> ## Documentation Index
> Fetch the complete documentation index at: https://docs.roe-ai.com/llms.txt
> Use this file to discover all available pages before exploring further.
# AML Investigation
> Investigates transaction data for potential money laundering patterns using policy-driven analysis
## AML Investigation Engine Overview
The AML (Anti-Money Laundering) Investigation Engine is an agentic workflow that investigates transaction data for potential money laundering patterns. It analyzes alerts against your defined Standard Operating Procedures (SOPs), performs web research, and queries data warehouses to gather evidence and produce a structured investigation result.
### Key Capabilities
* **Policy-Driven Analysis**: Investigates transactions against your AML SOP guidelines
* **Automated Evidence Collection**: Uses web research and SQL queries to gather evidence
* **Category-by-Category Analysis**: Evaluates red flags and green flags per SOP category
* **Structured Verdicts**: Produces investigation results with clear verdicts from your policy dispositions
## AML Investigation Engine Inputs
The AML Investigation Engine Configuration has **four parameters**:
| Parameter | Required | Description |
| ----------------------- | -------- | ---------------------------------------------------------------------------------------------- |
| **policy\_version\_id** | Yes | The Policy version ID containing your AML investigation guidelines (SOP) |
| **context\_sources** | No | Data sources (e.g., Snowflake) for the agent to query transaction data during investigation |
| **alert\_data** | Yes | Alert data that triggered this investigation (JSON string with alert details) |
| **transaction\_data** | No | Pre-loaded transaction data (JSON string). If empty, the agent will fetch from context sources |
See [Template Strings](/agents/input-definition#template-strings) for dynamic parameter configuration.
## AML Investigation Output
The output is a structured JSON object containing:
### Policy Applied
Information about the policy used for investigation:
* `name`: Name of the policy applied
* `version`: Version ID of the policy applied
### AML Analysis
Complete investigation result including:
| Field | Description |
| -------------------- | ----------------------------------------------------------------------------------- |
| `verdict` | Final verdict from policy dispositions (e.g., "Clear - False Positive", "File STR") |
| `summary` | Executive summary explaining the conclusion and key findings |
| `category_analysis` | Detailed analysis for each category in the policy guidelines |
| `out_of_scope_flags` | Additional findings not covered by the defined guidelines |
| `reason_for_output` | Brief explanation of the thought process behind the verdict |
### Category Analysis Structure
For each SOP category, the output includes:
* `category_title`: Title of the category
* `summary`: 2-3 sentence summary of findings
* `red_flag_analysis`: Array of RED\_FLAG rules with hit status and evidence
* `green_flag_analysis`: Array of GREEN\_FLAG rules with hit status and evidence
### Evidence Structure
Each piece of evidence includes:
* `evidence_type`: "web\_link", "screenshot", or "artifact"
* `evidence_data`: URL or artifact reference
* `evidence_name`: Short descriptive name
* `evidence_description`: Why this evidence is relevant
## Policy (SOP) Structure
Your AML policy should contain:
1. **Instructions**: High-level data exploration and investigation guidance
2. **Guidelines**: Organized as Categories > Rules
* Each Category (e.g., "BLACKLISTED\_BARCODE\_CHECK", "DAILY\_TRANSACTION\_COUNT\_CHECK") contains multiple Rules
* Each Rule has a `flag` type (GREEN\_FLAG or RED\_FLAG), `title`, and `description`
3. **Dispositions**: Classification options for final verdicts
## Supported Context Sources
The AML Investigation Engine supports the following data source connectors:
| Connector | Type | Description |
| -------------- | ---- | -------------------------------------------------------------------------------- |
| **Snowflake** | SQL | Query your Snowflake data warehouse for transaction history, customer data, etc. |
| **Roe Tables** | SQL | Query tables stored in Roe Tables for internal data analysis |
| **Zendesk** | API | Fetch support tickets and customer communication history |
Configure context sources to allow the agent to automatically fetch transaction data during investigation. The agent will use natural language to generate appropriate SQL queries or API calls.
## Creating an AML Policy
The AML Investigation Engine requires a policy containing your Standard Operating Procedures (SOPs). You can create policies using the [Policies](/policies/introduction) feature.
A pre-built **AML Investigation Workflow** policy template is available in the platform. This template provides a comprehensive framework for alert review, typology assessment, evidence synthesis, and regulatory reporting decisions.
### Policy Template Structure
The AML policy template includes:
* **Alert Intake and Classification**: Initial steps for processing alerts
* **Customer Due Diligence Review**: KYC verification and customer profile analysis
* **Transaction Pattern Analysis**: Suspicious activity indicators
* **Web Research Guidance**: Entity verification and adverse media screening
* **Disposition Classifications**: Clear verdict options (e.g., "Clear - False Positive", "File STR", "Escalate for Review")
## Example Alert Data
```json theme={null}
{
"alert_id": "ALT-2024-001234",
"merchant_id": "MER-789456",
"merchant_name": "ABC Trading Co.",
"alert_type": "HIGH_VOLUME_TRANSACTIONS",
"alert_date": "2024-01-15",
"triggered_by": "Daily transaction count exceeded threshold",
"transaction_summary": {
"total_transactions": 450,
"total_amount": 125000.00,
"average_amount": 277.78
}
}
```
## Example Output
```json theme={null}
{
"policy_applied": {
"name": "AML Investigation SOP v2",
"version": "pol_ver_abc123"
},
"aml_analysis": {
"verdict": "Clear - Continue Monitoring",
"summary": "Investigation found high transaction volume consistent with seasonal business patterns. No indicators of structuring or suspicious counterparties identified.",
"category_analysis": [
{
"category_title": "TRANSACTION_PATTERN_CHECK",
"summary": "Transaction patterns show legitimate business activity with seasonal variation.",
"red_flag_analysis": [
{
"rule_title": "Round Amount Detection",
"hit": false,
"evidences": []
}
],
"green_flag_analysis": [
{
"rule_title": "Consistent Business Hours",
"hit": true,
"evidences": [
{
"evidence_type": "artifact",
"evidence_data": "AMLInvestigationEngine-123/sql_query_1234567.json",
"evidence_name": "Transaction timing analysis",
"evidence_description": "95% of transactions occur during business hours 9am-6pm"
}
]
}
]
}
],
"out_of_scope_flags": [],
"reason_for_output": "I analyzed the merchant's transaction patterns and found them consistent with their stated business type. The high volume is explained by seasonal factors and no structuring patterns were detected."
}
}
```
## Common Verdict Classifications
Define disposition classifications in your policy that match your compliance requirements. Common examples include:
| Verdict | Description |
| ------------------------------------- | --------------------------------------------------------- |
| **Clear - False Positive** | Alert reviewed, no suspicious activity identified |
| **Clear - Continue Monitoring** | No immediate concern, but enhanced monitoring recommended |
| **Hold - Pending Documentation** | Additional documentation needed before final decision |
| **Escalate for Review** | Requires senior analyst or compliance officer review |
| **File STR** | Suspicious Transaction Report should be filed |
| **Temporary Suspension + Escalation** | Account suspended pending further investigation |
## Use Cases
The AML Investigation Engine is designed for:
* **Transaction Monitoring Alerts**: Investigate alerts from TMS systems for unusual transaction patterns
* **Sanctions Screening**: Verify potential matches against sanctions lists
* **PEP Identification**: Investigate politically exposed person alerts
* **Adverse Media Monitoring**: Assess negative news coverage about customers or counterparties
* **Periodic Customer Reviews**: Conduct scheduled reviews of high-risk customers
* **Referrals from Other Teams**: Investigate escalations from frontline staff
## Best Practices
Create comprehensive policies with specific red and green flag rules for each category you want to investigate
Configure SQL context sources to allow the agent to query historical transaction data automatically
Provide well-structured alert data with all relevant identifiers for accurate investigation
Define clear disposition classifications in your policy for consistent verdict assignment
## Related Resources
Learn how to create and manage AML investigation policies
Set up Snowflake and other data source connections