NDA-Safe Financial Crime AML/KYC Real-Time Detection

Real-time financial crime detection for a UK tier-1 bank.

Event-driven transaction monitoring pipeline replacing legacy batch-based AML with sub-second risk scoring, automated alert triage, and regulator-ready audit evidence.

Key Outcomes
  • Sub-500ms: Every transaction risk-scored before settlement
  • 85% Fewer Alerts: ML models trained on bank-specific behavioural patterns
  • Auto SAR Filing: Reports auto-generated with full evidence chain
  • 50M+ / Month: Production pipeline at full transaction volume

"They replaced our overnight batch AML with a system that scores every transaction in real time. Our compliance team went from drowning in false positives to investigating genuine threats."

Chief Compliance Officer, UK Tier-1 Bank
  • Engagement length: ~8mo
  • Transactions processed per month: 50M+
  • Compliance frameworks: FCA/JMLSG
  • Infrastructure as Code: 100%
  • Live: In production, zero downtime
Executive Summary

From overnight batches to real-time intelligence

A UK tier-1 bank was running a legacy AML system that processed transactions in overnight batches. Suspicious activity was flagged 24 to 48 hours after the transaction occurred, by which time funds had already moved. The compliance team was overwhelmed by false positives, with over 95% of alerts turning out to be benign, while genuine threats slipped through undetected. With the FCA increasing pressure on banks to demonstrate real-time monitoring capabilities, the bank engaged Stratus Partners to replace the entire detection pipeline with an event-driven architecture capable of scoring every transaction in real time.

| Capability | Legacy Batch AML | Real-Time Detection Pipeline |
| --- | --- | --- |
| Detection Speed | Overnight batch processing. Fraud discovered 24 to 48 hours after the transaction | Sub-500ms. Every transaction scored before settlement. |
| Alert Quality | 95%+ false positive rate. Compliance team overwhelmed with noise | ML-driven scoring. 85% reduction in false positives. Analysts investigate real threats. |
| SAR Filing | Manual process. Weeks of evidence gathering per Suspicious Activity Report | Automated. AI-generated narratives with full evidence chain. Filing-ready in minutes. |
| Audit Readiness | Spreadsheet-based evidence. Weeks to prepare for FCA review | Always audit-ready. Immutable logs, model version tracking, decision traceability. |
| Scalability | Fixed capacity. Degraded during peak periods (month-end, payroll) | Auto-scaling. Handles 50M+ transactions/month with consistent sub-500ms latency. |

Strategic Architecture Overview

Real-Time Transaction Monitoring Pipeline

Transactions flow from the payment switch through Kafka into the scoring engine. ML models and rule engines evaluate risk in parallel. High-risk transactions trigger automated alerts routed to compliance analysts.

  • Inline Scoring: The fraud engine sits inside the payment flow, scoring transactions before they settle. Not after.
  • Dual Detection: ML behavioural models and deterministic rule engines run in parallel. ML catches novel patterns. Rules catch known threats.
  • Closed Loop: Analyst decisions feed back into the ML model. The system gets smarter with every investigation.
flowchart LR
    PS["Payment\nSwitch"] --> Kafka["Kafka / Kinesis\n(Event Stream)"]
    Kafka --> SE["Scoring Engine\n(ECS Fargate)"]
    SE --> ML["ML Models\n(SageMaker)"]
    SE --> RE["Rule Engine\n(DynamoDB)"]
    ML --> SE
    RE --> SE
    SE --> Decision["Decision:\nApprove / Flag / Block"]
    Decision -->|"Flag"| AQ["Alert Queue"]
    AQ --> CD["Compliance\nDashboard"]
    CD --> SAR["SAR Generator"]
    CD -.->|"Analyst Decisions"| ML

    style PS fill:#6b21a8,stroke:#7c3aed,color:#fff
    style Kafka fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style SE fill:#4c1d95,stroke:#7c3aed,color:#fff
    style ML fill:#6b21a8,stroke:#7c3aed,color:#fff
    style RE fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style Decision fill:#4c1d95,stroke:#7c3aed,color:#fff
    style AQ fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style CD fill:#1a1a2e,stroke:#7c3aed,color:#fff
    style SAR fill:#6b21a8,stroke:#7c3aed,color:#fff

Architecture Overview

The Detection Architecture Stack

Every tool earns its place by solving a specific detection or compliance requirement.

Detection Layer
The Scoring Engine
  • Amazon MSK (Managed Kafka): Real-time event streaming from payment switch and core banking. Handles 50M+ events/month with exactly-once delivery.
  • Amazon SageMaker: ML model serving for behavioural risk scoring. Models retrained weekly on analyst feedback. Sub-100ms inference.
  • Amazon DynamoDB: Low-latency rule lookups. Sanctions lists, velocity checks, geographic impossibility rules evaluated in parallel with ML scoring.
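
An added example, not the bank's or Stratus Partners' code, of how the rule checks named above (sanctions lookup, velocity, geographic impossibility) can be combined with an ML score into the Approve / Flag / Block decision. The thresholds, the in-memory history standing in for DynamoDB, the sanctioned account ID and the `ml_score` input (standing in for the model endpoint's output) are all assumptions.

```python
import math
from collections import deque

# Every constant below is an assumption chosen for illustration.
SANCTIONED = {"ACC-SANCTIONED-001"}       # constructed sample list entry
VELOCITY_WINDOW_S, VELOCITY_MAX = 60, 3   # flag once 3 payments already sit in the last 60 s
MAX_SPEED_KMH = 900                       # faster than an airliner: treat as impossible travel
FLAG_AT, BLOCK_AT = 0.6, 0.9              # ML score thresholds

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

class RuleEngine:
    """Deterministic rules evaluated per transaction, with per-account history."""
    def __init__(self):
        self.history = {}  # account -> deque of (timestamp, location)

    def evaluate(self, tx):
        hits = []
        if tx["beneficiary"] in SANCTIONED:
            hits.append("sanctions")
        past = self.history.setdefault(tx["account"], deque(maxlen=50))
        recent = [p for p in past if tx["ts"] - p[0] <= VELOCITY_WINDOW_S]
        if len(recent) >= VELOCITY_MAX:
            hits.append("velocity")
        if past:
            last_ts, last_loc = past[-1]
            hours = max(tx["ts"] - last_ts, 1) / 3600  # floor at 1 s: no divide-by-zero
            if km_between(last_loc, tx["loc"]) / hours > MAX_SPEED_KMH:
                hits.append("geo_impossible")
        past.append((tx["ts"], tx["loc"]))
        return hits

def decide(rule_hits, ml_score):
    """Merge both detectors: a sanctions hit or a very high score blocks outright."""
    if "sanctions" in rule_hits or ml_score >= BLOCK_AT:
        return "Block"
    if rule_hits or ml_score >= FLAG_AT:
        return "Flag"
    return "Approve"
```

Because `decide` takes the rule hits and the score as separate inputs, a low ML score cannot override a rule hit, and a clean rule result cannot override a high score.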
Intelligence Layer
The Investigation Platform
  • Amazon ECS Fargate: Scoring microservice and alert routing. Auto-scales during peak transaction periods without manual intervention.
  • Amazon S3 + Athena: Immutable transaction audit trail. Every score, decision, and model version stored for regulatory evidence.
  • Amazon OpenSearch: Real-time compliance dashboard. Case management, alert triage, and investigation workflows for the compliance team.
Operating Model

From reactive batch processing to proactive intelligence

Detection now happens inside the payment flow, not after it. Every transaction is scored, every decision is logged, and every model is versioned for regulatory traceability.
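
One way to make such a decision log tamper-evident is to hash-chain its records. This is an added example, not the implementation described on this page; the record fields, transaction IDs, analyst name and model version labels are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder hash that precedes the first record

def _digest(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(log, tx_id, score, decision, model_version, analyst=None):
    """Append one scoring decision, linked to the hash of the previous record."""
    body = {
        "seq": len(log),
        "tx_id": tx_id,
        "score": score,
        "decision": decision,
        "model_version": model_version,
        "analyst": analyst,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def verify_chain(log):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def build_sample_log():
    """Three constructed records spanning two model versions."""
    log = []
    append_record(log, "TX-0001", 0.12, "Approve", "model-v1")
    append_record(log, "TX-0002", 0.71, "Flag", "model-v1", analyst="analyst-a")
    append_record(log, "TX-0003", 0.93, "Block", "model-v2")
    return log
```

A chain only proves integrity if the latest hash is also kept somewhere the log writer cannot overwrite, such as write-once storage.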

What changed operationally
  • Real-Time by Default: Every transaction is now scored within the payment flow itself. No more overnight batches. No more 24-hour detection gaps where funds can disappear.
  • Intelligence-Driven Detection: ML models learn continuously from the bank's own transaction patterns and analyst feedback. Detection accuracy improves over time without manual rule updates.
  • Automated Compliance Workflow: SAR narratives are auto-generated with supporting evidence. Filing preparation that previously took weeks is now completed in minutes.
Deliverables
  • Event-driven streaming pipeline on Amazon MSK with exactly-once processing guarantees
  • ML scoring models trained on 12 months of the bank's historical transaction data and analyst decisions
  • Real-time compliance dashboard with alert triage, case management, and full investigation workflows
  • Automated SAR generation with AI-written narratives and a complete evidence chain per case
  • Regulatory evidence pack including model governance documentation, decision audit trail, and FCA/JMLSG compliance mapping
Compliance Automation

FCA-ready, continuously

The FCA's Senior Managers Regime holds individuals personally accountable for AML failures. JMLSG guidance demands risk-based, proportionate monitoring. This architecture satisfies both frameworks by embedding compliance directly into the detection pipeline, not bolting it on afterwards.

Regulatory Controls Enforced
  • FCA Senior Managers Regime: Full decision audit trail. Every alert, investigation, and filing linked to the responsible individual with timestamp and rationale.
  • JMLSG Guidance: Risk-based approach implemented via ML scoring. High-risk customers and transaction patterns receive enhanced monitoring automatically.
  • SAR Filing (UKFIU): Suspicious Activity Reports auto-generated with AI narratives, supporting evidence, and submission-ready formatting.
Outcome
  • Zero regulatory findings: Passed FCA thematic review on transaction monitoring controls with fully automated evidence packs.
  • 85% reduction in false positives: Compliance analysts now spend their time investigating genuine threats instead of clearing noise from the queue.
  • Real-time regulatory visibility: Compliance officers monitor transaction risk as it happens, not in yesterday's batch report. Suspicious patterns are surfaced in seconds, not days.
Financial Crime Detection

Is Your AML System Keeping Up?

Legacy batch-based AML systems leave banks exposed for hours. The CRRI assessment benchmarks your detection capabilities and identifies where real-time monitoring would have the greatest impact.