Every fintech startup has a compliance policy. Almost none have a compliance policy for their AI tools. CLAUDE.md is how you close that gap.
What CLAUDE.md actually is
CLAUDE.md is a configuration file at the root of a project that tells Claude Code how to behave when working in that codebase. It defines coding standards, data handling rules, prohibited patterns, and required practices. Claude Code reads it before every action.
In a generic project, CLAUDE.md might say: "Use TypeScript. Follow the existing naming conventions. Write tests for new functions."
In a fintech project, it should say much more.
What a fintech CLAUDE.md contains
Here is what a real CLAUDE.md looks like for a payments processing project:
Data classification rules: PII fields (name, email, SSN) must never appear in log statements, error messages, or console output. Payment card data must never be stored outside the tokenized payment processor. Account balances must be stored as integers (cents), never floating-point numbers.
Access control patterns: Every API route that returns financial data must verify the user's session and role. Admin endpoints require role-based access checks before any database query. No endpoint should return data for users other than the authenticated user unless the caller has an explicit admin role.
Audit trail requirements: Every write operation to financial tables must create an audit log entry with the user ID, timestamp, action type, and a description of what changed. Audit logs must never be deletable through the application.
Error handling standards: Financial operations must use database transactions. If any step fails, the entire operation rolls back. Error responses to the client must never include stack traces, database column names, or internal system details.
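Two of those rules as they look once a developer (or Claude Code) follows them in a TypeScript service. This is an added example, not code from the original post or from any real CLAUDE.md; the PII field names, the redaction marker and the sample values are constructed for illustration.

```typescript
// Added example: the "PII never in logs", "balances as integer cents" and
// "no internals in client errors" rules from a fintech CLAUDE.md, enforced in code.

// Constructed denylist of field names that must never reach a log line.
const PII_FIELDS = new Set(["name", "email", "ssn", "cardNumber", "pan"]);

// Recursively replace PII fields with a marker before anything is logged.
function redactForLog(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = PII_FIELDS.has(k) ? "[REDACTED]" : redactForLog(v);
    }
    return out;
  }
  return value;
}

// Parse a decimal money string exactly into integer cents. Rejects more than
// two decimals, exponent notation and anything else that is not whole cents,
// so no floating-point arithmetic ever touches a balance.
function parseCents(amount: string): number {
  const m = /^(-?)(\d+)(?:\.(\d{1,2}))?$/.exec(amount.trim());
  if (!m) throw new RangeError(`not a valid money amount: ${amount}`);
  const [, sign, whole, frac = ""] = m;
  const cents = Number(whole) * 100 + Number(frac.padEnd(2, "0"));
  if (!Number.isSafeInteger(cents)) throw new RangeError("amount out of range");
  return sign === "-" ? -cents : cents;
}

// Client-facing error: a fixed message plus a request id for support to
// correlate. The real message and stack go only to the redacted server log.
function toClientError(err: Error, requestId: string): { error: string; requestId: string } {
  console.error(redactForLog({ requestId, message: err.message, stack: err.stack }));
  return { error: "The operation could not be completed.", requestId };
}
```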
Why this is a compliance document
Look at that list again. Every rule in it maps directly to a regulatory requirement. PCI DSS requires that cardholder data not be stored in logs. SOX compliance requires audit trails for financial transactions. Bank Secrecy Act compliance requires access controls on account data.
The CLAUDE.md is not a preference file. It is a governance document that ensures every developer and every AI tool working in the codebase follows the same compliance rules. It is version-controlled, reviewable, and auditable.
When a regulator asks "how do you ensure that AI tools follow your compliance standards," the CLAUDE.md is the answer. It is a written, enforced, and versioned policy that governs AI behavior in your codebase.
What happens without it
Without a CLAUDE.md, every developer using Claude Code in your fintech codebase makes their own decisions about data handling, error logging, and access control. The AI follows whatever conventions it infers from the existing code. If the existing code has inconsistencies, the AI replicates those inconsistencies.
You end up with some endpoints that log PII and some that do not. Some routes that check permissions and some that do not. Some operations that create audit trails and some that skip them. The compliance gaps accumulate silently.
How to build it
Start with your existing compliance policies. Every rule that applies to human developers applies to AI tools. Translate each rule into a concrete instruction that Claude Code can follow.
Review it with your compliance officer. They should recognize every rule in the CLAUDE.md as something they already require. If the CLAUDE.md contains a rule your compliance policy does not, you found a gap in the policy. If your compliance policy contains a rule the CLAUDE.md does not, you found a gap in the configuration.
Version it, review it quarterly, and update it when regulations change.
Book a governance sprint — our governance sprints start by building this document with your team.