What a human can do now
A compliance officer at a Canadian fintech can monitor OSFI, FINTRAC, and CSA simultaneously and receive a structured, reasoned briefing within minutes of a regulatory update being published.
Previously, this required an analyst to manually read each source, cross-reference updates against internal processes, assess materiality, and write up a recommended action. In a scaling environment with multiple regulated product lines and quarterly release cycles, that process requires increasing headcount to maintain. The automated system scales without headcount.
Live example
During development, the system processed a live FINTRAC update on extortion-related money laundering. It correctly identified AML Transaction Monitoring as the primary affected workflow, flagged KYC Onboarding as a secondary impact, and caught a non-obvious connection to Data Retention and Privacy through an information-sharing obligation the primary mapping missed.
The information-sharing obligation wasn't flagged in the primary mapping because it wasn't the direct subject of the update. The critic layer, running a second pass over the full reasoning chain, identified it as a downstream consequence. In a manual process, that connection surfaces weeks later -- or not at all.
How the AI is used
The system handles four things: detecting new regulatory updates by scraping OSFI, FINTRAC, and CSA; mapping changes to affected workflows using semantic reasoning against a workflow library; generating recommended actions with confidence levels; and auditing its own mapping with a critic layer that checks for missed workflows, false positives, and miscalibrated confidence.
The critic output appears in the same Slack briefing so the compliance officer sees where the AI is uncertain, not just its conclusions.
Where AI stops
The system never triggers a process change. A compliance officer must approve the mapping before anything happens downstream, with their name and timestamp logged against every decision. Override decisions require a documented reason.
This boundary exists because a misclassified obligation or missed filing deadline is not just a product bug -- it could be a regulatory violation. The compliance officer's role shifts from manual research to judgment, accountability, and remediation oversight.
On approval, the system automatically notifies the process owner of each affected workflow with the recommended action, source link, and a calculated remediation deadline. The audit trail captures the full chain from regulatory update to human decision to owner notification.
What breaks first
Failure Point 1 — Workflow Library
At five workflows Claude reasons over everything in context. At 500, it fails on context limits, latency, and cost. The fix is a vector store with semantic retrieval.
Failure Point 2 — Hallucinated Confidence
The mapping engine may flag connections that sound plausible but don't reflect real regulatory obligation. The critic layer watches for this. At higher volume, confidence thresholds and feedback loops from logged override decisions would manage false positive rates.
Failure Point 3 — Source Coverage
The scraper monitors three bodies today. A dedicated scraper per body works short term, but a more resilient architecture would use a generalized scraper or integrate with an existing regulatory intelligence feed to avoid maintaining custom parsers across a growing list of sources.
Next steps
Optimize Slack output for readability at scale. Currently the briefing shows the full reasoning per workflow -- a production version would show a two-sentence summary with full reasoning available on demand, to reduce notification fatigue.
Back to portfolio