AI for fintech, shipped
— not pitched.

An `ai for fintech` engagement with us ships production AI workflows on your stack — not slide decks, not vendor pitches. The day-to-day: scope which workflow moves a P&L line (most often KYC tier-2 enrichment, AI fraud detection at the auth boundary, transaction monitoring re-rank, AI credit decisioning + ECOA Reg B adverse-action handling, AML alert re-rank, or an asset-management research copilot), assign each workflow to its governing regulatory framework (SR 11-7 for model risk · ECOA Reg B + CFPB Circular 2023-03 for lending · BSA/AML for transaction monitoring · MiFID II + SEC 17a-4 for trading · GLBA Safeguards for NPI · OCC Bulletin 2021-30 for third-party vendor risk · SOX for ICFR if outputs reach financial reporting), pick the right model per workflow (Sonnet 4.6 for boundary-band reasoning + ECOA principal-reason extraction, Haiku 4.5 for high-volume KYC classification + inline Card-auth fraud screening, GPT-5.4-mini for structured field extraction), build it against your existing platforms (Alloy / Persona / Plaid / Unit21 / Quantexa / Feedzai / Sardine — we integrate, we don't replace), ship behind a model-risk approval flag with the validation evidence compiled, then operate the workflow long enough to prove per-decision cost-of-ownership before scaling. We're a fintech AI development partner — not a vendor selling a packaged risk product.

Every workflow that touches transaction monitoring or AML sits one step away from a Bank Secrecy Act SAR filing — and the rule we apply is verbatim: AI does classification, prioritization, alert re-ranking, case enrichment, and analyst summarization — never the SAR-filing decision itself. The BSA Officer (or your firm's designated SAR signer) is named in the pipeline as the human approver; the 30-day FinCEN filing clock starts when a knowledgeable person identifies suspicious activity, not when a model classifies it. Our pipelines mark every alert with the model's role (advisory · suppressive · enriching) and route any case in the SAR-boundary band to a named analyst for review before any case closure. Audit log captures the model's reasoning + the analyst's reasoning + the filing decision — separately, with the filing decision attributed to the human filer. ComplyAdvantage, Unit21, and Quantexa are the benchmark platforms we ship into; we don't replace them, we add the re-ranking + enrichment layer.

Credit decisioning under our pipeline is structured around three obligations CFPB Circular 2023-03 makes explicit: (1) the adverse-action notice cites specific principal reasons reflecting the actual reasons for denial — not a generic 'insufficient credit history' or 'the model declined the application'; (2) the principal reasons are derived from the model's actual decision logic, not a post-hoc explanation the lender doesn't trust; (3) the lender's compliance team can audit the principal-reason extraction. We ship Sonnet 4.6 over the model's input features + score rationale, producing ECOA-compliant adverse-action language the underwriter reviews and signs. Parallel to that, we ship a disparate-impact monitor running nightly against the lender's protected-class fields — alerting compliance + model-risk lead when the four-fifths rule threshold is approached, not waiting for a quarterly review. The model is advisory + explanatory; the underwriter signs every adverse-action notice. Reg B's specific-reasons requirement (§1002.9(a)(2)) is the design constraint, not a compliance checkbox added at the end.

Model-risk governance is a first-class output of every pilot we ship — not a year-2 retrofit. Per workflow, we deliver: a model inventory entry (per the firm's SR 11-7-aligned inventory format, or we'll draft the inventory format if the firm doesn't yet have one), validation evidence (in-time + holdout backtest, performance metrics, fairness-monitoring config), ongoing-use monitoring (drift detection, performance alerts, fairness alerts), a fallback policy (what happens when the model fails or degrades), and an exit plan. For third-party models (the vendor LLM tier — Anthropic / OpenAI), OCC Bulletin 2021-30 applies: the model-risk lead gets the vendor's SOC 2, retention terms, version-tracking policy, and a documented exit plan. We've found the firms that get this paperwork right at the pilot stage ship workflow #2 in 4 weeks instead of 12 — the model-risk lead and the CCO have already aligned on the framework, so workflow #2 inherits the posture rather than re-litigating it.

Neither — we're a development partner, not a reseller, and we integrate with the fintech platforms you already run rather than replace them. Alloy is strong for unified onboarding + risk; Persona is strong for identity verification at scale; Plaid is the bureau-equivalent for bank data; ComplyAdvantage is strong on adverse-media + sanctions; Unit21 and Quantexa are strong case-management + investigation platforms; Sardine and Feedzai are strong on real-time fraud at the auth boundary; Ramp and Brex are the corporate-card stacks we sometimes build adjacent to. Each is the right answer for some firms. We build when the workflow needs to read from your firm's own transaction graph, your firm's own chargeback history, your firm's own thesis / playbook / policy — rather than a vendor's default thresholds. We'll say in the audit if a packaged product is the better answer for the workflow; we've recommended Alloy + ComplyAdvantage to firms whose scope wasn't worth a custom build.

Anywhere a model output influences a trading decision, MiFID II Article 17(2) applies (effective systems + risk controls + kill switches + pre-trade limits + algorithm-change recording, with compliance + risk functions named accountable). SEC Rule 17a-4 layers in electronic-record retention obligations — WORM-equivalent, retention periods aligned to record type (typically 3–6 years, with specific record types longer). Our pattern for trading-adjacent workflows: model produces research summaries + buy/sell candidates with reasoning chains; PM / trader reviews and decides; execution goes through your existing OMS/EMS with the model recorded as an input, never an executor. Every model call audit-logged, every reasoning chain retained WORM-style, every algorithm change versioned and recorded. We work alongside your compliance function — not adjacent to it — to make sure the workflow ships with the recording obligation handled at the pipeline layer, not bolted on later.

Per-decision cost varies by rail (see §1.5 for the per-rail breakdown). Card auth typically runs $0.006/screen on Haiku 4.5 because of the 200ms latency budget. ACH typically runs $0.004/screen — same model, more relaxed batch tolerance. RTP runs $0.012/screen (Haiku 4.5 + GPT-5.4-mini parallel for the 15-second finality window). Wire runs $0.021/screen on Sonnet 4.6 because the rail is irrevocable and false-decline cost dominates — running the reasoning model with full counterparty + beneficiary-history context is the right answer. FedNow lands at $0.014/screen with model selection by transaction size (Haiku 4.5 for volume; Sonnet 4.6 for any transaction over a firm-set high-value threshold). The economic story isn't the per-decision $ — it's the chargeback dispute economics on Card, the irrevocability premium on Wire, and the merchant-satisfaction cost of a false decline on ACH. We model all of that in the audit, per your rail mix, before scoping the pilot.

Customer NPI (nonpublic personal information) under GLBA Safeguards Rule is the design constraint for any fintech AI workflow touching account-level data. Our default deployment for NPI-touching workflows: vendor BYOK encryption with retention=0 (Anthropic Claude on AWS Bedrock with customer-managed KMS keys, or Azure OpenAI with retention disabled) — same posture as legal ring-2 / healthcare PHI tier-2. We don't fine-tune on raw NPI; instead, we build retrieval indexes over de-identified or tokenized customer data with the re-identification key held inside your tenant. Any audit-log entry that includes NPI is stored under your firm's encryption-at-rest + access-control posture, not the vendor's. GLBA's required information-security program elements (designate qualified person, written program, risk assessment, monitoring, training) are not a checkbox the AI workflow ticks — they're the operating posture the workflow inherits from your existing safeguards program. If your firm hasn't yet named a qualified-individual for the program, we'll flag that in the audit before any data touches a model.

Four-to-eight weeks. Weeks 1–2 are the audit (overlap with the pilot scope — operator shadow, workflow scoring, regulatory-framework mapping, model-risk inventory draft). Weeks 3–6 are the build: integrate with your platform stack, build the pipeline, generate the SR 11-7 validation evidence (in-time + holdout backtest, monitoring config, fallback policy), align the regulatory boundary (CFPB / ECOA / BSA / MiFID II / SEC 17a-4) per the workflow scope, ship behind a model-risk approval flag, eval against your own data. **Walk-away point at week 6**: if the eval metric won't move on your data, we stop before production hardening — no phase 2, no scope-creep into a year-long implementation. Weeks 7–8 are production hardening: Langfuse traces, model-monitoring alerting, record-retention pipeline aligned to SEC Rule 17a-4, third-party-risk paperwork (OCC Bulletin 2021-30) filed, kill switches wired in for trading + payment-rail workflows. Most engagements that pass the week-6 gate ship workflow #2 in 4 weeks against the same infrastructure.

Three tiers, pricing-locked across our service cluster. (1) Fintech AI audit: $3K fixed, 1–2 weeks. Operator shadow with Head of Risk / CCO / Head of Payments / model-risk lead; workflow scoring by per-decision $ × decisions/month × regulatory exposure; framework-boundary mapping per candidate (SR 11-7 / OCC 2021-30 / ECOA / CFPB / BSA / GLBA / MiFID II / SEC 17a-4 / SOX); model-risk inventory entries drafted; an honest list of workflows that won't pay back yet. (2) Pilot to production: $10–25K fixed, 4–8 weeks. One workflow shipped end-to-end on your stack, model-risk reviewed, framework-boundary explicit, with the walk-away point at week 6. (3) Continuous fintech AI team: from $5K/month, no annual contract. Embedded PM + AI engineer + model-risk analyst shipping the next workflow on your roadmap, with per-workflow monthly performance + fairness + drift reporting and quarterly model-risk committee briefing prep. Most `ai for fintech` engagements we run start with the audit, ship the first workflow on the pilot, then move to monthly for workflows two through five. Per-decision cost reported monthly on every shipped workflow — no $/decision number, no engagement.