KYC / KYB orchestration
Multi-vendor abstraction across Onfido, Trulioo, Persona and Jumio — so you can switch vendors without rebuilding the journey.
08 — Regulatory technology
Regulatory technology — KYC, AML and rule engines that survive their first audit.
Most regtech is bought, then partially rebuilt. The vendor product gets you 60% of the way; the 40% your business actually needs is the part you have to engineer yourself. We build that 40% — and the integration layer that makes the vendor work properly.
FCA · UK FinCEN · US FINTRAC · Canada
01 — Problem
Where regulatory technology builds usually go wrong.
RegTech vendors solve common problems well. They struggle with anything specific: a configurable rule engine that maps to your particular MLR risk appetite, a KYC orchestration layer that switches vendors without rebuilding the journey, an audit trail that satisfies both FinCEN and the FCA from the same query layer.
The right pattern is vendor + bespoke: the vendor handles the commodity work (identity verification, sanctions screening, basic AML monitoring), and a bespoke layer above handles the orchestration, the configurability and the evidence. That layer is what we build.
Audit-grade evidence is the throughline. Every KYC verification, every monitoring alert, every rule change, every decision needs to be reconstructable from immutable, queryable storage. Most platforms have this aspirationally, not actually.
02 — What we build
End-to-end, audit-ready, in production.
AML transaction monitoring
Rules + model layer, tiered triage, alert investigation workbench and SAR / STR generation.
Sanctions / PEP screening
OFAC, UN, HMT and EU consolidated lists — with fuzzy-match tuning, list-update automation and full hit-management workflow.
Identity vendor abstraction
Switch providers without rebuilding the journey — per-vendor capability surfaced through a normalised verification model.
Configurable rule engines
Business-team-editable rule engines for AML and onboarding — with governance rails and full audit trail.
Audit-grade evidence trails
Immutable, queryable, exportable evidence for every regulated decision and verification.
Regulatory reporting
SAR / STR generation, FATCA / CRS reporting, beneficial-ownership filings — built as reproducible pipelines.
Vulnerability & complaint pipelines
DISP-aligned complaint handling integrated with monitoring — so vulnerability signals surface into AML decisions where appropriate.
03 — Patterns
Build patterns we ship from.
KYC orchestration platform
Normalised verification model, multi-vendor adapters, per-region risk-based-approach configurability.
OnfidoTruliooPersonaAWS Step Functions
Transaction monitoring with model-tiered triage
Rule-driven first-pass + model-scored triage, with alert workbench for investigators and full audit trail.
ComplyAdvantageInternal rule DSLSageMaker
Configurable rule engine with business-team UI
Business-editable rules with governance, versioning, A/B and full audit trail for the rule and the decisions it produces.
Drools / OPAReact workbenchPostgres event-sourcing
Audit evidence ledger
Event-sourced, append-only ledger keyed to every regulated decision — query-ready for regulator submissions.
Postgres event-sourcingS3 / GlacierOpenTelemetry
04 — Regulations
What this work has to comply with.
GlobalFATF RecommendationsUKMLR 2017USBSA / FinCEN AMLCAFINTRAC PCMLTFAUSOFAC sanctionsEUAMLD6GlobalFATCA / CRS
05 — Stack
What we build with.
Identity & KYC
OnfidoTruliooPersonaJumio
AML & sanctions
ComplyAdvantageRefinitiv World-CheckLexisNexis Bridger
Infrastructure
AWS Step FunctionsTemporalPostgres event-sourcingSnowflake
06 — Recent build
A KYC orchestration platform now powering 4 US issuers — built in 11 weeks.
A US card issuing platform was using a single KYC vendor and had outgrown it on both coverage and cost. They needed a second vendor for low-risk applicants (cheaper, faster) and a third vendor for high-risk applicants (deeper verification) — without rebuilding the customer journey three times.
We delivered a KYC orchestration platform in 11 weeks: a normalised verification model above three vendor adapters, with a risk-based-approach routing layer that selected the right vendor per applicant based on declared characteristics and journey signals.
Within six months the client had onboarded three additional issuing programmes onto the same orchestration layer — each with a different vendor mix, none requiring journey changes. The verification cost per applicant fell ~35% across the portfolio.
11 weeks
Build to production
4 programmes
Now on the same platform
35%
Cost-per-verification reduction
07 — FAQs
Questions we get every time.
What’s the difference between buying a KYC vendor and building KYC orchestration?
A KYC vendor verifies an identity. KYC orchestration decides which vendor to use, sequences the verification steps, integrates with your customer journey, manages the evidence layer and gives you the flexibility to switch vendors later. Most firms buy the vendor and then build the orchestration anyway, but build it badly. The right pattern is to plan for orchestration from day one, even if you only use one vendor at launch.
How do you abstract identity vendors without losing per-vendor capability?
A normalised verification model that covers the common cases (identity confirmed, identity inconclusive, identity rejected) plus a vendor-specific capability layer that surfaces vendor-unique features (e.g. Onfido’s facial similarity vs Trulioo’s data-source verification). The journey reads the normalised model by default; specialised flows can read the vendor-specific layer when they need to. Switching vendors then affects only the adapter and any specialised flows — not the main journey.
What’s the right architecture for a configurable AML rule engine?
Three layers: a business-team-editable rule DSL with strong typing and validation; a governance layer that controls who can edit what (an analyst can propose a rule change; a compliance officer must approve it; the rule deploys via A/B); and an audit layer that retains every rule version, every change, every approval and the decisions produced by each rule version. Plus shadow-mode testing for new rules before they go live.
How do you handle false positives in transaction monitoring at scale?
Tiered triage. The rule layer fires alerts; a model layer scores them; investigators see only the high-priority alerts. Lower-priority alerts get auto-closed with full audit trail, retained for periodic sampling and feedback into the model. The model is retrained on investigator outcomes so its scoring improves over time. The non-obvious thing is that the rule layer matters more than the model — overly broad rules create noise the model can’t fully filter, so investing in rule precision is usually higher-leverage than investing in model accuracy.
What evidence does FINTRAC / FinCEN actually ask for in an audit?
Three things consistently: (1) that the controls described in your policies are the controls actually running in production; (2) that every regulated decision can be reconstructed end-to-end from immutable evidence — what was verified, what data was used, what rule fired, who approved; and (3) that exceptions (rule overrides, manual approvals) are themselves audit-trailed and reviewed. The third is where most platforms fall short — exceptions get made and the audit trail records the override but not the reasoning.
— Adjacent practices
Most builds combine two or three.
Scoping a regulatory technology build?
Send us a few sentences. We’ll come back inside three business days with a credible delivery plan and a date.