Solaris Presentation & Demo Script

Prepared for Jimmy — February 2026


Before the Meeting

Know Your Audience

Solaris SE is under pressure. BaFin has been watching them since 2022 with a special representative on-site. In June 2025, they were fined EUR 500,000 for repeatedly exceeding large exposure limits. Since early 2023, they cannot accept new corporate clients without BaFin’s prior written approval. Their AML controls are under special monitoring.

Every person in the room knows this. You do not need to say it out loud. But everything you show should quietly answer the question they are already asking: “Can this help us get BaFin off our back?”

Two Audiences, One Room

Management cares about: risk reduction, regulatory compliance, cost, speed of deployment, and whether this makes the next BaFin examination go better.

Technical staff cares about: architecture, integration points, data flows, what is real vs. synthetic, and whether this fits their existing stack. Solaris runs Ruby, Elixir, Kotlin, Java, Python, and Go on AWS. They use Mambu for core banking. They already have engineers who know the BEAM.

Speak to management first. Let the demo win the technical people.

What You Are Selling

You are not selling AI. You are selling “AI that speaks BaFin.” The agents are domain-specific adapters with pre-built regulatory integrations — goAML submission formatting, COREP template pre-population, DORA incident classification, CRR exposure calculation. Generic AI cannot do this. That regulatory depth is the moat.

The pitch in one sentence: “AI that not only tells you what to do, but can do it for you — with appropriate oversight.”


The Presentation (20 minutes)

Slide 1 — Opening (1 minute)

“Thank you for the time. I will keep this short and show more than I tell.

You are a fully licensed German bank under BaFin supervision. You run Banking-as-a-Service infrastructure for fintechs across Europe. Every engineering decision you make carries regulatory weight.

We build AI agents that understand that weight. Not generic chatbots — specialized compliance agents that know the difference between a Rundschreiben and a Konsultation, that can calculate CRR exposure limits and draft a BaFin notification in the same breath.

I am going to show you five of them working together. It takes five minutes.”

Slide 2 — The Problem (2 minutes)

“Every German bank faces the same operational burden. Let me put some numbers on it.”

| Task | Manual Effort | Volume |
|---|---|---|
| Processing a standard KYC application | 30-60 minutes | Thousands per month |
| Investigating an AML alert | 30-120 minutes per alert | 5,000-50,000 alerts/month (industry) |
| Assessing a regulatory change for compliance gaps | 2-3 days | 200-400 changes per year |
| Detecting an exposure limit breach from overnight FX movement | Next morning, maybe | Continuous risk |
| Classifying and reporting a major ICT incident per DORA | 4-hour clock starts on detection | Every incident |

“Your compliance teams are doing this work manually, slowly, and — inevitably — incompletely. Not because they are not good. Because the volume is inhuman.

The question is not whether AI can help. The question is whether AI can help in a way that BaFin accepts. That is what we built.”

Slide 3 — The Five Agents (3 minutes)

“Five agents. Each one handles a specific compliance domain. All five feed into a single timeline with a unified audit trail.”

| Agent | What It Does | Regulatory Basis |
|---|---|---|
| Compliance Monitor | Scans every transaction for money laundering patterns. Drafts Verdachtsmeldung narratives. | GwG §25h KWG, §43 GwG |
| Regulatory Tracker | Monitors BaFin and EBA feeds. Classifies new regulations. Maps to your controls. Flags gaps. | MaRisk AT 4.4.2 |
| API Anomaly Detector | Monitors API telemetry. Detects attacks and degradation. Drafts DORA incident reports. | DORA Articles 17-19, BAIT |
| Exposure Monitor | Calculates counterparty exposure against CRR limits. Alerts on threshold approaches. Drafts BaFin breach notifications. | CRR Articles 387-403 |
| KYC Orchestrator | Runs the full onboarding pipeline — ID verification, sanctions, PEP, risk scoring — in parallel. | GwG §§10-15 |

“Every agent follows the same pattern: ingest data, detect patterns, generate a narrative explanation, and present it to a human for decision. The AI recommends. Your people decide. Full audit trail at every step.

This is not a design choice. It is a legal requirement under the EU AI Act, BaFin’s AI Principles, and the GwG. We built it that way from the start.”

Slide 4 — Architecture (2 minutes)

Show the hub-and-spoke diagram from the orchestrator article.

“One orchestrator, five specialized agents, one unified timeline. No agent talks directly to another agent. Everything flows through the hub.

The orchestrator routes events — transactions, RSS feeds, API telemetry, portfolio changes, KYC applications — to the right agent. It collects outputs into a single timeline. It enforces the governance rules: human approval checkpoints, audit logging, SLA tracking, escalation.

Twenty-five MCP tools across the five agents. All exposed through a single server. Each agent has its own system prompt with regulatory context — GwG thresholds, CRR limits, DORA classification criteria, FATF typologies.

For the technical team: each customer gets a dedicated instance — one Docker container in its own VPC. No shared databases, no multi-tenant complexity. Your data never touches another customer’s infrastructure. The application runs as a single process with one parallel worker per agent domain. The MCP protocol provides the tool interface. It integrates via REST APIs and webhooks with your existing stack.”

Slide 5 — EU AI Act Compliance (2 minutes)

“Every agent in this system is classified as high-risk AI under the EU AI Act. The compliance deadline is August 2, 2026 — six months from now.

We designed for it from day one.”

| EU AI Act Requirement | How We Address It |
|---|---|
| Art. 9 — Risk management | Each agent’s operating boundaries are defined and documented |
| Art. 12 — Record-keeping | Unified timeline with 5-year retention. Every AI recommendation and human decision logged |
| Art. 13 — Transparency | Every alert includes the rule that triggered it, the data that matched, and the confidence level |
| Art. 14 — Human oversight | No agent takes irreversible action without human approval |
| Art. 15 — Accuracy | Detection accuracy targets defined per agent. Back-testing before rule changes |

“Penalties under the AI Act go up to EUR 35 million or 7% of worldwide turnover. This is not optional compliance. And the clock is ticking.”

Slide 6 — Beyond Recommendations: Autonomous Operations (2 minutes)

“Right now, the agents analyze, recommend, and log. The human reads the recommendation and acts on it manually.

The next step — and this is where the real value lives — is one-click execution.”

| Agent | Recommendation | One-Click Execution |
|---|---|---|
| Compliance Monitor | “File Verdachtsmeldung” | Pre-populate goAML submission, stage for MLRO sign-off |
| Exposure Monitor | “Accelerate syndication” | Initiate workflow, notify portfolio management, draft term sheet |
| Regulatory Tracker | “3 gaps identified” | Create remediation tickets with owners and deadlines |
| API Anomaly Detector | “Enable enhanced rate limiting” | Push config to API gateway with auto-revert timer |
| KYC Orchestrator | “Escalate to EDD” | Route to senior compliance officer with pre-filled checklist |

“Every executable action has guardrails. Approval workflows — configurable per action type. Rollback mechanisms — every action is reversible. Audit trails — who approved, when it executed, what changed.

This is not AI replacing your compliance team. This is AI doing the preparation so your compliance team starts with a pre-filled form instead of a blank page. They still review. They still decide. They still sign off. But they do it in seconds instead of hours.”

Slide 7 — The Differentiator (1 minute)

“Let me be direct about why generic AI cannot do this.

BaFin reporting, COREP filing, goAML submissions, DORA incident reports with 101 structured data points — these are not ‘write me a report’ tasks. They require domain-specific templates, regulatory knowledge, and integration with industry-standard submission systems.

Our agents are adapters. They speak BaFin. They know GwG section numbers, CRR article references, MaRisk escalation chains. They know the difference between a passive exposure breach — where BaFin is more lenient — and an active breach that requires immediate notification.

You cannot get this from ChatGPT and a prompt. This is specialized. This is what we do.”

Slide 8 — What We Need From You (1 minute)

“The technology works. You will see it in the demo. But to build a credible business case — one your board and BaFin’s special representative can evaluate — we need your operational baseline.

Specifically:”

“We do not need this today. But before we can give you a cost-reduction number, we need your numbers. The demo proves the capability. The business case requires the baseline.”


The Live Demo (5 minutes)

Setup

Before the meeting:

Minute 1 — The Stream

What you do: Start the transaction feed. Normal payments scroll through the timeline — salary deposits, utility bills, retail purchases.

What you say:

“This is a live transaction stream. Normal banking activity — salaries, bills, standard transfers. All five agents are running. The dashboard is green. Nothing interesting yet.

Watch the Compliance Monitor panel.”

Minute 2 — Compliance Monitor Fires

What happens: Eight transfers from the same sender appear — each EUR 9,750, spread across 36 hours. The Compliance Monitor flags the structuring pattern. Risk score: 87/100. A timeline entry appears in red.

What you say:

“There it is. Eight transfers from the same sender, each just under the EUR 10,000 reporting threshold. Total: EUR 78,000. The rule engine detected structuring — that is when someone splits a large payment into smaller ones to avoid triggering a Suspicious Activity Report.

Look at what the agent produced.”

Point to the screen:

“Risk score: 87 out of 100. The narrative cites GwG Section 43 and the FATF structuring typology. It calculated the deviation from baseline — this customer normally moves EUR 2,100 per month, and just moved EUR 78,000 in 36 hours. That is a 37x deviation.

The status says ‘Action Required — MLRO Review.’ The SLA clock has started: 24 hours. The MLRO opens this, reads the draft Verdachtsmeldung, edits one sentence if needed, and files. Not three hours of research. Three minutes of review.”
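If a technical attendee asks how a rule like this can work, the sketch below flags clusters of near-threshold transfers per sender and reports the baseline multiple, using the numbers from this scenario. It is an added example, not the platform's rule engine; the 10% "just under" band, the 48-hour window, the minimum count of three and all sender names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD_EUR = 10_000          # reporting threshold named in the script
NEAR_BAND = 0.10                # assumption: "just under" = within 10% below it
WINDOW = timedelta(hours=48)    # assumption: clustering window
MIN_COUNT = 3                   # assumption: fewer hits than this is not a pattern


@dataclass(frozen=True)
class Transfer:
    sender: str
    amount_eur: float
    at: datetime


def detect_structuring(transfers, baseline_monthly_eur):
    """One finding per sender with >= MIN_COUNT near-threshold transfers in WINDOW."""
    near = defaultdict(list)
    for t in transfers:
        if THRESHOLD_EUR * (1 - NEAR_BAND) <= t.amount_eur < THRESHOLD_EUR:
            near[t.sender].append(t)
    findings = []
    for sender, items in near.items():
        items.sort(key=lambda t: t.at)
        best, start = [], 0
        for end in range(len(items)):            # sliding window over time
            while items[end].at - items[start].at > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = items[start:end + 1]
        if len(best) < MIN_COUNT:
            continue
        total = sum(t.amount_eur for t in best)
        baseline = baseline_monthly_eur.get(sender)
        findings.append({
            "rule": "near-threshold clustering",  # which rule fired
            "sender": sender,
            "count": len(best),                   # the data that matched
            "total_eur": total,
            "span_hours": (best[-1].at - best[0].at).total_seconds() / 3600,
            "baseline_multiple": round(total / baseline, 1) if baseline else None,
            "status": "Action Required - MLRO Review",  # a human decides
        })
    return findings


# Constructed sample data: the demo scenario plus benign noise.
T0 = datetime(2026, 2, 2, 8, 0)
SAMPLE = [Transfer("CUST-A", 9750.0, T0 + timedelta(hours=h))
          for h in (0, 5, 10, 15, 20, 26, 31, 36)]
SAMPLE += [
    Transfer("EMPLOYER-X", 3200.0, T0),                    # salary deposit
    Transfer("CUST-B", 9900.0, T0 + timedelta(hours=3)),   # single hit, no cluster
    *[Transfer("CUST-C", 9800.0, T0 + timedelta(days=d)) for d in (0, 10, 20)],
]
BASELINES = {"CUST-A": 2100.0}  # EUR per month, from the scenario

if __name__ == "__main__":
    for finding in detect_structuring(SAMPLE, BASELINES):
        print(finding)
```

A fixed band and window produce false positives on legitimate recurring payments, which is why the finding carries the matched data and ends in a review status rather than an automatic filing.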

Minute 3 — Exposure Monitor Fires

What happens: A EUR 120 million drawdown on a revolving credit facility pushes EuroAuto AG from 74% to 87% of the CRR large exposure limit. The gauge on the dashboard slides from green to orange.

What you say:

“Now look at the Exposure Monitor. EuroAuto AG just drew down EUR 120 million on their credit facility. Their utilization jumped from 74% to 87% of the CRR limit — that is 25% of Tier 1 capital.

The agent fired immediately. Not at the next quarterly COREP filing. Not when someone opens a spreadsheet tomorrow morning. Right now.

Three recommended actions: freeze new approvals to this group without CRO pre-approval, accelerate the EUR 200 million syndication of the term loan, evaluate purchasing EUR 150 million in CDS protection. Each one has a cost-benefit estimate.

The CRO reviews, taps approve on the syndication recommendation, and the utilization drops back to 72%. Full audit trail.”

If the audience reacts to this — and they should, given Solaris was fined for exactly this failure — pause and let them absorb it.

Minute 4 — Regulatory Tracker Fires

What happens: A new bulletin appears on the real BaFin RSS feed. The agent classifies it, maps it to existing controls, and identifies 3 gaps.

What you say:

“This is real. That bulletin just appeared on BaFin’s public RSS feed. The agent picked it up, classified it as HIGH relevance — it affects risk management and lending — and mapped it against your existing controls.

Result: 3 gaps. No control for ESG risk in market risk management. No social risk assessment framework. No ESG data governance policy. Each gap has a priority, a recommended owner, and a remediation deadline aligned to the expected BaFin transposition timeline.

The compliance officer reviews, adjusts one classification, approves. What normally takes the compliance team 2-3 days — reading the regulation, assessing applicability, mapping to controls, writing the assessment — just happened in minutes.

And remember: MaRisk AT 4.4.2 makes this the compliance officer’s personal responsibility. This agent does not replace that responsibility. It makes it possible to meet it for 200-400 regulatory changes per year.”

Minute 5 — The Timeline

What you do: Switch to the unified timeline view. Three events from three agents in four minutes.

What you say:

“Step back and look at the timeline. Three events from three different agents in four minutes. A structuring alert with a draft SAR. An exposure limit warning with three remediation options. A regulatory gap analysis with ownership assignments.

The compliance officer sees the SAR draft and the gap assessment. The CRO sees the exposure warning. The CISO sees all five agents healthy, no security incidents.

Same data. Different views. One audit trail.

When a BaFin examiner asks ‘how do you monitor this?’ — the answer is this timeline. Complete, documented, timestamped, with every AI recommendation and every human decision logged.”

Bonus (if time and interest)

If the audience is engaged and wants to see more:

API Anomaly Detector: Show the credential stuffing scenario — 847 unique IPs, auth failures spiking 400%, headless browser User-Agents. The agent generates the incident narrative with MITRE ATT&CK mapping and a DORA report draft.

“This detected a credential stuffing attack — not just ‘error rate went up,’ but ‘here are the 847 source IPs, here is the attack pattern, here is the MITRE ATT&CK classification, and here is your DORA incident report pre-populated with all 101 required fields.’”

KYC Orchestrator: Run through 2-3 applicants — one clean pass (auto-approved in 47 seconds), one PEP hit (escalated with reasoning).

“Clean applicant: German citizen, Personalausweis, employed at Siemens. Five checks ran in parallel. Auto-approved in 47 seconds. Now this one — the applicant’s father is a current state minister. PEP database matched on family member. Risk score jumped to 58. The pipeline halted. The agent wrote the escalation summary. ‘Awaiting senior compliance officer review.’ That is the Vier-Augen-Prinzip enforced by architecture, not by a Post-it note on someone’s monitor.”


After the Demo

Questions to Expect and How to Answer

“Is this using real data?”

“The transaction data, KYC records, exposure portfolio, and API telemetry are all synthetic. No real customer data. The Regulatory Tracker is the exception — it uses real BaFin and EBA public feeds. Zero cost, zero data risk.”

“How long does deployment take?”

“Each customer gets a dedicated instance — a single Docker container in its own VPC. The platform itself deploys in minutes. The integration work is connecting to your data streams — transaction feeds, API telemetry, portfolio systems. That timeline depends on your infrastructure, your data formats, and your security requirements. We would need a scoping conversation to give you a number.”

“How does this fit with our existing compliance tools?”

“The agents are additive, not replacements. They sit alongside your existing GRC platform, your transaction monitoring system, your KYC workflow. They add the AI layer — the narrative generation, the gap detection, the cross-domain correlation — on top of what you already have.”

“What about the EU AI Act?”

“Every agent is designed for high-risk AI compliance under the EU AI Act. Human oversight at every decision point. Full audit trail. Explainable outputs. The compliance deadline is August 2, 2026. We can help you meet it.”

“What does this cost?”

“Per-instance pricing — each customer gets dedicated infrastructure: compute, storage, VPC, database. AI API usage is metered on top. We offer transparent cost breakdowns per instance. For organizations running multiple business units, each unit gets its own instance under a single contract with consolidated billing and volume discounts.

To build a credible model specific to you, we need your operational baseline — alert volumes, headcount, investigation times. The demo proves the capability. The business case requires your numbers. We would propose a scoping engagement to collect that data and deliver a cost-benefit analysis.”

“Can we try this with our own data?”

“Yes. A pilot engagement with a single agent — the Compliance Monitor is the typical starting point — running alongside your existing systems. No production impact. We compare the agent’s output against your current process: detection rate, false positive rate, time to investigation, narrative quality. That gives you hard numbers.”

If Someone Asks About Elixir

Solaris uses Elixir in production for their consumer loan engine. If a technical person asks about the stack:

“The platform runs on the same technology stack you use for your lending products. Your engineers already know the ecosystem. No technology evangelism required — it runs on familiar ground.”

Do not oversell the tech stack match. Let them discover it. If they ask, confirm. If they do not ask, the demo speaks for itself.


Key Numbers to Have Ready

Keep these in your back pocket. Do not recite them unprompted — use them when a question opens the door.

| Fact | Number | Source |
|---|---|---|
| BaFin fine for exposure limit breaches | EUR 500,000 (June 2025) | BaFin enforcement notice |
| CRR large exposure limit | 25% of Tier 1 capital | CRR Article 395(1) |
| EU AI Act high-risk compliance deadline | August 2, 2026 | Regulation 2024/1689 |
| EU AI Act maximum penalty | EUR 35M or 7% of worldwide turnover | Regulation 2024/1689 |
| DORA initial incident notification | 4 hours from classification as major | DORA Article 19 |
| DORA final report data points | 101 structured fields | Commission Delegated Regulation 2024/1772 |
| Verdachtsmeldung filing deadline | “Without delay” — practically 24-72 hours | GwG §43 |
| Industry AML alert false positive rate | 95-99% | Industry benchmark |
| Regulatory changes per year for mid-size German bank | 200-400 | MaRisk AT 4.4.2 scope |
| Manual KYC processing time | 30-60 minutes per standard application | Industry benchmark |
| Manual AML alert investigation time | 30-120 minutes per alert | Industry benchmark |
| GwG penalties | Up to EUR 5M or 10% of annual group turnover | GwG §56 |

The One Thing to Remember

If you forget everything else, remember this:

The demo is not about AI. It is about the audit trail.

Every person in that room — management and technical — is thinking about the next BaFin examination. The special representative is still on-site. The fine was five months ago. When you show the unified timeline with every detection, every recommendation, every human decision logged and timestamped, you are showing them the answer to the question the examiner will ask.

“How do you monitor this?”

That timeline is the answer. Everything else is detail.