Transaction Monitoring Utility

Version: 2.5 Last Updated: May 2026

Component Overview

The Transaction Monitoring utility is a financial crime alert triage and case-management application built on the DataFab core framework. It evaluates customer alerts using a self-organizing DAG rule chain, orchestrates the operational workflow per tenant via a tenant-scoped BPMN engine, enriches subjects and counterparties through OSINT and watchlist screening, runs straight-through processing for clear cases, and supports analysts with an explainable decision-support surface and human-in-the-loop review for high-risk decisions. The utility produces three structured outcomes — Close, Request for Information (RFI), and Escalate (SAR) — each backed by an immutable chain trace, a workflow audit, and, where applicable, a regulatory filing pack.

The utility is delivered as a single coherent surface: alert intake, rule-based assessment, OSINT and screening enrichment, decisioning, workflow execution, analyst dialog, SAR filing, outreach, dashboards, and policy management — all under unified tenant scoping and audit.

Capabilities:

Capability	Description
Multi-tier DAG Chain	13-tier rule graph (tiers 0–12) with 69 registered rules covering intake, baseline, deviation, tagging, patterns, context, OSINT, gaps, composite scoring, risk scoring, decision routing
Self-Organising Rule Graph	Rules declare inputs, outputs, dependencies; the executor infers parallelism, ordering, and skip conditions
Transaction Tagging	Sixteen tagging rules with precedence resolution (salary, benefits, pension, rent, bills, gambling, MSB, crypto, cash, family, own-transfer, etc.)
Pattern Detection	Unexpected credits / debits, pass-through, turnover inconsistency, third-party activity, rapid 48h cycles, velocity bursting, rounded-amount structuring
Relationship Analysis	Counterparty strength classification, breach detection, indirect linked-party discovery via Text-to-Cypher rules
Knowledge-Graph Evidence	Graph-database-backed evidence for unregulated / shell entity classification and indirect-link discovery
OSINT and Watchlist Screening	Per-source OSINT snapshots with primary-subject auto-trigger, counterparty extraction, conflict adjudication; tenant-selectable screening lists
Customer Profile and Behavioural Intelligence	Subject-centric profile combining KYC, expected behaviour, derived baselines, and recent activity signals
Anomaly Detection	Statistical and rule-driven anomaly metrics over baseline, focus period, and counterparty interactions
Evidence Assembly	Per-case evidence pack compiling chain trace, OSINT snapshots, screening hits, transactions, and graph paths
Linked Accounts and Flow of Funds	Cross-account heuristics and flow-of-funds graph linking subject accounts and counterparties across the focus period
Composite Scoring	Weighted aggregation by domain (suspicion 0.70 / materiality 0.30), with confidence and benign mitigant adjustments
Decision Routing	SAR / RFI / Close routing with score thresholds, confidence floor, and hard-override reason codes
Tenant Workflow (BPMN)	Per-tenant BPMN workflow defining post-decision operational handling — SAR pipeline, outreach loop, approval gates
Explainability and Decision Support	Graph-to-narrative rendering, structured recommendations, multi-step Human-in-the-Loop wizard, grounding validator
SAR Filing Pipeline	Multi-jurisdiction SAR templates (FinCEN, NCA), versioned revisions, multi-stage approve / reject, audit aggregator
Outreach Gap Detection	Automated identification of evidence gaps from skipped rules, low-confidence findings, missing KYC; auto-generated outreach questions
Straight-Through Processing	Auto-close of clear cases through deterministic agents with hard guards on SAR / escalation and tenant-scoped exclusion configuration
Dashboards and Analytics	Productivity, compliance, and AI-agreement metrics with unified drill-down
Policy Management and Testing	Versioned policies (rule chain, BPMN, freetext rules) with create / activate / rollback, hot reload, ground-truth testing, regression diff
Historical Alerts and SARs	Per-customer history of prior alerts, decisions, RFIs, and filed SARs surfaced into the live case
Investigation Case	Client-centric case binding alerts, transactions, evidence, decisions, notes, and the full audit timeline
Case Notes and Decision Record	Structured analyst notes and final decision rationale persisted with reviewer identity and version history
Case Event Log and Notifications	Append-only case event log driving in-app and channel notifications to assigned reviewers
Analyst Workbench	Suite of Studio Widgets surfaced in the dialog and canvas: graph renderer, visual link analysis, evidence panel, typologies drawer, baseline + spike chart, raw-transactions table, linked-flow-of-funds, counterparty analysis, account switcher, anomaly metrics, recommendations cards, quick-action toolbar, audit-trail timeline, mobile / tablet responsive
Analyst Dialog	Playbook-driven dialog exposing rule catalog, deep dives, dashboards, alert query, decision explanation, recommendations, narrative, SAR pack, policy testing
Chain Trace	Full DAG (nodes, edges, parameters, scoring, decision) persisted on the analysis record

Architecture Overview

┌───────────────────────────────────────────────────────────────────────┐
│                TRANSACTION MONITORING UTILITY                         │
├───────────────────────────────────────────────────────────────────────┤
│                                                                       │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    DATA SOURCES                                 │  │
│  │  Core Banking │ KYC │ Sanctions / PEP │ Adverse Media │ OSINT   │  │
│  │  via Knowledge Fabric MCP Connectors                            │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    KNOWLEDGE GRAPH                              │  │
│  │  Subject │ Counterparties │ Linked Parties │ Account Links      │  │
│  │  Entity Resolution │ Regulatory Markers                         │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    DAG RULE CHAIN (69 rules)                    │  │
│  │  Tier 0  Intake (Alert + KYC)                                   │  │
│  │  Tier 1  Baseline (12-month rolling stats)                      │  │
│  │  Tier 2  Deviation (historic + focus period)                    │  │
│  │  Tier 3  Focus Set Merge                                        │  │
│  │  Tier 4  Tagging (16 rules + precedence + aggregation)          │  │
│  │  Tier 5  Pattern Detection                                      │  │
│  │  Tier 6  Context Rules (relationships, SoF, regulation)         │  │
│  │  Tier 7  OSINT Evidence Pack                                    │  │
│  │  Tier 8  OSINT Adverse Press                                    │  │
│  │  Tier 9  Gap Analysis + Adverse Media + Linked Parties          │  │
│  │  Tier 10 Composite (typology, materiality, mitigant)            │  │
│  │  Tier 11 Risk Scoring                                           │  │
│  │  Tier 12 Decision Router → Close / RFI / SAR                    │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    ANALYTICAL SERVICES                          │  │
│  │  OSINT + Screening │ Customer Profile + Behavioural Intelligence│  │
│  │  Anomaly Detection │ Linked Accounts + Flow of Funds            │  │
│  │  Evidence Assembly │ Historical Alerts and SARs                 │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    EXPLAINABILITY + DECISION SUPPORT            │  │
│  │  Graph-to-Narrative │ Recommendations │ HITL                    │  │
│  │  Grounding Validator                                            │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    DECISION OUTPUT                              │  │
│  │  Final Normalized Risk Score (0–100)                            │  │
│  │  Decision (Close / RFI / SAR)                                   │  │
│  │  Hard-Override Reason │ Chain Trace                             │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    TENANT WORKFLOW (BPMN)                       │  │
│  │  Post-decision workflow per tenant │ SAR pipeline               │  │
│  │  Outreach loop │ Approval gates                                 │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │              STRAIGHT-THROUGH PROCESSING                        │  │
│  │  Deterministic agents auto-close clear cases                    │  │
│  │  SAR / escalation hard guard │ Tenant exclusion config          │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    INVESTIGATION CASE                           │  │
│  │  Client-centric case │ Notes + Decision Record                  │  │
│  │  Event Log + Notifications │ Audit Trail                        │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    ANALYST WORKBENCH (Studio Widgets)           │  │
│  │  Graph Renderer │ Visual Link Analysis │ Evidence Panel         │  │
│  │  Typologies Drawer │ Baseline + Spike Chart │ Raw Tx Table      │  │
│  │  Linked Flow of Funds │ Counterparty Analysis │ Account Switcher│  │
│  │  Anomaly Metrics │ Recommendations Cards │ Quick-Action Toolbar │  │
│  │  Audit Trail Timeline │ Decision + Notes │ Mobile / Tablet      │  │
│  └─────────────────────────────────────────────────────────────────┘  │
│                              │                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    ANALYST SURFACE                              │  │
│  │  Case List + Drill-Down │ Error Queue │ Dashboards              │  │
│  │  Dialog Playbook │ SAR Filing UI │ Policy Management            │  │
│  └─────────────────────────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────────────────────────┘

Domain and Schemas

Entity	Description
Subject	The customer / account holder under review
Account	Subject’s account; current vs savings drives baseline behaviour
Transaction	Individual debit or credit; tagged, scored, focused
Counterparty	Other side of the transaction; classified as regulated / unregulated / shell / unknown
Linked Party	Entity related to the subject indirectly (shared account, common reference, business link)
Alert	The triggering event being investigated
Case	The end-to-end record progressing through the lifecycle, holding decisions, evidence, workflow state
Analysis Record	Persisted result of a chain run, including the full chain trace
OSINT Snapshot	Per-source evidence record with provider, fetched-at, version, payload
SAR Pack	Structured filing artefact (jurisdiction-specific) with versioned revisions
Workflow Instance	Running BPMN workflow instance bound to a case

Relationship	Description
HOLDS	Subject → Account
TRANSACTED_WITH	Account → Counterparty
LINKED_TO	Subject → Linked Party (graph-discovered)
CLASSIFIED_AS	Counterparty → Regulatory Class
ASSOCIATED_WITH	Counterparty → Adverse Media / Sanction / PEP record

Schemas are managed by the Schema Registry (Schema Management). Schema changes are versioned and gated.

Data Sources

Source	Purpose	Integration
Core Banking	Transaction history, account metadata, balance	MCP Connector / direct DB
KYC	Subject profile, declared source of funds, employment, address	MCP Connector
Sanctions / PEP Lists	Watchlist screening	Screening Service + tenant-selected watchlists
Adverse Media	News and press signals	OSINT integration (see Graph Operations › External Source Integration)
Counterparty Reference	Regulated-entity registers, company registries	OSINT
Behavioural Profiles	Historical transaction baselines and tags	Computed from Core Banking

Connection security (see 02-Architecture: Connectivity, 03-Knowledge-Fabric: MCP Connectors):

Control	Implementation
Connection Method	MCP Connector via VPN tunnel or Private Link
Direction	Inbound (read); outbound only for case-management write-back where contracted
Credential Storage	Encrypted vault (AES-256-GCM) with role-based access
Connection Audit	All connection attempts logged with user, timestamp, result
Rotation	Credentials rotated every 90 days; on-demand for incident response
Quality Monitoring	Availability, latency, error rate, data quality score

DAG Rule Chain

The Transaction Monitoring chain is the canonical example of a DAG Rule chain (see Graph Operations › DAG Rules). The platform ships 69 rules out of the box, organized into 13 tiers — but the rule chain is fully customizable: customers can author additional rules, adjust weights and thresholds, group rules into custom typology domains, and disable platform-shipped rules where their methodology differs. The chain’s self-organisation (declared inputs / outputs / dependencies, parallel-safety flag, dependency-not-met handling) means changes do not require manual workflow rewiring.

Tier Structure

The 13 tiers express the data-flow phases of the chain. Each tier may contain any number of rules, including customer-authored rules.

Tier	Block	Purpose
0	Intake	Capture alert trigger and customer profile into context
1	Baseline	Period aggregations, baseline statistics, period-over-period deltas, balance flow
2	Deviation	Historic-deviation classification; identify focus period and its drivers
3	Focus Merge	Union of flagged periods into the focus transaction set
4	Tagging	Categorise transactions (income, transfers, expenditure, cash, MSB, crypto, gambling, etc.) with precedence resolution
5	Patterns	Typology pattern detection (unexpected flows, pass-through, third-party, rapid movement, velocity, structuring)
6	Context	Apply customer context: source-of-funds risk, relationship breaches, counterparty regulatory class, linked accounts
7	OSINT Evidence	Assemble OSINT evidence pack for subject and priority counterparties
8	OSINT Press	Adverse-press classification
9	Gaps and Media	Expected-use gaps, knowledge gaps, adverse media, linked-party evidence
10	Composite	Aggregate signals into typology strength, materiality band, benign mitigant
11	Risk Score	Compose final risk score from severity, materiality, confidence, and mitigant
12	Decision	Apply thresholds and hard overrides; route to Close / RFI / SAR; produce structured output packs

Rule Classes

The platform ships rules in well-defined classes. Each class has a stable contract; new rules are authored by adding members to a class and wiring them into the chain. Rules within a class share an output shape, so downstream rules can consume them uniformly.

Class	Purpose	Typical Output
Intake	Capture trigger and ground-truth profile	Subject context, expected-behaviour assumptions
Baseline	Compute statistical baseline from history	Per-period metrics, percentiles, deltas
Deviation	Detect material divergence from baseline	Flagged periods + driver attribution
Tagging	Categorise transactions by purpose / nature	Per-transaction tag with precedence-resolved family
Pattern	Detect a typology pattern over the focus set	Typology severity (0–1) with reason codes
Relationship	Classify counterparties and linked parties	Strength bands, regulatory class, breach flags
Knowledge Gap	Identify missing or ambiguous input	Gap codes for outreach generation
OSINT	Assemble or classify external-source evidence	Material / NonMaterial / None classification
Composite	Aggregate other rules’ outputs	Typology strength, materiality band, benign mitigant
Risk Score	Convert evidence into a 0–100 score	Final risk score
Decision	Apply thresholds and hard overrides	Decision (Close / RFI / SAR) and reason codes
Output Pack	Produce structured outputs for downstream consumers	RFI pack, SAR pack

Rule Logic Patterns

The Rule Engine supports several logic patterns that may be used alone or in combination within a rule. Customers may use any combination when authoring custom rules; every pattern is bound by the same execution-context, schema, and audit contract.

Logic Pattern	Description
Threshold	Compare a numeric input against a configurable threshold
Statistical	Compute a statistic (mean, percentile, coefficient of variation, ratio) over a configurable window
Aggregation	Aggregate transactions, tags, or counterparties over a period
Window	Detect activity within a configurable time window (e.g., a 48-hour velocity window)
Boolean Conditional	Combine boolean predicates with AND / OR / NOT
Pattern Matching	Match references, merchant categories, or structured fields against governed lists
Graph Query	Issue a Text-to-Cypher query against the knowledge graph (with mandatory deterministic fallback)
LLM-Assisted	Use the LLM Router for a bounded reasoning step with grounding validation
Composite	Read other rules’ outputs from the chain trace and aggregate
Hard Override	Force a decision regardless of score (sanctions hit, confirmed fraud, etc.)

Customer-Authored Rules and Tenant Customization

Every governable artefact in the chain is tenant-customizable. The utility ships sensible defaults; customers can author additional rules, adjust weights and thresholds, and disable platform-shipped rules where their methodology differs. All changes flow through Policy Management (versioning, ground-truth testing, hot reload) and are audited.

Customisation	Detail
Custom Rules	Customers author new rules in any class using any logic pattern; rules go through the same registry, declared inputs / outputs / dependencies, parallel-safety flag, and audit
Freetext Rules	Declarative rules expressed in business-readable form for non-technical authoring; bound by schema and grounding validator
Per-Tenant Weights	Per-rule weights in the suspicion aggregate are tunable per tenant
Per-Tenant Thresholds	SAR / RFI / confidence thresholds are tunable per tenant
Per-Tenant Rule Enable / Disable	Platform-shipped rules can be disabled per tenant; chain self-organisation handles the absence cleanly via dependency-not-met reason codes
Custom Tag Families	Tagging-rule families can be extended (e.g., new merchant categories, jurisdiction-specific patterns)
Custom Hard Overrides	Customers can register additional hard-override reason codes
Custom Typology Domains	Customers can group rules into custom typology domains for scoring caps and convergence bonuses
Custom Output Packs	Tenants can extend the RFI and SAR output-pack rule classes for jurisdiction-specific templates
Policy Versioning	Every change is versioned; activation is approval-gated and tested against ground-truth
Hot Reload	Activated changes apply without service restart; in-flight cases complete on their starting version

Scoring Configuration

Field	Default	Description
Suspicion Weight	0.70	Weight on rule-severity aggregate
Materiality Weight	0.30	Weight on materiality band
Domain Groups	A–E	Groupings of rules with caps and convergence bonuses; tenant-extensible
Confidence Max Reduction	−10%	Maximum reduction applied when knowledge-gap rules indicate weak evidence
Benign Max Reduction	−5%	Maximum reduction applied when benign-mitigant rules indicate plausible legitimate context
Per-Rule Weights	Tunable	Weight applied per rule in the suspicion aggregate

Decision Configuration

Field	Default	Description
SAR Threshold	80.0	Final score above which decision is SAR
RFI Threshold	55.0	Final score above which decision is RFI (subject to confidence floor)
Confidence Threshold	0.70	Minimum confidence to issue an RFI
Hard Overrides	Sanctions Hit, PEP Hit, Material Adverse Media (extensible per tenant)	Reason codes that force SAR regardless of score

Graph-Query Rules

Rules in any class may use the Graph Query logic pattern (Text-to-Cypher; see 13-Graph-RAG: Text-to-Cypher Rules) to consult the knowledge graph for evidence the transaction-level data alone cannot provide — for example, classifying counterparties by regulatory status, discovering indirect linked parties through shared accounts or common references, or boosting a third-party-pattern signal with graph context.

Every graph-query rule must declare a deterministic fallback for use when the graph query is unavailable, returns an unexpected shape, or breaches the resource budget. Without a declared fallback, the chain rejects the rule at registration. This enforces the principle that no graph-query failure can silently change a decision.

Chain Trace

Every chain run persists a chain trace on the analysis record.

Field	Description
`chain_id`	Versioned chain identifier
`typology`	Human-readable label of the chain
`started_at` / `completed_at`	ISO timestamps
`total_duration_ms`	End-to-end duration
`nodes`	Per-rule entries (id, tier, key, status, duration, output summary, reason codes)
`edges`	Inferred data-flow edges between rules
`parameters`	Effective parameter values used
`scoring`	suspicion_inputs, suspicion_score, materiality_score, confidence_factor, mitigant_factor, final_risk_score
`decision`	`Close` / `RFI` / `SAR`
`hard_override_triggered`	Reason code if any

OSINT and Watchlist Screening

OSINT and screening are first-class evidence sources for the chain. Both feed scoring inputs (the OSINT rule class) and both surface independently to analysts through the dialog and case surface.

OSINT Snapshots

Every OSINT enrichment captures a per-source snapshot rather than a single aggregated result, so analysts can see exactly which provider returned which signal and when.

Aspect	Detail
Per-Source Snapshot	Each call to an OSINT provider produces a separate snapshot with provider identifier, version, fetched-at timestamp, and evidence payload
Primary-Subject Auto-Trigger	OSINT enrichment fires automatically on case intake for the primary subject
Counterparty Extraction	Counterparties identified in transactions are surfaced for OSINT enrichment
Adjudication	Conflicting signals across sources (e.g., adverse-media positive vs. sanctions clear) are presented with provenance for analyst adjudication; the adjudication outcome is persisted
Lifecycle Refresh	Snapshots are refreshed on case re-open or analyst-initiated re-screen

Watchlist Screening

Screening uses the platform’s Screening Service. Watchlists are catalogued globally; the selection of which watchlists to apply is tenant-specific and per-check, so different tenants can prioritise different list sets without operating distinct screening services.

Aspect	Detail
Catalogue	Global list of available watchlists with version and record count
Tenant Configuration	The tenant nominates the subset of watchlists eligible for compliance use
Per-Check Selection	Each screening call carries the explicit watchlists to apply
Hit Persistence	Hits stored with similarity score, match type, source watchlist, and reviewer status
Reviewer Workflow	Analysts mark hits `relevant` / `irrelevant` with optional notes; reviewer ID and timestamp persisted

Customer Profile and Behavioural Intelligence

The Customer Profile is the subject-centric view that combines static KYC attributes with derived behavioural signals. It is the analyst’s grounding for “what should normal look like for this customer?” and feeds into baseline rules, expected-use gap detection, and outreach question generation.

Aspect	Detail
Static Profile	KYC attributes (employment, age, declared source of funds, residency, account type) sourced from the Knowledge Fabric
Expected Behaviour	Derived expected income, expected counterparties, expected outflow categories, expected balance range
Baseline Snapshot	12-month rolling baseline statistics (averages, percentiles, month-over-month deltas, balance flow)
Recent-Activity Signals	Tag distributions, counterparty mix, velocity indicators over the focus period
Linked Accounts	Subject’s other accounts surfaced for cross-account inspection (see Linked Accounts and Flow of Funds)
Surface	Surfaced through a dedicated Studio Widget with an account switcher to move between the subject’s accounts

The Customer Profile is read-only from the analyst’s perspective; modifications go back through the source-of-record systems and are reflected through the Knowledge Fabric on next sync.

Anomaly Detection

Anomaly Detection is an analytical service consumed by both the rule chain (Tier 1 / 2 baseline-deviation rules) and the analyst surface (anomaly metrics widget). It quantifies how unusual the alert period is relative to the customer’s own history and to peer cohorts.

Anomaly Class	Description
Baseline Deviation	Magnitude of deviation of focus-period metrics from the 12-month rolling baseline
Spike / Trend Classification	Distinguishes one-off spikes from sustained-trend deviations across the focus window
Velocity Anomaly	Peak activity in any 48-hour window vs. the customer’s mean daily rate
Counterparty Anomaly	New / unfamiliar counterparties carrying material value, or breach of historic counterparty levels
Pattern Anomaly	Round-amount structuring indicators, pass-through indicators, rapid in-out cycles
Tag-Distribution Anomaly	Shifts in the mix of transaction tags vs. the customer’s historic profile

Anomaly metrics are surfaced in the analyst surface alongside the contributing chain-trace rules so the analyst can see the rule-based reasoning and the underlying numeric signal in one place.

Evidence Assembly

Evidence Assembly compiles every artefact bearing on a case into a single coherent evidence pack. It is the source of truth for the SAR pack, the RFI pack, the analyst evidence panel, and the audit trail.

Evidence Type	Source
Chain Trace	DAG run nodes, edges, parameters, scoring, decision
OSINT Snapshots	Per-source snapshots captured during enrichment
Screening Hits	Per-watchlist hits with reviewer status
Transactions	Raw transactions in the focus set, with tags
Linked-Party Evidence	Graph paths and shared-account heuristics
Customer Profile	Static KYC + derived behavioural baseline
Anomaly Metrics	Numeric anomaly signals per class
Dialog Turns	Analyst-issued questions and tool calls relevant to the case
Recommendations	Recommendations issued during the investigation
Notes and Decisions	Analyst notes, intermediate decisions, final decision rationale

The evidence pack is append-only and traceable: every entry carries the source, timestamp, and (where applicable) the actor. The grounding validator (see Explainability) blocks any narrative or recommendation that cannot be traced to a persisted evidence entry.

Linked Accounts and Flow of Funds

Linked Accounts and Flow of Funds is the cross-account view: it identifies other accounts associated with the subject, surfaces shared-counterparty patterns, and renders the directional flow of funds through the focus period.

Capability	Detail
Linked-Account Heuristics	Detects subject’s other accounts via shared counterparties, common references, and graph adjacency
Cross-Account Pattern Detection	Identifies coordinated activity across linked accounts (e.g., funds entering one account and exiting another)
Flow-of-Funds Rendering	Directional graph rendering of inbound and outbound flows across the focus period, with material-value emphasis
Counterparty Analysis	Per-counterparty rollup: total value, frequency, classification (regulated / unregulated / shell), reviewer status
Account Switcher	Analyst can pivot the workbench between any of the subject’s linked accounts
Persistence	Linked accounts attached to the case; reviewer can mark linkages confirmed / disputed with audit

The Linked Flow of Funds is rendered as a dedicated Studio Widget in the canvas surface; the Visual Link Analysis widget supplements it with relationship-level navigation across linked parties (see Graph Operations › Knowledge Graph for Operations).

Historical Alerts and SARs

Every case carries the customer’s history of prior alerts, decisions, RFIs, and filed SARs. This history is surfaced into the live case so the analyst sees the full pattern over time, not just the current trigger.

Aspect	Detail
Historical Alerts	Prior alert records with decision, score band, contributing rules, reviewer
Historical RFIs	Past RFIs, customer responses, time-to-response
Historical SARs	Filed SARs with template, jurisdiction, filer, filing date
Pattern Extraction	Recurrence patterns (e.g., similar typology three times in twelve months) flagged as material context
Cross-Customer Comparison	Optional anonymised cohort context (e.g., “this score is at the 92nd percentile for similar customers”)
Surface	Dedicated Historical Alerts and SARs widget in the workbench, plus tools in the analyst dialog

History is read-only and tenant-scoped; cross-tenant comparison is permitted only in anonymised aggregate.

Investigation Case, Notes, and Event Log

The Investigation Case is the client-centric record that binds together every artefact in a single audit-ready record. Cases are unified across alerts, RFIs, and SARs; one customer relationship maps to one investigation case timeline.

Aspect	Detail
Client-Centric Case	One case per customer relationship; multiple alerts within the same case roll up to a unified timeline
Case Notes	Structured analyst notes; markdown-supported; reviewer identity + timestamp; immutable history with edit revisions
Decision Record	Final decision rationale captured as a structured note + reason codes; required to close a case
Case Event Log	Append-only event log: alert received, rule run, decision issued, RFI sent, SAR drafted, note added, hit reviewed, etc.
Notifications	Notifications dispatched to assigned reviewers on key events (escalation, RFI response, SAR review needed) — surfaced in-app and through configurable channels
Audit Trail Timeline	Audit-trail timeline rendering in the workbench, showing the case lifecycle from intake to closure

The case event log is the foundation for the audit trail. Every action — automated or analyst-driven — appends an event with actor, timestamp, and payload reference. Notes and the decision record are versioned; prior versions are preserved.

Analyst Workbench

The Analyst Workbench is the unified investigation surface. It is composed of Studio Widget Types bound to the analyst playbook (see Dialog › Playbook-Based Communication — Widget Bindings) so the dialog can render any of these widgets inline as part of a response, in the canvas surface, or both.

Widget	Purpose
Graph Renderer	Interactive rendering of the subject + counterparties + linked-party knowledge subgraph
Visual Link Analysis (VLA)	Relationship-level navigation across linked parties with depth, filter, and pivot controls
Evidence Panel	Inline view of the evidence pack assembled for the case (chain trace, snapshots, hits, transactions, paths)
Identified Typologies Drawer	Drawer surfacing matched typologies and the contributing rules / domain-group breakdown
Baseline + Spike Chart	Time-series rendering of monthly baseline metrics with focus-period spike overlays
Raw Transactions Drill-Down Table	Sortable / filterable raw-transaction table for the focus period and any drill-down selection
Linked Flow of Funds	Directional flow-of-funds graph across linked accounts and counterparties
Counterparty Analysis	Per-counterparty rollup with classification, reviewer status, value, and frequency
Account Switcher	Pivot between the subject’s linked accounts without leaving the workbench
Anomaly Metrics Display	Numeric anomaly signals (baseline deviation, velocity, counterparty, pattern, tag-distribution)
Historical Alerts and SARs	Customer history with prior alerts, RFIs, and filed SARs
Recommendations Cards	Card-based rendering of decision-support recommendations with accept / edit / reject actions
Quick-Action Toolbar	One-click actions: assign, escalate, request RFI, draft SAR, mark hit reviewed, close
Decision + Notes	Inline notes editor plus the structured decision record (required reason codes for closure)
Audit Trail Timeline	Timeline rendering of the case event log
Customer Profile Card	Static KYC + derived behavioural intelligence in a single inspection card
Per-Case AI Chat	Embedded dialog playbook scoped to the active case context

The workbench is mobile- and tablet-responsive: every widget supports the dialog and canvas view types and adapts to narrow viewports for analyst review on the move.

Widget rendering and tool authorization follow 04-Studio (Widget Types, Tool Authorization) and 15-Dialog (Widget Rendering); ad-hoc widgets cannot be invoked outside the playbook’s bound widget catalogue.

Tenant Workflow (BPMN)

The platform’s BPMN workflow engine (see Graph Operations › Graph Workflows) drives the operational lifecycle of every case. Each tenant declares an active BPMN workflow version that defines:

post-decision handling (Close / RFI / SAR);
the SAR filing pipeline including approval gates;
the outreach loop following an RFI;
any tenant-specific approval, escalation, or notification gates.

Aspect	Detail
Tenant Binding	Active workflow version per tenant; immutable version history; all changes approval-gated
Authoring	Visual BPMN editor available to authorised tenant administrators
Triggering	Workflow instances are created at decision and lifecycle events on the case
Audit	A BPMN-instance trace is persisted alongside the chain trace; every step records actor, decision, duration
Versioning	Workflow versions are immutable; in-flight cases complete on the prior version after activation of a new one
Governance	Workflow changes follow the same change-control discipline as rule and policy changes

Explainability, Decision Support, and Human-in-the-Loop

To support the analyst in understanding and acting on a chain decision, the utility ships an explainability and decision-support surface backed by a grounding validator that prevents fabrication.

Capability	Detail
Graph-to-Narrative	Renders an analyst-readable narrative of the alert / case from the chain trace and the knowledge-graph evidence
Decision Recommendation	The chain’s decision (Close / RFI / SAR) is presented alongside reason codes and contributing rules
Recommendations Engine	Surfaces ordered next-best-actions to the analyst (e.g., issue an RFI question, request additional KYC, refer to senior analyst)
Multi-Step HITL Wizard	High-risk decisions are walked through a multi-step Human-in-the-Loop wizard; each step is auditable and reviewable
Grounding Validator	Every assertion in the narrative or any recommendation must be traceable to a persisted source — chain trace, OSINT snapshot, transaction, KYC field. Ungrounded output is rejected before render

All LLM-driven steps in this surface route through the platform LLM Router with model provenance recorded (see AI & LLM).

SAR Filing Pipeline

The SAR pipeline orchestrates a draft → review → approve / reject → file workflow on top of the unified Case model. Multi-jurisdiction templates (FinCEN, NCA) are bundled; tenants may extend the catalogue.

Capability	Detail
Templates	FinCEN and NCA filing templates supplied; tenants may add jurisdiction-specific templates
Drafting	Draft generated from chain trace, OSINT snapshots, transactions, dialog turns; structured by template sections
Multi-Stage Approval	Approve / reject at each stage with reviewer identity, timestamp, justification
Versioned Revisions	Every revision is versioned; diffs preserved between versions
Audit Aggregator	Compiles the full evidence pack (chain trace, OSINT snapshots, screening hits, transactions, dialog turns, recommendations) into the SAR record
Moratorium Handling	Surface for moratorium tracking on filed cases
Filing Audit	Filing events recorded with filer, recipient, timestamp

Outreach Gap Detection

When evidence is insufficient — a rule was skipped due to missing input, a knowledge-gap rule fired, KYC fields are missing, or a signal was OSINT-only — the platform automatically identifies the gap and proposes outreach questions to the customer.

Gap Source	Outreach Output
Skipped rule (`DEPENDENCY_NOT_MET`, `PRECONDITION_NOT_MET`)	Question targeted at the missing input
Low-confidence finding (knowledge-gap rule)	Clarifying question on the affected attribute
Missing KYC field	Direct request for the field
Evidence-only-from-OSINT signal	Customer-side corroboration question

Generated outreach questions are surfaced as auto-created recommendations in the analyst recommendations panel and through a dialog tool. Analysts accept, edit, or reject before issuing the RFI.

Straight-Through Processing

For clear cases, the platform supports straight-through processing through deterministic agents (see Graph Operations › Graph Workflows) that auto-close the case without analyst review.

Aspect	Detail
Decision Service	Deterministic agent service evaluates whether a case is eligible for auto-close
Hard Guard	SAR / escalation / hard-override cases never auto-close, regardless of score
Tenant Exclusion Configuration	Tenants may exclude specific cohorts (e.g., new customers within first 90 days) from STP; exclusions are tenant-scoped, change-controlled, and logged
Metrics	Auto-close rate, exclusion-config impact, AI-versus-analyst agreement; all surfaced on the dashboard
Audit	Every auto-close logged with case ID, score, exclusion match, agreement signal, and effective policy version

The deterministic-agent step takes no probabilistic decisions; eligibility is computed from the chain trace, exclusion configuration, and hard-override flags.

Dashboards and Analytics

Metric Category	Examples
Productivity	Cases per analyst per day, average time-to-decision, queue depth
Compliance	SAR conversion rate, outreach response rate, escalation accuracy
AI Agreement	AI-versus-analyst decision agreement, override rate, override-reason mix
Quality	Per-rule match rate, hard-override frequency, grounding-failure rate

Each dashboard tile supports unified drill-down to the underlying cases.

Policy Management and Testing

Every governable artefact in the utility — DAG rule chain, tenant BPMN workflow, freetext rules, scoring weights, decision thresholds — is managed through a unified Policy Versioning surface.

Capability	Detail
Policy Versioning	Generic versioning over rule chains, BPMN workflows, freetext rules, scoring config, decision config
Activate / Rollback	Versioned activation with one-click rollback; no service restart required
Hot Reload	Activation takes effect without restart; in-flight cases complete on their starting version
Ground-Truth Datasets	Curated case sets with expected decisions and rationale
Policy Test Runner	Runs a candidate policy across the dataset; produces eval metrics (precision, recall, agreement-with-historical-decision)
Regression Diff	Per-case decision delta of the candidate policy versus the active policy
Approval	Activation is approval-gated; testing is required before activation
Audit	Every create, activate, rollback, and test run is logged with author, approver, and outcome

Policy testing prevents silent drift: an analyst cannot promote a candidate policy without seeing the regression impact against ground-truth data.

Case Management Surface

The analyst surface unifies case lookup, filtering, drill-down, error handling, and ad-hoc ingestion.

Surface	Capability
Case List	Multi-filter, role-aware, with assignee picker; saved filter sets per analyst
Drill-Down	Unified across alerts, cases, dashboards, policy tests, STP metrics
Error Queue	Ingestion / pipeline / chain failures listed for triage with retry / dismiss / escalate actions
Standalone Ingestion	KYC and transaction uploads independent of the bank pipeline (for ad-hoc reviews and back-test scenarios)

User Management

User identity, roles, tenants, and feature flags are managed through the Knowledge Fabric and consumed by the utility through the platform identity layer.

Aspect	Detail
Identity Authority	Knowledge Fabric is the source of truth for users, roles, and tenants
Authentication	Bearer-token authentication validated at the API gateway against Knowledge-Fabric-issued tokens
Role Mapping	Utility roles (Analyst, Senior Analyst, Operations Manager, Auditor) mapped onto the platform role taxonomy
Tenant Resolution	Tenant resolved per request from token claims; cross-tenant access is denied at every layer
Feature Flags	Per-tenant feature flags evaluated against Knowledge Fabric attributes (role, tenant, group)
Lifecycle Webhooks	User-lifecycle events (create / disable / role change) propagate to utility state

Decision Outputs

Output	Description
Final Risk Score	0–100 numeric score produced by the Risk Score rule class
Decision	`Close` / `RFI` / `SAR` produced by the Decision rule class
Hard-Override Reason	Reason code, if a hard override forced escalation
RFI Pack	Structured questions and gaps; consumed by case-management or analyst workflow
SAR Pack	Structured findings, subject, jurisdiction template, versioned revisions
Chain Trace	Full DAG of the run, persisted to the analysis record
Workflow Trace	BPMN workflow instance trace persisted alongside the chain trace
Narrative	LLM-rendered narrative summary, grounded in the chain trace and persisted evidence; LLM call routed through the LLM Router with provenance

Dialog Playbook

The Transaction Monitoring playbook (see Dialog › Playbook-Based Communication) governs the analyst conversation surface.

Tool Catalog (illustrative)

Tool	Description
`get_alerts`	Filtered list of alerts (status, risk band, demographics)
`get_cases`	Multi-filter case list with assignee picker and saved filters
`get_case`	Full case record including alerts, evidence, notes, decision, event log
`get_dashboard`	Aggregate stats: alert counts, rule match rates, 30-day trend
`get_chain_rules`	Full registered rule list with enabled status and weights
`get_rule_deep_dive`	Rule metadata, dependencies, scoring weight, audit history
`get_risk_thresholds`	Threshold ranges and decision bands
`explain_decision`	Walk the chain trace and surface matched rules + hard overrides
`get_narrative`	Graph-to-narrative rendering for an alert / case
`get_recommendations`	Decision-support recommendations
`get_outreach_gaps`	Evidence gaps from skipped rules / low-confidence findings / missing KYC
`get_sar_pack`	Render the SAR pack with sections sidebar
`get_workflow`	Active BPMN workflow + version for the tenant
`get_stp_metrics`	Auto-close metrics, exclusion-config impact, agreement rates
`get_policy_versions`	Policy version history with activate / rollback events
`run_policy_test`	Run the active policy against a ground-truth dataset; return regression diff
`get_error_queue`	List ingestion / pipeline / chain errors awaiting review
`get_drill_down`	Unified drill endpoint for any KPI tile
`get_customer_profile`	Render customer profile + behavioural intelligence card
`get_anomaly_metrics`	Render anomaly metrics (baseline deviation, velocity, counterparty, pattern, tag-distribution)
`get_evidence_pack`	Render the assembled evidence pack for the case
`get_history`	Customer history of prior alerts, RFIs, filed SARs
`get_linked_accounts`	Subject’s linked accounts and shared-counterparty heuristics
`get_flow_of_funds`	Directional flow-of-funds graph across linked accounts and counterparties
`get_counterparties`	Per-counterparty rollup with classification, value, frequency
`get_typologies`	Identified typologies and contributing rules
`get_event_log`	Case event log entries with actor, timestamp, payload pointer
`get_notes`	Case notes with version history
`add_note`	Append an analyst note (subject to authorisation)
`set_decision`	Set or update the structured decision record (subject to authorisation and HITL gate)
`quick_action`	Trigger a quick action (assign, escalate, request RFI, draft SAR, mark hit reviewed, close) under tool authorization

Tools are subject to Tool Authorization; analysts only see tools their role permits.

Persona and Guardrails

Setting	Default
Persona	Concise, evidence-first; tables and lists preferred; never fabricates rule outcomes
Refuse-List	No legal advice; no SAR filing decisions; no PII leakage outside the analyst’s tenant scope
Escalation	Any user request to mutate configuration is redirected to Rule Engine, BPMN, or Policy governance as appropriate
Memory	Turn + session memory retained; cross-session memory off by default

System Self-Awareness

Within Transaction Monitoring, Self-Awareness (see Dialog › System Self-Awareness) gives analysts these specific capabilities:

Question	Tool / Source
“What rules ran on this alert?”	Chain trace + `get_chain_rules`
“Why was this alert escalated?”	`explain_decision` walks the chain trace, surfaces matched rules, hard overrides
“How does the rapid-movement rule work?”	`get_rule_deep_dive`
“What does a score of 75 mean here?”	`get_risk_thresholds`
“Show me the case narrative”	`get_narrative` — graph-to-narrative service
“What does the policy recommend?”	`get_recommendations`
“What outreach questions should I send for this alert?”	`get_outreach_gaps`
“Which BPMN workflow is active for this tenant?”	`get_workflow`
“Why was this case auto-closed?”	`get_stp_metrics` + chain trace + exclusion config
“Has the active policy changed recently?”	`get_policy_versions`
“How would the new policy version perform on historical data?”	`run_policy_test`
“Are there any ingestion errors blocking this case?”	`get_error_queue`
“Show me the customer profile and expected behaviour”	`get_customer_profile`
“How anomalous is this alert vs. baseline?”	`get_anomaly_metrics`
“Show me the full evidence pack for this case”	`get_evidence_pack`
“Has this customer been alerted before?”	`get_history`
“Which other accounts are linked to this subject?”	`get_linked_accounts`
“Show me the flow of funds across linked accounts”	`get_flow_of_funds`
“Which counterparties drove this alert?”	`get_counterparties`
“Which typologies were identified?”	`get_typologies`
“Show me the case event log”	`get_event_log`
“Is the graph database available?”	Service Health introspection tool
“What can I ask you to do?”	Capability Discovery — lists intents the analyst is authorised for

Self-Awareness is read-only; configuration changes go through Rule Engine, BPMN, and Policy governance.

User Roles

Role	Responsibilities	Access Level
Analyst	Day-to-day alert triage, case work, RFI / outreach handling, SAR drafting	Case work, read / write on assigned cases
Senior Analyst	Case approval, hard-override review, SAR approval	Full case access, approval authority
Operations Manager	Escalation approval, oversight, reporting, policy administration	Full system access, configuration
Compliance Officer	Policy versioning, BPMN authoring, watchlist selection	Policy + BPMN + watchlist administration
Auditor	Internal / external audit, compliance review	Read-only access to all cases and audit logs

RBAC Capability Matrix	Case Work	Approve	Override	Configure	Audit
Analyst	✓	✗	✗	✗	✗
Senior Analyst	✓	✓	✓	✗	✗
Operations Manager	✓	✓	✓	✓	✗
Compliance Officer	Read	✗	✗	✓	✗
Auditor	Read-only	✗	✗	✗	✓

Authentication: MFA required; password policy minimum 12 characters; idle timeout 15 minutes; absolute session timeout 8 hours; SAML 2.0 SSO supported.

Operational Modes

The utility supports the platform’s operational modes (see Studio › Operational Modes), with the addition of straight-through processing for clear cases. SAR / escalation cases retain a hard guard regardless of mode.

Mode	Behavior
1 — AI-Assisted Manual	All decisions reviewed by an analyst; chain produces a suggested decision and evidence
2 — Routine Automation	Close decisions automated via straight-through processing; RFI and SAR require analyst review
3 — Autonomous with Escalation	Close + RFI automated; SAR and hard-override cases escalate to analysts
4 — Fully Automated with Audit	All decisions automated; analysts audit a sampled subset

Straight-through behaviour (auto-close eligibility, exclusion configuration) is tenant-scoped and surfaced in the dashboard. The deployment-time configuration declares which modes are permitted for the utility. Mode transitions are change-controlled.

Security Controls

Control	Implementation
Tenant Isolation	Subjects, alerts, cases, chain traces, workflow instances, OSINT snapshots, screening results, dialog sessions are tenant-scoped; cross-tenant access is impossible
Schema Bounding	Rule inputs / outputs, graph queries, and workflow tasks are bound by the registered schema; out-of-schema references rejected at validation
Rule Governance	All rule changes go through the Rule Engine governance workflow (see Graph Operations)
Policy Versioning	Every governable artefact (rule chain, BPMN, freetext rules, scoring, thresholds) is versioned; promotion is approval-gated and requires ground-truth testing
BPMN Version Governance	Active workflow per tenant is approval-gated; immutable version history
Per-Rule Error Isolation	A failure in one rule never cascades; chain continues with `EVAL_ERROR:*` reason codes
Hard-Override Authorisation	Hard-override reason codes are change-controlled like rule definitions
Straight-Through Hard Guard	SAR / escalation / hard-override cases never auto-close, regardless of score
Tenant-Scoped Exclusion Config	Auto-close exclusions are tenant-scoped, approval-gated, and logged
Grounding Enforcement	Narrative and recommendations are rejected if not traceable to a persisted source
Decision Auditability	Every decision is backed by a persistent chain trace and (where applicable) a workflow trace
Tool Authorization	Dialog tools follow the 04-Studio Tool Authorization model
Operational Mode Gating	Out-of-mode invocations rejected at chain submission
Identity Authority	All identity, role, tenant, and feature-flag decisions sourced from the Knowledge Fabric
Inter-Service Authentication	mTLS between services; service mesh with zero-trust networking
Credential Vault	All integration credentials in encrypted vault (AES-256-GCM); 90-day rotation
Encryption	Data at rest: AES-256-GCM; data in transit: TLS 1.3
Field-Level Encryption	PII and financial fields encrypted at the application layer with separate keys
Model Provenance	Any LLM-driven step (narration, recommendations, graph-query generation) logs model identifier, prompt hash, and version (see AI & LLM)
Network Segmentation	Edge / Application / Data / Management zones (see Architecture)

Audit Logging

Event	Retention
Alert Received	5 years
Chain Started / Completed	5 years
Rule Skipped	1 year
Rule Errored	1 year
Hard Override Triggered	5 years
Decision Issued	5 years
Workflow Instance Started / Completed	5 years
Workflow Step Recorded	5 years
OSINT Snapshot Captured	5 years
OSINT Adjudication	5 years
Screening Hit / Reviewed	5 years
Recommendation Issued	1 year
HITL Step Completed	5 years
Grounding Validation Failure	1 year
RFI Issued	5 years
Outreach Question Created	3 years
SAR Drafted / Approved / Rejected	5 years
SAR Revision	5 years
SAR Filed	5 years
Auto-Close Issued	5 years
Policy Created / Activated / Rolled Back	5 years
Ground-Truth Test Run	5 years
Error Queue Action	1 year
Configuration Change	5 years
Dialog Turn	1 year
Authentication / Authorisation	1 year
User Lifecycle Event	1 year
Case Note Added / Edited	5 years
Decision Record Set	5 years
Case Event Logged	5 years
Notification Dispatched	1 year
Quick Action Invoked	3 years
Linked Account Confirmed / Disputed	5 years
Widget Rendered (per case)	1 year

Logs are stored in immutable tamper-evident storage with PII redaction. Retention defaults are configurable per regulator requirement.

Data Subject Rights

Right	Process	Response Time
Access	Automated data export from the Knowledge Fabric and case store	30 days
Rectification	Data update workflow with audit trail	30 days
Erasure	Deletion with verification (subject to regulatory retention requirements)	30 days
Portability	Standard format export	30 days
Objection	Processing review workflow	30 days

Recovery Objectives

Component	RPO	RTO
Knowledge Graph	1 hour	4 hours
Case Store	1 hour	4 hours
API Services	N/A (stateless)	15 minutes
Credential Vault	1 hour	2 hours
Audit Logs	15 minutes	4 hours

DR testing schedule: monthly backup-restore tests; quarterly failover tests; annual full DR exercise; semi-annual tabletop exercise.

Regulatory Mapping

Regulator / Regulation	Supported Capability
FCA (UK)	Transaction monitoring, Suspicious Activity Reports (SARs), audit and recordkeeping
MLR 2017 / 2022 (UK)	Customer due diligence, ongoing monitoring, source-of-funds checks
FATF Recommendations	Risk-based approach, suspicious-transaction reporting
FinCEN (US)	SAR filing template + audit aggregator
NCA (UK)	SAR filing template + audit aggregator
6AMLD (EU)	AML / CFT compliance; risk assessment and tiered customer due diligence
GDPR / UK GDPR	Data subject rights honoured; data minimisation in chain inputs (see Compliance Capabilities)
SOC 2	Audit trail, change control, access control on rule, BPMN, and policy changes

Cross-References

Overview — Utilities overview
Car Finance — Reference utility implementation (security framing reused)
Compliance — Compliance utility (graph-based conflict detection, screening, BPM)
Knowledge Fabric — Knowledge Graph, Entity Resolution, OSINT integration, MCP connectors, identity authority
Studio — Tools, Widgets, Tool Authorization, Operational Modes
Dialog — Playbooks, Context-Awareness, System Self-Awareness, Widget Rendering
AI & LLM — LLM Router, Model Provenance
Graph Operations — DAG Rules, Rule Engine, Graph Workflows
Schema Management — Schema Registry
Graph RAG — Text-to-Cypher Rules
Compliance Capabilities — Regulatory framework