AWS Architecture Blog
Modernizing KYC with AWS serverless solutions and agentic AI for financial services
Regulators worldwide require financial institutions to implement Know Your Customer (KYC) processes that help prevent money laundering, terrorist financing, fraud, and identity theft. KYC has evolved from a compliance checkbox to a core security function for financial institutions. Financial institutions must modernize their KYC architectures because of several factors: rising transaction volumes, increasing regulatory complexity, and customer demands for instant onboarding. Legacy systems create multiple problems: they slow down compliance processes and expose institutions to both operational risks and regulatory penalties. Traditional KYC orchestration systems, often built on monolithic architectures, struggle to meet these demands because of latency, availability, and scalability challenges. Their reliance on batch processing and manual handoffs leads to higher operational costs and impedes real-time compliance validation, reinforcing the need for architectural modernization.
This post extends IBM’s approach to real-time KYC validation using generative AI, as previously discussed in the post IBM Digital KYC on AWS uses Generative AI to transform Client Onboarding and KYC Operations. It uses agentic AI, event-driven architecture, and AWS serverless services to transform compliance operations through autonomous decision-making and intelligent automation. The solution addresses the fundamental limitations of traditional rule-based systems by providing autonomous decision-making, dynamic adaptation, and intelligent automation.
Financial institutions can break down KYC workflows into separate business functions. Amazon Managed Streaming for Apache Kafka (Amazon MSK) handles real-time event streaming, which speeds up processing. Amazon Bedrock automates document analysis and risk assessment with AI. AWS Lambda provides serverless computing that scales on demand and supports instant customer onboarding.
The critical role of KYC
KYC protects financial systems by verifying customer identities and detecting fraud in four ways. It supports regulatory compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. It helps prevent fraud by detecting identity theft and forged documents. It manages risk by assessing customer profiles and monitoring transactions. And it builds customer trust through transparency. As financial institutions broaden their footprint across products, industries, and regions, KYC compliance becomes increasingly complex. Each financial service offering presents unique requirements, from traditional banking to digital wallets, investment systems, and cryptocurrency services. Expansion into retail, SME, and corporate segments brings diverse identity structures and risk profiles. Operating across multiple jurisdictions requires navigation of various regulatory frameworks. These frameworks include the Bank Secrecy Act (BSA) and USA PATRIOT Act in the US, Anti-Money Laundering Directives (AMLD) in the EU, and guidelines from international regulators like the Monetary Authority of Singapore (MAS) and Financial Action Task Force (FATF).
Traditional KYC
Traditional KYC processes verify customer identities, assess risk, and monitor for money laundering. They rely on manual document collection, identity checks across multiple databases, and periodic reviews. While these established processes have served the financial industry for decades, they were designed for a different era with lower transaction volumes, simpler product offerings, and less sophisticated threat landscapes. Today’s digital-first financial environment demands a fundamental reimagining of KYC at scale.
Current challenges
Legacy systems create several bottlenecks. They process requests in batches rather than real-time, making instant onboarding impossible. Manual validation across jurisdictions leads to inconsistent compliance. Without event-driven capabilities, these systems can’t integrate with modern AI and machine learning (ML) services or adapt to new fraud patterns without manual reconfiguration.
Cloud-native KYC solution architecture using agentic AI
This architecture illustrates a comprehensive cloud-native real-time KYC validation system designed to process live customer onboarding requests and validate identity information using AI-powered automation. The architecture uses an event-driven pipeline to process high-volume KYC validations securely in under 5 minutes. The system processes real-time KYC requests containing sensitive financial data including PII while maintaining strict security and regulatory compliance requirements across multiple geographies.
High-level Agentic Architecture for real-time KYC
This architecture diagram illustrates an AI-driven Know Your Customer (KYC) Orchestration Framework built using Amazon Bedrock AgentCore and Amazon Managed Streaming for Apache Kafka (Amazon MSK). The design showcases how multiple specialized AI agents collaborate to automate and optimize KYC workflows, from document ingestion to compliance validation and fraud detection, while maintaining real-time integration with on-premises financial systems.
At the heart of the architecture is the AgentCore Runtime Environment, which provides native orchestration capabilities, session management, and memory persistence. Within this runtime, the KYC Orchestration Supervisor Agent acts as the intelligent coordinator, delegating tasks to five domain-specific sub-agents: Identity Verification, Document Analysis, Fraud Detection, Compliance & Risk, and Customer Experience. Unlike traditional multi-agent systems, AgentCore provides built-in session state management, shared memory across sub-agents, and automatic context preservation throughout asynchronous processing workflows.
The architecture uses asynchronous invocation patterns where MSK consumers trigger AgentCore processing without blocking, enabling sub-5-minute processing times while handling thousands of concurrent KYC requests. Lambda functions serve as the integration layer, consuming events from MSK, invoking AgentCore asynchronously, and publishing results back to Kafka topics for downstream system consumption.
Each sub-agent uses foundation models hosted on Amazon Bedrock for tasks such as optical character recognition (OCR), language processing, behavioral analysis, and regulatory interpretation. These agents operate within the AgentCore Runtime, sharing context through AgentCore Memory (a built-in feature of Bedrock AgentCore that automatically manages session state and context) and accessing external systems through tools defined using OpenAPI schemas and Lambda targets.
The agents use KYC Knowledge Bases, powered by Amazon OpenSearch Serverless and Amazon Simple Storage Service (Amazon S3), to access contextual information from internal policies, compliance rules, vendor documentation, and regulations. This approach provides consistent, explainable, and policy-aligned decision-making. These knowledge bases integrate with AgentCore’s retrieval mechanisms, providing sub-agents with grounded information during processing.
Finally, the solution connects with existing on-premises systems, such as customer management, transaction monitoring, case management, risk/AML systems, and core banking systems. These connections use tools defined with OpenAPI schemas as targets and Lambda-based integrations using AgentCore Gateway. AgentCore Gateway uses these OpenAPI specifications to understand API contracts, handle authentication, validate requests and responses, and manage retries. AgentCore Identity manages authentication and authorization for agents and their tool access, so that only authorized sub-agents can invoke specific tools and access the Knowledge Base. With this approach, financial institutions can achieve an intelligent, scalable, and compliance-aligned KYC process that minimizes manual intervention, improves onboarding speed, and reduces fraud and regulatory risks.
Solution Components
Event-Driven Communication Infrastructure with Amazon MSK
Amazon MSK serves as the communication backbone, enabling asynchronous, real-time message exchange between agentic AI components and enterprise systems. The streaming infrastructure organizes into distinct topic categories supporting bi-directional flows.
Inbound topics capture customer interactions through KYC requests (new applications), document uploads (identity documents), ID verification results (third-party vendor responses), and transaction events (fraud/risk signals). Event listeners pre-process these streams. These listeners filter onboarding requests, prepare documents for OCR, normalize vendor data formats, and correlate transaction signals with customer profiles.
Outbound topics publish KYC decisions with confidence scores and audit trails to core banking systems, route complex cases to human reviewers through case management events, and trigger fraud alerts to security teams. With this decoupled architecture, you can achieve sub-5-minute processing while maintaining full event auditability and allowing independent scaling of individual agents based on workload patterns.
Agentic AI Orchestration Layer
KYC Orchestration Supervisor Agent
The Supervisor Agent implements intelligent routing logic using Amazon Bedrock AgentCore to dynamically determine optimal sub-agent collaboration patterns. Unlike rule-based systems following rigid workflows, the supervisor analyzes case characteristics (document types, customer geography, risk indicators, and historical patterns) to construct context-aware execution plans that invoke sub-agents in parallel or sequentially based on dependencies. The supervisor monitors sub-agent confidence scores to guide decision-making: high confidence (>95%) results in automatic approvals, medium confidence (75-95%) triggers additional verification, and low confidence (<75%) escalates to human review with comprehensive context.
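As an added illustration of the inbound/outbound topic flow described under Amazon MSK and of the supervisor's confidence bands above (example code written for this post, not code from the original article or from IBM or AWS): a Lambda consumer that decodes a batch in the shape Lambda delivers from an MSK event source, keeps only onboarding requests, and routes each agent result to the outbound topics. The outbound topic names, the `run_agent` callback standing in for the asynchronous AgentCore invocation, and the sample records are assumptions constructed for the example.

```python
import base64
import json
# Supervisor bands from the post: >95% auto-approve, 75-95% extra verification, <75% human review.
AUTO_APPROVE, NEEDS_VERIFICATION = 0.95, 0.75
# Outbound topic names are assumptions for this example.
TOPIC_DECISIONS, TOPIC_CASES, TOPIC_FRAUD = "kyc-decisions", "case-management-events", "fraud-alerts"

def decode_msk_records(event):
    # Lambda groups MSK records by "topic-partition" with base64 values; non-JSON values are skipped, not fatal.
    out = []
    for batch in event.get("records", {}).values():
        for rec in batch:
            try:
                payload = json.loads(base64.b64decode(rec["value"]))
            except (KeyError, ValueError):
                continue
            out.append({"topic": rec["topic"], "offset": rec["offset"], "payload": payload})
    return out

def route(c):
    return "approve" if c > AUTO_APPROVE else "additional_verification" if c >= NEEDS_VERIFICATION else "human_review"

def handle(event, run_agent):
    # run_agent is an injected stand-in for the asynchronous AgentCore invocation and returns
    # {"confidence": float, "fraud": bool}; results are grouped per outbound topic.
    outbound = {TOPIC_DECISIONS: [], TOPIC_CASES: [], TOPIC_FRAUD: []}
    for rec in decode_msk_records(event):
        if rec["topic"] != "kyc-requests":  # this listener handles onboarding requests only
            continue
        result = run_agent(rec["payload"])
        app, action = rec["payload"]["application_id"], route(result["confidence"])
        audit = {"source_offset": rec["offset"], "confidence": result["confidence"]}
        outbound[TOPIC_DECISIONS].append({"application_id": app, "action": action, "audit": audit})
        if action == "human_review":  # escalate with the full agent context for the reviewer
            outbound[TOPIC_CASES].append({"application_id": app, "context": result, "audit": audit})
        if result.get("fraud"):  # alert the security team regardless of the routing outcome
            outbound[TOPIC_FRAUD].append({"application_id": app, "audit": audit})
    return outbound

def _b64(obj):  # helper for building the constructed sample below
    return base64.b64encode(json.dumps(obj).encode()).decode()

SAMPLE_EVENT = {"eventSource": "aws:kafka", "records": {  # constructed batch in the Lambda MSK event shape
    "kyc-requests-0": [
        {"topic": "kyc-requests", "offset": 15, "value": _b64({"application_id": "app-1"})},
        {"topic": "kyc-requests", "offset": 16, "value": "bm90LWpzb24="}],  # value decodes to "not-json"
    "document-uploads-0": [{"topic": "document-uploads", "offset": 3, "value": _b64({"application_id": "app-2"})}]}}

def fake_agent(payload):  # constructed scores: app-1 is low-confidence with a fraud signal
    return {"app-1": {"confidence": 0.6, "fraud": True}}.get(payload["application_id"], {"confidence": 0.99, "fraud": False})
```

In a deployed function the per-topic lists would be published back to Kafka; the audit entry keeps the source offset so each decision can be traced to the inbound record.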
Five Specialized Sub-Agents operate as autonomous decision-makers, each using foundation models for domain-specific tasks:
- Identity Verification Sub-Agent validates customer identities against watchlists and sanctions databases. It calls third-party verification APIs and uses natural language processing to handle name variations.
- Document Analysis Sub-Agent extracts data from identity documents using OCR. The agent handles poor image quality and multiple languages and detects forgery by analyzing watermarks and security features.
- Fraud Detection Sub-Agent identifies suspicious patterns through behavioral analysis. The agent detects multiple applications from the same IP address or inconsistent information across form fields. It correlates current applications with historical fraud cases using semantic similarity search and maintains dynamic risk scores with explainable fraud assessments.
- Compliance & Risk Sub-Agent supports regulatory adherence by interpreting jurisdiction-specific KYC requirements across different geographies. It translates regulatory frameworks into concrete validation actions and generates compliance attestations with audit trails for regulatory examinations.
- Customer Experience Sub-Agent optimizes the onboarding journey by analyzing application progress in real time, identifying friction points, and recommending strategies to reduce abandonment while identifying upselling opportunities based on customer profiles.
Intelligent Knowledge Management Architecture
The KYC Knowledge Base implements a retrieval augmented generation (RAG) pattern that grounds agent decisions in factual, current information rather than relying solely on foundation model training. Amazon S3 stores source documents, including regulations from financial authorities, institution-specific compliance rules, internal policies, and vendor documentation, and is configured to track changes over time. Documents undergo automated preprocessing for text extraction, metadata enrichment, and quality validation before the system indexes them. Amazon OpenSearch Serverless provides semantic search using vector embeddings generated by Amazon Bedrock. When agents query using natural language questions, the system embeds the queries into the same vector space and identifies semantically relevant document chunks through cosine similarity search, improving retrieval accuracy over keyword matching.
Context-aware retrieval enriches queries with case-specific information, including customer jurisdiction, document types, and risk levels – facilitating highly relevant regulatory guidance. This continuous knowledge access keeps agent decisions grounded in institutional knowledge rather than hallucinating responses.
Real-Time Decision Store (Amazon DynamoDB) complements the Knowledge Base with sub-millisecond access to frequently accessed structured data, including current KYC decision status, risk scores, customer interaction history, and dynamic configuration parameters controlling agent behavior.
Secure integration with on-premises financial systems
The architecture integrates with on-premises financial systems through Action Groups bridging the cloud-native agentic layer and existing enterprise infrastructure.
Customer Management Systems receive real-time KYC decisions, updating verification status and account activation flags. Transaction Monitoring Systems consume fraud alerts and risk scores, enabling immediate action on suspicious patterns. Case Management Systems receive escalated cases with comprehensive agent analysis context, accelerating human review. Risk and AML Systems integrate bidirectionally to maintain consistent risk assessments. Core Banking Systems receive approved validations, triggering account activation.
Secure connectivity through AWS Direct Connect or AWS Site-to-Site VPN provides encrypted data transmission over dedicated network paths. API calls include comprehensive audit logging through AWS CloudTrail and Amazon CloudWatch, satisfying regulatory requirements.
Security Considerations
The solution should incorporate multi-layered security controls, continuous monitoring, and automated compliance auditing to meet the rigorous expectations of financial regulators and internal risk teams. Financial institutions should conduct comprehensive threat modelling to identify risks, including those introduced by agentic AI systems. For further information, refer to Security Guidance.
Conclusion
This KYC architecture uses AWS serverless services and Amazon Bedrock to process validations faster and at scale. The parallel agent execution model is designed to reduce KYC validation time from the typical 3-5 days to near-real time for standard cases. This approach enables exponentially faster processing through simultaneous operation of Document Analysis, Identity Verification, and Fraud Detection agents rather than sequential workflows.
With this architecture, financial institutions can handle high-volume validations through elastic scaling, optimize costs through serverless pay-per-use pricing, and improve accuracy through multi-agent collaboration. Automated document processing and intelligent routing are expected to reduce manual review workload, allowing each compliance specialist to handle up to 4x their current caseload while focusing on complex cases requiring human expertise. Explainable AI decisions with comprehensive audit trails support regulatory compliance and enable rapid audit responses.
Event-driven architecture and agentic AI help financial institutions compete in digital landscapes while meeting regulatory requirements.
Note: The architecture presented here is for reference purposes only. IBM and AWS will work closely with you to execute a Proof of Concept and implementation plan in accordance with industry standards and compliance requirements.
Further Reading
- IBM Consulting on AWS
- AWS for Financial Services
- Best practices for right sizing your Apache Kafka clusters to optimize performance and cost
- How to choose the right Amazon MSK cluster type for you
- AWS Federal Information Processing Standard (FIPS) 140-3
- AWS PCI DSS
- Modernization of real-time payment orchestration on AWS
IBM Consulting is an AWS Premier Tier Services Partner that helps customers who use AWS to harness the power of innovation and drive their business transformation. They are recognized as a Global Systems Integrator (GSI) for over 30 competencies, including Financial Services Consulting. For additional information, please contact an IBM Representative.
