AML investigation: Why incomplete data leads to wrong decisions

Arnaud Schwartz
CEO and Co-Founder
June 16, 2026
Summary

A compliance officer is asked to approve an escalation.

The case file is open, alerts are listed, transactions are logged, entities are named.

But nothing connects.

The picture is technically complete. But practically useless.

There's no relationship map. No account history. No view of linked entities or prior cases.

Approving means trusting that nothing was missed. Declining means sending the analyst back. Into three different systems. To find the context. Context that should have been there to begin with.

This is where anti-money laundering (AML) investigations fail. Not in the analysis. In the assembly.

Key takeaways

  • Most AML and fraud investigation failures happen at the data assembly stage, not the analysis stage
  • A 360-degree investigation view means every entity, every connection, every transaction, and every piece of case context – in one place
  • Fragmented tools don't just slow teams down. They create blind spots. These blind spots survive into final decisions
  • The right investigation platform doesn't just store data. It connects it, surfaces it, and keeps it auditable

What AML and fraud investigation actually involves

AML investigation and fraud investigation are closely related disciplines with the same core challenge: building a complete, defensible picture of a subject before making a decision.

In practice, a complete investigation covers:

  • Entity resolution – identifying all accounts, counterparties, related parties, and linked entities connected to the subject under review
  • Transaction history – a full, chronological view of payment flows, not just the flagged transaction that triggered the alert
  • Behavioral patterns – changes in activity over time that indicate risk escalation, structuring, or unusual typologies
  • Sanctions and PEP (Politically Exposed Person) screening history – what was checked, when, and what matched
  • Prior cases and alerts – what your own system already knows about this entity, across prior investigations
  • External context – adverse media, open-source intelligence, and third-party data relevant to the case

A 360-degree investigation view doesn't mean looking at a lot of data. It means looking at the right data, assembled in one place, with every connection visible. The distinction matters – volume without structure is just noise.

Figure: Overview of the basic AML investigation workflow, from alert to filing decision

Where AML investigations break down

The failure points are consistent. They're not analytical. They're structural.

Fragmented tools, fragmented picture

Most compliance teams work across multiple systems. A transaction monitoring platform here, a case management tool there, a sanctions screening database somewhere else – and a manual spreadsheet holding the rest together.

Figure: Fragmented AML investigation tools vs. unified case management platform

Every context switch is a risk. Every manual transfer is a potential error. Every system boundary is a place where a connection can be missed.

The result is an investigation picture that is technically assembled – but functionally incomplete. The analyst has seen the data. They haven't seen the relationships.

Alert-first thinking

Most investigation workflows are built around the alert – the single flagged transaction or event that opened the case. The alert is where the investigation starts.

But financial crime rarely lives in a single event. Structuring, layering, and account takeover fraud are all patterns. These patterns only become visible when you look across time and across entities.

An investigation tool that only shows you the alert shows you a fragment of the bigger picture. And fragmented, siloed views ultimately add to alert fatigue, too – forcing analysts to clear repetitive flags.

No unified case history

When the same entity appears across multiple cases – different analysts, different time periods, different alert types – most platforms don't surface that history automatically. Each investigation starts from scratch.

Prior flags, prior decisions, prior context: gone.

This isn't just inefficient. It's a material gap.

A subject who has been reviewed three times and cleared three times is not the same risk as a first-time flag. Your investigation process has to reflect that.

Manual evidence assembly

Even when the data exists, gathering it is manual work.

Copy from the transaction system. Paste into the case file. Pull the entity profile from the KYC tool. Check the screening database. Reconcile the results by hand. Write the narrative from scratch.

Julie Pessey, Operation Risk and Compliance Manager at Pixpay, described this reality directly:

"Before Marble, when we started an investigation it took some time to access the data from different places."

The time cost is real. The error risk is real. And it compounds every step that follows.

What a 360-degree AML investigation view actually means

"360-degree view" is used somewhat loosely by the industry. Here's a precise definition.

Every entity, fully resolved

A complete investigation view starts with entity resolution. Every account, every related party, every linked entity associated with the subject – mapped, not listed. The difference between a list of names and a relationship map is the difference between data and understanding.

Every connection, traced

Financial crime moves through networks. An AML or fraud investigation that can't trace flows across connected entities is working with partial information. Your compliance tool must therefore recognize suspicious signals by default: accounts held by the same beneficial owner, transactions routed through intermediaries, devices shared across multiple sign-ups.

Every transaction, in sequence

Patterns only emerge in sequence. A single large transaction may be unremarkable. The same transaction following a series of smaller deposits, from accounts sharing a device fingerprint, in a jurisdiction on your elevated-risk list – is a different matter entirely.

Prior cases and decisions, surfaced

What your own platform already knows about a subject is the most underused resource in investigation workflows. A unified case history – searchable, linked, and presented alongside the live investigation – turns institutional knowledge into an active asset. Rather than just an archive.

External context, integrated

Adverse media, open-source intelligence, and third-party data belong inside the investigation, not in a separate browser tab. When external context is integrated into the case view, the analyst assesses it. When it requires a separate workflow step, it's often missed or skipped under time pressure.

AML investigation best practices

High-performing investigation teams structure their work around a consistent set of principles.

Investigate the entity, not just the alert

The alert is the starting point, not the scope.

From the first moment a case is opened, the investigation should expand outward: who is this entity, what are all their accounts and relationships, what does the full transaction history show? Alert-first thinking produces alert-sized conclusions.

Establish a single case record from day one

Every piece of evidence gathered belongs in one place from the moment the case opens: transaction data, entity profiles, screening results, analyst notes. Reconstruction after the fact is unreliable. A single case record built in real time is auditable, complete, and defensible.

Surface institutional knowledge before you start

Before an analyst begins manual investigation work, they should see everything the platform already knows about the subject: prior alerts, prior cases, prior decisions, and prior context. This takes seconds when the system is designed for it. Without that design, it takes hours – or doesn't happen at all.

Document reasoning at every step

A decision without documented reasoning is a decision that can't be defended. Every assessment, every conclusion, and every escalation judgment should be written into the case record in real time. The audit trail is not a post-investigation task. It's a live record.

Separate the mechanical from the analytical

Most of the time an analyst spends on an investigation is mechanical. Gathering data. Reformatting it. Moving it between systems.

That time should be close to zero.

The analytical work is where investigator expertise actually matters. Assessing patterns, weighing risk, making the judgment call. You must design the workflow to protect that time.

How Marble builds the complete investigation picture

Marble's Case Manager is built around a single principle: everything the investigation needs, in one place, assembled before the analyst starts.

Figure: Marble Case Manager, 360-degree AML investigation view with unified alerts, entities, and transaction history

A unified 360-degree case view

When a case opens in Marble, the full picture assembles automatically. Alerts, transaction histories, entity profiles, screening results, linked cases, and prior decisions are all surfaced in one structured view. Not simply listed, but connected. The analyst arrives at the analysis stage with the full, comprehensive picture already in front of them.

AI-powered evidence compilation and narrative drafting

Marble's AI Virtual Analyst compiles case evidence and drafts investigation summaries – based on the full case context. It flags key findings, surfaces relevant patterns, and structures the narrative. So the analyst reviews and decides – rather than assembles and formats.

Entity resolution and relationship identification

Marble connects entities across accounts, transactions, devices, and related parties. These relationships become visible inside the case. No need for separate exports built in spreadsheets.

Automated workflow and escalation routing

Escalation follows your procedure, not a generic template. You route cases to the right reviewer based on configurable workflow logic. Every handoff is logged. Consistency is built in, not just enforced manually – and often inconsistently.

A real-time, unalterable audit trail

Every action in the Case Manager is tracked, versioned, and timestamped. The audit trail is not assembled after the fact – rather, it's built in real time, as the investigation unfolds. When regulators ask to see the record, it's already there.

Pixpay's compliance team put it plainly:

"the team opens Marble first thing in the morning and it's the last thing they close at night."

Build investigations that hold up

The compliance officer at the escalation desk shouldn't be working with fragments.

Every entity connected. Every transaction in sequence. Every prior decision surfaced. Every step documented as it happens.

That's what a complete AML investigation looks like. And it's what the right platform makes possible – without the manual assembly work that currently consumes most of the time.


Frequently asked questions about AML investigations

What is AML investigation?

AML investigation is the process of reviewing flagged transactions, customer behavior, and entity relationships to determine whether suspicious activity represents genuine financial crime risk. It follows an alert from a transaction monitoring system and results in a decision to close, escalate, or file a suspicious activity report (SAR).

What is the difference between AML investigation and fraud investigation?

AML investigation focuses on detecting and documenting money laundering activity – the movement of illicit funds through financial systems.

Fraud investigation focuses on deceptive schemes designed to obtain money or assets illegally – account takeover, synthetic identity fraud, payment fraud.

In practice, both disciplines require the same investigative foundation: entity resolution, transaction analysis, behavioral pattern review, and a complete, auditable case record. Many compliance teams handle both within the same workflow and tooling.

What does a 360-degree AML investigation view include?

A complete 360-degree investigation view includes:

  • full entity resolution across all linked accounts and related parties;
  • complete transaction history in chronological sequence;
  • sanctions and PEP screening history;
  • prior alerts and case decisions;
  • behavioral pattern data; and
  • integrated external context such as adverse media.

The goal is a single, connected view – not just a collection of manual data exports from separate systems.

How long does an AML investigation take?

It depends on case complexity, risk tier, and the quality of the investigation tool.

Simple cases – a single transaction flag on a low-risk customer – can be resolved in minutes. Complex cases involving multiple entities, cross-border flows, and layered structures can take days or weeks.

The mechanical steps (evidence assembly, formatting, context gathering) typically account for the majority of investigation time in manual workflows. Platforms that automate evidence compilation and unify data sources reduce that time materially.

What makes an AML investigation defensible?

A defensible AML investigation has three properties:

  1. completeness – all relevant evidence was gathered and reviewed,
  2. documentation – every step and decision is recorded in real time, and
  3. auditability – the full record can be reconstructed and presented to a regulator without manual reconstruction.

A decision made on partial data, or documented after the fact, is not defensible – regardless of whether the underlying judgment was correct.

What tools do compliance teams use for AML investigation?

AML investigation tools range from standalone case management platforms to integrated compliance suites.

Key capabilities to evaluate:

  • unified data aggregation across transaction monitoring, screening, and customer data;
  • entity resolution and relationship mapping;
  • AI-assisted evidence compilation and narrative drafting;
  • configurable workflow and escalation routing; and
  • a real-time, unalterable audit trail.

Teams that rely on spreadsheets and manual data transfers between systems consistently report longer investigation times, higher error rates, and greater difficulty producing audit-ready records.
