A risk case tracks how your business alerts, investigates, and acts on suspicious or risky activity related to AML. A single risk case may have events related to multiple parties (indicating related investigations), but the risk case should only contain information about a single investigation process per party.
Event types
To express these events, AML AI uses the following types in the RiskCaseEvent table.
Initial alerts trigger the following event types:
AML_ALERT_GOOGLE
: triggered using Google AML risk scoreAML_ALERT_LEGACY
: triggered by another automatic risk assessment systemAML_ALERT_ADHOC
: manually triggered, for example, by the relationship managerAML_ALERT_EXPLORATORY
: triggered based on considerations other than pure risk, for example, data exploration to improve the quality of AML modelsAML_ALERT_EXTERNAL
: triggered based on an external request
Start, end, and outcomes of an investigation process trigger the following event types:
AML_PROCESS_START
: investigation process startsAML_PROCESS_END
: The investigation process is complete and no further outcomes are expected. If there is noAML_SAR
orAML_EXIT
by this point, then AML AI safely concludes there will be none.
Actions taken based on the investigation trigger the following event types:
AML_SAR
: suspicious activity report (SAR) is filedAML_EXIT
: A customer exit is triggered. This event must have a correspondingAML_PROCESS_START
event for the same party and risk case ID.
The suspicious activity period identified in an investigation triggers the following event types:
AML_SUSPICIOUS_ACTIVITY_START
: this event marks the beginning of suspicious activity identified during the investigationAML_SUSPICIOUS_ACTIVITY_END
: This event marks the end of suspicious activity identified during the investigation. In the absence of this event, AML AI assumes suspicious activity is ongoing.
Risk case stages and outcomes
Risk case event data helps AML AI understand the lifecycle of risk cases and how to classify risk cases with positive outcomes (leading to an exit), ongoing investigations (not finished yet), or negative outcomes (finished and not leading to an exit).
Figure 1. Positive case example
Figure 2. Negative case example
The stages illustrated in the preceding diagrams can be expressed with risk case events as in the following steps:
An alert is created for a given party.
Alerts are triggered in a number of different ways:
- An ad-hoc alert triggered manually somewhere within your business, for
example, by a relationship manager (
type: AML_ALERT_ADHOC
) - An automated alert triggered using a Google AML
risk score as input (
type: AML_ALERT_GOOGLE
) - An automated alert triggered by a rules-based or AI system other than
AML AI (
type: AML_ALERT_LEGACY
) - An alert triggered based on considerations other than pure risk, for
example, data exploration to improve quality of AML models
(
type: AML_ALERT_EXPLORATORY
) - An external request triggered an investigation process
(
type: AML_ALERT_EXTERNAL
)
If this alert is related to investigations of other parties, it can reuse the same risk case ID. Otherwise, a new risk case ID should be used.
- An ad-hoc alert triggered manually somewhere within your business, for
example, by a relationship manager (
Following an alert, an AML investigation process starts (
type: AML_PROCESS_START
).While your process may consist of multiple investigation stages, this event marks the start of the first stage.
During some investigations, the risk is acted upon.
- A SAR is filed relating to AML risk of this customer (
type: AML_SAR
). - The investigation process triggers the process to exit the customer
(
type: AML_EXIT
). - The investigation process identifies risk associated with a different
party. In this case, you may generate an alert with the same risk case
ID for that party (
type: AML_ALERT_ADHOC
) and start Step 1.
- A SAR is filed relating to AML risk of this customer (
The investigation process concludes and no further investigation activity for this party is expected as part of this risk case (
type: AML_PROCESS_END
).In particular, if there has not been an
AML_SAR
orAML_EXIT
event prior to the end of the process, then AML AI concludes that there was not sufficient risk identified to justify these outcomes for this party.
Suspicious activity period: Risk case events are also used to specify the
period during which suspicious activity, if any, was identified. To identify
this period, you may specify a single AML_SUSPICIOUS_ACTIVITY_START
and
AML_SUSPICIOUS_ACTIVITY_END
pair for a given party and risk case ID. This
input helps models identify risk at the correct time, for example, during or
shortly after the period when the suspicious activity occurred.