3.5.2.13 Alerts Decision

The actions available to each role can be configured as required. For more information, see the OFS Transaction Filtering Administration Guide.

Note:

A Reviewer user cannot access the alert decision.

The Analyst has the following actions available for a standard flow:
  • Promote to Case

    Note:

    The Promote to Case action is available to the analyst when ECM L2 is enabled.
  • Block
  • Release
  • Escalate
The Analyst has the following actions available for a four-eyes flow:
  • Promote to Case

    Note:

    The Promote to Case action is available to the analyst when ECM L2 is enabled.
  • Recommend to Block
  • Recommend to Release
  • Escalate
If a transaction is in the Auto Release (AR) status, the following actions are available:
  • Escalate
  • False Positive
  • Confirmed Match

You must also add a comment for any alert. For more information, see Adding Comments to an Event.

You can also attach a file to any alert. Select an alert from the list and follow these steps:
  1. Click Add Attachment. The Attachment window is displayed.
  2. Click Select Files to select the files.
  3. Click Save. The attachments are added to the list.
  4. If you want to delete any attachments, click the Delete icon next to the Attachment name.
  5. Click OK to confirm. The file is marked for deletion. Click Save to delete the file.

    Note:

    The maximum allowed size for an attachment is 9 MB. Attachments uploaded by other users cannot be deleted.

If the Analyst escalates the alert to the Supervisor, the Supervisor has the following actions available for a standard flow:
  • Block
  • Release
If the Analyst escalates the alert to the Supervisor, the Supervisor has the following actions available for a four-eyes flow:
  • Block
  • Release
  • Reject

Recommending to Block an Alert

This action is only available to the Analyst and Senior Supervisor. You can block the alert if you find suspicious data. Follow these steps:
  1. From the Alert Decision section, select the Recommend to Block button.
  2. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  3. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details. The status of the alert changes to BR (Block Recommended).

Recommending to Release an Alert

This action is only available to the Analyst and Senior Supervisor. You can release an alert if it is clean. Follow these steps:
  1. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  2. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details. The status of the alert changes to RR (Release Recommended). This alert is called a False Positive.
  3. In the Event Summary section, if any of the alert's matches are marked as suspicious, a pop-up window is displayed when you release the alert. Change the status to Recommend to Block or Escalate.

Escalating an Alert

This action is only available to the Analyst and Senior Supervisor. You can escalate the alert to the Supervisor if you need further analysis and approval. Follow these steps:
  1. From the Alert Decision section, select the Escalate button.
  2. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  3. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details. The status of the alert changes to E (Escalated).

Blocking an Alert

This action is only available to the Supervisor. You can block the alert if you find suspicious data. Follow these steps:
  1. From the Alert Decision section, select the Block button.
  2. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  3. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details. The status of the alert changes to B (Blocked).

Releasing an Alert

This action is only available to the Supervisor. You can release an alert if it is clean. Follow these steps:
  1. From the Alert Decision section, select the Release button.
  2. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  3. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details. The status of the alert changes to R (Released). This alert is called a False Positive.
  4. In the Event Summary section, if any of the alert's matches are marked as suspicious, a pop-up window is displayed when you release the alert. Change the status to Block or Escalate.

Rejecting an Alert

This action is available to the Supervisor. You can reject an alert if you think that the alert must be reanalyzed by the Analyst. Follow these steps:
  1. From the Alert Decision section, select the Reject button.
  2. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  3. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details.
  4. When you reject an alert, it is assigned back to the Analyst.

Promoting to Case

This action is available to the Analyst when ECM L2 is enabled. Follow these steps:
  1. From the Alert Decision section, select the Promote to Case button.
  2. Select the Standard Comments and then enter the comments to explain your analysis. Click Clear if you want to clear the comments.
  3. Add the attachments, if any, and click Save and Close, or click Clear to clear the attachment and details.
  4. When you select Promote to Case, a new case is created in ECM for the same alert for next-level analysis.

    Figure 3-32 Promoting to Case PMF Workflow



    Note:

    To integrate TF alerts with ECM after promoting to case, see the Configuring Sanctions Server Details for L2 Feedback section in the ECM Administration and Configuration Guide.

Alert Statuses

Alerts are displayed in the following order for the Analyst and Supervisor users:
  • Standard Flow For Analyst
    • Hold
    • Investigated
    • Escalated
    • Blocked
    • Released
  • Standard Flow For Supervisor
    • Escalated
    • Blocked
    • Released
  • Four-Eyes Flow For Analyst
    • Hold
    • Escalated
    • Block Recommended
    • Release Recommended
    • Blocked
    • Released
    • Pending
  • Four-Eyes Flow For Supervisor
    • Escalated
    • Block Recommended
    • Release Recommended
    • Blocked
    • Released
    • Pending