Live Oak Labs Bankability Report
Northwind Capital
- Report type
- Company Bankability Report
- Status
- Illustrative internal draft
- Programme fit
- Embedded SMB Finance
- Use case
- Embedded working-capital tooling for vertical SaaS platforms selling into SMB banking
- Generated
- 2026-07-13
- Recommended decision
- Advance to structured diligence remediation.
Composite bankability
Diligence-ready. Advance to structured diligence remediation.
Executive Bankability Score
| Dimension | Score | Status | Notes |
|---|---|---|---|
| Bank Workflow Fit | 94/100 | Green | Product is tied to a real bank-owned workflow with a named owner and credible pull. |
| Diligence Readiness | 77/100 | Yellow | Diligence posture is coming together; several artifacts are still missing or draft. |
| Integration Clarity | 22/100 | Red | Integration posture demands too much bank engineering or too much production access for a first pilot. |
| AI / Model-Risk Readiness | — | N/A | AI section was skipped; excluded from composite. |
| UK Legibility | — | N/A | UK section was skipped; excluded from composite. |
| Pilot Readiness | 77/100 | Yellow | Pilot has the outline of a controlled test but is missing metrics, kill criteria, or ownership. |
| Composite | 68/100 | Yellow | Diligence-ready |
| Overall decision | Advance to structured diligence remediation. |
Dimension detail
Bank Workflow Fit
Product is tied to a real bank-owned workflow with a named owner and credible pull.
Top signals
- WF-001Named bank workflow owner
- WF-002Primary workflow specified
- WF-003Evidence of buyer pull
Diligence Readiness
Diligence posture is coming together; several artifacts are still missing or draft.
Top signals
- DI-001SOC 2 / ISO evidence
- DI-006Encryption posture
- DI-002Penetration test status
Integration Clarity
Integration posture demands too much bank engineering or too much production access for a first pilot.
Top signals
- IN-002No production write access in first pilot
- IN-004API / webhook ingestion available
- IN-001Integration posture
Top gaps
- IN-003No live customer data in first pilot
- IN-006Exit / portability posture
AI / Model Risk
AI section was skipped; excluded from composite.
UK Legibility
UK section was skipped; excluded from composite.
Pilot Readiness
Pilot has the outline of a controlled test but is missing metrics, kill criteria, or ownership.
Top signals
- PI-001Pilot objective
- PI-002Success metric
- PI-003Kill criteria
Top gaps
- PI-004Bounded scope
Company and Product Summary
Core argumentNorthwind Capital is described as: Embedded working-capital tooling for vertical SaaS platforms selling into SMB banking.
Operational design
- Target workflow: SMB working-capital origination via partner vertical SaaS.
- Named bank owner: Head of SMB Lending.
- Stage: seed.
Execution artifact
Northwind Capital Evidence Dossier
Governance test
Can a bank product owner, risk officer, compliance reviewer, and model-risk reviewer understand what this records, what it does not, who controls it, and how evidence is verified?
Strategic Fit With Live Oak Labs
Core argumentProgramme fit: Embedded SMB Finance.
Operational design
- Enter the programme under bounded labels — not a general 'trust layer' claim.
- Anchor to one bank workflow rather than a portfolio pitch.
Execution artifact
Live Oak Use-Case Memo
Governance test
Does the company enter with one bounded workflow rather than a broad platform claim?
Bank Workflow Fit
Core argumentNorthwind Capital fits where banks need proof that an automated or semi-automated system behaved within approved boundaries.
Operational design
- Primary workflow: SMB working-capital origination via partner vertical SaaS.
- Current workaround: Manual referrals emailed weekly from partner platforms.
- Evidence of pull: medium.
Execution artifact
Bank Workflow Fit Map
Governance test
If the workflow owner and evidence buyer cannot be named, the offering becomes too abstract to underwrite.
Integration Surface
Core argumentThe product should be easiest to adopt when it acts as a sidecar, not a core production system.
Operational design
- Posture: core read.
- Production access in first pilot: no.
- Live customer data in first pilot: yes.
Execution artifact
Integration Surface Map
Governance test
The first pilot should remain read-only or evidence-only and require no production write access.
Data-Flow Map
Core argumentEvidence capture can easily become data overcollection. The data model must be narrow, intentional, and reviewable.
| Data class | Pilot posture |
|---|---|
| Vendor documents | Allowed with permission |
| System logs (event IDs, timestamps) | Allowed if non-sensitive |
| AI outputs (summaries, recommendations) | Allowed with model-risk review |
| Human approvals | Allowed |
| Customer PII | Approved |
| Model prompts / retrieved context | Redact or hash where possible |
Execution artifact
Data-Flow Map
Governance test
No data-flow map, no pilot.
Bank Diligence Pack Status
Core argumentA product that sells trust infrastructure must be stronger than the average early-stage SaaS on its own diligence posture.
| Evidence item | Status |
|---|---|
| SOC 2 / ISO | in progress |
| Pen test | planned |
| Incident response | draft |
| DR / BCP | draft |
| Subprocessor register | needs register |
| Encryption | planned documented |
Execution artifact
Bank Diligence Pack v0.1
Governance test
Is there enough evidence to survive a formal vendor-risk review?
RACI / Control Ownership
Core argumentThe product must clarify whether it records evidence, verifies evidence, interprets evidence, or makes decisions — those are different control roles.
Operational design
- Bank remains accountable for regulated decisions.
- Accountable owner (this side): Bank Head of SMB Lending.
- Responsible owner (this side): Northwind product lead.
- Escalation path: Bank SMB → Chief Credit Officer.
Execution artifact
Pilot RACI Matrix
Governance test
The company should not be positioned as the party that certifies a vendor, AI system, or regulated process unless the legal and assurance model supports that claim.
Operating Risk Posture
Core argumentA bank-embedded product must be a risk-managed environment: it cannot reduce opacity while creating new uncontrolled data, cyber, model, or operational exposure.
Operational design
- Live customer data in first pilot: yes — needs written approval.
- Production access: no.
- No customer-impacting action in first pilot.
- No unreviewed AI-generated compliance determinations.
Execution artifact
Risk Register
Governance test
If security, subcontractor, model-monitoring, or incident posture is inadequate only at the end of the programme, the company has not been accelerated — it has been exposed.
UK Beachhead Readiness
Core argumentUK financial institutions place heavy emphasis on operational resilience, outsourcing controls, data governance, auditability, and accountable technology use.
Operational design
- Likely path: UK section skipped.
- Buyer archetype: not named.
- Partner archetype: not named.
Execution artifact
UK Beachhead Pack v0.1
Governance test
Do not claim UK compliance. Claim: 'helps produce reviewable evidence for UK compliance, operational resilience, vendor diligence, and AI governance workflows.'
Regulatory Pathway
Core argumentThe product is best positioned as non-regulated B2B infrastructure if it does not make regulated decisions, advise consumers, approve credit, initiate payments, or act as a regulated intermediary.
Operational design
- Preliminary pathway: not yet chosen.
- Pathway must be counsel-reviewed. Triage, not legal advice.
Execution artifact
Regulatory Pathway Memo
Governance test
Avoid: 'certifies compliance', 'approves vendors', 'automates regulatory approval', 'makes AI compliant', 'eliminates bank diligence'.
AI / Model-Risk Classification
Core argumentAI products must be governed by autonomy level, not generic 'AI safety' claims.
Operational design
- AI section was skipped — no autonomy classification available.
Execution artifact
AI Governance File
Governance test
The first pilot should focus on evidence capture for AI-assisted review, not autonomous action.
Commercial ROI Model
Core argumentThe commercial value is not 'better logs' — it is diligence-cycle compression, audit-prep reduction, incident reconstruction, and risk-review confidence.
Operational design
- ROI = (cost reduction + risk reduction) / (integration cost + oversight cost).
- Model at least three quantified value drivers before Decision Day.
Execution artifact
Pilot ROI Worksheet
Governance test
If it only saves time for the startup, the bank may not care. The ROI case must show value to the bank reviewer.
Mentor Pod Assignment
Core argumentMentor density is the substitute for vague ecosystem access: pods must have defined roles, review cadences, and deliverable responsibilities.
Operational design
- Product sponsor, integration architect, third-party-risk reviewer, cybersecurity reviewer, compliance lead.
- Model-risk reviewer, operational-resilience reviewer, UK regulatory advisor, commercial buyer coach.
- Every mentor session ends with: objection, required evidence, artifact change, owner, due date.
Execution artifact
Mentor Pod Review Notes
Governance test
The pod must produce artifact changes, not general feedback.
Market Validation Log
Core argumentObjections are not bad; they are the raw material for bankability.
Operational design
- Log every reviewer objection with severity and required response.
- Close objections only when the artifact changes or a qualified reviewer accepts the response.
Execution artifact
Market Validation Log
Governance test
An objection is closed only when the report artifact changes.
Pilot Design
Core argumentThe first pilot should be narrow, low-customer-risk, and evidence-obvious.
Operational design
- Objective: Prove origination cycle-time reduction for two SMB partner platforms.
- Duration: 90 days.
- Success metric: Median origination cycle < 10 days across 25 loans.
- Kill criteria: Cycle-time reduction below 20% or credit-quality drift beyond baseline.
Execution artifact
Pilot Design Document
Governance test
The pilot must be rejected if it requires live customer data, production access, or automated regulatory decisioning before baseline diligence is complete.
Decision Day Recommendation
Core argumentRecommended decision: Advance to structured diligence remediation.
Operational design
- Present buyer problem, validated workflow, integration design, data-flow map.
- Present diligence status, risk controls, UK landing plan, pilot economics.
- Make an explicit ask — pilot conversation, UK review, diligence remediation, advisory, or no-go.
Execution artifact
Decision Day Packet
Governance test
The ask should be a controlled evidence pilot, not full bank adoption.
Week 0–12 Programme Plan
Week 0Pre-Mortem and Cohort Charterexpandcollapse
Identify the failure mode before the sprint begins.
Core argumentWeek 0 prevents the programme from wasting bank, mentor, and founder time.
Operational design
- Name the likely failure mode.
- Name the weakest score dimension.
- List missing evidence and data-risk exposure.
- Name buyer, UK, and pilot-scope risks.
- Weakest dimension: Integration Clarity at 22/100.
- Likely failure mode: First pilot ingests live customer data — high approval bar.
Execution artifact
Pre-Mortem Charter
Governance test
No company should begin Week 1 without a bounded workflow, evidence-gap list, and risk posture.
Actions
- Pre-mortem gap 1: First pilot ingests live customer data — high approval bar.
- Pre-mortem gap 2: Pilot scope is not bounded — customer/production exposure will slow approval.
- Pre-mortem gap 3: No exit / portability posture — UK operational-resilience gap.
Week 1Bank Workflow Orientationexpandcollapse
Translate the pitch into a bank-owned workflow.
Core argumentA fintech is not bankable until it maps to a bank-owned workflow.
Operational design
- Chosen workflow: SMB working-capital origination via partner vertical SaaS.
- Name the workflow, bank owner, and control owner.
- Document current pain, workaround, and measurable value.
- Identify the operating risk category.
Execution artifact
Live Oak Use-Case Memo
Governance test
Can a bank buyer understand what this solves and who owns it?
Actions
- Interview the target workflow owner (or their proxy) within 5 days.
- Draft one-page use-case memo with named buyer and measurable friction.
Week 2Bank Pain and Buyer Validationexpandcollapse
Prove the problem is real, budgeted, and painful.
Core argumentThe problem must be real, budgeted, and painful enough to justify diligence.
Operational design
- Confirm buyer owner and budget owner.
- Quantify friction cost and urgency.
- Map the procurement path and decision criteria.
Execution artifact
Bank Workflow Fit Map
Governance test
A vague 'bank innovation' buyer is not enough — is the owner named?
Actions
- Log 3–5 buyer conversations in the Market Validation Log.
- Convert one objection into a required-evidence line item.
Week 3Technical Integration and Data Flowexpandcollapse
Map every point where the product touches bank systems and data.
Core argumentBank readiness depends on knowing where you touch bank systems and data.
Operational design
- Document APIs, webhooks, logs, and manual paths.
- Draw data inputs, outputs, auth, and hosting.
- State the exit / portability path.
Execution artifact
Integration Surface Map + Data-Flow Map
Governance test
No data-flow map, no pilot.
Actions
- Produce an evidence-sidecar architecture diagram for the first pilot.
- State explicitly what the first pilot will NOT touch.
- Weak integration score — redesign first pilot as a strict sidecar with no core writes.
- Document exit / portability path in the architecture diagram.
Week 4Diligence Readiness Sprintexpandcollapse
Assemble the vendor-review evidence pack.
Core argumentThe post-demo bottleneck is vendor onboarding, not founder storytelling.
Operational design
- Publish SOC 2 / ISO posture (or credible roadmap).
- Publish pen-test, IR, DR/BCP, subprocessor, retention posture.
- Publish encryption architecture, IAM model, and audit log design.
Execution artifact
Bank Diligence Pack v0.1
Governance test
Does the company have enough evidence for a serious vendor-risk review?
Actions
- Draft evidence-verification specification.
- Post subprocessor register with owners.
- Weak diligence score — commission SOC 2 readiness assessment this month.
- Publish subprocessor register with data-flow annotations.
Week 5UK Beachhead Weekexpandcollapse
Translate US assumptions into UK regulatory and buyer terms.
Core argumentThe UK track is a regulatory and buyer-translation exercise, not a branding one.
Operational design
- Map bank partner → authorised institution / principal / partner.
- Map vendor diligence → operational resilience / outsourcing controls.
- Map AI tooling → accountability, oversight, explainability.
Execution artifact
UK Translation Matrix + UK Beachhead Pack v0.1
Governance test
Can the company explain its UK path without overclaiming regulatory status?
Actions
- Have UK counsel review the pathway memo before Week 8.
- Name the first UK buyer archetype and partner archetype.
Week 6AI / Model-Risk and Control Ownershipexpandcollapse
Classify AI on autonomy and instrument the controls.
Core argumentAI products need governance by autonomy level, not generic 'AI safety' claims.
Operational design
- Classify each AI function on the Operator/Collaborator/Consultant/Approver/Observer spectrum.
- Document human boundary, override, drift, escalation, and kill switch.
- Name accountable owner per AI function.
Execution artifact
AI Governance File
Governance test
Does the company preserve bank accountability at every autonomy level?
Actions
- Freeze prompt/output logging policy.
- Draft kill-switch runbook.
Week 7RACI and Operating Riskexpandcollapse
Clarify who owns every material risk.
Core argumentBank-fintech partnerships fail when control ownership is ambiguous.
Operational design
- Draft pilot RACI across incidents, disputes, model changes, data access, releases, outages.
- Publish risk register with severity and control.
- Name termination process and exit plan owner.
Execution artifact
Pilot RACI Matrix + Risk Register
Governance test
Can the bank tell who owns every material risk?
Actions
- Have risk register reviewed by a third-party-risk advisor.
- Confirm every 'A' in RACI is a real, named person.
Week 8Pilot Design Sprintexpandcollapse
Design a controlled, approvable first pilot.
Core argumentThe first pilot must be narrow enough to approve and meaningful enough to matter.
Operational design
- Define objective, scope, out-of-scope, users, data set.
- Define success metric, kill criteria, duration, fallback.
- State evidence output.
Execution artifact
Pilot Design Document
Governance test
Would a bank operating committee approve this controlled test?
Actions
- Confirm no live customer data and no production write access in first pilot.
- Confirm accountable owner on the bank side.
Week 9Commercial ROI and Evidence Roomexpandcollapse
Assemble the buyer-ready decision packet.
Core argumentA bank will not adopt a tool because it is interesting — it needs a decision package.
Operational design
- Model ROI: cost reduction, risk reduction, oversight cost, integration cost.
- Publish evidence room index.
- Produce buyer-ready presentation and UK Beachhead Pack update.
Execution artifact
Buyer-Ready Packet (diligence + pilot + UK + ROI + evidence register)
Governance test
Can the company enter Decision Day with reviewable evidence instead of claims?
Actions
- Validate ROI baseline with two bank-side reviewers.
- Freeze evidence room v1.0.
Week 10Decision Dayexpandcollapse
Present a bank-readiness decision, not a pitch.
Core argumentDecision Day is a bank-readiness decision, not a pitch event.
Operational design
- Present buyer problem, validated workflow, integration design, data-flow map.
- Present diligence status, risk controls, UK landing plan, pilot economics.
- Make an explicit ask.
Execution artifact
Decision Day Packet
Governance test
The decision should be one of: advance to pilot, advance to UK review, advance to diligence remediation, continue advisory, or no-go.
Actions
- Circulate the Decision Day Packet to reviewers 5 business days before the session.
- Log the decision and named next step against every open objection.
Week 11Post-Mortem I: Evidence Auditexpandcollapse
Ask whether the sprint produced bank-reviewable artifacts.
Core argumentWeek 11 asks whether the report and sprint produced bank-reviewable artifacts.
Operational design
- Review missing evidence and unresolved objections.
- Record score movement across the 6 dimensions.
- Log mentor notes, buyer feedback, and counsel-review items.
Execution artifact
Post-Mortem Evidence Audit
Governance test
What changed because of the sprint?
Actions
- For every open objection, name owner + due date.
- Version-tag every artifact touched during the sprint.
Week 12Post-Mortem II: Pilot / Cohort Readinessexpandcollapse
Convert the sprint into a 30/60/90-day execution plan.
Core argumentWeek 12 converts the sprint into a 30/60/90-day execution plan.
Operational design
- Finalise pilot recommendation and unresolved blockers.
- Record legal, security, and UK review needs.
- State commercial next step.
Execution artifact
Cohort Readiness Memo
Governance test
Is the company ready for pilot, remediation, advisory support, or no-go?
Actions
- Produce the Cohort Readiness Memo with an explicit decision recommendation.
- Hand the 30/60/90 plan to the founder team with owners assigned.
30 / 60 / 90-Day Follow-Up Plan
Day 30
Due 2026-08-12
Close foundational evidence gaps.
- ProductFinalise use-case memo and evidence schema for the first workflow.
- SecurityProduce architecture, IAM, encryption, subcontractor, and incident docs.
- DataComplete data-flow and retention map.
- AI governanceClassify AI functions using the autonomy spectrum.
- LegalDraft non-regulated B2B positioning memo.
- UKDraft UK Beachhead Pack v0.1.
- CommercialIdentify first three buyer personas and pilot sponsors.
- ArchitecturePublish updated Integration Surface Map v0.2.
- SecurityClose top 3 diligence gaps and refresh evidence index.
Output: 30-Day Evidence Completion Check
Day 60
Due 2026-09-11
Move from artifact creation to reviewer feedback.
- ProductBuild pilot evidence capture workflow.
- RiskComplete pilot RACI.
- CyberComplete security evidence index and close pen-test gaps.
- ComplianceDefine review and export format.
- UKReview data, regulatory, and resilience posture with UK advisor.
- CommercialSecure pilot-design feedback from 3–5 bank reviewers.
Output: 60-Day Reviewer Feedback Memo
Day 90
Due 2026-10-11
Prepare a controlled pilot or a no-go decision.
- PilotRun controlled evidence replay against success metrics.
- MetricsMeasure cycle-time reduction and completeness against baseline.
- AuditExport evidence bundle and test reviewer usability.
- LegalFinalise pilot agreement template.
- UKConfirm UK pilot or Digital Sandbox path if appropriate.
- CapitalDecide whether the company is ready for a strategic seed / pre-seed conversation.
Output: 90-Day Pilot Readiness Packet
Evidence Register
| Claim / artifact | Status |
|---|---|
| Product positioning | Proposed / illustrative |
| Bank workflow use case | Proposed |
| Non-regulated B2B pathway | Preliminary; counsel review required |
| UK beachhead thesis | Skipped |
| AI governance use case | Skipped |
| Diligence-pack requirements | Aligned with Live Oak Labs framework |
| Pilot design | Proposed |
| ROI metrics | Proposed baseline; needs buyer validation |
| Security posture | Partial |
| Data-flow map | To be supplied |
| Evidence verification method | To be supplied |
| UK regulatory posture | Counsel review required |
Final Bankability Verdict
Northwind Capital is not yet ready for a bank pilot. Composite 68/100 — Diligence-ready. Advance to structured diligence remediation.