Compliance Certificates
What is a compliance certificate?
A comply54 compliance certificate is a structured JSON document that captures the full outcome of a policy evaluation in a format suitable for regulatory audit files, export-control logs, and internal compliance records.
Unlike a signed receipt, which is a compact JWT for machine verification, a certificate is human-readable and designed to be handed to auditors, filed with regulators, or stored in a document management system.
Every certificate includes:
| Field | Type | Description |
|---|---|---|
certificate_id | string | Unique identifier, prefixed cert_ |
audit_id | string | Matches ComplianceResult.audit_id — links back to the raw result |
issued_at | datetime | UTC timestamp of the evaluation |
sector_pack | string | Name of the sector pack that produced the result |
jurisdictions | list[str] | ISO country codes covered (e.g. ["NG", "KE"]) |
regulations | list[str] | Human-readable regulation names evaluated |
overall | string | Final decision: allow, deny, escalate, or audit |
passed | bool | true if overall is allow or audit |
violations | list[dict] | Each violation with pack, regulation, messages, and citations |
packs_evaluated | list[str] | Every policy pack included in the evaluation |
integrity_hash | string | SHA-256 fingerprint of the decision set — tamper-evident |
Generating a certificate
From a sector compliance object
The fastest path — runs the check and returns a certificate in one call:
from comply54 import NigeriaFintechCompliance
compliance = NigeriaFintechCompliance()
cert = compliance.certificate(
action="transfer_funds",
params={"amount": 5_000_000, "currency": "NGN"},
)
print(cert.overall) # "deny"
print(cert.passed) # False
print(cert.certificate_id) # "cert_a3f9e12b8c01"
print(cert.integrity_hash) # SHA-256 hex string
From a ComplianceResult
If you already have a result from .check(), convert it directly:
result = compliance.check(
action="transfer_funds",
params={"amount": 5_000_000, "currency": "NGN"},
)
cert = result.to_certificate(
sector_pack="Nigeria Fintech Compliance",
jurisdictions=["NG"],
)
Exporting
- JSON
- Python dict
- Write to file
# Pretty-printed JSON string — ready to write to a file or send to an API
json_str = cert.to_json()
print(json_str)
Example output:
{
"certificate_id": "cert_a3f9e12b8c01",
"issued_at": "2026-07-09T08:15:32.441Z",
"sector_pack": "Nigeria Fintech Compliance",
"jurisdictions": ["NG"],
"regulations": [
"Nigeria Data Protection Act 2023",
"CBN Consumer Protection Framework 2022",
"NFIU / MLPPA 2022"
],
"overall": "deny",
"passed": false,
"packs_evaluated": [
"nigeria/cbn",
"nigeria/ndpa",
"nigeria/nfiu-aml",
"universal/pii-leakage"
],
"violations": [
{
"pack": "nigeria/nfiu-aml",
"regulation": "NFIU / MLPPA 2022",
"jurisdiction": "NG",
"action": "deny",
"messages": ["Transaction exceeds ₦5,000,000 single-transaction threshold (CTR required)"],
"citations": [{ "article": "Section 9", "text": "Currency Transaction Report..." }]
}
],
"audit_id": "aud_7c2d4e9f1a",
"integrity_hash": "b3a7f2c...e91d"
}
# Raw dict — for storing in a database, passing to other systems, etc.
data = cert.to_dict()
assert data["passed"] is False
assert "integrity_hash" in data
import pathlib
pathlib.Path("audit_cert.json").write_text(cert.to_json())
Verifying integrity
The integrity_hash is a SHA-256 fingerprint of the evaluation's audit_id, overall decision, violations, and packs evaluated — computed at generation time.
Two certificates generated from the same ComplianceResult will always produce the same hash. If the hash changes, the certificate has been modified.
# Verify a certificate hasn't been tampered with after the fact
import hashlib, json
def verify_certificate(cert_dict: dict) -> bool:
payload = json.dumps(
{
"audit_id": cert_dict["audit_id"],
"overall": cert_dict["overall"],
"violations": cert_dict["violations"],
"packs": cert_dict["packs_evaluated"],
},
sort_keys=True,
)
expected = hashlib.sha256(payload.encode()).hexdigest()
return expected == cert_dict["integrity_hash"]
data = cert.to_dict()
assert verify_certificate(data)
Combining with signed receipts
Certificates and receipts serve different purposes and complement each other:
| Certificate | Signed receipt | |
|---|---|---|
| Format | JSON | JWT |
| Audience | Auditors, regulators | Downstream systems, APIs |
| Verification | Integrity hash (manual) | Ed25519 signature (automatic) |
| Readability | Human-readable | Machine-readable |
| Use case | Regulatory filings, audit logs | Runtime proof, inter-service trust |
For the highest assurance, generate both from the same result:
from comply54 import NigeriaFintechCompliance
from comply54.receipts import sign_result, load_or_generate_key
compliance = NigeriaFintechCompliance()
result = compliance.check(action="transfer_funds", params={"amount": 5_000_000, "currency": "NGN"})
# Auditor-exportable certificate
cert = result.to_certificate(
sector_pack="Nigeria Fintech Compliance",
jurisdictions=["NG"],
)
# Machine-verifiable JWT receipt
key = load_or_generate_key()
receipt_jwt = sign_result(result, key)
Related
- Signed compliance receipts — compact Ed25519-signed JWT for machine verification
- Nigerian fintech sector pack
- NFIU / MLPPA 2022 policy reference
- NDPA 2023 policy reference