AI Agents for payments: How to Automate KYC verification (single-agent with LangGraph)
AI agents are a good fit for KYC verification in payments because the work is repetitive, document-heavy, and full of decision points that can be standardized. The business problem is simple: onboarding stalls when analysts have to manually review identity documents, extract data, cross-check sanctions and PEP lists, and chase missing evidence across email and ticketing systems.
A single-agent workflow built with LangGraph gives you a controlled way to automate those steps without turning KYC into an opaque black box. You get deterministic routing, human review where required, and an audit trail that compliance teams can actually use.
The Business Case
- Reduce manual review time from 15–25 minutes to 3–7 minutes per applicant
  - In a mid-market payments processor handling 20,000 merchant or wallet onboarding cases per month, that saves roughly 4,000–7,000 analyst hours monthly.
  - The agent handles document parsing, data extraction, policy checks, and evidence assembly before a human approves exceptions.
- Cut cost per KYC case by 40–60%
  - If fully loaded analyst cost is $35–$60/hour, manual KYC can land around $10–$25 per case depending on complexity.
  - A single-agent system usually brings that down to $4–$12 per case, mainly by reducing rework and queue time.
- Lower error rates on data entry and checklist misses
  - Manual operations commonly see 2–5% field-level errors in names, addresses, registration numbers, or beneficial ownership capture.
  - An agent using structured extraction plus validation rules can push that below 1%, especially for standardized documents like passports, utility bills, certificates of incorporation, and bank statements.
- Improve SLA performance for onboarding
  - Payments businesses often target same-day or <24-hour onboarding for low-risk merchants.
  - A single-agent workflow can move first-pass decisions into the 5–15 minute range for clean cases, which reduces abandonment and improves activation rates.
Architecture
A production KYC agent should be boring in the right ways. Keep it to a small number of components so compliance and engineering both understand the failure modes.
- Agent orchestration layer: LangGraph
  - Use LangGraph to define the state machine for KYC steps: intake → document classification → extraction → screening → policy check → human escalation.
  - This is better than a free-form agent loop because every transition is explicit and auditable.
- LLM application layer: LangChain
  - Use LangChain for prompt templates, structured outputs, tool calling, and retry logic.
  - Keep prompts narrow: one task per node. For example, one chain extracts address fields from proof-of-address documents; another compares extracted data against application form fields.
- Data and retrieval layer: PostgreSQL + pgvector
  - Store applicant records, verification results, audit logs, and embeddings for prior case similarity.
  - pgvector helps retrieve prior approved cases or policy snippets so the agent can ground decisions in internal playbooks instead of inventing answers.
- Compliance and integration layer
  - Connect to sanctions/PEP providers like Refinitiv World-Check or Dow Jones Risk & Compliance.
  - Integrate with your case management system, CRM, and object storage for documents.
  - Add immutable logging to support audits under SOC 2, GDPR access controls, retention rules, and internal model risk governance. If you operate across banking rails or partner with banks subject to Basel III controls, make sure model oversight fits their third-party risk requirements.
| Component | Purpose | Why it matters |
|---|---|---|
| LangGraph | Workflow control | Deterministic routing and human-in-the-loop gates |
| LangChain | LLM tooling | Structured extraction and tool execution |
| PostgreSQL + pgvector | State + retrieval | Auditability and policy grounding |
| Screening APIs | Sanctions/PEP/adverse media checks | Regulatory coverage |
| Case management system | Analyst escalation | Operational continuity |
What Can Go Wrong
- Regulatory risk: false negatives on sanctions or beneficial ownership
  - If the agent misses a sanctioned entity or misreads ownership structure, you have a real AML exposure.
  - Mitigation: keep sanctions screening deterministic via external providers; never let the LLM make final screening decisions. Use the agent to gather evidence and route exceptions only. Maintain thresholds aligned with your AML program and local requirements under GDPR data minimization rules where applicable.
- Reputation risk: bad onboarding decisions create downstream fraud
  - Overly aggressive automation can approve synthetic identities or shell merchants that later generate chargebacks or laundering activity.
  - Mitigation: apply risk-tiered routing. Low-risk consumer accounts can auto-progress with strong evidence; higher-risk merchants trigger enhanced due diligence (EDD), source-of-funds checks, or manual approval. Track false acceptance rate by segment weekly.
- Operational risk: brittle workflows break when documents vary
  - Real KYC packets are messy: scans are low quality, names don’t match exactly, company registries differ by country.
  - Mitigation: design fallback paths in LangGraph for low-confidence extraction. Require confidence thresholds per field; if passport number confidence drops below your threshold or OCR fails on a utility bill, route to an analyst instead of guessing.
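The policy-check node from the architecture above and the mitigations in this section (deterministic screening, per-field confidence thresholds, risk-tiered routing) as one added example. This is illustration code written for this page, not LangGraph's own code: it uses LangGraph's node convention (state in, partial update out) and a router you would pass to add_conditional_edges, but runs without the library; the thresholds, field names and applicant data are constructed.

```python
# Minimum extraction confidence per field (assumed policy values, constructed for this example).
FIELD_THRESHOLDS = {"full_name": 0.90, "date_of_birth": 0.95,
                    "passport_number": 0.97, "address": 0.85}

def policy_check(state: dict) -> dict:
    """LangGraph-style node: reads the shared state, returns only the keys it updates."""
    reasons = []
    # Screening is deterministic (external provider); any hit goes to a human, never to the model.
    scr = state["screening"]
    if scr["sanctions_hit"] or scr["pep_hit"]:
        reasons.append("screening_hit")
    # Per-field confidence gate: below threshold means route to an analyst, not guess.
    for name, threshold in FIELD_THRESHOLDS.items():
        fld = state["extracted"].get(name)
        if fld is None or fld["confidence"] < threshold:
            reasons.append(f"low_confidence:{name}")
    # Cross-check the extracted identity data against the application form.
    form = state["application"]
    extracted_name = state["extracted"].get("full_name", {}).get("value", "")
    if extracted_name.casefold() != form["full_name"].casefold():
        reasons.append("name_mismatch")
    # Risk-tiered routing: only clean low-risk cases auto-progress; clean high-risk cases get EDD.
    if reasons:
        route = "analyst"
    elif form["risk_tier"] == "high":
        route = "edd"
    else:
        route = "auto_approve"
    return {"route": route, "reasons": reasons}

def route_after_policy(state: dict) -> str:
    """Router for add_conditional_edges: returns the name of the next node."""
    return state["route"]

def sample_state(**overrides) -> dict:
    """Constructed state for a clean, low-risk applicant; overrides patch one section."""
    state = {
        "application": {"full_name": "Jane Doe", "risk_tier": "low"},
        "extracted": {
            "full_name": {"value": "JANE DOE", "confidence": 0.98},
            "date_of_birth": {"value": "1990-04-12", "confidence": 0.99},
            "passport_number": {"value": "X1234567", "confidence": 0.99},
            "address": {"value": "1 Example Street", "confidence": 0.91},
        },
        "screening": {"sanctions_hit": False, "pep_hit": False},
    }
    for section, patch in overrides.items():
        state[section] = {**state[section], **patch}
    return state
```

Every reason is recorded alongside the route so the analyst sees why a case landed in their queue rather than just that it did.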
Getting Started
- Pick one narrow use case
  - Start with a single segment like low-risk SMB merchant onboarding or consumer wallet KYC in one geography.
  - Do not start with cross-border corporate KYB across five jurisdictions. That turns the pilot into a policy project instead of an engineering project.
- Build a human-in-the-loop pilot in 6–8 weeks
  - Keep the team small: 1 product owner, 2 backend engineers, 1 ML/LLM engineer, 1 compliance analyst.
  - Measure three metrics from day one: average handling time, first-pass approval rate, and escalation rate.
- Implement controls before scale
  - Add immutable audit logs for every field extracted by the agent.
  - Store prompt versions, model versions, source document hashes, screening results, and analyst overrides.
  - Make sure retention policies match your legal obligations under GDPR and your internal SOC 2 controls.
- Run parallel ops before full cutover
  - For the first month after pilot launch, run the agent alongside manual review on at least 500–1,000 cases.
  - Compare decisions daily. Look specifically at mismatches involving address normalization, beneficial ownership parsing, sanctions hits, and document authenticity flags.
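An added example of the audit record described under "Implement controls before scale": each entry carries the prompt version, model version, SHA-256 of the source document, screening result and any analyst override, and is chained to the previous entry's hash so edits or deletions are detectable. This is illustration code for this page, not the project's own; the case id, versions and document bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a case's chain

def _canonical_hash(body: dict) -> str:
    """Hash a canonical JSON encoding so the same record always hashes the same way."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def make_audit_record(prev_hash, case_id, prompt_version, model_version,
                      document_bytes, extracted, screening, analyst_override=None, ts=None):
    """One append-only audit entry, chained to the previous entry's hash.
    Only the document's SHA-256 is stored, so the source file can be deleted
    under retention rules while the log still proves what was reviewed."""
    body = {
        "case_id": case_id,
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "prompt_version": prompt_version,
        "model_version": model_version,
        "document_sha256": hashlib.sha256(document_bytes).hexdigest(),
        "extracted": extracted,
        "screening": screening,
        "analyst_override": analyst_override,
        "prev_hash": prev_hash,
    }
    return {**body, "record_hash": _canonical_hash(body)}

def verify_chain(records) -> bool:
    """Recompute every hash; an edited, dropped or reordered record breaks the chain."""
    prev = GENESIS_HASH
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_hash"] != prev or _canonical_hash(body) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True

def demo_chain() -> list:
    """Two constructed records for one case: agent extraction, then an analyst override."""
    doc = b"%PDF-1.4 constructed sample utility bill"  # placeholder document bytes
    first = make_audit_record(GENESIS_HASH, "case-0001", "addr-extract-v3", "model-2024-06",
                              doc, {"address": "1 Example Street"}, {"sanctions_hit": False},
                              ts="2024-06-01T10:00:00+00:00")
    second = make_audit_record(first["record_hash"], "case-0001", "addr-extract-v3", "model-2024-06",
                               doc, {"address": "1 Example St"}, {"sanctions_hit": False},
                               analyst_override="address normalized", ts="2024-06-01T10:05:00+00:00")
    return [first, second]
```

In production the rows would live in an append-only PostgreSQL table with no UPDATE or DELETE grants for the application role, and verify_chain would run as a scheduled check.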
If you build it this way, AI agents do not replace your compliance function. They remove the repetitive work around it so analysts spend time on actual judgment calls instead of copying data between screens.
By Cyprian Aarons, AI Consultant at Topiax.