Alert Triage
Last reviewed April 2026
A compliance analyst arrives at work to find 200 alerts in their queue. Each requires investigation. The average investigation takes 20 minutes. There are eight hours in a working day. The arithmetic does not work. Alert triage is the process of deciding which alerts to investigate first, which to fast-track, and which the machine can resolve without human involvement, and getting this wrong means either missed financial crime or an unsustainable operating model.
What is alert triage?
Alert triage is the prioritisation, categorisation, and initial assessment of compliance alerts generated by transaction monitoring, sanctions screening, and other financial crime detection systems. It sits between alert generation and full investigation. The goal is to ensure that the most important alerts receive human attention first, that obviously false positives are disposed of efficiently, and that the overall alert workload is manageable within the available analyst capacity.
In most institutions, alert triage is a manual process. An analyst opens an alert, reviews the customer profile, examines the flagged transactions, checks external databases, and makes an initial determination: dismiss, escalate for full investigation, or file a suspicious activity report. The time per alert ranges from 10 minutes for a clear false positive to several hours for a complex case. The total cost of alert processing in a mid-sized bank runs to millions of pounds annually.
The challenge is that alert volume is driven by detection systems calibrated for sensitivity, not specificity. A transaction monitoring system tuned to ensure no suspicious activity is missed will, by design, generate large numbers of false positives. The triage function absorbs the cost of this calibration choice. Without effective triage, the institution faces a binary decision: hire more analysts (expensive) or accept slower investigation times (risky).
The landscape
The FCA has been clear that alert backlogs are a supervisory concern. An institution that generates thousands of alerts per month but investigates them weeks or months after generation is not meeting its obligations. The expectation is timely investigation proportionate to the risk. Alert triage that prioritises high-risk alerts and fast-tracks low-risk ones is the mechanism by which institutions manage this expectation within fixed analyst capacity.
The quality of alert disposition is under increasing scrutiny. The EU AMLA's supervisory framework will set harmonised expectations for alert investigation quality across the EU. Regulators have identified cases where alerts were closed with boilerplate rationale, where the same dismissal text was applied to materially different alerts, and where analysts were incentivised to close alerts quickly rather than thoroughly. Effective triage must improve speed without compromising quality. The temptation to auto-close alerts without genuine assessment is a regulatory red line.
Alert fatigue is a well-documented problem. Analysts who review hundreds of false positives daily become desensitised. Their attention wanders. Genuine suspicious activity that would catch a fresh eye is dismissed by a fatigued one. Research from the behavioural sciences literature suggests that detection accuracy drops measurably after reviewing more than 50 to 60 cases in a session. Effective triage directly combats alert fatigue by ensuring that the cases reaching human reviewers are more likely to be genuine, keeping analysts engaged and effective.
How AI changes this
Risk scoring is the foundational application. Machine learning models trained on historical alert dispositions assign a risk score to each new alert, predicting the probability that it represents genuine suspicious activity. Analysts work the queue from highest risk to lowest. This ensures that if capacity constraints mean some alerts are investigated later than others, the delayed alerts are the lowest-risk ones. Institutions deploying risk-scored triage report 40 to 60 per cent improvements in analyst productivity without increasing missed suspicious activity.
Automated disposition of clear false positives is the highest-leverage intervention. When a sanctions screening alert is generated because a customer named "David Cameron" matches a sanctions list entry for a different "David Cameron" with a different date of birth and nationality, the AI can auto-close the alert with a documented rationale. The key is defining the confidence threshold above which automated disposition is permitted and validating that the threshold does not allow genuine matches through. This connects directly to false positive reduction as a discipline.
Contextual enrichment prepopulates the investigation workspace with relevant information. Rather than the analyst manually pulling customer data, transaction history, screening results, and prior alert history, the system assembles this information automatically and presents a pre-built case view. The analyst reviews a prepared brief rather than conducting research. This reduces the time per investigation by 30 to 50 per cent for cases that still require human review.
Workload distribution uses AI to balance alert queues across analysts based on skill, capacity, and case complexity. A complex alert triggered by enhanced due diligence (EDD) is routed to a senior analyst. A straightforward sanctions false positive is routed to a junior analyst or to the automated disposition queue. This optimises the team's overall throughput and ensures complex cases receive appropriate expertise.
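As an added illustration (not the page's or any vendor's code), a small Python triage routine for the sanctions name-match case described above: it accumulates evidence that the match is a false positive, auto-closes only at or above an assumed governance threshold, keeps the documented rationale with the decision, and orders what remains for human review with the highest-risk alerts first. The evidence weights and the 0.90 threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed governance values for illustration: in practice the threshold is set
# by policy and validated against known true matches before go-live.
AUTO_CLOSE_THRESHOLD = 0.90
W_NAME, W_DOB, W_NATIONALITY = 0.3, 0.5, 0.4

@dataclass
class Party:
    name: str
    dob: str          # ISO date, or "" if unknown
    nationality: str  # ISO 3166-1 alpha-2, or "" if unknown

@dataclass
class Decision:
    alert_id: str
    outcome: str       # "auto_closed" or "human_review"
    confidence: float  # evidence that the alert is a false positive, 0..1
    rationale: str     # documented reasons, stored with the disposition

def false_positive_evidence(customer: Party, listed: Party) -> tuple[float, list[str]]:
    """Score how strongly the identifiers say this is a different person. Missing
    identifiers add no evidence; a matching date of birth vetoes auto-close outright."""
    sim = SequenceMatcher(None, customer.name.lower(), listed.name.lower()).ratio()
    score, reasons = W_NAME * (1.0 - sim), [f"name similarity {sim:.2f}"]
    if customer.dob and listed.dob:
        if customer.dob == listed.dob:
            return 0.0, reasons + ["date of birth matches listed entry"]
        score += W_DOB
        reasons.append(f"date of birth differs ({customer.dob} vs {listed.dob})")
    else:
        reasons.append("date of birth unavailable; no evidence either way")
    if customer.nationality and listed.nationality and customer.nationality != listed.nationality:
        score += W_NATIONALITY
        reasons.append(f"nationality differs ({customer.nationality} vs {listed.nationality})")
    else:
        reasons.append("nationality same or unavailable; no evidence either way")
    return round(min(score, 1.0), 4), reasons

def triage(alert_id: str, customer: Party, listed: Party) -> Decision:
    score, reasons = false_positive_evidence(customer, listed)
    outcome = "auto_closed" if score >= AUTO_CLOSE_THRESHOLD else "human_review"
    return Decision(alert_id, outcome, score, "; ".join(reasons))

def prioritise(decisions: list[Decision]) -> list[Decision]:
    """Human-review queue: least likely false positive (highest risk) first."""
    pending = [d for d in decisions if d.outcome == "human_review"]
    return sorted(pending, key=lambda d: d.confidence)
```

Note that an alert with an unknown date of birth can never reach the threshold on name and nationality alone, which is the safeguard the text asks for: incomplete records stay with a human.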
What to know before you start
The quality of your training data determines the quality of your triage model. If historical alert dispositions are inconsistent (different analysts reaching different conclusions on similar alerts), the model will learn the inconsistency. Standardise your disposition taxonomy and rationale documentation before training. Run a calibration exercise where multiple analysts review the same sample of alerts to measure inter-rater agreement. If agreement is low, fix the process before training the model.
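One way to run the calibration exercise described above, as an added example that is not from the page: Fleiss' kappa measures chance-corrected agreement when the same analysts disposition the same alerts, and the function also lists the alerts they split on. The sample dispositions are constructed, and the 0.8 go/no-go gate is an assumed policy value.

```python
from collections import Counter

# Constructed calibration sample (not real case data): six alerts, each
# dispositioned independently by the same three analysts.
CALIBRATION_SAMPLE = {
    "ALT-001": ["dismiss", "dismiss", "dismiss"],
    "ALT-002": ["dismiss", "dismiss", "escalate"],
    "ALT-003": ["escalate", "escalate", "escalate"],
    "ALT-004": ["escalate", "sar", "escalate"],
    "ALT-005": ["dismiss", "dismiss", "dismiss"],
    "ALT-006": ["sar", "sar", "sar"],
}

def fleiss_kappa(ratings: dict[str, list[str]]) -> float:
    """Fleiss' kappa for N alerts each rated by the same n analysts.
    1 = perfect agreement, 0 = no better than chance, negative = worse than chance."""
    subjects = list(ratings.values())
    n = len(subjects[0])
    if any(len(r) != n for r in subjects):
        raise ValueError("every alert must carry the same number of dispositions")
    categories = sorted({c for r in subjects for c in r})
    counts = [Counter(r) for r in subjects]
    # P_i: fraction of analyst pairs that agree on alert i
    p_i = [(sum(c[k] ** 2 for k in categories) - n) / (n * (n - 1)) for c in counts]
    p_bar = sum(p_i) / len(subjects)
    # p_j: overall share of each disposition category, giving chance agreement P_e
    total = n * len(subjects)
    p_j = [sum(c[k] for c in counts) / total for k in categories]
    p_e = sum(p ** 2 for p in p_j)
    if p_e == 1.0:  # only one category ever used: agreement is trivially perfect
        return 1.0
    return (p_bar - p_e) / (1 - p_e)

def disagreements(ratings: dict[str, list[str]]) -> list[str]:
    """Alerts where analysts split: the cases to discuss before fixing the taxonomy."""
    return sorted(a for a, r in ratings.items() if len(set(r)) > 1)

def ready_to_train(ratings: dict[str, list[str]], minimum_kappa: float = 0.8) -> bool:
    """Assumed gate: do not train a triage model on dispositions below this agreement."""
    return fleiss_kappa(ratings) >= minimum_kappa
```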
Automated disposition requires robust governance. Define which alert types are eligible for auto-close, what confidence threshold is required, and how auto-closed alerts are sampled and reviewed for quality assurance. The regulator will ask about this governance. Have the documentation ready before deployment, not after the supervisory review.
Measure the right metrics. Alert closure rate is not a quality metric. Suspicious activity report filing rate is not a productivity metric. The metrics that matter are: time from alert generation to disposition, proportion of alerts that result in genuine findings, analyst capacity utilisation, and the false negative rate (alerts auto-closed that should not have been). Track these from day one.
Start with a single alert type from a single detection system. Sanctions screening false positives are often the best starting point: high volume, high false positive rate, and relatively clear criteria for determining true versus false matches. Build the triage model, validate it on historical data, run it in shadow mode alongside human triage, and deploy to production only when the validation results support it.
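Serving both the metrics paragraph and the shadow-mode step above, an added example (not the page's or any vendor's code) that computes the metrics the text says matter from a shadow-mode run, where the model's decision was recorded beside the human disposition but never acted on. The log is constructed, and the go-live gate of zero auto-closed genuine alerts is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class ShadowRecord:
    alert_id: str
    generated_at: str     # ISO 8601 timestamps
    dispositioned_at: str
    human: str            # decision of record: "dismiss", "escalate" or "sar"
    model: str            # shadow decision, not acted on: "auto_close" or "human_review"

# Constructed shadow-mode log (not real case data).
SHADOW_LOG = [
    ShadowRecord("S-1", "2026-03-02T09:00", "2026-03-02T09:30", "dismiss",  "auto_close"),
    ShadowRecord("S-2", "2026-03-02T09:00", "2026-03-03T09:00", "escalate", "human_review"),
    ShadowRecord("S-3", "2026-03-02T09:00", "2026-03-02T10:00", "dismiss",  "auto_close"),
    ShadowRecord("S-4", "2026-03-02T09:00", "2026-03-04T09:00", "sar",      "auto_close"),
    ShadowRecord("S-5", "2026-03-02T09:00", "2026-03-02T09:30", "dismiss",  "human_review"),
    ShadowRecord("S-6", "2026-03-02T09:00", "2026-03-05T09:00", "sar",      "human_review"),
]

def hours_to_disposition(r: ShadowRecord) -> float:
    delta = datetime.fromisoformat(r.dispositioned_at) - datetime.fromisoformat(r.generated_at)
    return delta.total_seconds() / 3600

def shadow_metrics(log: list[ShadowRecord]) -> dict:
    """Time to disposition, genuine-finding rate and false negative rate of the
    shadow model. Alert closure rate is deliberately absent: it is not a quality metric."""
    auto = [r for r in log if r.model == "auto_close"]
    genuine = [r for r in log if r.human != "dismiss"]
    # False negatives: alerts the model would have auto-closed that a human found genuine
    missed = [r.alert_id for r in auto if r.human != "dismiss"]
    return {
        "alerts": len(log),
        "genuine_finding_rate": len(genuine) / len(log),
        "auto_close_rate": len(auto) / len(log),
        "false_negative_rate": len(missed) / len(auto) if auto else 0.0,
        "missed_alert_ids": missed,
        "median_hours_to_disposition": median(hours_to_disposition(r) for r in log),
    }

def ready_for_production(log: list[ShadowRecord], max_false_negative_rate: float = 0.0) -> bool:
    """Assumed go-live gate: no genuine alert may have been auto-closed in shadow mode."""
    return shadow_metrics(log)["false_negative_rate"] <= max_false_negative_rate
```

In the constructed log the model would have auto-closed S-4, which a human filed as a suspicious activity report, so the gate fails and the threshold must be revisited before deployment.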