Investigation Handbook
AML triage and provenance walks for the Compliance / Investigation team. Currently rendered against Your Institution (spec_example).
This handbook backs the Investigation dashboard — the compliance / AML view of Your Institution. Each entry here is framed around the investigative question an analyst opens with, and walks them from a typed question to row-level evidence on the same shared base ledger that the L1 dashboard reads.
The team
Your Institution's Investigation team sits between Treasury (GL Recon) and the regulator. Their day is reactive — a SAR draft, a counterparty referral, a model alert — and each case has the same shape: pose a question about a person, a pair, or a transfer; pull the rows that answer it; preserve the chain that ties evidence back to the underlying postings.
Unlike L1 Reconciliation (a continuous matview-driven exception surface read in a fixed morning rotation) and L2 Flow Tracing (the integrator's runtime evidence map for every declared Rail / Chain / TransferTemplate), Investigation is question-shaped. Four sheets, four questions, in no particular order:
- Recipient Fanout — who is receiving money from too many distinct senders?
- Volume Anomalies — which sender → recipient pair just spiked above its rolling baseline?
- Money Trail — where did this transfer actually originate, and where does it go?
- Account Network — what does this account's money network look like, on either side?
The dashboard reads from the same spec_example_transactions base table
that L1 Reconciliation and L2 Flow Tracing read, plus two
materialized views (inv_pair_rolling_anomalies and
inv_money_trail_edges) that pre-compute the rolling-window
statistics and recursive chain walk respectively. See
Materialized views for the
refresh contract — these matviews do not auto-refresh, so a
skipped REFRESH after ETL load means the anomaly z-scores and chain
edges lag the source data.
The investigator's posture
The walkthroughs below are organized around the question an analyst holds in their head when they open the dashboard:
- Whose account looks like a collection point? → Recipient Fanout
- Did anything just spike this week? → Volume Anomalies
- Where did this specific transfer come from? → Money Trail
- Show me everything touching this account. → Account Network
The four sheets are deliberately disjoint — pick the one shaped like your question. Many cases pivot through several of them: a Recipient Fanout hit on an account becomes a Money Trail walk on its largest inbound transfer, then an Account Network sweep around the same anchor to understand the full counterparty graph. Each walkthrough flags those natural transitions at the bottom.
Dataflow — which datasets feed which sheets
The four sheets
One question per sheet — pick by the shape of your question
Who's Getting Money from Too Many Senders?
Rank recipients by their distinct sender count. Drag the threshold slider to control where "too many" starts. The fanout-cluster shape — many small inbounds → one account — is a classic structuring footprint.
Which Sender → Recipient Pair Just Spiked?
Rolling 2-day SUM per (sender, recipient) pair vs. the population mean / standard deviation, exposed as a per-row z-score. σ slider sets the cutoff; the distribution chart shows the full population so the cutoff lands in context.
Where Did This Transfer Actually Originate?
Pick a chain root from the dropdown — the Sankey renders that chain's source-to-target ribbons; the hop-by-hop table beside it lists every edge ordered by depth. Layering chains and split-deposit funnels surface here.
What Does This Account's Money Network Look Like?
Pick an anchor account — the LEFT Sankey shows counterparties sending money INTO the anchor; the RIGHT Sankey shows the anchor sending money OUT. Right-click any table row to walk the anchor to the counterparty and re-render around the new center.
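The Recipient Fanout ranking and the Volume Anomalies z-score described above, as an added Python example (not the dashboard's own SQL or matview definitions). The tuple layout, the reading of the 2-day window as the posting day plus the day before, the use of the population standard deviation, and the at-or-above cutoffs are assumptions; the sample transfers are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample transfers: (posting_date, sender, recipient, amount).
# This layout is an assumption; the real column names are in the schema doc.
TRANSFERS = [
    (date(2024, 1, 1), "dep-a", "cust-001", 100.0),
    (date(2024, 1, 5), "dep-a", "cust-001", 100.0),
    (date(2024, 1, 2), "dep-b", "cust-001", 100.0),
    (date(2024, 1, 6), "dep-b", "cust-001", 100.0),
    (date(2024, 1, 3), "dep-c", "cust-001", 100.0),
    (date(2024, 1, 7), "dep-c", "cust-001", 100.0),
    (date(2024, 1, 8), "cust-001", "ext-900", 100.0),
    (date(2024, 1, 9), "cust-001", "ext-900", 900.0),
]

def recipient_fanout(transfers, min_senders):
    """Recipients ranked by distinct sender count, kept when count >= min_senders."""
    senders = defaultdict(set)
    for _, sender, recipient, _ in transfers:
        senders[recipient].add(sender)
    ranked = sorted(((r, len(s)) for r, s in senders.items()), key=lambda x: (-x[1], x[0]))
    return [(r, n) for r, n in ranked if n >= min_senders]

def rolling_pair_zscores(transfers, window_days=2):
    """One row per posting: the pair's rolling SUM and its z-score vs. all rows."""
    by_pair = defaultdict(list)
    for day, sender, recipient, amount in transfers:
        by_pair[(sender, recipient)].append((day, amount))
    rows = []
    for pair, postings in by_pair.items():
        for day, _ in postings:
            start = day - timedelta(days=window_days - 1)
            total = sum(a for d, a in postings if start <= d <= day)
            rows.append((pair, day, total))
    totals = [t for _, _, t in rows]
    mu, sigma = mean(totals), pstdev(totals)
    # A zero-variance population has no outliers; avoid dividing by zero.
    return [(pair, day, total, 0.0 if sigma == 0 else (total - mu) / sigma)
            for pair, day, total in rows]

def flag_spikes(transfers, sigma_cutoff):
    """Rows whose z-score is at or above the cutoff (the sheet's sigma slider)."""
    return [row for row in rolling_pair_zscores(transfers) if row[3] >= sigma_cutoff]
```

Because the mean and standard deviation are taken over the whole population of rolling sums, a stale or partially loaded input shifts every row's z-score, not only the rows that are missing.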
What you'll see in the demo
The bundled spec_example fixture plants three converging scenarios on a single anchor account, cust-001, so every sheet has a non-empty answer to its question — and the sheets connect:
- Fanout cluster — 3 individual depositors each ACH 2 small amounts to cust-001. Recipient Fanout flags the anchor at the default 5-sender threshold; the table ranks it at the top with 3 distinct senders.
Account Network's anchor dropdown lands on the first account alphabetically; setting it to cust-001 shows the full picture — the inbound depositors on the left, the outbound destinations on the right, the anchor meeting in the middle.
Reference
- Account Structure — the bank, customers, accounts, and money flows behind every walkthrough on this page.
- Schema v6 — Data Feed Contract — column specs, metadata keys, and ETL examples for the upstream feeds. The Materialized views section documents spec_example_inv_pair_rolling_anomalies (Volume Anomalies) and spec_example_inv_money_trail_edges (Money Trail / Account Network) plus the REFRESH cadence contract.
- Data Integration Handbook — the team that populates the data behind every walkthrough on this page. Read it when an anomaly z-score, fanout count, or chain-walk result disagrees with what you see in the source feed.
- L1 Reconciliation Dashboard — Treasury's view of the same base tables. When a Money Trail edge needs row-level posting evidence, the L1 Transactions sheet is the next stop.