Alert Investigation & Case Management
FraudShield AI generates an alert for every transaction that scores above the configured HIGH threshold. Case Management is the operational layer that takes those alerts from creation through to final disposition: routing them to the right analyst, supporting the investigation, capturing the outcome, and feeding results back into the model.
The Case Manager module includes an Advanced Work Allocation (AWA) engine, investigation workspaces, case creation and linking tools, and a regulatory filing integration for SAR/CTR submissions. This page describes the full alert lifecycle.
Alert lifecycle
Transaction scored → Decision: STEP-UP or BLOCK
                        │
                        ▼
Alert created (alert_id, risk_score, BTA, top RIs, transaction data)
                        │
                        ▼
┌─────────────────────────────────────────────────────────────────┐
│ WORK ALLOCATION ENGINE (AWA)                                    │
│ Evaluates: alert type, channel, amount, language, geography,    │
│ customer tier, analyst skill set, queue capacity, SLA deadline  │
│                                                                 │
│ Route to individual queue ──► Analyst sees alert in queue       │
│ Route to open pool        ──► Any eligible analyst can claim    │
│ GetNext                   ──► Highest-priority alert pushed     │
│                               to the most available analyst     │
└───────────────────────┬─────────────────────────────────────────┘
                        │
                        ▼
       Analyst opens Alert Workspace
       ┌──────────────────────────────────┐
       │ Transaction details              │
       │ Explainability (top contributing │
       │ RIs + display text)              │
       │ Account profile & history        │
       │ Customer record (CDD tab)        │
       │ Prior alert history              │
       │ Linked cases                     │
       └──────────────────────────────────┘
                        │
                 ┌──────┴──────────────┐
                 │ Investigation tools │
                 │ · Add to case       │
                 │ · Network graph     │
                 │ · Request info      │
                 │ · Add note          │
                 │ · Attach document   │
                 └──────┬──────────────┘
                        │
                        ▼
              Disposition selected
    ┌─────────────────┬─────────────────┬─────────────────┐
    │                 │                 │                 │
Confirmed        Suspicious           False           Duplicate
  Fraud           No Action         Positive
    │                 │                 │                 │
    ▼                 ▼                 ▼                 ▼
Escalate /     Soft-label for     FPR metric +       Deduplicate
SAR review       monitoring        suppression        and close
                                    candidate
Advanced Work Allocation (AWA)
The AWA engine ensures every alert is routed to the analyst best positioned to resolve it quickly and accurately. Routing decisions are based on a policy matrix that matches alert attributes to analyst skills, availability, and business unit assignment.
AWA routing factors
| Factor | Alert attributes considered | Analyst attributes considered |
|---|---|---|
| Fraud type / skill | BTA, transaction type, top RI category (e.g. ATO, mule, card CNP) | Skill set (e.g. Wire Fraud, Card Fraud, RTP Mule), proficiency level per skill |
| Priority | Risk score, transaction amount, CRITICAL vs. HIGH level, time-sensitive rails (RTP/FedNow) | Current queue depth, in-progress case count |
| Geography / language | Customer home country, beneficiary country, branch region | Language certification, regional specialization |
| Customer tier | VIP flag, HNW segment, business vs. retail | VIP handling certification, relationship manager liaison |
| SLA deadline | Time since alert creation, regulatory reporting deadlines (SAR 30-day window) | SLA capacity, supervisor override capability |
GetNext
When an analyst selects Get Next in the Case Manager interface, the AWA engine evaluates all pending alerts in the open pool and pushes the single highest-priority alert for which the analyst is qualified. This prevents cherry-picking of low-complexity alerts and ensures SLA-critical items are resolved first.
Supervisor assignment
Supervisors can view the full open-pool queue, see per-analyst workload metrics, and manually assign or reassign alerts. Alerts that remain unassigned beyond a configurable SLA threshold are escalated to the supervisor queue automatically.
Investigation workspace
When an analyst opens an alert, the investigation workspace surfaces all relevant data in a single view. Analysts don't need to switch between systems to build an investigation picture.
| Workspace tab | Content |
|---|---|
| Alert details | Transaction data, risk score, BTA, model version, enrichment summary, and the top 5 Risk Indicator contributors with display text and raw values. |
| Account history | Rolling transaction history (30/90 days), prior alerts on this account, existing open cases, average transaction amounts and velocity. |
| Customer record | Customer profile, CDD risk score, PEP/beneficial ownership flags, account relationships, and open CDD reviews. Sourced from the Customer Risk module. |
| Network graph | Entity relationship graph showing shared devices, IPs, payees, and beneficiary accounts. Highlights known mule network members and previously confirmed fraud links. |
| Linked cases | Other alerts and cases associated with the same customer, beneficiary account, device, or IP address. Supports pattern recognition across multiple fraud events. |
| Audit trail | Timestamped log of all actions taken on this alert: opens, notes, case links, status changes. Immutable once written. |
Case creation and linking
Analysts can link a single alert to an existing case or create a new case. Cases group related alerts, allowing the investigation of coordinated fraud patterns (such as a mule network or an organized ring) under a single investigative record.
Case types
| Case type | Description | Common use |
|---|---|---|
| Single-alert case | One case per alert. Used when the alert represents a standalone event with no known related activity. | One-off ATO event, isolated high-value wire |
| Multi-alert case | Multiple alerts grouped under one case. Alerts may span accounts, customers, or time periods. | Mule network investigation, serial first-party fraud |
| Regulatory case | Cases created specifically to support SAR or CTR filing. Contains a structured narrative section aligned to FinCEN BSA e-filing requirements. | SAR filing within 30 days of suspicion, CTR for cash transactions > $10,000 |
Investigation actions
During investigation, analysts can take the following actions from the workspace:
- Add note: Free-text note attached to the alert or case. Notes are time-stamped, analyst-attributed, and included in the audit trail. Required for SAR narrative drafts.
- Request information: Sends a structured information request to the customer's relationship manager or branch. Tracks status (pending / received / overdue) and logs the response.
- Attach document: Uploads supporting evidence (transaction receipts, ID documents, call recordings, screenshots). Documents are stored in the case record and retained per the document retention policy.
- Place hold: Flags the associated account for a temporary transaction hold pending investigation outcome. Requires supervisor approval for accounts above a configured balance threshold.
- Escalate: Routes the case to a senior analyst or a specialized fraud investigation team. The escalation reason is logged and the SLA clock resets to the escalation-tier target.
- Network expand: Adds related entities (shared device, beneficiary account, IP address) to the network graph and generates linked alerts for any of those entities currently under investigation.
Disposition and regulatory reporting
When investigation is complete, the analyst selects a disposition and completes any required regulatory reporting steps.
- Select disposition: Choose from Confirmed Fraud, Suspicious — No Action, False Positive, or Duplicate. All dispositions require a reason code; a free-text note is optional.
- Fraud loss recording (Confirmed Fraud only): Enter the fraud loss amount, recovery amount (if any), and fraud category code. Loss data is written to the fraud loss register and fed into model performance reporting.
- SAR assessment: For Confirmed Fraud and Suspicious dispositions, the system prompts: "Does this activity require a SAR filing?" If yes, a regulatory case is created and the 30-day filing clock starts. The analyst is assigned as the SAR owner.
- SAR narrative drafting: The SAR workspace pre-populates the FinCEN SAR form fields from the case data: account information, suspicious activity type, date range, and dollar amount. The analyst completes the narrative section, which must describe the activity in plain language. The AI narrative assist tool can generate a draft narrative from case notes for analyst review and edit.
- Supervisor review and SAR approval: The completed SAR is routed to the BSA Officer for review and approval. Approval triggers FinCEN BSA e-filing via the integrated STAR module. The confirmation receipt is attached to the case record.
- Case closure and feedback loop: Once filed or closed without regulatory action, the case is marked closed. Disposition data is written to the model feedback dataset. The analyst's disposition is used in the next retraining cycle's label set.
SLA management
The AWA engine tracks SLA compliance for every alert and case. Configurable SLA targets are set per alert risk level and BTA.
| Alert level | Default investigation SLA | SAR filing SLA | Escalation trigger |
|---|---|---|---|
| CRITICAL | 4 business hours | 30 calendar days from suspicion | At 2 hours unworked |
| HIGH | 1 business day | 30 calendar days from suspicion | At 4 hours unworked |
| MEDIUM (batch review) | 3 business days | N/A (batch review only) | At end of day 2 |
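GetNext selection combined with the escalation triggers from the SLA table above, as an added example (not FraudShield code). The `Alert` fields, the priority ordering within a level, the use of elapsed rather than business hours, and the removal of escalated alerts from the open pool are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Escalation triggers from the SLA table (hours unworked); elapsed hours assumed here.
ESCALATE_AFTER = {"CRITICAL": timedelta(hours=2), "HIGH": timedelta(hours=4)}
LEVEL_RANK = {"CRITICAL": 0, "HIGH": 1}
TIME_SENSITIVE_RAILS = {"RTP", "FedNow"}

@dataclass(frozen=True)
class Alert:  # hypothetical record; field names are assumptions
    alert_id: str
    level: str
    risk_score: float
    rail: str
    required_skill: str
    created: datetime

def split_pool(pool, now):
    """Separate alerts past their unworked trigger (supervisor queue) from the open pool."""
    open_pool, supervisor = [], []
    for a in pool:
        overdue = now - a.created >= ESCALATE_AFTER[a.level]
        (supervisor if overdue else open_pool).append(a)
    return open_pool, supervisor

def priority_key(a):
    # Assumed ordering: level, then time-sensitive rail, then score (desc), then oldest first.
    return (LEVEL_RANK[a.level], a.rail not in TIME_SENSITIVE_RAILS, -a.risk_score, a.created)

def get_next(pool, analyst_skills, now):
    """Return the single highest-priority open-pool alert the analyst is qualified for."""
    open_pool, _ = split_pool(pool, now)
    eligible = [a for a in open_pool if a.required_skill in analyst_skills]
    return min(eligible, key=priority_key, default=None)

# Constructed sample pool (not real data).
NOW = datetime(2024, 1, 8, 12, 0)
POOL = [
    Alert("A-1", "HIGH", 0.97, "ACH", "Card Fraud", NOW - timedelta(minutes=30)),
    Alert("A-2", "CRITICAL", 0.91, "Wire", "Wire Fraud", NOW - timedelta(minutes=50)),
    Alert("A-3", "CRITICAL", 0.88, "RTP", "RTP Mule", NOW - timedelta(minutes=10)),
    Alert("A-4", "CRITICAL", 0.99, "Wire", "Wire Fraud", NOW - timedelta(hours=3)),
    Alert("A-5", "HIGH", 0.80, "FedNow", "RTP Mule", NOW - timedelta(hours=1)),
]
```

Because the analyst receives one alert chosen by `priority_key` rather than a list to pick from, a wire-fraud analyst gets the CRITICAL alert A-2 ahead of the higher-scoring HIGH alert A-1, while A-4 has already left the pool for the supervisor queue.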