From Spreadsheets to Blockchain: What GRC Automation Actually Looks Like

Most regulated institutions still manage compliance in spreadsheets and PDFs. Here is what a modern GRC platform does differently.

ZeroH

March 31, 2026

The compliance gap

Most Islamic financial institutions manage compliance the same way they did twenty years ago: printed standards in binders, obligation tracking in Excel, Shariah board reviews over email, and audit evidence collected in folders of PDFs.

This works until it does not. Regulators ask for evidence of a specific SSB decision from 2022. A compliance officer searches through email threads and meeting minutes. Forty-five minutes later, they find a partial record. The evidence chain is incomplete.

The gap is not knowledge. Compliance teams know the standards. The gap is infrastructure: no structured place to record obligations, no workflow to route SSB reviews, no tamper-evident store for the evidence that reviews happened.

How a modern GRC platform works

The process has three steps. Each one replaces a manual activity with a structured, auditable system.

  1. Pick a ruleset

    The compliance officer selects the applicable standard: AAOIFI, QCB, IFSB, or a custom institutional ruleset. The platform has already ingested and structured these standards. No manual reading. No copy-paste into spreadsheets.

  2. AI maps obligations to workflows

    The platform extracts discrete compliance obligations from the selected standard and maps them to institutional processes. Each obligation is tagged with its source clause, applicability criteria, and the workflow step responsible for satisfying it. Gaps between what the standard requires and what processes currently cover are surfaced automatically.

  3. Operate with blockchain proof

    As the institution operates, each compliance event is recorded and anchored to the Hedera distributed ledger. The result is a tamper-evident, timestamped audit trail that regulators and Shariah boards can verify independently. The evidence does not live in a spreadsheet that can be edited. It lives on a ledger that cannot be.

What changes for compliance teams

The difference is not speed alone. The structure of the work changes.

Obligation extraction
  Before: Compliance officers read standards and manually identify requirements
  After: AI extracts obligations from AAOIFI and other standards automatically

SSB workflow
  Before: Shariah board reviews conducted over email and meeting minutes
  After: Structured workflow with timestamped decisions linked to obligations

Audit evidence
  Before: Spreadsheets and PDFs that can be edited or deleted
  After: Blockchain-anchored records on Hedera, independently verifiable

Gap identification
  Before: Manual review of processes against printed standards
  After: Real-time gap analysis between obligations and covered workflows

The scholar layer: fatwa certification

A GRC platform that operates in Islamic finance cannot simply be built by engineers. The platform itself must be reviewed and certified as permissible under Islamic law.

ZeroH received fatwa certification from Amanie Advisors in April 2025. The certifying Shariah Supervisory Board includes Dr. Mohamed Ali Elgari (Chairman), Dr. Mohd Daud Bakar, Dr. Muhammad Amin Ali Al-Qattan, and Dr. Osama Al-Dereai.

Fatwa certification is not a marketing credential. It is a prerequisite for deployment in institutions whose regulators require that all technology tools used in compliance operations are themselves Shariah-compliant.

In production

ZeroH is deployed in production at the QFC Digital Asset Lab in Qatar alongside Al Rayan Bank, Google Cloud, and Hedera. The Qatar Financial Centre designated the platform as the "Digital Receipt System" for the blockchain-based proof-of-concept announced in September 2025.

The platform is also deployed for InsureCow, a Takaful-backed digital cattle investment product in Bangladesh structured as a Mudarabah. Each investment is recorded with a blockchain-anchored compliance trail.

ZeroH is a portfolio company of Qatar Development Bank and has won the Finopitch Tokyo 2025 Grand Prize and the Islamic Fintech Awards 2025 Best Startup.

Frequently asked questions

GRC automation replaces manual spreadsheet-based compliance workflows with software that extracts obligations from regulatory standards, maps them to institutional processes, and generates auditable evidence of compliance. For Islamic finance, this includes AAOIFI obligation extraction, Shariah Supervisory Board workflow management, and blockchain-anchored audit trails.

The platform reads AAOIFI standards and uses AI to identify discrete compliance obligations within the text. Each obligation is tagged with its source standard, clause reference, and applicability criteria. These extracted obligations are then mapped to institutional workflows, so compliance teams know exactly which processes need to satisfy which regulatory requirement.

A blockchain-anchored audit trail records each compliance event as a hash on a distributed ledger. This creates tamper-evident proof that a specific action was taken at a specific time. Unlike a database record, which can be modified or deleted, a blockchain record is immutable and independently verifiable. ZeroH anchors audit trails on the Hedera network.
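An added illustration of the hash anchoring described in step 3 and in the answer above; it is not ZeroH's code and does not use Hedera's API. The `MockLedger` class, the record layout, the salt, and every sample value are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

def canonical_bytes(record: dict) -> bytes:
    # Sorted keys and fixed separators: the same record always encodes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def seal(event: dict, salt: str = "") -> dict:
    """Off-ledger record: the event plus a random salt, so a low-entropy
    event cannot be guessed from the digest that is published."""
    return {"event": event, "salt": salt or secrets.token_hex(16)}

def digest(record: dict) -> str:
    return hashlib.sha256(canonical_bytes(record)).hexdigest()

class MockLedger:
    """In-memory stand-in for an append-only ledger (hypothetical, not Hedera's API)."""
    def __init__(self):
        self._entries = []
    def anchor(self, digest_hex: str, consensus_time: str) -> int:
        self._entries.append((consensus_time, digest_hex))
        return len(self._entries) - 1          # sequence number acts as the receipt
    def get(self, seq: int):
        return self._entries[seq] if 0 <= seq < len(self._entries) else None

def verify(record: dict, ledger: MockLedger, seq: int) -> str:
    entry = ledger.get(seq)
    if entry is None:
        return "not_anchored"
    _, anchored = entry
    return "match" if hmac.compare_digest(digest(record), anchored) else "modified"

# Constructed sample: an SSB decision linked to an obligation (all values made up).
EVENT = {"type": "ssb_decision", "obligation_id": "OBL-0001",
         "decision": "approved", "decided_by": ["member-a", "member-b"]}

def demo() -> dict:
    ledger = MockLedger()
    record = seal(EVENT, salt="00" * 16)       # fixed salt only for repeatability
    seq = ledger.anchor(digest(record), "2026-01-01T00:00:00Z")
    edited = json.loads(json.dumps(record))    # deep copy, then alter one field
    edited["event"]["decision"] = "rejected"
    reordered = {"salt": record["salt"],
                 "event": dict(reversed(list(record["event"].items())))}
    return {"original": verify(record, ledger, seq),
            "edited": verify(edited, ledger, seq),
            "reordered": verify(reordered, ledger, seq),
            "unknown_receipt": verify(record, ledger, seq + 1)}
```

A matching digest shows the record is unchanged since it was anchored; it says nothing about whether the record was accurate when written. The off-ledger record and its salt still have to be retained, because the ledger holds only the digest.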

Fatwa certification means a qualified Shariah Supervisory Board has reviewed the platform and issued a formal ruling that its operation is permissible under Islamic law. ZeroH received fatwa certification from Amanie Advisors in April 2025. The certifying board includes Dr. Mohamed Ali Elgari (Chairman), Dr. Mohd Daud Bakar, Dr. Muhammad Amin Ali Al-Qattan, and Dr. Osama Al-Dereai.

The platform routes compliance items to SSB members for review, tracks approval status, records dissenting opinions, and maintains a searchable archive of all SSB decisions. This replaces email chains and meeting minutes with a structured workflow where every decision is timestamped, attributed, and linked to the underlying regulatory obligation.

ZeroH holds SOC 2 Type II, ISO 27001:2022, and GDPR certifications. The platform also has UK Patent Pending GB2604344.8 for its compliance automation technology.

A compliance checklist is a static document. GRC software is a live system. The platform tracks which obligations are satisfied, which are open, and which require SSB review. It surfaces gaps in real time, routes work to the right people, and generates audit-ready evidence. A checklist tells you what to do. GRC software tells you what has been done, by whom, and when.
