Overview
Cloud Combinator partnered with a fintech client to turn a promising “virtual CFO” concept into a governed, AWS-hosted proof of concept. We implemented a multi-agent demo using Amazon Bedrock Agents with EU-region hosting, robust guardrails, and auditable workflows so plain English requests can be translated into safe, repeatable operations over transaction data. The demo is designed as a blueprint for future integration into client's core platform.
About the client
The customer is a UK fintech platform built for fast-growing digital businesses. By combining business banking, corporate cards, payments, and financial insights in one place, it helps teams track cash flow, manage spending, and automate financial workflows with greater clarity and control.
Customer Challenge
Client wanted a production-grade orchestration pattern for business actions. Each action, such as “create category” or “set rule” needed to be previewed, confirmed, and logged to ensure full traceability. They needed to strengthen compliance with EU-region hosting, improve operational resilience, and enhance observability. Just as critical was building defence-in-depth security, with guardrails and data protections suitable for financial use.
The Solution at a Glance
Cloud Combinator delivered a multi-agent system on Amazon Bedrock with clear separation of concerns and AWS-native security.
- Multi-agent orchestration
- Orchestration agent supervises and routes intent.
- Specialist agents handle discrete tasks:
- Category Creation Agent: preview → confirm → commit.
- Rule Creation Agent: typed criteria, transaction preview, safe commit.
- Execution layer
- OpenAPI + AWS Lambda: validated, structured requests are executed deterministically.
- Human-in-the-loop safety: previews before any write; full traceability in logs.
- AWS foundations
- Amazon Bedrock, AWS Lambda, Amazon CloudWatch, AWS KMS, and Amazon VPC with private subnets and VPC endpoints.
- Deployment in eu-west-2 (London) to meet residency expectations.
- Provisioned via Infrastructure as Code (Terraform).
How it Works
1) Ask in plain English - “Create a Travel & Transport category with subcategories Rail, Ride-hailing, and Fuel.”
2) Supervisor routes to the right specialist - The orchestration agent delegates to the Category agent, which turns the request into a validated, structured operation using OpenAPI.
3) Lambda applies business logic - The system returns a non-destructive preview for the user to review. On confirmation, it writes the new records with unique identifiers (IDs) and returns a success summary.
4) Audit & explainability - Routing traces, previews, and results are visible in Amazon CloudWatch for full operational clarity.
Security by Design
The system was built with defence-in-depth principles to meet the security standards required in financial services. All AWS Lambda functions run in private subnets with no inbound access, and outbound access is restricted to required destinations through NAT gateways and tightly scoped security groups. Each agent and function operates with least privilege access, enforced through distinct IAM roles and resource scoped permissions.
Encryption is applied everywhere: environment secrets and CloudWatch logs are protected with AWS Key Management Service (KMS), with automatic key rotation enabled. Private service access is maintained through VPC endpoints, ensuring that traffic remains within the AWS network. Finally, content filtering in Amazon Bedrock is tuned specifically for finance, with additional guardrails to control the handling of personally identifiable information (PII).
Technical Handover & Enablement
Cloud Combinator completed a structured handover so client’s team can confidently extend the proof of concept and productionise it in a future phase. Clear OpenAPI contracts and agent prompts were established, making it straightforward to add new agent tools like reconciliation, anomaly review, or enrichment without changing the orchestration pattern.
The team was also provided with environment-specific runbooks outlining monitoring, tracing, and incident response procedures using Amazon CloudWatch and VPC Flow Logs. To support consistency across environments, the platform was provisioned with Infrastructure as Code, using Terraform modules and tagging standards for auditable deployments.
Security playbooks were delivered as part of the handover, covering KMS key management, access reviews, and the tuning of guardrails for finance-grade privacy. With these resources, Incard is positioned to integrate new agent capabilities safely and quickly.
Outcomes
- From prototype to governed demo: ad-hoc tooling refactored into a typed, auditable agent pattern.
- Operational confidence: previews before changes, parameterised SQL, and end-to-end traces.
- EU-hosted and AWS-native: residency and latency needs met without slowing iteration.
- Future-ready blueprint: Agent → OpenAPI → Lambda → Data generalises to reconciliation, anomaly review, enrichment, and more.
Why Cloud Combinator?
As an AWS Advanced Partner, CloudCombinator specialises in turning prototypes into secure, auditable systems ready for production. Using the AI/ML Accelerator programme, proven Bedrock patterns, security baselines, and Infrastructure as Code foundations were applied, so Incard’s assistant could move quickly from prototype to a finance-grade, extensible platform.
Client Satisfaction
Cloud Combinator impressed us with their ability to take complex requirements and translate them into a secure, production-ready design on AWS. Their team combined technical depth with clear communication, giving us confidence throughout the process. It was a strong demonstration of how to approach finance-grade AI systems with both speed and rigour.
