Inspiration
KYC and AML controls are often reviewed through samples and narratives, while the real risk lives in the full customer population—expired IDs, CDD gaps, risk-rating drift, and screening exceptions scattered across thousands of rows. We wanted a fast, auditor-shaped workflow: load a population, run consistent rules across every record, see where the book breaks, and turn exception groups into structured findings without starting from a blank Word doc.
What it does
KYC PopAudit is a browser-based prototype for population-level KYC testing. You upload a customer file (CSV or XLSX); the app parses and normalizes rows, then runs a declarative rules engine across 100% of records (not a sample). You get a dashboard with severity and category views (Recharts), an exceptions view for drill-down, AI-generated audit findings (streamed from OpenAI) grouped by rule with formal Condition / Criteria / Risk / Recommendation sections, and a printable workpaper (print / save as PDF) that summarizes population, exceptions, and findings.
How we built it
We used Vite, React 19, TypeScript, React Router, and Tailwind CSS v4 for the UI and routing. File ingest uses Papa Parse for CSV and SheetJS for Excel, with normalization so rule checks align to column semantics. A dedicated kycRules module encodes rule metadata (id, name, category, severity, field, message) and pure check functions over each row; Vitest covers the rules engine and OpenAI parsing helpers. React context (AuditProvider) holds population, exceptions, findings, and generation state. The Findings flow builds auditor prompts from grouped exceptions, calls the OpenAI Chat Completions API with streaming, and parses the model output into consistent sections for the UI and workpaper.
Challenges we ran into
- Spreadsheet reality: headers, dates, and flags do not always match what rules expect, so we leaned on normalization and clear mock data contracts.
- Structured LLM output: auditors want repeatable sections; we constrained the prompt and added normalization/parsing so streamed text still maps to Condition / Criteria / Risk / Recommendation even when the model adds markdown noise.
- Scope discipline: keeping the experience coherent—upload → metrics → exceptions → AI → workpaper—without a backend meant pushing complexity into client state and tests where it belongs.
Accomplishments that we're proud of
- True population testing surfaced end-to-end in the UI and workpaper (“100% population — not a sample”).
- A readable rules catalog (identity, risk rating, CDD/EDD, screening, beneficial ownership, monitoring) that is test-backed and easy to extend.
- Streaming AI findings that feel like a live audit memo, plus a print-ready workpaper that ties numbers, exceptions, and narrative together.
- A polished multi-page flow (upload, dashboard, exceptions, findings, workpaper) with theming and charts that still feels lightweight for a hackathon build.
What we learned
- Compliance work is a product problem: auditors think in populations, exceptions, and workpapers—if the UX matches that mental model, the tech choices matter less.
- Client-side rule engines are powerful for demos: deterministic checks are fast to iterate and cheap to run at hackathon scale.
- LLMs are best as drafting assistants when you pin the schema (section headers, word limits, sample IDs) and validate parse results.
- Types + tests pay off quickly when rules and prompts evolve in parallel.
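
The section parsing and parse validation described under "Challenges we ran into" and "What we learned", as an added TypeScript example that is not KYC PopAudit's own code. The names `SECTIONS`, `SectionName`, `ParsedFinding`, `parseFinding` and the sample text are hypothetical; the parser tolerates markdown noise around the four headers and reports a finding as invalid until every section has text, so it can be re-run on the accumulated stream after each chunk.

```typescript
// Added example: all names here are hypothetical, not from the KYC PopAudit code base.
const SECTIONS = ["Condition", "Criteria", "Risk", "Recommendation"] as const;
type SectionName = (typeof SECTIONS)[number];
interface ParsedFinding { sections: Record<SectionName, string>; missing: SectionName[]; valid: boolean }

// A header is a section word with optional markdown noise ("## Risk", "**Risk:** text", "3. __Risk__: text").
// The word must end the line or be followed by a colon, so body text like "Risk ratings were..." is not a header.
const HEADER =
  /^[\s#>*_\-\d.)]*(condition|criteria|risk|recommendation)[*_\s]*(?::[*_\s]*(.*))?$/i;
const canonical = (w: string): SectionName | undefined =>
  SECTIONS.filter((s) => s.toLowerCase() === w.toLowerCase())[0];

// Pure function over the text received so far; call it again after each streamed chunk.
function parseFinding(text: string): ParsedFinding {
  const lines: Record<SectionName, string[]> = { Condition: [], Criteria: [], Risk: [], Recommendation: [] };
  let current: SectionName | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const m = HEADER.exec(raw);
    const header = m ? canonical(m[1] || "") : undefined;
    if (header) {
      current = header;
      if (m && m[2]) lines[current].push(m[2].trim()); // text on the same line as the header
    } else if (current && raw.trim() !== "") {
      lines[current].push(raw.trim());
    } // anything before the first header is model preamble and is dropped
  }
  const sections = {} as Record<SectionName, string>;
  const missing: SectionName[] = [];
  for (const s of SECTIONS) {
    sections[s] = lines[s].join(" ");
    if (sections[s] === "") missing.push(s); // fail closed: absent or empty section
  }
  return { sections, missing, valid: missing.length === 0 };
}

// Constructed sample of noisy model output (not real data).
const SAMPLE = [
  "Here is the drafted finding:", "## Condition",
  "14 records carry an expired ID document.",
  "Risk ratings on these records were not refreshed.",
  "**Criteria:** Policy requires a valid ID on file.",
  "3. __Risk__: Unverified customers may transact.",
  "### recommendation", "Re-verify the 14 records and refresh ratings.",
].join("\n");
console.log(parseFinding(SAMPLE));
```

A finding whose `valid` flag is false can be kept out of the workpaper or shown as a draft still streaming, rather than rendered with silently empty sections.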
What's next for KYC Pop Audit
- Backend and secrets: proxy OpenAI calls through a server, add auth, and never ship keys to the client.
- Data lineage: column mapping UI, stronger validation, and import templates for messy bank extracts.
- Deeper audit trail: user actions, rule versions, exception sign-off, and export to Excel / GRC tools.
- Performance and scale: Web Workers or server-side runs for very large populations, pagination, and incremental re-runs when files change.
- Rule packs: configurable rule sets by product line or jurisdiction, and optional sampling modes for regression testing against known golden files.
Built With
- react-19
- react-router
- tailwind
- typescript
- vite