Creodata AML Platform: End-to-End Financial Crime Compliance
The complete AML/CTF compliance programme on one platform — customer risk assessment, sanctions and PEP screening, transaction monitoring, case management, entity resolution, and explainable AI — for banks, SACCOs, MFIs, and fintechs across East Africa.
Most regulated institutions in East Africa do not have an anti-money-laundering problem so much as a fragmentation problem. Risk scoring lives in one spreadsheet, sanctions screening in a separate tool, transaction alerts in a third system, and the evidence an examiner asks for is scattered across inboxes and shared drives. The Creodata AML Platform brings the whole programme onto one system: customer risk assessment, watchlist management, sanctions and PEP screening, transaction monitoring, case management, entity resolution, explainable AI, ingestion and data quality, regulatory intelligence, a regulator portal, and STR/CTR reporting.
It is built for the institutions that carry these obligations across the region — banks, SACCOs, microfinance institutions, fintechs, payment service providers, mobile-money operators, forex bureaus, insurers, capital-markets intermediaries, and DNFBPs — operating under the FRC in Kenya, the FIA in Uganda, the FIU in Tanzania, and the FIC in Zambia and Rwanda. The platform is a set of independent microservices, so you can start with the capabilities you need today and switch others on later. And it runs the same way whether you deploy to Microsoft Azure or to your own on-premises Kubernetes cluster, with feature parity between the two.
The problem
Point tools and manual process create more risk than they remove. When risk assessment, screening, monitoring, and reporting do not share a common record, three things tend to happen.
- Decisions cannot be reconstructed. When a regulator or auditor asks why a customer was rated low-risk, or why an alert was closed, the answer sits in someone's memory or a deleted email rather than an immutable log.
- Work is duplicated and inconsistent. The same customer is screened in one system, scored in another, and investigated in a third, with no shared view of how those decisions connect.
- Spreadsheets do not scale or survive scrutiny. Manual scoring models and ad-hoc watchlists drift out of date, lack version history, and offer no four-eyes control over the overrides that matter most.
The cost is not only operational. It is audit and enforcement exposure: an AML programme that cannot show its evidence on demand is hard to defend, regardless of how diligent the team actually is.
What the platform does
Each capability below is a real service. Together they cover the AML programme end to end; individually they can be licensed and deployed on their own.
Customer Risk Assessment
A six-factor risk-scoring model — country, industry or business type, product, delivery channel, customer behaviour, and PEP/sanctions exposure — with configurable weights and risk banding. Periodic reviews are scheduled automatically by risk band, and any manual override is protected by four-eyes approval, so the rating you present to an examiner always has a controlled, reviewable history.
Watchlist Management
Screening is only as good as the lists behind it. The platform syncs from commercial providers such as Dow Jones and World-Check, supports manual list upload, and keeps every list versioned. Freshness and coverage dashboards confirm that screening is running against current data rather than a stale snapshot.
Screening (sanctions, PEP, adverse media)
Sanctions, PEP, and adverse-media screening with fuzzy, multi-script, and locale-aware name matching — important in a region where names appear across multiple scripts and spellings. A match-scoring engine surfaces the top three reasons behind each hit, and a structured false-positive workflow keeps analysts focused on genuine matches rather than noise.
Transaction Monitoring
A rule engine with its own DSL — parser, planner, and executor — running in both batch and streaming modes. It ships with a starter pack of 30-plus typology-aligned rules, a typology library, a back-test harness, and a tuning lab, with versioned rule promotion so changes are tested and traceable before they go live.
Case Management
Alerts flow into an assignable queue with a request-for-information (RFI) cycle, SLA pause and resume, manual case creation, and escalation. A linked-case graph shows how cases connect, and an enhanced-due-diligence (EDD) workflow handles the higher-risk reviews that need a deeper look.
Entity Resolution
Resolved entities, links, and clusters, plus a beneficial-ownership (UBO) graph and investigation tooling embedded directly in the case interface — so an analyst can see who is really behind a customer or transaction without leaving the investigation.
AI Inference (explainable)
AI runs on ONNX Runtime with a first-party model registry and in-process scoring. Every AI surface carries an "AI · model · v<version>" label, a SHAP top-three explanation, a confidence percentage, and a human Accept, Modify, or Reject control. Model activation requires four-eyes approval, a kill switch and rollback are always available, and fairness and drift are monitored continuously. Every decision is logged with the model version, an inputs hash, and the SHAP output. The AI assists; the human decides.
Ingestion & Data Quality
Connectors for REST, SFTP, Kafka, CDC, and ISO 20022, with idempotency, replay, a dead-letter queue, a field-mapping UI, and source certification. A companion data-requirements service maps rules to the attributes they need, scores module and rule readiness, and exports evidence packs — so you know your monitoring rules have the data to actually fire.
Regulatory Intelligence & Regulator Portal
An obligation registry with change-notice ingestion and per-tenant acknowledgement keeps the team on top of evolving requirements. A separate read-only regulator portal gives supervisors jurisdictionally scoped access to evidence packs and acknowledgements through a dedicated API and UI.
STR/CTR Reporting
The platform manages the suspicious-transaction and cash-transaction reporting lifecycle — draft, review, approve, submit — with retry, reconciliation, and acknowledgement handling. For the filing mechanics themselves, it hands off to Creodata's dedicated goAML Reporting Platform, which owns goAML XML generation, country adapters, and FIU submission. This keeps the AML platform focused on detection and case work while reporting is handled by purpose-built tooling.
Built on microservices, deployed your way
The platform is fourteen first-party services plus staff and regulator portals, built on .NET 9 isolated-worker Function Apps. Because each capability is an independent service, it can be deployed, scaled, updated, and licensed on its own — there is no monolith to upgrade all at once.
It is multi-tenant with schema-per-tenant data isolation, so each institution's data is separated at the database level, and per-tenant license and module gating means you only run and pay for the capabilities you have switched on.
Deployment is genuinely dual-backend:
| Microsoft Azure | On-premises Kubernetes | |
|---|---|---|
| Database | Postgres Flexible Server | Postgres 16 |
| Messaging | Service Bus | RabbitMQ |
| Storage / search | Blob storage | MinIO / OpenSearch |
| Identity | Microsoft Entra ID | Keycloak |
On Azure the platform ships as a Managed Application; on-premises it runs on Kubernetes with Grafana, Loki, and Tempo for observability. Dual-backend abstractions for messaging, storage, search, and key management keep the two environments identical in behaviour, so a regulated institution that must keep data in-country is not running a lesser product.
Designed for audit and trust
The platform is built around the assumption that every consequential decision will eventually be questioned, and should be defensible when it is.
- Evidence-first. Every consequential decision shows its evidence one click away — the data, the rule, the score, the reasoning behind it.
- Four-eyes approval. Anything consequential — an override, a model activation, a rule promotion — requires a second authorised reviewer.
- Append-only audit log. The audit trail is immutable, so the record of what happened cannot be quietly altered after the fact.
- Explainable AI. No black-box decisioning: every AI output carries its model version, SHAP top-three reasons, and a confidence score, with a human in control.
Underneath, a transactional outbox guarantees that every domain event is captured reliably, full observability runs on OpenTelemetry, and the interface is internationalised across ten locales including Arabic right-to-left. If you also need help designing the underlying programme — risk methodology, policies, tuning, and examiner readiness — that pairs with Creodata's financial crime compliance advisory.
Who it is for
The platform is designed for any regulated institution in the region that has to run an AML/CTF programme and stand behind it:
- Banks, SACCOs, microfinance institutions, and insurers
- Fintechs, payment service providers, and mobile-money operators
- Forex bureaus and capital-markets intermediaries
- Designated non-financial businesses and professions (DNFBPs)
It covers the obligations of the FRC in Kenya, the FIA in Uganda, the FIU in Tanzania, and the FIC in Zambia and Rwanda, against the wider FATF and ESAAMLG framework. For a fuller walk-through of how the pieces fit together, see the complete guide to the AML platform.
Frequently asked questions
Is this a full AML programme or only a reporting tool?
It is the full programme — risk assessment, screening, transaction monitoring, case management, entity resolution, and more. STR/CTR reporting is one capability within it, and the actual goAML filing is handed off to the dedicated goAML Reporting Platform.
Can we run it entirely on-premises?
Yes. The platform deploys to on-premises Kubernetes — using Postgres 16, RabbitMQ, MinIO, OpenSearch, and Keycloak — with the same features as the Azure Managed Application deployment. Dual-backend abstractions keep the two environments identical.
Do we have to adopt every capability at once?
No. Each capability is an independent, separately licensed service. Per-tenant module gating lets you start with what you need and switch on additional services over time.
How does the platform handle AI decisions for audit?
Every AI surface shows its model and version label, SHAP top-three explanations, and a confidence percentage, and requires a human Accept, Modify, or Reject. Decisions are logged with the model version, an inputs hash, and the SHAP output, and models can only be activated under four-eyes approval, with a kill switch and rollback available.
See how the platform fits your institution's risk profile, jurisdiction, and existing systems. Request a demo and we will walk through customer risk assessment, screening, transaction monitoring, and reporting against your own scenarios.