Reference Architecture – KYC / AML Integration

  • Writer: Anand Nerurkar
  • Sep 30

1. Business Context

  • Business Drivers:

    • Regulatory compliance (RBI, SEBI, FATCA, OFAC, FIU-IND).

    • Prevent fraud, money laundering, and terrorist financing.

    • Speed up customer onboarding & reduce false positives.

  • Key Business Capabilities:

    • Customer Due Diligence (CDD), Enhanced Due Diligence (EDD).

    • Sanctions & Watchlist screening.

    • AML transaction monitoring.

    • Regulatory reporting (STR, CTR, NTR, CBWR).

2. Conceptual Architecture

  • Customer Onboarding Journey:

    1. Customer submits KYC documents (ID proof, address proof, PAN, Aadhaar, etc.).

    2. Data flows via API Gateway into bank’s KYC microservice.

    3. Real-time integration with external partners:

      • Fenergo (CDD/EDD workflows).

      • Experian / CIBIL (Credit score).

      • Dow Jones / Refinitiv (Sanctions screening).

    4. AML engine (Actimize, SAS, or bank’s in-house system) receives transactions via event bus (Kafka/NATS).

    5. AML generates alerts → case management system → Compliance officer review.

    6. Audit log + regulatory reporting (FIU-IND).

3. Logical Architecture

Layers & Responsibilities:

  • Channel Layer

    • Mobile app / Web app / Branch UI.

    • Input validation + document upload.

  • Integration Layer

    • API Gateway (Apigee / Azure API Mgmt).

    • Service Mesh (Istio on AKS).

    • Partner Adapters (Fenergo, Experian, Actimize).

  • Microservices Layer

    • KYC Service (OCR, Doc verification, e-KYC API to UIDAI).

    • Sanctions Screening Service (REST/SOAP APIs to Refinitiv, Dow Jones).

    • AML Orchestration Service (real-time rules engine).

    • Regulatory Reporting Service (CTR/STR generation).

  • Data Layer

    • Customer 360 DB (PostgreSQL / Azure SQL).

    • AML Event Store (Kafka topics, NoSQL DB).

    • Case Mgmt DB (MongoDB).

    • Audit DB (immutable logs in Elasticsearch).

  • Security Layer

    • IAM (Azure AD, SailPoint).

    • PKI encryption for partner API calls.

    • Tokenization for PII/PCI data.

    • SIEM (Splunk, Sentinel) for monitoring suspicious activity.
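The tokenization the Security Layer calls for (and that risk R2 relies on) can be shown concretely. This is an added example, not the bank's or any vendor's code: PII fields are replaced by keyed, deterministic tokens before an event reaches the AML event store, the clear-text values live only in a vault stand-in (assumed in-memory here; a real deployment uses a vault/HSM), and detokenization is role-gated.

```python
import hashlib
import hmac

PII_FIELDS = ("name", "pan", "aadhaar")  # fields that must never reach the AML event store in clear text

class TokenVault:
    """In-memory stand-in for a tokenization vault (hypothetical; a real deployment backs this with a vault/HSM)."""

    def __init__(self, key: bytes):
        self._key = key      # HMAC key; in production it stays in the HSM, never in application config
        self._store = {}     # token -> original value, the only place clear-text PII is kept

    def tokenize(self, field: str, value: str) -> str:
        # Keyed, deterministic digest: the same PAN always yields the same token, so events for one
        # customer still correlate in transaction monitoring, while nobody without the vault can reverse it.
        digest = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:24]
        token = f"tok_{field}_{digest}"
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reversal is an explicit, role-gated operation that should itself be written to the audit log."""
        if role != "compliance_officer":
            raise PermissionError("detokenization restricted to compliance officers")
        return self._store[token]

def mask(value: str, visible: int = 4) -> str:
    """Display form for case management screens: only the trailing characters remain."""
    return "X" * max(len(value) - visible, 0) + value[-visible:]

def tokenize_event(vault: TokenVault, event: dict) -> dict:
    """Return a copy of a transaction/KYC event with every PII field replaced by its token."""
    out = dict(event)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out
```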

4. Technology Reference

  • KYC: Fenergo, Nucleus FinnOne Neo add-ons, in-house microservices.

  • AML: NICE Actimize / SAS AML / Oracle Mantas.

  • Data Integration: Kafka, Azure Event Hub, MuleSoft, Informatica.

  • Compliance Reporting: Actimize ETL → FIU-IND XML Schema.

  • Monitoring: ELK / Grafana dashboards for transaction flow.

5. Deployment & Ops

  • Cloud-first: Deployed on AKS/EKS with Istio.

  • Active-Active: HA for partner API connectivity.

  • Resilience: Retry queues for failed partner API calls.

  • Chaos Engineering: Test resilience for partner API downtime.

  • Observability: Tracing (Jaeger/Zipkin), logs (ELK), metrics (Prometheus).

6. Security & Compliance

  • Zero Trust Security: Authenticate and authorize every API call; no implicit trust for internal callers.

  • Regulatory Controls: FATCA, AMLA 2002 (India), PCI DSS, GDPR.

  • Data Privacy: Pseudonymization, consent mgmt.

  • Auditability: Immutable logs stored in WORM storage.

7. KPIs

  • Onboarding TAT (Target: < 15 min for retail).

  • % False Positives reduced in AML.

  • % Alerts closed within SLA.

  • % API uptime (99.99%).

  • Compliance SLA adherence (100% STR submission before deadline).

  • Number of alerts per 1,000 transactions.

  • Average investigation time per AML case.

  • SLA adherence with regulators.

8. Reference Architecture Flow

  1. Customer onboarding request (mobile/web/branch).

  2. API Gateway routes to KYC service.

  3. Identity verification → document/biometric checks.

  4. Customer data enriched in MDM.

  5. Screening against sanctions/PEP lists.

  6. Risk score calculated → if high risk → EDD (Enhanced Due Diligence).

  7. Customer onboarded if passed.

  8. Transactions monitored in near real-time → flagged suspicious → sent to AML case management.

  9. Compliance officer reviews case → escalate/report to FIU-IND / regulator.


9. Risks & Mitigation

| Risk ID | Risk Name | Description | Category | Mitigation |
|---|---|---|---|---|
| R1 | False Positives | Too many alerts → manual overload | Ops | AI/ML false positive reduction |
| R2 | Data Privacy Breach | PII exposed | Security | Data masking, tokenization |
| R3 | Integration Failure | APIs to external providers fail | Tech | Retry logic, failover providers |
| R4 | Non-Compliance | Missed FIU-IND reporting deadlines | Compliance | Automated reporting + audit |
| R5 | Vendor Lock-in | Over-dependence on one AML vendor | Strategy | Multi-vendor integration |


✅ “Here’s the KYC/AML reference architecture I designed: A layered architecture where onboarding apps connect via API Gateway, KYC services integrate with external partners like Fenergo and Refinitiv, AML is driven by an event bus into Actimize, and reporting is automated into FIU-IND. Security is enforced by Zero Trust + IAM + tokenization. This setup ensures compliance by design, resilience, and fast onboarding.”


Customer Onboarding Time

When we talk about Customer Onboarding Time as a KPI in banking, it covers the entire compliance journey, not just account creation.

That means:

  1. KYC (Know Your Customer)

    • ID proof collection, document verification (passport, PAN, Aadhaar, driver’s license, etc.).

    • Biometric checks (face, liveness).

    • Cross-verification with government APIs (UIDAI, NSDL, CKYC in India, etc.).

  2. CDD (Customer Due Diligence)

    • Risk assessment based on geography, product, channel, occupation, transaction type.

    • Low/Medium risk → fast-track approval.

    • High risk → flagged for EDD.

  3. EDD (Enhanced Due Diligence)

    • Required for high-risk customers (e.g., PEPs, cross-border clients, high-value accounts).

    • Deep-dive checks → source of funds, adverse media search, multiple external data providers (Dow Jones, Refinitiv, World-Check).

  4. AML (Anti-Money Laundering Screening & Monitoring)

    • Real-time sanction/PEP list screening at onboarding.

    • AML transaction monitoring usually continues post-onboarding but the first-time baseline check happens during onboarding.

📌 So, the Customer Onboarding Time KPI is measured:

  • From: customer application submission (via branch, web, or mobile).

  • To: the onboarding decision (approval/rejection) after KYC + CDD/EDD + AML checks are completed.

🔹 In digital-first banks, the target is < 5–10 minutes for low/medium risk customers (using automated KYC/CDD/AML integrations).

🔹 For high-risk (EDD), it can take 24–48 hours since compliance officers need to review.
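The onboarding flow in sections 2 and 8 and the KYC/CDD/EDD/AML breakdown above can be put together as one decision function. This is an added example, not the bank's or any vendor's logic: the watchlist entries and the risk weights are constructed, the scoring uses the geography/product/channel/occupation factors the page lists under CDD, and a sanctions hit raises an alert for case management rather than deciding by itself.

```python
import re
import unicodedata

# Constructed sample lists; production screening uses licensed Dow Jones / Refinitiv feeds.
WATCHLIST = {
    "sanctions": ["Ivan Petrov Example", "Acme Shell Trading Example"],
    "pep": ["Rahul Example Sharma"],
}

# Illustrative CDD weights (an assumption, not the page's or any vendor's scoring model).
GEOGRAPHY_RISK = {"IN": 1, "SG": 1, "AE": 2}
PRODUCT_RISK = {"savings": 1, "personal_loan": 1, "trade_finance": 3}
CHANNEL_RISK = {"branch": 1, "web": 2, "mobile": 2}
OCCUPATION_RISK = {"salaried": 1, "self_employed": 2, "cash_intensive_business": 4}
UNKNOWN_RISK = 3  # anything not on a reference list scores conservatively

def normalise(name: str) -> str:
    """Fold accents, punctuation, spacing and case so a list match is not defeated by formatting."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z ]", " ", text.lower()).split())

def screen(name: str) -> list:
    """Return the lists ('sanctions', 'pep') on which the applicant name matches after normalisation."""
    key = normalise(name)
    return [lst for lst, entries in WATCHLIST.items() if any(normalise(e) == key for e in entries)]

def cdd_score(applicant: dict) -> int:
    """Sum the geography, product, channel and occupation factors the page lists under CDD."""
    return (GEOGRAPHY_RISK.get(applicant["country"], UNKNOWN_RISK)
            + PRODUCT_RISK.get(applicant["product"], UNKNOWN_RISK)
            + CHANNEL_RISK.get(applicant["channel"], UNKNOWN_RISK)
            + OCCUPATION_RISK.get(applicant["occupation"], UNKNOWN_RISK))

def onboarding_decision(applicant: dict) -> dict:
    """Screen, score, tier and route one applicant the way the flow describes."""
    hits = screen(applicant["name"])
    score = cdd_score(applicant)
    tier = "LOW" if score <= 5 else "MEDIUM" if score <= 8 else "HIGH"
    result = {"score": score, "tier": tier, "hits": hits}
    if "sanctions" in hits:
        # A sanctions hit becomes an alert for the case management system, never an automatic decision.
        result.update(decision="HOLD", route="case_management")
    elif "pep" in hits or tier == "HIGH":
        result.update(decision="PENDING", route="edd")   # high risk / PEP → Enhanced Due Diligence
    else:
        result.update(decision="APPROVE", route="onboard")  # low/medium → fast-track
    return result
```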




🌍 Transformation Story: Modernizing KYC / AML Architecture

1. Current State (As-Is)

  • Legacy monolithic KYC/AML system (often bundled in LOS/LMS or CBS).

  • Batch-based sanctions & AML checks (overnight jobs).

  • Manual onboarding (customer uploads docs → back-office staff verifies).

  • Multiple siloed systems (KYC in LOS, AML in CBS, Sanctions check in Excel tools).

  • Compliance reporting (STR, CTR) prepared manually and uploaded to FIU-IND.

  • High onboarding TAT (2–3 days for retail, 1–2 weeks for corporate).

  • Risks:

    • High false positives in AML alerts.

    • Inconsistent audit logs.

    • No partner API ecosystem.

    • Poor scalability.

2. Target State (To-Be)

  • API-first, event-driven, microservices-based KYC/AML architecture.

  • KYC microservice connects to UIDAI (e-KYC), NSDL (PAN), CKYC registry.

  • Fenergo integration for CDD/EDD workflows (configurable rule engine).

  • Actimize AML integrated via Kafka → near real-time monitoring.

  • Experian/CIBIL → credit score API integration.

  • Experian Hunter → fraud score.

  • Automated compliance reporting → CTR/STR/NTR/CBWR generated via ETL → FIU-IND portal.

  • Zero Trust Security + SailPoint for identity governance.

  • Audit by design: immutable logs in Elasticsearch/WORM storage.

  • Cloud-native deployment on AKS with Istio service mesh.

3. Migration Approach – Step by Step

Phase 1 – Discovery & Assessment

  • Build application inventory of all KYC/AML systems.

  • Conduct workshops with Compliance, Risk, Ops teams.

  • Use CAST Highlight / AIP to analyze legacy code for complexity.

  • Capture metadata in CMDB (ServiceNow): criticality, vendor dependency, business capability, data sensitivity.

  • Identify pain points (e.g., manual onboarding, batch delays).

Phase 2 – Business Capability Mapping

  • Define capabilities:

    • KYC (Doc verification, Sanctions screening, CDD/EDD).

    • AML (Transaction monitoring, Fraud detection).

    • Regulatory Reporting.

    • Case Management.

  • Map capabilities → services → applications → data → technology.

  • Identify gaps (no API integration, no real-time monitoring).

Phase 3 – Technology Selection

  • Compare vendors using Gartner Magic Quadrant + RFP evaluation.

  • Decide:

    • KYC → Fenergo + UIDAI/CKYC API integration.

    • AML → NICE Actimize on Azure.

    • Integration → Kafka + API Gateway + Istio.

    • Audit & Reporting → ELK + Actimize ETL → FIU-IND.

Phase 4 – Target Architecture Design

  • Build conceptual → logical → physical architecture.

  • Define integration adapters for legacy CBS (Finacle / TCS BaNCS).

  • Define canonical data model (Customer 360, Transaction 360).

  • Define security architecture:

    • IAM via Azure AD.

    • Identity governance via SailPoint.

    • Tokenization of PII.

    • SIEM for fraud alerts.

Phase 5 – Implementation & Migration

  • Pilot: Retail onboarding flow (personal loans).

  • Parallel Run: Modernized KYC/AML + legacy LOS.

  • Reconciliation jobs ensure both DBs are in sync.

  • Data migration: Cleanse customer profiles, load into new Customer 360.

  • Build real-time APIs for partner screening (Refinitiv, Dow Jones).

Phase 6 – Compliance & Reporting

  • Automate CTR, STR, NTR, CBWR reports → FIU-IND.

  • Audit logs → immutable storage.

  • Compliance dashboards for regulators.

Phase 7 – Operations & Continuous Improvement

  • DevSecOps pipeline with automated scanning (SAST/DAST).

  • Chaos engineering to simulate AML vendor downtime.

  • Continuous ML retraining → reduce false positives in AML alerts.

  • KPI dashboards:

    • Onboarding TAT.

    • % False positives reduced.

    • SLA compliance for regulatory reporting.

    • Partner API uptime.

4. Risks & Mitigation

  • Data mismatch (new vs legacy DB) → use reconciliation jobs + canonical data model.

  • Regulatory fines for non-compliance → automate FIU-IND reporting.

  • Partner API downtime → retry queues + fallback batch process.

  • High AML false positives → AI/ML retraining + rules tuning.

  • Resistance from Ops team → phased rollout + training.
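The "retry queues + fallback batch process" mitigation above, and the retry queues named under Resilience in section 5, are shown here as an added example (an assumed wrapper, not a vendor SDK): a partner screening call is retried with backoff, and when the partner stays down the applicant is deferred to a queue that a batch job drains later, while the decision fails closed so nobody is onboarded without the check.

```python
import time
from collections import deque

class PartnerUnavailable(Exception):
    """Raised by the adapter when the screening partner times out or returns a server error."""

class ScreeningClient:
    """Bounded retries with backoff around a partner screening call, then deferral to a
    retry queue drained by a fallback batch job. Assumed wrapper, not a vendor SDK."""

    def __init__(self, call, max_attempts=3, base_delay=0.5, sleep=time.sleep):
        self._call = call                  # callable(applicant) -> list of list hits
        self._max_attempts = max_attempts
        self._base_delay = base_delay
        self._sleep = sleep                # injectable so tests run without real waits
        self.retry_queue = deque()         # applicants whose check could not complete

    def screen(self, applicant: dict) -> dict:
        for attempt in range(1, self._max_attempts + 1):
            try:
                hits = self._call(applicant)
                # A hit means review, not onboarding; an empty result may proceed.
                return {"status": "SCREENED", "hits": hits, "attempts": attempt, "may_onboard": not hits}
            except PartnerUnavailable:
                if attempt < self._max_attempts:
                    self._sleep(self._base_delay * 2 ** (attempt - 1))  # exponential backoff
        # Fail closed: an unscreened applicant is held, never approved by default.
        self.retry_queue.append(applicant)
        return {"status": "DEFERRED", "hits": None, "attempts": self._max_attempts, "may_onboard": False}

    def replay(self) -> int:
        """Fallback batch process: re-run every deferred check once; returns how many are still deferred."""
        pending = list(self.retry_queue)
        self.retry_queue.clear()          # screen() re-queues anything that fails again
        for applicant in pending:
            self.screen(applicant)
        return len(self.retry_queue)
```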

5. Tools & Frameworks

  • TOGAF → Architecture Development Method (ADM).

  • SABSA → Security architecture.

  • CAST Highlight → legacy code complexity.

  • vFunction → microservices extraction from monolith.

  • ServiceNow CMDB → Application inventory & metadata.

  • Gartner TIME + 6R Strategy → migration categorization.


✅ “As an Enterprise Architect, I drove the KYC/AML modernization by applying TOGAF for the overall roadmap and SABSA for security. We assessed existing LOS/AML systems using CAST and CMDB data, defined capability maps (CDD, AML monitoring, regulatory reporting), and selected vendors like Fenergo and Actimize. We built an event-driven, API-first architecture deployed on AKS with Istio. Compliance was by design with automated FIU-IND reporting. We managed risks like DB reconciliation and API downtime via canonical models and retry queues. This reduced onboarding TAT by 70%, improved compliance accuracy, and gave the bank a scalable partner-ready architecture.”

