Open standards & artifacts for accountable systems.

Worked example

Permanent link /examples/automated-account-lock

Automated account lock & eligibility flip

An end-to-end fraud lock scenario showing receipts, owners, clocks, exceptions, and remedies.

Scenario

Fraud-triggered lock with contestable remedies

An automated lock must remain enforceable even under fraud risk, legal holds, or safety escalations.

Overview

End-to-end scenario

A fraud model freezes access after detecting anomalous behavior. The system must still issue a receipt, assign authority, and deliver a remedy within bounded clocks.

  1. Trigger + receipt: Fraud model crosses threshold. System issues a receipt to the user and logs the decision payload.
  2. Acknowledgment clock: Within 2 hours, Risk Ops acknowledges the case, confirms owner, and publishes the review ETA.
  3. Review clock: Within 24 hours, a human reviewer validates the lock, flags exceptions, or reverses the decision.
  4. Remedy clock: Within 72 hours, the system provides remedy: unlock, compensation, or safe fallback for critical access.

Receipt

Immediate receipt issued to the impacted person

The receipt is proof that a decision happened, who owns it, and how to contest it.

{
  "schema_version": "1.0.0",
  "receipt_id": "RCP-2026-0441",
  "issued_at": "2026-02-14T14:03:22Z",
  "owner": {
    "name": "Risk Operations",
    "role": "System owner",
    "contact": "risk-ops@company.example",
    "on_call": true
  },
  "subject": {
    "id": "usr-103991",
    "type": "account"
  },
  "action": {
    "class": "WRITE",
    "description": "Lock account access for review",
    "reversible": true,
    "tools": ["fraud_model", "account_admin_api"]
  },
  "decision": {
    "decision_type": "account_lock",
    "reason_codes": ["FRAUD-THRESHOLD", "VELOCITY-SPIKE"],
    "inputs": ["score:0.93", "velocity:4.2x"]
  },
  "clocks": {
    "ack": { "hours": 2 },
    "review": { "hours": 24 },
    "remedy": { "hours": 72 }
  },
  "appeal_path": {
    "url": "/appeals/account-lock",
    "channel": "in-app form",
    "expected_response": "Human review within 24 hours"
  },
  "evidence_pack": {
    "href": "/evidence-packs/std-02#std-02-2-1",
    "standard_refs": ["STD-01.1.1", "STD-02.2.1"]
  }
}

Receipt includes clause references (STD-01.1.1, STD-02.2.1), the appeal path, and the evidence pack anchor used during review. Align payloads to the canonical receipt schema.

Owner + authority

Named owner and escalation authority

The lock cannot be anonymous. Ownership is explicit and time-bound.

  • Owner: Risk Operations (primary steward responsible for acknowledgement).
  • Authority: Fraud Steward (on-call) empowered to reverse the lock without manager approval.
  • Escalation: Security & Legal Review Board if the case hits irreversibility or legal hold criteria.

Clocks

Acknowledgment, review, and remedy clocks

Each clock is visible to the person impacted and logged in the decision record.

Ack clock

2 hours

Owner confirms the case is assigned and shares review ETA.

Review clock

24 hours

Human reviewer validates the lock, exception, or reversal.

Remedy clock

72 hours

Unlock, compensate, or provide a safe fallback path.

Exception handling

Bounded exceptions for security or legal holds

Exceptions never erase the receipt or clocks. They only delay specific actions.

  • Security exception: Lock can remain in place, but acknowledgment and review clocks still run with a maximum 72-hour extension.
  • Legal hold: Remedy may be delayed, but a partial access fallback (read-only statements, withdrawal visibility) is required.
  • Escalation: Exceptions are logged in the Exceptions register with steward review cadence.

Remedy path

Remedy must be visible, reversible, and time-bound

A remedy path guarantees contestability and reduces collateral harm.

  • Primary remedy: Unlock the account and restore eligibility within the remedy clock when no fraud is confirmed.
  • Alternative remedy: Provide a safe fallback (manual review queue, limited access) if the lock must stand.
  • Compensation: Issue credits for service downtime tied to the decision log.

Generated artifacts

Decision log, evidence packs, and appeal record

These artifacts prove the system is proof-carrying, not just policy-driven.

Decision log entry

MEC-01 record of the model output, dissenting reviewer notes, and review outcome.

Open artifact

Evidence pack list

Proof bundle for STD-01 and STD-02 clauses tied to contestability and remedy.

Open artifact

Appeal intake record

MEC-06 appeal path captures the dispute, pre-filled context, and decision trace.

Open artifact

Exception log

Bounded exception entry if the lock is tied to security or legal hold.

Open artifact

Glossary anchors

Glossary anchors used

This worked example ties back to glossary terms that bind clocks, artifacts, and ownership.