Repliant for BFSI

Every customer call your bank can't afford to drop.

Repliant runs voice, SMS, and secure-messaging conversations inside Finacle, Flexcube, Fiserv DNA, FIS, TCS BaNCS, and Salesforce FSC — under Reg E, the RBI customer-protection circulars, GLBA, DORA, and DPDP. The result: dispute desks that finish inside the regulatory window, KYC re-verifications that don't end in a branch visit, and a cost-to-serve curve your CFO will read on the first try.

Deployed at 14 banks across US, EU, GCC and APAC · including a Tier-1 US regional and a top-five Indian retail bank.

SESSION · DISP-0XA7F1 · LIVE connected
VOICE
01:14

"I'm calling about a charge on my debit card I don't recognize —

82 at a retailer in Newark."

  1. 01 · KYCStep-up auth · last-four SSN · DOB · OTP ok · 612 ms
  2. 02 · COREFiserv DNA · authorization lookup · merchant code ok · 184 ms
  3. 03 · POLICYReg E intake · reason code 11 (unauthorized) ok · 14 ms
  4. 04 · CREDITProvisional credit ·
    82 · auto-issued ok · 308 ms
  5. 05 · SMSConfirmation · tracking link · provisional credit notice queued
audit · #AT-77821 · signed policy · Reg-E.v4.2 reversible · yes retained · 7 y
↑ disputes.intake · one session, five systems, one audit trail

The industry reality

Your contact center is a regulatory surface.

The phone line a customer dials to dispute a debit charge is not a customer-service touchpoint. It is the surface against which the OCC, the CFPB, the RBI, and the ECB measure your bank's compliance posture. Every minute of dead air on that line is, depending on the jurisdiction, a clock that has already started running.

The operational reality at most banks is familiar. Three IVRs inherited from three acquisitions. Two case-management systems and a tab of someone's spreadsheet. A core platform — Finacle, Flexcube, Fiserv DNA, FIS Profile, TCS BaNCS — that was last extended in a year your CTO will not name aloud. The contact-center vendor was renewed in 2022 because the alternative was a six-month rebuild that the audit committee did not have appetite for.

The consequence is a cost-to-serve line item that grows roughly with deposit growth and an FCR number that has not meaningfully moved in seven quarters. Meanwhile the share of disputes resolved outside the Reg E ten-business-day window quietly drifted to nine percent in 2024. The internal exception report runs sixty-seven pages.

Repliant was built to sit precisely where the contact center, the core platform, the fraud system, and the regulator meet — and to make the conversations that happen there finish inside the window, with an audit trail your second line of defense can sign off on without reading a sixty-seven-page report.

What Repliant handles for BFSI.

Five workflows. Named, governed, and measured against the metric your board reads each quarter.

WORKFLOW 01 · disputes.intake

Card dispute intake & Reg E timer compliance

The agent runs Reg E intake on the first call: identity step-up, transaction lookup against TSYS or your processor, reason-code classification across fourteen Reg E codes, provisional-credit issuance within configurable ceiling, and customer notification on the channel of record. The ten-business-day clock starts when the customer reports the error — and is enforced at the agent level, not on a back-office spreadsheet.

Outcome · 100% Reg E timer compliance · Northbank, FY2026 YTD

10-business-day window · day-of-resolution distribution

DAY 123 456 789 10 REG E DEADLINE →

WORKFLOW 02 · collections.restructure_emi

EMI / loan restructuring negotiation

The agent runs the regulator-approved restructuring script — RBI Resolution Framework 2.0 language for India deployments, CFPB-compliant hardship scripts in the US — including affordability assessment, three pre-approved restructuring offers, and digital signature capture. Edge cases (income volatility, secured-collateral exposure, prior restructures) escalate to a named human team. The agent does not invent rates.

Outcome · +41% restructure-acceptance rate · 4-bank rollout, FY26

Restructure flow · regulator-approved branches

Affordability check 3 offers Tenure ↑ · same EMI EMI ↓ · 6-mo holiday Escalate · human policy · RBI-RF2.0 · CFPB-hardship.v3

WORKFLOW 03 · fraud.confirm_with_stepup

Suspicious-activity callback with step-up auth

When Verafin, Actimize, or your in-house fraud model flags a transaction, Repliant places the outbound call, runs voice biometric verification, asks the right KBA pair from the bank-of-record (never invented), captures a confirm/deny on the transaction, and writes the disposition back to the fraud platform. The customer never receives a callback from a number that isn't yours. Step-up auth is enforced before any account action.

Outcome · −72% mean confirm time · 14 min → 3.8 min

Callback timeline · seconds from fraud flag → disposition

0 s 30 s 90 s 180 s 230 s Fraud flag · Verafin Outbound call · voice bio KBA · step-up Confirm / deny captured Disposition · written to fraud prior baseline · 14 min mean · agent-assisted repliant · 3.8 min mean

WORKFLOW 04 · kyc.reverify_remote

Branch-visit deflection for KYC re-verification

Periodic KYC refresh under RBI master direction, FinCEN CDD, or 4MLD/5MLD typically requires a branch visit your customer will postpone for nine months. Repliant runs remote re-verification on voice and the secure-messaging channel: liveness check via in-app SDK, document re-capture, address attestation, sanctions re-screen. Re-verification closes in a single session. The branch is left for the cases that need a human signature.

Outcome · −84% branch visits · KYC refresh book, top-five Indian bank

KYC refresh routing · 100,000 customers due

BEFORE AFTER Branch visit · 100% Branch · 16% Remote re-verify · 84% cost / customer ·
2.40 avg time-to-close · 47 days cost / customer · $4.10 avg time-to-close · 6.2 days

WORKFLOW 05 · payments.confirm_high_value

High-value transaction confirmation callbacks

Wires above the bank's threshold or first-time-payee transfers trigger an outbound voice confirmation under dual-control. The agent confirms beneficiary, amount, and purpose against the customer's stated history, captures explicit verbal authorization, and writes back to the payments rail. Anything that smells like an APP fraud pattern — coached customer, urgency cues, unusual payee category — escalates to a fraud analyst with the call still live.

Outcome · −61% APP-fraud loss · UK bank rollout, FY26 H1

Dual-control · high-value wire confirmation

Wire initiated Repliant outbound Verbal auth captured APP-pattern flagged Analyst live · co-pilot happy path → ↳ pattern match

Built to live inside the systems your bank already runs.

No rip-and-replace. No middleware project. Repliant reads from and writes to your core, your front office, your fraud, your card processor — under the same SSO and audit posture your second line already trusts.

Core platforms · read & write

native connectors

Finacle

Infosys · v10 +

Flexcube

Oracle · UBS & SaaS

Fiserv DNA

Premier · Signature

FIS Profile

+ Horizon

TCS BaNCS

retail · core

Front office & CRM

case · timeline · journey

Salesforce FSC

Financial Services Cloud

Pega CDH

Customer Decision Hub

Microsoft Dynamics

Banking accelerator

nCino

commercial · SBA

Encompass

ICE · mortgage

Fraud, AML & cards

read · enqueue · disposition

Verafin

FinCrime

NICE Actimize

XCEED · IFM

SAS Fraud

Mgmt 7

TSYS

card processor

FIS · Jack Henry

card platforms

Channels & telephony

carrier-grade · 99.99% SLA

Genesys Cloud

IVR replacement

NICE CXone

routing · WFM

Twilio · Vonage

voice · A2P SMS

WhatsApp Cloud

Meta direct

Your in-app SDK

secure messaging

For banks running on mainframe — IBM z, AS/400, custom green-screen — Repliant integrates via signed gateway with 5250/3270 emulation, the same posture your existing screen-scrape vendors use, with PII redaction enforced before any value crosses the gateway. We have shipped this into production at three banks running on cores acquired before 2003.

Compliance & guardrails

Designed for the regulator in the room.

Every tool call is signed. Every model inference is reproducible from the audit record. The agent operates inside ceilings, dual-control rules, and mandatory disclosure scripts your compliance team writes — not the other way around.

CERTIFIED

SOC 2 Type II

CERTIFIED

ISO 27001

CERTIFIED

PCI-DSS

ALIGNED

GLBA · CFPB

ALIGNED

RBI · DPDP

ALIGNED

PSD2 · DORA

Regulator awareness: Reg E · Reg Z · BSA/AML · FFIEC · UDAAP. RBI master directions on customer protection, KYC, and digital lending. ECB IT & cyber risk requirements under DORA.

Industry-specific guardrails

  • DUAL-CONTROL Any account action above a configurable threshold requires a second authorization. Defaults are conservative; thresholds are set per legal entity by your team.
  • TRANSACTION LIMITS Provisional credit, fee waivers, and balance adjustments are bounded at the agent level. The agent cannot exceed them under any prompt.
  • MANDATORY DISCLOSURES Reg Z APR disclosures, Reg E error-resolution notice, Reg DD truth-in-savings — read verbatim, logged, and timestamped. Cannot be skipped.
  • NO-HALLUCINATION ON RATES The agent quotes only rates, fees, and product terms retrieved from your system of record. Anything outside that scope triggers a human handoff.
  • CALL RECORDING Stored under your KMS, in your region. PII is redacted pre-LLM; payment data never enters the model context.
  • ESCALATION OBLIGATIONS Words and patterns your compliance team flags (vulnerable-customer markers, complaint language, hardship indicators) trigger immediate human handoff with full context.
  • UDAAP REVIEW Weekly sampling, scored against your bank's UDAAP rubric. Findings flow to your second line with the call audio and the model trace.
  • MODEL ISOLATION Single-tenant VPC. Bring-your-own KMS keys. Your traffic does not train anyone's model.

What to expect

From signed MSA to production in 14 weeks.

BFSI deployments are not seven-day sprints. Buyers in this industry trust a deliberate timeline more than a fast one. We move on the schedule your CISO, your second line, and your regulator can sign off on — and not faster.

W1W3W5W7W9W11W13W14 · GA DISCOVERY BUILD INTEGRATE SECURITY REVIEW SANDBOX · UAT PHASED ROLLOUT Scope · data access · CISO Workflows · 5 named flows built compliance scripts reviewed Core + fraud connected 2nd-line + IT security signoff model trace · audit log review UAT · shadow mode 100% 5% live · then 50% GA · regulator walkthrough includes one regulator walkthrough · second-line audit signoff before GA

FAQ

Questions buyers in this industry actually ask.

If yours isn't here, your AE will get it answered before your second meeting.

How do you handle dual-control for transactions above our threshold?

Thresholds are configured per legal entity, per workflow, and per channel. Any action that crosses the ceiling — provisional credit, fee waiver, wire confirmation, account opening — is queued for a named human authorizer in your existing escalation system (typically Salesforce FSC queues, or Pega cases). The agent never proceeds on its own; the customer is told the wait time, in plain language, and called back when the authorizer signs off.

Can the agent take action in our core banking system, or only read?

Both. Native read/write into Finacle, Flexcube, Fiserv DNA, FIS Profile, and TCS BaNCS — with the same SSO, the same RBAC, and the same audit posture your existing teller workstations use. Write actions are scoped per tool: the disputes agent can issue provisional credit up to the configured ceiling and cannot, for example, open an account. Scope changes flow through your existing change-management process, not ours.

What happens to a call recording under DPDP, GDPR, and GLBA?

Recordings are encrypted at rest under your KMS keys, pinned to the region you specify (EU, US, IN, GCC, etc.), and retained per your existing record-retention policy. PII is redacted pre-LLM; cardholder data is masked before it enters any model context, in line with PCI-DSS Requirement 3. Right-to-erasure requests under GDPR and DPDP are honored through the same workflow your CRM already supports.

How do you avoid hallucinated rates, fees, or product terms?

The agent does not generate rates. It retrieves them from your system of record — your product master, your pricing engine, your card platform — through scoped tools. If a customer asks something outside the retrieved scope (e.g. a competitor's rate, an unsupported product), the agent says it cannot answer and routes to a human. Compliance-critical fields (APR, fees, disclosures) are pulled by deterministic tool calls, not generated.

What does the audit trail look like for our second line of defense?

Every session emits a signed, immutable record: the channels touched, the tools called with arguments and return values, the policies evaluated, the disclosures read, the model trace, and the final disposition. Records are exportable to your existing GRC platform — MetricStream, Archer, ServiceNow IRM — on a schedule your team configures. We have walked a US OCC examiner and an Indian RBI inspection team through this exact log without remediation findings.

Can you deploy on-prem or inside our existing VPC?

Yes. Default deployment is single-tenant in your AWS, GCP, or Azure account, region-pinned, with bring-your-own KMS. We support fully on-prem deployments on customer-managed Kubernetes for banks under regulatory direction (RBI master direction on outsourcing, ECB DORA ICT third-party rules). Air-gapped builds are available for cases where outbound telemetry is prohibited.

Which LLM are you actually using — and can we bring our own?

Repliant is model-agnostic. Default deployment runs on whichever frontier model your tenant prefers (we currently have production deployments on Anthropic, OpenAI, and self-hosted Llama-derivatives). Bring-your-own-LLM is supported — your fine-tuned weights run inside your tenant, with the rest of the Repliant orchestration layer wrapping them. Model swaps do not require rewriting agents.

How do you handle vulnerable customers — and complaint detection?

We ship with a configurable vulnerability-detection layer mapped against the FCA's vulnerable-customer framework and the CFPB's consumer-complaint typology. Markers (hardship language, distress cues, accessibility flags, complaint terms) trigger immediate human handoff with full session context. The agent does not attempt to resolve a complaint; it logs, escalates, and apologizes — in that order.

Repliant for BFSI

Bring your hardest dispute, your loudest IVR queue, your slowest KYC backlog.