SignalKYC: Identity Risk Investigator

SignalKYC is an agent that checks onboarding data, links related identity signals, and explains why a user should be approved, stepped up, or reviewed.

Comment

Inspiration

Most KYC tools treat each signup as a form to check, not a case to investigate. Identity fraud rarely shows up in one field. It appears when you connect signals: a device used by three accounts, an IP tied to a fraud cluster, a phone linked to a flagged case from last month. Analysts already know this, but they have to chase those connections across separate tools and reconcile them by hand.

We wanted to build the investigation layer that sits between raw signals and the final decision, one that links those signals into a live graph, walks the relationships, and explains what it found. Jac was a natural fit because the problem is graph-shaped and walkers are exactly the right tool for agents that need to move through linked entities instead of scoring isolated records.

What it does

SignalKYC is an autonomous KYC investigation agent for fintech onboarding. When a new applicant submits their details, SignalKYC ingests the signals, builds or updates a live identity graph of the applicant's email, phone, device, IP, and document metadata, and then investigates suspicious links across that graph.

The investigation follows connected paths, checks against prior fraud clusters, fires deterministic risk rules on high-signal patterns, and then runs an LLM-powered reasoning step using by llm() to evaluate ambiguous evidence. Every case ends with one of three decisions:

  • Approve when the graph is clean and signals are consistent
  • Step-up verification when the case is suspicious but one more check can resolve it
  • Manual review when the graph shows meaningful linked risk or unresolved contradictions

Every decision includes a full reasoning chain. Analysts can see which nodes were traversed, which rules fired, and why the outcome was reached.

* Project Video · Live Demo Video *

How we built it

The backend is written entirely in Jac. Identity entities are modeled as graph nodes: User, Email, Phone, Device, IP, and FraudCluster. Relationships between them are graph edges: used_by, shared_with, flagged_as, and part_of_cluster. The investigation logic runs as Jac walkers that physically traverse those edges and accumulate evidence.

The core walkers are:

  • ingest_signup.jac — creates or resolves entities and links them to existing graph history
  • build_graph.jac — normalizes and connects entity relationships
  • investigate.jac — orchestrates the full pipeline
  • fraud_agent.jac — runs the stateful FraudInvestigationAgent with by llm() reasoning
  • decision.jac — calculates risk score, confidence, and formats the output
  • memory.jac — persists outcomes so future cases carry risk history forward

The frontend is Next.js 15 with TypeScript. We built a purpose-designed investigation UI with React Flow for the identity graph, Framer Motion for the animated agent reasoning panel, and shadcn/ui components for the dashboard and decision output. State management runs on Zustand. The frontend also includes a full offline simulation layer so the demo runs without a live backend.

Challenges we ran into

The biggest challenge was designing the investigation flow so that walkers do real work rather than acting as thin wrappers around a single LLM call. We had to figure out the right division between deterministic rule logic, which fires fast on high-confidence signals, and the by llm() reasoning step, which handles ambiguous cases. Getting that boundary right took several iterations.

Connecting the frontend investigation UI to the Jac backend also required careful API design. The response from the backend needed to carry enough structured data for the graph visualization, the reasoning panel, and the decision output to all render correctly at the same time.

Building the fraud cluster propagation logic was also harder than expected. When a new applicant shares a device with a prior fraud cluster member, the risk needs to propagate through the part_of_cluster edge correctly without creating false positives on shared public infrastructure like university IPs or shared mobile carrier IDs.

Accomplishments that we're proud of

The walker architecture maps directly onto the product story. The agent does not fake investigation behavior through a prompt. It actually traverses the graph, follows edges, checks cluster memberships, and builds a decision trail from node and edge evidence. That is a real agentic system, not a chatbot with a fraud-sounding UI.

We are also proud of the explainability layer. Every outcome includes a human-readable reasoning chain that a compliance analyst can read, verify, and use as an audit trail. That is something most KYC tools still do not offer.

The investigation UI came out well too. The animated agent reasoning panel, the live React Flow graph with suspicious path highlighting, and the decision output panel work together as a coherent product experience.

What we learned

Building in Jac made us think differently about agent design. The graph-native primitives push you toward modeling the actual relationships in your problem rather than forcing everything into flat records or REST endpoints. Once we modeled the KYC problem as a property graph, the walker logic followed naturally.

We also learned that explainability is not easy to add after the fact. It has to be built into the investigation flow from the start. Every step the walker takes needs to produce a readable output, not just a risk increment. That shaped how we structured the agent_memory object that passes between walkers.

What's next for SignalKYC: Identity Risk Investigator

The immediate next step is connecting SignalKYC to real onboarding data through webhooks with providers like Stripe, Plaid, and Persona, so the graph builds from live signals rather than seeded data.

After that, the most valuable upgrade is continuous post-approval monitoring. KYC is moving toward ongoing risk review, not just one-time verification. New signals can emerge after approval, and the graph structure of SignalKYC is already designed to support reassessment of linked identities over time.

Longer term, the plan includes multi-tenant graph partitioning for enterprise use, real-time WebSocket investigation feeds, and a regulatory report generation layer for AML and compliance workflows.

Built With

Share this project:

Updates