BCBS d457 · Standardised Approach & Internal Models · 76 / 76 tests passing · Phase 8 shipped · Self-hosted · Postgres + FastAPI + React
FRTB SA Calculator · OrbaOS · Capital governance suite
FRTB Capital Governance Edition 2026.05

Capital figures your audit, model‑risk, and regulator can replay, line by line.

A self-hosted FRTB calculator where every number is a node in a Merkle DAG anchored to its inputs and to the function identity that produced it. Drift any of those — input bytes, schema contract, engine version, regime parameters — and the verifier identifies the exact node where the chain breaks.

Institutional infrastructure, not a self-serve product. Access granted after a brief conversation. Marketing pages, doctrine, roadmap, and verifier explainer are public.

  • SBM · DRC · RRAO: Standardised Approach engine
  • IMCC + SES: Internal Models · RFET / NMRF
  • PRA · EBA · APRA: Regulator-template exports

Calibrated against:

  • BCBS d457: Minimum capital · Market risk
  • Basel 3.1: Default regime · shipped
  • PRA SS21/15: UK · reconciliation sheet
  • EBA C 90/91/92: EU · COREP templates
  • APRA APS 116: AU · paragraph mapping

§ 01  Doctrine

Why institutional risk teams choose it

Most FRTB programmes don't fail on the math. They fail because no two systems agree on which input row produced which capital number — and audit can't prove either. This calculator is built on the inverse premise: admissibility before calculation.

/ 01

Admissibility before calculation

A capital figure is a node in a Merkle DAG anchored to its input leaves and to the function identity that produced it. Drift any of those — input bytes, schema contract, engine version, regime parameters — and the root hash changes. The verifier identifies the exact node where the chain breaks.

SHA-256 over canonical JSON · Pure-function verifier

/ 02

Self-hosted on your network

One command, make up, brings up Postgres, the FastAPI backend, an nginx-fronted React UI, and the marketing site on a single host. Trades, sensitivities, and capital numbers never leave your infrastructure. Cloud deploy via Railway templates if you prefer.

Docker Compose · OIDC / API keys · Retention controls

/ 03

Verified math, falsifiable lineage

FRTB SA — sensitivity scaling, within/across-bucket aggregation, DRC, RRAO — pinned to hand-computed expected values. IMA pipeline shipped: ES, multi-LH aggregation, IMCC, RFET, NMRF, SES. A stateless verifier replays every figure offline from the saved lineage.

76 tests · CI on every push · 9 falsification axes

/ 04

Three-mode adoption · warn → gate → block

Roll the doctrine out without breaking your existing upload paths. warn observes refusals as data. gate requires a paired-actor override token, scoped and single-use. block fails closed. Every refusal is a first-class, queryable persisted entity.

423 Locked · 409 Conflict · 5-minute scoped tokens

§ 02  Admissibility flow

From upload to verified root, six steps

A row enters the system only after the caller has been shown its canonical form and echoed the hash back. A figure is produced only from inputs whose hashes are recorded under a registered function reference. An export ships only when the chain verifies. A refusal is itself a first-class persisted entity.

  1. POST /uploads/parse

    Parse and canonicalise

    Validates the row against a registered schema contract — numeric fields must declare a unit. Returns the canonicalised payload, payload_sha256, per-row leaf hashes, and a pending_upload_id.

  2. POST /uploads/{id}/commit

    Echo the hash back

    Only succeeds if the caller echoes payload_sha256 verbatim. Mismatches and double-commits return 409 plus a structured InadmissibilityEvent. On success, rows become provenance_node[input_leaf].

  3. GET /portfolios/{id}/capital

    Calc emits a Merkle root

    Builds input_leaves → function_node → output_root. The function node binds engine version + regime + parameter-set hash, so any drift breaks the chain on the next replay.

  4. GET /portfolios/{id}/export/{template}

    Export embeds the root

    Excel exports carry a Provenance sheet with the root hash, the function reference, and per-row leaf hashes. In block mode the renderer refuses if any row lacks provenance.

  5. GET /admissibility/lineage/{root}

    Replay anywhere

    Returns the full DAG as JSON. A regulator or auditor can run the verifier offline against the saved lineage and reconstruct every hash from leaves to root, no backend access required.

  6. GET /admissibility/events

    Refusals as data

    Lists every refusal — filterable by reason_code, mode, portfolio_id. The audit answer to "show me every refused computational state in the last quarter."

§ 03  Adoption path

Three modes, one variable

Set ADMISSIBILITY_MODE on the backend container. The intended adoption path is warn → gate → block. Migration from warn to gate makes every override a paired audit event; migration to block removes the override entirely.

Default · onboarding
warn

Observe; preserve adoption.

A provenance gap on calc or export proceeds, but persists an InadmissibilityEvent so the gap is observable. Useful for rolling out the doctrine without breaking the legacy upload path.

HTTP 200 OK + event recorded
Operating posture
gate

Acknowledge; pair the actors.

Refuses with 423 Locked unless a single-use override token is presented. Tokens are scoped to (operation, portfolio_id, reason_code), expire in 5 minutes, and require different actors on issuance vs consumption.

HTTP 423 Locked · 4-eyes override

Destination state
block

Fail closed. No override path.

Refuses with 409 Conflict. A bearer with a token in block mode still gets 409. Every figure that ships is anchored to a verified root. The doctrine, fully enforced.

HTTP 409 Conflict · terminal posture

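The three modes and the gate-mode override rules as an added Python example; it is not the product's code. The in-memory token store, the function names, the 200 returned after a valid override, and the sample operation and reason code are assumptions.

```python
import secrets
import time

TTL_SECONDS = 300  # 5-minute token lifetime, as stated above
_tokens = {}       # token -> record; in-memory stand-in for a persisted table (assumption)

def issue_override(issuer, operation, portfolio_id, reason_code, now=None):
    """Issue a single-use token scoped to (operation, portfolio_id, reason_code)."""
    issued_at = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"issuer": issuer, "used": False,
                      "scope": (operation, portfolio_id, reason_code),
                      "expires": issued_at + TTL_SECONDS}
    return token

def _consume(token, actor, scope, now):
    rec = _tokens.get(token)
    if rec is None or rec["used"] or now >= rec["expires"]:
        return False  # unknown, replayed, or expired
    if rec["scope"] != scope or rec["issuer"] == actor:
        return False  # wrong scope, or issuer consuming their own token (not 4-eyes)
    rec["used"] = True  # burn on first successful use
    return True

def decide(mode, actor, operation, portfolio_id, reason_code, token=None, now=None):
    """HTTP status for an operation that hit a provenance gap."""
    now = time.time() if now is None else now
    if mode == "warn":
        return 200  # proceeds; the caller persists an InadmissibilityEvent
    if mode == "block":
        return 409  # fail closed; any presented token is ignored
    if mode == "gate":
        scope = (operation, portfolio_id, reason_code)
        ok = token is not None and _consume(token, actor, scope, now)
        return 200 if ok else 423  # 200 on a valid override is an assumption
    raise ValueError(f"unknown ADMISSIBILITY_MODE: {mode!r}")
```
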
§ 04  Falsifiable lineage

Five things the verifier catches at the exact broken node

The verifier (backend/app/admissibility/verifier.py) is a stateless function. Hand it a saved lineage payload and it recomputes every claimed hash from its claimed payload. Each failure mode below is provable in a unit test against a deliberately tampered fixture.

HASH_MISMATCH

Byte mutation in any leaf or interior payload — flagged at the tampered node, not at the root.

EDGE_LEAF_MISMATCH

A function_node whose payload claims a different set of leaves than its edges actually carry.

EDGE_FUNCTION_MISMATCH

An output_root pointing at a function_node not present in its edges. No silent re-parenting.

FUNCTION_REFERENCE_DRIFT

The function_node's claimed engine + regime + parameter-set hash differs from what the caller expects — silent parameter changes are caught.

ROOT_NOT_IN_NODE_SET

The lineage payload's claimed root has no matching node — orphan root, refused.

These five failure modes plus their happy-path counterparts are 9 of the 76 tests that run on every push.
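The five failure modes above, checked over the input_leaves → function_node → output_root shape from the admissibility flow, as an added Python example; it is not the project's verifier.py. The lineage layout (root / nodes / edges, with kind and payload fields), the canonicalisation (sorted keys, compact separators) and all sample values are assumptions.

```python
import hashlib
import json

def canon_hash(obj):
    # Assumed canonical form: sorted keys, compact separators, UTF-8 bytes.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def node(kind, payload):
    # A node's hash covers its kind and payload (assumed layout, not the product's).
    return {"kind": kind, "payload": payload,
            "hash": canon_hash({"kind": kind, "payload": payload})}

def verify(lineage, expected_ref):
    """Recompute every claimed hash; return [(reason_code, node_hash)], empty if clean."""
    findings = []
    nodes = {n["hash"]: n for n in lineage["nodes"]}
    if lineage["root"] not in nodes:
        findings.append(("ROOT_NOT_IN_NODE_SET", lineage["root"]))
    inputs = {}  # node hash -> hashes that edges feed into it
    for e in lineage["edges"]:
        inputs.setdefault(e["dst"], set()).add(e["src"])
    for h, n in nodes.items():
        p = n["payload"]
        if canon_hash({"kind": n["kind"], "payload": p}) != h:
            findings.append(("HASH_MISMATCH", h))
        if n["kind"] == "function_node":
            if set(p["leaves"]) != inputs.get(h, set()):
                findings.append(("EDGE_LEAF_MISMATCH", h))
            if p["function_reference"] != expected_ref:
                findings.append(("FUNCTION_REFERENCE_DRIFT", h))
        elif n["kind"] == "output_root" and p["function_node"] not in inputs.get(h, set()):
            findings.append(("EDGE_FUNCTION_MISMATCH", h))
    return findings

def build_sample():
    # Constructed lineage: two input leaves, one function node, one output root.
    ref = {"engine": "0.0.0-example", "regime": "basel-3.1",
           "parameter_set_sha256": canon_hash({"example_param": "0.5"})}
    leaves = [node("input_leaf", {"row": i, "value": v, "unit": "USD"})
              for i, v in enumerate(["100.00", "-40.00"])]
    fn = node("function_node", {"leaves": [l["hash"] for l in leaves],
                                "function_reference": ref})
    root = node("output_root", {"function_node": fn["hash"],
                                "capital": "30.00", "unit": "USD"})
    edges = [{"src": l["hash"], "dst": fn["hash"]} for l in leaves]
    edges.append({"src": fn["hash"], "dst": root["hash"]})
    return {"root": root["hash"], "nodes": leaves + [fn, root], "edges": edges}, ref
```

Numeric values are carried as strings here so the canonical bytes do not depend on float formatting.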

§ 05  Inside the product

What you see once a credential is issued

The product UI sits behind authentication in production. Each module corresponds to a tab in the frontend.

  • Dashboard: Total capital with SBM / DRC / RRAO breakdown. Stacked bar by risk class; export to Excel, PDF, EBA, PRA, APRA in a click. [Screenshot: capital breakdown KPIs and per-risk-class stacked bar chart]
  • Lineage: Every capital figure as a DAG. Input leaves → function node → output root. Each node carries its SHA-256; JSON exports for offline replay. [Screenshot: three-column DAG viewer]
  • Scenarios: Five historical-crisis presets. GFC 2008, EZ debt 2011, SNB 2015, COVID 2020, UK LDI 2022 — editable before running. [Screenshot: per-factor multipliers and Load preset dropdown]
  • Firm: Diversified vs naïve aggregation. Pool selected portfolios' sensitivities, run the engine once, surface the diversification benefit. [Screenshot: multi-portfolio aggregation with diversification benefit]
  • History: Capital trend per desk. Total / SBM / DRC / RRAO across portfolio versions; latest, peak, and PoP delta as KPIs. [Screenshot: capital trend over time per desk]
  • Audit trail: Append-only, downloadable as Excel. Actor + timestamp + structured details per action — every upload, calc, export, override.
  • Alerts: Concentration & KRI breaches. Default rule library ships with the calculator; thresholds tunable per desk.

§ 06  Roadmap

Eight phases shipped. Phase 9 in scoping.

Live status, generated from the same source of truth that drives ROADMAP.md. Updated whenever a feature ships.

Phase 1 · shipped

MVP scaffold

End-to-end: upload sensitivities → calculate capital → export Excel.

  • FRTB SA calculation engine: Sensitivity scaling, within/across-bucket aggregation, DRC, RRAO.
  • REST API surface: Desks, portfolios, risk-factor upload, capital, audit trail, Excel export.
  • Versioned regulatory regime loader: Basel 3.1 calibration shipped; drop a JSON to add another.
  • React + Recharts frontend: Upload (JSON / CSV), Dashboard, Audit trail.
  • Docker Compose + Railway templates: Postgres + backend + nginx-fronted frontend.

Phase 1.5 · shipped

Admissibility doctrine

Capital figures become nodes in a Merkle DAG; refusals become first-class data; tampering caught at the exact broken node.

  • Canonical hashing + provenance graph: SHA-256 over canonical JSON; provenance_nodes / edges / events / pending_uploads / schema_contracts / function_references.
  • Two-step admissibility ingest: /uploads/parse returns canonicalised payload + hash; /uploads/{id}/commit only succeeds when the caller echoes the hash back.
  • Calc emits Merkle root: input_leaves → function_node → output_root. The function_node binds engine + regime + parameter-set hash.
  • Excel export embeds the root: Provenance sheet with root, function_reference, per-row leaf hashes. In block mode the renderer refuses missing provenance.
  • Three modes (warn / gate / block): ADMISSIBILITY_MODE env var. Migration warn → gate → block documented.
  • Falsification suite: 9 tests prove byte mutation, schema drift, function-reference drift each caught at the EXACT broken node.

Phase 2 · shipped

Reporting & scenarios

Board-ready PDF, scenario testing, and pre-loaded Basel stress scenarios.

  • PDF export (board summary): 1–2 page board pack with capital breakdown and key drivers.
  • Scenario builder UI: Per-factor δ / vega / curvature multipliers; base vs scenario side-by-side.
  • Pre-loaded stress scenarios: GFC 2008, EZ debt 2011, SNB 2015, COVID 2020, UK LDI 2022.
  • Multi-portfolio aggregation: Pool selected portfolios' sensitivities, run the engine once, surface diversification benefit. Refuses cross-regime aggregation.

Phase 3 + 7 + 8 · shipped

Internal Models & modellability

End-to-end IMA: ES, multi-LH aggregation, IMCC, RFET, NMRF identification, SES capital add-on, total-capital orchestrator.

  • Expected Shortfall engine: Liquidity-horizon scaled ES with regression tests.
  • P&L attribution + backtesting: Hypothetical vs risk-theoretical P&L; daily VaR backtests with traffic-light reporting.
  • Multi-LH ES aggregation (BCBS 457 §181): Across the five liquidity-horizon categories with the regulator's nested formula.
  • RFET + NMRF + SES: ≥24 obs/12m + no 90-day window with <4; per-NMRF SES with §188 aggregation.
  • Total IMA capital orchestrator: Total = m_c × IMCC + SES (NMRF). The headline IMA capital number.

Phase 4 + 5 + 6 · shipped

Templates, ops, boundary

Drop-in regulator templates, day-2 operations, and the trading-book boundary workflow.

  • PRA SS21/15 · EBA · APRA templates: UK / EU / AU regulator filing formats with mapping sheets.
  • SSO / OIDC / API-key auth: REQUIRE_AUTH gate, BOOTSTRAP_API_KEY seed, RS256/JWKS-backed bearer validation.
  • Concentration & KRI alerts: Default rule library; thresholds tunable per desk.
  • Data retention controls: RETENTION_PORTFOLIO_DAYS env + /retention/purge for compliant deletes.
  • Trading book boundary · 4-eyes: Per-instrument TB/BB designation, presumptive lists, request/approve workflow.

§ 07  Deployment

Built to run in your environment

Self-hosted by default — no outbound traffic to a vendor cloud. The backend's lifespan handler applies the admissibility schema migration idempotently on every start. A standalone migration runner is available for operators who prefer migrations as a distinct deploy step.

One command, four services

Docker Compose brings up Postgres, the FastAPI backend, an nginx-fronted React UI, and the marketing site on a single host. Trades, sensitivities, and capital numbers never leave your network.

  • Postgres with persistent volume; lifespan-applied migrations
  • FastAPI backend with OpenAPI docs at /docs
  • Audit trail per portfolio; refusals queryable as data
  • Standalone runner: python -m scripts.migrate
  • Cloud deploy via Railway templates if preferred

Full observability of the math

Excel exports include an Assumptions sheet with every scaling factor, correlation, and regime parameter applied — plus a Provenance sheet with the root hash, the function reference, and the per-row leaf hashes, so risk and audit teams can reproduce any number without reading source.

  • Within / across-bucket aggregation, transparent
  • DRC and RRAO computed inline; documented assumptions
  • 76 calculation, API, and admissibility tests in CI on every push
  • Versioned regimes: Basel 3.1 today; PRA / EBA / APRA shipped
  • Stateless verifier replays every figure offline from saved lineage
§ 08  Request access

Tell me about your firm.

The tool is institutional infrastructure, not a self-serve product. I'll get back within two business days. No marketing list, no automated nurture sequence — this routes directly to my inbox.

  • Which scope: SA, IMA, or regulator templates
  • Deployment path: self-host vs cloud
  • Programme timeline + jurisdictions in scope