Keystone National Bank is a fictional regional bank — one of ten companies we ran, in full, through the live Bylaw system before any real client touched it. It is fictional. The run was not. If you sit inside a bank or a credit union, read this as a rehearsal for your next exam.

Keystone is the kind of institution examiners understand on sight: a regional bank with a commercial-lending arm, a deposit franchise, a wealth desk, and a compliance function that already carries more frameworks than people. It came into the run with the full set — ten governing documents covering information security, access control, retention, incident response, vendor management, the employee handbook, the code of conduct, finance controls, business continuity, and training. On paper, Keystone is a well-run bank. The question was never whether it had policies. It was whether it could prove, on any given Tuesday, that those policies were operating.

What a bank wants is boring on purpose: clean exams, a calm board, correspondent and institutional partners who never have a reason to flinch, and growth that does not import risk faster than the controls can absorb it. What stands in the way is a single, recurring moment — the examiner, the internal auditor, the institutional counterparty, the cyber-insurer — asking “show me it operated,” and a compliance team answering with a binder assembled the week before.

What a bank is actually being asked

No industry carries a denser evidentiary load than banking, and it is layered. The Gramm-Leach-Bliley Act sets safeguards and privacy duties. Sarbanes-Oxley puts internal control over financial reporting under attestation. SEC and FINRA books-and-records rules — the 17a-4 lineage — demand retention in specific forms for specific periods. The FFIEC examination handbooks define what “adequate” looks like for IT and information security. State regimes such as NYDFS Part 500 add their own attestation and access-control teeth. BSA/AML expectations sit across all of it. And for any bank touching EU customers, GDPR plus the EU AI Act now matter directly: credit scoring and creditworthiness assessment are named high-risk uses under Annex III, which means the moment Keystone runs an AI underwriting or fraud model, it inherits logging, human-oversight, and monitoring duties that are, at bottom, evidence duties.

Every one of those regulators asks the same thing in a different dialect: not “do you have a policy,” but “can you prove the control operated across the period.” That is the question point-in-time screenshots answer badly and a continuous record answers in an afternoon. The cost of answering badly is not abstract for a bank — it is a Matters Requiring Attention finding, a consent order, a capital and reputation hit, a correspondent relationship that quietly cools, an insurer that declines, a deal that reprices.

Where the cracks were

When Keystone’s ten documents went through the engine, the first pass did what a year of well-meaning edits never quite does: it read every document against every other and found where the bank had promised two different things. Retention windows that disagreed between the records policy and finance controls. A vendor-oversight cadence stated one way in the vendor policy and another in information security. Access-review frequencies that did not line up across documents. None of these are scandals; they are the ordinary sediment of a real institution — and they are exactly what an examiner circles. Across the set the engine surfaced 119 items of orphan data — the most of any company in the fleet — lines that could not be cleanly governed as written, each one captured rather than quietly dropped, and every genuine contradiction routed to a person for a ruling instead of a guess.

Screenshot (keystone · documents, live data): A governing document mid-pipeline: raw text, cleaned statements, the template, and the hash trail.

How Bylaw stepped in

Here is where it should feel like the cavalry arriving. We did not hand Keystone a GRC seat and a login. We ran the office. The ten documents were cleaned into atomic, tagged statements, fitted to a governed template, and mapped to 86 live controls — each a plain sentence with one operator, one expected value, and the live signal it should read. Contradictions went to the Ruling Guide, where an authorized person decided which rule wins; of sixty-one issues raised, forty were ruled and recorded, the rest queued with named owners. Nothing reached the live record without three signatures — department admin, tenant admin, and Bylaw — bound to the exact accepted control set, so editing anything afterward visibly voids the sign-off.
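As an added illustration, not Bylaw's code, here is the shape the paragraph describes: a control as one operator, one expected value and one signal, evaluated into a structured verdict, and a three-role sign-off bound to a digest of the exact accepted control set so that any later edit voids it. The control records, field names and signing keys are this example's assumptions.

```python
import hashlib
import hmac
import json
# Constructed controls in the shape the text describes: one sentence, one operator,
# one expected value, one live signal. Field names are assumptions, not Bylaw's schema.
CONTROLS = [
    {"id": "AC-07", "text": "Access reviews run at least quarterly",
     "signal": "iam.days_since_access_review", "operator": "<=", "expected": 90},
    {"id": "IS-03", "text": "MFA is enforced on core-banking admin logins",
     "signal": "core.admin_mfa_enforced", "operator": "==", "expected": True},
]
OPERATORS = {
    "==": lambda observed, expected: observed == expected,
    "<=": lambda observed, expected: observed <= expected,
}

def canonical(obj) -> bytes:
    """Deterministic JSON so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def evaluate(control: dict, observed) -> dict:
    """One observed signal value becomes a verdict: operator, expected,
    observed, status and a content hash. No customer data is present."""
    passed = OPERATORS[control["operator"]](observed, control["expected"])
    verdict = {"control": control["id"], "operator": control["operator"],
               "expected": control["expected"], "observed": observed,
               "status": "proven" if passed else "failed"}
    verdict["hash"] = hashlib.sha256(canonical(verdict)).hexdigest()
    return verdict

def control_set_digest(controls: list) -> str:
    """One digest over the exact accepted control set."""
    return hashlib.sha256(canonical(controls)).hexdigest()

def sign_off(controls: list, keys: dict) -> dict:
    """Each role (department admin, tenant admin, Bylaw) signs the set digest with its own key."""
    digest = control_set_digest(controls)
    sigs = {role: hmac.new(key, digest.encode(), "sha256").hexdigest()
            for role, key in keys.items()}
    return {"digest": digest, "signatures": sigs}

def sign_off_valid(signoff: dict, controls: list, keys: dict) -> bool:
    """Recompute the digest from the controls as they stand now; every role must still match."""
    digest = control_set_digest(controls)
    if digest != signoff["digest"] or set(keys) != set(signoff["signatures"]):
        return False
    expected = {r: hmac.new(k, digest.encode(), "sha256").hexdigest() for r, k in keys.items()}
    return all(hmac.compare_digest(expected[r], signoff["signatures"][r]) for r in keys)
```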

The result was an Evidence Index of 81 across the bank: one color-coded map of every control, what it proves, and where the proof is read. A compliance officer could click a single control — privileged access to the core, retention on a record class, the cadence of an access review — and follow its lineage in a straight line from document to section to control to signal to source to framework. And throughout, Bylaw held none of the bank’s data. The record carries statuses, timestamps, and hashes; the account and customer data never moved.

Screenshot (keystone · explorer, live data): The Explorer: every control as a tile, grouped by department, with a ranked evidence index.

Ninety percent of Keystone’s controls came back proven — the highest pass rate in the fleet. The ten percent that did not were named and owned, not hidden. That is what an honest record looks like.

Testing tomorrow before it arrives

The part that matters most to a growing bank is the part that answered tomorrow’s question. In the Simulation Lab we introduced rules Keystone did not yet live under and watched what they would break — on a model, never on the bank. We saved territory packs for California, Texas, New York, the EU, and Canada and ran them against the live controls; the New York pack alone is a useful proxy for NYDFS-style expectations. We ran a combined-entity expansion shock test — what happens to this control set the day the bank has to answer the EU AI Act and GDPR at once because an underwriting model now touches EU applicants. Each run returned a clean ledger: every conflict, what it collided with, and a ripple count of downstream controls affected.

Then we connected partners. Keystone issued evidence-scoped keys to two counterparties — the kind of correspondent and core-processor relationships every bank depends on — and ran partner-versus-bank simulations in which only evidence crossed: control sentences, verdicts, hashes. Never a ledger, never a customer, never a document. When the test ended the key was revoked and the partner lost access to evidence it never actually held. Across its sessions Keystone ran twelve simulations and exercised a real M&A diligence scenario both directions — the acquirer’s view and the target’s.

Proven, not asserted

Every action across the run — every clean, ruling, signature, simulation, report, and key — passed through a single audited door that recorded it first and chained each record to the one before it. By the reporting session the workspace held more than three hundred chained audit records, and the chain verified end to end. Four export requests sat pending at the locked gate; nothing left without a named approval.

We did not grade our own work. Three independent audits re-checked it from different angles — one rebuilt the hash chain from the specification and re-counted every record, one proved the system cannot bypass its own audit gate and recomputed every verdict against the sealed engine, and one recomputed every published figure against the raw snapshots. The verdict across all three: no fabrication. What you have just read is what actually ran.
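An added sketch, not the product's code, of what "chained each record to the one before it" and "rebuilt the hash chain from the specification" amount to: each audit record carries the hash of its predecessor, and verification recomputes every hash and link from genesis, so an edit, a concealed re-hash, or a deleted record is caught at the first record that no longer holds. The record fields and sample actions are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record in a workspace

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_hash(rec: dict) -> str:
    """Hash of a record's body: every field except its own hash."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()

def append_record(chain: list, ts: str, action: str, detail: dict) -> dict:
    """Record the action first, linked to the hash of the record before it."""
    rec = {"seq": len(chain), "ts": ts, "action": action, "detail": detail,
           "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    rec["hash"] = record_hash(rec)
    chain.append(rec)
    return rec

def verify_chain(chain: list) -> Optional[int]:
    """Rebuild the chain from genesis, recomputing every hash and every link.
    Returns None when it verifies end to end, otherwise the index of the first
    record whose position, link or hash no longer holds."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != prev or record_hash(rec) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def sample_chain() -> list:
    """Constructed run of the action kinds the text names; statuses, counts
    and hashes only, never document content."""
    chain = []
    append_record(chain, "2025-03-03T09:00:00Z", "clean", {"doc": "retention-policy", "statements": 37})
    append_record(chain, "2025-03-03T09:12:00Z", "ruling", {"issue": 14, "winner": "finance-controls"})
    append_record(chain, "2025-03-03T10:05:00Z", "signature", {"role": "tenant_admin", "controls": 86})
    append_record(chain, "2025-03-04T14:30:00Z", "simulation", {"pack": "new-york", "status": "complete"})
    append_record(chain, "2025-03-05T08:00:00Z", "export_request", {"status": "pending", "approved_by": None})
    return chain
```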

Screenshot (keystone · audit trail, live data): The Audit Trail with one-click chain verification — every action stamped, every record linked.

What it looks like when the examiner calls

Run it forward. The examination notice arrives, or internal audit opens its annual cycle, or a correspondent bank’s risk team sends the questionnaire. In the world before Bylaw, that letter starts a quarter: a workpaper request list goes out, three departments scramble for exports, and someone assembles a binder of point-in-time screenshots that, by construction, can only show a handful of moments across the exam period. Examiners know exactly what that looks like, and they probe the gaps, because a control that can only be shown on one day is a control nobody can prove operated on the other 364.

In the governed world, the same letter is a working session. The compliance officer opens the record, filters to the control in the request — privileged access to the core, retention on a record class under 17a-4, the cadence of the quarterly access review, MFA enforcement under NYDFS expectations — and reads the lineage in a straight line: the policy that set the rule, the control it became, the live signal it reads, the source system, the framework it answers, and the hash that proves the record was not edited after the fact. The evidence covers the period, not a moment, because it was collected continuously. It exports with integrity hashes embedded, scoped to exactly what was asked, and nothing about a customer ever enters the exchange.

That is the difference between a clean exam and an anxious one, and it compounds: the institution that can prove itself to an examiner can prove itself to a correspondent, an insurer, and an acquirer with the same record, on the same afternoon. Proof stops being an annual fire drill and becomes a standing asset the bank can lean on whenever someone with authority asks the only question that matters.

If this were your institution

If you run compliance inside a bank, you already have the policies and the people. What you do not have is the office that keeps the proof current between exams — that reads every document, reconciles the contradictions before an examiner finds them, wires the rules to the systems where they live, and has the answer ready the day the request arrives. Standing that up in-house is a Chief Governance Officer, support staff, counsel, and systems — commonly half a million dollars a year. Embedded through Bylaw, it is a fraction of that, and it walks in already fluent in 17a-4, FFIEC, NYDFS, and the EU AI Act’s line on credit models.

Keystone is fictional so we could show you the whole machine — the contradictions, the rulings, the simulations, the audit — without a real bank’s name on it. The machinery is real and running. The fastest way to find out where your own proof stands before the next exam is a governance review.

What crossed, and what never did

It is worth being precise about how the evidence for Keystone was collected, because it is the whole difference between Bylaw and the tools that ask for your data. Bylaw never logged in and pulled records. It dispatched worker packets — small, single-purpose, read-only instructions — to the core banking platform, the identity provider, the document and ticketing systems, and the data warehouse, each asking one question and returning one structured verdict: the operator, the expected value, the observed value, and a content hash. The reasoning happened on the other side of a wall, in a sealed engine reached with a key Keystone controlled, working only over configuration and event state.

Between Keystone’s environment and anything that left it sat the edge wall, which rejected every name, email, and identifier before it could cross — to us, to a partner, or into the audit trail. What crossed was proof: statuses, timestamps, and hashes. What never crossed was content — no account, no transaction, no customer record. That is not a promise; it is the architecture, and it is why a worst case for Bylaw could never become a data breach for Keystone or its customers. The record is defensible precisely because it contains evidence of operation and nothing an attacker would want.
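The edge wall, as an added sketch that is not Bylaw's code: a default-deny egress filter that admits only fields of proof shape (control ids, statuses, operators, numbers, timestamps, hashes), so a name, email or account number has no slot it could cross in. The schema, field names and sample packet are assumptions.

```python
import re
from datetime import datetime
# Constructed egress schema (an assumption, not Bylaw's): the only fields a packet may
# carry out, each with the shape it must have. Anything else is rejected, not redacted.
ALLOWED = {
    "control": re.compile(r"^[A-Z]{2}-\d{2}$"),   # a control id, never a name
    "status": {"proven", "failed", "pending"},
    "operator": {"==", "<=", ">="},
    "expected": (int, float, bool),
    "observed": (int, float, bool),
    "ts": "timestamp",
    "hash": re.compile(r"^[0-9a-f]{64}$"),
}

class EdgeWallRejected(ValueError):
    """Something other than proof tried to cross."""

def _is_utc_timestamp(value) -> bool:
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except (TypeError, ValueError):
        return False

def edge_wall(packet: dict) -> dict:
    """Default-deny check on every packet before it leaves. It checks shape, not
    content, so free text has no field it could legally ride in."""
    for field, value in packet.items():
        rule = ALLOWED.get(field)
        if rule is None:
            raise EdgeWallRejected(f"field not in egress schema: {field}")
        if isinstance(rule, set):
            ok = isinstance(value, str) and value in rule
        elif isinstance(rule, tuple):
            ok = isinstance(value, rule)
        elif rule == "timestamp":
            ok = _is_utc_timestamp(value)
        else:
            ok = isinstance(value, str) and rule.match(value) is not None
        if not ok:
            raise EdgeWallRejected(f"value of {field} is not proof-shaped")
    return dict(packet)

def crosses(packet: dict) -> bool:
    """True when the wall lets the packet through, False when it is rejected."""
    try:
        edge_wall(packet)
        return True
    except EdgeWallRejected:
        return False
```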

Why this matters now

The reason to do this now, rather than after the next audit, is that proof cannot be reconstructed backward. You cannot retroactively show that a control operated last quarter if no one was recording it; the evidence either accrued or it did not. A continuous record is the one compliance asset that is strictly more valuable the earlier it starts, because it compounds — every day it runs, it proves a longer period.

The deadline pressure is real and specific. The EU AI Act’s high-risk obligations are phasing into force through 2026, and for a bank the exposure is concrete the moment an AI underwriting or fraud model touching EU applicants is in play: logging across the system’s lifetime, demonstrable human oversight, and post-market monitoring — all of them evidence duties, not policy statements. Add the frameworks already on the table and the enterprise buyers who enforce them faster than any regulator, and the company that started keeping the record is simply ready, while the one that waited is assembling screenshots against a clock. That is the whole argument for starting before you are asked.

We’re ready to step in.

Every figure in this study came from the live system, run against a company built to look like a real one. The fastest way to see where your own proof stands — strong, fragile, and missing — is a structured governance review. No data required; findings in weeks, and yours to keep whatever you decide.

Brandon Junkin, Founder, Bylaw Evidence

Brandon spent years alongside hundreds of mid-market companies at GoDaddy and watched the same story on repeat: good teams unable to prove the good work they did, governance buried under tools that demanded data and returned screenshots. He founded Bylaw Evidence to be the guide those teams were missing — someone who maps the rules, keeps the record, and has the answer ready when the auditor asks. BA in Philosophy of Law, Politics and Ethics, Arizona State University; ARM candidate.