AI agents for banking & KYC/AML

Onboarding, screening, and case disposition — under strict allowlists.

KYC and AML agents run inside hard allowlists: only sanctioned models, only approved tools, only permitted actions. Every screening decision is explained, dual-controlled, and chained to its evidence — so a SAR or an examiner request is answered with a record, not a reconstruction.

Aligned with BSA/AML · OFAC · FinCEN · FFIEC · SOC 2

MCP Gateway
tool reqtool reqtool reqfirewallallowlistDLP in/outrate limitrisk scoreallowdeny
mcp ▸ managed registry · kill switch armed
The regulatory pressure

In AML, an unexplained decision is an unfiled obligation.

BSA/AML programs demand a documented, defensible basis for every onboarding, screening hit, and case disposition — and OFAC has no tolerance for a sanctioned counterparty slipping through. An agent that can't show why it cleared a name is a finding. Cortex confines the agent to an allowlist, requires dual control on dispositions, and chains every decision to the evidence behind it.

BSA/AMLOFACFinCEN · SARFFIECSOC 2ISO 27001
Regulatory pressure
BSA/AMLOFACFinCEN · SARFFIECSOC 2ISO 27001
Typed objectsCustomer · Case · Alert · Sanction · Disposition
Restrictedssn / dob / tax_idlocked
frameworks ▸ encoded as policy · gated · sealed
Use cases

Every agent boxed in by an allowlist.

Each agent is an identity-bound actor with allowed models, tools, and actions; the MCP gateway denies anything off the list, and dual control gates the disposition.

Customer onboarding (CDD)
  • Runs customer due diligence grounded to verified identity data, with restricted fields (SSN, DOB, tax ID) locked so they never enter a model prompt.
  • Ontology permissions
Sanctions & PEP screening
  • Screens against OFAC and PEP lists through approved tools only — the MCP gateway denies any off-allowlist data source with a 403.
  • MCP Gateway
Transaction monitoring triage
  • Triages AML alerts, explains the typology behind each, and escalates rather than auto-clearing — cost-capped so an alert storm can't blow the budget.
  • Cost governance
Case disposition (dual control)
  • Proposes a disposition; clearing or filing requires a second human approver, and break-glass overrides demand a mandatory audited reason.
  • Oversight & break-glass
SAR narrative assist
  • Drafts SAR narratives grounded to the case evidence, with every assertion chained to its source so the filing's basis is provable.
  • Trust Ledger
Allowlist + dual control + evidence chain

An agent that can only use approved models, tools, and actions — and can't dispose alone.

KYC/AML agents are the most tightly bounded in Cortex: identity binds them to an allowlist, the MCP gateway firewalls every tool call, and case disposition requires dual control. Off-allowlist anything fails closed with a 403, and the basis for every decision is chained to its evidence.

  • Agents bound to allowed models, tools, and actions — off-list calls denied 403
  • MCP gateway firewalls every tool request: allowlist, DLP, rate limit, risk score
  • Case disposition requires dual control; break-glass demands an audited reason
  • Every screening decision chained to its evidence for the SAR and the examiner
MCP Gateway
tool reqtool reqtool reqfirewallallowlistDLP in/outrate limitrisk scoreallowdeny
mcp ▸ managed registry · kill switch armed
Prove it — don't just claim it

The verdicts an examiner will challenge — and lose.

These are the literal runtime responses. Off the allowlist, the agent fails closed, on the record.

runtime · verdicts
Off-list modelmodel not on allowlist403 denied
Off-list toolMCP gateway · not registered404 unregistered
Solo dispositionno second approverHOLD · dual control
Cleared nameevidence chained · approved200 sealed
fail-closed ▸ challenge it and it denies, on the record
  1. 01

    Model the domain

    Map the work to typed ontology objects — Customer, Case, Alert, Sanction, Disposition — with restricted fields like ssn / dob / tax_id locked at the property level.

  2. 02

    Encode the rules

    Translate the obligations above into Policy-as-Code and Action Fabric approvals — the gates fail closed, returning a precise code, not a guess.

  3. 03

    Prove the outcome

    Every run lands in a hash-chained Trust Ledger with signed receipts and 10-hop provenance — a record you can hand the regulator.

4 filtersMCP firewall: allowlist · DLP · rate · risk
2-of-NDual control on case disposition
10-hopProvenance on every screening
256Chained SHA-256 sealing every record
Security & compliance

The tightest controls in the platform, mapped to your BSA program.

Allowlists, the MCP firewall, dual control, DLP, and detection & response are shared across onboarding, screening, and disposition — so you map once, to the obligations your BSA/AML program already documents. Aligned with, never claiming certification you don't hold.

BSA/AML · programOFAC · sanctionsFinCEN · SARFFIEC · examSOC 2 · auditISO 27001 · integrity
FAQ

AI agents for banking & kyc/aml — questions, answered.

How does Cortex stop a KYC agent from using an unapproved tool or model?

Each agent's identity binds it to an allowlist of permitted models, tools, and actions. The MCP gateway firewalls every tool request — allowlist, DLP, rate limit, risk score — and denies anything off-list with a 403, while an unregistered tool returns 404.

Does Cortex enforce dual control on AML case dispositions?

Yes. Disposition agents may only propose; clearing or filing a case requires a second human approver under oversight modes. Break-glass overrides are possible but demand a mandatory audited reason that is sealed into the ledger.

How is the basis for a screening decision documented?

Every screening decision is chained to its evidence in a 10-hop provenance graph and sealed into the tamper-evident Trust Ledger — so a SAR narrative or an examiner request is answered with a verifiable record.

How is customer PII protected during onboarding?

Restricted properties like SSN, date of birth, and tax ID are locked at the ontology property level (deny-by-default once governed) and redacted before any object reaches the model.

More industries

One governed runtime, every regulated vertical.

The controls are the same — the obligations they satisfy differ. Explore another vertical, or see the full set.

Answer the examiner with a record, not a reconstruction.

See the allowlist, the MCP firewall, and the dual-controlled disposition behind every KYC/AML decision.