How to Build a compliance checking Agent Using CrewAI in TypeScript for retail banking
A compliance checking agent in retail banking reviews customer-facing content, product flows, and internal decisions against policy before they go live. It matters because a single non-compliant disclosure, missing suitability check, or bad data handling path can create regulatory exposure, customer harm, and audit findings.
Architecture
- •
Policy knowledge source
- •Store bank policy, product terms, KYC rules, complaints handling rules, and jurisdiction-specific disclosures in a controlled document set.
- •Keep versioning explicit so every decision can be traced to the policy revision used.
- •
Compliance checker agent
- •Use a
Agentwith a narrow role: inspect inputs and return pass/fail plus reasons. - •Keep the output structured so downstream systems can gate releases or escalate.
- •Use a
- •
Task runner
- •Use a
Taskto define the exact review objective, required evidence, and response format. - •Make the task deterministic and avoid open-ended generation.
- •Use a
- •
Crew orchestration
- •Use
Crewto run the checker as part of a larger workflow with escalation or remediation steps. - •For retail banking, this usually means “review → flag → route to human compliance.”
- •Use
- •
Audit logging layer
- •Persist input hashes, policy version, model response, timestamps, reviewer identity, and final disposition.
- •This is what you need when compliance asks why something was approved.
- •
Data boundary controls
- •Enforce residency and PII minimization before anything reaches the model.
- •Mask account numbers, national IDs, addresses, and free-text fields that are not needed for the review.
Implementation
- •
Install CrewAI for TypeScript and define your policy input
The pattern here is simple: sanitize first, then ask the agent to assess against named rules. Do not send raw banking records unless the review truly needs them.
npm install @crew-ai/crew-ai zodimport { Agent, Task, Crew } from "@crew-ai/crew-ai"; import { z } from "zod"; const ComplianceInputSchema = z.object({ productName: z.string(), channel: z.enum(["mobile", "web", "branch", "call-center"]), content: z.string(), jurisdiction: z.string(), policyVersion: z.string(), }); type ComplianceInput = z.infer<typeof ComplianceInputSchema>; const input: ComplianceInput = ComplianceInputSchema.parse({ productName: "Personal Loan", channel: "web", content: "Apply now. Instant approval. No fees. Terms apply. Representative APR available on request.", jurisdiction: "UK", policyVersion: "2026.01", }); - •
Create a narrowly scoped compliance agent
The agent should not be a general assistant. It should only assess compliance risk using the supplied policy context and return structured findings.
const complianceAgent = new Agent({ name: "Retail Banking Compliance Checker", role: "Compliance reviewer for retail banking customer communications", goal: "Identify missing disclosures, misleading claims, unsuitable wording, and data handling risks", backstory: "You review retail banking content against internal policy and jurisdictional rules.", verbose: false, allowDelegation: false, }); const reviewTask = new Task({ description: ` Review the following retail banking content for compliance issues. Product: ${input.productName} Channel: ${input.channel} Jurisdiction: ${input.jurisdiction} Policy Version: ${input.policyVersion} Content: ${input.content} Return: - overallStatus: PASS or FAIL - issues: array of specific problems - rationale: short explanation tied to banking compliance concerns - remediation: exact fix suggestions `, expectedOutput: "A structured compliance assessment with PASS/FAIL status and actionable remediation", agent: complianceAgent, }); - •
Run the crew and force a machine-readable result
In production you want stable parsing. A plain text answer is too risky for automated gating in regulated workflows.
async function runComplianceReview() { const crew = new Crew({ agents: [complianceAgent], tasks: [reviewTask], verbose: false, }); const result = await crew.kickoff(); console.log("Compliance result:"); console.log(result); } runComplianceReview().catch((err) => { console.error("Compliance check failed:", err); process.exit(1); }); - •
Add an audit record around every decision
This is where most teams get lazy. In retail banking you need to prove what was checked, when it was checked, which policy version applied, and what changed after review.
import crypto from "crypto"; function hashPayload(payload: string) { return crypto.createHash("sha256").update(payload).digest("hex"); } async function auditedReview() { const payloadHash = hashPayload(JSON.stringify(input)); const startedAt = new Date().toISOString(); const crew = new Crew({ agents: [complianceAgent], tasks: [reviewTask], verbose: false, }); const result = await crew.kickoff(); const auditRecord = { payloadHash, startedAt, finishedAt: new Date().toISOString(), jurisdiction: input.jurisdiction, policyVersion: input.policyVersion, outcome: String(result), }; // Write this to your immutable audit store / SIEM / database here. console.log(JSON.stringify(auditRecord, null, 2)); }
Production Considerations
- •
Deploy in-region
- •Keep model calls and audit logs inside the required data residency boundary.
- •If your bank operates across regions, route UK customer content to UK-approved infrastructure only.
- •
Monitor false negatives aggressively
- •A missed disclosure is worse than an extra manual review.
- •Track pass/fail rates by product line, channel, and jurisdiction; sample “PASS” outputs for human QA.
- •
Add hard guardrails before model invocation
- •Redact account numbers, card PANs, national IDs, and free-text PII.
- •Reject inputs that exceed allowed scope instead of letting the agent infer from sensitive data.
- •
Keep human override in the loop
- •The agent should recommend; compliance staff should decide on edge cases.
- •Escalate any content involving fees, APRs, affordability language, complaints handling, or vulnerability indicators.
Common Pitfalls
- •
Using a generic assistant instead of a constrained reviewer
- •Problem: it produces helpful prose instead of enforceable compliance output.
- •Fix: narrow
role, disable delegation withallowDelegation: false, and require structured fields in the task output.
- •
Skipping policy versioning
- •Problem: you cannot prove which rule set was applied during an incident review.
- •Fix: pass
policyVersioninto every task and persist it in your audit log alongside the result.
- •
Sending raw customer data into the model
- •Problem: unnecessary PII exposure creates residency and privacy risk.
- •Fix: redact upstream and only send the minimum text needed for compliance analysis.
- •
Treating agent output as final truth
- •Problem: even good models miss jurisdiction-specific details or interpret vague wording incorrectly.
- •Fix: use the agent as a screening layer and require human sign-off for high-risk content paths.
Keep learning
- •The complete AI Agents Roadmap — my full 8-step breakdown
- •Free: The AI Agent Starter Kit — PDF checklist + starter code
- •Work with me — I build AI for banks and insurance companies
By Cyprian Aarons, AI Consultant at Topiax.
Want the complete 8-step roadmap?
Grab the free AI Agent Starter Kit — architecture templates, compliance checklists, and a 7-email deep-dive course.
Get the Starter Kit