Understanding Alert Severity Levels
Alerts are categorized into five severity levels to help prioritize investigation workload.
Severity Overview
INFORMATIONAL
Low-confidence or marginal matches. No immediate concern.
Action: Log for future reference | SLA: 72h
LOW
Minor anomalies or marginal risk scores. Typically routine.
Action: No action required | SLA: 72h
MEDIUM
Potential issues requiring attention. Enhanced due diligence recommended.
Action: Review within 24 hours | SLA: 24h
HIGH
Significant risk indicators. Manual review required before proceeding.
Action: Review within 8 hours | SLA: 8h
CRITICAL
Immediate concern. Direct sanctions match or hard stop triggered.
Action: Immediate escalation | SLA: 2h
Severity Calculation
Alert severity is determined by the following rules, evaluated in order:
| Condition | Resulting Severity |
|---|---|
| Sanctions match | CRITICAL |
| Hard stop triggered | CRITICAL |
| Alert type requires SAR consideration (money laundering, structuring, etc.) | CRITICAL |
| Risk tier is CRITICAL | CRITICAL |
| Risk tier is HIGH | HIGH |
| Alert type requires regulatory reporting (CTR threshold, threshold breach) | HIGH |
| Risk score >= 60 | HIGH |
| Risk tier is MEDIUM or risk score >= 30 | MEDIUM |
| Behavioral anomaly detected | MEDIUM |
| Risk score < 30 | LOW |
| No risk signals detected | INFORMATIONAL |
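The table above as a first-match rule list, shown as an added example that is not the product's own code. It assumes the first matching row decides the severity; the `Alert` field names, and the use of `risk_score=None` to mean that no score was produced, are assumptions, since the page does not define an alert schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    """Constructed input shape; field names are assumptions, not the product's schema."""
    sanctions_match: bool = False
    hard_stop: bool = False
    requires_sar: bool = False           # e.g. money laundering, structuring
    requires_reg_report: bool = False    # e.g. CTR threshold, threshold breach
    behavioral_anomaly: bool = False
    risk_tier: Optional[str] = None      # "CRITICAL", "HIGH", "MEDIUM" or None
    risk_score: Optional[int] = None     # None = no score produced (assumption)

def _score(a, test):
    # A missing score never satisfies a score condition.
    return a.risk_score is not None and test(a.risk_score)

# One entry per table row, in table order. Order matters: the first match wins.
RULES = [
    ("Sanctions match", lambda a: a.sanctions_match, "CRITICAL"),
    ("Hard stop triggered", lambda a: a.hard_stop, "CRITICAL"),
    ("SAR consideration", lambda a: a.requires_sar, "CRITICAL"),
    ("Risk tier CRITICAL", lambda a: a.risk_tier == "CRITICAL", "CRITICAL"),
    ("Risk tier HIGH", lambda a: a.risk_tier == "HIGH", "HIGH"),
    ("Regulatory reporting", lambda a: a.requires_reg_report, "HIGH"),
    ("Risk score >= 60", lambda a: _score(a, lambda s: s >= 60), "HIGH"),
    ("Tier MEDIUM or score >= 30",
     lambda a: a.risk_tier == "MEDIUM" or _score(a, lambda s: s >= 30), "MEDIUM"),
    ("Behavioral anomaly", lambda a: a.behavioral_anomaly, "MEDIUM"),
    ("Risk score < 30", lambda a: _score(a, lambda s: s < 30), "LOW"),
]

# SLA values from the Severity Overview section.
SLA_HOURS = {"CRITICAL": 2, "HIGH": 8, "MEDIUM": 24, "LOW": 72, "INFORMATIONAL": 72}

def classify(alert):
    """Return (severity, matched rule, SLA hours) for the first rule that holds."""
    for name, predicate, severity in RULES:
        if predicate(alert):
            return severity, name, SLA_HOURS[severity]
    # Nothing matched: the table's last row, "No risk signals detected".
    return "INFORMATIONAL", "No risk signals detected", SLA_HOURS["INFORMATIONAL"]

if __name__ == "__main__":
    for sample in [Alert(risk_tier="MEDIUM", risk_score=65),      # constructed alerts
                   Alert(risk_score=10, behavioral_anomaly=True),
                   Alert()]:
        print(classify(sample))
```

Because of the ordering, a behavioral anomaly lifts an alert with a score below 30 to MEDIUM, and a score of 60 or more outranks a MEDIUM risk tier.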
Regulatory Note
Alert Workflow
Each alert follows this lifecycle:
- Created — Automatically generated when thresholds are exceeded
- Assigned — Routed to analyst based on workload and expertise
- In Progress — Analyst is actively investigating
- Escalated — Forwarded to senior compliance officer or MLRO
- Resolved — Marked as false positive, confirmed hit, or risk accepted