Conducting Effective AML Investigations: Key Steps and Practices

Introduction

According to UNODC, between $800 billion and $2 trillion — roughly 2% to 5% of global GDP — is laundered annually. What makes that figure more striking is the follow-on statistic: less than 1% of those illicit financial flows are ever seized or frozen.

That gap exists, in part, because AML investigations are inconsistently executed. The policy-level obligations are broadly understood. What breaks down is the actual process — from alert to resolution — particularly inside fast-growing fintechs, crypto firms, and money transmitters operating across the US, UK, Canada, and EU simultaneously.

What follows is a practical breakdown of that process — covering how alerts get triaged, where investigations stall, what separates a defensible SAR filing from a liability, and the common failure points that examiners and regulators keep finding in firms that look compliant on paper.


TL;DR

  • An AML investigation is a formal, multi-phase process for examining flagged activity and determining whether regulatory reporting is required.
  • Core sequence: alert → triage → case creation → CDD/EDD → transaction analysis → source of funds → SAR decision → recordkeeping → ongoing monitoring.
  • Investigations are triggered by transaction thresholds, behavioral red flags, high-risk jurisdiction links, and internal or external referrals.
  • Quality hinges on data integrity, risk-based prioritization, qualified compliance leadership, and documentation discipline.
  • Common failures include under-documenting closed cases, treating all alerts equally, and shallow work that misses cross-case patterns.

What Is an AML Investigation?

An AML investigation is a formal, multi-phase process by which a financial institution reviews flagged activity to determine whether it constitutes money laundering, terrorist financing, or related financial crime — and whether regulatory reporting is required.

The output is a documented, evidence-based decision to do one of three things:

  • Close the case with recorded rationale
  • Escalate internally for further review or account action
  • File a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) with the relevant Financial Intelligence Unit (FIU)

Understanding where investigation fits in the broader AML program matters. Transaction monitoring generates the alerts. The investigation is the analytical and decision-making process that follows — gathering evidence, contextualizing behavior, and reaching a defensible conclusion. The two are connected but distinct, and conflating them is a common source of program weakness.


Why AML Investigations Are Critical for Financial Institutions

The Regulatory Obligation

Investigation isn't optional. The Bank Secrecy Act in the US, the UK Money Laundering Regulations 2017, Canada's PCMLTFA, and the EU's 2024 AML package (Regulation (EU) 2024/1624 and Directive (EU) 2024/1640) all require financial institutions to investigate suspicious activity and report it — not just screen for it.

Enforcement consequences are real and escalating:

Year | Institution | Regulator | Penalty
2024 | TD Bank | FinCEN | $1.3B USD — largest BSA penalty against a depository institution in FinCEN history
2024 | TD Bank | FINTRAC | CAD $9.185M — for failures including missed STR submissions
2025 | Monzo Bank | FCA | £21.09M — for inadequate financial crime controls from 2018–2020

[Figure: AML enforcement penalty comparison table, 2024-2025 (TD Bank, Monzo, FinCEN, FCA)]

Personal liability is also on the table. In 2014, FinCEN assessed a $1M civil penalty against the former MoneyGram Chief Compliance Officer for failure to ensure BSA compliance and failure to file SARs. Rabobank executives faced criminal referrals after the bank pleaded guilty in 2018 for concealing AML deficiencies from regulators.

The Operational Stakes for Fintechs and Crypto Firms

For fintechs, crypto firms, and money transmitters, the stakes are higher still. Sponsor banks assess AML program maturity as a condition of partnership, and regulators apply elevated scrutiny to high-risk business models.

A weak investigation function doesn't just create regulatory exposure — it can end a banking relationship entirely.


What Triggers an AML Investigation?

AML investigations don't start on instinct. Triggers must be codified in a firm's AML Compliance Program: a documented, risk-based threshold must exist before an alert generates a case.

Rule-Based and Threshold Triggers

Reporting thresholds vary significantly by jurisdiction and entity type:

  • US banks: SARs triggered at transactions aggregating $5,000 or more where suspicious criteria are met
  • US MSBs: SAR threshold drops to $2,000; Currency Transaction Reports (CTRs) apply above $10,000
  • Canada: LCTRs triggered at CAD $10,000 or more; STRs have no monetary threshold and are required whenever reasonable grounds exist to suspect ML/TF
  • UK: Suspicion-based; HMRC guidance states suspicion must be "more than fanciful" and not merely a vague unease

Structuring — breaking transactions into smaller amounts to avoid reporting thresholds — is a federal crime under FinCEN rules and itself triggers a mandatory investigation.

Behavioral and Profile-Based Triggers

  • Transactions inconsistent with the customer's stated business purpose or risk profile
  • Refusal to provide KYC documentation
  • Sudden, unexplained changes in transaction volume
  • Rapid fund movements: funds received and immediately withdrawn
  • Activity involving high-risk countries or sanctioned entities

Internal and External Referrals

  • Law enforcement requests or legal process
  • Adverse media alerts and PEP screening matches
  • Suspicious activity identified during Enhanced Due Diligence (EDD) reviews
  • Internal whistleblower referrals

How an AML Investigation Works: Step-by-Step

While workflows vary by institution size and jurisdiction, the core sequence is consistent across regulatory frameworks. Every step must be documented to satisfy audit requirements.

Step 1: Alert Generation and Triage

Automated transaction monitoring systems generate alerts based on pre-set rules or behavioral models. Triage involves a first-level review: is this a likely false positive, or does it warrant further investigation? An auditable decision must be recorded regardless of the outcome. Dismissing an alert without documentation is as problematic as missing a genuine SAR case.

Step 2: Case Creation and Assignment

Valid alerts escalate into a formal case within a case management system and are assigned to an investigator. Case prioritization (based on risk severity, customer risk rating, and urgency) is a step many institutions handle inconsistently. Routing a low-risk alert through the same workflow as a high-risk one delays action on the cases that matter most.

Step 3: Customer Due Diligence and Enhanced Due Diligence

Investigators pull existing CDD records and assess whether additional verification is needed. For high-risk cases — those involving PEPs, high-risk jurisdictions, or complex ownership structures — EDD is required. EDD typically involves:

  • Source of wealth verification
  • Adverse media screening
  • Additional identity documentation
  • Ownership structure mapping for corporate entities

Step 4: Transaction Analysis

This step involves a detailed review of the account's transaction history to identify patterns, anomalies, and behavior inconsistent with the customer's profile. Investigators look for:

  • Structuring patterns across multiple transactions
  • Layering activity and rapid fund movements
  • Unusual counterparties or geographic exposure
  • Links to high-risk entities not captured in initial KYC

Step 5: Source of Funds and Source of Wealth Review

Tracing where the money came from, and whether it has a documented legitimate origin, is especially critical for large transfers, cross-border transactions, and customers in high-risk business sectors.

Two concepts apply here and should be evaluated separately for high-risk cases:

  • Source of funds: where the money in this specific transaction came from
  • Source of wealth: how the customer accumulated their overall assets

Step 6: SAR Filing Decision and Regulatory Reporting

If reasonable grounds exist to suspect financial crime, a report must be filed with the relevant FIU. Filing timelines differ by jurisdiction:

  • US: SARs due within 30 calendar days of initial detection; extendable to 60 days if no suspect is identified
  • Canada: STRs due as soon as practicable after establishing reasonable grounds to suspect — there is no fixed 30-day deadline under current FINTRAC guidance
  • UK: Reporting tied to forming suspicion; HMRC must inform the NCA as soon as practicable

Critical: The tipping-off prohibition applies in all major jurisdictions. Investigators must not alert the subject of the investigation. In the UK, POCA 2002 Section 333A makes this a criminal offence.

SAR filing decisions typically require sign-off from a BSA Officer, MLRO, or CAMLO: the named compliance officer who holds regulatory accountability for that decision.

Step 7: Record Keeping and Ongoing Monitoring

All steps, findings, decisions, and rationale must be documented and retained. Retention minimums are consistent across major jurisdictions:

  • US: BSA records generally kept for 5 years (FFIEC guidance)
  • UK: MLR 2017 Regulation 40 requires 5 years from transaction completion or end of business relationship
  • Canada: FINTRAC requires at least 5 years for STR copies, LCTR copies, and account records

After case closure, the customer remains under ongoing monitoring. The case record feeds into future alert assessments. A closed investigation that surfaced elevated risk should trigger heightened scrutiny going forward, not a reset to default monitoring parameters.


[Figure: 7-step AML investigation process flow, from alert triage to ongoing monitoring]

Key Factors That Affect AML Investigation Quality

Data Quality and Availability

Investigations are only as strong as the data feeding them. Poor KYC records, fragmented transaction histories, or disconnected monitoring and case management systems impair investigator judgment at every step. Before proceeding to deeper analysis, investigators should validate that the data they're working with is complete — missing or stale CDD records should be flagged and resolved, not worked around.

Qualified Compliance Leadership and Escalation Paths

Effective investigations require clearly defined escalation hierarchies: who reviews, who decides, who signs off on SARs, and who manages law enforcement requests. The BSA Officer, MLRO, or CAMLO plays a critical gatekeeping role — and personal accountability for filing failures, as the enforcement history shows, is real.

For growing fintechs and crypto firms without a full-time compliance executive, this oversight doesn't have to mean a permanent hire. Fraxtional's fractional BSA Officer and MLRO model places a named, director-level compliance leader — with full SAR sign-off authority — into that role without a full-time hire. Clients list the Fraxtional director as their named BSA Officer or MLRO with regulators and sponsor banks, and that director takes direct ownership of SAR/STR workflows, case governance, and regulatory reporting.

Risk-Based Prioritization

Not every alert warrants the same investigator time. Programs that use risk scoring — weighting cases by customer risk rating, transaction size, and red flag severity — deploy resources where they matter most. Flat treatment of all alerts is one of the fastest ways to miss high-risk activity.
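The risk-weighted ordering described here and in Step 2, sketched as an added example (not code from the original article or any vendor product). The weights, rating scale, amount cap, and all names are assumptions made for illustration; the US filing timeline is the one stated in Step 6.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weights and scales for this example; a real program derives them from its risk assessment.
WEIGHTS = {"customer": 0.4, "amount": 0.3, "red_flag": 0.3}
CUSTOMER_RATING = {"low": 0.2, "medium": 0.5, "high": 1.0}
AMOUNT_CAP = 50_000  # amounts at or above this count as maximum size exposure

@dataclass
class Alert:
    alert_id: str
    detected: date
    customer_rating: str        # low / medium / high
    amount: float
    red_flag_severity: int      # 1 (weak) to 5 (strong)
    jurisdiction: str = "US"
    suspect_identified: bool = True

def risk_score(a):
    """Weighted score in [0, 1] from customer rating, transaction size, and red flag severity."""
    size = min(a.amount, AMOUNT_CAP) / AMOUNT_CAP
    flag = a.red_flag_severity / 5
    return round(WEIGHTS["customer"] * CUSTOMER_RATING[a.customer_rating]
                 + WEIGHTS["amount"] * size + WEIGHTS["red_flag"] * flag, 3)

def sar_due(a):
    """US timeline from Step 6: 30 calendar days from detection, 60 if no suspect is identified."""
    if a.jurisdiction != "US":
        return None  # Canada/UK: "as soon as practicable", so there is no fixed date to compute
    return a.detected + timedelta(days=30 if a.suspect_identified else 60)

def work_queue(alerts):
    """Highest score first; ties broken by earlier filing deadline, then by detection date."""
    return sorted(alerts, key=lambda a: (-risk_score(a), sar_due(a) or date.max, a.detected))

# Constructed alerts, listed in arrival (flat FIFO) order.
ALERTS = [
    Alert("AL-101", date(2024, 5, 1), "low", 2_500, 1),
    Alert("AL-102", date(2024, 5, 2), "medium", 9_800, 3),
    Alert("AL-103", date(2024, 5, 3), "high", 48_000, 5),
    Alert("AL-104", date(2024, 5, 3), "high", 4_000, 4, suspect_identified=False),
]

if __name__ == "__main__":
    for a in work_queue(ALERTS):
        print(a.alert_id, risk_score(a), sar_due(a))
```

Under flat FIFO handling the two high-risk alerts would be worked last; the weighted queue moves them to the front while still recording a deadline for every US case.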

Jurisdiction-Specific Regulatory Alignment

A US-based fintech with UK and Canadian operations must simultaneously satisfy BSA/FinCEN, FCA/NCA, and FINTRAC requirements — each with different SAR/STR thresholds, filing timelines, record retention rules, and EDD standards. Investigation workflows must reflect those specific requirements, not a generic framework applied uniformly across markets.

[Figure: AML regulatory requirements comparison across US, UK, Canada, and EU jurisdictions]

Documentation Discipline

Regulators assess not just whether the right outcome was reached, but whether the decision-making process was sound and recorded. Investigation notes, evidence gathered, escalation logs, and SAR filing rationale must be maintained in a form that supports both routine audits and regulatory examinations.


Common AML Investigation Mistakes and How to Avoid Them

Three patterns show up repeatedly in AML programs that underperform — and each one is avoidable.

Over-relying on alerts without investigator judgment. Automated alerts are inputs, not conclusions. Consider structuring activity that stays below individual alert thresholds but shows a clear pattern across weeks of transactions: no single transaction triggers an alert, but an investigator reviewing the account holistically would identify it. Programs that treat monitoring as a binary output (SAR or dismiss) will miss these cases.
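The gap described above, and the "structuring patterns across multiple transactions" check from Step 4, shown as an added example (not code from the original article): a per-transaction threshold rule next to a rolling-window aggregation over the same ledger. The 14-day window, the three-deposit minimum, and the ledger itself are assumptions constructed for illustration; the $10,000 line is the US CTR figure cited earlier on this page.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000        # per-transaction reporting line cited on this page (US CTR)
WINDOW = timedelta(days=14)   # assumption: look-back window chosen for this example
MIN_DEPOSITS = 3              # assumption: fewest sub-threshold deposits treated as a pattern

# Constructed sample ledger: (account, date, cash deposit in USD)
LEDGER = [
    ("ACC-A", date(2024, 3, 1), 9_500), ("ACC-A", date(2024, 3, 4), 9_200),
    ("ACC-A", date(2024, 3, 9), 9_800), ("ACC-A", date(2024, 3, 13), 9_400),
    ("ACC-B", date(2024, 3, 2), 12_000),   # over the line: the per-transaction rule sees it
    ("ACC-C", date(2024, 3, 1), 1_200), ("ACC-C", date(2024, 3, 8), 1_150),
    ("ACC-C", date(2024, 3, 15), 1_250),   # small and regular: never aggregates past the line
]

def per_transaction_alerts(ledger, threshold=CTR_THRESHOLD):
    """Accounts a single-transaction threshold rule would alert on."""
    return sorted({acct for acct, _, amt in ledger if amt > threshold})

def structuring_candidates(ledger, threshold=CTR_THRESHOLD, window=WINDOW,
                           min_deposits=MIN_DEPOSITS):
    """Accounts whose sub-threshold deposits sum past the threshold inside a rolling window."""
    by_account = defaultdict(list)
    for acct, day, amt in ledger:
        if amt <= threshold:                  # keep only what the per-transaction rule misses
            by_account[acct].append((day, amt))
    findings = []
    for acct, deposits in sorted(by_account.items()):
        deposits.sort()
        start, total, best = 0, 0, None
        for end, (day, amt) in enumerate(deposits):
            total += amt
            while day - deposits[start][0] > window:   # drop deposits older than the window
                total -= deposits[start][1]
                start += 1
            count = end - start + 1
            if (count >= min_deposits and total > threshold
                    and (best is None or total > best["total"])):
                best = {"account": acct, "from": deposits[start][0], "to": day,
                        "deposits": count, "total": total}
        if best:
            findings.append(best)
    return findings

if __name__ == "__main__":
    print("per-transaction rule:", per_transaction_alerts(LEDGER))
    print("rolling-window review:", structuring_candidates(LEDGER))
```

A finding here is a lead for an investigator to review against the customer's profile, not a conclusion; legitimate cash-intensive businesses can produce the same shape.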

Under-documenting closed cases. Regulators are as interested in why a case was closed without a SAR as in why one was filed. Institutions frequently under-document dismissal rationale, creating audit exposure. A "close without escalation" decision deserves the same documentary rigor as a SAR filing. That means capturing:

  • What was reviewed
  • What was found
  • Why it didn't meet the reporting threshold

Confusing volume with quality. Case volume alone doesn't signal a strong AML program. Shallow investigations that miss patterns across cases, or fail to connect related alerts to the same underlying network, are a genuine weakness. The Wolfsberg Group's 2024 statement on effective monitoring noted that constantly increasing SAR/STR volumes don't contribute proportionately to effective outcomes — quality and cross-case intelligence are better measures than throughput alone.


Frequently Asked Questions

What is an AML investigation?

An AML investigation is the formal process financial institutions use to examine flagged activity, gather evidence, and determine whether money laundering or financial crime has occurred. It concludes with a documented decision to close the case, escalate internally, or file a report with the relevant regulatory authority.

What is an AML investigator?

An AML investigator is a compliance professional responsible for reviewing suspicious alerts, conducting customer and transaction analysis, and making documented decisions about escalation or SAR filing. They work under a named BSA Officer, MLRO, or CAMLO who holds sign-off authority on regulatory filings.

What triggers a money laundering investigation?

The most common triggers include:

  • Automated monitoring alerts based on transaction thresholds
  • Behavioral red flags inconsistent with a customer's profile
  • Links to high-risk jurisdictions or sanctioned entities
  • Internal or external referrals — including law enforcement requests, adverse media matches, or EDD findings

How long does an AML investigation take?

Straightforward cases may close in days. Multi-jurisdictional or high-risk cases can take weeks or longer. Institutions should set internal SLA targets to ensure timely SAR filing — US rules impose a 30-day deadline, while Canada and the UK require reporting as soon as practicable.

What happens after an AML investigation is completed?

The institution closes the case with documented rationale, files a SAR or STR with the relevant FIU, or takes account-level action such as enhanced monitoring or account closure. In each case, the customer remains subject to ongoing monitoring and the case record informs future alert assessments.