Lesson 29 of 39
The Investigation Lifecycle: Alert to Escalation *(OUTLINE + BULLET BODY)*
4 min read · CAMS
Walk a case end to end: alert intake → research/enrichment → escalation → decision. Document evidence and reasoning so the case is defensible to examiners and law enforcement. Know when to escalate, when to file, and when to exit (de-risk) a customer relationship.
Cold open / hook *(0:00–0:30)* — [scripted]
An alert is just a question: "Is this normal?" The investigator's job is to turn that question into a defensible answer — and to build a file so clear that, months from now, an examiner or a federal agent can pick it up cold and follow every step of the reasoning. A sloppy investigation isn't just a missed criminal; it's a finding against the bank. By the end of this lecture, you'll be able to walk a case from the moment the alert lands to the moment it's escalated, decided, and documented — including the hardest call of all, when to fire the customer.
Body — [bullet teaching outline; expand to ~150 wpm prose when recording]
Alert intake & triage
- Cases originate from multiple sources: **automated monitoring alerts**, **screening hits**, **front-line/employee referrals**, **314(a) matches**, **law-enforcement requests (subpoenas, warrants)**, and **negative news**.
- **Triage / prioritization:** assess severity and risk to decide the order of work. Not every alert is equal: high-risk customers, a sanctions nexus, and large or rapid flows go first. ML alert-scoring (Domain 4) can assist here.
- Capture the **basics immediately** in the case-management system: who, what triggered it, when, the relevant accounts/transactions, and a unique case ID for the **audit trail**.
Research & enrichment
- **Pull the internal picture:** account/KYC profile, expected activity, beneficial ownership, prior alerts/SARs, relationship history, and the **full transaction set** around the alert (not just the flagged item).
- **Enrich with external data:** corporate registries, adverse media/negative news, sanctions/PEP status, public records, and, for crypto, blockchain analytics. **Entity resolution** (Domain 4) ensures you've connected all of the customer's records.
- **The central question:** does the activity have a **reasonable, lawful explanation consistent with the customer's profile**, or is it **unusual, unexplained, or matching a known typology**? Compare *expected* vs. *actual* behavior.
- You may ask the customer **ordinary due-diligence questions** (purpose of a wire, source of funds), but remember the **tipping-off** rule: you must **never** signal that a SAR is being considered or filed.
Documentation & evidence
- **Document as you go.** Record the facts reviewed, the analysis, and the **rationale** for the conclusion. The standard: a third party should be able to **reconstruct the decision** from the file alone.
- **Document the no-file too.** A decision **not** to file is just as important to record. Examiners scrutinize closed alerts for under-reporting; "we looked and here's why it's explained" is the defense.
- Preserve **supporting documentation** (statements, transaction records, screenshots, correspondence). For SARs, this support must be retained **5 years** and provided to FinCEN/law enforcement **on request without a subpoena** (31 CFR 1020.320).
- Keep the file **objective and factual**: conclusions backed by evidence, not speculation.
Escalation paths
- When research suggests potential suspicious activity, escalate per the **program's defined path**: typically analyst → **investigations/SAR review team** → the **BSA/AML compliance officer** (or a SAR decisioning committee), who owns the **file/no-file** decision.
- Escalation must be **timely** because the **SAR clock is running**: file no later than **30 calendar days** after the date of initial detection of facts that may constitute a basis for filing. If no suspect was identified on the date of detection, filing may be delayed an additional 30 days to identify one, but **in no case more than 60 calendar days** after initial detection. The clock starts when an appropriate review determines the activity is suspicious, not when the automated alert fires, so a slow internal escalation can blow the deadline.
- Escalate **outside compliance** when warranted: senior management/legal for major matters, and **immediately** for sanctions hits (OFAC blocking/reporting) or imminent law-enforcement issues.
- The outcome is one of: **file a SAR**, **close with documented rationale**, **continue monitoring** (e.g., place the customer on a watch/heightened-monitoring list), or **escalate to a relationship decision** (de-risking).
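An added illustration of the timing rule and the queue ordering it implies, written for this edit rather than taken from the lesson or any CAMS material. It encodes the 30/60 calendar-day windows of 31 CFR 1020.320 in Python, ranks a case queue by days left, and appends attributed, dated audit-trail lines. The `ESCALATION_WARNING_DAYS` threshold is an assumed internal policy value, not a regulatory one, and the case IDs, dates, and analyst name are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# 31 CFR 1020.320 timing as described in the lesson (calendar days, not business days).
FILING_WINDOW_DAYS = 30      # after the date of initial detection, suspect identified
NO_SUSPECT_WINDOW_DAYS = 60  # hard cap when no suspect was identified at detection

# Assumed internal policy threshold (not from the regulation): flag a case that has
# not yet reached the BSA officer once this many days or fewer remain.
ESCALATION_WARNING_DAYS = 10


@dataclass
class Case:
    case_id: str
    initial_detection: date            # date the review determined the activity is suspicious
    suspect_identified_at_detection: bool
    escalated_on: Optional[date] = None  # date it reached the BSA/AML officer or committee
    audit_trail: list[str] = field(default_factory=list)

    def log(self, when: date, who: str, entry: str) -> None:
        """Append-only, dated, attributed entry so a third party can reconstruct the work."""
        self.audit_trail.append(f"{when.isoformat()} {who}: {entry}")


def sar_deadline(detection: date, suspect_identified_at_detection: bool) -> date:
    """Latest calendar date on which the SAR may be filed for this detection.

    The extension only applies when no suspect was identified on the detection
    date; identifying one later does not shorten the window, and nothing extends
    it past 60 days.
    """
    window = FILING_WINDOW_DAYS if suspect_identified_at_detection else NO_SUSPECT_WINDOW_DAYS
    return detection + timedelta(days=window)


def days_remaining(case: Case, today: date) -> int:
    """Calendar days left until the deadline; negative means the filing is overdue."""
    deadline = sar_deadline(case.initial_detection, case.suspect_identified_at_detection)
    return (deadline - today).days


def status(case: Case, today: date) -> str:
    left = days_remaining(case, today)
    if left < 0:
        return "OVERDUE"          # escalated or not, the deadline has passed
    if case.escalated_on is None and left <= ESCALATION_WARNING_DAYS:
        return "ESCALATE_NOW"     # still below the BSA officer with little time left
    return "ON_TRACK"


def triage(cases: list[Case], today: date) -> list[tuple[str, str, int]]:
    """Order the queue by urgency: least time remaining first."""
    ranked = sorted(cases, key=lambda c: days_remaining(c, today))
    return [(c.case_id, status(c, today), days_remaining(c, today)) for c in ranked]


# Constructed sample queue, evaluated as of a constructed "today".
TODAY = date(2024, 3, 25)
SAMPLE_CASES = [
    Case("C-1001", date(2024, 3, 1), suspect_identified_at_detection=True),
    Case("C-1002", date(2024, 2, 20), suspect_identified_at_detection=False),
    Case("C-1003", date(2024, 1, 20), suspect_identified_at_detection=False,
         escalated_on=date(2024, 3, 10)),
]
SAMPLE_CASES[0].log(date(2024, 3, 1), "analyst.jdoe",
                    "Alert A-77 triaged: cash deposits just under $10,000, outside KYC profile.")

if __name__ == "__main__":
    for case_id, state, left in triage(SAMPLE_CASES, TODAY):
        print(f"{case_id}: {state} ({left} days to deadline)")
```

Run as written, the queue comes back with C-1003 first: it was escalated, but its 60-day cap expired on 20 March, so escalation alone did not save it. C-1001 has six days left and has not reached the BSA officer, which is the "slow internal escalation" failure the bullet above warns about.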
De-risking & exit decisions
- **De-risking** = exiting or restricting a customer/relationship deemed to carry **unacceptable risk.** It is a **business-and-risk decision distinct from SAR filing**, and critically, **closing the account does NOT satisfy the SAR obligation**; if activity is suspicious, you still **file**.
- Regulators caution against **wholesale de-risking** of entire categories (e.g., all MSBs, all correspondents from a region) **without case-by-case analysis**. FATF and U.S. agencies warn it can cut people off from the financial system and push activity underground (the financial-exclusion concern).
- Sometimes law enforcement issues a **"keep open" request**, asking the institution **not** to close an account so an investigation can continue. These should be **in writing** with a defined duration; the institution still maintains its monitoring and SAR obligations.
- Exit is the **last resort after escalation**, weighed against the value of continued monitoring (and any keep-open request): a documented, deliberate decision, not a reflex.
Recap & next — [scripted]
So the lifecycle is a chain you can recite: an alert comes in and gets triaged, you research it inside and out and enrich it with external data, you ask the core question — does this fit the customer's profile or match a typology? — and you document every step, including a decision not to file. If it looks suspicious, you escalate up the defined path to the compliance officer while that thirty-day clock ticks, and the outcome is file, close, keep watching, or exit. And remember the two traps: de-risking a customer doesn't excuse you from filing the SAR, and don't slam the account shut if law enforcement asked you to keep it open. Next, we tackle the single most tested deliverable of any investigation — writing the SAR narrative itself: the five W's plus how, the supporting documents, and the deadlines you cannot miss.
Sources
- FFIEC BSA/AML Examination Manual (Suspicious Activity Monitoring & Reporting: alert investigation & SAR decisioning)
- 31 CFR 1020.320 (SAR filing, 30/60-day timing, 5-year retention, supporting documentation)
- FATF guidance on de-risking & financial inclusion
- FinCEN/interagency statements on de-risking
- USA PATRIOT Act §314(a)