Not every alert is a crime. An automated system flags a transaction, an incident gets reported, or a pattern looks wrong — and someone has to work out whether it's a genuine financial crime risk or a false positive. That structured process of working it out is an investigation, and it's a core part of any AML/CTF programme. This tutorial walks you through running one in BNDRY end to end: from the moment something is flagged, through gathering evidence and escalating for review, to a final determination and a clean audit trail behind you.
What an investigation is for
An investigation is how you turn a signal into a decision. The signal might be an alert from an automated monitoring system, a transaction that looks unusual, or an incident raised by a staff member. The investigation is the structured process of gathering the facts, weighing them, and deciding the one thing that matters: is this a real risk that needs reporting, or is it noise?
Every organisation runs this differently — different triggers, different evidence, different people who sign off. BNDRY doesn't impose one process on you. It gives you the building blocks instead: a Workspace to hold the investigation, Forms you design to capture exactly what your process needs, statuses to move the work between people, and an activity trail that records what happened against the entities involved. The result is an investigation process that's yours, not a template you have to bend to fit.
Before you start
A few things to have in place:
- You can sign in to BNDRY with a role that lets you create Workspaces and complete forms. If you're not sure, check with your administrator.
- You have an investigation form template available. BNDRY can provide a standard one for your industry, or your team can design its own — see Designing form templates.
- The entity or entities the investigation concerns already exist in BNDRY. If not, the Entities explanation covers how they work.
Phase 1 — Open an investigation Workspace
The Workspace is the container that keeps the whole investigation in one place — the event, the evidence, the people, and the outcome — with a single audit trail. Starting one is the first move whenever something needs looking into.
Select Create Workspace and choose your investigation form template — the standard one for your industry, or the template your team has configured. Give the Workspace a name that identifies it at a glance; most teams include the trigger and the date, such as "Unusual transaction — June 2026".
Now link the entity the investigation concerns. You can link more than one — when several parties are involved in the same unusual behaviour, a single Workspace can hold them all, so the investigation stays whole rather than fragmenting across separate cases. Linking the entities is what makes the investigation part of their story rather than a standalone file; it's the step that lets you later see which customers have been investigated and why.
Set the Workspace status to In progress to show the work has begun.
Phase 2 — Capture the event and gather evidence
With the Workspace open, the investigation form is where the facts of the matter get recorded in a consistent, reportable shape. This is the substance of the investigation — what happened, when, and what you found.
Work through the form. A typical investigation form captures a description of the event (incident details or transaction details), a timestamp for when it occurred, and placeholders to upload the intelligence and evidence you gather as you go. Because the template was designed around your process, it asks for exactly what your team needs to make a sound decision: nothing missing, nothing irrelevant.
Designing your own investigation form is what gives you consistency. Every investigation captures the same shape of information, which makes them comparable across your team, straightforward to report on, and defensible if a regulator ever asks to see how you reached a decision.
Phase 3 — Collaborate, escalate, and go deeper
Investigations are rarely a one-person job, and BNDRY uses Workspace status to move the work between the people involved. A common pattern is that front-line staff or analysts initiate an investigation, then escalate it when it needs a decision from someone more senior.
When the investigation is ready for review — by a compliance manager, a chief risk officer, or an AML compliance officer for a final determination — set the Workspace status to Attention. That flags it as needing a decision and gives everyone a shared view of where it's up to, without anyone having to chase an email thread to find out.
It's also common for an investigation to call for enhanced due diligence on the entities involved. Rather than running that as a separate exercise, add an ECDD form into the same investigation Workspace. The Workspace concept is designed for exactly this — keeping the full lineage of what you did in one place. It also means the ECDD has its context recorded: anyone reviewing the record later can see not just that you ran enhanced due diligence, but why, and what prompted it. Conducting Enhanced Customer Due Diligence in BNDRY covers that process in full.
Phase 4 — Record the determination
The whole point of the investigation is the decision at the end, so this is the phase that everything else has been building towards. Record the outcome on the investigation: is this a genuine financial crime risk, or a false positive?
If your team concludes that a suspicious activity report is warranted — a SAR, SMR, or STR, depending on your jurisdiction — file it with your regulator, then log it against the entity as an SMR activity. This is BNDRY's built-in activity type for recording that a suspicious report has been filed, and logging it places that fact directly on the entity's record.
Recording a false-positive outcome matters as much as recording a true one. A closed investigation with a clear "no further action" determination is evidence that your monitoring is working and that alerts are being reviewed rather than ignored.
Phase 5 — Resolve and read the lineage
Set the Workspace status to Resolved. The investigation is now closed, and its record is permanent.
Open the profile of an entity the investigation was linked to and look at its activity history. You'll see the full lineage of what happened: the investigation itself, any ECDD performed inside it, and the SMR activity if a report was filed. Over time this builds into something genuinely useful — at a glance you can see which entities have had investigations against them, and which have had reports filed, all from the entity's own record.
That's the chain an auditor or regulator wants to see. Not just that you investigated, but the whole sequence of what you did, who reviewed it, and why you reached the decision you did.
What you've learned
You've run an investigation from a flagged event to a final determination, escalated it for review, recorded the outcome, and left an audit trail that lives on the entities involved. You've seen the shape of it: BNDRY supplies the structure — the Workspace, the statuses, the activity trail — and you supply the specifics, through forms you design and an escalation path that matches how your team works. Every investigation you run from here follows the same shape.
Next steps
- Conducting Enhanced Customer Due Diligence in BNDRY — the deeper review you can run inside an investigation when an entity warrants it.
- Designing form templates — shape the investigation form so it captures exactly what your process needs.
- Activities — how the SMR activity and others build up the full history on an entity's record.