A UK-regulated fintech needed its audit trail and KYC pipeline rewritten from the ground up before its next external audit. Nine months later: zero audit findings, faster onboarding, and a compliance team that finally trusted their own logs.
The client was a UK fintech with a real customer base, real regulatory exposure, and an audit logging system that had grown organically across four years and three engineering generations. The compliance team distrusted the logs. The CTO knew it. The next external audit was nine months away.
Their pain points were the kind that compound:
try/catch + Sentry and not much else.The brief was specific: rebuild the audit log and the KYC pipeline so that the next regulator visit produced a clean letter, and the compliance team stopped double-checking the system manually.
We didn't write code. We sat with the compliance team for half a day a week, walked through actual cases (including ones that had gone wrong), and built an event catalog: every regulatorily significant action, who emits it, what fields it must carry, what its retention rule is. The catalog was the contract — once signed off, it drove every PR.
We replaced the ad-hoc logging with a typed event spec. Every emit goes through a single library that validates, serializes, signs, and persists to a write-once store with hash-chained tamper evidence. Reads happen through a queryable read model. We did not migrate historical events — we rebuilt the one source of truth going forward and kept the legacy system in cold storage.
The pipeline was redesigned around explicit state, not implicit flow. Every customer's verification is a state machine with named states, named transitions, persisted timestamps, and a single source of truth for "where is this customer in onboarding." Vendor calls are wrapped in idempotent adapters with retry policy, circuit breakers, and recorded request/response (subject to PII redaction policy) for the audit trail.
The compliance team got a dashboard built on the new read model. Reports they used to assemble manually (SAR-relevant queries, periodic reviews, aggregate vendor-failure rates) became one-click exports with traceability back to source events.
"Compliance is a code problem before it's a process problem. If your engineers can't write down every regulatorily significant event in a single typed schema, your compliance team is doing the schema in their heads."
The next external audit produced zero findings against the rebuilt subsystems. KYC time-to-decision dropped because the pipeline now retried sensibly on transient vendor failures instead of dead-lettering them. The compliance team's manual report time fell substantially — they now run their own queries instead of asking engineering for one-off pulls.
Most importantly: the in-house engineering team owns the system. We left a single document with the catalog, the state machine, the runbooks, and a sign-off from the compliance lead. Six months after we stepped off, they shipped a sixth vendor adapter without us.
We've shipped fintech and AML-adjacent systems before. We treat regulatory work as engineering, not paperwork. And we don't ship "compliance theatre" — work that looks compliant in a slide deck but fails the moment a regulator pulls a sample of 20 cases at random.
Compliance, AML, KYC, audit-grade systems for regulated fintech. NDA standard.