FinTech / Challenger Bank
AI took the KYC queue from 36 hours to eleven minutes.
How a DACH challenger bank rebuilt its onboarding funnel around LLM document review and cut abandonment by 42%.
CASE / 09
DACH challenger bank
The bank had spent 2024 and 2025 acquiring customers on brand and referral, and the onboarding funnel had not been seriously rebuilt since 2022. Compliance teams in Frankfurt and Vienna were drowning in a manual KYC queue that had grown from 300 daily applications to 2,400. Median time-to-decision was 36 hours. 47% of applicants dropped off before it resolved. The question on the table in December 2025 was whether to triple the compliance team or rebuild the pipe.
GEO
Germany · Austria
Setup
Onboarding squad + risk
Duration
15 weeks
Shipped
Q1 2026
Where the 47% actually went
Where the 47% actually went
Session-level funnel analysis against 90 days of applicant logs showed a clean pattern. The largest single drop was not in the document upload step. It was the 36-hour wait that followed it. 61% of the lost applicants opened the app at least once during the wait, saw the "pending review" screen, and never came back. The problem was not the KYC complexity. It was the latency.
We also looked at what the compliance team was actually doing inside that 36 hours. 74% of the manual work was structured data extraction and rule checks that did not require human judgement. Address consistency, document expiry, BaFin/FMA sanctions lookup, name-to-document matching. The 26% that did need human judgement was edge cases (unusual passport countries, PEP review, risk-flag disambiguation), and compliance officers were spending their cognitive budget on the 74% before they got to the work that needed them.
LLM in the loop, not LLM in charge
LLM in the loop, not LLM in charge
We did not replace the compliance team with a model. We wired Claude 3.7 Sonnet into the pipeline as a first-pass reviewer that produced a structured decision object (extracted fields, rule-check results, confidence score, flag reasons) for every application. Applications with high confidence on all checks went through to automatic approval. Applications with any uncertainty went into a compliance queue with the LLM's analysis attached as context. Compliance officers saw pre-extracted fields, pre-flagged concerns, and a suggested decision they could accept, amend, or reject.
The risk team's first reaction was a hard no. The resolution was a three-week shadow mode: the LLM ran on every application, produced its decision, and was never used for the actual verdict. We compared its calls to the compliance team's. Agreement was 94.1% on clean applications, 81% on edge cases. The 5.9% of disagreements on clean applications were analysed case by case. Two-thirds were cases where the LLM was more conservative than the human (fine). One third were cases where the human had missed a rule check the LLM caught (useful). We shipped with a confidence threshold calibrated on that analysis.
The funnel, remeasured every sprint
The funnel, remeasured every sprint
We instrumented the funnel end to end in PostHog with session replay on the top five drop-off points. Every sprint, someone on the engagement watched the replays. The biggest find in week four was a layout bug on Android small screens that cut off the consent checkbox on certain device profiles. It had been there for eighteen months. It was responsible for a measurable share of the document-upload drop-off. Ten-line fix. Nobody had noticed because the session replay tool had been licensed but nobody had scheduled time to actually watch the tapes.
What regulators needed, in writing
What regulators needed, in writing
BaFin had been cautious about AI in onboarding since the 2024 EU AI Act provisional guidance. We did three things. First, we wrote a model card describing the LLM's role, training data categories, known failure modes, and escalation path. Second, we logged every LLM decision with inputs, outputs, and confidence score to a WORM storage bucket on EU-hosted infrastructure. Third, we kept a human-in-the-loop for every application classified as anything other than low risk. These were not nice-to-haves. Without them, the bank's compliance lead would not have signed off, regulator conversation or not.
Launch With Us