When a model (rule) flags a transaction event, it generates an alert.
The alert is then sent into an alert queue. The team of agents assigned to that alert queue are able to view and investigate the alert.
team P0 alert queue.
- Agent Grabriela Smith consumes from the team P0 alert queue and investigates
If escalation is necessary, the alert and its data can be turned into a case.
Unit21 will not create a new alert if there is already an OPEN alert for that entity.
If there is already an open alert from a rule for a specific entity and new transactions are flagged for that entity by the same rule, they will be added under the Hits tab in the existing alert.
As such, it is important to close old alerts so that rules can generate new alerts for new transactions! Otherwise new transactions that are flagged may end up getting lost in old unclosed alerts for a specific entity.
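The de-duplication behaviour described above, modelled as an added example (this is not Unit21 code or its API). It assumes the open-alert check is keyed on rule plus entity; all class, function and sample names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    alert_id: int
    rule: str
    entity: str
    created: datetime
    state: str = "open"
    hits: list = field(default_factory=list)  # (txn_id, flagged_at) pairs

class AlertStore:
    """Toy model of the alert behaviour in the text; not Unit21's API."""
    def __init__(self):
        self.alerts = []

    def flag(self, rule, entity, txn_id, when):
        # Assumption: de-duplication is keyed on (rule, entity).
        for a in self.alerts:
            if a.state == "open" and (a.rule, a.entity) == (rule, entity):
                a.hits.append((txn_id, when))  # lands under Hits, no new alert
                return a
        a = Alert(len(self.alerts) + 1, rule, entity, when, hits=[(txn_id, when)])
        self.alerts.append(a)
        return a

    def close(self, alert_id):
        next(a for a in self.alerts if a.alert_id == alert_id).state = "closed"

    def stale_open_alerts(self, max_age):
        """IDs of open alerts that took hits more than max_age after creation."""
        return [a.alert_id for a in self.alerts
                if a.state == "open"
                and any(t - a.created > max_age for _, t in a.hits)]

def demo():
    t0 = datetime(2024, 1, 1)  # constructed sample data
    s = AlertStore()
    first = s.flag("structuring", "entity-1", "txn-1", t0)
    same = s.flag("structuring", "entity-1", "txn-2", t0 + timedelta(days=30))
    stale = s.stale_open_alerts(timedelta(days=7))  # txn-2 hid in the old alert
    s.close(first.alert_id)
    fresh = s.flag("structuring", "entity-1", "txn-3", t0 + timedelta(days=31))
    return first.alert_id, same.alert_id, len(same.hits), stale, fresh.alert_id
```

The `stale_open_alerts` check is the kind of report a team can run to find old open alerts that are still absorbing new hits.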
Alerts offer many possibilities for action, all of which can be managed from the Alerts pane of the Unit21 dashboard.
The Alerts page is the first step in the workflow for an agent. Each day, an agent logs into the dashboard and receives a new set of alerts to investigate.
The agents can request more alerts to work by using the Get More Alerts button.
Agents will work on alerts that are in their alert queue; see the Alert Queues section to learn more about how alerts get triaged into alert queues and are consumed by teams of agents.
An agent will choose an available alert from the Alert page to investigate further (simply click on an alert in the table).
Alerts are the first step in the case management component of the Unit21 platform. During the investigation, agents can assign investigators, add notes, and upload media.
Each alert is identifiable by an alert_id (Alert ID).
When an agent investigates an alert, they can also find data about:
- The underlying rule and the transactions that triggered the rule
- Associated alerts, i.e. alerts involving the same entities and transactions
- Entities and instruments involved
As an agent investigates the alert, they can:
- Review associated entities, alerts, cases, and reports
- Add documents to the alert
- Add notes to the alert
- Add tags to the alert
- Work through the investigation checklist
- Re-assign or re-queue the alert
- Resolve (dispose, escalate, transfer, close...) the alert through workflow buttons
Alert Triage and Assignment -- Alerts are triaged using alert queues.
You can also manually assign alerts to agents. These actions are reserved for administrators (agents with administrative permissions).
Alert State -- Alerts have two states: open and closed. If needed, a closed alert can be reopened.
Alert Investigation Checklist -- The investigation checklist is programmable by an investigator and forces an investigative workflow for agents (steps they must take and check off before an alert is resolved).
Alert Disposition -- Alerts can have dispositions such as "false positive".
Alert Deadline -- Alerts can have deadlines so that agents have a clear due date for their investigation.
Alert Workflow and Resolution -- Alerts can be escalated, transferred between agents, closed, opened, turned into a case, whitelisted, de-escalated, tagged and more using workflow buttons.
Alert Audit Trail -- Whenever an agent marks an alert’s data, adds a tag to the alert, uploads documents, or resolves the alert, the action is logged automatically in the alert’s audit trail.
Administrators can view all alerts in all queues under the Admin tab of the Alert page.
Administrators can create and delete alert queues in the Alert tab of the Alert page.