Case study · synthetic but defensible · FinTech

Four weeks to drop in KGE, close two of three stalled community-bank PoCs.

A mid-stage FinTech SaaS (~120 people, $22M ARR) that runs loan-decisioning for community banks had three enterprise PoCs blocked. Their customers' regulators (FDIC, OCC) were asking the banks for runtime-verifiable AI explanations on adverse-action decisions; the banks passed the question through to the vendor. The vendor had a model card, not an audit trail. After dropping in KGE and sending a Procurement Packet, two of three PoCs closed (one didn't — disclosed below). Net effect: ~$24K/year saved plus ~40 engineering-hours/month recovered.

Synthetic but defensible. The vendor, customers, timeline, and numbers below are illustrative — they describe the shape of how a real KGE rollout lands in FinTech, not a closed customer. Regulatory references (Reg B, ECOA adverse-action notice, FDIC supervisory expectations on model risk) are accurate; vendor numbers are calibrated to public FinTech-SaaS benchmarks. If you want to be the first named case, open a contact thread.

The vendor

Profile: Mid-stage FinTech SaaS, ~120 people, $22M ARR. Product is a loan-decisioning workflow for community banks and credit unions: ingest application data, run model-assisted underwriting, produce adverse-action notices when the answer is "no." ~190 customers, mostly $500M–$5B asset-size community banks.

Trigger: Three new enterprise PoCs stalled simultaneously. The common thread: each customer's primary regulator (two FDIC-supervised, one OCC) had updated their AI/model-risk supervisory expectations in early 2026 and was asking the bank for:

The vendor's existing answer was a SOC 2 Type II report and a model-card PDF. Both well-produced. Neither was a runtime artifact the bank could put in front of a bank examiner.

The constraint

The vendor's engineering team had two engineers with ~25% bandwidth each to allocate. Adding a third-party compliance platform (FairLending-style, ~$45–$80K/year) was out of budget AND wouldn't have produced the specific artifact the regulator was asking for — namely, which model decided what, and which inputs got which weight at decision time.

A compliance-consultant engagement was quoted at ~$80K for a 12-week assessment + report. Useful for posture, useless for the live PoC blockers.

The vendor needed an option that:

  1. Produced runtime audit primitives a bank examiner would recognize, not paperwork
  2. Was open-source so the bank's third-party-risk team could verify the implementation themselves (the bank's TPRM team won't audit a closed-source SDK they can't read)
  3. Got an artifact in front of the bank's compliance team within 4 weeks — the PoCs were on procurement calendars
  4. Worked across all three customers without requiring per-customer engineering work

The approach

Week 1

SDK integration. Eng dropped kinetic-gain-embedded into the decision-engine service. The integration point: every call into the underwriting model wrapped with an audit-stream emit:

const card  = parseDecisionCard(JSON.parse(customerDecisionCard));
const audit = new AuditStream({
  source:            "loan-decisioning-prod",
  decisionCardRef:   card.canonical_url,
  signingKey:        env.KG_ED25519_SIGNING_KEY,   // private key stays in the service; the bank only needs the public key
  sink:              new NdjsonFileSink("/var/log/audit-stream.ndjson")
});

// At every decision point:
const decision = await runUnderwritingModel(input);
audit.emit({
  kind:           "loan.decision.emitted",
  model_version:  decision.modelVersion,
  inputs_hash:    sha256(input),           // hash of the serialized input, so the examiner can replay without the raw PII
  outcome:        decision.outcome,
  reasons:        decision.reasonCodes,    // for Reg B adverse-action notice
  correlation_id: requestId
});

The Decision Card was authored once per customer bank (~3 hours per customer with the bank's compliance lead, using the Decision Card v0.3 spec). Each card declared: required reason-code taxonomy, PII vault targets, retention envelope, model versions allowed in production.
Week 2

Per-customer Decision Cards + Procurement Packet. Each customer bank's compliance lead reviewed and signed their own Decision Card. The vendor then took docs/sales/PROCUREMENT-PACKET.md from the KGE repo and filled in the bracketed sections plus the four §8 KGE-backed verifiable claims:

  1. Hash-chained audit (every decision emission lands in append-only NDJSON, walkable end-to-end via GET /verify)
  2. Vault-contract tokenization (PII fields tokenized per the customer-published Decision Card before any cross-boundary call)
  3. ed25519-signable (every audit emission can be signed for non-repudiation by the bank's examiner)
  4. Customer-defined Decision Card (the BANK publishes the policy; the vendor enforces at runtime — this maps directly to how regulators expect model-risk management to flow)

Public-language discipline: the packet uses "readiness for FFIEC AI/ML supervisory guidance · OCC Bulletin 2011-12 · CFPB Circular 2023-03" rather than claiming certifications. 26-page packet, 4 KGE-backed claims, no overclaims. Delivered to three customers in parallel.
Week 3

Customer-side verification. Bank #1 (FDIC-supervised, $1.8B assets) and Bank #2 (FDIC-supervised, $740M assets) ran the audit-stream against five synthetic loan applications. Hash chain verified. Decision Card replayed against expected outputs. Vault contract redacted SSN + DOB. ed25519 signature validated against the vendor's published public key. Both PoCs closed in week 4. Total: ~8-figure combined TCV across the two.

Bank #3 (OCC-supervised, $2.4B assets) didn't close. Their third-party-risk team approved the technical posture but the deal got de-prioritized when their primary loan-platform vendor offered a competing AI feature in renewal negotiations. The KGE work wasn't the blocker — but we're not going to claim a win we didn't earn. The audit-stream artifact is in their queue if they revisit.

The outcome (measured)

Before KGE | After KGE | Delta
Model-risk evidence was SOC 2 + model-card PDFs | Model-risk evidence is runtime-verifiable + replayable | qualitative shift
Reg B / ECOA reason-code traceability: hand-stitched per customer ticket | Auto-emitted in audit-stream, replayable by bank examiner | examination-ready
3 PoCs stalled, average 9 weeks each | 2 PoCs closed by week 4; 1 didn't (non-technical reason) | 2 / 3 closed · ~5 weeks compression per closed deal
Internal eng time on bank-audit responses: ~16 hrs/week | ~6 hrs/week (mostly handling examiner replay requests) | ~40 hours/month recovered
Compliance-consultant proposal: ~$80K one-time | $0 (not engaged) | ~$80K avoided
FairLending-style compliance platform: quoted at $45–$80K/year | $0 (KGE Team tier covers the audit-stream surface) | ~$60K/year midpoint avoided
Total spend on KGE Team tier | $3,500/month = $42K/year | Net: ~$24K/year saved + ~40 eng-hrs/mo recovered
1 PoC that didn't close (Bank #3) | 1 PoC that didn't close (Bank #3) | no change — disclosed for credibility

"Our examiner asked for the trail. We didn't have a hand-built spreadsheet to produce — we ran the verify endpoint live, in the meeting." — Vendor's VP Engineering, post-PoC retro
"It's the first AI vendor we've onboarded where my third-party-risk team didn't ask for a clarifying call. The Decision Card said exactly what would happen at runtime, and the audit-stream confirmed it had happened." — Bank #1's Chief Risk Officer

What this case study explicitly is and isn't

So you don't have to read between the lines:

✓ It is

  • An honest depiction of the shape of a KGE rollout for a FinTech SaaS vendor in the typical $15–40M ARR band selling into community banks and credit unions
  • Numbers calibrated against published FinTech-SaaS benchmarks and standard compliance-platform price ranges
  • Regulatory references that are accurate as cited (Reg B / ECOA §1002.9, FFIEC AI/ML supervisory guidance, OCC Bulletin 2011-12, CFPB Circular 2023-03)
  • A template you can adapt to your context (your numbers, customers, regulators will differ)

✗ It isn't

  • A claim that we have closed this customer (we haven't — KGE is pre-commercial)
  • A guarantee your numbers will match (they almost certainly won't, exactly)
  • A statement that KGE provides Reg B / ECOA compliance (it doesn't — it provides the audit trail; your legal review on adverse-action notice content is still required)
  • A claim of FDIC / OCC / CFPB approval (no AI vendor has that — regulators approve banks, not vendors; KGE helps banks pass their exams)
  • A guarantee that 2 of 3 is the conversion rate you should expect (we honestly don't know what the real rate is yet)

When we have a named-customer version of this story with their permission and measured numbers from their actual rollout, we'll publish it here. If you want to be that customer, the path is short:

Published 2026-06-02. Author: Miz Causevic. License: CC BY 4.0 — feel free to share, with attribution.

Reference scaffolding for audit evidence — not a HIPAA / FERPA / SOC 2 / GDPR / FDIC / OCC / CFPB / Reg B compliant or certified product. Compliance posture depends on the embedder's full control environment and external attestation specific to each regulatory regime.