Regulatory Compliance & Documentation

CLIMA maintains examination-ready documentation across model risk management (OCC SR 11-7), information security (GLBA Safeguards Rule), fair lending (ECOA/Reg B), and capital adequacy (Basel III/CECL). All claims are traceable to documented methodology, backtest results, or public data sources.

Key figures: 0.904 disaster AUC (10-year horizon); 145K+ county-year observations; 7-year audit log retention. Status badges: GLBA compliant; OCC SR 11-7 aligned; AES-256 encrypted.

1. Certification Attestation

Attestation Statement. CLIMA does not make unqualified "compliant" or "certified" claims. Every numeric and regulatory assertion in CLIMA materials is traceable to documented methodology, reproducible backtest results, or publicly verifiable data sources. This approach aligns with OCC SR 11-7 model risk management, examiner expectations for transparency, and industry standards for third-party model providers serving FDIC-insured institutions.

Regulatory Basis: OCC Bulletin 2011-12 (SR 11-7), "Sound Practices for Model Risk Management"; OCC/FDIC/Federal Reserve Interagency Guidance on Third-Party Relationships (June 2023); FFIEC IT Examination Handbook.

Backtest & Validation Scale

  • 145,452 county-year observations — Statistical power sufficient for disaster default prediction across multiple horizons per academic and regulatory norms.
  • 30,131 disaster-exposed county-years — Captures FEMA major disaster incidence; primary target variable for ML models.
  • 68,485 raw FEMA declarations — Full OpenFEMA history; no sampling; audit trail to fema.gov.

Disaster & Loss Rates

  • 20.7% / 6.2% — Baseline vs CLIMA-approved disaster default rates. Justification: Freddie Mac Loan Performance analysis; CLIMA-approved geography materially reduces disaster-linked defaults.
  • 30.3% loss severity — NFIP-validated from 762 real claims. Justification: Actual payout vs coverage; no synthetic or estimated data.

Model Performance (AUC)

  • 0.904 (10yr) / 0.978 (30yr) disaster AUC — Walk-forward validation; exceeds 0.80 at 5+ year horizons per industry norms.
  • 0.841 credit model AUC — Separate model; 1M-loan holdout; used for PD inputs.

Data Lineage & Standards

  • FEMA, Census, BLS, Freddie, NFIP — Public or licensed; transparent lineage; no synthetic data in production.
  • EL = PD × LGD × EAD — Aligned with Basel III / CECL; bank-examiner recognizable.
  • NGFS scenarios — Orderly, Hot House, Disorderly; used for stress testing.

2. Regulatory Framework & Alignment

Banks face overlapping requirements from the OCC, Federal Reserve, CFPB, and Basel III. Below we map CLIMA's controls to each framework and explain the legal and prudential rationale for each requirement.

Climate Risk (Safety & Soundness)

Regulators require identification and management of physical and transition climate risk. CLIMA supports examiner expectations for climate-aware underwriting and portfolio management.

  • Physical risk — Heat, wildfire, flood, wind integrated. Justification: Multi-hazard coverage; not flood-only.
  • Transition risk — NGFS scenarios for scenario analysis. Justification: Regulatory standard for climate stress.
  • FEMA history — Full disaster declarations; no sampling. Justification: Audit trail to government source.
  • Property-level — Elevation, water distance, building age. Justification: Granular risk; reduces adverse selection.

CFPB Fair Lending (ECOA / Reg B)

ECOA and the Fair Housing Act require that credit models not have a disparate impact on protected classes. Geographic scores can correlate with demographics; CLIMA uses objective physical risk factors only, with a documented disparate impact testing framework.

  • Methodology transparent — Full documentation; explainable features. Justification: Examiners and legal can audit.
  • Geographic factors = objective risk — Flood zone, wildfire hazard, not race/ethnicity. Justification: Bona fide risk factors; not proxies.
  • Disparate impact framework — Scripts for analysis; real Census data only. Justification: Proactive testing when loan data available.

Basel III / CECL

Capital and reserving require PD, LGD, EAD. CLIMA outputs feed into CECL and capital models; methodology is bank-examiner recognizable.

  • PD model — Random Forest with calibration. Justification: Validated AUC; tier-based uplifts.
  • LGD — NFIP-validated baseline; disaster uplifts from literature. Justification: Real loss data; no synthetic.
  • EL = PD × LGD × EAD — Standard formula. Justification: Examiner expectation.
  • GSE loan data — Freddie Mac 14.8M loans in production; portfolio, defaults, statistics via API. Justification: Real loan-level validation available.

Governance & OCC SR 11-7

Model risk management requires documentation, validation, and ongoing monitoring. Banks must demonstrate sound model governance when using third-party models.

  • Model documentation — Methodology, features, AUC. Justification: Single source of truth.
  • Backtesting — Walk-forward; out-of-sample. Justification: Evidence of predictive validity.
  • Scenario analysis — NGFS; stress tests. Justification: Forward-looking risk.
  • Board reporting — PDF/Excel via API. Justification: Examiner-ready output.

3. Model Risk Management (OCC SR 11-7)

CLIMA maintains a Model Risk Management Framework aligned with OCC SR 11-7. The framework covers model development, validation, documentation, governance, and monitoring.

Component | Status | Evidence
Model risk management framework | ✅ Implemented | MODEL_RISK_MANAGEMENT_FRAMEWORK.md
Development standards & code review | ✅ Implemented | Development documentation, Git workflow
Validation (backtesting, calibration) | ✅ Implemented | Validation reports, walk-forward analysis
Model documentation | ✅ Implemented | docs/MODEL_METHODOLOGY.md, docs/DEFAULT_AUC_METHODOLOGY.md
Model inventory | ✅ Implemented | MODEL_INVENTORY_TEMPLATE.md
Monitoring framework | ✅ Implemented | Monitoring procedures, dashboards
Independent third-party validation | ⏳ In progress (Q3 2026) | compliance/INDEPENDENT_MODEL_VALIDATION_RFP.md

4. Fair Lending & ECOA Compliance

CLIMA scores geography (physical climate risk), not borrower demographics. No protected-class inputs are used. The methodology supports a business necessity defense through validated risk prediction.

  • No race, ethnicity, gender, age, religion — CLIMA inputs are physical hazard exposure (flood zone, wildfire hazard, wind, heat) and property characteristics.
  • Transparent, explainable methodology — Public data sources; feature importance documented.
  • Business necessity — Validated risk prediction (0.904 disaster AUC, 0.841 credit AUC) supports use of climate risk as a bona fide underwriting factor.
  • Disparate impact testing — Framework established; GSE loan data (14.8M Freddie Mac) available for analysis. Scripts in scripts/fair_lending_disparate_impact.py.

5. Information Security (GLBA Safeguards Rule)

CLIMA maintains a Written Information Security Program (WISP) compliant with the GLBA Safeguards Rule. A designated Qualified Individual oversees the program.

Data Protection

  • Encryption at rest: AES-256 (Fernet) for uploaded portfolio files
  • In transit: TLS 1.2+ only; HSTS enforced
  • Passwords: PBKDF2-SHA256, per-user salts (NIST SP 800-63B)
  • MFA: TOTP (Google Authenticator compatible)
  • File integrity: SHA-256 hash verification on uploads
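As an added illustration (not CLIMA's code) of two of the controls listed above, the following standard-library Python shows per-user-salted PBKDF2-SHA256 password storage with constant-time verification, and SHA-256 integrity checking of an uploaded portfolio file; the iteration count, record format and sample data are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed iteration count; NIST SP 800-63B sets a floor of 10,000 for PBKDF2.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<digest>.

    A fresh random salt per user means identical passwords produce different records,
    so a leaked table cannot be attacked with one precomputed lookup."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def sha256_hex(data: bytes) -> str:
    """Content hash recorded at upload time and stored with the file."""
    return hashlib.sha256(data).hexdigest()


def verify_upload(data: bytes, declared_sha256: str) -> bool:
    """Reject a file whose content no longer matches the hash recorded for it."""
    return hmac.compare_digest(sha256_hex(data), declared_sha256.lower())


# Constructed sample upload (not real portfolio data).
SAMPLE_PORTFOLIO = b"loan_id,fips,upb\n1001,48201,250000\n"
```

Fernet, as specified by the cryptography project, uses AES-128 in CBC mode with an HMAC-SHA256 tag, so the "AES-256" label above should be reconciled with the key size actually in use.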

Access & Monitoring

  • JWT auth: 30-min access token; 7-day refresh
  • RBAC: Admin, Analyst, Viewer per organization
  • Audit logging: All auth, data access, admin actions; 7-year retention
  • Single session: enforced; automatic timeout

Incident Response & Business Continuity

Incident Response Plan: Detection, containment, notification (72-hour client notification for NPI breach), root cause analysis. Severity levels P1–P4 with defined response times.

Business Continuity: RTO 4 hours (portal/API); RPO 15 minutes (database); daily backups; 30-day retention; quarterly DR testing.

6. Data Governance & Retention

Data retention aligns with CECL, Basel III, and regulatory examination requirements.

Data Category | Retention Period | Rationale
Uploaded portfolio files | 90 days from last access, or per DPA | Operational need; client may request deletion
Scoring results / reports | 7 years | CECL, Basel III, regulatory examination
Audit logs | 7 years | Security and compliance investigations
Model artifacts | Indefinite, versioned | Reproducibility and audit trail
Backtest outputs | Indefinite | Validation and methodology defense

7. Bank Vendor Due Diligence Package

Available for prospective bank clients under NDA. Banks request this for vendor risk management and procurement; documented controls for security, data handling, and compliance are required by OCC/FDIC/Fed third-party guidance.

Available Documents

  • Written Information Security Program (WISP)
  • Incident Response Plan
  • Business Continuity / Disaster Recovery
  • Data Processing Agreement (template)
  • Privacy Policy, Terms of Service
  • NIST CSF 2.0 Mapping, SOC 2 Prep
  • Access Review, Change Management, Risk Assessment
  • Security Awareness Training Program

Contractual Provisions (DPA)

  • Right-to-audit clause
  • Breach notification (72-hour)
  • Data deletion upon termination (30-day export window)
  • Subprocessor notification (30-day advance)
  • Regulatory examination cooperation
  • GLBA Safeguards Rule compliance commitment

Contact: info@clima.solutions | security@clima.solutions | legal@clima.solutions

8. Validated Metrics (v5)

All figures below are from reproducible backtests. See docs/DEFAULT_AUC_METHODOLOGY.md for methodology.

Metric | Value | Justification
Default (credit) AUC | 0.841 | 1M-loan holdout; separate from disaster model
Disaster 5yr AUC | 0.825 | Walk-forward 2009-2014
Disaster 10yr AUC | 0.904 | Walk-forward 2006-2013
Disaster 30yr AUC | 0.978 | Walk-forward 2006
Observations | 145,452 county-years | Panel coverage; 3,231 counties
Coverage | 100% FIPS, 0% NaN | v5 resolution; no synthetic fallbacks

9. Key Documents & Resources

Compliance Summary

✅ Compliant: Model Risk Management (OCC SR 11-7), Fed Climate Risk Guidance, Data Governance, Production Readiness, Information Security (GLBA), Documentation
⚠️ Partial: Fair Lending (disparate impact testing framework ready; GSE data available)
⏳ Planned: Third-party validation (in progress), SOC 2 Type II (Q3 2026)
Overall institutional readiness: 85%