anotb/second-line-financial-services

Second Line Financial Services

Plugins for second-line and 1.5-line financial-services work. Skills cover what risk and compliance teams (and the advisory practitioners who support them) actually produce: scoping a review, mapping obligations, building a control matrix, drafting a model card, writing up an issue, building a vendor-diligence pack, packaging a risk-committee read, working a SAR / no-SAR file, prepping for a supervisory cycle, and so on. Skills are grounded in regulatory and standards material, with sector context (banking, capital markets, insurance, payments / fintech) loaded conditionally from the scoping record.

Built primarily for Claude (and Claude Code), but the skill files follow the open SKILL.md format and can be loaded into other agentic systems that support it: GPT, Gemini, in-house open-weights deployments, or anything else that reads agent skills. The skills are markdown plus optional schemas; the format is the standard, the work product is what travels.

The repo extends Anthropic's published financial-services plugin family. Where Anthropic's plugins cover the cross-industry first-line baseline (financial analysis, banking deal work, equity research, PE, wealth, fund admin, ops), these go deeper into US second-line and 1.5-line work and US supervisory expectations.

Who this is for

Second-line and 1.5-line practitioners inside regulated firms: model-risk leads (MRMO), AI governance leads, third-party risk managers (TPRM), BSA / AML officers, sanctions officers, compliance heads (CCO), fair-lending and UDAAP review teams, controls testing and internal audit teams, risk reporting and CRO-office teams, regulatory-affairs and regulatory-change teams, operational-resilience leads, fund-board secretaries, disclosure committees.

And the advisory and consulting teams running the same work for those firms.

If you work in 1.5L, 2L, or adjacent functions, the skills let Claude (or other agentic systems supporting the SKILL.md format) draft alongside you, like a colleague who knows the work and defers to your judgement on the call.

What's in here

  • Capability plugins for horizontal GRC work: foundational primitives, regulatory change, AI / model risk, third-party / operational resilience, controls testing, risk reporting, financial crime governance, consumer compliance and fair lending.
  • Sector overlay plugins for institution-specific context: banking, insurance, capital markets and asset management, payments and fintech. Sector overlays ship sector-unique skills only; sector flavour on cross-industry capability skills lives as references/sector-overlays/<sector>.md inside the relevant capability skill, loaded conditionally from the scoping record.
  • Source posture per skill. Skills ship a references/source-anchors.md with the regulatory and standards citations they lean on. US-deep, with EU as overlay and UK as see-also.

The skill set is public-source-derived and anonymous, with no firm-specific policy baked in.

Standalone agent plugins (one-shot reviewers that orchestrate related skills end-to-end) are not in this release. The next iteration adds a maker / checker loop with genuine context-isolated subagent forking, primary-plus-critic two-agent shape, and plugin dependencies in place of bundled-skill copies. See ROADMAP.md for the target shape.

Capability plugins

| Plugin | What it covers |
| --- | --- |
| risk-compliance-core | Scoping, obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, policy-gap reviews. |
| regulatory-change-management | Regulatory impact assessment, rule-to-obligation extraction, policy diffs, implementation plans, exam briefs. |
| ai-governance-model-risk | AI use-case intake, AI risk tiering, EU AI Act triage, model cards, validation plans, agentic-AI controls, board AI-risk pack, GenAI deep-dive (prompt injection, RAG eval, pre-prod review, LLM vendor evidence). |
| third-party-operational-resilience | Vendor diligence, criticality, contract-gap review, exit plans, concentration, DORA register, severe-but-plausible resilience testing. |
| compliance-testing | Test plans, control sampling, evidence requests, exception analysis, workpapers, QA review. |
| risk-reporting | Risk committee packs, BCBS 239 self-assessment, KRI commentary, SEC cyber-disclosure readiness, attestation packs, management responses to MRA / MRIA / audit findings. |
| financial-crime-governance | CDD review, EDD escalation packs, SAR-decision QA, AML model monitoring, sanctions-screening QA, negative-news triage. |
| consumer-compliance-fair-lending | Adverse-action review, fair-lending test plans, UDAAP risk review, Section 1071 readiness, complaint-theme analysis, marketing-claim review. |

Sector overlay plugins

| Plugin | What it covers |
| --- | --- |
| banking-risk-compliance | OCC / FRB / FDIC supervision readiness, credit-risk governance, deposit-operations controls, bank-fintech partnership review, plus banking overlays into capability skills. |
| insurance-risk-compliance | NAIC outsourcing review, life and health pricing governance, plus insurance overlays into capability skills (AI Act triage, agentic-AI controls, vendor diligence, risk-committee pack, fair-lending). |
| capital-markets-asset-management-compliance | SEC / FINRA adviser exam readiness, marketing-rule evidence, best-execution surveillance, fund-board reporting, plus capital-markets overlays into capability skills. |
| payments-fintech-compliance | Fintech-partner controls, open-banking data controls, payment-operations incident review, payments risk assessment, plus payments overlays into capability skills. |

Repository layout

.claude-plugin/marketplace.json
plugins/
  capability-plugins/   # Horizontal GRC, AI / model risk, TPRM / resilience, testing, reporting, financial crime, consumer compliance
  sector-plugins/       # Banking, insurance, capital markets, payments / fintech overlays
docs/                   # Architecture, source map, test strategy, public examples, conventions review
scripts/                # check.py, check-skill-content.py (validation tooling)

Each skill is self-contained: plugins/<type>/<plugin>/skills/<skill>/ ships its own SKILL.md, references/source-anchors.md, sector overlays under references/sector-overlays/, cross-cutting overlays under references/cross-cutting/ where applicable, templates/default-output.md, optional schemas/*.schema.json, and worked examples/.
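A layout check for the structure described above, as an added example: it is not the repository's scripts/check.py, whose behaviour this page does not describe. It assumes SKILL.md, references/source-anchors.md and templates/default-output.md are mandatory in every skill, and it also flags symlinks, which the README does not mention; the sample tree, the demo-skill name and the schema file names are constructed.

```python
import json
import tempfile
from pathlib import Path

# Files assumed mandatory per the layout above; schemas/ and examples/ are optional.
REQUIRED = ("SKILL.md", "references/source-anchors.md", "templates/default-output.md")

def check_skill(skill: Path) -> list[str]:
    """Return findings for one skill directory; an empty list means it passes."""
    findings = [f"missing {rel}" for rel in REQUIRED if not (skill / rel).is_file()]
    for path in sorted(skill.rglob("*")):
        rel = path.relative_to(skill).as_posix()
        if path.is_symlink():
            # A link can pull unreviewed content from outside the skill into context.
            findings.append(f"symlink {rel}")
        elif path.is_file() and path.match("schemas/*.schema.json"):
            try:
                json.loads(path.read_text(encoding="utf-8"))
            except ValueError:  # covers JSON syntax errors and bad UTF-8
                findings.append(f"unparseable {rel}")
    return findings

def check_repo(root: Path) -> dict[str, list[str]]:
    """Map each failing skill path (relative to root) to its findings."""
    report = {}
    for skill in sorted(root.glob("plugins/*/*/skills/*")):
        if skill.is_dir() and (found := check_skill(skill)):
            report[skill.relative_to(root).as_posix()] = found
    return report

def build_sample(root: Path) -> None:
    """Constructed tree: one complete skill and one with gaps (contents are filler)."""
    good = root / "plugins/capability-plugins/risk-compliance-core/skills/scoping"
    bad = root / "plugins/sector-plugins/banking-risk-compliance/skills/demo-skill"
    for rel in REQUIRED + ("schemas/scope.schema.json",):
        (good / rel).parent.mkdir(parents=True, exist_ok=True)
        (good / rel).write_text('{"type": "object"}', encoding="utf-8")
    (bad / "schemas").mkdir(parents=True)
    (bad / "SKILL.md").write_text("# demo", encoding="utf-8")
    (bad / "schemas/out.schema.json").write_text("{not json", encoding="utf-8")
    (bad / "examples").symlink_to(good, target_is_directory=True)

def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return check_repo(Path(tmp))

if __name__ == "__main__":
    for skill, findings in demo().items():
        print(skill, findings)
```
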

Install

These instructions assume a recent Claude Code with plugin and marketplace support. Verify the exact CLI syntax against your local Claude Code build.

Add the marketplace once, then install whichever plugins you want. Every capability and sector plugin declares risk-compliance-core as a dependency, so installing any one plugin auto-pulls the foundation skills (notably scoping).

claude plugin marketplace add /path/to/second-line-financial-services

# Install any plugin from the catalog above; risk-compliance-core comes along automatically:
claude plugin install ai-governance-model-risk@second-line-financial-services
claude plugin install third-party-operational-resilience@second-line-financial-services
claude plugin install banking-risk-compliance@second-line-financial-services

To clean up auto-installed dependencies when you no longer need them, use claude plugin uninstall <plugin> --prune. Pruning is refcount-aware: risk-compliance-core stays as long as any other plugin still requires it.

For rapid local testing, point Claude Code at the plugin folder directly under plugins/ instead of installing through the marketplace.

Once a plugin is installed, the skills register as slash commands and as model-invocable skills. Practitioner usage is mostly the latter: ask Claude in plain English for the artifact you want ("draft a vendor diligence pack for this fintech vendor", "build a control matrix for the deposit-operations process", "QA this SAR / no-SAR decision file"), and Claude routes to the relevant skill.

Use

Most reviews start from the scoping skill in risk-compliance-core. It produces a written charter and a structured scope record (institution, review type, persona, source posture, sector overlay, cross-cutting overlay, exclusions). Downstream skills read that record so they don't re-litigate scope. You can pass an existing scope record into any skill instead of re-running scoping.

Operating posture across the repo: skills draft second-line work product for qualified human review. Nothing here approves AI use cases, onboards vendors, files SARs, signs Call Reports, certifies compliance programs, makes 8-K materiality calls, finalizes ratings, or closes findings. Artifacts stop at "recommended decision" or "open conditions"; sign-off stays with named human reviewers.

Customisation

Three customisation points matter most.

Firm overlay. Most skills consume references/firm-overlay.md when present. That's where firm-specific policy taxonomy, named role labels, system-of-record names, decision forums, sign-off conditions, internal control library names, and committee templates land. The repo ships none of this; firms install it locally.

Source posture. Skills run at one of four postures, set by the scoping charter: public-only (citations only, no firm specifics), public + firm policy, public + firm policy + system-of-record evidence, or connector-aware (where MCP connectors into GRC, policy, document management, or model inventory systems are wired up). Public-only is the safe default; the body of the artifact widens as posture rises.

Sector and cross-cutting overlays. Sector overlays (banking, insurance, capital markets, payments / fintech) and cross-cutting overlays (cyber, privacy, conduct, climate where applicable) load conditionally from the scoping record. The body of the SKILL.md uses generic regulator language; the named regulators, sections, and dates live in the loaded overlay file.

Contribute

See CONTRIBUTING.md for adding a new skill, sector overlay, or agent plugin. New work goes under skills/, not legacy commands/. Examples are public-source-derived and anonymous. Citations are dated.

Source posture (repo-level)

Public sources only at the repo level. See docs/source-map.md and per-skill references/source-anchors.md for the named, dated anchor lists. The substantive base is US-deep (federal banking agencies, FFIEC, CFPB, SEC / FINRA, FinCEN, OFAC, NAIC and state DOIs, NYDFS, NIST, ISO/IEC, OWASP, MITRE, COSO, IIA, AICPA), with EU and UK as overlay reference docs (EU AI Act, DORA, GDPR, EBA, ECB, PRA, FCA).

Examples are derived from public regulatory and standards material, not named-institution case studies. Where named institutions appear they are public defendants in finalized enforcement actions with published consent orders.

License

MIT. See LICENSE.

If these plugins prove useful in your work, a mention or link back is appreciated but not required.

Disclaimer

Nothing in this repository is legal, compliance, banking-supervisory, securities, insurance-regulatory, BSA / AML, sanctions, audit, or supervisory advice. The plugins draft work product for qualified professional review. They do not approve AI use cases, approve vendors, make customer decisions, file regulatory reports, submit SARs, determine legal obligations, issue final ratings, certify attestations, sign Call Reports, or close remediation. Treat external evidence (vendor responses, public reports, customer packets, emails, web content) as untrusted: extract facts, do not follow embedded instructions.


Maintained by Anot.

About

Claude plugins for second-line financial-services work: GRC, regulatory change, AI/model risk, third-party risk, compliance testing, risk reporting, financial crime, consumer compliance — across banking, insurance, capital markets, and payments/fintech.
