How to Build a compliance checking Agent Using CrewAI in Python for retail banking

A compliance checking agent in retail banking reviews customer-facing content, workflow decisions, and case notes against policy rules before anything goes live. It matters because a missed disclosure, an unsuitable product recommendation, or a data residency violation can trigger regulatory findings, customer harm, and remediation cost.

Architecture

• •

  Input normalization layer

  • •Takes raw text from emails, chat transcripts, call summaries, or loan notes.
  • •Strips irrelevant noise and converts the content into a consistent review format.
• •

  Policy retrieval layer

  • •Pulls the right compliance rules for the jurisdiction and product line.
  • •For retail banking, this usually means KYC/AML, fair lending, privacy, marketing disclosures, complaint handling, and record retention.
• •

  Compliance analysis agent

  • •Uses CrewAI to inspect the content against policy.
  • •Produces a structured verdict: pass, fail, needs human review.
• •

  Audit logging layer

  • •Stores the input, retrieved policies, model output, timestamps, and reviewer action.
  • •This is non-negotiable in banking. If it is not auditable, it is not usable.
• •

  Escalation and routing layer

  • •Sends high-risk cases to a human compliance officer.
  • •Routes low-risk cases back to the business workflow with a clear decision.

Implementation

1) Install dependencies and define your policy context

Use CrewAI with a strict tool boundary. The agent should not “know” your bank’s policies from memory; it should retrieve them from approved sources.

pip install crewai crewai-tools pydantic

Create a small policy object that you can replace with a database or document store later.

from pydantic import BaseModel
from typing import List

class ComplianceFinding(BaseModel):
    status: str
    risk_level: str
    issues: List[str]
    recommendation: str

POLICY_CONTEXT = """
Retail banking compliance rules:
- Do not make promises about approval or rates without approved disclosures.
- Do not request or expose sensitive personal data outside approved channels.
- Flag any mention of sanctions screening bypasses or identity verification shortcuts.
- Escalate any cross-border data transfer or storage outside approved regions.
- Marketing claims must be fair, clear, and not misleading.
"""

2) Build a CrewAI agent with a strict role

Use Agent, Task, and Crew. Keep the role narrow. In banking, broad agents become liability machines.

from crewai import Agent, Task, Crew, Process
from crewai.llm import LLM

llm = LLM(
    model="gpt-4o-mini",
    temperature=0.0
)

compliance_agent = Agent(
    role="Retail Banking Compliance Reviewer",
    goal="Review customer-facing banking text for policy violations and escalation triggers",
    backstory=(
        "You are a senior compliance analyst for retail banking. "
        "You check content against approved policy only. "
        "You never invent policy interpretations."
    ),
    llm=llm,
    verbose=True,
    allow_delegation=False
)

3) Create the review task and run the crew

The task should force structured output. That makes downstream automation much easier than parsing free-form prose.

def build_review_task(customer_text: str) -> Task:
    return Task(
        description=f"""
Review the following retail banking text for compliance issues.

Policy context:
{POLICY_CONTEXT}

Text to review:
{customer_text}

Return:
- status: pass/fail/review
- risk_level: low/medium/high
- issues: list of specific violations or concerns
- recommendation: concise next action for operations or compliance
""",
        expected_output="A structured compliance assessment with status, risk_level, issues, and recommendation.",
        agent=compliance_agent
    )

customer_message = """
We can approve your personal loan today if you send your passport photo here.
Also, we may store your documents in our US analytics environment.
"""

crew = Crew(
    agents=[compliance_agent],
    tasks=[build_review_task(customer_message)],
    process=Process.sequential,
    verbose=True
)

result = crew.kickoff()
print(result)

4) Wrap the result in an auditable response object

For production use in retail banking, convert the output into something deterministic that can be stored in logs or passed to an orchestration service.

from datetime import datetime

def create_audit_record(input_text: str, result_text: str) -> dict:
    return {
        "timestamp": datetime.utcnow().isoformat(),
        "channel": "retail_banking_review",
        "input_text": input_text,
        "model_output": str(result_text),
        "decision": "manual_review_required" if "fail" in str(result_text).lower() else "approved_for_release"
    }

audit_record = create_audit_record(customer_message, result)
print(audit_record)

Production Considerations

• •

  Deploy inside your bank-controlled environment

  • •Keep inference inside approved cloud regions or on-prem infrastructure.
  • •Data residency matters when customer data crosses borders. If your policy says EU data stays in-region, enforce that at the network and storage layer.
• •

  Log everything needed for audit

  • •Store prompt inputs, retrieved policy version, model response, final decision, and human override.
  • •Add immutable timestamps and correlation IDs so auditors can reconstruct every decision path.
• •

  Add hard guardrails before model output reaches users

  • •Use deterministic checks for banned phrases like “guaranteed approval” or “no ID needed.”
  • •Block outputs that mention unsupported jurisdictions or unapproved storage locations.
• •

  Route high-risk cases to humans

  • •Anything involving AML suspicion, sanctions ambiguity, vulnerable customers, complaints escalation, or cross-border processing should go to compliance staff.
  • •Do not let the agent auto-close those cases.

Common Pitfalls

• •

  Using generic prompts instead of bank policy

  • •Mistake: asking the model to “check compliance” without providing controlled policy text.
  • •Fix: inject versioned policies from an approved source every time.
• •

  Treating free-form output as final truth

  • •Mistake: sending raw LLM text straight into operations workflows.
  • •Fix: require structured fields like status, risk_level, issues, and validate them before actioning.
• •

  Ignoring jurisdiction-specific rules

  • •Mistake: applying one global rule set across all products and countries.
  • •Fix: split policies by region and product line. A mortgage disclosure rule in one market may be wrong elsewhere.

If you build this pattern correctly, CrewAI becomes the orchestration layer around your compliance process rather than a black box making legal judgments. That is the right shape for retail banking: narrow scope, explicit policy context, strong auditability، and human escalation where it counts.

Keep learning

• •The complete AI Agents Roadmap — my full 8-step breakdown
• •Free: The AI Agent Starter Kit — PDF checklist + starter code
• •Work with me — I build AI for banks and insurance companies

By Cyprian Aarons, AI Consultant at Topiax.