Onboarding & KYC agent
We design, build and deploy an AI agent that classifies each onboarding document, routes it to the right check, reconciles identity, address and the application form, and hands your compliance officer a clean, evidenced KYC packet — while the accept-or-refer decision stays with a human.

At a glance
Onboarding is where deals stall and where AML/CDD risk enters — faster, consistent verification wins customers you lose to slow sign-up and closes the gaps a BNM audit looks for.
A routing front-end into per-document checks, vision/OCR on MyKad and utility bills, sanctions/PEP lookups, and BNM AML/CFT + PDPA-grade controls and audit trail.
What changes when it works
Time per application
Manual KYC review today
~20–30 min
With the agent
~4–7 min
Time saved
≈ 15–23 minutes saved per applicant — about 75–115 hours a month at 300 onboardings, roughly half a full-time reviewer. And every applicant it clears in minutes instead of days is a customer you keep instead of losing to a competitor's faster sign-up.
Indicative; actual time depends on the number of documents, screening depth and case complexity.
Our agentic development process
Every use case follows the same seven stages — from framing the problem to production.
Our process, built on Anthropic's agent guidance and the Agent GPA eval framework: Building Effective Agents · Agent GPA
Stage 1 · Frame
The business problem
A Malaysian bank, insurer or fintech onboards each new customer as a bundle — MyKad or passport, a selfie, proof of address, and the application form — then a compliance officer has to verify identity, confirm the address, screen against sanctions and PEP lists, and check every field agrees before an account can open. Most of that time goes to the mechanical part: classifying documents and matching them against each other, not judging risk. It is slow, applicants drop off while they wait, and two officers apply slightly different diligence to the same file — exactly the inconsistency a BNM AML/CFT review flags.
Stage 2 · Map
The manual workflow today
- 01Open the onboarding bundle and each document
- 02Work out what each document is and read the fields by eye
- 03Cross-check name, IC/passport number and address across documents
- 04Screen the applicant against sanctions and PEP lists
- 05Chase missing documents, poor scans or mismatches
- 06Only then make the accept, refer or reject call
Where it breaks: The bottleneck is classifying and matching documents, not judging risk — the slow, repetitive part that clogs at volume, drifts as fatigue sets in, and varies between officers.
Stage 3 · Design
The agentic workflow
We build it as a routing workflow: the agent classifies each incoming document, dispatches it to the right specialised check (identity, address, screening), then reconciles the results into one evidenced KYC packet — re-requesting only what's genuinely missing and escalating anything it can't clear to a human.
Re-routes and re-requests only when a document is misclassified, unreadable or missing — otherwise it keeps moving.
Watch a case flow through the agent — it does the reading and matching; a human still makes the decision.
See it in action
In the onboarding bundle
What the agent flags
- Name & IC number match across MyKad and the application form
- Sanctions & PEP screening: no match
- Proof-of-address document present and legible
Every flag cites the exact document & field · your officer makes the accept/refer call · ~RM 0.50–1.10 per applicant.
Step by step
- 1
Classify each document
The agent reads every file in the bundle and works out what each one is — MyKad, passport, selfie, utility bill, bank statement, application form — including scans and phone photos, so the right checks run on the right documents.
- 2
Route to the right check
Each document is dispatched to its specialised handler: identity documents to identity verification, address proofs to address matching, the applicant's details to sanctions and PEP screening — the routing that keeps each check focused and accurate.
- 3
Extract and verify fields
It pulls the fields that matter into a structured record — name, IC/passport number, date of birth, address, nationality — tagging the source document for each, and checking documents are legible and in date.
- 4
Cross-match and screen
It reconciles those fields against each other — name and IC on MyKad vs the form, address on the bill vs the form — and screens the applicant against sanctions and PEP watchlists, keeping the evidence for each result.
- 5
Assemble the KYC packet
It produces a one-page packet: the applicant, the checks that passed, the screening result, and the two or three items to look at — each with the detail and the document it came from.
- 6
Hand to a human
The compliance officer reviews the flagged items and makes the accept, refer or reject decision. Nothing is auto-approved.
Stage 4 · Build
How we build it with Claude
It's wired straight into your onboarding intake and screening provider through connected tools — no manual exports — and it works from the applicant's live case record, not a stale copy, so a re-submitted document updates the packet. Guardrails and a full audit trail are built in from day one: every classification and every flag traces back to the exact document and field it came from, and no account opens without your officer's decision.
Integrations
- Onboarding intake / origination system
- Document store or upload inbox
- Sanctions / PEP screening provider
- Optional: core banking or policy admin system (read-only)
Under the hood
- Pattern: a routing workflow on the Claude Agent SDK — a classifier front-end dispatches each document to a per-type check chain, each tool exposed via an in-process MCP server.
- Context: the whole bundle is loaded — text plus vision for MyKad, passports and utility-bill photos — with the applicant's live case record pulled fresh (not a stale copy) and long submissions compacted so nothing is silently dropped.
- Tools: a document classifier, a vision/OCR field extractor, an address/identity matcher, and a read-only sanctions/PEP screening lookup — read tools separated from any write, which goes to the review queue only.
- Guardrails: schema-locked JSON output, no write access to the core banking / policy admin system, least-privilege, and a hard rule that no account is opened without a human accept decision.
- Untrusted input: every submitted document is treated as untrusted (prompt-injection resistant) — a doctored PDF or a caption inside an image can't steer the agent's classification or decision.
- Recovery & escalation: a misclassified, unreadable or missing document is re-routed or re-requested; low screening confidence or an ambiguous match escalates to the officer — it never guesses an identity or a screening result.
- Observability & audit: every classification, tool call, screening hit and the final packet are logged and traceable, with the officer's decision captured against it — a machine-readable BNM/PDPA audit trail, not a screenshot.
- Eval harness: a golden set of historical onboardings — including impersonation attempts, mismatched addresses and true sanctions hits — with deterministic checks plus an LLM-as-judge on the fuzzy calls, regression-tested on every change before it touches a live applicant.
Stage 5 · Architect
Single model or multi-agent?
Onboarding is heterogeneous — different document types need different checks — so we route with a classifier and lean on tiering (Haiku for the obvious, Sonnet for reasoning, Opus for the borderline), not a multi-agent swarm. One well-instrumented, tiered pipeline is reliable, cheaper and easier to audit.
We reserve multi-agent designs (≈15× the tokens) for genuinely parallel, breadth-first work — not for a single applicant's tightly-coupled file.
Which model does what
Classify documents & extract fields (incl. scans)
Reliable vision and structured extraction on messy MyKad photos, passports and utility bills.
Route high-volume, clear-cut documents
Cheapest and fastest for the bulk of obvious classifications and simple field checks.
Reconcile & reason across the bundle
The workhorse — strong reasoning at moderate cost; handles cross-matching and screening review.
Adjudicate ambiguous / borderline cases
Invoked only when Sonnet flags low confidence or a possible screening match — a small fraction of applicants.
What it costs — an estimate
AI usage — per applicant
input documents + classification + reasoning + output packet, at Claude Sonnet token rates
~RM 0.50–1.10
AI usage — at 300 onboardings/month
roughly half with the Batch API for overnight, non-urgent runs
~RM 150–330 / month
Build (one-off)
a focused single onboarding flow is a few weeks of engineering; we quote fixed after a short discovery
scoped per integration
Ongoing
small next to the manual-review time it removes and the drop-offs it recovers
monitoring + support
Indicative only, shown in Ringgit at roughly RM 4.70 to the USD; per-token rates follow Anthropic's published pricing (confirm current figures). Screening list access is priced by your provider, separate from AI usage. Actual AI usage depends on document sizes and monthly volume.
Stage 6 · Evaluate
How we measure success
- Deterministic checks first — document classified correctly, fields match, required documents present
- Self-verification — the agent re-checks its match and screening result before surfacing them
- Business KPIs — reviewer time per applicant, onboarding drop-off, consistency, and true hits caught
We score the agent with the Agent GPA framework — Goal, Plan, Action, a current standard for agent reliability — on top of the human baseline. (reference)
Setting the baseline
First we measure the current manual onboarding on a sample — time per applicant, how consistently two officers reach the same conclusion, and how many mismatches or screening hits slip through. That human baseline is what every agent metric is measured against, so the lift is provable rather than assumed.
What we test — Goal · Plan · Action
Agreement with a senior compliance officer
Its packet, flags and recommended action match an expert's on held-out onboardings
Required checks executed
Every mandated CDD check — identity, address, screening — is run, nothing skipped
Correct routing
Each document is dispatched to the right check for its type
Document classification accuracy
Each document is identified as the right type
Field extraction accuracy
Did it read each field — name, IC/passport, address — correctly?
Screening recall (true-hit catch rate)
Of the real sanctions/PEP hits in the golden set, the share it surfaces — any miss is a release-blocker, and every possible match is escalated to the officer, never auto-cleared.
No hallucinated details
Every field in the packet traces to a source document
The go-live gate
The agent does not touch a live applicant until it beats the human baseline and clears these GPA targets on a golden set of historical onboardings — including impersonation attempts and true screening hits. Every change is regression-tested against the same set before it ships.
Stage 7 · Deliver
How we'd deliver it
We start with a proof-of-concept on your real historical onboardings — including the messy scans, mismatches and true screening hits — and prove reliability before it touches a live applicant. A focused single-flow rollout is a matter of weeks.
Free consultation
Is your compliance team classifying and matching KYC documents by hand?
Tell us your onboarding flow and volumes and we'll tell you honestly whether an onboarding & KYC agent is worth building — and what it would take.
Related use cases
Frequently asked questions
- Does the agent open accounts or approve customers?
- No. It classifies, verifies, screens and flags; a human compliance officer makes the accept, refer or reject decision. Human-in-the-loop is essential for regulated onboarding in Malaysia.
- How is it kept compliant with BNM AML/CFT and PDPA?
- With a full audit trail so every onboarding decision can be reconstructed, screening evidence retained, and PDPA-aligned handling of where identity data is processed, stored and accessed. Treat this as a starting point for your compliance team, not legal advice.
- Can it screen against sanctions and PEP lists?
- Yes — it connects to your screening provider as a read-only lookup and retains the evidence for each result. A possible match is always escalated to your officer, never cleared automatically.
- How long does it take to deploy?
- A proof-of-concept for one focused onboarding flow is usually a matter of weeks; a full rollout takes longer, mostly because of integration and getting officers comfortable, not the AI.
Examples are based on real, anonymised engagements; details are generalised. Anchor Sprint is a member of the Anthropic Claude Partner Network — a deployment and rollout partner, not a reseller. This is general information, not legal or compliance advice.
