Investigation Triggers and Case Triage
Key Takeaways
- Investigations begin from triggers: transaction-monitoring alerts, sanctions/PEP screening hits, internal referrals, negative news, law-enforcement inquiries, and subpoenas.
- Triage ranks cases by risk, not by arrival order — a clear structuring pattern outranks a low-value single alert.
- The CAMS exam is 120 questions, 3.5 hours, passing score 75 (scaled), with no penalty for guessing and immediate pass/fail results.
- An alert is not a conclusion: the investigator's job is to gather facts and decide whether suspicion is articulable, not to assume guilt.
How Investigations Are Triggered
A financial-crime investigation is the structured process of researching a customer, account, or transaction to decide whether activity is suspicious and reportable. Investigations do not start at random — they begin from a defined trigger event. The Certified Anti-Money Laundering Specialist (CAMS) exam expects you to recognize each trigger source and the correct first response.
Common triggers include: a transaction-monitoring alert (a rule or model flags unusual activity); a sanctions or politically exposed person (PEP) screening hit; an internal referral from a front-line employee (for example, a teller who observes a customer breaking a deposit into amounts just under reporting limits); negative news or adverse media; a law-enforcement request such as a grand-jury subpoena or a Section 314(a) request; and a prior Suspicious Activity Report (SAR) that requires continuing-activity review.
A critical exam concept: an alert is not a finding of guilt. Monitoring systems generate many false positives. The investigator gathers facts — customer profile, expected activity, source of funds, and counterparties — and then decides whether suspicion is articulable. Closing an alert with a documented "no suspicious activity" rationale is a legitimate, common outcome.
Triage: Working the Right Case First
Triage ranks open cases so analysts handle the highest-risk files within deadlines. The U.S. SAR clock is strict: file within 30 calendar days of initial detection of facts that form a basis for filing, extendable to 60 days if no suspect is yet identified. Triage must protect that deadline.
| Factor | Lower priority | Higher priority |
|---|---|---|
| Activity type | Single small cash deposit | Apparent structuring below $10,000 |
| Customer risk | Long-tenured retail customer | High-risk MSB or shell-company indicators |
| Typology | Isolated anomaly | Sanctions evasion, trade-based laundering, terrorist financing |
| Deadline | Newly opened alert | Aging case near the 30-day SAR window |
A Worked Triage Example
An analyst opens the queue Monday with three alerts. Alert A is a $400 ATM withdrawal flagged for geography. Alert B shows a customer making nine cash deposits of $9,400 across three branches in five days. Alert C is a wire to a country newly added to a sanctions advisory. Correct triage works B and C before A: B shows a classic structuring pattern designed to evade the $10,000 Currency Transaction Report (CTR), and C touches sanctions risk — both carry severe regulatory and criminal exposure. A is low-value and can be batched.
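The ranking logic behind the triage table and the worked example above, as an added illustration (not part of the original page or of any CAMS material): each alert is scored on its suspected typology, the customer's KYC risk rating, whether a pattern rather than a single transaction is involved, and how far the 30-day SAR clock has run. The weights, the alert fields and the constructed queue are assumptions chosen so the ordering matches the page; a fourth alert D is added to show an aging low-value case jumping above a fresh one.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative weights (assumptions for this example, not a CAMS standard).
TYPOLOGY_WEIGHTS = {
    "terrorist_financing": 50,
    "sanctions": 45,
    "structuring": 40,
    "trade_based": 35,
    "layering": 30,
    "funnel": 30,
    "geography": 5,        # a single geography-flagged transaction is low value on its own
    "none": 0,
}
CUSTOMER_RISK_WEIGHTS = {"low": 0, "medium": 10, "high": 25}
SAR_DEADLINE_DAYS = 30     # from the page: file within 30 calendar days of initial detection
AGING_WARN_DAY = 20        # the page's example aging-report trigger ("say, day 20")
MONDAY = date(2024, 3, 4)  # constructed "today" for the sample queue


@dataclass(frozen=True)
class Alert:
    alert_id: str
    customer_id: str
    typology: str           # suspected typology from the rule that fired
    customer_risk: str      # KYC risk rating: low / medium / high
    transaction_count: int  # number of transactions behind the alert
    detected_on: date       # initial detection date; the SAR clock runs from here


def deadline_pressure(alert: Alert, today: date) -> int:
    """Extra priority as the 30-day SAR window runs down."""
    days_elapsed = (today - alert.detected_on).days
    if days_elapsed >= SAR_DEADLINE_DAYS:
        return 100          # already breached: straight to the top of the queue
    if days_elapsed >= AGING_WARN_DAY:
        return 30           # would be surfaced by the daily aging report
    return 0


def triage_score(alert: Alert, today: date) -> int:
    """Risk-based priority: typology, customer risk, pattern bonus, deadline pressure."""
    score = TYPOLOGY_WEIGHTS[alert.typology]
    score += CUSTOMER_RISK_WEIGHTS[alert.customer_risk]
    if alert.transaction_count >= 3:
        score += 10         # a pattern outranks an isolated anomaly
    score += deadline_pressure(alert, today)
    return score


def triage_queue(alerts, today: date):
    """Return alert ids highest risk first, regardless of arrival order."""
    ranked = sorted(alerts, key=lambda a: triage_score(a, today), reverse=True)
    return [a.alert_id for a in ranked]


def sample_queue(today: date):
    """Constructed alerts mirroring the page's worked example, plus an aging case D."""
    return [
        Alert("A", "cust-1", "geography",   "low",    1, today),                      # $400 ATM withdrawal
        Alert("B", "cust-2", "structuring", "medium", 9, today - timedelta(days=5)),  # nine $9,400 deposits
        Alert("C", "cust-3", "sanctions",   "medium", 1, today),                      # wire to advisory country
        Alert("D", "cust-4", "geography",   "low",    1, today - timedelta(days=22)), # low value but day 22
    ]


def demo_order():
    """Ranking of the sample queue on the constructed Monday."""
    return triage_queue(sample_queue(MONDAY), MONDAY)


if __name__ == "__main__":
    for alert in sample_queue(MONDAY):
        print(alert.alert_id, triage_score(alert, MONDAY))
    print(demo_order())
```

Run as a script it prints B, C, D, A: B and C lead on typology, D overtakes A only because its clock is at day 22, which is the "escalating trigger" effect described later in the page. In a real program the weights would come from the risk assessment and the scoring would be re-run daily, since a case's score changes as it ages even when no new facts arrive.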
The Five-Step Investigation Workflow
Once a case is triaged, investigators follow a repeatable sequence. The exam frequently asks which step comes next, so know the order:
- Scope the alert — read the rule that fired and the transactions that triggered it. Understand why the system flagged the activity before forming any opinion.
- Profile the customer — pull the Know Your Customer (KYC) file, occupation, expected activity, beneficial ownership, and risk rating. Suspicion arises mainly from deviation between actual and expected behavior.
- Reconstruct the activity — map the flow of funds: who sent, who received, amounts, dates, instruments, and counterparties. Look for layering, round-tripping, rapid in-and-out movement, and pass-through accounts.
- Corroborate — supplement internal data with vetted open sources to confirm or dispel the hypothesis.
- Decide and document — either close with a no-suspicious-activity rationale or escalate for a SAR decision, recording the basis either way.
Red-Flag Typologies to Recognize
The CAMS blueprint expects fluency in classic laundering typologies that surface during triage:
- Structuring (smurfing) — breaking cash into amounts below $10,000 to dodge CTRs.
- Funnel accounts — deposits in many geographies, withdrawals in one.
- Trade-based laundering — over- or under-invoicing to move value across borders.
- Layering — rapid movement through multiple accounts or shell entities to obscure origin.
- Pass-through / nested accounts — a customer's account used to move third parties' funds.
A disciplined investigator pattern-matches the fact set against these typologies early, because naming the suspected scheme focuses the rest of the workflow and strengthens the eventual narrative.
Managing Deadlines Across the Queue
Triage is not a one-time sort; it is continuous. As cases age, their priority rises because the 30-day SAR clock keeps running from the date of initial detection, not from when the analyst happens to open the file. A common program control is a daily aging report that surfaces any case approaching, say, day 20 so it cannot silently breach the deadline. Investigators should also recognize escalating triggers: a low-priority alert can jump the queue if new information — a 314(a) match, a subpoena, or fresh adverse media — attaches to the same customer.
Treat the customer, not the single alert, as the unit of investigation, and merge related alerts so the full picture (and the earliest detection date) is assessed together rather than piecemeal.
Common Traps
- Working first-in-first-out. The exam rewards risk-based prioritization, not chronological order.
- Treating the alert as the conclusion. You investigate to confirm or dispel suspicion, not to justify a predetermined SAR.
- Ignoring aggregation. Several sub-threshold transactions can together meet the $5,000 SAR threshold or reveal structuring; review them as a pattern, not in isolation.
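The aggregation point above, and the earlier advice to merge related alerts so the customer (and the earliest detection date) is the unit of investigation, as one added example that is not from the original page: the first function groups cash deposits per customer and flags any run of individually sub-$10,000 deposits that together reach the CTR threshold inside a short window; the second merges alerts per customer and computes the SAR due date from the earliest detection among them, using the 30-day window from the page or the 60-day extension when no suspect is identified. The deposit and alert records, the five-day window and the minimum count of three are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000      # Currency Transaction Report threshold (from the page)
SAR_FILING_DAYS = 30        # SAR clock: 30 calendar days from initial detection (from the page)
SAR_NO_SUSPECT_DAYS = 60    # extended window when no suspect is yet identified (from the page)


@dataclass(frozen=True)
class CashDeposit:
    customer_id: str
    branch: str
    amount: int
    posted_on: date


@dataclass(frozen=True)
class StructuringFinding:
    window_start: date
    window_end: date
    total: int
    count: int
    branches: list


def find_structuring(deposits, window_days=5, min_count=3):
    """Flag customers whose individually sub-threshold cash deposits, within any
    window_days span, add up to the CTR threshold or more. A single deposit at or
    above the threshold is a CTR, not structuring, so it is left out."""
    by_customer = defaultdict(list)
    for d in deposits:
        if d.amount < CTR_THRESHOLD:
            by_customer[d.customer_id].append(d)
    findings = {}
    for cid, items in by_customer.items():
        items.sort(key=lambda d: d.posted_on)
        best = None
        for i, start in enumerate(items):
            window = [d for d in items[i:] if (d.posted_on - start.posted_on).days < window_days]
            total = sum(d.amount for d in window)
            if len(window) >= min_count and total >= CTR_THRESHOLD:
                if best is None or total > best.total:
                    best = StructuringFinding(start.posted_on, window[-1].posted_on, total,
                                              len(window), sorted({d.branch for d in window}))
        if best is not None:
            findings[cid] = best
    return findings


@dataclass(frozen=True)
class Alert:
    alert_id: str
    customer_id: str
    detected_on: date
    suspect_identified: bool = True


def merge_alerts_by_customer(alerts):
    """One case per customer; the SAR clock runs from the earliest detection date
    among its alerts, not from when the analyst opens any one of them."""
    cases = {}
    for a in sorted(alerts, key=lambda a: a.detected_on):
        case = cases.setdefault(a.customer_id, {"alerts": [], "initial_detection": a.detected_on,
                                                "suspect_identified": False})
        case["alerts"].append(a.alert_id)
        case["suspect_identified"] = case["suspect_identified"] or a.suspect_identified
    for case in cases.values():
        days = SAR_FILING_DAYS if case["suspect_identified"] else SAR_NO_SUSPECT_DAYS
        case["sar_due"] = case["initial_detection"] + timedelta(days=days)
    return cases


def sample_deposits():
    """Constructed: C-100 makes nine $9,400 deposits at three branches in five days;
    C-200 makes two small deposits ten days apart; C-300 makes one $12,000 deposit."""
    rows = [("C-100", "A", 9400, date(2024, 2, 26)), ("C-100", "B", 9400, date(2024, 2, 26)),
            ("C-100", "A", 9400, date(2024, 2, 27)), ("C-100", "C", 9400, date(2024, 2, 27)),
            ("C-100", "B", 9400, date(2024, 2, 28)), ("C-100", "A", 9400, date(2024, 2, 29)),
            ("C-100", "C", 9400, date(2024, 2, 29)), ("C-100", "B", 9400, date(2024, 3, 1)),
            ("C-100", "C", 9400, date(2024, 3, 1)),
            ("C-200", "A", 3000, date(2024, 2, 20)), ("C-200", "A", 3000, date(2024, 3, 1)),
            ("C-300", "B", 12000, date(2024, 2, 28))]
    return [CashDeposit(*r) for r in rows]


def sample_alerts():
    """Constructed: two alerts on C-100 with different detection dates; one on C-200 with no suspect."""
    return [Alert("ALT-2", "C-100", date(2024, 3, 4)),
            Alert("ALT-1", "C-100", date(2024, 2, 27)),
            Alert("ALT-3", "C-200", date(2024, 3, 1), suspect_identified=False)]


if __name__ == "__main__":
    print(find_structuring(sample_deposits()))
    print(merge_alerts_by_customer(sample_alerts()))
```

Only C-100 is flagged: nine deposits totalling $84,600 across branches A, B and C, which is the pattern the page's worked example describes. C-200's two deposits never reach the threshold together and C-300's single deposit is a CTR, not structuring. Merging puts both C-100 alerts in one case whose SAR due date runs from the 27 February detection, so the later alert cannot restart the clock.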
A disciplined triage habit is to ask four questions on every new case: What is the trigger? What deadline applies? What is the customer's expected profile? What is the worst-case typology this could be? That framing turns a noisy alert queue into a defensible, risk-ordered workflow.
An analyst's queue contains a $300 geography-flagged ATM alert, a pattern of nine $9,400 cash deposits across three branches in five days, and a routine duplicate-charge dispute. Which should be investigated first?
What is the correct characterization of a transaction-monitoring alert at the start of an investigation?