Inspiration

Financial crime compliance teams drown in alerts. For every suspicious transaction, an analyst manually pieces together transaction history, KYC records, and the relevant regulations, then writes it up, often only to find it was a false positive. In the worst case, that hard-won analysis evaporates: the next analyst investigating the same entity starts from scratch. We wanted an agent that doesn't just search and answer, but investigates like an analyst and remembers like an institution, so the whole team gets sharper with every case.

What it does

Vigil is an AI compliance investigator for fintech:

  • Proactively monitors: run a sweep and it ranks the riskiest accounts and tells you where to look first.
  • Investigates end-to-end: for a flagged entity it autonomously looks up the KYC profile, searches transactions, runs a velocity/pattern check, and grounds red flags in real regulations (BSA/SAR, CTR, OFAC…), then recommends an action such as filing a SAR.
  • Clears false positives: it recognizes legitimate activity (e.g. routine supplier runs) and resolves the alert instead of crying wolf.
  • Builds institutional memory: every case is written back to Elasticsearch, and future investigations recall it via semantic search. Investigate an entity today; in a fresh session tomorrow, Vigil remembers.

It covers five distinct AML typologies in the demo data: velocity/layering, structuring, PEP offshore inflows, a sanctions hit, and a false positive.
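The velocity/pattern check and the "routine supplier run" exoneration described above, as an added example written for this page (it is not Vigil's own implementation): a structuring check and a velocity check run over constructed sample transactions for three of the typologies listed, with the recurring vendor payments left unflagged. The record fields, window sizes, the 15% "just under" band and the wire counts are assumptions; the $10,000 figure is the BSA currency transaction report threshold (31 CFR 1010.311).

```python
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000  # BSA currency transaction report threshold, USD (31 CFR 1010.311)

# Constructed sample transactions (assumed field names; not the project's demo data).
SAMPLE_TXNS = [
    # acct-01: three cash deposits just under the CTR threshold on consecutive days
    {"account": "acct-01", "ts": "2024-03-01T10:00:00", "type": "cash_deposit", "amount": 9_500, "counterparty": "CASH"},
    {"account": "acct-01", "ts": "2024-03-02T11:30:00", "type": "cash_deposit", "amount": 9_800, "counterparty": "CASH"},
    {"account": "acct-01", "ts": "2024-03-03T09:15:00", "type": "cash_deposit", "amount": 9_700, "counterparty": "CASH"},
    # acct-02: six outbound wires to six different counterparties inside four hours
    {"account": "acct-02", "ts": "2024-03-05T08:00:00", "type": "wire_out", "amount": 4_000, "counterparty": "cp-a"},
    {"account": "acct-02", "ts": "2024-03-05T08:40:00", "type": "wire_out", "amount": 3_900, "counterparty": "cp-b"},
    {"account": "acct-02", "ts": "2024-03-05T09:20:00", "type": "wire_out", "amount": 4_100, "counterparty": "cp-c"},
    {"account": "acct-02", "ts": "2024-03-05T10:05:00", "type": "wire_out", "amount": 3_950, "counterparty": "cp-d"},
    {"account": "acct-02", "ts": "2024-03-05T10:50:00", "type": "wire_out", "amount": 4_050, "counterparty": "cp-e"},
    {"account": "acct-02", "ts": "2024-03-05T11:30:00", "type": "wire_out", "amount": 4_000, "counterparty": "cp-f"},
    # acct-03: routine weekly supplier payments to one vendor (legitimate, should stay clear)
    {"account": "acct-03", "ts": "2024-03-01T12:00:00", "type": "wire_out", "amount": 8_200, "counterparty": "ACME Supplies"},
    {"account": "acct-03", "ts": "2024-03-08T12:00:00", "type": "wire_out", "amount": 8_200, "counterparty": "ACME Supplies"},
    {"account": "acct-03", "ts": "2024-03-15T12:00:00", "type": "wire_out", "amount": 8_200, "counterparty": "ACME Supplies"},
    {"account": "acct-03", "ts": "2024-03-22T12:00:00", "type": "wire_out", "amount": 8_200, "counterparty": "ACME Supplies"},
]


def _by_account(txns, tx_type):
    """Group transactions of one type per account, each list sorted by time."""
    groups = defaultdict(list)
    for t in txns:
        if t["type"] == tx_type:
            groups[t["account"]].append((datetime.fromisoformat(t["ts"]), t))
    for rows in groups.values():
        rows.sort(key=lambda r: r[0])
    return groups


def _windows(rows, window):
    """Yield, for each start row, the maximal run of rows whose timestamps fall within `window` of it."""
    for i in range(len(rows)):
        j = i
        while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
            j += 1
        yield rows[i:j + 1]


def check_structuring(txns, threshold=CTR_THRESHOLD, band=0.15, window_days=7, min_count=3):
    """Flag accounts with >= min_count cash deposits in the band just below the reporting
    threshold inside window_days. Returns {account: [amounts in the flagged run]}."""
    floor = threshold * (1 - band)
    flagged = {}
    for account, rows in _by_account(txns, "cash_deposit").items():
        near = [r for r in rows if floor <= r[1]["amount"] < threshold]
        for run in _windows(near, timedelta(days=window_days)):
            if len(run) >= min_count:
                flagged[account] = [r[1]["amount"] for r in run]
                break
    return flagged


def check_velocity(txns, window_hours=24, min_count=5, min_distinct=4):
    """Flag accounts with >= min_count outbound transfers to >= min_distinct counterparties
    inside window_hours. Returns {account: number of distinct counterparties}."""
    flagged = {}
    for account, rows in _by_account(txns, "wire_out").items():
        for run in _windows(rows, timedelta(hours=window_hours)):
            distinct = {r[1]["counterparty"] for r in run}
            if len(run) >= min_count and len(distinct) >= min_distinct:
                flagged[account] = len(distinct)
                break
    return flagged


def triage(txns):
    """Rank accounts by number of typology flags; an empty flag list means the account is cleared."""
    structuring = check_structuring(txns)
    velocity = check_velocity(txns)
    report = {}
    for account in sorted({t["account"] for t in txns}):
        flags = []
        if account in structuring:
            flags.append("structuring")
        if account in velocity:
            flags.append("velocity")
        report[account] = flags
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for account, flags in triage(SAMPLE_TXNS).items():
        print(account, flags or "cleared")
```

The supplier account is cleared because its payments are spread a week apart and go to a single counterparty, which is exactly the pattern a velocity rule should not fire on; the two window parameters are what an analyst would tune per typology.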

How we built it

  • Elastic Cloud Serverless as the data + search layer: four indices (transactions, kyc_records, regulations, case_files), ELSER-powered hybrid (keyword + semantic) search, and Elastic Agent Builder tools - four ES|QL tools plus index-search tools exposed over the built-in MCP server.
  • Gemini via Google's Agent Development Kit, deployed on Cloud Run. The agent connects to Elastic's MCP server over Streamable HTTP (API-key auth) and auto-discovers the tools, with a tool whitelist keeping it focused on Vigil's six tools.
  • Write-back memory: the agent proposes a structured case. The app indexes it into case_files, which the agent later recalls with semantic search.
  • Next.js dashboard (UI + server-side API routes acting as a secure backend-for-frontend) on Cloud Run: live agent chat with visible tool calls, a synchronized context panel built from real tool output, live case list and live Elastic/Gemini health status.
  • A synthetic data generator plants the suspicious patterns deterministically (fixed seed) so the demo is reproducible.

Challenges we ran into

  • MCP tool selection. The Elastic MCP server also exposes built-in platform tools, and the agent sometimes grabbed the wrong one. We fixed it with a tool whitelist on the ADK toolset.
  • Google Cloud IAM on a fresh project. Two separate 403s: the build service account lacked storage access, and the Cloud Run runtime service account lacked Vertex AI permission. Granting the right roles (and waiting for IAM propagation) unblocked deploys and Gemini calls.
  • Reliable structured output. Parsing case fields out of free-form text was fragile, so we had the agent emit a hidden machine-readable block that the app parses, which gives us clean findings and recommended actions every time.
  • Two MCP result shapes. ES|QL tools return columnar results and index search returns a resource list; both are parsed to drive the context panel.
  • Cold starts. Cloud Run cold starts tripped the health check; keeping a warm instance during the demo solved it.
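One way to parse the hidden machine-readable case block so that a missing, malformed or off-schema block is rejected instead of being written to the case index, as an added example that is not the project's own code. The HTML-comment delimiters, the field names, the action vocabulary and the sample reply are all assumptions; the page does not state the block's real format.

```python
import json
import re

# Assumed delimiters for the hidden block (the page does not give the real format).
BLOCK_RE = re.compile(
    r"<!--\s*vigil-case\s*-->\s*(\{.*?\})\s*<!--\s*/vigil-case\s*-->", re.DOTALL
)

# Assumed schema: field -> required type. Fields outside it are dropped, never indexed.
SCHEMA = {"entity_id": str, "risk": str, "findings": list, "recommended_action": str}
ALLOWED_ACTIONS = {"file_sar", "file_ctr", "escalate", "close_false_positive", "monitor"}
ALLOWED_RISK = {"low", "medium", "high"}

# Constructed sample agent reply: analyst-facing prose followed by the hidden block.
SAMPLE_REPLY = """Three cash deposits of $9,500, $9,800 and $9,700 on consecutive days sit just
under the CTR threshold and match a structuring pattern.

<!-- vigil-case -->
{"entity_id": "acct-01", "risk": "high",
 "findings": ["three cash deposits just under $10,000 within 3 days"],
 "recommended_action": "file_sar",
 "debug": "should not reach the index"}
<!-- /vigil-case -->
"""


def extract_case(reply):
    """Return (case, errors). case is None unless the block is present, is valid JSON
    and matches the schema; errors lists every reason the block was rejected."""
    m = BLOCK_RE.search(reply)
    if not m:
        return None, ["no machine-readable case block found"]
    try:
        data = json.loads(m.group(1))
    except json.JSONDecodeError as exc:
        return None, [f"case block is not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return None, ["case block is not a JSON object"]
    errors = []
    for field, typ in SCHEMA.items():
        if field not in data:
            errors.append(f"missing field: {field}")
        elif not isinstance(data[field], typ):
            errors.append(f"wrong type for field: {field}")
    if not errors:
        # Closed vocabularies: the model may only pick actions the app knows how to act on.
        if data["recommended_action"] not in ALLOWED_ACTIONS:
            errors.append(f"unknown recommended_action: {data['recommended_action']}")
        if data["risk"] not in ALLOWED_RISK:
            errors.append(f"unknown risk level: {data['risk']}")
        if not all(isinstance(f, str) and f.strip() for f in data["findings"]):
            errors.append("findings must be non-empty strings")
    if errors:
        return None, errors
    # Whitelist copy: only schema fields are forwarded to the index.
    return {field: data[field] for field in SCHEMA}, []


def visible_text(reply):
    """The reply with the hidden block removed, for display in the chat panel."""
    return BLOCK_RE.sub("", reply).strip()


if __name__ == "__main__":
    case, errors = extract_case(SAMPLE_REPLY)
    print(case if case else errors)
    print(visible_text(SAMPLE_REPLY))
```

Returning the error list rather than raising lets the app show the analyst why a case was not filed and re-prompt the agent, while the whitelist copy keeps anything unexpected in the model's output away from case_files.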
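An added example (not the project's code) of normalizing the two result shapes above into one list of rows for a context panel: a columnar result with `columns` and `values` (the shape the ES|QL REST API returns) and a resource list whose entries carry a `text` body. The resource-list layout, the `es://` URIs and both sample payloads are constructed assumptions; an unrecognized shape raises rather than silently rendering an empty panel.

```python
import json

# Constructed sample results (assumed shapes, not captured from Elastic's MCP server).
ESQL_RESULT = {
    "columns": [
        {"name": "account", "type": "keyword"},
        {"name": "tx_count", "type": "long"},
        {"name": "total_amount", "type": "double"},
    ],
    "values": [["acct-01", 3, 29000.0], ["acct-02", 6, 24000.0]],
}

SEARCH_RESULT = {
    "resources": [
        {"uri": "es://kyc_records/acct-01", "mimeType": "application/json",
         "text": '{"account": "acct-01", "name": "Example Trading Ltd", "pep": false}'},
        {"uri": "es://kyc_records/acct-02", "mimeType": "text/plain",
         "text": "unstructured note: onboarding documents pending"},
    ]
}


def normalize_esql(result):
    """Columnar result -> list of row dicts keyed by column name."""
    names = [c["name"] for c in result["columns"]]
    rows = []
    for values in result["values"]:
        if len(values) != len(names):
            raise ValueError("row length does not match column count")
        rows.append(dict(zip(names, values)))
    return rows


def normalize_resources(result):
    """Resource list -> list of row dicts; JSON object bodies are expanded into
    fields, any other body is kept verbatim under 'text'."""
    rows = []
    for item in result["resources"]:
        body = item.get("text", "")
        row = {"uri": item.get("uri")}
        parsed = None
        if item.get("mimeType") == "application/json":
            try:
                parsed = json.loads(body)
            except json.JSONDecodeError:
                parsed = None
        if isinstance(parsed, dict):
            row.update(parsed)
        else:
            row["text"] = body  # malformed or non-object JSON stays visible as text
        rows.append(row)
    return rows


def normalize(result):
    """Dispatch on shape; an unknown shape is an error, not an empty panel."""
    if "columns" in result and "values" in result:
        return normalize_esql(result)
    if "resources" in result:
        return normalize_resources(result)
    raise ValueError("unrecognized MCP result shape: %s" % sorted(result))


if __name__ == "__main__":
    for r in normalize(ESQL_RESULT) + normalize(SEARCH_RESULT):
        print(r)
```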

Accomplishments that we're proud of

  • A real agentic loop with visible multi-step tool use, not just a single RAG call!
  • The memory loop works across sessions, which gives genuine institutional memory: the key differentiator.
  • Both proactive and reactive: the agent exonerates false positives rather than only flagging them.
  • A fully live, deployed product (two Cloud Run services + Elastic) with no mock data in the runtime.

What we learned

  • Elastic Agent Builder, MCP, ES|QL, and ELSER hybrid search: defining tools without custom code and exposing them to any MCP client.
  • Google ADK + Cloud Run: building, deploying, and debugging a Gemini agent, including the IAM that real deployments require.
  • The MCP protocol (JSON-RPC over Streamable HTTP) as the clean bridge between a reasoning model and a data platform.
  • A lot of financial-compliance domain knowledge: SAR/CTR thresholds, KYC/CDD, structuring, PEPs, sanctions screening.

What's next for Vigil

  • Agent-native write-back via an Elastic Workflow tool (so the agent files cases itself over MCP).
  • SAR draft generation: auto produce the filing narrative.
  • Multi agent specialists (transaction, KYC, regulatory) under a coordinator.
  • Real time alerting via Elastic Workflows and connectors to live data sources.
