MISCONCEPTION · ISSUE NO. 04
TiZNO proposes. Your team decides.
Regulators and internal audit are right to worry about automation that acts on its own. TiZNO is built so that every write to a downstream system, freezing an account, sending an email, opening a case, restricting a client, surfaces as an Action Card held in a pending state. No write API fires without an explicit human approval. The platform handles orchestration, retrieval, and drafting; your officers keep the decision.
When an action is approved, the execution runs under the approving user’s identity, never a service account, with a timestamped approval recorded against that person. Accountability stays inside your four-eyes culture rather than moving to a black box.
Role limits are enforced where they cannot be bypassed. A Suspicious Activity Report can be approved by the MLRO only, and that restriction lives in a Row-Level Security policy on the Action Card table in the database, not in the interface or in middleware. A direct API call from a user without the MLRO role is rejected by the database itself. If a person’s role changes between creating and approving a card, the policy re-evaluates at the moment of approval, so they cannot approve something their current role does not permit.
The same discipline applies to integrations. Read-only connector accounts do not graduate into write scopes without an officer context, and write-capable calls are routed through approval-gated paths. The platform cannot quietly configure a route that sidesteps the four-eyes requirement.
For a committee worried about model drift, the decision authority stays binary, approve or reject, while the system preserves the full rationale behind each proposal for later review. Conservative governance is encoded in the design rather than left to policy alone.
Workflow example
TiZNO recommends restricting wires for a client pending EDD completion. The Action Card shows the cited policy, the CRM status, and suggested wording. Only after a compliance manager approves does the restriction run, under that manager’s credentials, with the full trace retained for audit.