Investigating cases

Once an alert is activated, an analyst needs to determine whether it is a false positive. If not, the alert needs to be escalated to a case. You can add multiple alerts and transactions to a case for a thorough investigation. 

Cases can be created from scratch on the Cases page by clicking  the New case button. Alternatively, you can create a case from an alert by clicking on Change status and selecting Escalate to a case.

After this, you can choose to create a new case or add the alert to an existing case. If the user ID is already involved in an ongoing investigation, you will receive a notification and a link to the existing case. If desired, you can simply add the new alert to the already open case for a person who is already under investigation.

The Case details page serves as the starting point for each investigation. Here, investigators will find the most critical information connected to a case. 

This includes the affected amount of suspicious behaviour, which assists investigators in understanding the severity of the case and taking appropriate actions.

Additionally, alert triggers are listed here, serving as red flags indicating areas where further investigation is needed. 

Tip: We recommend using alert trigger names that are expressed in plain English, making it easy for investigators to understand what was flagged. This approach aids investigators in quickly determining how to proceed with the investigation at a glance.

You will also find the number of linked customers and linked transactions associated with the case here. Additionally, you will have the option to add new transactions to your case. By clicking on the 'Customer Activity' tab, you can view all transactions related to the customer, and with a simple click, you can add more transactions to the case here too.

From the Case details page, you can also upload documents connected to the case. 

Investigation checklists

You can set up an investigation checklist for cases simply by goin to the Case management section of the Settings page and navigate to the Checklist tab. You can create separate checklists for alerts and for cases. Add your items and click Save changes once you're done.

This checklist will then appear on every Alert and Case details page you or any assignees investigate. 

Once an alert is escalated to a case, you can assign the case for investigation to colleagues. During escalation, you can also set up the status of the newly created case. In the upper right corner, by clicking on "Change Status," you can modify the status.

There is a default setting for case states, which can be changed at any time on the Settings page, tailored to the needs of your organization.
 

Learn more: Learn how to file SAR reports from our dedicated article.