Open source regulatory radar for financial services compliance teams.
GRCX monitors publications from financial regulators — consultation papers, policy statements, Dear CEO letters, supervisory notices — and maps each one against your control frameworks as they land. When the FCA publishes something on Tuesday morning, GRCX catches it within its next polling cycle and tells you which of your controls are affected.
Every regulatory change management tool on the market is closed source and enterprise-priced. GRCX is the only open source option.
Live: grcx.dev · app.grcx.dev
Compliance teams in regulated fintech are drowning in volume. The FCA alone publishes hundreds of items a year. Add the Bank of England, the SEC, MAS, and ESMA, and the reading backlog runs to weeks per publication when triaged manually.
Existing tools — CUBE, Archer Evolv, Ascent, Regology — are filing cabinets. They help compliance teams manage the controls they already know about. None of them are radar: none detect new regulatory publications and map them to affected controls before the team is even aware.
GRCX is radar.
- Monitors regulators via their published feeds (IMAP, RSS, HTTP) — currently BoE, FCA, MAS, SEC, and ESMA.
- Maps each new publication to your control frameworks using an LLM.
- Triages — assesses severity, highlights affected controls, and surfaces a prioritised queue.
- Audits — writes every detection and assessment to a cryptographically chained audit log (SHA-256, append-only, verifiable).
- Surfaces everything in a live dashboard with jurisdiction filtering, severity badges, and flagged-only triage.
Every assessment is subject to human override. Compliance tools are trust products — GRCX augments the compliance team's judgement, it doesn't replace it. Overrides feed back into the resolver, improving accuracy over time.
Built-in:
- ISO 27001
- FCA SYSC
- MAS TRM
- NIST CSF
- BCBS 239
- SOC 2
Custom frameworks via YAML are always supported.
Three layers:
```
┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│   SENTINEL    │ → │   RESOLVER    │ → │   AUDIT LOG   │
│               │   │               │   │               │
│ Ingests       │   │ LLM maps to   │   │ SHA-256       │
│ regulator     │   │ frameworks,   │   │ chained,      │
│ feeds (IMAP,  │   │ assesses      │   │ append-only,  │
│ RSS, HTTP)    │   │ severity      │   │ verifiable    │
└───────────────┘   └───────────────┘   └───────────────┘
                            ↓
                     ┌─────────────┐
                     │  DASHBOARD  │
                     │             │
                     │ Triage +    │
                     │ overrides   │
                     └─────────────┘
```
Adding a new regulator is a config change in grcx.yaml, not a code change.
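To make the audit log layer's "SHA-256 chained, append-only, verifiable" property concrete, here is an added example of a hash-chained log and its verifier; it is not GRCX's own code or on-disk format. The record fields, the genesis value and the sample events are assumptions constructed for illustration. It also shows why the head hash needs to be pinned outside the log: truncation and a full recompute both pass a chain-only check.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor value for the first record


def record_hash(seq: int, prev: str, event: dict) -> str:
    """SHA-256 over a canonical JSON encoding of everything except the hash itself."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log: list, event: dict) -> str:
    """Append an event linked to the previous record; return the new head hash."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    digest = record_hash(seq, prev, event)
    log.append({"seq": seq, "prev": prev, "event": event, "hash": digest})
    return digest


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index where verification fails.

    Without expected_head only in-place edits are caught. A truncated or fully
    recomputed log is self-consistent, so the head hash must be pinned somewhere
    the log writer cannot modify; a mismatch is reported as index len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if (rec["seq"] != i or rec["prev"] != prev
                or rec["hash"] != record_hash(i, prev, rec["event"])):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def sample_log() -> list:
    """Constructed sample entries; field names are illustrative, not GRCX's schema."""
    log: list = []
    append(log, {"type": "detection", "regulator": "FCA", "title": "Sample notice"})
    append(log, {"type": "assessment", "severity": "high", "controls": ["C-1"]})
    append(log, {"type": "override", "severity": "medium", "by": "analyst"})
    return log
```

Editing a record in place makes `verify` return that record's index; dropping the tail or rebuilding the chain from scratch is only caught when the pinned head hash is supplied.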
```bash
git clone https://github.com/grcx-dev/grcx.git
cd grcx
uv sync
cp .env.example .env   # add your Anthropic API key and SMTP config
source .env
grcx watch --poll 900
```

In a separate terminal, run the dashboard:

```bash
flask --app dashboard.app run --port 5001
```

Open http://localhost:5001.
See grcx.yaml for the full configuration reference — regulator feeds, active frameworks, resolver backend, audit log location, alerting.
The LLM that maps publications to controls is configurable via resolver.llm in grcx.yaml. Four backends are supported:
| resolver.llm value | Backend | How it bills | Requires |
|---|---|---|---|
| claude-haiku-4-5-… / claude-sonnet-4-… / any claude-* model id | Anthropic SDK | API tokens charged against ANTHROPIC_API_KEY | ANTHROPIC_API_KEY env var |
| claude-cli (sentinel) | Shells out to the claude CLI | Claude Pro/Max subscription of the user running the watcher (no per-token $) | claude CLI installed and authenticated on the host (see below) |
| gemini-… (e.g. gemini-2.5-flash) | Google Gen AI SDK | Google API key — free tier covers grcx volume | GEMINI_API_KEY env var |
| anything else (e.g. llama3.3:70b) | Local Ollama | Free / local compute only | Ollama running on http://localhost:11434 (override with OLLAMA_HOST) |
If you have a Claude Pro / Max / Team subscription, set resolver.llm: claude-cli in grcx.yaml. The resolver will shell out to the standalone claude CLI for each assessment, authenticating as the logged-in user — no Anthropic API tokens are consumed.
Prerequisite — install the standalone claude CLI on the host that runs grcx watch:
```bash
npm install -g @anthropic-ai/claude-code
# or, no-npm install:
curl -fsSL https://claude.ai/install.sh | bash
```

Then authenticate it once (run claude and follow the login prompt). The VS Code / JetBrains Claude Code extensions ship their own embedded runtime and do not put claude on your shell PATH, so the standalone CLI install is required even if you already use the extension.
Verify with:
```bash
which claude && echo "say hi" | claude -p --output-format json
```

Caveats:
- Each call ships ~30k tokens of Claude Code system-prompt context per invocation, so a busy grcx watch consumes Max-cap budget faster than a raw Anthropic SDK call would. Real-dollar cost is still $0 as long as you stay within the subscription cap.
- The host running grcx watch must remain logged in to the Claude account being used; if auth expires the resolver will start writing resolver.error audit entries until you re-authenticate.
The open source engine is free under MIT. A hosted commercial version — GRCX Cloud — is available at app.grcx.dev:
- Starter — $1,000/mo
- Pro — $3,000/mo
- Enterprise — $10,000+/mo
14-day free trial.
- DORA framework
- GDPR framework
- Trading exchange feeds
- Cross-jurisdictional regulatory intelligence (contradiction detection, ambiguity surfacing, drift tracking)
- Integrations: Jira, PagerDuty, Slack
GRCX is MIT licensed and welcomes contributors. The most useful contributions right now:
- Regulatory feed parsers for jurisdictions not yet covered
- Control framework YAML definitions for frameworks not yet built-in
- Resolver prompt improvements for specific framework/jurisdiction combinations
See CONTRIBUTING.md. Good first issues are tagged good-first-issue.
MIT — see LICENSE.