WHOCOMPLY
Book a demo
Built for the CBN BSD/DIR/PUB/LAB/019/002 deadline · 10 June 2026

The compliance system of record for financial institutions.

Push events. We orchestrate. Your examiners read one audit trail.

Book a demoRead the integration guide
app.whocomply.com / dashboard
WhoComply dashboard

The problem

Compliance teams are firefighting across five tools while a regulator waits.

The cost of fragmentation is not slow workflows. It is the inability to answer the regulator with confidence.

01

A regulatory deadline you cannot push

CBN circular BSD/DIR/PUB/LAB/019/002 requires every regulated FI to file a roadmap by 10 June 2026 and stand up a CBR-aligned monitoring infrastructure. Most institutions have nothing approaching that.

02

A stack that does not talk to itself

Sumsub for KYC. ComplyAdvantage for sanctions. A spreadsheet for case work. A core banking event firehose nobody listens to. Five tools, one regulator, no audit trail anyone wants to defend.

03

No system of record for examiners

When the examiner asks "why was this customer flagged, who reviewed it, what did the rule say at that moment, and where is the evidence" you need one answer, not five exports.

How it works

You push raw events. We hold the state.

Your engineering responsibility ends at sending data and reacting to operational hooks. WhoComply owns the resulting compliance state, the unified customer risk view, alerts, cases, reports, and the audit trail.

Inbound

What you push into WhoComply

Customer profiles

POST /customers

When onboarding happens or KYC details change.

Transaction events

POST /events/webhook

Every event that should drive scoring. Pipeline runs immediately.

Native ledger postings

POST /postings

Recording funds movements directly. Double-entry, hash-chained, signed.

Outbound

What WhoComply sends back

Risk view reads

GET /customers/{id}/risk-view

Transaction-time decisioning. Rating, score, sanctions, EDD.

Webhook subscriptions

POST /webhooks

Subscribe to alert.created, alert.resolved, alert.dismissed.

Examiner audit reads

GET /audit

Hash-chained audit log. Immutable, deterministic, defensible.

Triage, case management, report filing, and provider activation all happen inside the WhoComply dashboard. Your engineering team does not need to build a parallel UI.

The pipeline

Six stages run on every event. Deterministic. Auditable. Fast.

STAGE 01

Match the event to a customer.

Every inbound event lands with an account ref, a KYC ref, or a tenant-scoped customer UUID. The resolver maps it deterministically. No fuzzy matching, no orphaned events.

Resolve

STAGE 02

Pull the live state.

Risk profile, prior alerts, watchlist matches, the rule scope this customer is subject to. Everything downstream stages need is read once, in one transaction.

Load profile

STAGE 03

Sanctions, PEP, adverse media.

Native screening or a plugin adapter. OFAC, UN, EU, NG PEP register. Hits become alerts with provenance. The original payload is hashed, signed, and stored.

Screen

STAGE 04

Run the rule engine.

Velocity, threshold, structuring, geography, peer-group anomalies. Rules are versioned. The rule snapshot at the moment of evaluation is captured against every alert.

Monitor

STAGE 05

Update the composite.

Identity, behavioral, transactional axes feed one composite score. A rating change fans out through the risk view, the EDD trigger, and the webhook stream.

Score

STAGE 06

Write, fan out, audit.

Alerts saved. Risk view refreshed. Webhooks queued with HMAC signatures. The audit log gets a new hash-chained entry. The whole pipeline is replayable.

Persist

ACC-001
KYC-A1B2
UUID f1e2..

Adebayo M.

High risk · KYC ok

Risk profile
loaded
Prior alerts (3)
loaded
Watchlist (1)
loaded
Rule scope (12)
loaded
OFAC SDNClear
UN ConsolidatedClear
EU SanctionsClear
NG PEP RegisterMatch
Adverse mediaClear
rule HighValueTxn {
when amount > 5_000_000
and customer.risk ≥ high
then alert(severity: medium)
}
Triggered: TXN-2026-04-26-014severity medium
580composite
Identity200
Behavioral220
Transactional160
9c4a..f1signed

alert.created

a7b2..03signed

risk.changed

d5e8..1csigned

webhook.queued

f2a9..b4signed

audit.append

Activate without engineering

Plug in the providers your team already uses.

Your compliance admin pastes credentials in the dashboard. The plugin authors alerts. The pipeline reads the right adapter at run time. Engineering writes nothing.

Su

Sumsub

KYC · KYB

Live
Co

ComplyAdvantage

Screening · PEP

Live
Sm

Smile ID

Identity

Roadmap
Mo

Mono

Open Banking

Roadmap
Pa

Paystack

Card Detail

Roadmap
On

Onfido

KYC

Roadmap
app.whocomply.com / integrations
WhoComply Integrations dashboard

Native engines

Three engines, first-class, when you do not want to outsource the substance.

Plug-ins are optional. The native ledger, monitoring engine, and reporting engine are first-class. Most institutions run a mix.

HASH 0x9c4a..f1BLOCK 4128
+ DR cash5,000,000.00
- CR deposit5,000,000.00
SIG OK · CHAIN OKverify ✓

Native ledger

Double-entry, hash-chained, signed.

When your core banking is not the system of record for funds, post directly to WhoComply. Every transaction is double-entry. Every block is hash-chained. Every signature is HMAC-verifiable. The examiner reads one tape.

rule HighValueTxn {
when amount > 5_000_000
and customer.risk high
then alert(severity: medium)
}
→ 12 rules active

Monitoring engine

A rule DSL your compliance team can read.

Velocity, threshold, geography, structuring, peer-group anomalies. Rules are versioned, scoped to customer segments, and run deterministically against every event. Triggered alerts carry the rule snapshot for audit.

STRSubmitted
NFIU-2026000
SARAwaiting review
NFIU-2026007
CTRSubmitted
NFIU-2026014
FTRAwaiting review
NFIU-2026021

Reporting engine

NFIU goAML XML, generated and signed.

STR, SAR, CTR, FTR. Reports compose from the live state, follow maker-checker review, and emit goAML-conformant XML. Submission timestamps and reference numbers are recorded against the originating alerts.

Regulatory coverage

Built section by section against the CBN circular.

BSD/DIR/PUB/LAB/019/002 is the spec. Every section that demands a system control maps to a feature in WhoComply, with the audit evidence to defend it.

Section
Coverage
§5.2
Customer due diligence
Risk-based KYC, ongoing monitoring, beneficial ownership, PEP screening.
§5.3
Sanctions screening
OFAC, UN, EU, and Nigerian PEP register screening at onboarding and continuously.
§5.5
Transaction monitoring
Rule-based and behavioral monitoring, threshold breaches, structuring detection.
§5.7
Enhanced due diligence
EDD triggers tracked against the live customer state. Automatic step-up on rating change.
§5.8
Suspicious activity reporting
STR/SAR generation, maker-checker review, NFIU submission with reference tracking.
§5.9
Currency transaction reporting
CTR threshold detection, batched generation, goAML XML output.
§5.10(d)
Audit trail and retention
Hash-chained audit log, immutable case history, examiner-grade evidence package.

Book a demo

See your real customer data inside WhoComply in 30 minutes.

Bring your Sumsub or ComplyAdvantage credentials. We will walk through ingesting a live event end to end. No pre-call form, no NDA.

Pick a time on Calendlyhello@whocomply.com

30 min

Live walkthrough on your data

0 LOC

No code change to see ingestion

10 Jun 2026

CBN roadmap deadline we hit together