Skip to content
ClaudeClaude

Fighting financial crime with Claude Cowork

Leveraging Claude Cowork to optimize high-stakes workflows and fight financial crime. In-house MCPs, MCP gateways, evals, deploying critical workflows in production for analyst teams.

May 22, 202627mWatch on YouTube ↗

CHAPTERS

  1. 0:14 – 2:29

    Qonto’s mission and why financial crime is a top AI priority

    Stefano Amorelli introduces Qonto and frames financial crime as a massive global problem where AI raises both the attacker and defender capabilities. He outlines the talk’s focus: using Claude (via Cowork) in a security- and compliance-first way for sensitive investigations.

    • Qonto overview: SME business banking across multiple European markets
    • Scale of the problem: trillions laundered annually
    • AI improves criminal tactics, but also strengthens prevention
    • Goal: show a secure system design for using AI with sensitive data
    • Preview: evals and broader lessons for enterprise AI adoption
  2. 2:29 – 4:00

    The manual investigation workflow: alerts trigger a heavy human process

    He explains the end-to-end lifecycle of a suspicious activity case: automated alerts followed by investigator-led triage and evidence gathering. Investigators juggle many sources and artifacts, assembling context manually before making a consequential judgment.

    • Automated alerting creates cases; manual work starts afterward
    • Investigators prioritize cases and collect data from many sources
    • Workflow involves many tools/tabs and cross-referencing documents
    • Reasoning and final judgment are high-stakes and time-consuming
    • The process is cognitively demanding and not scalable as-is
  3. 4:00 – 5:01

    Where AI fits: predictive ML for alerts, agentic AI for investigations

    Stefano distinguishes between the first line of defense (alerting) and the second line (case investigation). He argues generative AI is not ideal for real-time alerting but is a strong fit for agentic assistance in the investigator’s manual workflow.

    • General LLM Q&A is helpful but not transformative alone
    • First line (alerting): predictive ML + rules optimized for speed/accuracy
    • Second line (investigations): best target for agentic AI automation
    • Industry adoption is still limited in this second-line step
    • Focus of the talk: agentic AI assistance for investigators
  4. 5:01 – 6:32

    Model and interface choices: Opus 4.7 + Claude Cowork for investigators

    He justifies selecting Opus 4.7 for long-context reasoning across scattered evidence and positions Claude Cowork as the practical UI for non-technical investigators. Cowork’s plugin system enables packaging multiple skills with the needed tools and MCP servers.

    • Opus 4.7 chosen for reasoning over large, messy contexts
    • Not every task needs a top-tier model, but investigations often do
    • Cowork provides an easy onboarding path for non-technical users
    • Plugins can bundle multiple skills plus required tool access
    • Sets up the later architecture around MCP and secure data access
  5. 6:32 – 7:32

    Why long-context reasoning matters: GraphWalks benchmark and scattered facts

    He introduces GraphWalks as a benchmark aligned with investigative work: linking facts that appear far apart in a large context. This maps directly to financial crime investigations where evidence is distributed across many documents and sources.

    • Investigations require connecting dispersed facts, not just local context
    • GraphWalks measures cross-document/context reasoning and linkage
    • Benchmark relevance: evidence is scattered across the case context window
    • Opus 4.7 leads in this style of reasoning performance
    • Model selection is tied to the investigative evidence pattern
  6. 7:32 – 8:58

    Data access is the real bottleneck—and MCP raises security/compliance concerns

    He emphasizes that even strong models are limited without reliable access to internal and external data. MCP is the natural approach, but it triggers risk, security, and compliance objections—especially in sensitive domains like financial crime.

    • Without data access, LLM usefulness is limited
    • MCP is a common solution for tool/data connectivity
    • Security/compliance teams often raise concerns about MCP usage
    • The key is designing boundaries and a governance harness
    • Sets the stage for a security-first MCP architecture
  7. 8:58 – 9:28

    The data landscape: many sources, multimodal inputs, and action-taking APIs

    Stefano describes the complexity of investigative inputs: knowledge bases, OSINT, internal dashboards, KYC/KYB, and the need to trigger internal actions. The challenge is unifying this into a single, compliant, secure experience despite heterogeneous systems.

    • Data spread across internal systems + external intelligence sources
    • Includes KYC/KYB and multimodal information
    • Investigations may require taking automated actions via internal APIs
    • Different data entry points use different languages and implementations
    • Need a unified interface with strong security/compliance controls
  8. 9:28 – 10:59

    Security-first requirements: remote MCP servers, OAuth, RBAC, audit trails, human oversight

    He lists core design requirements for deploying MCP in production safely. The approach combines centralized management, strong authentication, cryptographically robust session tokens, granular access control, and full auditability—while keeping humans in the loop for legal-risk decisions.

    • Remote MCP servers for centralized management and monitoring
    • OAuth/SSO as default for strong authentication
    • Short-lived, cryptographically safe session tokens (Paseto)
    • Role-based access control to limit data exposure by identity
    • Audit trails plus a deliberate human-in-the-loop posture
  9. 10:59 – 13:33

    System architecture overview: Cowork plugin → MCP gateway → federated MCP servers

    He walks through the implemented architecture where Cowork plugins are the investigator entry point and an MCP gateway is the central control plane. The gateway authenticates, enforces RBAC, logs actions, and brokers access to multiple downstream MCP servers that can be implemented in varied languages.

    • Cowork plugin is the single interface for investigators
    • MCP gateway handles auth, RBAC, and append-only auditing
    • Gateway connects to many downstream MCP servers (federated sources)
    • Language-agnostic MCP servers simplify adding new data sources
    • Downstream MCP servers connect onward to internal/external APIs
  10. 13:33 – 15:35

    End-to-end auth flow and RBAC operations: SSO identity, token minting, Terraform policy

    He details how a user session is initiated via SSO and how permissions determine which tools/servers are even visible. RBAC is managed as versioned infrastructure (Terraform), enabling auditable changes and clear control over team-level access.

    • SSO login establishes identity; everything is logged from the start
    • Users can only see/execute tools permitted by their role
    • Gateway validates OAuth token, resolves identity, authorizes, forwards
    • RBAC defined in Terraform and versioned in Git for auditability
    • Design prevents direct access to MCP servers outside the gateway
  11. 15:35 – 18:07

    Implementation details: ContextForge gateway, Kubernetes deployment, streamable HTTP, Paseto validation, OTEL instrumentation

    He shares practical build choices: an open-source gateway base (ContextForge), internal deployment of MCP servers on Kubernetes, and stateless streamable HTTP for scalability. Tokens are minted and verified using Paseto, and tool calls are instrumented with OpenTelemetry plus extra audit fields.

    • Authorization gateway validates SSO token and extracts permissions
    • Bearer tokens are minted as short-lived Paseto tokens
    • Downstream MCP servers run on Kubernetes and are gateway-reachable only
    • Stateless streamable HTTP simplifies scaling and reliability
    • Tool calls are traced with OTEL + added fields for audit completeness
  12. 18:07 – 19:07

    What investigators experience: one interface, interactive widgets, faster case understanding

    A demo shows Cowork running analysis and rendering interactive, inline widgets that replace slow, manual artifact-building. Investigators can explore charts, use dropdowns, and trigger actions—reducing tool-switching and accelerating evidence review and reasoning.

    • Cowork consolidates data retrieval and reasoning in one place
    • On-the-fly inline widgets replace slower manual reporting artifacts
    • Interactive controls support exploration and investigator-driven actions
    • Reduces context switching across many tools/tabs
    • Improves speed and quality of investigative decision-making
  13. 19:07 – 19:38

    Operational monitoring and auditability: Grafana + ClickHouse visibility into tool usage

    He shows production observability for compliance and operations: dashboards track tool calls, auth flows, latency, and who accessed what. ClickHouse is positioned as a strong fit for append-only audit trails and scalable analytics.

    • Grafana dashboard provides production visibility into the system
    • ClickHouse stores audit events and tool-call traces effectively
    • Metrics include tool names, call counts, timing, and user access
    • Supports compliance reporting and incident investigation
    • Reinforces trust through transparent, inspectable operations
  14. 19:38 – 21:09

    Plugin design lessons: modular skills, orchestrator + meta-skill, XML prompts, explicit tool scoping

    He explains how the team structured a complex investigator plugin by splitting prompts into reusable sub-skills. An orchestrator routes tasks to the right skill, and a meta-skill performs end-of-run verification; XML prompting and explicit tool declarations reduce ambiguity and tool-search overhead.

    • Avoid monolithic prompts; split into multiple targeted sub-skills
    • Orchestrator selects skills based on investigation step/intent
    • Meta-skill verifies outputs at the end of each run
    • XML-structured prompts improve consistency and controllability
    • Each skill declares which MCP servers/tools it can use to reduce drift
  15. 21:09 – 23:40

    Evals for trust: tool correctness, grounding, and reasoning quality (LLM-as-judge)

    He addresses the critical question—can stakeholders trust the system—by outlining evaluation strategies. Evals measure correct tool usage and sequencing, enforce grounding to reference data to prevent hallucinations, and assess the quality of reasoning (not just the final label) using LLM-as-judge methods.

    • Evaluate correct tool selection and call ordering
    • Ensure dashboards and claims are grounded in reference documents
    • Measure hallucination resistance and factual reliability
    • Assess reasoning quality, not only the final decision/output
    • Evals enable regression detection when changing prompts/models
  16. 23:40 – 27:51

    Scaling AI adoption with an MCP gateway: a reusable compliance “flywheel” and future automation levels

    He concludes with how the same secure data-access layer enables other teams to build plugins quickly, accelerating adoption across the company. He outlines a maturity path from human-in-the-loop to human-on-the-loop and eventually (long-term) more autonomous decisions—contingent on demonstrated accuracy via evals.

    • Security-first platform unlocks fast creation of new team plugins
    • Shared MCP gateway provides RBAC, audit trails, and identity by default
    • New MCP servers/data sources can be added quickly when needed
    • Roadmap: human-in-loop → human-on-loop → potential full autonomy later
    • Core takeaways: start with evals (like TDD) and treat data access as king

Get more out of YouTube videos.

High quality summaries for YouTube videos. Accurate transcripts to search & find moments. Powered by ChatGPT & Claude AI.