MICKAI
Article · 1 July 2026

The MLRO and On-Premise AML: Owning the Sanctions and OFSI Screening Workflow

For the Money Laundering Reporting Officer who signs off on every disposition: how Mickai runs sanctions and OFSI screening inside your walls, so alerts, hits and decisions stay under one accountable, tamper-evident record.

Author: Micky Irons
Published: 1 July 2026

The screening desk is where personal liability lives

If you are an MLRO, your name sits on an SM&CR statement of responsibilities. When the FCA or OFSI asks why a payment cleared, why a name was passed against a sanctions list, or why an alert was closed, the answer traces back to you. That is not a governance abstraction. It is personal accountability that follows you between firms and, in the worst case, into an enforcement notice.

The uncomfortable truth about most sanctions and OFSI screening stacks is that the accountable person does not actually own the workflow. Watchlist data flows through a third-party matching engine. The fuzzy-matching logic is a vendor black box. Analyst dispositions live in one system, the payment in another, and the audit trail is stitched together after the fact from logs nobody signed. When a regulator asks for the complete story behind a single hit, the firm spends days reconstructing it.

Mickai was built to close that gap. It is a sovereign AI operating system: AI that regulated firms own and run inside their own walls, on-premise and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record. For the MLRO, that means sanctions screening, OFSI list matching, alert triage and disposition all sit under one accountable record that you control, not a vendor.

Nemesis: sanctions and OFSI screening that never leaves the building

Nemesis is the Mickai Studio for fraud and AML. Run inside your data centre or in an air-gapped enclave, it screens customers, counterparties and payments against the OFSI consolidated list, OFAC, UN and EU regimes, and your own internal watchlists. The reference data is ingested into an air-gapped retrieval layer, so lists update on your schedule and no name, no payment reference, and no customer identifier is ever sent to an external cloud API to be matched.

That single architectural choice answers a question MLROs have carried for years. Where does the data go when we screen? With Mickai the answer is: nowhere. It stays behind your perimeter. For firms wrestling with the CLOUD Act, UK GDPR special-category handling, and DORA obligations on critical third parties, on-premise screening removes an entire class of exposure rather than papering over it with contractual assurances.

Nemesis does the analytical work an MLRO expects. It resolves aliases and transliterations, scores name and entity matches, factors in dates of birth, jurisdictions and vessel identifiers for maritime and trade exposure, and separates true hits from the noise that buries most alert queues. What it does not do is decide alone. Every material judgement is framed for a human disposition, because the accountable person is you.

The deterministic arbiter keeps AI inside the guardrails

The reason regulated firms are legally barred from most public-cloud AI is that a probabilistic model, left to itself, is not auditable and not reliably repeatable. Mickai runs fifty specialist brains beneath a deterministic arbiter. The brains propose. The arbiter decides against fixed, inspectable policy. The same input produces the same routed outcome, and that outcome is explainable in terms a regulator and an internal audit function can follow.

For sanctions work this matters twice over. First, screening logic that shifts unpredictably between runs is a compliance failure in itself. Second, EU AI Act obligations for high-risk systems, together with FCA expectations under Consumer Duty and operational resilience, require that you can show governance over the decision, not just the decision. A deterministic arbiter turns AI-assisted screening from a black box into a controlled process you can defend.

The OAR: one accountable record for every hit and disposition

The heart of the value for an MLRO is the Ownable Audit Record. Every screening event, every alert generated, every analyst action, every escalation and every disposition is written to a tamper-evident log signed with ML-DSA-65, a post-quantum digital signature standard. Each entry is tied to a hardware-bound identity, so you know which operator, on which authorised machine, took which action. Nothing can be altered after the fact without breaking the signature chain.

Consider what that does to your evidence burden. When OFSI or the FCA asks for the full lifecycle of a single sanctions hit, you do not reconstruct it. You export a signed, ordered, immutable record that shows the match, the score, the reasoning presented, the analyst who dispositioned it, the four-eyes reviewer, and the timestamp on each step. Where a decision needs to be unwound, compensating rollback reverses the action and writes the reversal to the same record, so even the correction is auditable. For high-sensitivity dispositions, voice-biometric quorum can require a named group of officers to authorise before a payment to a high-risk jurisdiction is released.

This is the difference between a firm that hopes its logs hold up and a firm whose screening record is designed, from the schema up, to be the accountable evidence.
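The chaining and compensating-rollback behaviour described above can be sketched as follows. This is an added example, not Mickai's code: the entry fields and function names are hypothetical, and HMAC-SHA256 with a constructed demo key stands in for the ML-DSA-65 signature, which the Python standard library does not provide.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for an operator's signing key
FIELDS = ("seq", "prev", "operator", "action", "detail")

def digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(entry_hash, key):
    # Stand-in signature: HMAC-SHA256 in place of ML-DSA-65.
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append(log, operator, action, detail, key=DEMO_KEY):
    # Each entry commits to the hash of the previous one, forming the chain.
    body = {"seq": len(log), "prev": log[-1]["hash"] if log else GENESIS,
            "operator": operator, "action": action, "detail": detail}
    h = digest(body)
    log.append({**body, "hash": h, "sig": sign(h, key)})
    return log[-1]

def rollback(log, target_seq, operator, key=DEMO_KEY):
    # Compensating rollback: never edit or delete, append a reversal entry.
    return append(log, operator, "rollback", {"reverses": target_seq}, key)

def verify(log, key=DEMO_KEY):
    """Return the index of the first invalid entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        h = digest({k: e[k] for k in FIELDS})
        if (e["seq"] != i or e["prev"] != prev or e["hash"] != h
                or not hmac.compare_digest(e["sig"], sign(h, key))):
            return i
        prev = e["hash"]
    return -1

def demo():
    log = []  # constructed sample events
    append(log, "analyst-1", "alert", {"list": "OFSI", "match_score": 0.91})
    append(log, "analyst-1", "disposition", {"alert": 0, "outcome": "false_positive"})
    append(log, "reviewer-2", "four_eyes_approve", {"disposition": 1})
    rollback(log, 1, "mlro")
    intact = verify(log)
    log[1]["detail"]["outcome"] = "true_match"  # after-the-fact edit
    return intact, verify(log)
```

A chain like this detects edits and reordering but not removal of the most recent entries, so the latest entry hash also needs to be recorded somewhere outside the log.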

Why this is a category, not a feature

Roughly 850,000 UK businesses and around 5 million across the EU are legally barred from putting regulated workloads on public-cloud AI. Sanctions and OFSI screening is one of the sharpest cases: the data is special-category, the accountability is personal, and the regulatory perimeter is unforgiving. The sovereign AI market is projected to grow from around USD 40 billion in 2025 to USD 148 billion by 2032, and screening is one of the workloads that forces the move on-premise.

Mickai holds 104 filed UK patent applications, roughly 2,340 claims, under Mickai LTD, covering the arbiter, the signed audit record, hardware-bound identity and the air-gapped retrieval architecture. Filed, not granted, but the priority date and the prior-art position are secured. As a third-party momentum signal, founder Micky Irons was independently ranked number four on Crunchbase in June 2026, with the company placing in the top one to two percent globally. The platform is built and LIVE, with UK manufacturing secured in Birmingham, and we are building to scale.

To be clear about posture: Mickai is an ally to the frontier labs, not a challenger to them. The frontier builds general intelligence. We build the sovereign substrate that lets regulated firms run AI they are permitted to own. That dual-buyer thesis, the regulated enterprise and the sovereign operator, is what underwrites the estate.

For the MLRO weighing the next control cycle

If you are planning your next AML technology review, the question to put to any screening vendor is simple. When we screen a name, where does the data go, and can I produce a signed, immutable record of every hit and disposition on demand? If the honest answer involves a cloud API and reconstructed logs, you are carrying risk that on-premise architecture removes outright.

If sanctions and OFSI screening sits under your signature, I would welcome a direct conversation about owning that workflow rather than renting it. Reach me at micky@mickai.co.uk.

Micky Irons, founder and CEO of Mickai.

Frequently asked questions

Does Mickai send any customer or payment data to an external cloud to screen it?

No. Nemesis screens against the OFSI consolidated list, OFAC, UN and EU regimes and internal watchlists inside your own data centre or an air-gapped enclave. Reference lists are ingested into an air-gapped retrieval layer, so no name, payment reference or customer identifier leaves your perimeter.

How does the audit record help an MLRO under SM&CR?

Every screening event, alert, analyst action, escalation and disposition is written to the Ownable Audit Record, signed with the ML-DSA-65 post-quantum standard and bound to hardware-based identity. When OFSI or the FCA asks for the full lifecycle of a hit, you export a signed, ordered, immutable record rather than reconstructing it from unsigned logs.

Is the AI making sanctions decisions on its own?

No. Fifty specialist brains propose, and a deterministic arbiter routes outcomes against fixed, inspectable policy. Material judgements are framed for a human disposition, and for high-sensitivity cases voice-biometric quorum can require a named group of officers to authorise before release.

Which regulatory regimes does this on-premise approach address?

On-premise, air-gapped screening directly supports handling under the CLOUD Act, UK GDPR special-category rules, DORA third-party obligations, EU AI Act high-risk requirements, and FCA expectations on Consumer Duty and operational resilience.

Is Mickai available now?

Yes. Mickai is built and LIVE, with UK manufacturing secured in Birmingham, and the company is building to scale. Mickai LTD holds 104 filed UK patent applications covering the arbiter, the signed audit record, hardware-bound identity and the air-gapped retrieval architecture.

Originally published at https://mickai.co.uk/articles/the-mlro-and-on-prem-aml-screening-owning-the-sanctions-and-ofsi-workflow. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.