Overview
Complaint Analyst is built for firms operating in regulated complaint-handling environments. This document describes the platform's current regulatory positioning across the frameworks most relevant to UK and EU fintech complaint operations.
Regulatory positioning is not the same as certification. Where the platform meets requirements, this document explains how. Where requirements are not yet fully met or formal compliance has not been assessed, this document says so plainly.
FCA DISP
The FCA's Dispute Resolution sourcebook (DISP) is the primary regulatory framework for complaint handling by UK-authorised firms. Complaint Analyst is built around DISP's core requirements: prompt acknowledgement, 8-week final response deadlines, complainant rights disclosure, and record-keeping obligations.
The platform's regulatory deadline service enforces DISP timelines using UK business day calculations. Analysts see live deadline indicators on every complaint. The audit trail satisfies DISP's record-keeping requirements by capturing every material action with timestamps and actor identity. The draft response system supports FOS referral language inclusion in final response letters.
The platform's compliance test suite includes automated DISP-specific tests covering deadline enforcement, acknowledgement tracking, and audit trail completeness. These tests run on every release path, preventing DISP-relevant behaviour from regressing silently.
GDPR & Data Handling
Complaint Analyst processes personal data on behalf of regulated firms, making it a data processor under GDPR. The platform's data handling posture is designed to support the firm's obligations as data controller.
Data residency: complaint data, user accounts, and all application state are stored in EU-hosted PostgreSQL (Hetzner Cloud, Frankfurt). No complaint data is replicated outside the EU unless explicitly configured by the firm.
Data subject rights: the platform includes a retention and erasure workflow that allows firms to handle GDPR deletion requests against complaint records. The workflow is designed to reconcile erasure rights with the competing FCA obligation to retain complaint records for at least 3 years (5 years for MiFID business). Where a record cannot be fully erased due to a regulatory retention obligation, the platform surfaces this conflict for analyst resolution.
PII handling: personal identifiers are stripped from complaint text before any AI processing. Stored credentials (IMAP passwords, data source connections) are encrypted with Fernet symmetric encryption. API responses mask credential fields with placeholder characters.
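The erasure-versus-retention check described under "Data subject rights" above, sketched as an added example; it is not the platform's own code. The `Complaint` record shape, the reason codes, and the rule that retention runs from the date the complaint was received are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Minimum retention in years, as stated above: 3 years, 5 for MiFID business.
RETENTION_YEARS = {"standard": 3, "mifid": 5}

@dataclass(frozen=True)
class Complaint:                      # hypothetical record shape
    complaint_id: str
    received_on: date                 # assumption: retention runs from receipt
    business_type: str                # "standard" or "mifid"

def retention_ends(c: Complaint) -> date:
    """First date on which the minimum retention period has elapsed."""
    # An unknown business type fails closed to the longest period.
    years = RETENTION_YEARS.get(c.business_type, max(RETENTION_YEARS.values()))
    try:
        return c.received_on.replace(year=c.received_on.year + years)
    except ValueError:
        # Received on 29 Feb and the target year is not a leap year: round up
        # to 1 Mar so the record is never released a day early.
        return date(c.received_on.year + years, 3, 1)

def triage_erasure(records, requested_on: date):
    """Split one data subject's complaints into erasable and conflicting."""
    erasable, conflicts = [], []
    for c in records:
        ends = retention_ends(c)
        if c.business_type not in RETENTION_YEARS:
            # Never auto-erase a record whose retention class is unclear.
            conflicts.append((c.complaint_id, "unknown_business_type", ends))
        elif requested_on >= ends:
            erasable.append(c.complaint_id)
        else:
            conflicts.append((c.complaint_id, "regulatory_retention", ends))
    return erasable, conflicts

# Constructed sample data for one data subject.
SAMPLE = [
    Complaint("C-001", date(2020, 2, 29), "standard"),
    Complaint("C-002", date(2021, 6, 1), "mifid"),
    Complaint("C-003", date(2022, 1, 10), "standard"),
    Complaint("C-004", date(2019, 3, 5), "legacy"),
]

if __name__ == "__main__":
    ok, held = triage_erasure(SAMPLE, requested_on=date(2024, 9, 1))
    print("erase now:", ok)
    for cid, reason, until in held:
        print(f"analyst review: {cid} {reason} (retain until {until})")
```

Records in the conflict list are the ones an analyst would need to resolve; the returned date tells them when the erasure request can be revisited.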
PSD2 / PSD3 & PSR Readiness
The platform is used by payment service providers subject to PSD2 complaint-handling obligations and, for UK firms post-Brexit, the Payment Services Regulations 2017 (PSR). These frameworks require payment services firms to handle complaints within the same DISP-equivalent timelines.
The platform's deadline engine, audit trail, and reporting tooling apply equally to payment services complaints. Jurisdiction-aware complaint handling allows firms to route payment-related complaints to appropriate analyst queues with relevant regulatory context surfaced in the ticket view.
PSD3 (EU) is in legislative progress. The platform's regulatory-change monitoring workflow — described in the monitoring section below — is the mechanism for tracking PSD3 developments and updating platform behaviour as requirements crystallise. No PSD3-specific claims are made here beyond readiness to adapt.
EBA Guidelines & ADR Directive
EBA Guidelines on Internal Governance and on complaints handling for credit institutions and payment institutions inform the platform's workflow design, particularly around escalation paths, root-cause categorisation, and board reporting requirements.
The platform's analytics module provides the complaint volume, root-cause distribution, and resolution timeline data that EBA-covered firms need for management information reporting. Saved report templates can be configured to produce EBA-aligned data extracts.
The EU Alternative Dispute Resolution Directive (ADR Directive, 2013/11/EU) requires firms to inform complainants of ADR entities when a complaint cannot be resolved. The platform's draft response workflow supports ADR referral language inclusion in final response letters for EU-market complaints handled through the platform.
Regulatory Change Monitoring
Regulatory requirements evolve. The platform includes a regulatory knowledge graph that tracks obligations, deadlines, and jurisdictional rules as structured data rather than hardcoded configuration. This architecture is designed to allow regulatory updates to be applied without requiring schema migrations for each change.
The platform monitors FCA consultation papers and policy statements through a crawler that surfaces update suggestions to the internal compliance team. When a regulatory change affects platform behaviour — for example, a change to complaint-handling deadlines or reporting categories — the update is reviewed, the knowledge graph is updated, and the change is tested before deployment.
Firms can subscribe to regulatory change notifications through the platform's notification system. When a regulatory update affects complaint workflow requirements, the relevant firms are alerted and the platform's documentation is updated to reflect the new posture.
What Is Not Yet Certified
The platform does not hold formal regulatory approval or certification from the FCA, EBA, or any supervisory authority. It is a software platform for use by regulated firms, which remain responsible for their own regulatory compliance.
ISO 27001 certification is on the roadmap. SOC 2 Type II is in progress. Neither has been achieved at the time of this document. The security controls described in the Trust Center's Security & Data Protection article reflect actual implemented controls, not aspirational ones.
The platform has not undergone a formal GDPR Data Protection Impact Assessment (DPIA) conducted by an external assessor. Firms with DPIA obligations should conduct their own assessment against the platform's documented data handling practices.