Case Management: What It Is, What Regulators Expect, and What Gets You Cited

What is Case Management?

Case Management is the compliance workflow control that covers the full lifecycle of an AML alert: from initial creation and triage, through investigation and documentation, to a final disposition decision. That decision is either a SAR (Suspicious Activity Report) filing, an escalation to the MLRO or senior compliance officer, or a closure with a documented rationale.

It sits between detection and reporting. Transaction monitoring systems, customer due diligence reviews, and screening hits all generate alerts. Case Management is where analysts receive those alerts, conduct the investigation, and produce the record that proves the institution acted on what it found.

Without it, every other control in the AML program is undermined. Excellent transaction monitoring, rigorous KYC, and real-time screening all lose their value if the alerts they generate disappear into a queue with no documented investigation trail. Regulators will view the whole program as defective.

Banks typically run case management through dedicated platforms. Actimize, Oracle FCCM, Quantexa, and FIS MANTAS are common choices, but the platform is secondary. What matters is the workflow: who receives the alert, what actions they're required to take, what evidence gets attached, and how escalation decisions are documented.

The control applies to both individual and batch alert workflows. High-volume automated triage handles lower-risk alerts. Deeper manual investigation is reserved for complex cases. In large institutions, case management can touch 50,000 to 200,000 alerts per month.

Why is Case Management required?

FATF Recommendation 20 requires financial institutions to file suspicious transaction reports when they suspect money laundering or terrorist financing. That obligation is impossible to meet without a structured workflow that tracks what was reviewed, when, and by whom.

In the US, the Bank Secrecy Act (31 U.S.C. § 5318(g)) mandates SAR filing within 30 calendar days of detecting suspicious activity. A 60-day extension is available when the subject hasn't been identified. In the UK, the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 require a Suspicious Activity Report to the National Crime Agency before any action that could constitute tipping off.

FATF Recommendation 11 requires institutions to maintain records of all transactions and customer identification data for at least five years. Case management records are how institutions prove they met that obligation. Without documented case files, there's no evidence that alerts were investigated rather than suppressed.

The EU's 6th Anti-Money Laundering Directive and Regulation 2024/1624 (part of the 2024 EU AML Package) both require documented investigation procedures and internal controls that produce auditable records. FinCEN's 2010 guidance on SAR reporting (FIN-2010-A005) and the OCC's BSA/AML Examination Procedures both identify case management as a fundamental component of a sound AML program.

FATF Recommendation 10 on Customer Due Diligence adds another dimension. When case investigations reveal gaps in a customer's risk profile, institutions must have a mechanism to feed those findings back into the CDD process. Case management is that mechanism.

What do regulators expect to see?

On exam day, regulators look for documented procedures first. They want a written case management policy that defines the alert triage process, escalation thresholds, SAR decision-making authority, and timelines for each case type.

Then they test the records. Examiners will pull a sample of cases across risk tiers and check for:

• A clear audit trail showing every action taken on the case, timestamped and attributed to a named user
• Supporting evidence attached: transaction data, account history, adverse media results, and prior case history for the same customer
• A written rationale for the disposition decision (file SAR, escalate, or close with documented reasoning)
• For SAR filings: proof that the form was submitted within the statutory deadline (30 days in the US, 7 days for consent SARs in the UK)
• Evidence that senior compliance officers or the MLRO reviewed cases above defined risk thresholds
• Exit documentation when a case is closed without a SAR: what was reviewed, why it wasn't suspicious, and who approved the closure

They also look at management information. A well-run program produces regular MI reports showing alert volumes, average case age, SAR filing rates by business line, and backlog trends. If those reports don't exist, or if they show deteriorating backlogs without a documented response plan, examiners will view that as a governance failure.

Quality assurance matters too. Regulators expect periodic second-line reviews of case samples, with documented findings and corrective actions. The FCA's Financial Crime Guide specifically calls out QA programs that test the quality of investigation decisions, not just whether cases were closed.

Training records round out the evidence set. Analysts who investigate cases must be trained, and that training must be documented and refreshed at least annually.

What does good Case Management look like?

Good case management is fast, documented, and connected to the rest of the AML program. Speed matters because SAR filing deadlines are statutory, and backlogs create regulatory exposure at scale.

The Wolfsberg Group's 2019 Guidance on SAR Filing recommends that institutions set and track internal SLAs for each case tier. A high-risk alert should be opened, assigned, and triaged within 24 hours. A complex multi-jurisdictional case may take 30 days or more, but documented checkpoints throughout are expected at every stage.

On documentation, the standard is simple: anyone with access to the case file should be able to reconstruct what happened without asking the analyst. Every action is timestamped. Every source is attached. Every decision references specific facts rather than generic conclusions.

A well-designed workflow runs like this:

1. Alert is generated by a transaction monitoring or screening system
2. Automatic triage assigns a risk score and routes the alert to the appropriate analyst queue
3. Analyst reviews the alert and pulls supporting data: account history, prior cases, KYC profile
4. Level-1 decision: escalate to a full case, or dismiss with documented rationale
5. For open cases: investigation, evidence collection, and customer risk-profile review
6. Level-2 decision by a senior compliance officer or MLRO: file SAR or close the case
7. For SAR filings: form completed, submitted, and confirmation retained in the case file
8. Post-SAR monitoring flag set on the customer for heightened surveillance

The Basel Committee's 2017 guidelines on AML risk management recommend that institutions build feedback loops between case management and their customer risk profiling systems. When a case reveals new risk indicators, the customer's risk rating should be updated. That loop is absent at most institutions.

Wolfsberg also recommends regular cross-functional case reviews where compliance, legal, and business line representatives review a sample of complex cases together. This catches interpretation drift before it becomes a regulatory finding.

Common audit findings and exam citations

Case management failures tend to fall into five categories, and regulators have been consistent about this for more than a decade.

SAR backlogs. The most common finding is a queue of alerts that have been sitting uninvestigated for months. When the US Senate Permanent Subcommittee on Investigations reviewed HSBC in 2012, the bank had cleared a backlog of approximately 17,000 unreviewed alerts in a single week, right before the hearing. The HSBC 2012 enforcement action resulted in a $1.9 billion settlement, with deficient case management identified as a central failure.

Missing documentation. Examiners regularly find cases closed with no rationale, or SAR decisions that record "investigation completed" without specifying what was reviewed. That's not a documentation format problem. It's evidence that the investigation didn't happen.

Broken escalation paths. Cases flagged for MLRO review should have a documented trail showing when the referral was made, what the MLRO decided, and when that decision was communicated back. In the Danske Bank 2018 case, the Estonian branch processed approximately €200 billion in non-resident payments over nearly a decade. Internal escalations about suspicious activity were not acted on by group-level compliance. Case management governance was identified as a core failure in the subsequent regulatory proceedings.

Disconnected systems. Case files that don't reference KYC data, prior SAR history, or related-party accounts leave analysts investigating in isolation without the full customer picture.

SLA breaches on SAR filing. FinCEN has cited multiple US institutions for systematic late SAR filings where backlogs pushed submissions beyond the 30-day statutory window. The OCC's BSA/AML Handbook explicitly lists SLA monitoring as a required element of a sound case management program.

Metrics and KPIs

Measuring case management health requires a mix of volume, quality, and timeliness metrics. Here are the ones that matter.

Volume and throughput:

• Alerts generated per month, by business line and detection rule
• Alert-to-case conversion rate: what percentage of alerts are escalated to full investigation
• Cases closed per analyst per day (a typical benchmark for standard-complexity cases is 8 to 15)

Timeliness:

• Average days to alert disposition
• Average days to case closure
• SAR filing timeliness rate: percentage of SARs filed within the statutory window (target: 100%)
• Backlog by age tier: 0-15 days, 16-30 days, 31-60 days, over 60 days open

Quality:

• False positive rate: cases escalated to full investigation that close without a SAR (industry averages run 90-95% for most transaction monitoring programs; rates above 97% often indicate poorly tuned detection rules)
• SAR quality score based on QA sampling of narrative completeness, accuracy, and readability
• QA reviewer override rate: how often second-line reviewers overturn an analyst's disposition

Governance:

• Percentage of cases reviewed by the MLRO or second line within SLA
• Training completion rate for case management staff
• Time to correct QA deficiencies after they're identified

The FCA's Financial Crime Guide recommends producing MI dashboards at least monthly and presenting quarterly summaries to a senior risk committee. FinCEN's 2016 guidance on SARs reiterates that institutions should track filing trends and investigate unexplained drops in SAR volume. A drop that doesn't correspond to a genuine reduction in customer risk is often a detection failure, not a compliance success.

How Case Management connects to other controls

Case management is the integration point for the AML control stack. Alerts flow in from transaction monitoring, sanctions screening, PEP screening, and adverse media screening. Case management is where those signals are combined, investigated, and converted into a decision.

The connection to customer due diligence runs both ways. When a case reveals that a customer's actual behavior doesn't match their declared risk profile, that finding should trigger a CDD review or EDD escalation. The reverse holds too: CDD updates that surface new risk indicators (change of beneficial ownership, adverse media hits, sanctions list addition) should generate case flags in the management system.

Typology coverage is where case management earns its keep. Complex schemes like money mule networks typically span multiple accounts and time periods. A single transaction monitoring alert won't surface the full pattern. Case management systems that support related-case linking, customer history views, and network visualization catch these schemes where isolated alert review fails.

Layering is another typology that requires cross-case analysis. Layering schemes are designed to appear legitimate at the level of individual transactions. The pattern only becomes visible when an analyst can pull together the sequence: placement, movement through multiple accounts, integration into apparently legitimate assets. Without a case management system that links related activity, that analysis doesn't happen.

For sanctions screening, case management handles the post-match workflow: confirming a true positive, escalating to legal, and generating the required regulatory notification with a full evidence record.

How FluxForce supports Case Management

FluxForce's AI agents work across the full case lifecycle. Nova Sentinel generates real-time alerts with behavioral context pre-attached, so analysts open a case with the relevant evidence already assembled. Aiden Flux conducts structured investigations, links related accounts and prior case history, and produces a decision memo with a complete audit trail. Every action is timestamped and attributed to a named user. For teams managing high alert volumes, this cuts average case resolution time and produces case files that are audit-ready from the moment they're closed. Request a demo to see how this works in practice.