Post-Investigation Feedback Loops

Key Takeaways

Closed cases should feed back into monitoring: false positives tune rules/thresholds, confirmed typologies become new scenarios.
Continuing-activity SARs are filed (commonly every 90 days) when suspicious activity persists after an initial filing.
Quality assurance and management information (MI) measure SAR timeliness, alert-to-SAR conversion, and investigator consistency.
Feedback supports risk-based decisions such as enhanced monitoring, account exit (de-risking), or productivity tuning — and updates the enterprise risk assessment.

Last updated: June 2026

Why the Loop Matters

A mature anti-financial-crime program does not treat a filed Suspicious Activity Report (SAR) or a closed alert as the end of the story. Feedback loops push investigation outcomes back into the program so detection, staffing, and risk posture keep improving. The CAMS exam frames this as continuous improvement: monitoring, investigation, reporting, and risk assessment form a cycle, not a straight line.

Tuning Monitoring From Outcomes

Every closed case carries a lesson. The two most important signals are false positives and confirmed typologies.

Outcome	Feedback action
High-volume false-positive alert rule	Tune thresholds/logic to cut noise (after governance approval)
Confirmed new laundering typology	Build a new monitoring scenario to catch it next time
Repeated misses by a rule	Investigate model/data gaps; consider model validation
Productive rule with high SAR conversion	Preserve and document its effectiveness

A caution the exam tests: tuning to reduce alerts must be risk-based and governed, never a covert way to suppress legitimate alerts. Threshold changes are documented, approved, and validated so the institution can defend them to examiners.

Continuing-Activity SARs

When suspicious activity persists after an initial SAR, the institution files continuing-activity reports. U.S. guidance commonly calls for a follow-up SAR on roughly a 90-day review cycle while the activity continues, summarizing the ongoing conduct and referencing the prior filing. This keeps law enforcement informed without restarting the clock for each transaction.

Quality Assurance and Management Information (MI)

Feedback also flows up to management. Quality assurance (QA) samples closed cases to check that suspicion was correctly identified, narratives meet standard, and deadlines were met. Management information (MI) tracks metrics such as:

SAR timeliness (percentage filed within the 30-day window)
Alert-to-SAR conversion rate (signal quality of monitoring)
Case aging and backlog
Investigator consistency across similar fact patterns

These metrics drive staffing, training, and budget decisions, and they evidence an effective program during regulatory examination.

Worked Example

QA review finds that a velocity rule generated 4,000 alerts last quarter but produced only six SARs — a 0.15% conversion rate — while a structuring rule converted at 9%. The financial-crime committee approves recalibrating the velocity rule's threshold, validates the change against historical data to confirm no productive alerts are lost, and documents the rationale. Separately, a confirmed trade-based laundering case prompts a new scenario targeting mismatched invoice values. Both actions are recorded in the enterprise risk assessment, which is updated to reflect the newly evidenced exposure.

Closing the Loop to Risk Decisions

Outcomes also feed risk-based business decisions: placing a customer under enhanced ongoing monitoring, exiting a relationship (de-risking) where risk cannot be managed, or refining the customer risk-rating model. The cycle ends where it began — a better risk assessment that retargets monitoring.

Governing Model and Threshold Changes

Because transaction-monitoring rules are effectively models, changes to them fall under model risk management. Before a threshold moves, the institution should perform below-the-line testing — sampling alerts that would not have fired under the new setting — to prove no productive alerts are lost. The change is approved by a governance body, validated, and documented. Examiners scrutinize tuning precisely because a poorly governed change can silently suppress legitimate detection. The exam wants you to see tuning as a controlled, evidence-based activity, never an informal dial-down to reduce workload.

Metrics That Tell the Story

Management information turns case outcomes into program insight. Useful metrics and what they reveal:

Metric	What it signals
Alert-to-SAR conversion	Quality and calibration of monitoring rules
SAR filing timeliness	Whether the 30-day deadline is met consistently
Case aging / backlog	Capacity and staffing pressure
Reopened or amended SARs	Investigation quality and consistency
Continuing-activity SAR volume	Persistence of high-risk relationships

Reporting these to senior management and the board evidences an effective program — a recurring theme regulators emphasize when assessing anti-money-laundering controls.

Closing the Loop Through Training and the Risk Assessment

Lessons from investigations should reshape training and the enterprise-wide risk assessment. When a new typology surfaces — say, mule accounts opened with synthetic identities — front-line and investigative staff are trained to spot it, monitoring scenarios are updated, and the customer risk-rating model is recalibrated. The risk assessment is then refreshed to record the newly evidenced exposure, which in turn retargets where monitoring focuses.

This is the program-improvement cycle the CAMS exam frames as continuous: detect, investigate, report, learn, and re-assess. A program that files SARs but never feeds outcomes back into rules, training, and the risk assessment will keep generating the same false positives and missing the same emerging schemes. The feedback loop is what separates a reactive filing factory from a genuinely effective anti-financial-crime function.

Common Traps

Filing and forgetting. Persistent activity needs continuing-activity SARs, not silence.
Suppressing alerts under the label of tuning. Threshold changes must be governed and documented.
Ignoring conversion metrics. A flood of low-yield alerts wastes investigator time and hides real risk.
Failing to update the risk assessment. New typologies must reshape the program, or the same gaps recur.

Test Your Knowledge

Suspicious activity continues on an account several weeks after the institution filed an initial SAR. What is the appropriate action?

No further reporting is needed once the first SAR is filed

File a continuing-activity SAR, commonly on about a 90-day review cycle, referencing the prior filing

Immediately close the account without any further report

Notify the customer that ongoing activity is being reported

Test Your Knowledge

A monitoring rule produced 4,000 alerts but only 6 SARs last quarter. What is the best governed response?

Quietly disable the rule to eliminate the alerts

Ignore the metric because alert volume does not matter

Recalibrate the threshold with committee approval, validate the change, and document the rationale

File SARs on all 4,000 alerts to be safe

Up Next

AI and Machine Learning in AFC Controls

Chapter 11: Technology and Emerging AFC Practice

CAMS Study Guide

1Chapter 1: CAMS Orientation and Exam Facts

2Chapter 2: Financial Crime Risks and Methods

3Chapter 3: High-Risk Sectors and Structures

4Chapter 4: Global AFC Frameworks

5Chapter 5: Governance Regulations and Information Sharing

6Chapter 6: AFC Compliance Program Design

7Chapter 7: Program Governance and Operating Model

8Chapter 8: Customer Lifecycle Controls

9Chapter 9: Ongoing Controls and Monitoring

10Chapter 10: Investigations and Case Support

11Chapter 11: Technology and Emerging AFC Practice

12Chapter 12: Final CAMS Review and Exam Day

CAMS