AT A GLANCE
An effective anti-money laundering (AML) investigation follows a structured five-step process: identifying the trigger event, completing Know Your Customer (KYC) review, analyzing account activity, eliminating normal behavior, and determining whether a Suspicious Activity Report (SAR) is warranted. Institutions that standardize this process reduce investigation time, improve SAR quality, and maintain consistent compliance outcomes across their analyst teams.
What Is an AML Investigation and Why Does It Matter?
An AML investigation is a structured review conducted by a compliance analyst or investigator to determine whether a customer's activity constitutes money laundering, terrorist financing, or another financial crime — and whether it needs to be reported to the relevant financial intelligence authority.
Money laundering is not a simple or isolated crime. Experienced money launderers deliberately exploit the fragmented nature of international AML regulations, operating across multiple jurisdictions, financial institutions, and product types to obscure the origin and movement of illicit funds. Detecting and disrupting this activity requires investigators who are fluent in financial crime typologies, comfortable working with large volumes of transaction data, and capable of building a documented, objective case from disparate evidence sources.
The operational challenge for most financial institutions is resource constraint. AML departments consistently face more case volume than they have analyst capacity, investigative tools, or time to address. This imbalance is partly a function of institutional growth — as transaction volumes scale, alert volumes scale with them. Without standardized investigation workflows and efficient tooling, compliance teams spend an increasing share of their capacity on process rather than judgment.
The five-step investigation framework outlined in this article addresses this directly. By following a consistent, structured approach to every investigation — from the initial trigger through to SAR filing or case closure — institutions can process higher alert volumes without proportionally increasing headcount, while producing more consistent and defensible compliance outcomes.
What Triggers an AML Investigation?
An AML investigation is triggered when a system, process, or individual flags activity as potentially suspicious and routes it to a compliance analyst for review.
The most common trigger is a transaction monitoring alert — an automated flag generated when a customer's transaction activity matches a defined rule or behavioral anomaly pattern. Examples include transactions above a reporting threshold, structuring patterns designed to avoid that threshold, unusual transaction velocity, cross-border transfers to high-risk jurisdictions, or activity inconsistent with the customer's stated business purpose.
Other trigger types include:
Adverse media alerts: Automated or manual identification of negative news coverage linking a customer, their associates, or their business to financial crime, fraud, sanctions violations, or other predicate offenses.
Law enforcement referrals: A formal request or notification from a law enforcement agency indicating that a customer or account is of investigative interest.
Internal referrals: Reports from relationship managers, branch staff, or other employees who have observed unusual customer behavior that does not rise to the level of an automated alert but warrants compliance review.
KYC trigger events: Scheduled or event-driven customer due diligence reviews triggered by changes in customer circumstances — a change of address, new beneficial owner, material change in transaction behavior, or expiry of a time-limited KYC review cycle.
Regulatory or correspondent bank requests: Inquiries from regulators, correspondent banks, or payment partners requesting information about a specific customer or transaction.
The trigger event defines the starting point of the investigation and frames the initial question the investigator must answer. Critically, however, the trigger should not define the scope of the investigation. A transaction monitoring alert for a single large transaction should not limit the investigator to examining only that transaction — the investigation must take a holistic view of the customer's full activity profile. Anchoring too narrowly to the trigger event is one of the most common causes of incomplete investigations and missed suspicious activity.
Practical Tip: Document the trigger event in full at the outset of every investigation — the alert type, the rule or typology that fired, the transaction or behavior that triggered it, and the date and time of detection. This documentation anchors the investigation and demonstrates to regulators that the institution's detection systems are functioning as designed.
How Does KYC Review Support an AML Investigation?
KYC review is the foundation of every AML investigation. Before an investigator can assess whether activity is suspicious, they must have a clear and current understanding of who the customer is, what they do, and what their account activity is expected to look like.
Without this baseline, the investigator has no meaningful reference point. A $500,000 wire transfer might be entirely normal for a commercial real estate developer and deeply suspicious for a retail account holder with a stated income of $60,000 per year. KYC review is what equips the investigator to make that distinction accurately.
What does a thorough KYC review cover?
Customer identity and risk status: Full legal name, date of birth, identification documents, nationality, and residence. Politically Exposed Person (PEP) status is particularly critical: customers who hold public office, or who are family members or close associates of someone who does, carry elevated inherent risk and may require enhanced due diligence regardless of their transaction activity.
Occupation, profession, or business: Understanding what the customer does for a living — or what their business does — is essential for assessing whether transaction patterns make sense. A money services business will have different expected activity than a salaried employee or a nonprofit organization.
Source of funds and source of wealth: Where does the customer's money come from? What is the origin of their wealth? These questions are foundational for assessing whether the volume and nature of transactions are consistent with the customer's financial profile.
Products held and purpose: What accounts, products, and services does the customer use, and why? A customer with a domestic checking account who suddenly begins using international wire transfer capabilities warrants scrutiny — not because wire transfers are inherently suspicious, but because they represent a change in product usage that requires explanation.
Geographic footprint: Which countries does the customer interact with, either through transactions, business relationships, or personal connections? FATF high-risk jurisdictions, sanctioned countries, and known high-risk payment corridors all elevate risk and require additional investigative attention.
Adverse information: Any prior SAR filings, law enforcement inquiries, regulatory actions, or adverse media hits associated with the customer, their business, their beneficial owners, or their close associates.
Non-adverse contextual information: Supporting information that helps explain the customer's activity in a positive context — legitimate business relationships, industry memberships, publicly available business information — is equally important. Good investigators look for exculpatory as well as incriminating evidence.
KYC information is drawn from institutional records — onboarding files, CDD and EDD documentation, account opening forms — as well as open-source intelligence, commercial database searches, and relationship manager knowledge. Branch-level records and account manager notes often contain contextual information that is not captured in central systems and can be critical to completing the picture.
Practical Tip: Before reviewing transaction activity, write a one-paragraph summary of the customer based solely on KYC data. Describe who they are, what they do, and what you would expect their account activity to look like. This exercise forces clarity on the expected baseline before behavioral analysis begins — and makes it significantly easier to identify deviations when they appear.
How Do AML Investigators Analyze Account Activity?
Activity analysis is the process of taking a comprehensive, high-level view of all account activity across all accounts held by the customer during the relevant review period — and assessing whether that activity is consistent with the customer's KYC profile.
The review period is defined by the trigger event and the investigation scope. For a transaction monitoring alert, the review period typically covers 12 months of activity, though longer periods may be warranted if the alert relates to a pattern that may have developed over time. For a KYC trigger event review, the period typically covers activity since the last due diligence review.
The activity analysis phase covers three dimensions:
Volume and value: What is the total inflow and outflow across all accounts? Is the aggregate volume consistent with the customer's stated income, business revenue, or financial profile? Significant discrepancies between stated financial profile and actual account volumes are one of the most reliable indicators of potential money laundering.
Transaction patterns: How does the customer transact? What are the typical transaction sizes, frequencies, and counterparties? Are there patterns — structuring below reporting thresholds, round-dollar transactions, rapid movement of funds through multiple accounts, consistent use of cash — that are inconsistent with the customer's stated business or personal purpose?
Counterparty analysis: Who is the customer sending money to and receiving money from? Are counterparties consistent with the customer's stated business relationships? Do counterparty accounts show signs of being used as pass-through vehicles? Are any counterparties in high-risk jurisdictions, on sanctions lists, or associated with adverse media?
The goal of this phase is not to reach a conclusion — it is to develop a complete factual picture of what the customer's accounts actually show, without yet making judgments about what is or is not suspicious.
Practical Tip: Use a timeline visualization during activity analysis. Plotting transaction activity chronologically — with key events (account opening, KYC review dates, trigger event, significant transactions) marked on the same timeline — often reveals patterns that are invisible in raw transaction data. Clusters of activity before or after significant dates are frequently meaningful.
How Do AML Investigators Eliminate Normal Activity?
Eliminating normal activity is the process of removing from investigative focus all transactions and behaviors that are fully consistent with the customer's KYC profile — leaving only the activity that is genuinely unusual or unexplained.
This step is what separates efficient, focused investigations from exhaustive reviews of every transaction in the account. Investigators do not need to explain everything — only what cannot be explained by the customer's legitimate financial profile.
What counts as normal activity for personal accounts?
Normal personal account activity typically includes grocery and retail purchases, rent or mortgage payments, utility bills, regular payroll deposits, tax payments, and personal spending consistent with the customer's stated income and lifestyle. Regular remittances to family members in the customer's country of origin, along with the use of payment processors for everyday expenses or remittance transfers, are generally normal for customers with cross-border family connections when the amounts and frequency align with their income.
What counts as normal activity for business accounts?
Normal business account activity typically includes payroll, supplier payments and receipts at volumes consistent with the business's stated revenue and industry, rent and utilities, professional services fees (legal, accounting, IT, marketing), tax payments, and business travel expenses. The key test is whether the nature and volume of business-related transactions is commensurate with the scale and type of business as described in the customer's KYC file.
What remains after normal activity is eliminated?
The residual activity — the transactions and patterns that cannot be explained by the customer's legitimate financial profile — is the investigative focus. This residual becomes the basis for assessing whether the activity meets the threshold for suspicion.
A critical discipline in this phase is objectivity. Investigators must apply the same standard of scrutiny to exculpatory evidence as to incriminating evidence. An investigation that selectively eliminates normal activity while retaining ambiguous activity as suspicious, without equivalent rigor in assessing whether an innocent explanation exists, produces biased outcomes that will not withstand regulatory or legal scrutiny.
Practical Tip: Maintain a running "explained/unexplained" log throughout the investigation. As each transaction or pattern is reviewed, record whether a legitimate explanation has been identified and what that explanation is. This log becomes the documented basis for the final determination and demonstrates the investigator's objectivity to reviewers and regulators.
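The three activity-analysis dimensions described above (volume and value, transaction patterns, counterparty analysis) and the explained/unexplained log from the elimination step, worked through in one added Python example. This is not code from the original article or from any vendor platform. The KYC profile, the $10,000 reporting threshold, the 7-day structuring window, the placeholder country code "XY" and every transaction are constructed assumptions for illustration; an institution would substitute its own rules, customer data and jurisdiction lists.

```python
"""Added example, not code from the original article: activity analysis and
elimination over a constructed 12-month sample for one retail customer. The
profile, threshold, country code "XY" and every transaction are assumptions."""
from collections import namedtuple
from datetime import date, timedelta

# when=date, direction="in"/"out", channel="ach"/"card"/"cash"/"wire"
Txn = namedtuple("Txn", "when direction amount counterparty country channel")

# Constructed KYC baseline for a salaried retail customer (assumption).
PROFILE = {
    "stated_annual_income": 60_000,
    "expected_countries": {"US"},
    "known_payees": {"Employer Inc", "Landlord LLC", "ACME Grocery", "City Utilities"},
}
REPORTING_THRESHOLD = 10_000    # assumed cash-reporting threshold for the jurisdiction
HIGH_RISK_COUNTRIES = {"XY"}    # placeholder code; real lists come from FATF/sanctions data


def build_sample():
    """Twelve months of ordinary activity plus one unusual September cluster."""
    txns = []
    for month in range(1, 13):
        first = date(2024, month, 1)
        txns += [
            Txn(first, "in", 5_000, "Employer Inc", "US", "ach"),
            Txn(first + timedelta(days=1), "out", 1_500, "Landlord LLC", "US", "ach"),
            Txn(first + timedelta(days=10), "out", 400, "ACME Grocery", "US", "card"),
            Txn(first + timedelta(days=15), "out", 200, "City Utilities", "US", "ach"),
        ]
    # Constructed anomaly: three sub-threshold cash deposits in five days, then a
    # wire to an unknown counterparty in a high-risk jurisdiction.
    txns += [
        Txn(date(2024, 9, 3), "in", 9_500, "Cash deposit", "US", "cash"),
        Txn(date(2024, 9, 5), "in", 9_800, "Cash deposit", "US", "cash"),
        Txn(date(2024, 9, 7), "in", 9_700, "Cash deposit", "US", "cash"),
        Txn(date(2024, 9, 9), "out", 28_000, "Trading Co", "XY", "wire"),
    ]
    return sorted(txns, key=lambda t: t.when)


def aggregate_flows(txns):
    """Volume and value: totals, and inflow as a multiple of stated income."""
    inflow = sum(t.amount for t in txns if t.direction == "in")
    outflow = sum(t.amount for t in txns if t.direction == "out")
    return {"inflow": inflow, "outflow": outflow,
            "inflow_to_income": inflow / PROFILE["stated_annual_income"]}


def find_structuring(txns, threshold=REPORTING_THRESHOLD, band=0.10,
                     window_days=7, min_count=3):
    """Transaction patterns: min_count+ cash deposits just below the threshold
    (within `band` of it) that land inside a rolling window of window_days."""
    near = [t for t in txns if t.channel == "cash" and t.direction == "in"
            and threshold * (1 - band) <= t.amount < threshold]   # date-sorted
    clusters, i = [], 0
    while i < len(near):
        end = near[i].when + timedelta(days=window_days)
        group = [t for t in near[i:] if t.when <= end]
        if len(group) >= min_count:
            clusters.append(group)
            i += len(group)         # do not report the same deposits twice
        else:
            i += 1
    return clusters


def unusual_counterparties(txns, high_risk=HIGH_RISK_COUNTRIES):
    """Counterparty analysis: parties outside the KYC file and why each stands out."""
    reasons = {}
    for t in txns:
        if t.counterparty in PROFILE["known_payees"]:
            continue
        why = set()
        if t.country in high_risk:
            why.add("high-risk jurisdiction")
        if t.country not in PROFILE["expected_countries"]:
            why.add("outside expected geography")
        reasons.setdefault(t.counterparty, set()).update(why or {"not in KYC file"})
    return reasons


def explain(t):
    """Elimination: a legitimate explanation for one transaction, or None."""
    known = (t.counterparty in PROFILE["known_payees"]
             and t.country in PROFILE["expected_countries"])
    if known and t.direction == "in" and t.amount <= PROFILE["stated_annual_income"] / 12:
        return "payroll consistent with stated income"
    if known and t.direction == "out":
        return "recurring household expense to a known payee"
    return None


def explained_log(txns):
    """The running explained/unexplained log; None marks the residual."""
    return [(t, explain(t)) for t in txns]


def residual(txns):
    return [t for t, why in explained_log(txns) if why is None]


if __name__ == "__main__":
    s = build_sample()
    print(aggregate_flows(s), find_structuring(s), unusual_counterparties(s),
          residual(s), sep="\n")
```

On this sample the volume check reports $89,000 of inflow against $60,000 of stated income (a ratio of roughly 1.48), the pattern check returns one structuring cluster of three sub-threshold cash deposits, the counterparty check flags Trading Co for geography, and the explained/unexplained log eliminates the 48 payroll, rent, grocery and utility entries, leaving a residual of four transactions for the investigator. The band, window and count are parameters, not recommendations; they should be calibrated against the institution's own monitoring rules and the structuring typologies it actually observes.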
How Do AML Investigators Determine Whether to File a SAR?
The final determination in an AML investigation is whether the unexplained activity meets the legal threshold for filing a Suspicious Activity Report — and whether the customer relationship should be terminated.
Step one: Establish or rule out a predicate offense.
A predicate offense is the underlying criminal activity that generates the funds being laundered. Common predicate offenses include fraud, drug trafficking, human trafficking, tax evasion, corruption, bribery, and sanctions violations. If adverse media, law enforcement referrals, or investigative findings indicate that the customer has been accused, charged, or convicted of a predicate offense, movement of the proceeds with the intent to disguise or conceal their origin constitutes money laundering, and the activity is reportable regardless of the specific transaction patterns involved. An accusation alone does not prove the offense, but it is strong grounds for suspicion and must be weighed against what the account activity shows.
Establishing a predicate offense significantly strengthens a SAR and provides clear legal grounding for the filing. Investigators should always conduct adverse media and law enforcement database searches as part of the KYC review phase, specifically to identify potential predicate offense connections.
Step two: Apply red flag indicators when no predicate offense is established.
When no predicate offense can be identified, the determination rests on whether the unexplained activity, viewed in totality, gives reasonable grounds to suspect that money laundering or terrorist financing has occurred or been attempted. This is a lower threshold than proof — investigators are not required to establish that money laundering has definitively occurred, only that there are reasonable grounds to suspect it.
Red flags commonly considered in this assessment include:
- Transaction patterns inconsistent with the customer's stated business or personal profile
- Structuring activity — multiple transactions just below reporting thresholds — suggesting deliberate threshold avoidance
- Rapid movement of funds through multiple accounts with minimal economic purpose
- Transactions involving high-risk jurisdictions, sanctioned entities, or known money laundering typologies
- Use of cash or cash equivalents at volumes inconsistent with the customer's business type
- Reluctance to provide documentation or explanation for unusual activity
- Beneficial ownership structures that obscure the ultimate owner of funds
- Sudden changes in transaction behavior inconsistent with any identifiable life or business event
Step three: File the SAR and consider relationship termination.
If reasonable grounds to suspect money laundering or terrorist financing are established, the institution is legally required to file a SAR with the relevant Financial Intelligence Unit (FIU). The SAR must be complete, accurate, and submitted within the timeframe prescribed by the applicable jurisdiction's AML regulations.
Simultaneously, the institution must assess whether the risk of maintaining the customer relationship falls within its risk appetite. Where a predicate offense has been established or the activity is egregious, relationship termination is usually the appropriate outcome; in other cases the institution may retain the customer under enhanced monitoring, and law enforcement may ask that an account be kept open to support an ongoing investigation. Either decision must be documented and, critically, the customer must not be informed that a SAR has been filed: tipping off a customer is a criminal offense in most jurisdictions.
Practical Tip: Write the SAR narrative before closing the case file, while the investigation is still fresh. A high-quality SAR narrative tells a clear chronological story: who the customer is, what activity was observed, why it is suspicious, and what predicate offense or red flags support the filing. Vague or incomplete SAR narratives reduce the intelligence value of the report and can result in regulatory feedback requesting resubmission.
How Do You Improve AML Investigation Efficiency?
Improving AML investigation efficiency requires addressing the three primary sources of investigative delay: alert noise, process inconsistency, and manual data gathering.
Reduce alert noise at the source. The single largest driver of investigative inefficiency is excessive false positives from transaction monitoring rules. Every hour analysts spend closing alerts that should never have fired is an hour not spent on genuine investigations. Behavioral risk scoring, which compares each customer against their own individual baseline rather than a universal threshold, reduces false positive rates and concentrates investigative resources on alerts with genuine risk indicators.
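The contrast between a universal threshold and a per-customer baseline, as an added Python example that is not code from the original article or from Flagright's product. The two 12-month wire histories, the $100,000 fixed rule and the 3.5 score cutoff are constructed assumptions. The score is a median/MAD robust z-score rather than a mean/standard-deviation one, so a handful of large historical wires cannot inflate a customer's baseline and mask the next anomaly; the flat-history fallback is likewise an assumption.

```python
"""Added example, not code from the original article: a universal threshold rule
next to a per-customer behavioral score. The histories, the $100,000 rule and the
3.5 score cutoff are constructed assumptions, not recommended settings."""
from statistics import median

FIXED_THRESHOLD = 100_000   # assumed universal "large outgoing wire" rule
SCORE_CUTOFF = 3.5          # assumed cutoff on the robust z-score below

# Constructed 12-month outgoing-wire histories: a commercial real estate
# developer and a salaried retail customer with about $60k stated income.
HISTORY = {
    "developer": [420_000, 510_000, 380_000, 615_000, 475_000, 530_000,
                  445_000, 590_000, 505_000, 460_000, 555_000, 490_000],
    "retail": [1_200, 950, 1_400, 1_100, 800, 1_250,
               1_050, 900, 1_300, 1_150, 1_000, 1_350],
}


def fixed_rule(amount, threshold=FIXED_THRESHOLD):
    """The universal rule: fires on amount alone, whoever the customer is."""
    return amount > threshold


def robust_z(amount, history):
    """Distance of `amount` from the customer's own median, in units of the
    median absolute deviation (MAD, scaled by 1.4826 to approximate one standard
    deviation for normal data). Median/MAD rather than mean/stdev so that a few
    large historical wires do not inflate the baseline and mask the next one."""
    med = median(history)
    mad = 1.4826 * median(abs(x - med) for x in history)
    if mad == 0:                # flat history: any change is a deviation (assumption)
        return float("inf") if amount != med else 0.0
    return (amount - med) / mad


def behavioral_rule(amount, history, cutoff=SCORE_CUTOFF):
    """The individual-baseline rule: fires only when the wire is unusual for this customer."""
    return robust_z(amount, history) > cutoff


def evaluate(amount, customer):
    """Both verdicts side by side, plus the score that drove the behavioral one."""
    hist = HISTORY[customer]
    return {"fixed": fixed_rule(amount),
            "behavioral": behavioral_rule(amount, hist),
            "score": round(robust_z(amount, hist), 2)}


if __name__ == "__main__":
    for amount, who in [(500_000, "developer"), (500_000, "retail"), (8_000, "retail")]:
        print(who, amount, evaluate(amount, who))
```

A $500,000 wire trips the fixed rule for both customers, but scores about 0.04 for the developer (a false positive avoided) and about 2,243 for the retail account. An $8,000 wire from the retail account passes the fixed rule entirely yet scores about 31 against that customer's own history, which is the kind of alert a universal threshold never generates. In production the baseline would also need a minimum history length and a guard against a customer slowly ratcheting their own baseline upward.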
Standardize the investigation workflow. Inconsistent investigation processes produce inconsistent outcomes and make it impossible to manage capacity reliably. Documenting a standard operating procedure for each investigation type — with defined steps, data sources, documentation requirements, and escalation criteria — ensures that every analyst follows the same process and that case quality does not vary by individual.
Automate data gathering. A significant portion of investigation time is consumed by manually pulling KYC data, transaction records, adverse media results, and sanctions screening outputs from multiple systems. Platforms that aggregate these data sources into a unified case view — presenting the investigator with all relevant information in one place at case opening — eliminate this overhead and allow analysts to spend their time on judgment rather than data collection.
Implement tiered case management. Not all alerts warrant the same depth of investigation. A robust triage process that routes low-complexity cases to a streamlined review workflow and reserves full investigation resources for complex or high-risk cases significantly increases throughput without reducing quality.
How Does Technology Support AML Investigations?
Modern AML compliance platforms support investigations by automating the data aggregation, alert generation, and workflow management steps that consume disproportionate analyst time in manual environments.
Flagright is an AML compliance platform built specifically for fintechs and neobanks. Its API-first architecture integrates with existing systems up to 70% faster than traditional implementations, with no coding knowledge required for compliance teams to configure rules, workflows, and risk scoring parameters. The platform provides real-time transaction monitoring, automated alert generation, case management, and SAR workflow support — enabling compliance teams to process higher alert volumes with greater consistency and less manual overhead.
Key capabilities that directly support the investigation process include real-time behavioral risk scoring that reduces false positive alert rates, unified case views that aggregate KYC, transaction, and adverse media data in one interface, configurable investigation workflows that standardize the process across analyst teams, and audit-ready documentation that captures every investigation step automatically.
Frequently Asked Questions
What is an AML investigation?
An AML investigation is a structured compliance review conducted to determine whether a customer's account activity constitutes money laundering, terrorist financing, or another financial crime. It begins with a trigger event — typically a transaction monitoring alert — and progresses through KYC review, activity analysis, elimination of normal behavior, and a final SAR filing determination.
What triggers an AML investigation?
The most common triggers are transaction monitoring alerts, adverse media hits, law enforcement referrals, internal staff reports of unusual behavior, and KYC trigger event reviews. Each trigger type routes the matter to a compliance analyst who conducts a structured investigation to determine whether the activity is suspicious.
What is a trigger event in AML?
A trigger event is any occurrence that initiates a compliance review of a customer's account activity. In AML, trigger events include automated transaction monitoring alerts, scheduled KYC review dates, significant changes in customer circumstances, adverse media hits, and law enforcement inquiries. The trigger event defines the starting point of the investigation but should not limit its scope.
How long does an AML alert investigation take?
Investigation timelines vary by complexity. Simple alerts — where normal activity explains the trigger and no additional suspicious indicators are present — can be closed in under an hour with good tooling and a standardized process. Complex investigations involving multiple accounts, cross-border activity, corporate structures, or potential predicate offenses can take days or weeks. Institutions should define target timelines for each investigation tier and track actual performance against those targets.
What is a SAR and when must it be filed?
A Suspicious Activity Report (SAR) is a formal report filed by a financial institution with its national Financial Intelligence Unit (FIU) when there are reasonable grounds to suspect that a customer's activity involves money laundering or terrorist financing. SAR filing obligations, thresholds, and timelines are defined by national AML legislation and vary by jurisdiction. In most jurisdictions, tipping off a customer that a SAR has been filed is a criminal offense.
What are the most common red flags in an AML investigation?
Common red flags include structuring activity designed to stay below reporting thresholds, rapid movement of funds through multiple accounts with no apparent business purpose, transactions inconsistent with the customer's stated occupation or business, use of high-risk jurisdictions or sanctioned payment corridors, unusual cash activity, reluctance to provide documentation, and complex beneficial ownership structures that obscure the ultimate owner of funds.
How do you standardize the AML investigation process across analyst teams?
Standardization requires documented SOPs for each investigation type, a consistent case management system that enforces workflow steps, calibration sessions where analysts review the same cases and compare determinations, regular quality assurance reviews of closed investigations, and clear escalation criteria for complex or high-value cases. Modern AML platforms can enforce workflow consistency automatically by requiring completion of defined steps before a case can be closed.
What is the difference between CDD and EDD in an AML investigation?
Customer Due Diligence (CDD) is the standard level of KYC review applied to most customers at onboarding and during periodic reviews. Enhanced Due Diligence (EDD) applies additional scrutiny — deeper source of funds verification, more frequent reviews, senior management approval — to customers who present elevated inherent risk, such as PEPs, customers in high-risk jurisdictions, or customers in cash-intensive industries. During an investigation, EDD information provides richer context for assessing whether activity is consistent with the customer's profile.
How do you investigate money laundering in a corporate account?
Corporate account investigations follow the same five-step framework but require additional focus on beneficial ownership structures, counterparty analysis, and the consistency of transaction volumes with the business's stated revenue and industry. Investigators should verify the legitimacy of key counterparties, assess whether the business's described activities align with its actual transaction patterns, and look for structures — shell companies, multiple layers of ownership, frequent inter-company transfers — that could be used to obscure the ultimate source or destination of funds.
What is the role of open-source intelligence (OSINT) in AML investigations?
OSINT — information gathered from publicly available sources including news media, company registries, court records, social media, and government databases — supports AML investigations by providing context that is not captured in institutional records. Adverse media searches, business registration lookups, sanctions list checks, and court record searches are all forms of OSINT used regularly in AML investigations. Modern compliance platforms integrate OSINT database searches directly into the case workflow, reducing the need for manual external research, though results still have to be verified against the customer file before they are relied on.
Conclusion
Effective AML investigations are not a function of analyst instinct — they are a function of process. A standardized five-step framework, applied consistently across every case, produces faster investigations, stronger SAR narratives, and more defensible compliance outcomes. The institutions that manage AML investigation volume without proportionally scaling headcount are those that have reduced alert noise at the source, standardized their workflows, and automated the data gathering that consumes analyst time without adding investigative value. Contact Flagright to see how real-time monitoring and unified case management can strengthen your investigation program from trigger to SAR.