NYC Local Law 144, California AB-2013, Utah AI Act.
05 · Governance & Compliance
EU AI Act applicability and risk classification
Consumer financial service chatbots interact with EU AI Act obligations for transparency, logging, and in some contexts high-risk classification.
05 · Governance & Compliance
SR 11-7 model risk documentation for generative AI
Federal Reserve SR 11-7 applies to models that drive consequential decisions — applying it to generative AI requires purpose, limitations, data lineage, and performance monitoring documentation adapted for non-deterministic outputs.
05 · Governance & Compliance
Full decision provenance per interaction
Log the model version, retrieved documents, prompt, response, confidence, and any statutory-rights flags for every interaction.