Install: claude install-skill timwukp/agent-skills-best-practice
# FSI Compliance Checker
Map a concrete change (code diff, architecture design, IaC, pipeline config) to the specific controls it touches in financial services compliance frameworks, and report gaps with actionable remediation. This is engineering-level compliance triage — it helps teams catch violations before audit, but it does not replace a qualified assessor (QSA) or the institution's compliance function. Say so in every report.
## Framework Selection
Load only the reference file(s) the engagement needs:
| Situation | Load |
|-----------|------|
| Payment card data is stored, processed, or transmitted (PAN, CVV, track data) | [references/pci-dss.md](references/pci-dss.md) |
| Singapore-regulated financial institution (bank, insurer, capital markets, major payment institution) | [references/mas-trm.md](references/mas-trm.md) |
| Both apply (e.g. Singapore bank handling cards) | Both files |
| Other jurisdictions/frameworks (SOX, GDPR, HKMA, APRA) | State that they are out of scope of this skill's bundled references; offer general secure-engineering review instead |
If the user hasn't said which applies, ask one question: what data does the change touch, and is the institution Singapore-regulated?
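A first pass at the "what data does the change touch" half of that question can be scripted before asking the user. The sketch below is an added example, not part of the skill itself: it scans the added lines of a unified diff for Luhn-valid PAN-like values and card-data field names, then picks reference files per the table above. The keyword list, function names and sample diff are assumptions constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Field names hinting at card data (assumed keyword list, extend per codebase).
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|track[_ ]?data|card[_ ]?number|pan)\b", re.I)

# Constructed sample diff; 4111... is a widely used test card number.
SAMPLE_DIFF = """\
--- a/billing/charge.py
+++ b/billing/charge.py
@@ -10,3 +10,5 @@
 def charge(order):
-    token = vault.tokenize(order.card)
+    log.info("charging %s", order.card_number)
+    test_card = "4111 1111 1111 1111"
+    order_id = "1234567890123456"
"""

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_diff(diff_text: str) -> list:
    """Return (diff line no, kind, evidence) for added lines that touch card data."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines are in scope; skip the file header
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Mask the value so the report itself does not store a full PAN.
                findings.append((n, "pan-like value", digits[:6] + "..." + digits[-4:]))
        for m in SAD_RE.finditer(line):
            findings.append((n, "card-data field", m.group().lower()))
    return findings

def select_references(findings: list, singapore_regulated: bool) -> list:
    """Apply the Framework Selection table; an empty list means out of scope."""
    refs = ["references/pci-dss.md"] if findings else []
    if singapore_regulated:
        refs.append("references/mas-trm.md")
    return refs
```

An empty scan result is not proof that card data is absent; it only means the question still has to be put to the user.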
## Review Process
1. **Scope the change.** Identify what the diff/design actually touches: data elements (card data? customer PII? credentials?), trust boundaries, environments (production? DR?), and third parties.
2. **Select applicable controls** from the loaded reference