James Aspinwall — February 2026
Know Your Customer is a pipeline problem. Identity verification, sanctions screening, PEP checks, adverse media, risk scoring — each step depends on data from the previous steps, some can run in parallel, and the decision at the end (approve, review, escalate, decline) has regulatory consequences that persist for the life of the relationship.
This agent orchestrates the pipeline. It sequences the checks, parallelizes what can be parallelized, makes the escalate-vs-auto-approve decision, and writes a review summary for each applicant. Edge cases — partial PEP matches, sanctions near-misses — get escalated with reasoning the compliance officer can act on immediately.
The Regulatory Framework
German KYC obligations sit across three layers of regulation.
GwG (Geldwäschegesetz)
The German Money Laundering Act implements EU AML Directives into national law.
Section 10 — General CDD: Identify the customer, verify their identity using reliable documents, identify the beneficial owner, understand the purpose and nature of the business relationship.
Section 14 — Simplified Due Diligence (SDD): Permitted for lower-risk scenarios — listed companies, certain government entities, domestic transactions below thresholds. Lighter documentation, less frequent review.
Section 15 — Enhanced Due Diligence (EDD): Mandatory for PEPs, customers from high-risk third countries, complex or unusual transactions, and any situation the institution’s risk analysis identifies as higher risk. EDD means: senior management approval, source of wealth documentation, enhanced ongoing monitoring.
Section 8 — Record Retention: All KYC data retained for minimum 5 years after the business relationship ends. Maximum 10 years — must be destroyed after. Retention period starts at the end of the calendar year in which the relationship terminates.
Section 43 — Suspicious activity: If during KYC the institution identifies grounds for suspicion, a Verdachtsmeldung must be filed with the FIU.
Section 47 — Tipping off: The applicant must not be informed that suspicion has been identified or that a Verdachtsmeldung has been or will be filed. Violations are sanctionable under Section 56.
EU AML Directives and the New AMLR
4AMLD/5AMLD/6AMLD established the framework: CDD tiers, PEP definitions, beneficial ownership registers, crypto coverage.
AMLR (Regulation 2024/1624): The new single EU AML Rulebook. Directly applicable — no transposition. Harmonizes CDD rules across all 27 member states. Key change: prescribes specific KYC refresh intervals (every 5 years for low-risk, every year for high-risk). Takes full effect July 2027.
AMLA (Regulation 2024/1620): The new EU Anti-Money Laundering Authority in Frankfurt. Direct supervision of highest-risk cross-border entities. Operational by 2028.
FATF Recommendations
- Recommendation 1: Risk-based approach — measures proportional to identified risk
- Recommendation 10: Customer due diligence — the global standard for KYC
- Recommendation 12: PEP requirements — senior management approval, source of wealth, enhanced monitoring
- Recommendation 22: PEP requirements for non-financial businesses
Input: Applicant Data
Each onboarding record contains:
| Field | Purpose |
|---|---|
| name | Full legal name |
| date_of_birth | Identity verification, age checks |
| nationality | Geographic risk factor |
| document_type | Passport, Personalausweis, residence permit |
| document_id | Document number |
| address | Residential address |
| occupation | Customer risk factor |
| source_of_funds | Required for EDD |
Acceptable German identity documents (GwG Section 12, BaFin Circular 3/2017):
- German Personalausweis (national identity card) — including eID function for persons 16+
- German Reisepass (passport)
- Recognized foreign passports and identity cards
- Residence permit (Aufenthaltstitel)
- Birth certificate (minors under 16)
All documents must contain a machine-readable zone and verifiable optical security features for Video-Ident use.
For the demo: 20-30 mock applicants with varying risk profiles.
Processing: The Onboarding Pipeline
Phase 1 — Data Collection (Sequential)
Customer data intake and document upload. Must complete before any screening can begin.
Phase 2 — Verification (Parallelized)
Five independent checks run concurrently:
ID Document Verification: OCR, MRZ (machine-readable zone) extraction, security feature validation. For Video-Ident (BaFin Circular 3/2017): trained employees in locked rooms, real-time end-to-end encrypted video, liveness check (customer must move the document, tilt to show holographic features), full recording retained for 5 years.
Germany has also greenlit fully automated identification (GwVideoIdentV draft) — BSI-tested, 2-year trial period, but must NOT be used for persons with higher ML/TF risk indicators.
Sanctions Screening: Checked against: EU Consolidated Financial Sanctions List, UN Security Council Consolidated List, OFAC SDN List (if USD exposure), BaFin/Bundesbank restrictions.
Fuzzy matching is essential — sanctioned individuals use aliases, transliterations, and name variations. The industry uses hybrid algorithms:
| Algorithm | Best For | Typical Threshold |
|---|---|---|
| Jaro-Winkler | Individual names (prefix-weighted) | 0.80-0.90 |
| Levenshtein | Company/entity names | Varies by length |
| Soundex/Metaphone | Phonetic matching | Binary match |
Match score handling:
| Score | Classification | Action |
|---|---|---|
| 95-100 | Hard match | Immediate freeze, escalate to MLRO, decline |
| 85-94 | Near match | Manual review, additional data gathering |
| 75-84 | Possible match | Automated enrichment, context-based resolution |
| < 75 | No match | Auto-clear, log for audit |
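As an added example (not code from the page or from the agent it describes), the following Python implements Jaro-Winkler on normalised names and applies the two tables above: the tier thresholds, and a disposition that keeps hard and near matches with a human while auto-clearing a possible match only when the list entry carries a date of birth that differs from the applicant's, with the reason logged for audit. The list entries, list IDs and applicants are constructed test data; transliteration handling and surname-first ordering are left out.

```python
"""Sanctions name screening: Jaro-Winkler scoring, tier table and disposition.
Added example, not the page's own code. All list entries, list IDs and
applicants below are constructed test data."""
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import Optional


def norm(name: str) -> str:
    """Lower-case, strip diacritics and collapse whitespace before scoring."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().split())


def jaro(s: str, t: str) -> float:
    """Jaro similarity: characters matched within a window, penalised for transpositions."""
    if s == t:
        return 1.0
    if not s or not t:
        return 0.0
    window = max(0, max(len(s), len(t)) // 2 - 1)
    s_flags, t_flags = [False] * len(s), [False] * len(t)
    matches = 0
    for i, ch in enumerate(s):
        for j in range(max(0, i - window), min(len(t), i + window + 1)):
            if not t_flags[j] and t[j] == ch:
                s_flags[i] = t_flags[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    s_m = [c for c, f in zip(s, s_flags) if f]
    t_m = [c for c, f in zip(t, t_flags) if f]
    transpositions = sum(a != b for a, b in zip(s_m, t_m)) // 2
    return (matches / len(s) + matches / len(t) + (matches - transpositions) / matches) / 3


def jaro_winkler(s: str, t: str, p: float = 0.1, max_prefix: int = 4) -> float:
    """Boost the Jaro score for a shared prefix of up to four characters."""
    j = jaro(s, t)
    prefix = 0
    for a, b in zip(s[:max_prefix], t[:max_prefix]):
        if a != b:
            break
        prefix += 1
    return j + prefix * p * (1 - j)


def score(applicant_name: str, list_name: str) -> int:
    """0-100 match score on normalised names, on the scale of the tier table."""
    return round(100 * jaro_winkler(norm(applicant_name), norm(list_name)))


def tier(match_score: int) -> str:
    if match_score >= 95:
        return "hard_match"
    if match_score >= 85:
        return "near_match"
    return "possible_match" if match_score >= 75 else "no_match"


@dataclass(frozen=True)
class ListEntry:
    list_id: str          # constructed identifier, not a real designation
    name: str
    dob: Optional[date]   # many real entries carry no date of birth


@dataclass(frozen=True)
class Applicant:
    name: str
    dob: date


def screen(applicant: Applicant, entries: list) -> dict:
    """Score every entry and record action plus reasoning per hit. Hard matches go to
    the MLRO, near matches to an analyst; a possible match is auto-cleared only when
    the entry's date of birth differs from the applicant's, and that reason is logged."""
    hits = []
    for e in entries:
        s = score(applicant.name, e.name)
        t = tier(s)
        if t == "no_match":
            continue
        if t == "hard_match":
            action, reason = "freeze_escalate_mlro", "score >= 95: decline unless the MLRO rules otherwise"
        elif t == "near_match":
            action, reason = "manual_review", "score 85-94: analyst disposes with additional data"
        elif e.dob is not None and e.dob != applicant.dob:
            action, reason = "auto_clear", f"score 75-84 and DOB differs ({applicant.dob} vs {e.dob})"
        else:
            action, reason = "manual_review", "score 75-84 but the entry has no DOB to differentiate on"
        hits.append({"list_id": e.list_id, "entry": e.name, "score": s, "tier": t,
                     "action": action, "reason": reason})
    hits.sort(key=lambda h: -h["score"])
    actions = {h["action"] for h in hits}
    outcome = ("decline" if "freeze_escalate_mlro" in actions
               else "manual_review" if "manual_review" in actions else "clear")
    return {"applicant": applicant.name, "outcome": outcome, "hits": hits}


# Constructed sample list: names, IDs and dates are invented for this example.
SANCTIONS_LIST = [
    ListEntry("EU-FSF-0001", "Viktor Petrov", date(1965, 3, 12)),
    ListEntry("UN-SC-0003", "Viktor Petrenko", None),
    ListEntry("EU-FSF-0004", "Anna Müller", date(1980, 5, 5)),
]

if __name__ == "__main__":
    for a in (Applicant("Viktor Petrov", date(1978, 7, 24)), Applicant("Vladimir Petrov", date(1990, 2, 2))):
        print(screen(a, SANCTIONS_LIST))
```

Two things worth noticing when running it. Jaro-Winkler stays very high for long names that differ by one character (a single-letter spelling variant of a 13-character name scores above 95), so the hard-match tier catches transliteration variants as well as exact names, and the analyst, not the scorer, decides whether a differing date of birth on a hard match is a false positive. And an entry without a date of birth can never be auto-cleared here, which is why the second applicant lands in manual review even though the only hit is a low-confidence possible match.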
PEP Screening: Checked against commercial PEP databases (World-Check, Dow Jones, ComplyAdvantage). The EU definition (Directive 2015/849, Article 3(9)) covers: heads of state/government, ministers, parliamentarians, supreme court members, central bank board members, ambassadors, senior military officers, and state-owned enterprise directors.
Family members (spouse, children, parents) and close associates are also screened.
PEP declassification: minimum 12 months after leaving office (GwG and Directive 2015/849 Article 22). But FATF Recommendation 12 says no fixed time limit — risk assessment continues beyond the statutory minimum. In practice, institutions monitor for 3-5 years.
Adverse Media Screening: Search for negative news coverage: fraud investigations, money laundering allegations, sanctions evasion, corruption, organized crime connections. Multi-language search required.
Beneficial Ownership Identification: For legal entities: identify all natural persons who ultimately own or control more than 25% (GwG threshold). Trace through all layers of corporate structure. Check against the German Transparenzregister (transparency register).
Phase 3 — Risk Assessment (Sequential — depends on Phase 2)
Risk score calculated from four weighted dimensions:
Total Risk Score =
(Customer Risk × 0.40) +
(Geographic Risk × 0.25) +
(Product Risk × 0.20) +
(Channel Risk × 0.15)
Customer risk factors: Occupation (cash-intensive = higher), PEP status, adverse media, sanctions screening results, legal structure complexity, source of wealth clarity.
Geographic risk factors: EU high-risk third countries list (most recently updated December 2025 — added Russia, Bolivia, BVI), FATF grey/black list, Transparency International CPI, tax haven/secrecy jurisdiction status.
Product risk factors: Cash-intensive products (higher), private banking, correspondent banking, trade finance, virtual assets.
Channel risk factors: Non-face-to-face onboarding (higher), third-party introduced business.
Classification:
| Category | Score | CDD Level | Review Frequency | Approval |
|---|---|---|---|---|
| Low | 0-25 | SDD permitted | Every 5 years | Auto-approve possible |
| Medium | 26-50 | Standard CDD | Every 2-3 years | Standard review |
| High | 51-75 | EDD required | Every 1 year | Senior compliance officer |
| Prohibited | 76-100 | Decline | N/A | Decline and exit |
Phase 4 — Decision (Sequential — depends on Phase 3)
The LLM evaluates all screening results and risk score, then makes a recommendation:
Auto-approve (low risk, all checks clean): All screening negative, risk score of 25 or below, domestic customer, standard product. The “four eyes” principle (Vier-Augen-Prinzip) can be satisfied with the automated system as one “eye” if it is validated and auditable, with periodic quality assurance sampling as the second.
Manual review queue (medium risk or near-matches): Risk score 26-50, or any screening produced a near-match that was not auto-cleared. L1 analyst reviews.
EDD queue (high risk): PEP hit, high-risk country, complex beneficial ownership structure. Requires senior compliance officer. Source of wealth documentation mandatory. Senior management approval to establish the relationship.
Decline (sanctions hit, prohibited category): Hard sanctions match or prohibited risk profile. No relationship established. If a suspicious pattern was identified during the process, a Verdachtsmeldung may still be required.
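Phases 2 to 4 above, as an added example in Python (not the page's own implementation): Phase 2 runs the independent checks concurrently with asyncio.gather, Phase 3 applies the 0.40/0.25/0.20/0.15 weights and the tier table, and Phase 4 routes each case to auto-approve, manual review, EDD or decline, leaving the case in an awaiting_human state wherever the page says a person must decide. The reference sets (sanctioned names, a PEP register with a left-office date, high-risk countries, factor values per dimension) are constructed stand-ins, not real list content or a calibrated model; the beneficial-ownership check is omitted because the applicants are natural persons. The PEP check applies the 12-month minimum, so the same applicant is a PEP on one evaluation date and a former PEP, routed to risk-based review, on a later one.

```python
"""Onboarding orchestration: concurrent Phase 2 checks, weighted risk score,
tier table and decision routing. Added example, not the page's own code. The
reference sets and factor values below are constructed stand-ins, not real
list content or a calibrated scoring model."""
import asyncio
import unicodedata
from dataclasses import dataclass
from datetime import date

WEIGHTS = {"customer": 0.40, "geographic": 0.25, "product": 0.20, "channel": 0.15}
HIGH_RISK_COUNTRIES = {"RU", "IR", "KP"}              # constructed subset, not the official list
EU_EEA = {"DE", "FR", "AT", "NL", "IT", "ES"}          # constructed subset
SANCTIONED = {"sergei ivanov"}                         # constructed
ADVERSE_MEDIA = {"sergei ivanov", "tom weber"}         # constructed
PEPS = {"lena hoffmann": ("Bundestag member", None),             # still in office
        "klaus berger": ("State minister", date(2025, 9, 1))}   # left office on this date
CASH_INTENSIVE = {"restaurant owner", "car dealer", "casino operator"}
PRODUCT_RISK = {"current_account": 10, "private_banking": 50, "virtual_assets": 80}
CHANNEL_RISK = {"branch": 10, "eid": 20, "video_ident": 40}   # non-face-to-face scores higher
VALID_DOCS = {"personalausweis", "reisepass", "aufenthaltstitel", "foreign_passport"}

@dataclass(frozen=True)
class Applicant:
    name: str
    date_of_birth: date
    nationality: str
    document_type: str
    mrz_ok: bool
    occupation: str
    product: str
    channel: str

def norm(name: str) -> str:
    return " ".join(unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower().split())

def age_on(born: date, today: date) -> int:
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

# Phase 2: each check is a coroutine so asyncio.gather() runs them concurrently.
async def verify_identity(a: Applicant, today: date) -> dict:
    await asyncio.sleep(0)  # stands in for the OCR/MRZ or Video-Ident service round-trip
    eid_ok = a.channel != "eid" or age_on(a.date_of_birth, today) >= 16   # eID function from 16
    return {"check": "identity", "passed": a.document_type in VALID_DOCS and a.mrz_ok and eid_ok}

async def screen_sanctions(a: Applicant, today: date) -> dict:
    await asyncio.sleep(0)
    return {"check": "sanctions", "hit": norm(a.name) in SANCTIONED}

async def screen_pep(a: Applicant, today: date) -> dict:
    await asyncio.sleep(0)
    entry = PEPS.get(norm(a.name))
    if entry is None:
        return {"check": "pep", "status": "none", "role": None}
    role, left_office = entry
    still_pep = left_office is None or (today - left_office).days < 365   # 12-month minimum
    return {"check": "pep", "status": "pep" if still_pep else "former_pep", "role": role}

async def screen_adverse_media(a: Applicant, today: date) -> dict:
    await asyncio.sleep(0)
    return {"check": "adverse_media", "hit": norm(a.name) in ADVERSE_MEDIA}

# Phase 3: the page's four weighted dimensions, with constructed factor values.
def risk_dimensions(a: Applicant, r: dict) -> dict:
    customer = 40 if a.occupation in CASH_INTENSIVE else 10
    customer += {"pep": 50, "former_pep": 20, "none": 0}[r["pep"]["status"]]
    customer += 30 if r["adverse_media"]["hit"] else 0
    geo = 90 if a.nationality in HIGH_RISK_COUNTRIES else 10 if a.nationality in EU_EEA else 40
    return {"customer": min(customer, 100), "geographic": geo,
            "product": PRODUCT_RISK[a.product], "channel": CHANNEL_RISK[a.channel]}

def total_score(dims: dict) -> float:
    return round(sum(dims[k] * w for k, w in WEIGHTS.items()), 1)

def tier(score: float) -> str:
    return "low" if score <= 25 else "medium" if score <= 50 else "high" if score <= 75 else "prohibited"

# Phase 4: routing. Every queue except auto_approve leaves the case waiting for a person.
def decide(a: Applicant, r: dict, score: float) -> dict:
    t = tier(score)
    if r["sanctions"]["hit"]:
        return {"queue": "decline", "human": True, "reasons": ["hard sanctions match: MLRO, STR consideration"]}
    if t == "prohibited":
        return {"queue": "decline", "human": True, "reasons": [f"prohibited risk score {score}"]}
    edd = []   # EDD triggers apply regardless of the numeric score
    if r["pep"]["status"] == "pep":
        edd.append(f"PEP ({r['pep']['role']}): senior management approval under GwG Section 15")
    if a.nationality in HIGH_RISK_COUNTRIES:
        edd.append("high-risk third country")
    if t == "high":
        edd.append(f"high risk score {score}")
    if edd:
        return {"queue": "edd", "human": True, "reasons": edd}
    review = []
    if not r["identity"]["passed"]:
        review.append("identity verification failed")
    if r["pep"]["status"] == "former_pep":
        review.append("former PEP beyond the 12-month minimum: risk-based assessment")
    if r["adverse_media"]["hit"]:
        review.append("adverse media hit")
    if t == "medium":
        review.append(f"medium risk score {score}")
    if a.nationality != "DE" or a.product != "current_account":
        review.append("outside the auto-approve profile (domestic customer, standard product)")
    if review:
        return {"queue": "manual_review", "human": True, "reasons": review}
    return {"queue": "auto_approve", "human": False, "reasons": [f"all checks clear, risk score {score}"]}

async def run_onboarding(a: Applicant, today: date) -> dict:
    checks = await asyncio.gather(verify_identity(a, today), screen_sanctions(a, today),
                                  screen_pep(a, today), screen_adverse_media(a, today))
    results = {c["check"]: c for c in checks}
    dims = risk_dimensions(a, results)
    score = total_score(dims)
    decision = decide(a, results, score)
    return {"applicant": a.name, "results": results, "dimensions": dims, "score": score,
            "tier": tier(score), **decision,
            "status": "awaiting_human" if decision["human"] else "completed"}

def onboard(a: Applicant, today: date = date(2026, 2, 1)) -> dict:
    return asyncio.run(run_onboarding(a, today))
```

The design point is in decide(): the EDD triggers (PEP status, high-risk third country) are checked before the score tier, so a Bundestag member with a medium numeric score still lands in the EDD queue, and the score alone can never auto-approve a case that failed identity verification or produced a screening positive. Run it with onboard(Applicant(...)) and inspect the reasons list, which is what the review summary in Phase 5 would be written from.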
Phase 5 — LLM Review Summary
For every applicant, the LLM writes a review summary:
“Applicant: Maria Schneider (DE). German Personalausweis verified via eID. All sanctions lists clear. PEP screening: negative. Adverse media: negative. Risk score: 18/100 (low risk). Source of funds: employment income (Deutsche Telekom, Senior Engineer). No risk indicators identified. Recommendation: auto-approve with standard CDD. Next scheduled review: February 2031.”
For an escalated case:
“Applicant: Viktor Petrov (RU/DE). Russian passport + German residence permit verified via Video-Ident. Sanctions screening: near-match (Jaro-Winkler 0.87) against EU consolidated list entry for Viktor Petrov born 1965-03-12 — applicant born 1978-07-24, different patronymic, different city of birth. Assessment: false positive based on date of birth and name component differences. PEP screening: negative. Geographic risk: HIGH — Russian nationality, Russia added to EU high-risk third countries list December 2025. Adverse media: negative. Risk score: 62/100 (high risk — driven by geographic factor). EDD required. Source of wealth documentation needed. Recommendation: escalate to senior compliance officer for EDD review and senior management approval under GwG Section 15.”
Human-in-the-Loop
The GwG and BaFin guidance are specific about what requires human judgment:
Must be human decisions:
- PEP approval: senior management must approve establishing or continuing a PEP relationship (GwG Section 15)
- Sanctions match disposition: compliance officer reviews all confirmed and near-matches
- EDD decisions: high-risk customer acceptance
- STR filing: decision to report suspicion to FIU
- Customer exit/de-risking: termination for AML reasons
- Any case where automated systems produce ambiguous or conflicting results
Can be automated (with conditions):
- Low-risk auto-approval: BaFin permits this if subject to “meaningful human intervention,” the final decision is not AI-determined for any higher-risk indicators, and comprehensive audit trails and model validation exist
- Fuzzy match auto-clearing: when differentiating data (DOB, nationality, document number) conclusively rules out a match — logged with reasoning
- SDD classification: for clearly low-risk profiles meeting all SDD criteria
The four eyes principle (Vier-Augen-Prinzip): Deeply embedded in German banking governance. Critical compliance decisions require two independent reviewers. For EDD cases: analyst prepares, senior reviewer approves. For auto-approved low-risk: one “eye” is the validated system, the second is periodic QA sampling.
Ongoing Monitoring (Post-Onboarding)
KYC is not a one-time event. GwG Section 10(1) no. 5 requires ongoing monitoring:
- Re-screening against sanctions and PEP lists on every list update
- Transaction monitoring for consistency with known customer profile
- Periodic KYC refresh: annually for high-risk, every 2-3 years for medium, every 5 years for low
- Event-driven refresh triggers: sanctions list updates, customer data changes, transaction anomalies, adverse media hits, PEP status changes, beneficial ownership changes
The industry is moving toward perpetual KYC (pKYC): continuous automated monitoring replacing periodic batch reviews. Event-driven triggers rather than calendar-based reviews. Targeted refreshes focused on specific changes rather than full re-review.
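Event-driven re-screening on a sanctions list update, as an added example (not the page's own code): diff the old and new list versions, re-screen only the customers whose names a touched entry could affect, and surface just the cases whose outcome changed (new designation, de-listing, or a changed hit set). The customer book, both list versions and the prior outcomes are constructed; matching is exact on normalised names to keep the block self-contained, where the production path would reuse the fuzzy scorer.

```python
"""Event-driven re-screening after a sanctions list update. Added example, not
the page's own code; customers, list versions and prior outcomes are constructed."""
import unicodedata
from dataclasses import dataclass


def norm(name: str) -> str:
    return " ".join(unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower().split())


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str


def list_delta(old: dict, new: dict) -> dict:
    """Both lists map list ID -> designated name. Returns the IDs that moved."""
    return {"added": set(new) - set(old), "removed": set(old) - set(new),
            "changed": {k for k in old.keys() & new.keys() if norm(old[k]) != norm(new[k])}}


def affected_names(old: dict, new: dict, delta: dict) -> set:
    """Names touched by the update: the only ones that can change a stored outcome."""
    touched = {norm(old[k]) for k in delta["removed"] | delta["changed"]}
    return touched | {norm(new[k]) for k in delta["added"] | delta["changed"]}


def screen_exact(name: str, lst: dict) -> list:
    n = norm(name)
    return sorted(k for k, v in lst.items() if norm(v) == n)


def rescreen_on_update(customers: list, old: dict, new: dict, prior: dict) -> dict:
    """prior maps customer_id -> list IDs hit at the last screening. Only changes are surfaced."""
    delta = list_delta(old, new)
    touched = affected_names(old, new, delta)
    events, checked = [], 0
    for c in customers:
        if norm(c.name) not in touched:
            continue                      # untouched customers keep their stored outcome
        checked += 1
        before, after = sorted(prior.get(c.customer_id, [])), screen_exact(c.name, new)
        if before == after:
            continue
        if after and not before:
            action = "escalate_to_mlro"   # new designation: freeze, MLRO review, STR consideration
        elif before and not after:
            action = "review_delisting"   # entry removed: analyst confirms before lifting restrictions
        else:
            action = "manual_review"      # hit set changed, e.g. re-designated under a new ID
        events.append({"customer_id": c.customer_id, "before": before, "after": after, "action": action})
    return {"delta": delta, "rescreened": checked, "events": events}


# Constructed data: a small customer book, two list versions and the stored outcomes.
CUSTOMERS = [Customer("C-1001", "Anna Berg"), Customer("C-1002", "Sergei Ivanov"),
             Customer("C-1003", "Pavel Orlov"), Customer("C-1004", "Omar Haddad")]
OLD_LIST = {"EU-FSF-0001": "Sergei Ivanov", "EU-FSF-0002": "Omar Haddad"}
NEW_LIST = {"EU-FSF-0002": "Omar Haddad", "EU-FSF-0003": "Pavel Orlov"}
PRIOR = {"C-1002": ["EU-FSF-0001"], "C-1004": ["EU-FSF-0002"]}

if __name__ == "__main__":
    print(rescreen_on_update(CUSTOMERS, OLD_LIST, NEW_LIST, PRIOR))
```

Of the four customers only two are re-screened, and only those two produce events: the existing hit whose entry disappeared goes to a de-listing review rather than being silently un-frozen, and the newly designated customer is escalated. The customer whose entry is unchanged is neither re-screened nor surfaced, which is the point of the delta approach.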
Data Protection: GDPR Intersection
KYC processing is a legal obligation under GwG — GDPR Article 6(1)(c) provides the lawful basis. Consent is not required and should not be relied upon (it could be withdrawn).
Right to erasure vs AML retention: GDPR Article 17(3)(b) explicitly exempts data processing for legal obligations. During the 5-year mandatory retention period, institutions can legitimately refuse erasure requests. After 10 years, data must be destroyed.
DPIA (Data Protection Impact Assessment): Required under GDPR Article 35 for systematic, large-scale processing of special category data — biometric data in Video-Ident qualifies.
Testing and Demo Scope
Test Scenarios
Clean passes (15-20 applicants): Standard German and EU citizens, valid documents, no screening hits, low risk scores. Show auto-approval in under 5 minutes.
PEP hits (3-5 applicants):
- Active PEP: current Bundestag member. EDD triggered, senior management approval required.
- PEP family member: spouse of EU commissioner. RCA flagged, same EDD requirements.
- Former PEP within 12 months: recently left office. EDD still required.
- Former PEP beyond 12 months: risk assessment determines if EDD needed.
Sanctions near-matches (2-3 applicants):
- High-confidence near-match: same name, similar DOB, different patronymic. Show the analyst resolving it with differentiating data.
- Low-confidence near-match: common name overlap, clearly different person. Show auto-clearing with documented reasoning.
Hard sanctions match (1-2 applicants):
- Name exactly on EU consolidated list. Show immediate decline, full audit trail, potential STR consideration.
Demo Flow
Run through 5 applicants live:
- Clean pass: German citizen, Personalausweis, employed at Siemens. All checks clear in parallel. Auto-approved in 47 seconds. Dashboard shows green pipeline with pass indicators at each step.
- PEP hit: Applicant’s father is a current state minister. PEP database returns match on family member. Risk score jumps to 58. Pipeline halts at decision point. LLM writes escalation summary with PEP relationship detail. “Awaiting senior compliance officer review.”
- Sanctions near-miss: Russian applicant. Name scores 0.87 Jaro-Winkler against a sanctioned individual. But DOB is 13 years different. LLM evaluates: “Near-match resolved as false positive — date of birth difference (1978 vs 1965) and patronymic mismatch provide sufficient differentiation. Geographic risk remains HIGH due to Russian nationality on EU high-risk third countries list. EDD required.” Pipeline continues to EDD queue.
- Medium-risk edge case: Dual national (German/Tunisian). Tunisian nationality triggers geographic risk assessment but Tunisia is not on the high-risk list. No other risk indicators. Risk score: 32, so the case goes to the manual review queue rather than auto-approval. Standard CDD. Analyst approves with note: “Reviewed: geographic risk factor assessed as manageable.”
- Hard sanctions match: Name exactly matches EU consolidated list entry. Pipeline stops immediately. Red indicators across the board. LLM: “Hard sanctions match confirmed. Applicant [name] appears on EU Consolidated Financial Sanctions List (entry added [date], legal basis [Council Regulation]). Recommendation: decline, do not establish business relationship. Consider STR filing if suspicious pattern identified during application.”
The pipeline visualization — steps with pass/fail indicators, parallel screening running simultaneously, decision points where the system pauses for human input — is more important than the depth of any single check. It tells the story: this is orchestration, not just screening.
Running Under the MCP Orchestrator
MCP Tools:
- kyc_start_onboarding — initiates pipeline for a new applicant
- kyc_verify_identity — runs ID document verification
- kyc_screen_sanctions — checks against all required sanctions lists
- kyc_screen_pep — runs PEP and RCA screening
- kyc_calculate_risk — computes weighted risk score
- kyc_decision — LLM evaluates all results, recommends approve/review/escalate/decline
- kyc_review_summary — generates human-readable review summary
- kyc_pipeline_status — returns current state of all in-flight onboarding cases
System Prompt Context: GwG CDD tier definitions, sanctions list identifiers, PEP category definitions, risk scoring weights and thresholds, institution’s risk appetite statement, escalation authority matrix.
Trigger Conditions:
- On-demand: new customer application received
- Event-driven: sanctions list update triggers batch re-screening
- Scheduled: periodic KYC refresh for existing customers
Output: For each applicant: screening results, risk score with breakdown, CDD tier determination, decision recommendation with reasoning, review summary. Feeds into the unified dashboard timeline.
The Value Proposition
A compliance analyst manually processing a standard KYC application takes 30-60 minutes. High-risk cases take hours to days. Multiply by thousands of applications per month.
The orchestrator processes low-risk cases in under a minute. It does not skip any check — it runs them in parallel instead of sequentially. It does not make EDD decisions — it presents the evidence and writes the summary so the compliance officer can decide immediately instead of spending an hour assembling the same information.
For the cases that matter — the PEP hits, the sanctions near-misses, the complex beneficial ownership structures — the agent’s value is not speed. It is completeness. Every list was checked. Every screening result is documented. The summary explains why this case needs attention and what specifically triggered the escalation.
The compliance officer opens the case and already knows what they are looking at.
Beyond Recommendation: Execute the Decision
Currently, the agent runs the pipeline, scores the risk, and recommends approve/review/escalate/decline. The next step: a one-click “Execute” button that carries out the decision — auto-approve triggers account provisioning, EDD escalation routes the case to the senior compliance officer’s queue with a pre-filled checklist and source-of-wealth request letter, decline sends the rejection notice and archives the application with full audit trail.
For ongoing monitoring: the agent does not just flag KYC refresh due dates — it initiates the refresh workflow, pulls updated sanctions/PEP screening, and presents the delta to the reviewer. Event-driven triggers (sanctions list update, beneficial ownership change) automatically re-screen affected customers and surface only the cases that changed.
The consulting differentiator: This agent speaks GwG. It knows that the Personalausweis eID function is available only for persons 16+, that Video-Ident under BaFin Circular 3/2017 requires trained employees in locked rooms with end-to-end encrypted video, and that fully automated identification under GwVideoIdentV must NOT be used for persons with higher ML/TF risk indicators. It knows PEP declassification rules differ between GwG (12-month minimum) and FATF Recommendation 12 (no fixed time limit). Generic onboarding tools check boxes. This agent understands why each box exists.