
AML Investigation Engine Overview

The AML (Anti-Money Laundering) Investigation Engine is an agentic workflow that investigates transaction data for potential money laundering patterns. It analyzes alerts against your defined Standard Operating Procedures (SOPs), performs web research, and queries data warehouses to gather evidence and produce a structured investigation result.

Key Capabilities

  • Policy-Driven Analysis: Investigates transactions against your AML SOP guidelines
  • Automated Evidence Collection: Uses web research and SQL queries to gather evidence
  • Category-by-Category Analysis: Evaluates red flags and green flags per SOP category
  • Structured Verdicts: Produces investigation results with clear verdicts from your policy dispositions

AML Investigation Engine Inputs

The AML Investigation Engine Configuration has four parameters:

| Parameter | Required | Description |
| --- | --- | --- |
| policy_version_id | Yes | The Policy version ID containing your AML investigation guidelines (SOP) |
| context_sources | No | Data sources (e.g., Snowflake) for the agent to query transaction data during investigation |
| alert_data | Yes | Alert data that triggered this investigation (JSON string with alert details) |
| transaction_data | No | Pre-loaded transaction data (JSON string). If empty, the agent will fetch from context sources |

See Template Strings for dynamic parameter configuration.

AML Investigation Output

The output is a structured JSON object containing:

Policy Applied

Information about the policy used for investigation:
  • name: Name of the policy applied
  • version: Version ID of the policy applied

AML Analysis

Complete investigation result including:

| Field | Description |
| --- | --- |
| verdict | Final verdict from policy dispositions (e.g., “Clear - False Positive”, “File STR”) |
| summary | Executive summary explaining the conclusion and key findings |
| category_analysis | Detailed analysis for each category in the policy guidelines |
| out_of_scope_flags | Additional findings not covered by the defined guidelines |
| reason_for_output | Brief explanation of the thought process behind the verdict |

Category Analysis Structure

For each SOP category, the output includes:
  • category_title: Title of the category
  • summary: 2-3 sentence summary of findings
  • red_flag_analysis: Array of RED_FLAG rules with hit status and evidence
  • green_flag_analysis: Array of GREEN_FLAG rules with hit status and evidence

Evidence Structure

Each piece of evidence includes:
  • evidence_type: “web_link”, “screenshot”, or “artifact”
  • evidence_data: URL or artifact reference
  • evidence_name: Short descriptive name
  • evidence_description: Why this evidence is relevant

Policy (SOP) Structure

Your AML policy should contain:
  1. Instructions: High-level data exploration and investigation guidance
  2. Guidelines: Organized as Categories > Rules
    • Each Category (e.g., “BLACKLISTED_BARCODE_CHECK”, “DAILY_TRANSACTION_COUNT_CHECK”) contains multiple Rules
    • Each Rule has a flag type (GREEN_FLAG or RED_FLAG), title, and description
  3. Dispositions: Classification options for final verdicts

Supported Context Sources

The AML Investigation Engine supports the following data source connectors:

| Connector | Type | Description |
| --- | --- | --- |
| Snowflake | SQL | Query your Snowflake data warehouse for transaction history, customer data, etc. |
| Roe Tables | SQL | Query tables stored in VolansDB for internal data analysis |
| Zendesk | API | Fetch support tickets and customer communication history |

Configure context sources to allow the agent to automatically fetch transaction data during investigation. The agent will use natural language to generate appropriate SQL queries or API calls.

Creating an AML Policy

The AML Investigation Engine requires a policy containing your Standard Operating Procedures (SOPs). You can create policies using the Policies feature.
A pre-built AML Investigation Workflow policy template is available in the platform. This template provides a comprehensive framework for alert review, typology assessment, evidence synthesis, and regulatory reporting decisions.

Policy Template Structure

The AML policy template includes:
  • Alert Intake and Classification: Initial steps for processing alerts
  • Customer Due Diligence Review: KYC verification and customer profile analysis
  • Transaction Pattern Analysis: Suspicious activity indicators
  • Web Research Guidance: Entity verification and adverse media screening
  • Disposition Classifications: Clear verdict options (e.g., “Clear - False Positive”, “File STR”, “Escalate for Review”)

Example Alert Data

{
  "alert_id": "ALT-2024-001234",
  "merchant_id": "MER-789456",
  "merchant_name": "ABC Trading Co.",
  "alert_type": "HIGH_VOLUME_TRANSACTIONS",
  "alert_date": "2024-01-15",
  "triggered_by": "Daily transaction count exceeded threshold",
  "transaction_summary": {
    "total_transactions": 450,
    "total_amount": 125000.00,
    "average_amount": 277.78
  }
}

Example Output

{
  "policy_applied": {
    "name": "AML Investigation SOP v2",
    "version": "pol_ver_abc123"
  },
  "aml_analysis": {
    "verdict": "Clear - Continue Monitoring",
    "summary": "Investigation found high transaction volume consistent with seasonal business patterns. No indicators of structuring or suspicious counterparties identified.",
    "category_analysis": [
      {
        "category_title": "TRANSACTION_PATTERN_CHECK",
        "summary": "Transaction patterns show legitimate business activity with seasonal variation.",
        "red_flag_analysis": [
          {
            "rule_title": "Round Amount Detection",
            "hit": false,
            "evidences": []
          }
        ],
        "green_flag_analysis": [
          {
            "rule_title": "Consistent Business Hours",
            "hit": true,
            "evidences": [
              {
                "evidence_type": "artifact",
                "evidence_data": "AMLInvestigationEngine-123/sql_query_1234567.json",
                "evidence_name": "Transaction timing analysis",
                "evidence_description": "95% of transactions occur during business hours 9am-6pm"
              }
            ]
          }
        ]
      }
    ],
    "out_of_scope_flags": [],
    "reason_for_output": "I analyzed the merchant's transaction patterns and found them consistent with their stated business type. The high volume is explained by seasonal factors and no structuring patterns were detected."
  }
}
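
An added example, not part of the product documentation or the platform's API: a Python check, run before anything acts on a result of the shape shown above, that the verdict is one of your policy dispositions, that every rule marked as hit carries evidence, and that evidence uses only the documented types. The function names, the `DISPOSITIONS` set and the `SAMPLE` result are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

EVIDENCE_TYPES = {"web_link", "screenshot", "artifact"}  # documented evidence types
# Assumed policy dispositions; replace with the ones defined in your policy.
DISPOSITIONS = {"Clear - False Positive", "Clear - Continue Monitoring", "File STR"}

def check_evidence(ev):
    """Return problems with one evidence object."""
    out = []
    etype, data = ev.get("evidence_type"), ev.get("evidence_data")
    if etype not in EVIDENCE_TYPES:
        out.append(f"unknown evidence_type {etype!r}")
    if not isinstance(data, str) or not data:
        out.append("empty evidence_data")
    elif etype == "web_link":
        url = urlparse(data)
        if url.scheme not in ("http", "https") or not url.netloc:
            out.append("web_link is not an http(s) URL")
    return out

def validate_result(raw, dispositions=DISPOSITIONS):
    """Return a list of problems in an engine result; an empty list means it passed."""
    try:
        analysis = json.loads(raw)["aml_analysis"]
        verdict, categories = analysis["verdict"], analysis["category_analysis"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"malformed result: {type(exc).__name__}"]
    problems = []
    if not isinstance(verdict, str) or verdict not in dispositions:
        problems.append(f"verdict {verdict!r} is not a policy disposition")
    for cat in categories:
        for key in ("red_flag_analysis", "green_flag_analysis"):
            for rule in cat.get(key, []):
                where = f"{cat.get('category_title')} / {rule.get('rule_title')}"
                evidences = rule.get("evidences", [])
                if rule.get("hit") is True and not evidences:
                    problems.append(f"{where}: hit without evidence")
                problems += [f"{where}: {p}" for ev in evidences for p in check_evidence(ev)]
    return problems

# Constructed sample: unknown verdict, a hit with no evidence, a non-HTTP link.
SAMPLE = json.dumps({"aml_analysis": {"verdict": "Approve", "category_analysis": [{
    "category_title": "TRANSACTION_PATTERN_CHECK",
    "red_flag_analysis": [
        {"rule_title": "Round Amount Detection", "hit": True, "evidences": []}],
    "green_flag_analysis": [
        {"rule_title": "Consistent Business Hours", "hit": True, "evidences": [
            {"evidence_type": "web_link", "evidence_data": "ftp://files.example/report"}]}],
}]}})

if __name__ == "__main__":
    print("\n".join(validate_result(SAMPLE)))
```

A non-empty return value is a reason to route the alert to a human reviewer instead of applying the verdict automatically.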

Common Verdict Classifications

Define disposition classifications in your policy that match your compliance requirements. Common examples include:

| Verdict | Description |
| --- | --- |
| Clear - False Positive | Alert reviewed, no suspicious activity identified |
| Clear - Continue Monitoring | No immediate concern, but enhanced monitoring recommended |
| Hold - Pending Documentation | Additional documentation needed before final decision |
| Escalate for Review | Requires senior analyst or compliance officer review |
| File STR | Suspicious Transaction Report should be filed |
| Temporary Suspension + Escalation | Account suspended pending further investigation |

Use Cases

The AML Investigation Engine is designed for:
  • Transaction Monitoring Alerts: Investigate alerts from TMS systems for unusual transaction patterns
  • Sanctions Screening: Verify potential matches against sanctions lists
  • PEP Identification: Investigate politically exposed person alerts
  • Adverse Media Monitoring: Assess negative news coverage about customers or counterparties
  • Periodic Customer Reviews: Conduct scheduled reviews of high-risk customers
  • Referrals from Other Teams: Investigate escalations from frontline staff

Best Practices

Define Clear SOPs

Create comprehensive policies with specific red and green flag rules for each category you want to investigate.

Connect Data Sources

Configure SQL context sources to allow the agent to query historical transaction data automatically.

Structure Alert Data

Provide well-structured alert data with all relevant identifiers for accurate investigation.

Review Dispositions

Define clear disposition classifications in your policy for consistent verdict assignment.