Controls to COF mapping
Purpose. Readers often ask whether COF replaces controls. It does not. COF is how selected controls become executable and traceable at scale. This page shows examples of control intent expressed twice: first as a traditional control, then as a COF-enabled pattern. Your bank’s obligations and architecture will differ; use this as a design conversation aid, not a vendor spec.
Prerequisites. Read Controls framework and COF for DCA first.
Mapping table (examples)
| Control need | Traditional control pattern | COF-enabled pattern |
|---|---|---|
| Stop DCA during hardship | Policy plus manual suppression flag; ops checks spreadsheets | State activation for hardship; prohibition gate blocks placement and outbound; trace on override |
| Stop after recall | Recall file plus manual kill list; hope vendor clears dialler | Recall state plus event interception on contact engines; acknowledgement trace from vendor runtime |
| Prevent wrong default listing | QA sample of listings; post-hoc fixes | State-aware prohibition on bureau submission while protected; parameterised listing rules |
| Reconcile DCA state | Daily ops review; email escalation | Dual-state compare with exception detection, ageing, and automated holds on outbound when break exceeds threshold |
| Complaint overlap with enforcement | Manual pause instructions | Arbitration between complaint clock and enforcement intent; explicit resume conditions |
| DCA1 to DCA2 explainability | Meeting notes; partial data | Decision trace with proposed versus actual next strategy and rule version |
Maturity progression
Most banks run a mixed model: some controls are manual but strong (small volume, expert team), some are automated but brittle (old batch files), and a few obligations are COF-aligned in modern stacks. The risk is invisible inconsistency: customers in similar circumstances treated differently because one path hit an engineered gate and another path relied on a busy team’s memory.
Maturity is not “COF everywhere tomorrow.” It is deliberate movement of high-risk obligations from detect after breach to prevent by construction, with logging that stands up in review.
Where this connects in the pack
- Recall: Recall and reassignment and CP / DCA files.
- Trace fields: R1 / R2 traceability.
- Reporting truth: Reporting data lineage and Reporting.