Skip to main content

AIM accelerator introduction

Financial crime is rising at an unprecedented rate, and financial institutions continue to try to fight back. The suspicious activity must be investigated and reported to the relevant authorities in specific formats within tight timelines. Failure to do so can lead to escalating fines, damage to brand reputation, or even the closure of the institution.

With multiple systems that generate various alerts related to financial crimes, the appropriate staff must handle alerts by using differing processes and timelines. The required data is distributed across multiple systems of record (SOR) and commonly without any unified customer view.

Efficient management of all this complexity can prove an almost impossible challenge and result in delays and high manual costs.

Built upon Pega Foundation for Financial Services™, the Alert and Investigation Management (AIM) accelerator can help financial institutions through the use of the following features:

  • A single system to streamline the management of complex alerts and corresponding investigations.
  • A 360-degree Customer Master Profile and the ability to consolidate data from multiple SORs into one view.
  • Automatically routes the work to the right teams based on complexity, skills, and urgency.
  • Automatically enriches and displays key investigations without losing context.
  • Reduced manual work and prevented late submissions of suspicious activity to regulators and law enforcement with managed Service-Level Agreements (SLAs) and escalations.

Architecture of the solution

The following diagram provides a high-level overview of the solution. In AIM, alert-producing systems, such as Transaction Monitoring, initiate the Alerts. The Event-Driven Architecture receives the Alerts before handing off the Alert for processing through two key Case Types.

The following list outlines the terms and functional areas that comprise the AIM accelerator:

  • Alert: An Alert is a set of data generated by an Alerting system, such as Transaction Monitoring or Sanctions Screening. Alerts should contain sufficient information, directly or via reference IDs, to allow another system to process the Alert and take the appropriate business-driven actions. 
  • Alert reception (Event-Driven Architecture): The reception of Alerts is critical for AIM, which needs to manage Alerts coming from different systems and modules to ensure continuous regulatory compliance. For this purpose, the solution includes an infrastructural component, EDA, that facilitates the implementation of event-driven processes. The component manages the reception of Alerts and events from different sources and routes them to the appropriate applications and processes in charge of their resolution.
  • Alert Intake: The core function of the Alert Intake Case is to ingest each Alert that is received, ensure sufficient data and instructions are available to progress the processing of the Alert, and, where necessary, assign it to an Investigation Case. The system automatically creates an Alert Intake Case for each Alert.
  • Investigation: The core function of the Investigation Case is to provide a robust and efficient process whereby at least one Alert can be triaged and investigated and, on conclusion of the investigation, run potential Post-Investigation actions such as filing a Suspicious Activity Report to the necessary regulator.
  • Data Link Analysis: The Data Link Analysis (DLA) component maintains a network of key data related to Alerts and Investigations to support the investigation: Transactions, Accounts, and Subjects. The ability to visualize this network of data and relationships and apply filters accordingly helps investigators see the connections they need to complete their work.
  • Subject: A Subject is an individual or organization that is included in an Investigation. The relationship that the financial institution has with a Subject impacts the amount of data that is initially available. Subjects are categorized as follows: an active customer, a known related party of a customer, such as a beneficial owner of an existing customer, or an external party unknown to the financial institution. During the Alert Intake process, Subjects are extracted directly from the available data in the Alert. During the automated Enrichment Step in this Process the system can also automatically add additional Subjects to the Investigation as discovered. For example. A joint account holder of the Account included in an Alert.

Demonstration of AIM

The following videos demonstrate how:

  • A series of three Alerts from a Transaction Monitoring System are processed and merged into a single Investigation,
  • A member of the Level 1 team triages the initial Alert, and escalates to the Level 2 team.
  • A Level 2 team member take the Investigation during which two further Alerts are automatically merged in the Case and handled
  • Upon finalization of the Investigation activity an example Suspicious Activity Report (SAR) file is automatically generated for submission to the local regulator.

Alert triaging and Initial investigation


U Plus Bank’s transaction monitoring system generated an alert based on three cash transactions to one of its clients. The alert passed through an automated process in Pega Platform™ that enriched, indexed, and assigned the alert to a new Investigation Case. The system automatically and intelligently routed the work to the correct team based on factors such as urgency, skills, and complexity.

Level 1 investigator Vanessa Yu opens a new Investigation Case from her team’s Work Queue. All the information Vanessa needs to triage the alert is readily available. She clicks Preview to view the details of the Alert Case in the right pane without losing the context of her current task. After viewing the content of a few of the tabs, she clicks Data Network Analysis at the Investigation Case level. With the visualizer, Vanessa can clearly see the connections between all the key information and more quickly draw reliable conclusions.

Each of the three cash transactions was just under the reportable threshold of USD 10,000 and received from multiple people across a few days. Vanessa determines this requires escalation for further investigation. In the Conclusion section, she selects Confirm, and in the Rationale section, she selects Structuring activity identified. Then, for the Decision option, she clicks on Escalate. In the Escalate to list, Vanessa selects AML Investigation Level 2. She clicks Submit to escalate the Investigation Case to the Level 2 team.

Level 2 investigator, Carl Rios, opens the escalated Case to continue the investigation. He must carry out detailed research, conclude the investigation, and set which post-investigation activities to trigger.

Fortunately for Carl, there is easy access to the full customer profiles that U Plus created during the original onboarding by clicking Subjects. When he clicks Preview, he can view information including, but not limited to, Risk Profile, Regulatory details, Related Parties, and related Alerts and Investigations.

You have reached the end of the video.

New alerts merge and Data link analysis


While Carl actively continues his research, new alerts continue to arrive from the transaction monitoring system. Two of these alerts are automatically tagged as related to Carl's active Case. Following an automatic merge of the new alerts to the Case, a notification is provided.

Seeing the notification, Carl refreshes the Case by clicking Actions > Refresh. The new alerts are displayed in the Alerts list, and the counts in the left pane tabs are updated accordingly.

Moving to check the Subjects tab, he sees that three entities are now part of the investigation. Carl clicks Preview for First Dutch Investments to review the related party, noting that Earl Jackson was involved in the first alert.

Carl clicks Data Network Analysis. Again, the visualizer proves invaluable for making connections. By adjusting the filters, he can see the flow of funds between accounts or subjects. Clicking any of the items, the diagram displays additional, relevant information.

Carl determines that cash has flowed to Dawn Summer’s account, and joint account holder Willam Hang has sent those funds through two intermediary entities to First Dutch Investments. With Earl Jackson depositing some of the original funds but also being a KYC Significant party of First Dutch Investments, Carl concludes that a report must be filed with the local regulator. In the Conclusion section, Carl selects Confirm for the remaining Alerts, and in the Rationale section, he selects Large cash activity identified. With all alerts confirmed, for the Decision option, he selects Finalize investigation, and then proceeds by clicking Submit.

You have reached the end of the video.

Investigation finalization and suspicious activity report


In the Finalize investigation Step, Carl must complete the form by building out a narrative of his investigation findings.

In Conclusion list, Carl concludes that this is a Reportable suspicious activity. In Rationale section, the three alerts indicate the conclusion rationales across Structuring and Money Laundering, and in Post-investigation actions section, he wants a Suspicious activity report to be triggered as well as a Customer review carried out.

Manually preparing investigation narratives from scratch can be difficult, error-prone, and time-consuming. This is where Pega GenAI™ can help to reduce that effort greatly. Using the core Case data that is available, the system intelligently engineers a prompt which is then passed into Pega GenAI to produce a draft narrative. Of the two formats available, Carl selects the more detailed and prescriptive Generate report format. The Summary format allows Pega GenAI to be more creative with its output.

Carl reviews the draft report carefully and edits it as needed. In this demo, Carl proceeds by clicking Submit through the Review investigation conclusion step that allows for a review cycle with another colleague. The core investigation concludes, and the chosen post-actions are automatically triggered.

Finally, switching over to Money Laundering Reporting Officer Hubert Jones, he can see that the Suspicious Activity report process is well underway for this investigation. He clicks the SAR Case to open it. By combining all the necessary data from the Case and the finalized narrative, the system automatically creates a document to file with the local regulator. In this example, the document uses the GoAML format from the United Nations Office of Drugs and Crime, which is actively used by 65 countries worldwide.

You have reached the end of the video.

Check your knowledge with the following interaction:

This Topic is available in the following Module:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice