Compliance & audit
Security, regulatory compliance, and audit trail features for enterprise governance
LYNKS provides security and compliance features designed to meet the rigorous requirements of financial institutions and regulated entities. The platform maintains audit trails for all system events, enforces governance controls through the four-eyes principle, and supports regulatory compliance with frameworks including ISO 27001, PSD2, and CSSF regulations.
These compliance capabilities enable organizations to demonstrate proper controls, maintain transparency in their operations, and satisfy auditor requirements. From granular audit logs at the transaction level to platform-wide security certifications, LYNKS delivers the governance infrastructure needed for enterprise treasury and payment operations.
Audit trail architecture
LYNKS maintains audit logs for all significant system events, creating an immutable record of user actions, system changes, and transaction processing. These logs support compliance requirements, internal audits, and incident investigation.
Event recording scope
The audit trail captures events across all platform areas:
| Area | Events Recorded |
|---|---|
| Payments | Creation, modification, approval, rejection, cancellation, bank submission, execution, failure |
| Counterparties | Creation, editing, approval, rejection, deactivation, group membership changes |
| Users | Creation, modification, permission changes, authentication method changes, deactivation |
| Tenant settings | All configuration changes, approvals, discards |
| KYC screenings | Screening initiation, result categorization, case resolution |
| Authentication | Login attempts, signature events, session management |
Audit log characteristics
| Characteristic | Description |
|---|---|
| Immutable | Records cannot be modified or deleted after creation |
| Timestamped | Precise date and time (UTC) for all events |
| Attributed | User identification for all actions |
| Detailed | Before and after values for modifications |
| Searchable | Filter and search capabilities for investigation |
Entity-level audit logs
Each entity in LYNKS maintains its own dedicated audit log, accessible from the entity's detail page. This provides a focused view of all changes and actions related to that specific item.
Payment audit trail
Every credit transfer includes an audit log tracking its lifecycle:
- Payment creation with initial parameters
- Modifications to payment details
- Signature requests and approvals
- Rejection events with reasons
- Bank submission timestamps
- Execution confirmations or failure notifications
- Status changes throughout the payment journey

Payment audit log showing transaction lifecycle events
Counterparty audit trail
Counterparty records track all compliance-relevant events:
- Initial creation and data entry
- Approval workflow progression
- Modifications to counterparty details
- Risk level assignments and changes
- KYC screening linkages
- Group membership changes
- Deactivation and reactivation events
Configuration audit trail
Tenant settings changes are tracked in the change history with details on who changed what and when. See Change History - Audit trail for configuration for detailed information on reviewing configuration changes.
Four-eyes principle
LYNKS enforces the four-eyes principle (dual control) across critical operations, requiring independent review and approval before changes take effect.
Areas with four-eyes enforcement
| Area | Enforcement |
|---|---|
| Tenant settings | All configuration changes require approval by a different user |
| Counterparties | New and modified counterparties require approval |
| Counterparty groups | Group membership changes require approval |
| Payments | Signatory rules define approval requirements per payment type |
Approval workflow
The four-eyes principle ensures:
- Maker-checker separation - The user who creates or modifies cannot approve their own changes
- Independent review - A different authorized user must review and approve
- Audit trail - Both the creator and approver are recorded
- Rejection capability - Approvers can reject inappropriate changes with documented reasons
Tenant settings approval: For detailed information on the four-eyes approval workflow for configuration changes, see Pending Changes - Configuration change management.
Regulatory compliance
LYNKS is designed and operated to support compliance with financial services regulations applicable to its users and to Finologee as the platform provider.
ISO 27001 certification
Finologee maintains ISO/IEC 27001:2022 certification for its Information Security Management System (ISMS), verified by Bureau Veritas through regular audits.
| Aspect | Description |
|---|---|
| Scope | Information security management for LYNKS platform operations |
| Certification body | Bureau Veritas |
| Audit frequency | Annual surveillance audits with triennial recertification |
| Controls | Comprehensive security controls across all Annex A domains |
PSD2 compliance
LYNKS supports Payment Services Directive 2 (PSD2) compliance for payment service providers:
- Strong Customer Authentication (SCA) through multiple authentication methods
- Secure communication channels for payment initiation
- Transaction monitoring and fraud prevention capabilities
- Audit trails meeting regulatory record-keeping requirements
CSSF regulatory framework
As a Luxembourg-based Support PFS (Professionals of the Financial Sector), Finologee operates under CSSF (Commission de Surveillance du Secteur Financier) supervision:
| Regulation | Relevance |
|---|---|
| CSSF Circular 22/806 | Outsourcing arrangements and critical function requirements |
| CSSF Circular 20/750 | ICT risk management and security requirements |
| AML/CFT Law | Anti-money laundering and counter-terrorist financing obligations |
Additional certifications and standards
| Standard | Description |
|---|---|
| SWIFT CSP | SWIFT Customer Security Programme compliance |
| DORA readiness | Digital Operational Resilience Act framework alignment |
| GDPR | General Data Protection Regulation compliance for personal data |
Data protection and isolation
LYNKS implements security controls to protect data confidentiality, integrity, and availability.
Multi-tenant data isolation
Each tenant's data is completely isolated from other tenants:
- Separate database schemas per tenant
- No cross-tenant data access
- Tenant-specific encryption keys
- Independent configuration and customization
Access controls
| Control | Implementation |
|---|---|
| Role-based access (RBAC) | Permissions assigned through roles and groups |
| Granular permissions | Fine-grained access control by feature, account, category, currency |
| Principle of least privilege | Users receive only necessary permissions |
| Segregation of duties | Critical functions separated across different roles |
Data encryption
- Data encrypted at rest using industry-standard encryption
- Data encrypted in transit using TLS
- Secure key management practices
AML/CFT compliance support
LYNKS provides features to support Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) compliance obligations.
KYC screening
Screen counterparties against sanctions lists, PEP databases, and adverse media:
- On-demand screening for new counterparties
- Scheduled monitoring based on risk levels
- Result categorization and case management
- Compliance officer workflow integration
See Risk Management - KYC screening and risk assessment for detailed information on KYC screening processes.
Counterparty risk management
Classify and monitor counterparties by risk level:
- Risk level assignment (high, medium, low)
- Risk-based monitoring frequencies
- Automated re-screening schedules
- Alert notifications for compliance teams
See Counterparty Monitoring - Configure ongoing monitoring for configuration details.
Transaction controls
- IBAN blacklist enforcement preventing payments to blocked accounts
- Signatory rules incorporating counterparty risk parameters
- Payment validation against compliance rules
Audit support features
LYNKS provides features specifically designed to support internal and external audits.
Audit-ready reports
Generate reports for audit purposes:
| Report Type | Contents |
|---|---|
| Payment reports | Transaction history with full audit trail |
| User access reports | Permission assignments and access history |
| Signatory matrix | Complete approval rule configuration |
| Change history | Configuration modifications with attribution |
Export capabilities
Export audit data in multiple formats:
- PDF for formal documentation
- Excel/CSV for analysis
- Structured data for integration with audit tools
Evidence collection
For each auditable event, LYNKS provides:
- Timestamp (UTC)
- User identification
- Action performed
- Affected entity details
- Before and after values (for modifications)
- Related context (IP address, session information)
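As an added example (not LYNKS code), the following Python sketch reviews an exported audit file for the maker-checker separation described under "Four-eyes principle" and for the evidence fields listed above. The CSV column names, action values and sample rows are assumptions constructed for this example; the actual LYNKS export schema is not documented on this page.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and action values are assumptions
# for this example, not the LYNKS export schema.
SAMPLE_EXPORT = """timestamp,user,action,entity_type,entity_id
2024-05-02T09:00:00Z,alice,modified,counterparty,CP-1
2024-05-02T09:05:00Z,bob,approved,counterparty,CP-1
2024-05-02T10:00:00Z,carol,modified,tenant_setting,TS-7
2024-05-02T10:01:00Z,carol,approved,tenant_setting,TS-7
2024-05-02T11:00:00Z,,modified,counterparty,CP-2
2024-05-02T11:30:00Z,dave,created,counterparty,CP-3
"""

MAKER_ACTIONS = {"created", "modified"}
CHECKER_ACTIONS = {"approved", "rejected"}
REQUIRED = ("timestamp", "user", "action", "entity_type", "entity_id")


def review_export(text):
    """Return (finding, entity_id) pairs for four-eyes and evidence gaps."""
    findings = []
    pending = {}  # (entity_type, entity_id) -> maker awaiting a checker
    rows = sorted(csv.DictReader(io.StringIO(text)),
                  key=lambda r: r["timestamp"] or "")
    for row in rows:
        if any(not row[f] for f in REQUIRED):
            findings.append(("incomplete_evidence", row["entity_id"]))
            continue
        key = (row["entity_type"], row["entity_id"])
        # Evidence timestamps are expected in UTC; naive or offset times are flagged.
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if ts.utcoffset() != timedelta(0):
            findings.append(("non_utc_timestamp", row["entity_id"]))
        if row["action"] in MAKER_ACTIONS:
            pending[key] = row["user"]
        elif row["action"] in CHECKER_ACTIONS:
            maker = pending.pop(key, None)
            if maker is None:
                findings.append(("decision_without_change", row["entity_id"]))
            elif maker == row["user"]:
                findings.append(("maker_is_checker", row["entity_id"]))
    # Changes that never received an approve/reject decision in this export.
    findings += [("awaiting_review", eid) for (_, eid) in pending]
    return findings


if __name__ == "__main__":
    for finding in review_export(SAMPLE_EXPORT):
        print(finding)
```

On the constructed sample this reports a same-user approval on `TS-7`, a record with no user on `CP-2`, and an unreviewed change on `CP-3`.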
Infrastructure security
The LYNKS platform is hosted on infrastructure designed for financial services workloads.
Hosting environment
| Aspect | Description |
|---|---|
| Data centers | Tier IV-certified facilities in Luxembourg |
| Provider | EBRC (European Business Reliance Centre) |
| Certifications | ISO 27001, ISO 20000, ISO 22301, ISO 27017, ISO 9001 |
| Geographic scope | Luxembourg soil for data residency requirements |
Operational security
- 24/7 monitoring and incident response
- Regular security assessments and penetration testing
- Vulnerability management program
- Business continuity and disaster recovery plans
Best practices
Follow these recommendations for effective compliance management:
- Review audit logs regularly - Establish periodic review of audit logs to identify anomalies or policy violations
- Maintain proper segregation - Ensure critical functions are separated across different users and roles
- Document compliance evidence - Use LYNKS export features to maintain audit evidence documentation
- Configure risk-based controls - Align signatory rules and monitoring frequencies with your risk assessment
- Train users on compliance - Ensure users understand their compliance responsibilities within the platform
- Engage with auditors proactively - Familiarize auditors with LYNKS audit capabilities before formal audits
Related documentation
Explore related sections for more information:
- Permissions - Comprehensive explanation of access control and role-based permissions - Role-based access control and permission management
- Approvals - How approval workflows and signature processes function - Approval workflows and signatory requirements
- Blacklisted Accounts - Manage prohibited accounts - IBAN blocking for compliance
- Risk Management - KYC screening and risk assessment
- Counterparty Monitoring - Configure ongoing monitoring - Automated AML/CFT monitoring
- Pending Changes - Configuration change management - Four-eyes principle for configuration
- Change History - Audit trail for configuration - Configuration change audit trail
- Authentication Methods - Detailed setup and usage of SSO, LuxTrust, and mobile app authentication - Secure authentication options
- Digital Signatures - Transaction signing methods and legal validity - eIDAS-compliant electronic signatures
Support
For assistance with compliance features or audit-related questions, contact [email protected].
