
The cost of being wrong.

One non-compliant action can’t be unmade, and per-violation statutory exposure scales without limit across millions of automated touches. Post-hoc audit explains the harm after it is done. Pre-execution validation prevents it.

By Krim · 3 March 2026 · 7 min read

[Image: A vast wave rising over a digital grid, the weight of one wrong action.]

Most software bugs are recoverable. You roll back, you patch, you apologise. A non-compliant action in regulated lending is not like that. A call placed without consent has been placed. A collections message sent to the wrong number has been read. The harm is complete the instant the action fires. The only thing an audit trail can do afterward is describe, precisely, how it happened.

Per-violation, multiplied by everything

The terror is in the arithmetic. Statutory damages in this space are priced per action, not per incident. Under the TCPA, an illegal call or text carries $500 in statutory damages, rising to $1,500 where the conduct is willful or knowing (47 U.S.C. §227). The FDCPA caps statutory damages at $1,000 per action (15 U.S.C. §1692k). Read those as unit costs and then remember that automation’s entire promise is volume. A single misconfigured rule does not produce one violation. It produces one per touch, across every account it ran against.

Automate a defensible process and you scale safety. Automate a flawed one and you scale the violation: at $500 a touch, across millions of them.

It is not hypothetical. In 2014, Capital One settled TCPA claims for $75.5 million over autodialed collection calls that reached more than 21 million phone numbers, at the time a record. The mechanism was mundane: an automated dialer doing exactly what it was told, at scale, without a gate in front of it.

The penalties scale with you

The supervisory numbers are larger still. In December 2022 the CFPB ordered Wells Fargo to pay roughly $3.7 billion (more than $2 billion in redress plus a $1.7 billion penalty) over mismanagement affecting 16 million accounts. In September 2024 it banned Navient from federal student-loan servicing permanently and ordered $120 million in penalties and redress. These are not pricing errors. They are operations failures: the work around the loan, done wrong, at scale.

The pattern crosses borders. In 2024 the UK’s FCA fined HSBC £6,280,100, TSB £10,910,500 and Volkswagen Financial Services (UK) £5,397,600, all for unfair treatment of customers in financial difficulty. And the largest figure of all is a redress total: UK payment-protection-insurance mis-selling cost firms around £38.3 billion between 2011 and 2019, the largest consumer-redress exercise in the country’s history. A whole industry’s process, wrong, paid for after the fact.

Audit explains. Validation prevents.

Every dollar above was assessed after the harm. That is what post-hoc governance buys you: a faithful account of a loss you have already taken. It is necessary and it is not enough. The only control that changes the arithmetic is one that sits in front of the action.

That is the whole design intent of KrimOS. Every proposed action is checked against law, policy, consent and context before it can execute. What fails to clear never fires. Validated before it acts. When the unit cost of a wrong action is $500 and the unit volume is millions, prevention isn’t a compliance nicety. It is the only number that scales in your favour.
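The gate described above, as an added illustration in Python; this is not KrimOS code and makes no claim about how KrimOS implements its checks. The consent registry, the numbers on file, the purpose policy and the use of the $500 TCPA floor as the unit cost of each blocked touch are constructed assumptions for the example. What it shows is structural: the dispatcher is reachable only through the gate, the validators fail closed (a check that throws is a denial, not a pass), and the audit record is written before the action fires, so it records what was prevented rather than explaining afterward what happened.

```python
"""Pre-execution validation gate (hypothetical example, not KrimOS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Channel(Enum):
    CALL = "call"
    SMS = "sms"


@dataclass(frozen=True)
class Action:
    account_id: str
    channel: Channel
    destination: str  # phone number this action would touch
    purpose: str


@dataclass(frozen=True)
class Decision:
    action: Action            # the decision is bound to the exact action it judged
    allowed: bool
    reasons: tuple[str, ...]  # empty when allowed


# Constructed sample records (hypothetical accounts and numbers).
ACCOUNT_PHONE = {"acct-001": "+15550100", "acct-002": "+15550200", "acct-003": "+15550300"}
CONSENT = {  # account -> destination -> channels the customer consented to
    "acct-001": {"+15550100": {Channel.CALL, Channel.SMS}},
    "acct-002": {"+15550200": {Channel.CALL}},   # no SMS consent
    "acct-003": {},                              # consent revoked
}
ALLOWED_PURPOSES = {"collections", "servicing"}  # constructed policy
UNIT_COST_USD = 500  # the page's TCPA per-call/text statutory floor, used illustratively

Validator = Callable[[Action], Optional[str]]  # returns a reason, or None to pass


def check_destination_on_file(a: Action) -> Optional[str]:
    """Context check: the number we are about to touch must be the one on the account."""
    if ACCOUNT_PHONE.get(a.account_id) != a.destination:
        return "destination does not match number on file"
    return None


def check_consent(a: Action) -> Optional[str]:
    """Consent check: this channel must be consented for this destination."""
    channels = CONSENT.get(a.account_id, {}).get(a.destination, set())
    if a.channel not in channels:
        return f"no {a.channel.value} consent for destination"
    return None


def check_purpose_policy(a: Action) -> Optional[str]:
    """Policy check: the stated purpose must be one the programme permits."""
    if a.purpose not in ALLOWED_PURPOSES:
        return f"purpose {a.purpose!r} not permitted by policy"
    return None


VALIDATORS: list[Validator] = [check_destination_on_file, check_consent, check_purpose_policy]


def validate(action: Action) -> Decision:
    """Run every validator; any reason, or any validator failure, is a denial."""
    reasons = []
    for v in VALIDATORS:
        try:
            reason = v(action)
        except Exception as exc:  # fail closed: a broken check never becomes a pass
            reason = f"{v.__name__} raised {type(exc).__name__}"
        if reason:
            reasons.append(reason)
    return Decision(action, not reasons, tuple(reasons))


class Gate:
    """The only path to the channel provider; nothing calls the dispatcher directly."""

    def __init__(self, dispatcher: Callable[[Action], None]):
        self._dispatch = dispatcher
        self.audit: list[dict] = []

    def execute(self, action: Action) -> bool:
        decision = validate(action)
        # The audit entry is written before anything fires, for both outcomes.
        self.audit.append({"account": action.account_id, "channel": action.channel.value,
                           "allowed": decision.allowed, "reasons": list(decision.reasons)})
        if not decision.allowed:
            return False
        self._dispatch(action)
        return True


def run_batch(actions: list[Action], gate: Gate) -> dict:
    """Push a batch through the gate and summarise what fired and what was prevented."""
    fired = sum(1 for a in actions if gate.execute(a))
    blocked = len(actions) - fired
    return {"fired": fired, "blocked": blocked, "exposure_avoided_usd": blocked * UNIT_COST_USD}


SENT: list[Action] = []  # constructed sink standing in for the dialer / SMS provider


def demo() -> dict:
    SENT.clear()
    gate = Gate(SENT.append)
    batch = [  # constructed batch
        Action("acct-001", Channel.CALL, "+15550100", "collections"),  # consented: fires
        Action("acct-002", Channel.SMS, "+15550200", "collections"),   # no SMS consent
        Action("acct-003", Channel.CALL, "+15550300", "collections"),  # consent revoked
        Action("acct-001", Channel.CALL, "+15550199", "collections"),  # wrong number
    ]
    summary = run_batch(batch, gate)
    summary["audit"] = gate.audit
    return summary


if __name__ == "__main__":
    print(demo())
```

Of the four constructed actions only the first clears; the other three are denied with their reasons recorded, and the one that would have gone to a number not on file is denied for two independent reasons. The summary counts blocked touches at the page's $500 unit cost, which is the arithmetic the gate is there to change.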

Make the worst actions structurally impossible.

KrimOS validates every action before it fires, so the violation that would have scaled never happens once.