
10 Min
Ask who owns policy in a BFSI institution and you will get three different answers depending on who you ask.
Legal will tell you they own it - they drafted it, they reviewed it, they approved it.
Product will tell you they own it - they translate it into product behaviour and are accountable for the customer experience it creates.
Tech will tell you they own it - they implement it in the rule engine and are responsible for its technical integrity.
Compliance will tell you everyone owns it, which in practice means something closer to nobody owns it in the way that matters. This is the same condition we've described as policy documents that nobody fully understands: a document that exists, that everyone can point to, and that no single function can fully account for once it reaches production.
This distributed ownership is not a governance failure in the traditional sense. It is a structural reality of how policy works in complex financial institutions. Policy is authored in one function, interpreted in a second, and implemented in a third.
Each step is necessary. Each step is also a point where the original intent can drift - subtly, unintentionally, and without any individual person being wrong.
The result is a gap between what the policy says and what the institution actually does. That gap is where regulatory findings live. It is where mis-selling complaints originate. It is where incorrect claims decisions are generated. And it is where the COO gets called to explain something that nobody in their organisation deliberately caused.
The three translations where drift enters
Understanding how policy drift occurs requires mapping the journey a policy takes from authorship to live implementation - because the drift does not happen in a single step. It accumulates across three distinct translations, each of which introduces its own version of the problem.
Translation one: legal to product. The legal and compliance team drafts a policy. It is written in the precise, qualified language that regulatory and legal accuracy requires - conditional clauses, defined terms, exceptions nested within exceptions. The product team reads it and must extract, from this document, a set of product behaviours and customer-facing rules. They interpret. They simplify. They make judgment calls about what the policy means in terms of actual product decisions.
These judgment calls are reasonable and often correct. But they are interpretations, not the original text. The product team's read of a clause about income verification eligibility may be slightly different from what the compliance team intended when they drafted it. Neither party is wrong in their own frame. The gap between their frames is the first point of drift.
Translation two: product to tech. The product team produces a specification. It describes the intended product behaviour in functional terms - the rule logic, the eligibility criteria, the exception handling. The engineering team reads it and implements it in the rule engine. They translate functional language into executable code.
Every developer who has worked on a compliance or policy feature knows this translation involves its own set of judgment calls. Ambiguities in the spec get resolved at implementation time. Edge cases not explicitly covered by the specification get handled based on the developer's best interpretation.
A condition in the spec that says "tenure of more than 12 months" gets implemented as either greater than or greater than or equal to - a one-character difference that changes the outcome for a specific class of applicants and may not be caught until a quality review surfaces it months later.
Translation three: implementation to ongoing reality. The rule is live. The policy document is filed. Everyone moves on to the next initiative. Then the regulator issues an update. The product launches a new variant. A distribution channel adds a configuration that was not anticipated in the original implementation. Each of these events requires the policy, the product spec, and the rule implementation to be updated in sync. In most institutions, they are updated sequentially, each with a lag, and the synchronisation is never verified systematically. This sequential handoff, repeated across every policy update an institution issues in a year, is where the hidden cost of manual policy management actually accumulates, in the labour and risk of keeping three functions synchronised by hand.
"Regulators don't audit documentation. They audit actual control posture. The gap between what the policy document says and what the rule engine does is exactly the gap that regulatory findings live in."
What the gap looks like in practice
The consequences of policy drift are rarely dramatic at the point they occur. They are almost always discovered later - in audit findings, in customer complaints, in claims disputes, in regulatory correspondence that arrives unexpectedly and requires an answer about a decision that was made months or years ago.
An insurer's underwriting policy specifies that applicants with a BMI above a certain threshold in combination with a pre-existing condition are subject to additional loading. The product team implements this as a rule requiring manual underwriter review. The engineering team implements the trigger condition slightly differently than the spec described - a boundary condition is handled incorrectly. For two years, some applicants who should have been referred for manual review are auto-approved without it. The financial exposure accumulates quietly until a claims audit surfaces the pattern. The financial exposure accumulates quietly until a claims audit surfaces the pattern. Underwriting and claims decisions inherit exactly this kind of gap when the verification systems for policy endorsement and claims lifecycles sitting upstream were never designed to catch it.
A bank's credit policy is updated to tighten income verification requirements for a specific borrower segment following an RBI circular. The compliance team updates the policy document. The product team is briefed. The engineering change request is submitted. It enters the sprint queue. Four weeks pass before the rule engine is updated. During those four weeks, loans are approved under the old criteria. The bank is aware of the new requirements. The rule engine is not. The gap between policy and implementation is four weeks of potential regulatory exposure.
A lender's loan against property product is governed by an LTV policy that specifies different caps by property type and city tier. Over time, the policy is updated several times. Each update is implemented in the rule engine - mostly correctly.
But two updates in, a conflict between two policy clauses was never resolved explicitly, and the tech team made a call. The call was defensible. It was not documented. In a regulatory audit three years later, the institution cannot explain why certain decisions were made the way they were, because the rationale lives in the memory of an engineer who has since left the company.
Why accountability without ownership creates the worst outcomes
The organisational dynamics around policy failures are particularly corrosive precisely because of the distributed ownership structure.
When a regulatory finding surfaces a gap between a stated policy and actual practice, the investigation that follows typically reveals that every function involved was acting in good faith within their own domain.
Legal drafted an accurate policy. Product interpreted it reasonably. Tech implemented the spec they were given. Nobody did anything wrong.
And yet the institution is facing a finding because the system of translations produced an outcome that diverged from what was intended.
In this situation, the accountability falls to whoever is responsible for the outcome - typically the COO, the CRO, or the Chief Compliance Officer - without those people having had meaningful visibility into the translation chain that produced the problem.
They are accountable for a gap they did not create and could not have detected with the oversight mechanisms available to them.
This is the accountability-without-ownership problem. It is not solved by reorganising reporting lines or adding more review checkpoints to an already laborious process. It is solved by changing the architecture - by creating a system where the translation chain from policy document to live rule is structured, traceable, and verifiable rather than human-dependent and opaque.
What structured policy governance requires
The institutions that have genuinely solved the distributed ownership problem share a structural characteristic: they have collapsed the translation chain. The distance between the policy document and the live rule is shorter, more transparent, and more verifiable than it is in institutions still managing policy through the sequential handoff model.
This means the policy document is not a static file in a shared drive. It is a structured, version-controlled object - one that can be queried, compared, and traced to the rule it produced. This is the practical mechanics of turning policy documents into enforceable rules: making the translation explicit within the existing rule engine rather than treating it as a one-time interpretation exercise that nobody revisits.
When a legal clause is updated, the update propagates with a clear record of what changed, when, and who approved it. When the rule engine implementation is updated, it is linked explicitly to the policy version it reflects. The gap between "what the policy says" and "what the rule does" is surfaced as a measurable, auditable relationship rather than discovered as a mystery during an investigation.
It also means conflict detection is systematic rather than accidental. When two policy updates produce conflicting rule logic - a scenario that is more common than most institutions acknowledge - the conflict is flagged before deployment, not discovered after it has been producing incorrect decisions for months.
And it means the audit trail exists as a byproduct of normal operations. When a regulator asks "what was your underwriting policy for this product on this date and how was it implemented" - the answer comes from a system, not from a forensic reconstruction of emails and Jira tickets. The institution that can answer this question in hours has a fundamentally different regulatory relationship than the one that takes three weeks to assemble an answer it is not fully confident in.
Where PolicyOS sits in this architecture
PolicyOS by TartanHQ is built specifically for this problem - the gap between policy intent and rule implementation in BFSI institutions where the translation chain is long, distributed, and currently invisible.
PolicyOS sits between the policy document and the production rule engine. It ingests the policy, structures it into rule-ready logic, detects conflicts with existing rules before deployment, generates test scenarios to validate correctness, and maintains a version-controlled audit trail of every change from document to deployed rule. The translation from legal language to executable logic is structured and auditable rather than human-dependent and opaque.
For the COO or compliance head who currently owns outcomes they cannot trace - policy failures that nobody caused and nobody can explain - PolicyOS creates the visibility that makes accountability meaningful rather than arbitrary. The gap between what the policy says and what the rule engine does becomes a managed, monitored relationship rather than a structural unknown that surfaces only during audits.
The policy that nobody owns is not a people problem. It is an architecture problem. And it has an architectural solution.
Tartan helps teams integrate, enrich, and validate critical customer data across workflows, not as a one-off step but as an infrastructure layer.




