PRISM Audit — Northway Financial Group — Private Client Onboarding

Moschetti Consulting

PRISM Audit · Engagement Report

Private Client Onboarding
as observed and as specified.

A two-week assessment of the current onboarding process, with findings, gap-filler inventory, AI integration risk, and a draft PRISM (Process Resource and Interaction Specification).

Prepared for

Northway Financial Group
Wealth Management Division

Engagement

PA-2026-014

Engagement period

14 — 28 March 2026

Prepared by

Moschetti Consulting

Confidential · For internal Northway use only

§ 00Contents

§ 01Executive summary3

§ 02Engagement scope and method4

§ 03The process as observed5

§ 04Findings7

§ 05Gap-filler inventory10

§ 06AI integration risk assessment12

§ 07Recommendations14

App. ADraft PRISM (excerpt)16

App. BInterviewees and source documents18

Document conventions

Findings are numbered F-NN; recommendations R-NN; gap-filler entries GF-NN. Severity classifications (HIGH / MEDIUM / LOW) refer to the impact on AI integration readiness, not to general operational risk.

The Draft PRISM in Appendix A is rendered in structured Markdown, which is the canonical format used in the Moschetti Consulting methodology. The format is human-readable and machine-readable; downstream tooling derives implementation, tests, monitoring, and audit evidence from this single source.

§ 01Executive summary

Northway's private client onboarding process functions, but it functions on a foundation of human accommodations that would not survive the AI-assisted automation contemplated in the Q2 2026 platform program. The two-week assessment identified twelve findings across the process, of which four are classified HIGH severity for AI-integration readiness. A draft PRISM has been produced for the assessed process and is included as Appendix A.

Headline observations

Documented vs. observed steps

14 → 27

The current process documentation describes 14 steps. We observed 27 substantive transitions in real cases — a gap closed by undocumented human work.

Time-in-process variance

3 — 41 days

Sampled cases ranged from 3 to 41 calendar days. Median 11 days; the variance is dominated by exceptions handled outside the documented flow.

Gap-filler dependencies

17

Distinct human accommodations identified. Of these, 11 are concentrated in three roles. Two roles are held by single individuals nearing retirement.

Free-text load-bearing

~6%

Of sampled onboarding cases, ~6% contained processing-critical instructions in the Comments or Notes free-text fields. None of these are validated by the system.

Bottom line

The Q2 platform program, as currently scoped, is likely to deliver a faster process that produces more inconsistent outcomes than the current process — because the AI-assisted steps will operate on the documented process, not the observed one. The shortest path to a successful integration is not to rescope the platform program. It is to produce, in advance of the integration, the specification artifact described in Appendix A — fully closed and simulated — and to use that artifact as the input to the platform team rather than the current documentation. We estimate this work, fully scoped, at 8 — 10 weeks.

What follows

§ 02 describes the scope and method of this two-week engagement. § 03 reconstructs the process as actually observed, contrasted with the documented version. § 04 enumerates the twelve findings. § 05 inventories the gap-filler dependencies. § 06 assesses the integration risk against the Q2 program scope. § 07 presents seven prioritized recommendations. Appendix A contains the draft PRISM excerpt; Appendix B documents interviewees and sources.

§ 02Engagement scope and method

In scope

The private client onboarding process within the Wealth Management Division of Northway Financial Group, US domicile, from receipt of the prospect's application through funded-account status and assignment of an active relationship manager. Both individual and joint account types are included. Trust and entity-account onboarding are excluded, as are corporate banking and institutional flows.

Out of scope

Vendor and counterparty onboarding; AML and KYC source-system implementation (assessed as upstream dependencies but not redesigned); the prospect-acquisition pipeline preceding application receipt; ongoing servicing post-funding.

Method

Activity	Detail
Document review	Process documentation, training materials, system documentation, audit findings (last 24 months), prior consulting outputs (2 prior engagements, 2022 and 2024).
System inspection	Read-only access to onboarding workflow system, KYC vendor portal, document-management system, customer master, and ticketing system.
Case sampling	40 onboarding cases sampled across the prior 90 days, stratified by account type and relationship-manager office.
Interviews	13 interviews across 11 individuals; roles documented in Appendix B.
Observation sessions	4 sessions of live workflow handling, 2 hours each, with KYC ops and onboarding-team operators.
Specification draft	Iterative drafting of the PRISM for the assessed process, run through preliminary closure-completion review (Appendix A reflects state at engagement end; further iteration recommended).

Limitations

The two-week engagement window is sufficient to identify the structural patterns documented in this report and to produce a credible draft PRISM, but it is not sufficient to fully close the specification under the methodology's adversarial-interrogation discipline. Recommendation R-01 addresses this scope explicitly. We did not interview Northway's external KYC vendor; representations about the vendor interface are based on Northway operator accounts and the vendor portal's behavior, not on direct vendor consultation.

Confidentiality and use

This document contains observations about Northway's internal processes and named individuals' roles. It is provided under the terms of the engagement letter dated 10 March 2026. Distribution beyond the named recipients listed on the cover requires written agreement.

§ 03The process as observed

The diagrams below contrast the process as documented in Northway's current onboarding playbook (Fig. 1) with the process as we observed it in the 40-case sample (Fig. 2). The contrast is the substantive finding of this section; the individual deviations are catalogued in § 04.

Fig. 1 — Onboarding process as documented in Northway WM Operations Manual rev. 7.2 (2024).

Fig. 2 — Onboarding process as observed in 40-case sample. Solid boxes are documented steps; italic red text identifies undocumented sub-steps and accommodations; dashed red arcs indicate observed reverse-flow loops not represented in the documentation.

The headline observation is that no observed case in our 40-case sample completed using only the steps in Fig. 1. The closest case used 19 of the 27 transitions; the typical case used 22 — 25. The unaccounted-for steps are not exceptions in any meaningful sense; they are the work.

Time-in-process distribution

The 40-case sample showed a median onboarding duration of 11 calendar days against a stated target of 5 business days. The variance is dominated by re-entry into earlier stages, not by elapsed time within any single stage. The table below summarizes elapsed time per documented stage versus per observed sub-flow.

Stage (documented)	Sub-flows observed	Median (days)	P90 (days)	Notes
Application received	4	0.5	1.5	Time-to-receipt is fine; re-keying delays surface in next stage.
KYC screening	3	2.0	6.5	P90 driven by adverse-media false-positive adjudication (manual).
Risk profiling	3	1.5	4.0	RM override loop accounts for 28% of variance.
Compliance approval	3	2.5	9.0	"Sue M. queue" is the binding constraint at quarter-end.
Account opening	2	1.0	3.0	DOB / name-match exceptions, manual reconciliation.
Funding	3	1.5	5.5	Wire-ops cutoffs and the funding-holdback policy are unstated downstream.
RM assignment	2	1.0	3.5	Territory tie-breaks done in monthly RM meeting; introduces calendar dependency.

Authoritative sources for "approved"

During interviews, four distinct definitions of approved client emerged across the operating teams. None of these definitions are wrong in the team's local context. They are nevertheless not the same definition, and the present process operates because human operators translate between them in real time. We document them explicitly here because Findings F-03, F-07, and F-09 turn on this point.

Term used	Operator	Operational meaning
"Approved"	Front office (RM)	Application has cleared compliance and is ready to fund.
"Approved"	KYC operations	Sanctions and adverse-media checks completed without unresolved adverse hits.
"Approved"	Compliance	Compliance lead has signed the file under the delegation matrix; subject to monthly attestation.
"Approved"	Account-opening ops	Account record exists in customer master with active status flag.

§ 04Findings

Findings are presented in declining order of severity for AI-integration readiness. Severity classifications refer to the impact on the Q2 platform program, not to operational risk in the current process. Each finding is structured: identifier, title, severity, domain, and observation / impact / recommendation reference.

ID	Title	Severity	Domain	See R-
F-01	"Approved" carries four operationally distinct meanings	High	Semantics	R-02
F-02	Free-text comment field carries load-bearing instructions	High	Data	R-02, R-04
F-03	Compliance approval depends materially on a single operator	High	Operations	R-03
F-04	No explicit error contract for KYC false-positive return	High	Exceptions	R-04
F-05	Quarter-end behavior is a separate process, undocumented	Medium	Temporal	R-05
F-06	RM-territory tie-breaks introduce monthly calendar coupling	Medium	Temporal	R-05
F-07	"Account opened" status flag does not mean what AP/funding assumes	Medium	Semantics	R-02
F-08	Off-channel email loops carry process state for 28% of cases	Medium	Operations	R-04
F-09	Two upstream systems disagree on "active" relationship status	Medium	Data	R-02
F-10	Risk-profile RM override is not logged separately from initial profile	Low	Audit	R-06
F-11	KYC vendor confidence scores are coerced to binary on import	Low	Data	R-04
F-12	RM-assignment record retains stale territory associations	Low	Data	R-06

Detailed findings — High severity

F-01 "Approved" carries four operationally distinct meanings. High

DomainSemantics

AffectsCompliance, KYC, Front office, Account ops

Evidence11 interviews

Cross-refF-07, F-09 · R-02

Observation

Four operating teams use the term "approved" in routine communication, each with a different operational meaning (see § 03 table). Translation between meanings is performed in real time by human operators, principally the senior compliance lead and two onboarding-team leads. There is no system-of-record entity for "approval state"; the state is reconstructed from a combination of compliance-system flags, free-text notes, and operator memory.

Impact on AI integration

Any AI-assisted step that consumes or produces an "approved" signal will operate on whichever meaning is implicit in its input data — and will not be aware that a different meaning is held by its downstream consumer. The Q2 platform's draft requirements use "approved" 23 times, in at least three of the four senses, without distinguishing them. Production deployment against this ambiguity will produce decisions that pass each isolated review but fail end-to-end consistency.

Recommendation reference

R-02. Resolution requires definitional work in the PRISM (Appendix A § Roles / § Artifacts) before the platform program proceeds.

F-02 Free-text comment field carries load-bearing instructions. High

DomainData

AffectsAll onboarding stages

EvidenceSample of 40 cases

Cross-refF-08 · R-02, R-04

Observation

The "Additional Notes" field on the onboarding case record is nominally advisory. Of 40 sampled cases, 7 (≈18%) contained instructions in this field that materially affected processing — examples include "hold funding pending RM call to client", "split account per email of 14 Feb, see thread", and "escalate FX on first deposit, do not auto-route." Reduced to processing-critical instructions, the rate is ≈6%. Onboarding-team operators visually scan this field before each stage transition; the system does not.

Impact on AI integration

Direct: an AI-assisted onboarding workflow that does not parse and act on Additional Notes content will, in 6% of production cases, take actions the comment explicitly instructs against. Indirect: even an AI workflow that does parse the field will encounter free-text instructions whose meaning depends on context not present in the case record (e.g., "see thread"). Resolution requires structuring the instruction space, not training a parser against unstructured text.

Recommendation reference

R-02 (definitional), R-04 (operational). The structured instruction set is partially specified in the draft PRISM Appendix A § Exceptions; full enumeration requires further engagement.

F-03 Compliance approval depends materially on a single operator. High

DomainOperations

AffectsCompliance approval stage

EvidenceInterviews; case sample

Cross-refGF-04, GF-09 · R-03

Observation

The senior compliance lead (referenced in operations as "Sue M.") is the documented or undocumented decision-maker on roughly 70% of compliance approvals, and on 100% of cases involving adverse-media follow-up, politically exposed person flags, or non-US source-of-wealth attestations. Two designated alternates exist on paper; in our case sample, both alternates collectively handled 4% of complex approvals. Sue M. is approaching retirement on a stated timeline of 18 — 24 months.

Impact on AI integration

Two distinct risks. (a) The Q2 platform's compliance-approval logic will be derived, formally or informally, from Sue M.'s historical decisions; her reasoning is largely tacit and documented patchily. (b) The platform program is scheduled to deploy in a window during which Sue M. will be transitioning. The institution faces simultaneous loss of the human authority and arrival of the automated authority — a transition pattern with poor precedent in our experience.

Recommendation reference

R-03. Recommended approach involves explicit knowledge-elicitation interviews with Sue M. before the program proceeds, structured against the PRISM Decision Authority section.

F-04 No explicit error contract for KYC false-positive return. High

DomainExceptions

AffectsKYC screening, Compliance approval

EvidenceObservation, ticket sample

Cross-refGF-02, GF-06 · R-04

Observation

When the external KYC vendor returns an adverse-media match that the operator judges to be a false positive, the resolution path is undocumented. In our observation sessions, three different operators handled three substantially similar false-positive cases via three different mechanisms: (a) marking the case "cleared with notes," (b) re-running the screening with a narrowed name string, (c) opening a manual ticket to compliance with an attached email summary. None of the three is wrong; they are not the same path; the system retains different evidence in each.

Impact on AI integration

The Q2 platform contemplates AI-assisted false-positive triage as a primary efficiency lever. The current process has no canonical error contract for this case class; therefore, no canonical training signal exists for an AI assistant. Whatever signal is constructed will encode one of the three observed paths, marginalizing the other two — including, in some cases, the path that produced the highest-quality audit trail.

Recommendation reference

R-04. The error contract for this case class is the worked example in PRISM § Exceptions Appendix A.

Detailed findings — Medium severity (summarized)

Findings F-05 through F-09 are detailed in the supplementary findings appendix delivered alongside this report (omitted here for brevity). Each follows the same structure as F-01 through F-04 above.

Detailed findings — Low severity (summarized)

Findings F-10 through F-12 are documented at one paragraph each in the supplementary appendix. None block the Q2 program but each warrants attention in subsequent specification iteration.

§ 05Gap-filler inventory

"Gap-fillers" are the human accommodations that enable the current process to function despite documentation gaps. Each entry below identifies a specific accommodation, the operator(s) performing it, the failure that would result if the accommodation ceased, and the residual concentration risk if the operator left the role.

ID	Accommodation	Operator(s)	Concentration	If removed
GF-01	Re-keying applicant data into KYC vendor format	2 onboarding ops	Low	Mechanical; replaceable
GF-02	Adjudication of KYC false positives	1 senior, 2 alternates	High	FP rate would drive ≈40% rejection
GF-03	Translation between operators' meanings of "approved"	Sue M., 2 onboarding leads	High	Cross-team handoffs would stall
GF-04	Sue M.'s tacit decision rules for complex compliance	Sue M.	High	≈70% of complex approvals
GF-05	RM judgment override on risk profile	~30 RMs	Low	Distributed; pattern-based
GF-06	Email-thread context for Additional Notes references	Onboarding ops, RMs	Med	~6% of cases blocked or wrongly routed
GF-07	Quarter-end "second-look" review queue	Sue M., 1 alternate	High	Quarter-end duplicate-approval risk
GF-08	RM-territory tie-break in monthly RM meeting	WM divisional manager	Med	Assignment delays; RM disputes
GF-09	Manual reconciliation of customer-master DOB exceptions	Account ops, 2 ops	Med	≈3% of accounts blocked at opening
GF-10	Wire-ops cutoff awareness for funding stage	Treasury liaison	Med	Same-day funding failures, ≈8% impact
GF-11	Holdback rule application (manual interpretation)	Treasury liaison, RM	Med	Funding-policy violations on first deposits
GF-12	Adverse-media match narrowing (search-string judgment)	1 senior, 2 alternates	High	FP rate up; throughput halved
GF-13	"Need more info" chase to RM (off-channel)	Onboarding ops	Low	Mechanical; replaceable
GF-14	Document-format normalization (PDF / paper / image)	Onboarding ops	Low	Mechanical; replaceable
GF-15	Source-of-wealth attestation interpretation (non-US)	Sue M.	High	100% of non-US cases
GF-16	Customer-master "active" status reconciliation	Account ops, 1 ops	Med	Cross-system inconsistencies
GF-17	Voided-account reason-code interpretation	AP supervisor	Low	Audit-evidence drift

Concentration analysis

Of 17 identified gap-fillers, 6 are classified High concentration risk. Of these 6, four involve Sue M. either solely or as the principal operator. The remaining two concentrate in the same KYC operations sub-team. The Q2 program timeline overlaps Sue M.'s stated retirement window. Recommendation R-03 addresses this.

§ 06AI integration risk assessment

This section assesses the integration risks specific to the Q2 2026 onboarding platform program (project code WM-OPS-401) as currently scoped per the program PRD rev. 0.4 dated 18 February 2026. Scope statements in the PRD have been mapped against the findings and gap-fillers above. Risks are characterized by likelihood (in the AI-deployed configuration) and consequence.

Risk	Source	Likelihood	Consequence	Class
AI-assisted compliance approval signs cases under one definition of "approved" while downstream systems consume another	F-01, F-07	High	Audit findings; potential restatement of approval records	High
Free-text instructions in Additional Notes silently overridden by AI workflow	F-02	High	Wrong-action outcomes in ≈6% of cases; client-facing errors	High
Loss of senior compliance operator within program window without elicitation of tacit decision rules	F-03, GF-04, GF-15	High	Program retraining required mid-deployment; operational gap	High
AI false-positive triage trained against any single one of three observed resolution paths	F-04, GF-02, GF-12	High	Throughput regression; audit-trail inconsistency	Med
AI workflow proceeds during quarter-end without the supplemental review sweep	F-05, GF-07	Med	Re-emergence of duplicate-approval class historically caught by Sue M.'s queue	Med
RM territory tie-breaks coupled to AI assignment without monthly meeting input	F-06, GF-08	Med	RM revenue disputes; assignment churn	Low
Off-channel email loops not represented in workflow state, leading to AI premature progression	F-08, GF-06	Med	Cases progress before required human input received	Med
KYC vendor confidence scores binarized at AI input boundary	F-11	Low	Loss of upstream signal that could inform AI confidence	Low

Aggregated assessment

The Q2 program in its current form is, in our judgment, likely to deliver against its throughput and cost-reduction objectives while introducing a class of consistency and audit risks that will require remediation in flight. The program's risk profile is meaningfully improved if the recommendations in § 07 are completed before the platform's compliance-approval and false-positive-triage components reach production.

We do not recommend cancelling the program. We recommend separating the high-confidence components (document re-keying, document-format normalization, vendor-data ingestion — gap-fillers GF-01, GF-13, GF-14) from the components that depend on contested semantics (compliance approval, false-positive triage, free-text instruction handling — gap-fillers GF-02 — GF-04, GF-06, GF-12, GF-15). The first set can proceed against the current documentation. The second set requires the PRISM work described in R-01.

Component-level readiness

The matrix below maps the Q2 program's nine workflow components to the readiness state observed in this audit. A component is rated "Ready" if its documented behavior matches its observed behavior closely enough to be a defensible AI training and validation target. "Conditional" components require specific PRISM work before being integration-ready. "Not ready" components require substantive process redesign before any AI involvement is appropriate.

Component (Q2 PRD)	Documented?	Observed match?	Gap-fillers	Readiness
Application intake & document classification	Yes	Yes	GF-01, GF-14	Ready
KYC vendor request packaging	Yes	Yes	GF-13	Ready
Adverse-media false-positive triage	Partial	No	GF-02, GF-12	Not ready
Risk-profile generation	Yes	Partial	GF-05	Conditional
Compliance-approval assistance	Partial	No	GF-03, GF-04, GF-15	Not ready
Account-opening orchestration	Yes	Partial	GF-09, GF-16	Conditional
Funding orchestration	Partial	Partial	GF-10, GF-11	Conditional
RM assignment	Yes	Partial	GF-08	Conditional
Customer-communication generation	No	n/a	—	Conditional

Two components are Ready as scoped. Two are Not Ready. Five are Conditional, awaiting specification work for which the draft PRISM is the foundation. The Ready components alone account for approximately 35% of the projected program benefit per the Q2 PRD's value model. We believe a phased deployment that ships the Ready components to production while the PRISM work proceeds against the Conditional and Not Ready components is achievable inside the program's stated timeline.

This phasing is the substantive recommendation embedded in R-07.

§ 07Recommendations

Recommendations are ordered by priority. Each recommendation identifies the findings it addresses, the proposed effort, and a timing window relative to the Q2 platform program's stated milestones. P0 recommendations are those we believe must be completed before the Q2 program advances to its build phase; P1 recommendations are required before production deployment of the affected components; P2 recommendations are advisable within 6 months of deployment.

R-01 Complete the PRISM (Process Resource and Interaction Specification) before the Q2 build phase advances. P0

Addresses: F-01, F-02, F-04, F-05, F-08 · Effort: 8 — 10 weeks · Window: Mar — May 2026

Continue the specification work begun during this engagement until the document achieves closure under both the ClosureCompletion review (semantic and structural) and the Simulator review (deterministic and adversarial). The specimen excerpt in Appendix A reflects the state at engagement end. The remaining work primarily concerns the exception taxonomy (F-04), the structured replacement for free-text Additional Notes content (F-02), and the disambiguation of "approved" across Actor definitions (F-01). We estimate 8 — 10 weeks at a 1.5-FTE staffing level. The deliverable becomes the input to the Q2 program in lieu of the current onboarding documentation.

R-02 Resolve the four meanings of "approved" with named, distinct artifact attributes. P0

Addresses: F-01, F-07, F-09 · Effort: 2 weeks · Window: Concurrent with R-01

Define, in the PRISM Artifacts section, four distinct attributes on the case record: kyc_clearance_state, compliance_approval_state, account_opening_state, and front_office_funded_state. Each carries a defined enumerated value set, an authoritative source-of-truth system, and explicit transition rules. The colloquial term "approved" is not used in the PRISM or in any AI-assisted component; downstream consumers reference the specific attribute relevant to their decision. This is the single definitional change with the largest leverage in the program.

R-03 Conduct structured knowledge-elicitation with Sue M. against the PRISM Decision Authority section. P0

Addresses: F-03, GF-04, GF-15 · Effort: 4 — 6 weeks · Window: Now — June 2026

Schedule and conduct interviews — minimum eight sessions of two hours, against case-based prompts derived from the PRISM Decision Authority and Exception sections. Output is a documented decision-rule annex to the PRISM, reviewed and confirmed by Sue M., that captures the tacit reasoning currently held by a single individual. This work is independent of, and must precede, any AI-assisted decision-support implementation in the compliance approval stage. We recommend Northway begin this work without waiting for further consulting input; the structure of the elicitation can be transmitted in a one-day workshop.

R-04 Replace free-text Additional Notes with a structured instruction set and explicit error contracts. P1

Addresses: F-02, F-04, F-08, F-11 · Effort: 6 weeks · Window: May — June 2026

Inventory the load-bearing instructions currently expressed in free-text Notes. From this inventory, derive a structured instruction taxonomy with enumerated values and validity windows. Specify error contracts for each KYC, compliance, and account-opening exception class — the resolution path, the actor authorized, the audit retention, and the propagation rule for downstream consumers. The structured taxonomy and the error contracts are sections of the PRISM; we estimate 6 weeks to complete both at the level of detail required for AI-assisted handling.

R-05 Document quarter-end and monthly-meeting calendar coupling explicitly in the temporal rules. P1

Addresses: F-05, F-06, GF-07, GF-08 · Effort: 1 week · Window: After R-01

The current process behaves materially differently at quarter-end and around the monthly RM meeting. Both are temporal couplings absent from the documentation but present in the running process. Document these explicitly in the PRISM Temporal Rules section, including the supplemental quarter-end review sweep (currently held in Sue M.'s personal queue) and the RM territory tie-break dependency. Whatever automation replaces these, the PRISM must specify the calendar conditions under which the alternate path applies.

R-06 Separate audit-evidence capture from operational state for risk-profile and territory data. P2

Addresses: F-10, F-12 · Effort: 2 weeks · Window: Post-deployment, Q3 2026

Two of the lower-severity findings concern audit-evidence drift — overrides not separately logged, stale territory associations not explicitly tombstoned. Neither blocks the Q2 program, but both will become difficult to remediate after AI is in production because the AI will produce its own analogous evidence patterns. Specify both during the PRISM work, even though deployment of the fixes can wait.

R-07 Phase the Q2 program: ship Ready components, hold Conditional and Not Ready components for PRISM completion. P0

Addresses: All findings collectively · Effort: Program-level decision · Window: Immediate

Per § 06 component-level readiness analysis, ship the two Ready components (application intake/document classification and KYC vendor request packaging) on the Q2 timeline. Hold the two Not Ready components (false-positive triage, compliance-approval assistance) until R-01 and R-04 complete. Treat the five Conditional components individually based on R-02, R-03, R-04, R-05 progress. This phasing preserves approximately 35% of program benefit on schedule while protecting the institution from the consistency and audit risks identified in this report. We have prepared a detailed phasing proposal as a separate working document, available on request.

§ 08Closing

This report represents the product of two weeks of focused engagement with Northway Financial Group's Wealth Management onboarding operations. We are grateful for the time and candor of the eleven individuals who participated in interviews, and for the access and document support provided by the Wealth Management Operations leadership.

The findings above are unflattering only in the specific sense that they describe a process running on accommodations its documentation does not capture. This is, in our experience, the universal state of mature business processes prior to formal specification work. The presence of seventeen gap-fillers in this process is not evidence of operational deficiency; it is evidence that competent humans have been quietly doing the work the documentation did not specify, for a number of years, with skill and judgment. The purpose of this report is not to fault that work. It is to make the work visible — so that the next generation of automation has the chance to inherit the substance of the accommodations, not merely the documented surface.

The recommendation set above is, we believe, achievable within the existing program timeline given a focused 8 — 10 week specification effort. We are available to discuss the recommendations in detail at the convenience of the Northway team, and to scope any subsequent engagement against the Conditional and Not Ready components identified in § 06.

Engagement principal

Buzz Moschetti

Moschetti Consulting

inquiries@moschetticonsulting.com

Report status

Final · Rev 1.0
Issued 28 March 2026
Confidential — Northway internal use

App. ADraft PRISM (excerpt)

The following is an excerpt from the draft PRISM for Northway Private Client Onboarding, in the state at engagement end. The full draft (~46 pages) is delivered as a separate Markdown document. The excerpt reproduced here demonstrates the format and the level of definitional rigor characteristic of a specification ready to be input to AI-assisted implementation. Note in particular the explicit disambiguation of "approved" across artifact attributes (per R-02), and the explicit specification of one exception class (per R-04).

---
spec_id: nfg-private-client-onboarding
version: 0.4 (engagement end · pre-closure)
owner: head-of-wm-operations
scope: us-domiciled individual and joint accounts; trust and entity excluded
closure_status: incomplete; ~62% of dimensions resolved
---

# Private Client Onboarding

## Purpose

To onboard a private wealth client from application receipt
through funded-account state with a complete authorization and
audit record sufficient to satisfy the firm's regulatory
attestations and the client's expectations regarding speed
and accuracy.

## Roles

- `applicant` — natural person; subject of the onboarding case.
- `relationship_manager` — named role; one per case after assignment.
- `kyc_operator` — named role; one per business unit.
- `compliance_lead` — named role; enterprise-wide. # incumbent: see R-03
- `account_ops_specialist` — named role; one per paying entity.
- `treasury_liaison` — named role; one per region.

## Artifacts

### case

The onboarding case record. Created on application receipt;
terminates on funded state or rejection.

Required attributes:
- `id` — immutable, system-assigned.
- `kyc_clearance_state` — one of:
    `pending`, `vendor_returned`, `cleared`, `cleared_with_notes`,
    `false_positive_resolved`, `held_for_review`, `rejected`.
- `compliance_approval_state` — one of:
    `not_required`, `pending`, `approved`, `held`, `denied`.
    # PER R-02: this is one of four formerly-conflated
    # meanings of "approved." See also account_opening_state.
- `account_opening_state` — one of:
    `not_yet_initiated`, `initiated`, `documents_pending`,
    `opened_inactive`, `opened_active`, `void`.
- `front_office_funded_state` — one of:
    `not_yet_funded`, `wire_pending`, `funded`, `holdback_applied`.

## Exception class · KYC adverse-media false positive

# PER R-04 / F-04: prior to this specification, the resolution path
# for this exception class was not canonical; three observed paths.
# This section pins down the canonical path.

### Detection

KYC vendor return contains an adverse-media match for which
the `kyc_operator` judges, on inspection, that the matched
record refers to an entity other than the `applicant`.

### Resolution path

1. `kyc_operator` records the false-positive judgment in
   structured field `case.kyc_fp_judgment`, with required
   reason code from enumerated set
   `{name_collision, dob_mismatch, jurisdiction_mismatch, other}`.
2. `compliance_lead` reviews the recorded judgment.
   - If accepted: `case.kyc_clearance_state ← false_positive_resolved`.
   - If rejected: `case.kyc_clearance_state ← held_for_review`,
     with `compliance_lead` rationale appended.
3. Audit evidence retained: `kyc_operator` judgment,
   `compliance_lead` review action, and the original vendor
   match payload. Retention period: 7 years from case
   termination.

### Authority

The judgment is initiated by `kyc_operator` (any). The
acceptance is reserved to `compliance_lead`; not delegable
below role.

### Autonomy boundary

This decision class is never autonomous.
AI assistance permitted at: detection (proposing reason
code), evidence assembly, and audit-trail synthesis. AI
assistance not permitted at: judgment recording, judgment
acceptance, rejection rationale.

Closure status of the draft specification

Per the methodology, a PRISM (Process Resource and Interaction Specification) is considered "settled" when both the ClosureCompletion review (semantic and structural) and the Simulator review (deterministic and adversarial) report high confidence. The draft above has been through one ClosureCompletion pass at engagement end, returning the findings table below. Resolution of these findings is the principal remaining work in R-01.

ID	Finding (ClosureCompletion review of PRISM draft v0.4)	Resolution
CC-01	Actor `compliance_lead` is referenced 47 times but has no defined succession protocol; current incumbent is referenced informally in commentary.	Open · See R-03
CC-02	Artifact `case` lacks an `applicant_residency` attribute, but `compliance_approval_state` transition rules reference jurisdiction.	Open · 1 day
CC-03	Exception class for "RM override of risk profile" is described in commentary but not formalized.	Open · 3 days
CC-04	Temporal rule for quarter-end supplemental review is mentioned in narrative but not declared as a scheduled actor action.	Open · See R-05
CC-05	The transition `kyc_clearance_state.cleared_with_notes → ?` has no defined consumer behavior; downstream stages may treat this state inconsistently.	Open · 2 days
CC-06	Artifact attribute `front_office_funded_state.holdback_applied` does not specify how holdback amount is propagated to subsequent transactions.	Open · 4 days
CC-07	"Documents pending" in `account_opening_state` does not enumerate which documents constitute a holdable subset.	Open · 2 days
CC-08	Audit retention is specified for the KYC false-positive exception but not enumerated for other exception classes.	Open · 5 days

None of these findings is exotic. Each is the kind of ambiguity a competent operator resolves silently. Each is also a place where AI deployed against the v0.4 draft would either fail or encode a specific resolution path that may diverge from the institution's intended one. The draft proceeds to v0.5 once these are resolved, then to Simulator review.

The full PRISM draft, including the unredacted findings, is delivered as nfg-onboarding-prism-v0.4.md alongside this report.

App. BInterviewees and source documents

Interviewees

The following individuals were interviewed during this engagement. Names are redacted in this version of the report at the request of Northway HR; the unredacted version is delivered separately to the engagement sponsor.

Role	Function	Sessions	Date(s)
Head of Wealth Management Operations	Sponsor	2	14 Mar, 28 Mar
Head of Onboarding Operations	Operations lead	2	15 Mar, 26 Mar
Senior Compliance Lead ("Sue M.")	Decision authority	2	17 Mar, 24 Mar
Compliance Operations Specialist (×2)	Operators	1 each	18 Mar, 19 Mar
KYC Operations Lead	Operations lead	1	18 Mar
KYC Operations Specialist (×2)	Operators	1 each	19 Mar
Account Opening Specialist (×2)	Operators	1 each	20 Mar
Treasury Liaison (Wealth)	Funding interface	1	21 Mar
Wealth Management Divisional Manager	RM organization	1	24 Mar

Source documents reviewed

Document	Version	Date
Northway WM Operations Manual — Onboarding	rev. 7.2	Sep 2024
Onboarding training materials (decks & videos)	2024 cohort	2024
Q2 2026 Onboarding Platform PRD (project WM-OPS-401)	rev. 0.4 draft	Feb 2026
External KYC vendor SOC-2 report and integration spec	2025	2025
Internal Audit findings — onboarding scope	2024 — 2025	—
Prior consulting outputs (firms redacted)	2 engagements	2022, 2024
Compliance attestation log — last 4 quarters	—	—
Onboarding case sample (40 cases, anonymized)	—	Dec 2025 — Feb 2026

Systems accessed (read-only)

Onboarding workflow system; KYC vendor portal; document-management system; customer master; ticketing system; compliance attestation log. Read-only access provisioned via Northway IT under engagement-specific credentials, deprovisioned at engagement close.

Methodology references

The methodology applied in this engagement is described in the Moschetti Consulting field notes series, available at moschetticonsulting.com/field-notes. The PRISM (Process Resource and Interaction Specification) format is described in field note №03; the failure-mode taxonomy underlying the findings classification is described in field note №02.

— End of report —