From agentic-bundle-aas-privacy-compliance-engineering
Maps code, architecture, and IaC changes to PCI-DSS v4.0 and MAS TRM controls for Singapore-regulated financial institutions, producing audit-ready compliance findings with remediation guidance.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-bundle-aas-privacy-compliance-engineering:fsi-compliance-checkerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Maps a concrete change (code diff, architecture design, IaC, pipeline config) to the specific controls it touches in financial services compliance frameworks — PCI-DSS v4.0 for payment card data and MAS TRM for Singapore-regulated institutions — and reports gaps with actionable remediation. This is engineering-level compliance triage: it helps teams catch violations before audit, but it does no...
Maps a concrete change (code diff, architecture design, IaC, pipeline config) to the specific controls it touches in financial services compliance frameworks — PCI-DSS v4.0 for payment card data and MAS TRM for Singapore-regulated institutions — and reports gaps with actionable remediation. This is engineering-level compliance triage: it helps teams catch violations before audit, but it does not replace a qualified assessor (QSA) or the institution's compliance function. Say so in every report.
Load only the reference file(s) the engagement needs:
| Situation | Load |
|---|---|
| Payment card data is stored, processed, or transmitted | pci-dss.md |
| Singapore-regulated financial institution (bank, insurer, capital markets, major payment institution) | mas-trm.md |
| Both apply (e.g. Singapore bank handling cards) | Both files |
| Other jurisdictions/frameworks (SOX, GDPR, HKMA, APRA) | State they are out of scope; offer general secure-engineering review instead |
If the user hasn't said which applies, ask one question: what data does the change touch, and is the institution Singapore-regulated?
Identify what the diff/design actually touches: data elements (card data? customer PII? credentials?), trust boundaries, environments (production? DR?), and third parties.
Select the applicable controls from the loaded reference file(s) — typically 5-15 controls, not the whole framework. List what you ruled out and why (one line each) so the scoping is auditable. Assess each as Compliant / Gap / Needs evidence (can't tell from the artifact — name the evidence required).
Every Gap gets: the control ID, what's wrong in this specific change, concrete remediation, and severity (Critical = violation involving live regulated data; High = control absent; Medium = control partial/undocumented).
# Compliance Review: [change title]
**Frameworks:** [PCI-DSS v4.0 / MAS TRM 2021] · **Date:** [YYYY-MM-DD]
**Scope:** [what was reviewed: files, design doc, pipeline]
> Engineering triage only — not a substitute for QSA assessment or the compliance function.
## Data & Boundary Analysis
- Data elements touched: [e.g. PAN (masked), customer NRIC, none]
- Environments/boundaries: [e.g. CDE-adjacent service, public API]
## Findings
| # | Control | Status | Severity | Finding | Remediation |
|---|---------|--------|----------|---------|-------------|
| 1 | [PCI 3.5.1] | Gap | Critical | [specific issue in this change] | [specific fix] |
## Ruled Out (not applicable)
- [Control area] — [one-line reason]
## Evidence Needed
- [Control]: [what artifact would demonstrate compliance]
Offer to turn findings into backlog items with the control ID in each story for traceability.
User: "Is this PCI-DSS compliant: we log the full request body of card authorization calls for debugging?"
Skill: Loads pci-dss.md → Critical findings against 3.3.1 (CVV must never be stored post-authorization — logs are storage), 3.4.1 (PAN display masking), 3.5.1 (PAN unreadable at rest); remediation: remove the log line or apply a field-allowlist redaction filter; flags downstream log-pipeline scoping (10.3.x); QSA disclaimer included.
User: "Our Singapore bank is moving the customer notification service to a cloud region in another country. MAS TRM implications?"
Skill: Loads mas-trm.md → reviews against §11.5 (cloud: due diligence, data residency, exit strategy), flags the MAS Outsourcing Guidelines as a related instrument, asks what customer data the service touches before rating severity.
Changes that almost always have compliance impact — check proactively when they appear in a diff:
Needs evidence.Adapted from timwukp/agent-skills-best-practice (MIT), where the skill ships with evals and a documented 4-layer test methodology (see the repo's TESTING.md).
npx claudepluginhub sickn33/agentic-awesome-skills --plugin agentic-bundle-aas-privacy-compliance-engineering65plugins reuse this skill
First indexed Jun 12, 2026
Showing the 6 earliest of 65 plugins
Maps code, architecture, and IaC changes to PCI-DSS v4.0 and MAS TRM controls for Singapore-regulated financial institutions, producing audit-ready compliance findings with remediation guidance.
Audits codebases against SOC2, HIPAA, GDPR controls: scans data stores, traces user data flows, and generates gap analysis reports with remediation plans.
Generates structured compliance reports for PCI DSS, HIPAA, SOC 2, GDPR, and ISO 27001 by scanning codebases and configurations for control evidence.