AML – The Complexities of Investigating Compliance Alerts

2020 04 29 10 04 49 Anti Money Laundering The Complexities Of Investigating Compliance Alerts Imran

The sole objective of a screening engine is to generate relevant alerts for trained investigators to analyse and decide whether an alert is deemed a false positive or a true match. This article will examine how a Banking corporation’s AML department utilises investigation techniques to resolve compliance alerts whilst achieving quality, meeting productivity, and regulatory standards.

Banking policy is normally dictated by regulatory standards and its risk appetite, in turn these will dictate how alerts are generated and how alerts processes are written. Process documents should outline how an investigator should perform an investigation whilst ensuring high levels of quality are adhered to, and productivity levels are achieved.

Training for alert investigators is imperative in achieving a high-quality standard, as well as ongoing training to ensure alert screening standards. Line managers should adopt Lean principles to managing investigating analysts and install quality checks at every level of investigation.

A generated compliance alert from a front end screening tool, for whether it be an (SDN) Sanctions alert, (PEP) Politically exposed person alert, or an Adverse Media alert, all will typically display a full profile of the SDN/PEP/Adverse Media Individual in question. It will also show where matches have taken place between the bank’s data on a customer and the SDN/PEP/Adverse Media Individual in question, and in some cases highlighted.

Customer information can be inputted manually, or it can be automatically fed into the screening tool. Information on the SDN/PEP/ Adverse Media Individual is normally supplied by data suppliers, which is also fed into the screening tool to ensure any changes in the SDN/PEP/ Adverse Media lists are reflected in screening.

Screening tools will provide the investigator with information on the potential matches which they use to conduct their investigations, for example of the type of information for a Politically exposed person can be seen below.

Profile Information

  • PEP’s Full Name
  • PEP’s Associations
  • PEP’s Photograph
  • Employment Status
  • Country of Residence
  • Date of Birth
  • Place of Birth
  • Active/Inactive
  • Employment History


This information is compared to the customer information the screening tool has matched in the generated alert. In many instances it is very clear to see where the screening tool has made a match i.e. a name match of Mr. Jeremy Jones Corby (customer) matched against Mr. Jeremy James Corbyn (PEP). These types of alerts can be investigated within seconds whereas some closer matched alerts may take days, as requests for information may delay the ultimate decision the investigator makes.

A screening engine is reliant on the quality of data that is inputted into it. Bad or incomplete data will have impacts on the quality of alerts generated by a screening engine, therefore making the investigations process harder to make the decision of false positive or true match.

Generally, there are 4 main scenarios a generated alert would fall into:

  1. Eliminating a potential match – False Positive
  2. Confirmation of matched data – True Match
  3. Further investigation required / Additional information required
  4. Unable to make a decision with the information to hand and unable to retrieve additional information – Alert Ring Fenced


Having a structured approach to screening alerts is essential to ensuring a full investigation has taken place. Banks must balance the time given to investigate an alert with a quality of the investigation taken place. In order to achieve a high-quality standard and ensure workflows are sustainable, specific standards need to be implemented.

A set of questions called the “Killer Questions” must be asked on every alert, if these questions are asked on every alert, then senior management can take confidence that an investigation has taken place, and every alert has been screened effectively. These questions will leave no doubt that the investigator has made the correct decision.

Below are a few questions typical asked by investigators when investigating PEP alerts, additional questions may be asked of sanctions concerns and high-risk locations for example:

  • IRAN
  • CUBA

When an investigator answer NO to any of the killer question the alert can be discounted, and when any questions are answered as YES, then the investigator must move on to the next question. If the investigator matches 3 key pieces of information such as name, date of birth, and gender. Then the alert match can be considered a full match.

Do the Names Match?

Investigators must first compare whether the customer is a name match to that of the SDN/PEP/ Adverse Media Individual. They compare all parts of the name, First Name, Middle Names, Family Names. They also consider titles, ethnicity, and spelling mistakes.

If Yes, then continue to the next killer question

If No, then the investigator can eliminate the hit.

Do the Date of Births Match?

Date of birth information for the bank’s customer is compared against the SDN/PEP/ Adverse Media information detailed within their screening solution, this information is not always available for the customer or the SDN/PEP/Adverse Media Individual in question. A bank may add additional rules which can be integrated to cover such scenarios as partial dates of birth. Generally, if the date of birth information is missing, then this rule is not used in the investigation process.

 If Yes, then continue to the next killer question

If No, then the investigator can eliminate the hit.

Do the genders match?

This question is not always straight forward as you may think, some eastern cultures use the same name for both males and females.

If Yes, then continue to the next killer question

If No, then the investigator can eliminate the hit.

Does the PEP role fall within the scope of risk appetite?

Not all PEP roles are equal. The basic rule of establishing if a PEP is a PEP is by determining if the PEPs role has Power and Influence. A diagram detailing senior roles from Judges to army chiefs is given to investigators to help determine if the PEP role in question is in the scope of screening.

If Yes, then continue to the next killer question

If No, then the investigator can eliminate the hit.

Is the PEP still active in their role?

Even though a PEP may have retired from their role they are still be classed as PEP, the reason for this is because they still may hold power and influence within their former organisation. In order to take account of this for screening purposes, banks can set a time limit on when they consider a PEP no longer a relevant PEP.

If Yes, then continue to the next killer question

If No, then the investigator can eliminate the hit.

Any Alerts at this stage that have not been eliminated using the exclusion rules above will require further investigation. Investigators must use information from reliable external sources to gather information on the PEP, and internal sources for the customer. Once enough information has been collated and compared the investigator can make a decision. The following may be of considered sources of internal and external sources of additional information:

Historic information – Other Key facts perhaps from related cases or previously generated alerts

Age – Is it possible the customer could be in the PEPs role

Children and other family members – information on numbers, names and ages of children

Occupation – customers occupation and salary can be compared

Material status – Is the customer or PEP married, single, divorced or widowed

Effective Googling –PEP / Sanctions information is available from reliable sources online

As it is possible for internet pages to be updated by anybody, investigators must be careful when choosing what websites, they use to support their investigation. Below is a list of websites that are considered acceptable.

  • State-owned
  • Political party
  • BBC News
  • Established broadsheet
  • LinkedIn
  • Customers own website

Investigators will document their investigation and add rationale detailing the justification they have reached. If the investigator cannot eliminate the alert using the killer questions, then the investigator must tie in all the information gathered internally and externally to produce their rationale. Small differences in personal information can add up and allow the investigator to use the balance of probability to make their decision.

Depending on an organisations risk appetite alerts may require a four-eyed check to ensure accuracy on every alert generated. This may sound excessive but considering the reputational risk and substantial fines of sanctions breaches, some banks incorporate a 6-eye check on every alert to ensure nothing can slip through the net.   

SQA Consulting are happy to assist you further in your compliance needs. Please contact us to find out more.

Get In Touch

Technology Consulting Partners