AML Case Management: From Alert to Disposition Without Losing the Audit Trail
A walk through the AML case lifecycle — queue assignment, the RFI cycle, SLA management, linked-case investigation, EDD, escalation, and the decision to file or close — built so every step leaves an audit trail.

An alert is not a finding. It is a question the system asks your team: is this activity what it appears to be, or is it something a regulator would expect you to report? Everything that happens between that question and its answer — the triage, the investigation, the request for documents, the second pair of eyes, the decision to file or close — is case management. Done well, it is the difference between a compliance function that can defend every decision and one that scrambles for evidence when an examiner asks why a particular customer was cleared.
The hard part is rarely the judgement itself. Experienced analysts know suspicious activity when they see it. The hard part is doing the work consistently, within the time limits your supervisor expects, and leaving a record clean enough that a colleague — or an examiner two years later — can reconstruct exactly what was known, when, and who decided what. This article follows a single alert from generation to disposition through Creodata's Case Management service, and shows how each step is built to leave that record behind without the analyst having to think about it.
For the wider context — how case management sits alongside risk assessment, screening, monitoring, and reporting — see the complete AML platform guide. This piece zooms in on the workflow itself.
Where the alert comes from
A case usually begins with an alert, and an alert usually begins with transaction monitoring. A rule fires because a pattern crossed a threshold — structured cash deposits below a reporting limit, a sudden change in transaction velocity, funds moving through a corridor the customer has never used before. Screening produces alerts too: a name matches a sanctions or PEP entry closely enough to warrant a look. The mechanics of how those rules and matches are produced are covered in how transaction monitoring systems generate the alerts; for case management, what matters is what arrives.
What arrives is not a bare flag. Each alert carries its context with it: the rule or match that fired, the customer's current risk band, the transactions involved, and — where a model contributed to the score — the SHAP top-three reasons the system surfaced the activity, with a confidence percentage and a model version stamped on the decision. The analyst opens a case that already knows why it exists. There is no separate hunt across three systems to assemble the picture, because the alert, the customer, and the evidence already point at the same entity.
Triage and queue assignment
Not every alert deserves the same effort, and pretending otherwise is how teams drown. The first decision is triage: is this worth a full investigation, an immediate escalation, or a quick, well-reasoned close?
Creodata's Case Management service routes alerts into queues and assigns them according to the configuration you set during onboarding — by risk band, by alert type, by jurisdiction, or by analyst workload. A high-risk customer's alert lands in a queue watched by senior staff; a low-risk, low-value pattern goes where it belongs. Assignment is explicit and recorded: who owns the case, when they picked it up, and when ownership changed. That ownership record is the first entry in the audit trail, and it answers the question examiners ask most often — who was responsible for this decision.
Good triage also means the analyst can see, at a glance, what they are dealing with:
- The triggering rule or screening match, and its score.
- The customer's risk band and the factors behind it.
- Any open or historical cases linked to the same customer or counterparties.
- The SLA clock — how long this case has before it breaches the time limit you have committed to.
The investigation
Investigation is the core of the work, and it is where evidence-first design earns its place. In Creodata's platform, every consequential fact an analyst relies on is one click from its source. The risk score shows the factors that produced it. A screening hit shows the matched list entry and the reasons for the match. A monitoring alert shows the underlying transactions. The analyst is not asked to trust a number; they are shown the basis for it, and so is anyone who reviews the case later.
This matters because an investigation is, in the end, an argument — for a conclusion that the activity is explained and benign, or that it is suspicious and reportable. An argument is only as strong as the evidence behind it, and a trail reconstructed after the fact is an argument that has already lost. By keeping evidence attached to the case as the analyst works, the platform makes the eventual narrative something you assemble from a record that already exists.
The request-for-information (RFI) cycle
Often the analyst cannot decide on internal data alone. They need something from the customer or from another part of the institution — a source-of-funds explanation, a contract, an updated beneficial-ownership declaration, a reason for an unusual payment. That is the request-for-information cycle.
In Creodata's Case Management service, an RFI is a tracked step, not an email that vanishes into an inbox. The request is logged against the case, the response is attached when it arrives, and the case status reflects that it is waiting on someone else. This is important for two reasons. First, it keeps the evidence in one place: the question and its answer live with the case, not in a side conversation. Second, it interacts honestly with your SLA, which brings us to time.
SLA pause and resume
Most supervisors expect alerts to be investigated and resolved within a defined period. Treating that clock naively — running it continuously from the moment the alert fires — punishes analysts for delays they do not control. If a case has been waiting two weeks for a customer to return a document, the analyst should not be counted as slow.
Creodata's service handles this with SLA pause and resume. When a case is genuinely blocked — typically waiting on an RFI response — the SLA clock can be paused, and it resumes when the dependency clears. The pause is itself a recorded event: when it started, why, and when it lifted. The result is a time metric that reflects the work your team actually controls, and a record that shows precisely where any delay came from. When an examiner questions why a case took three months, the answer is in the timeline: ten days of investigation, eleven weeks waiting on the customer, two days to close.
Seeing the bigger picture: the linked-case graph
Money laundering rarely confines itself to one customer or one alert. The same beneficial owner appears behind two accounts; a counterparty in one investigation is the subject of another; three "unrelated" cases turn out to share an address or a phone number. An analyst working a single alert in isolation will miss this every time.
Creodata's Case Management service includes a linked-case graph that surfaces these connections, drawing on the platform's entity-resolution layer — resolved entities, the links between them, and the beneficial-ownership graph that shows who ultimately controls what. From inside a case, the analyst can see related cases, shared counterparties, and the cluster of entities the customer sits within. An alert that looks trivial on its own can become significant once you see it is the fourth in a pattern. This investigative context lives in the case interface, so the analyst is not switching tools to ask "have we seen this before?"
When a case needs more: the EDD workflow
Sometimes the investigation tips into territory that demands deeper scrutiny — a high-risk customer, a PEP connection, a transaction pattern that ordinary checks cannot explain. That is enhanced due diligence, and Creodata's service carries a dedicated EDD workflow inside the case rather than pushing the analyst out to a separate process.
EDD raises the standard of evidence: more documentation, senior sign-off, a closer look at source of wealth and source of funds, and a clearer articulation of why the institution is comfortable continuing the relationship — or why it is not. Because the workflow lives inside the case, the EDD steps and their evidence become part of the same record as the original alert. There is no seam between "the alert investigation" and "the enhanced review"; it is one continuous, auditable file. For the substance of what enhanced due diligence requires and how to conduct it, see the EDD workflow inside a case.
Escalation
Not every case can or should be closed by the analyst who opened it. Some need a manager's judgement; some need the MLRO; some need a decision the analyst is not authorised to make alone. Escalation is the controlled handover of a case up the chain.
Creodata's service supports manual case creation and escalation as first-class actions. An analyst can escalate a case with their reasoning attached, and the escalation is recorded — who raised it, to whom, and why. The senior reviewer inherits the full case, evidence and timeline intact, and adds their decision to the same record.
The disposition: file or close
Every case ends in one of two places. Either the activity is explained and the case is closed, or it is suspicious and the institution files a suspicious-transaction report. Both outcomes are decisions, and both must be defensible.
A close is not the absence of a decision; it is a decision in its own right, and Creodata treats it that way. The analyst records the rationale, the evidence supporting it stays attached, and — for consequential closes — four-eyes approval applies, so that clearing a high-risk case is never a single person's unreviewed call. This is the discipline that protects the institution: the cases you close are the ones an examiner will scrutinise hardest, and "we looked and were satisfied" is only an answer if you can show the looking.
When the decision is to file, case management hands off cleanly to the STR/CTR reporting service, which runs the draft, review, approve, and submit lifecycle. The investigation you have just completed is the raw material for the report — the evidence, the timeline, the reasoning all carry forward. The act of writing the report itself is a craft of its own; writing the STR narrative once you decide to file covers how to turn an investigation into a narrative a financial intelligence unit can act on. We will not re-explain the filing mechanics here; that is the job of the goAML Reporting Platform and its cluster.
The audit trail underneath all of it
Everything above shares one foundation: an append-only, immutable audit log. Every assignment, every RFI, every SLA pause, every escalation, every override, every disposition is recorded as it happens, with the actor, the time, and the evidence in view. Four-eyes approval guards the consequential moments — clearing a high-risk case, overriding a risk band, activating a change that affects how alerts are scored — so that no single person can make a material decision unchecked.
The point is not to slow analysts down. It is that the record is a by-product of doing the work properly, not a separate chore bolted on at the end. When the audit comes, the answer to "show me how you handled this" is already written. The principles behind this — immutability, four-eyes, evidence-first — are set out in the audit trail behind every disposition.
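As an added illustration (not Creodata's code; the case id, actor names, event names and timestamps are hypothetical and constructed), the following Python model shows the two mechanics described above working on one append-only timeline: the SLA pause-and-resume clock that only charges the team for time it controls, and the four-eyes gate on closing a high-risk case. The constructed timeline reproduces the ten days / eleven weeks / two days split from the SLA section.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str        # open | sla_pause | sla_resume | approved | closed
    actor: str
    note: str = ""

@dataclass
class Case:
    case_id: str
    risk_band: str                              # "low" | "medium" | "high"
    events: list = field(default_factory=list)  # append-only timeline: entries are never edited or removed
    def record(self, at, kind, actor, note=""):
        if self.events and at < self.events[-1].at:
            raise ValueError("audit events must be appended in time order")
        self.events.append(Event(at, kind, actor, note))
    def sla_breakdown(self, now):
        """Split elapsed time into (working, paused); only `working` counts against the SLA."""
        spent = {"working": timedelta(), "paused": timedelta()}
        cursor, is_paused = self.events[0].at, False
        for ev in self.events[1:] + [Event(now, "now", "clock")]:  # sentinel covers a still-open case
            spent["paused" if is_paused else "working"] += ev.at - cursor
            cursor = ev.at
            if ev.kind == "sla_pause":
                is_paused = True
            elif ev.kind == "sla_resume":
                is_paused = False
            elif ev.kind == "closed":
                break  # time after the close is not attributed to anyone
        return spent["working"], spent["paused"]

    def close(self, at, analyst, rationale, approver=None):
        """A close is a decision: a high-risk case needs a distinct second approver (four-eyes)."""
        if self.risk_band == "high":
            if approver is None or approver == analyst:
                raise PermissionError("four-eyes: high-risk close needs a second, distinct approver")
            self.record(at, "approved", approver, f"approved close proposed by {analyst}")
        self.record(at, "closed", analyst, rationale)

def example_case():
    # Constructed timeline matching the article's split: 10 days work, 11 weeks waiting, 2 days to close.
    t0 = datetime(2024, 1, 1)
    c = Case("CASE-0001", "high")  # hypothetical case id
    c.record(t0, "open", "analyst.a", "rule fired: cash deposits structured below the reporting limit")
    c.record(t0 + timedelta(days=10), "sla_pause", "analyst.a", "RFI sent: source-of-funds documents")
    c.record(t0 + timedelta(days=10, weeks=11), "sla_resume", "analyst.a", "RFI response attached")
    c.close(t0 + timedelta(days=12, weeks=11), "analyst.a", "funds explained by attached contract", "mlro.b")
    return c
```

Reading the timeline back gives the examiner's answer directly: twelve working days charged to the team, seventy-seven days attributed to the customer, and an "approved" entry by a second person ahead of the close.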
Frequently asked questions
What is the difference between an alert and a case?
An alert is a single flag raised by transaction monitoring or screening — a rule fired, or a name matched a list. A case is the investigation that follows. One case can gather several alerts about the same customer, plus the analyst's work, RFIs, evidence, and the final decision. The alert is the question; the case is how you answer it.
How does SLA pause and resume affect my reporting deadlines?
SLA pause and resume governs your internal investigation clock — the time you commit to working an alert — not statutory reporting deadlines. Pausing the clock while you wait on a customer's documents gives you an honest measure of the work your team controls, and a recorded reason for any delay. Once you decide to file, statutory timelines for submission to your financial intelligence unit apply independently.
Can an analyst close a high-risk case on their own?
Consequential dispositions, including clearing a high-risk case, are protected by four-eyes approval. The analyst records the rationale and evidence, and a second authorised person reviews and approves before the case is closed. This is recorded in the immutable audit log, so the institution can always show that material decisions were independently checked.
How does case management connect to STR reporting?
When the disposition is to file, the case hands off to the STR/CTR reporting service with its evidence, timeline, and reasoning intact. The reporting service runs the draft, review, approve, and submit lifecycle and manages submission to the regulator. Case management produces the investigation; reporting turns it into a filing.
Case management is where an AML programme either holds together or comes apart — and where examiners look first. If you want to see how an alert moves from queue to disposition with the evidence and audit trail built in, explore the Creodata AML Platform, talk to our financial crime compliance advisory team, or book a demo and we will walk a case through the full lifecycle with you.
