Lifecycle of a risk case

A risk case tracks how your business alerts, investigates, and acts on suspicious or risky activity related to AML. A single risk case may have events related to multiple parties (indicating related investigations), but the risk case should only contain information about a single investigation process per party.

Event types

To express these events, AML AI uses the following types in the RiskCaseEvent table.

Initial alerts trigger the following event types:

  • AML_ALERT_GOOGLE: triggered using Google AML risk score
  • AML_ALERT_LEGACY: triggered by another automatic risk assessment system
  • AML_ALERT_ADHOC: manually triggered, for example, by the relationship manager
  • AML_ALERT_EXPLORATORY: triggered based on considerations other than pure risk, for example, data exploration to improve the quality of AML models
  • AML_ALERT_EXTERNAL: triggered based on an external request

Start, end, and outcomes of an investigation process trigger the following event types:

  • AML_PROCESS_START: investigation process starts
  • AML_PROCESS_END: The investigation process is complete and no further outcomes are expected. If there is no AML_SAR or AML_EXIT by this point, then AML AI safely concludes there will be none.

Actions taken based on the investigation trigger the following event types:

  • AML_SAR: suspicious activity report (SAR) is filed
  • AML_EXIT: A customer exit is triggered. This event must have a corresponding AML_PROCESS_START event for the same party and risk case ID.

The suspicious activity period identified in an investigation triggers the following event types:

  • AML_SUSPICIOUS_ACTIVITY_START: this event marks the beginning of suspicious activity identified during the investigation
  • AML_SUSPICIOUS_ACTIVITY_END: This event marks the end of suspicious activity identified during the investigation. In the absence of this event, AML AI assumes suspicious activity is ongoing.

Risk case stages and outcomes

Risk case event data helps AML AI understand the lifecycle of risk cases and how to classify risk cases with positive outcomes (leading to an exit), ongoing investigations (not finished yet), or negative outcomes (finished and not leading to an exit).

AML positive case diagram Figure 1. Positive case example

AML negative case diagram Figure 2. Negative case example

The stages illustrated in the preceding diagrams can be expressed with risk case events as in the following steps:

  1. An alert is created for a given party.

    Alerts are triggered in a number of different ways:

    • An ad-hoc alert triggered manually somewhere within your business, for example, by a relationship manager (type: AML_ALERT_ADHOC)
    • An automated alert triggered using a Google AML risk score as input (type: AML_ALERT_GOOGLE)
    • An automated alert triggered by a rules-based or AI system other than AML AI (type: AML_ALERT_LEGACY)
    • An alert triggered based on considerations other than pure risk, for example, data exploration to improve quality of AML models (type: AML_ALERT_EXPLORATORY)
    • An external request triggered an investigation process (type: AML_ALERT_EXTERNAL)

    If this alert is related to investigations of other parties, it can reuse the same risk case ID. Otherwise, a new risk case ID should be used.

  2. Following an alert, an AML investigation process starts (type: AML_PROCESS_START).

    While your process may consist of multiple investigation stages, this event marks the start of the first stage.

  3. During some investigations, the risk is acted upon.

    • A SAR is filed relating to AML risk of this customer (type: AML_SAR).
    • The investigation process triggers the process to exit the customer (type: AML_EXIT).
    • The investigation process identifies risk associated with a different party. In this case, you may generate an alert with the same risk case ID for that party (type: AML_ALERT_ADHOC) and start Step 1.

  4. The investigation process concludes and no further investigation activity for this party is expected as part of this risk case (type: AML_PROCESS_END).

    In particular, if there has not been an AML_SAR or AML_EXIT event prior to the end of the process, then AML AI concludes that there was not sufficient risk identified to justify these outcomes for this party.

Suspicious activity period: Risk case events are also used to specify the period during which suspicious activity, if any, was identified. To identify this period, you may specify a single AML_SUSPICIOUS_ACTIVITY_START and AML_SUSPICIOUS_ACTIVITY_END pair for a given party and risk case ID. This input helps models identify risk at the correct time, for example, during or shortly after the period when the suspicious activity occurred.