System Architecture Diagram

Full production architecture: 8 layers from signal ingestion through regulatory filing. 5 parallel agents, 5 peer source tools, graph-based correlation engine, mandatory HITL gate. Architecture v2.1 · Fraud Detection Agentic AI.

Layer 1 · Signal Ingestion
All fraud-triggering events are ingested into a unified event stream. The platform monitors transaction channels, authentication systems, device telemetry, and behavioral signals simultaneously.
Wire / SWIFT / Fedwire
Zelle / P2P Payments
ACH Origination
Credential Change Events
Device Fingerprint Signals
Login Anomalies
Transport: Apache Kafka → Event normalization topics → Orchestrator consumer group
Layer 2 · Orchestrator
Event Classification

Consumes the normalized event and classifies the fraud type from its event signature: ATO (credential + new device + wire), BEC (first-time payee + wire + email metadata), Synthetic (SSN anomaly + credit velocity), Mule (P2P flow + device clustering).

Agent Dispatch

Dispatches all 5 source tools and all 5 agents simultaneously, in parallel rather than sequentially. Each agent receives the same normalized event record. Total dispatch latency: <50ms.
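A sketch of the classification and dispatch steps described above, as an added example that is not the product's own code. The signal names are assumed spellings of the signatures listed under Event Classification, the two workers are hypothetical stand-ins for Layer 3/4 components, and the read-only view and per-worker error capture are design assumptions the page does not state.

```python
import asyncio
from types import MappingProxyType

# Signatures transcribed from the Event Classification paragraph.
# The signal names are assumed spellings, not the product's field names.
SIGNATURES = {
    "ATO": {"credential_change", "new_device", "wire"},
    "BEC": {"first_time_payee", "wire", "email_metadata"},
    "SYNTHETIC": {"ssn_anomaly", "credit_velocity"},
    "MULE": {"p2p_flow", "device_clustering"},
}


def classify(event):
    """Return every fraud type whose full signature is present in the event."""
    present = set(event["signals"])
    return sorted(t for t, sig in SIGNATURES.items() if sig <= present)


async def dispatch(event, workers):
    """Run all workers concurrently on one read-only view of the event."""
    frozen = MappingProxyType(dict(event))  # no worker can alter what the others see
    results = await asyncio.gather(*(w(frozen) for w in workers.values()),
                                   return_exceptions=True)
    # A failed worker becomes an explicit error entry instead of sinking the batch.
    return {name: ({"error": repr(r)} if isinstance(r, Exception) else r)
            for name, r in zip(workers, results)}


async def txn_risk(event):  # hypothetical worker that succeeds
    await asyncio.sleep(0.01)
    return {"score": 82}


async def bio_behav(event):  # hypothetical worker whose vendor call fails
    raise TimeoutError("vendor API timeout")


def run_sample():
    # Constructed event carrying the three ATO signals.
    event = {"id": "evt-1", "signals": ("credential_change", "new_device", "wire")}
    workers = {"TXN-RISK": txn_risk, "BIO-BEHAV": bio_behav}
    return classify(event), asyncio.run(dispatch(event, workers))
```

An event can match no signature or more than one, so `classify` returns a list and leaves the choice of how to route those cases to the caller.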

↓ ↓ ↓ ↓ ↓   (Parallel)
Layer 3 · 5 Peer Source Tools — Parallel Execution · Equal Authority
All five source tools execute simultaneously. No source has authority over another. Each returns its signal payload independently. Conflicting signals are resolved by the Correlation Engine (Layer 5), not at this layer.
ML INFERENCE: XGBoost + Graph Neural Net · Real-time · <200ms
ACCT HISTORY: FIS / Fiserv Core · 36-Month Baseline
BIOMETRICS: BioCatch · ThreatMetrix · Sardine · Session
REG ENGINE: BSA-AML · Reg E · FFIEC · CFPB
CASE QUEUE: Actimize · Verafin · SAR Pre-fill
↓ ↓ ↓ ↓ ↓   (Parallel)
Layer 4 · 5 Sub-Agents — Parallel Execution
Five specialized agents operate simultaneously on the same normalized event record. Each agent is a complete domain expert — no agent needs to wait for another. Typical total agent execution: 8–15 seconds for Scenarios 01–04.
AGENT 1 · TXN-RISK
Transaction Risk Scorer

Produces 0–100 risk score from XGBoost ensemble (tabular features) fused with GNN output (graph topology). Returns: risk score, top contributing features (SHAP values), GNN neighborhood risk propagation map, mule network indicators.

AGENT 2 · ACCT-STATE
Account State Analyzer

Retrieves 36-month baseline from FIS/Fiserv. Computes deviation scores for: amount (raw + percentile), velocity (24h/7d/30d), payee concentration, geographic access, login frequency. Returns: baseline summary, deviation vector, ATO probability, risk trajectory chart.

AGENT 3 · BIO-BEHAV
Behavioral Biometrics

Queries BioCatch, ThreatMetrix, and Sardine APIs with session correlation token. Returns: behavioral risk score (0–100), device fingerprint match/mismatch, session anomaly type (credential stuffing/RAT/bot-overlay), device-to-account history.

AGENT 4 · REG-COMP
Regulatory Compliance

Applies deterministic regulatory rules to the event. Returns: Reg E obligation (yes/no/complex), 5-day clock start timestamp, SAR obligation (yes/no), CTR threshold exceeded (yes/no), OFAC blocking required (yes/no), all deadline timestamps.

AGENT 5 · CASE-MGT
Case Management Agent

Assembles all agent outputs into a complete HITL decision packet. Produces: fraud narrative (plain-language summary with evidence citations), SAR narrative draft (FinCEN field-compliant), Reg E determination memo, evidence exhibit package, priority classification (P0/P1), all regulatory deadline display fields. Writes back to Actimize/Verafin via REST API.

Layer 5 · Correlation Engine
Signal Fusion

Graph-based signal fusion combines all 5 agent outputs into a unified confidence score. Conflicting signals are resolved by weight matrix calibrated to fraud type. ATO weight profile differs from BEC and Mule weight profiles.

Evidence Assembly

Assembles ordered evidence chain with confidence annotation. Each signal is ranked by contribution weight. Low-confidence signals are flagged for analyst attention rather than excluded. Chain is fully reproducible for examination.
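The fusion and evidence-ordering behaviour described in this layer, as an added example that is not the product's own code. A confidence-scaled weighted average stands in for the graph-based fusion, whose method the page does not give. The weight values, the 0.5 flagging cut-off and the sample scores are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weight matrix: one profile per fraud type, one weight per Layer 4 agent.
# The numbers are illustrative assumptions, not the product's calibration.
WEIGHTS = {
    "ATO": {"TXN-RISK": 0.25, "ACCT-STATE": 0.30, "BIO-BEHAV": 0.35,
            "REG-COMP": 0.05, "CASE-MGT": 0.05},
    "BEC": {"TXN-RISK": 0.40, "ACCT-STATE": 0.35, "BIO-BEHAV": 0.10,
            "REG-COMP": 0.10, "CASE-MGT": 0.05},
}
LOW_CONFIDENCE = 0.5  # assumed cut-off for flagging a signal to the analyst


@dataclass(frozen=True)
class Signal:
    agent: str         # which agent produced the signal
    score: float       # 0-100 risk score
    confidence: float  # 0-1, the agent's confidence in that score


def fuse(fraud_type, signals):
    """Return (unified score 0-100, evidence chain ordered by contribution)."""
    profile = WEIGHTS[fraud_type]
    # Effective weight = profile weight scaled by confidence, so a doubtful
    # signal still counts, only less.
    eff = [(s, profile[s.agent] * s.confidence) for s in signals]
    total = sum(w for _, w in eff)
    if total <= 0:
        raise ValueError("no usable signals to fuse")
    chain = [{"agent": s.agent, "score": s.score,
              "contribution": w * s.score / total,
              "flag_for_analyst": s.confidence < LOW_CONFIDENCE} for s, w in eff]
    # Ties broken by agent name so the same inputs always give the same chain.
    chain.sort(key=lambda e: (-e["contribution"], e["agent"]))
    return round(sum(e["contribution"] for e in chain), 2), chain


# Constructed case: two agents agree on high risk, the biometrics signal
# disagrees and reports low confidence in its own reading.
SAMPLE = [Signal("TXN-RISK", 80, 1.0), Signal("ACCT-STATE", 90, 1.0),
          Signal("BIO-BEHAV", 20, 0.4)]
```

The low-confidence signal stays in the chain with its flag set, and the same inputs scored under the BEC profile give a different unified score than under ATO.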

Layer 6 · LLM Reasoning — Claude Sonnet
Fraud Narrative

Plain-language fraud case narrative for analyst and examiner use. Cites specific evidence. Explains fraud mechanism and signal correlation.

SAR Draft

FinCEN BSA SAR form pre-populated. All required fields completed. Subject information, transaction detail, suspicious activity description all drafted.

Reg E Memo

Reg E determination memorandum: unauthorized transaction analysis, applicable provisions cited, provisional credit recommendation with regulatory basis.

Evidence Chain

Complete evidence exhibit package: agent output summaries, signal weights, source citations, confidence annotations, timeline of events.

Layer 7 🔒 · Mandatory HITL Gate

The HITL gate is a hard architectural boundary. No regulatory action proceeds without explicit Fraud Analyst approval. This layer cannot be bypassed, configured for auto-approval, or overridden by any system setting. The 5 gates are hardcoded at the system level.

GATE 1 · Reg E Provisional Credit Decision
GATE 2 · SAR Filing Authorization
GATE 3 · Wire Recall Authorization
GATE 4 · Account Freeze / Closure
GATE 5 · OFAC Block Report
Fraud Analyst Identity · Timestamp · Decision · Rationale — All Immutably Logged · Reproducible on Demand
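One way to make the gate and its decision log checkable, as an added example that is not the product's own code. The gate keys mirror the five gates above; the class, function and field names are hypothetical, and a SHA-256 hash chain is an assumed mechanism for the logging the page describes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Gate keys follow the page's five gates; all other names here are hypothetical.
GATES = ("REG_E_CREDIT", "SAR_FILING", "WIRE_RECALL", "ACCOUNT_FREEZE", "OFAC_BLOCK")
GENESIS = "0" * 64

def _digest(entry):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class DecisionLog:
    """Append-only analyst decision log; each entry commits to the one before it."""
    def __init__(self):
        self.entries = []

    def record(self, case_id, gate, analyst, decision, rationale):
        if gate not in GATES or decision not in ("approve", "deny"):
            raise ValueError("unknown gate or decision")
        if not (analyst.strip() and rationale.strip()):
            raise ValueError("analyst identity and rationale are mandatory")
        entry = {"case_id": case_id, "gate": gate, "analyst": analyst,
                 "decision": decision, "rationale": rationale,
                 "timestamp": datetime.now(timezone.utc).isoformat(),
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def is_approved(self, case_id, gate):
        for e in reversed(self.entries):  # latest decision for this case and gate wins
            if e["case_id"] == case_id and e["gate"] == gate:
                return e["decision"] == "approve"
        return False  # no decision on record means no approval

def run_gated(log, case_id, gate, action):
    # The action runs only behind an intact log and a recorded analyst approval.
    if not (log.verify() and log.is_approved(case_id, gate)):
        raise PermissionError(f"{gate} not authorised for {case_id}")
    return action()
```

A hash chain makes edits to past decisions detectable rather than impossible, so the latest hash also has to be anchored in storage the application cannot rewrite.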
Layer 8 · Regulatory Filing Outputs
After HITL approval, the system executes the authorized regulatory actions. All filings are submitted by the authorized human — not auto-submitted by the agent.
SAR FILING

FinCEN BSA E-Filing API (31 U.S.C. §5318(g)). BSA Officer is filer of record. SAR number returned and logged. T-30 deadline satisfied.

REG E CREDIT

Provisional credit applied in core banking (12 C.F.R. §1005.11). Customer notification generated. 5 business-day compliance logged.

CTR FILING

FinCEN CTR E-Filing for qualifying cash events (31 CFR §1010.311). 15 calendar-day deadline satisfied. Pre-populated from transaction data.

OFAC REPORT

Form TDF-90-22.50 submitted to OFAC (31 CFR §501.603). Account blocked in core banking. 10 business-day deadline satisfied.

Signal & HITL

Signal ingestion (L1) and HITL gate (L7): the entry point and the mandatory human checkpoint. Red denotes the highest-urgency layers.

Parallel Execution

Source tools (L3) and agents (L4) — both layers execute in parallel. 5 tools and 5 agents run simultaneously, not sequentially.

LLM Reasoning

Claude Sonnet LLM (L6) generates narrative, SAR draft, Reg E memo, and evidence chain from the correlation engine output.

Regulatory Outputs

Post-HITL filing layer (L8). SAR, Reg E credit, CTR, OFAC report. All submitted by authorized humans — never auto-filed by the agent.

External System Connections

Core Banking
Systems: FIS Horizon / Systematics; Fiserv DNA / Signature / Premier
Details: Read-only REST API · Account + Transaction data · 36-month history

Fraud Case Management
Systems: NICE Actimize FRAML; Verafin Platform
Details: Bidirectional REST + Webhook · Alert inbound · HITL packet writeback

Behavioral Biometrics
Systems: BioCatch Enterprise API; ThreatMetrix (LexisNexis Risk); Sardine SDK
Details: Session correlation token · REST API · JS/Mobile SDK instrumentation

ML Infrastructure
Systems: XGBoost (CAIBots Managed); Graph Neural Net (PyTorch Geometric)
Details: Managed cloud service · MLflow model versioning · Weekly retraining

Regulatory Filing
Systems: FinCEN BSA E-Filing API; OFAC Report (TDF-90-22.50)
Details: SAR + CTR pre-population · Analyst submits · Confirmation numbers logged

LLM Reasoning
Systems: Anthropic Claude Sonnet API; claude-sonnet-4-20250514
Details: Fraud narrative · SAR draft · Reg E memo · Scenario 05 Live AI

Want a Walkthrough?

In the architecture call we map each layer of this diagram to your existing stack — core banking, fraud platform, behavioral biometrics provider, and regulatory filing workflow.
