# Annex IV Technical Documentation Template — Credit Underwriting (editable)

Not legal advice. This is an operational template designed to map each claim to evidence you can
export later.

Version: v1.0  
Last updated: 2025-12-16  
Changelog:
- 2025-12-16 v1.0 Initial release

Report an issue: https://kla.digital/contact?subject=Template%20issue%20-%20Annex%20IV%20Credit%20Underwriting

## Document control

- System name:
- Owner (function + name):
- Approvers (function + name):
- Scope / boundary (what is in-scope vs out-of-scope):
- Deployed regions and user groups:
- Versions in service (model/prompt/policy/workflow):
- Links (repo, runbooks, dashboards, risk register):

## One-page Annex IV summary (forwardable)

- Intended purpose:
- Decision(s) supported or automated:
- Primary users (roles) and affected persons:
- Human oversight checkpoints (where humans can approve/override/stop):
- Data sources (top 5):
- Primary harms & mitigations (top 5):
- Monitoring signals & thresholds:
- Logging & retention policy (default 7+ years if applicable):
- Evidence export location (manifest / bundle ID):

## 1) General description (Annex IV item 1)

### 1.1 Intended purpose + outcomes

- [ ] What problem does the system solve?
- [ ] What decision or recommendation does it generate (e.g., credit limit, pricing tier, approval)?
- [ ] What decisions are explicitly NOT automated by this system?

### 1.2 Deployment context

- [ ] Where does it run (SaaS, on-prem, hybrid)?
- [ ] What systems does it connect to (core banking, CRM, underwriting, data lake)?
- [ ] Fallback modes (manual processing, rules-only, queueing)?

## 2) System elements & development process (Annex IV item 2)

### 2.1 Workflow components (provider-grade level of detail)

- [ ] Inputs captured (application fields, bureau data, bank statements, device signals)
- [ ] Feature engineering pipeline (where, when, who owns it)
- [ ] Model(s) used (name, version, training window)
- [ ] Decision logic (rules, thresholds, policy gates)
- [ ] Adverse action flow (notice generation, rationale capture, audit)

### 2.2 Data governance

- [ ] Data sources + contracts/permissions
- [ ] Data quality checks (missingness, outliers, stale data)
- [ ] Retention schedule for input data vs logs (separate)
- [ ] Access controls (who can view, export, administer)

## 3) Monitoring, functioning, control (Annex IV item 3)

### 3.1 Capabilities + limitations

- [ ] Known blind spots (new geographies, thin-file applicants, novel fraud)
- [ ] Out-of-distribution (OOD) / drift detection approach
- [ ] “Do not use for” statements (explicit boundaries)

### 3.2 Human oversight triggers (tie to your oversight SOP)

- [ ] High-risk decisions requiring review (define)
- [ ] Low-confidence or out-of-distribution cases
- [ ] Policy near-misses / blocked attempts
- [ ] Escalation ladder (who, SLA, decision authority)

## 4) Performance metrics & thresholds (Annex IV item 4)

- [ ] Metric definitions (AUC, calibration error, approval rate, false positive/negative costs)
- [ ] Segment performance checks (by region, channel, portfolio segment)
- [ ] Fairness checks (if applicable to your use case and data)
- [ ] Acceptance thresholds and who approves changes

## 5) Risk management system (Annex IV item 5)

Link to risk register:

### 5.1 Typical credit underwriting harms (prompt list)

- [ ] Disparate impact or discriminatory outcomes
- [ ] Unfair denial due to proxy variables or data quality issues
- [ ] Inability to explain/rationalize key drivers (internal + customer-facing)
- [ ] Fraud / identity errors causing improper denial or approval
- [ ] Operational abuse (gaming application inputs)

### 5.2 Mitigations + verification evidence

- [ ] Mitigation implemented:
- [ ] Verification evidence (tests, sampling results, review queue labels):
- [ ] Residual risk and acceptance record (who signed, when):

## 6) Lifecycle changes (Annex IV item 6)

- [ ] Define “material change” for this system
- [ ] Change control process (who approves, what evidence is required)
- [ ] Versioning strategy (model/prompt/policy/workflow)

## 7) Standards / technical specs (Annex IV item 7)

- [ ] Standards used (if any)
- [ ] Internal controls mapped (policy-as-code references)

## 8) Declaration of conformity reference (Annex IV item 8)

- [ ] DoC location (internal reference, controlled doc ID)

## 9) Post-market monitoring plan reference (Annex IV item 9)

- [ ] Monitoring plan link:
- [ ] Sampling policy section link:
- [ ] Incident response runbook link:

## Evidence pointers (what auditors typically ask you to attach/export)

- [ ] Evidence pack manifest (bundle ID + checksums)
- [ ] Model/prompt/policy/workflow versions in effect at decision time
- [ ] Oversight records (approvals, escalations, overrides with justification)
- [ ] Sampling outcomes and reviewer guidance
- [ ] Drift/performance reports and threshold change approvals
- [ ] Incident reports + corrective actions

