The challenge
The client processed roughly 1,400 new business KYC applications monthly across UK and US-East markets. Each application packet ran 40–60 pages: certificates of incorporation, beneficial ownership declarations, source-of-funds documentation, sanctions screening, and country-specific overlays.
The review queue had stretched to five business days end-to-end. Two compliance officers carried the workload and were burning out. The backlog had grown from zero at the start of the year to roughly 380 in-flight packets. Sales escalated daily as deals stalled in onboarding.
Leadership set two hard constraints: no outsourcing approval decisions offshore, and no fully automated decisioning — the regulatory risk was real and the edge cases genuinely required human judgment. They wanted humans in the loop, but in fewer loops.
The solution
We engaged through the AI & Automation service line — specifically Document & Data Automation and RAG & Knowledge Systems — and built a three-stage pipeline:
- 1OCR/IDP layer. AWS Textract with tuned post-processing extracted structured data from every document: incorporation details, UBO names, jurisdictions, dates, sanctions identifiers.
- 2Reasoning step. A Claude-based reasoning layer, operating against a RAG index of the client's KYC policy, jurisdiction-specific rules, and sanctions list snapshots, produced a structured risk summary per packet with explicit citations back to source documents.
- 3Routing layer. Each packet was classified clean, flagged, or edge case.
- Clean packets reached reviewers with a one-page summary and pre-filled checklist — review time dropped under 15 minutes.
- Flagged packets carried the specific concerns and the policy clauses they triggered.
- Edge cases routed to a senior compliance officer with the full reasoning trace.
The human-in-the-loop design was non-negotiable: every approval decision stayed with a named human reviewer, every reasoning step was logged with citations, a compliance officer ran a daily 5% sample audit for the first three months, and an external auditor verified the audit trail met evidentiary standards before go-live.
How we delivered
Weeks 1–3: Scoping with the regulator in the room
The scoping workshop included the head of compliance, the external auditor, and general counsel. The output was a written boundary document: what the pipeline would and would not do, what the audit trail had to contain, and what triggered manual override. That document became the specification.
Weeks 3–6: The document and reasoning layers
The RAG layer indexed the client's KYC policy, the FCA and FinCEN guidance it referenced, and weekly sanctions list snapshots. The reasoning step ran on Claude with a system prompt requiring citations back to source documents for every claim in the risk summary.
Weeks 6–9: Routing and the human interface
The reviewer interface was built inside the client's existing case management tool, so compliance officers stayed in their workflow — one-page summary, citations, and source documents side by side.
The inflection point
In week 7, the model cited a sanctions list snapshot that was three days stale. The packet would have been correctly flagged anyway, but the citation was inaccurate — and in this domain, an inaccurate citation is a failure. The index refresh job was tightened to hourly, with a freshness check surfaced in the audit log.
Weeks 9–11: Parallel run and cutover
The pipeline ran in parallel with the existing process for two weeks. The model agreed with the human reviewer on 96% of clean packets and surfaced two issues the human had missed on flagged packets. The audit caught zero false-negatives on edge cases. Cutover happened at week 11.
What ongoing looks like
- Daily 5% sample audit for the first three months, then 2%.
- Weekly review of any packet where model and human classifications disagreed.
- Monthly retraining against new jurisdiction overlays and policy changes.
