Open-source KYC/AML compliance — 17 human-in-the-loop checkpoints, free public data sources, zero vendor lock-in.
Your compliance team deserves better tools. This plugin automates the repetitive parts of customer onboarding (sanctions screening, PEP checks, adverse media, risk scoring, report generation) while keeping a trained analyst in control of every decision. Built on free public data. Runs on any Claude client.
Note: Claude Cowork and plugins are currently in research preview. This plugin is an experimental open-source project and should be evaluated accordingly. See Disclaimer below.
Demo Slides (PDF) — 22-page walkthrough of the full onboarding workflow and output samples.
```bash
git clone https://github.com/vyayasan/kyc-analyst.git
pip install -r requirements.txt
```

Then in Claude Cowork:

```
/kyc:onboard-interactive "Jane Smith" -- UK resident, salaried employee, standard risk
```
See QUICK_START_GUIDE.md for a 10-minute walkthrough, or keep reading for how it works.
Compliance analysts at small teams spend most of their time on tasks that shouldn't require expensive platforms: navigating public websites, screening free databases, calculating risk scores using published formulas, and writing reports.
The underlying data sources — OFAC, UN, EU sanctions lists, Companies House, OpenSanctions — are all free. The risk formulas (MLR 2017, FinCEN CDD) are publicly documented. The workflows are well-understood.
Yet teams pay tens of thousands per year for platforms that essentially orchestrate access to these free resources.
This plugin does the same orchestration while enforcing 17 mandatory human-in-the-loop checkpoints. No auto-approvals. No skipping. The analyst stays in control of every decision.
Caveat: These are early-stage results from a single pilot. They are not guaranteed, not independently audited, and may not be representative of all compliance environments. Your results will vary depending on case complexity, team experience, jurisdiction, and workflow configuration.
One UK fintech ran this plugin for 30 days with a team of 5 compliance analysts on standard-risk individual onboarding cases:
| Metric | Before | After | Notes |
|---|---|---|---|
| Time per case | ~95 min | ~27 min | Standard individual cases only |
| Tooling cost | Annual platform subscription | Claude Pro subscription | Does not include analyst time or overhead |
| Legal review | — | Approved for pilot use | Firm-specific legal assessment |
These numbers reflect one team's experience with one type of case. Enhanced due diligence, complex corporate structures, and multi-jurisdiction cases will take longer.
| | 🔓 KYC Analyst | 🏢 Commercial Platforms | 📋 Manual Process |
|---|---|---|---|
| 💰 Cost | Free forever (MIT) | $10K–$100K+/yr | Analyst time only |
| 🔍 Data sources | Public (OFAC, UN, EU, CH, ICIJ) | Proprietary | Manual lookup |
| 🛡️ Human oversight | 17 mandatory checkpoints | Configurable | Fully manual |
| 📝 Audit trail | Immutable, timestamped, auto-generated | Varies | Often missing |
| 🧮 Risk model | Deterministic — show your math | Typically opaque | Spreadsheet |
| ⏱️ Time per case | ~27 min (pilot) | ~15–30 min | ~95 min |
| 🔗 Vendor lock-in | None — plain markdown, portable | High | None |
| 🔧 Customization | Fork and modify anything | Config only | Unlimited but slow |
| 🌍 Jurisdictions | UK, EU, US, MENA (extensible) | Depends on plan | Analyst knowledge |
Open in Excalidraw · Editable source file included in repo
```text
Customer docs ──> Claude extracts ──> Analyst verifies
                                            │
                                     [STAGEGATE 1-5]
                                            │
Step 0: 6 mandatory searches ────────> Analyst reviews each
  • Adverse media (72+ sources)             │
  • ICIJ Offshore Leaks              [STAGEGATE 6-12]
  • Directorships (Companies House)         │
  • PEP status (5 databases)                │
  • Professional background                 │
  • Sanctions (OFAC/UN/EU/UK)               ▼
Risk scoring (deterministic) ────────> Analyst approves
  • Geographic 30%                          │
  • Customer 35%                     [STAGEGATE 13-14]
  • Product 25%                             │
  • Channel 10%                             ▼
                                    PROCEED or ESCALATE
                                            │
                                    [STAGEGATE 15-17]
                                            │
                                  Excel + PDF + Case Folder
```
Every [STAGEGATE] requires explicit analyst consent before proceeding. 17 total. Zero auto-approvals.
Deterministic four-factor weighted model. Same inputs always produce the same score. No ML, no black boxes.
| Factor | Weight | Inputs |
|---|---|---|
| Geographic | 30% | Country of residence, nationality, transaction corridors |
| Customer | 35% | Customer type, occupation, source of wealth, PEP status |
| Product | 25% | Product type, transaction limits, delivery channel |
| Channel | 10% | Onboarding method, face-to-face vs remote |
| Band | Score | Action |
|---|---|---|
| LOW | 0–20 | Standard CDD |
| MEDIUM | 21–60 | Enhanced monitoring |
| HIGH | 61–80 | Enhanced Due Diligence (EDD) |
| CRITICAL | 81–100 | Senior management review or decline |
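The weighted model and band table above can be reproduced in a few lines, which is the point of a "show your math" risk model: anyone can recompute the score from the recorded inputs. The following is an added example written for this README, not the plugin's own `skills/risk-assessment/SKILL.md` logic. It assumes each factor has already been scored on a 0-100 scale by the analyst (the page does not specify the per-factor scale), applies the published 30/35/25/10 weights, rounds half-up to an integer, and maps the result onto the four bands. The sample factor values are constructed for illustration.

```python
import math

# Factor weights exactly as published in the four-factor table above.
WEIGHTS = {
    "geographic": 0.30,  # country of residence, nationality, transaction corridors
    "customer": 0.35,    # customer type, occupation, source of wealth, PEP status
    "product": 0.25,     # product type, transaction limits, delivery channel
    "channel": 0.10,     # onboarding method, face-to-face vs remote
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"

# Risk bands and the action each one triggers, as in the band table above.
BANDS = [
    (0, 20, "LOW", "Standard CDD"),
    (21, 60, "MEDIUM", "Enhanced monitoring"),
    (61, 80, "HIGH", "Enhanced Due Diligence (EDD)"),
    (81, 100, "CRITICAL", "Senior management review or decline"),
]


def validate_factors(factors):
    """Every factor must be present exactly once and scored on the assumed 0-100 scale."""
    if set(factors) != set(WEIGHTS):
        raise ValueError(f"expected factors {sorted(WEIGHTS)}, got {sorted(factors)}")
    for name, value in factors.items():
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not 0 <= value <= 100:
            raise ValueError(f"factor {name!r} must be a number in 0..100, got {value!r}")


def raw_score(factors):
    """Unrounded weighted sum of the four factor scores."""
    validate_factors(factors)
    return sum(WEIGHTS[name] * factors[name] for name in WEIGHTS)


def weighted_score(factors):
    """Weighted sum rounded half-up to an integer so it lands on the 0-100 band scale."""
    return int(math.floor(raw_score(factors) + 0.5))


def band_for(score):
    """Map an integer score to (band, action); scores outside 0..100 are rejected."""
    for low, high, band, action in BANDS:
        if low <= score <= high:
            return band, action
    raise ValueError(f"score {score} outside 0..100")


def assess(factors):
    """Return the score, band, action and the line-by-line working ("show your math")."""
    score = weighted_score(factors)
    band, action = band_for(score)
    working = [
        f"{name:<10} {factors[name]:>5.1f} x {WEIGHTS[name]:.2f} = {WEIGHTS[name] * factors[name]:6.2f}"
        for name in WEIGHTS
    ]
    working.append(f"total {raw_score(factors):.2f}, rounded -> {score}")
    return {"score": score, "band": band, "action": action, "working": working}


if __name__ == "__main__":
    # Constructed sample (illustrative values only): a remotely onboarded,
    # salaried individual with a low-risk product and no PEP or sanctions flags.
    sample = {"geographic": 40, "customer": 60, "product": 20, "channel": 80}
    result = assess(sample)
    print("\n".join(result["working"]))
    print(f"Score {result['score']} -> {result['band']}: {result['action']}")
```

The `working` list is what belongs in the report: each line is one factor's input, weight and contribution, so a reviewer can re-add the numbers by hand. Calibrating weights or thresholds for your own risk appetite means editing `WEIGHTS` or `BANDS` and nothing else.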
Stagegates are the enforcement mechanism. Each gate follows a strict pattern:
```text
GATE ──> PRESENT evidence ──> WAIT for analyst ──> PROCEED only on explicit consent
```
The plugin will not proceed on silence. If the analyst doesn't respond, the workflow pauses indefinitely. This is by design — regulatory compliance requires affirmative human decisions, not timeouts or defaults.
HITL trigger keywords: `ready`, `continue`, `begin-step-0`, `proceed`, `confirm`, `compile-report`, `approve-decision`, `generate-excel`, `generate-pdf`
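The gate pattern is easy to state and easy to get subtly wrong (a gate that treats an empty reply, a typo, or "ok" as consent is a gate that proceeds on silence). The following added example, written for this README rather than taken from the plugin's command files, models one gate as "present evidence, wait, proceed only on the bound keyword" and records every decision in an append-only audit trail that refuses writes once finalized. The keyword set is the list above; the gate names, the analyst id and the responses are constructed for illustration, and the evidence paths are taken from the case folder layout described on this page.

```python
from datetime import datetime, timezone

# Trigger keywords listed in the README; each gate accepts only the keyword bound to it.
CONSENT_KEYWORDS = {
    "ready", "continue", "begin-step-0", "proceed", "confirm",
    "compile-report", "approve-decision", "generate-excel", "generate-pdf",
}

PROCEED, PAUSED = "PROCEED", "PAUSED"


class AuditTrail:
    """Append-only log of gate decisions; once finalized, any further write raises."""

    def __init__(self):
        self.entries = []
        self.locked = False

    def record(self, entry):
        if self.locked:
            raise PermissionError("audit trail is locked after finalization")
        self.entries.append(dict(entry))

    def finalize(self):
        self.locked = True


class Stagegate:
    def __init__(self, number, name, keyword, evidence_refs):
        if keyword not in CONSENT_KEYWORDS:
            raise ValueError(f"{keyword!r} is not a recognised consent keyword")
        self.number, self.name = number, name
        self.keyword, self.evidence_refs = keyword, list(evidence_refs)

    def present(self):
        """Evidence the analyst sees before being asked for consent."""
        return {"gate": self.number, "name": self.name,
                "evidence": list(self.evidence_refs), "expected_keyword": self.keyword}

    def decide(self, analyst_response, actor, audit, now=None):
        """PROCEED only on the bound keyword (trimmed, case-insensitive).

        None, an empty string, a typo or extra words all yield PAUSED: there is
        no default and no timeout, so silence never advances the workflow."""
        timestamp = (now or datetime.now(timezone.utc)).isoformat()
        response = (analyst_response or "").strip().lower()
        outcome = PROCEED if response == self.keyword else PAUSED
        audit.record({
            "timestamp": timestamp, "gate": self.number, "name": self.name,
            "actor": actor, "response": analyst_response, "outcome": outcome,
            "evidence": list(self.evidence_refs),
        })
        return outcome


def run_gates(gates, responses, actor, audit):
    """Walk gates in order and stop at the first one without consent.
    Returns the numbers of the gates that were passed."""
    passed = []
    for gate in gates:
        if gate.decide(responses.get(gate.number), actor, audit) != PROCEED:
            break
        passed.append(gate.number)
    return passed


def demo_gates():
    """Three constructed gates (names are illustrative, not the plugin's own)."""
    return [
        Stagegate(1, "Verify extracted customer data", "ready",
                  ["001_CASE_METADATA/CASE_METADATA.md"]),
        Stagegate(2, "Authorise Step 0 searches", "begin-step-0", []),
        Stagegate(3, "Review Search 1 findings", "proceed",
                  ["002_STEP_0_SEARCHES/Search_1_Findings.md"]),
    ]


if __name__ == "__main__":
    audit = AuditTrail()
    # Constructed responses: consent at gate 1, then the analyst walks away.
    passed = run_gates(demo_gates(), {1: "ready", 2: None, 3: "proceed"}, "analyst-01", audit)
    print("gates passed:", passed)
    for entry in audit.entries:
        print(entry["timestamp"], "gate", entry["gate"], entry["outcome"], repr(entry["response"]))
    audit.finalize()
```

Note that gate 3 is never evaluated once gate 2 pauses, even though a valid keyword for it was supplied: consent is per gate and in order, which is what lets each audit entry be tied to the evidence the analyst actually saw.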
| Command | What it does |
|---|---|
| /kyc:onboard | Full customer onboarding with Step 0 independent verification, sanctions screening, PEP checks, risk scoring, and report generation |
| /kyc:onboard-interactive | Same workflow with step-by-step dialog guidance |
| /kyc:screen | Standalone sanctions and PEP screening |
| /kyc:risk | Risk reassessment with updated due diligence |
| /kyc:monitor | Transaction monitoring and AML reporting |
| /kyc:refresh | Periodic customer review |
Upload this plugin folder to Cowork, then run:
```
/kyc:onboard-interactive "Jane Smith" -- UK resident, salaried employee, standard risk
```

```bash
# Clone the repo
git clone https://github.com/vyayasan/kyc-analyst.git
# Install Python dependencies (for Excel and PDF generation)
pip install -r requirements.txt
```

See QUICK_START_GUIDE.md for a full walkthrough of your first case.
- Step 0 Independent Verification — 6 mandatory searches across 90+ sources before any due diligence begins
- Deterministic Risk Scoring — Four-factor weighted model with published formulas. Same inputs always produce the same score.
- Excel Dashboard — 4-sheet workbook (Executive Summary, Directorships, Discrepancies, Risk Assessment) via openpyxl
- PDF Report — 17-section compliance report via fpdf2
- Case Folder — Numbered folder structure (001-006) with immutable audit trail
- Multi-jurisdiction — UK/EU (AMLD5, MLR 2017, FCA), US (FinCEN, BSA/AML, OFAC), MENA (CBUAE, SAMA)
Skills and commands are plain markdown files. No compiled code, no proprietary format, no lock-in.
| Platform | How to use | Notes |
|---|---|---|
| Claude Cowork | Upload the plugin folder | Full GUI, recommended for non-technical users |
| Claude Code | `git clone` + `pip install -r requirements.txt` | CLI, works on macOS/Linux/Windows |
| Any Claude client | Copy the `commands/` and `skills/` markdown files | Skills are portable: they are just system prompts with domain knowledge |
The plugin uses Claude's native slash command and skill system. If your Claude client supports loading markdown as commands or context, these files will work.
See what the plugin actually produces — sanitized examples from a real onboarding run:
- Step 0 Verification Report — Full 9-section report: customer profile, 6 search results, risk scoring calculation (showing the math), escalation check, decision, and compliance certification
- Audit Trail — Immutable log of all 17 stagegates with timestamps, actors, consent keywords, and evidence references
The plugin also generates a 4-sheet Excel dashboard (.xlsx) and a 6-page formatted PDF report (.pdf) with identical content.
Case folder structure:

```text
KYC-20260215-ONB-SMITH-001/
├── 001_CASE_METADATA/
│   └── CASE_METADATA.md
├── 002_STEP_0_SEARCHES/
│   ├── Search_1_Findings.md            (Adverse Media)
│   ├── Search_1.5_Findings.md          (ICIJ Offshore Leaks)
│   ├── Search_2_Findings.md            (Directorships)
│   ├── Search_3_Findings.md            (PEP Status)
│   ├── Search_4_Findings.md            (Professional Background)
│   ├── Search_5_Findings.md            (Sanctions/Crime)
│   └── STEP_0_VERIFICATION_REPORT.md
├── 003_VERIFICATION_OUTCOMES/
├── 004_DECISION_DOCUMENTATION/
├── 005_ESCALATION_BRIEF/               (only if escalation triggered)
└── 006_AUDIT_TRAIL/
    └── AUDIT_TRAIL.md                  (immutable — locked after finalization)
```
All free and public:
| Source | Coverage |
|---|---|
| OFAC SDN | US sanctions |
| UN Consolidated List | Global sanctions |
| EU Sanctions List | EU sanctions |
| UK HMT | UK sanctions |
| OpenSanctions PEP | 100+ countries |
| Companies House API | All UK entities |
| ICIJ Offshore Leaks | Panama Papers, Paradise Papers, Pandora Papers |
| SEC EDGAR | US public filings |
For premium sources (World-Check, LexisNexis, Dow Jones), add your own API keys via the connector system. See CONNECTORS.md.
Five ready-to-use templates in WORKFLOW_TEMPLATES.md:
| Template | Use case | Estimated time |
|---|---|---|
| Template 1 | Salaried employee, standard risk | 15–20 min |
| Template 2 | HNWI, enhanced due diligence | 45–60 min |
| Template 3 | SME corporate onboarding | 30–40 min |
| Template 4 | Complex corporate, multi-jurisdiction | 60–90 min |
| Template 5 | Existing customer refresh | 20–30 min |
```text
kyc-analyst/
├── .claude-plugin/plugin.json         # Plugin manifest
├── .mcp.json                          # Tool connections (connectors)
├── commands/                          # 6 slash commands mapped to regulatory workflows
│   ├── onboard.md                     # Full onboarding (1,047 lines, 17 stagegates)
│   ├── onboard-interactive.md         # Interactive dialog mode
│   ├── screen.md                      # Sanctions + PEP screening
│   ├── risk.md                        # Risk reassessment
│   ├── monitor.md                     # Transaction monitoring
│   └── refresh.md                     # Periodic review
├── skills/                            # Domain knowledge Claude draws on automatically
│   ├── onboarding/SKILL.md            # Core onboarding logic + stagegates
│   ├── screening/SKILL.md             # Sanctions + PEP screening logic
│   ├── risk-assessment/SKILL.md       # Deterministic risk scoring model
│   ├── monitoring/SKILL.md            # Transaction monitoring patterns
│   └── refresh/SKILL.md               # Periodic review triggers + logic
├── EXAMPLES/                          # 5 worked examples with expected outputs
│   ├── 1-Individual-Basic/
│   ├── 2-HNWI-EDD/
│   ├── 3-SME-Company/
│   ├── 4-Escalation-Case/
│   └── 5-Refresh-Case/
├── OUTPUT_TEMPLATES/                  # Locked PDF, Excel, and case folder formats
├── docs/                              # Workflow diagram, demo slides, sample output
│   ├── kyc-analyst-workflow.svg       # 17-stagegate workflow diagram (rendered in README)
│   └── kyc-analyst-workflow.excalidraw # Editable source (open at excalidraw.com)
├── WORKFLOW_TEMPLATES.md              # Copy-paste templates for 5 scenarios
├── QUICK_START_GUIDE.md               # 10-minute first case walkthrough
├── CONNECTORS.md                      # Tool integration guide
├── MCP_INTEGRATION_GUIDE.md           # Detailed MCP tool usage patterns
└── requirements.txt                   # Python dependencies (fpdf2, openpyxl)
```
- Skills — Domain knowledge for onboarding, screening, risk assessment, transaction monitoring, and KYC refresh. Each skill defines mandatory stagegates that Claude follows automatically.
- Commands — Six slash commands you invoke explicitly. Each one maps to a regulatory workflow.
- Connectors — Tool-agnostic `~~placeholder` syntax that works with Google Drive, Box, Salesforce, Chrome, Slack, and others. Edit `.mcp.json` to point at your specific tool stack.
- Stagegates — 17 mandatory checkpoints requiring explicit analyst consent. No auto-approvals, no skipping, no proceeding on silence.
Started as a software engineer at HSBC building consumer lending systems. Spent nearly five years at Thredd (VP Product) — the payment processor behind Revolut, Monzo, Starling, and Zilch — shipping API integrations across Mastercard, Visa, and 95 issuers in 47 countries, and delivering an AI-powered developer portal before the LLM era. At Wonga (Head of Lending Product UK), built the full credit decisioning stack: origination engines, underwriting pipelines, FICO/Mambu integrations, and policy rule interfaces for real-time risk ops across 2M+ customers. Earlier: credit card systems at Discover Financial, wealth management platforms at RBC.
Co-founded an AI compliance startup — Google for Startups Accelerator: AI First (16 of 500 UK startups), NVIDIA Inception, Microsoft for Startups, pre-seed backed by operators from Monzo, ClearBank, Airwallex, and Accel. Now building open-source compliance tooling on Claude.
Writes about agentic AI and fintech at Sandi's Snippets. Spoke at Anthropic Builder Summit London, AI Tinkerers, and Money20/20 Europe.
The thesis: we found that the integration layer compliance platforms charge for has been commoditized by foundation models. The data sources are free. The risk formulas are published. The workflows are well-understood. What remains valuable — domain expertise and human judgment — those belong in the hands of analysts, not behind vendor subscriptions. The right amount of automation is somewhere in the middle: enough to eliminate the repetitive work, not so much that the analyst loses control. That is what the 17 stagegates enforce.
KYC Analyst is the first in a series of open-source compliance plugins. All MIT licensed. All inspectable.
More plugins coming:
| Plugin | What it does | Status |
|---|---|---|
| KYC Analyst | KYC/AML onboarding, sanctions, PEP, risk scoring | ✅ Released |
| Compliance Mailroom | Gmail/Outlook monitoring, document triage, deadline tracking | 🔜 Coming soon |
| Questionnaire Analyst | Security questionnaires, vendor due diligence, client assessments | 🔜 Coming soon |
| SAR Narrative Generator | Suspicious Activity Report drafting (FinCEN BSA, FCA, VARA) | 🔜 Coming soon |
| MLRO Report Generator | Board-ready MLRO reports with trend analysis | 🔜 Coming soon |
| Policy Drafter | Draft compliance policies from regulatory text | 🔜 Coming soon |
Compliance-ready connectors via MCP:
These MCP connectors are already shipped by their respective vendors. This plugin's roadmap includes pre-built integration recipes for each:
| Connector | Who ships it | What it enables for compliance | Plugin integration |
|---|---|---|---|
| Google Workspace (Gmail, Drive, Calendar) | Anthropic | Email monitoring, case file storage, deadline tracking | 🔜 Planned |
| Slack | Salesforce + Anthropic | Escalation alerts, team notifications, analyst handoffs | 🔜 Planned |
| Microsoft 365 (Outlook, SharePoint, Teams) | Anthropic | Document triage, email monitoring (Team/Enterprise) | 🔜 Planned |
| Jira / Confluence | Atlassian | Compliance task tracking, audit finding management | 🔜 Planned |
| Box | Box | Enterprise document management, case file retention | 🔜 Planned |
| Snowflake | Snowflake Labs | Transaction monitoring data pipelines, AML analytics | 🔜 Planned |
| Salesforce / Agentforce | Salesforce | CRM case management, Agentforce agent orchestration | 🔜 Planned |
| ServiceNow | ServiceNow + Community | GRC module integration, incident management | 🔜 Planned |
All connectors use the open Model Context Protocol. No vendor lock-in — swap any connector by editing .mcp.json.
For this plugin:
- Additional jurisdiction packs (APAC, LatAm)
- Corporate structure analysis with UBO identification
- Premium data source connectors (World-Check, LexisNexis, Dow Jones)
- Batch processing for portfolio-level screening
Have a feature request? Open an issue or submit a PR.
This plugin is an experimental open-source tool provided "as is" under the MIT License. It is not a substitute for professional legal, regulatory, or compliance advice.
- Not a regulated product. This plugin is not a licensed compliance platform, not a regulated service, and not approved or endorsed by any regulatory authority (FCA, FinCEN, or otherwise).
- Research preview platform. Claude Cowork and Claude plugins are currently in research preview by Anthropic. Features, availability, and behavior may change without notice.
- No guarantees of accuracy. While this plugin queries public data sources, it cannot guarantee the accuracy, completeness, or timeliness of results. All outputs must be independently verified by a qualified compliance professional.
- Human judgment required. The 17 stagegates exist because AI cannot and should not make compliance decisions autonomously. Every decision in this workflow requires a trained analyst's review and approval.
- Not legal advice. Nothing in this plugin constitutes legal or regulatory advice. Consult qualified legal counsel for your jurisdiction.
- Your responsibility. Users are solely responsible for ensuring that their use of this plugin complies with applicable laws, regulations, and their firm's internal policies. The author accepts no liability for regulatory actions, fines, or losses arising from use of this tool.
- Data source limitations. Public data sources (OFAC, UN, Companies House, etc.) may have latency, gaps, or errors. Premium sources are not included. Screening results from this tool should supplement — not replace — your existing compliance infrastructure.
- Pilot results are illustrative. The early results reported above are from a single unaudited pilot and should not be treated as benchmarks or guarantees.
If in doubt, consult your compliance officer and legal team before deploying this or any automated tool in a production compliance workflow.
Is this actually compliant with AMLD5 / MLR 2017?
This plugin implements the workflow structure described in these regulations (independent verification per Article 10, risk-based approach, ongoing monitoring). However, the plugin itself is not a regulated product and has not been certified by any regulatory authority. Your firm's MLRO and legal team should evaluate whether it meets your specific compliance obligations. The 17 stagegates exist specifically to keep a trained human in control of every decision.
Can this replace World-Check / ComplyAdvantage / LexisNexis?
Not directly. Those platforms provide proprietary data (enhanced PEP lists, beneficial ownership databases, watchlists). This plugin uses only free public sources (OFAC, UN, EU, UK HMT, Companies House, OpenSanctions, ICIJ). For many small teams doing standard CDD on low-to-medium risk individuals, public sources may be sufficient. For enhanced due diligence, you will likely still need premium data — the connector system supports adding those APIs.
How does it handle false positives in sanctions screening?
The plugin presents all potential matches to the analyst at the relevant stagegate and waits for their assessment. It does not auto-dismiss or auto-confirm matches. Common name matches, partial matches, and date-of-birth mismatches are flagged for the analyst to evaluate. The analyst's decision is recorded in the immutable audit trail.
What happens with non-English names or transliterated names?
The plugin searches using the name as provided plus any declared aliases. For transliterated names, the analyst should add all known romanizations as aliases in the initial information-gathering stage. The OFAC SDN list includes alternate spellings, and OpenSanctions handles transliteration variants. However, this is a known limitation — comprehensive multilingual name matching requires specialized tooling.
Is the risk model validated?
The four-factor model uses published regulatory guidance (FATF, EBA, FinCEN) for its weight structure. It is deterministic — same inputs always produce the same score. It has not been independently validated or back-tested against a large dataset. Your firm should calibrate the weights and thresholds to match your risk appetite. The model is transparent (you can see the exact calculation in every report) and can be modified in skills/risk-assessment/SKILL.md.
Why 17 stagegates? Isn't that slow?
Regulatory compliance requires demonstrable human oversight. Each stagegate maps to a specific regulatory requirement (data verification, search authorization, evidence review, risk approval, escalation check, report generation). In practice, most gates take seconds to pass — the analyst reviews the presented evidence and types a keyword like proceed or confirm. The pilot showed 27 minutes end-to-end for a standard case, including all 17 gates.
Can I use this in production?
Claude Cowork and plugins are in research preview. This plugin is experimental. One fintech has used it in a supervised pilot. Whether it is suitable for your production compliance workflow depends on your firm's risk appetite, regulatory obligations, and legal assessment. See the full Disclaimer above.
Is this locked to Claude Cowork?
No. The commands and skills are plain markdown files. They work in Claude Cowork (GUI), Claude Code (CLI), or any Claude client that supports loading markdown as system prompts or slash commands. The Python dependencies (fpdf2, openpyxl) are only needed for Excel and PDF generation. The core compliance workflows are pure markdown.
Found a vulnerability? Report it privately to sandi@vyayasan.com or via LinkedIn. See SECURITY.md for our responsible disclosure policy.
Plugins are just markdown files. Fork the repo, make your changes, and submit a PR. See CONTRIBUTING.md for details on testing, stagegate rules, and jurisdiction support.
Looking for contributors who work in compliance (any country) to add jurisdiction-specific workflows.