
AML Alert Triage: A Practical Workflow for Level 1 Analysts

5 min read · April 2026

Level 1 alert triage is where most AML programs win or lose their efficiency battle. The Level 1 (LOD 1) analyst sits at the front of the funnel, working through dozens of automated alerts every day, deciding which can be closed at the desk and which need to be escalated to a Level 2 investigator or directly to the MLRO. Get this stage right and your senior team focuses on real risk. Get it wrong and either suspicious activity slips through, or the escalation queue grows until investigators are buried in noise.

This guide walks through the practical triage workflow used by experienced Level 1 teams, with a focus on consistency, defensibility, and a clean handoff to Level 2 when escalation is the right call.

What Level 1 Triage Actually Decides

Level 1 triage is not a full investigation. It is a structured filter. The Level 1 analyst is answering one question: does this alert reach the threshold for escalation, or can it be closed with a documented rationale at the first line of defense?

That distinction matters. Level 1 is not the place for source-of-funds verification, deep counterparty research, or relationship reviews. Those happen at Level 2 or in dedicated EDD workflows. The Level 1 job is to clear noise efficiently and route real risk upward without delay.

The Standard Triage Steps

Open the alert and read the trigger logic. Every alert is generated by a specific rule or set of rules. Before doing anything else, read the rule description. A structuring rule, a velocity rule, a high-risk geography rule, and a name-screening hit all require completely different mental models. Knowing what tripped the alert tells you what to look for.

Pull customer context. Look at the customer's risk rating, industry, expected activity profile, prior alerts, and any open investigations. A repeat alert on the same customer is a different situation from a first-ever alert. A high-risk customer triggering a borderline rule is a different situation from a low-risk customer doing the same.

Examine the surrounding activity. The alert names a transaction or set of transactions, but the story is in the context. Pull 30 to 90 days of account activity. Look for patterns: is the alerting activity consistent with the customer's prior behavior, or does it represent a clear shift? Are the counterparties recurring? Is there a plausible commercial narrative?

Run the eight LOD 1 questions. A standardized question set keeps every analyst on the team applying the same framework. Whether you use the eight-question set built into Red Flag Check or your firm's internal version, the value is in the consistency. The same alert worked by two different analysts should reach the same conclusion.

Decide and document. Reach a clear yes or no on escalation. Write a rationale that names the alert, summarizes what you reviewed, states the deciding factors, and records the decision. If you escalate, the Level 2 investigator should be able to start work immediately without re-doing your context-gathering.

Escalation Criteria

Escalation criteria vary by firm, but most mature programs apply a small number of clear thresholds. Escalate when:

The activity has no plausible explanation consistent with the customer's known profile, business, or stated source of funds, and you cannot resolve it with the information available at Level 1.

The alert connects to known adverse information, including media coverage, sanctions hits, prior SAR filings, law enforcement requests, or internal escalations on related customers or counterparties.

The pattern suggests a higher-order typology such as structuring across accounts, layering through multiple counterparties, mule activity, or trade-based laundering. These patterns require investigation tools that Level 1 analysts typically do not have.

The customer's behavior has materially shifted from baseline in a way that suggests a change in beneficial ownership, control, or purpose of the relationship.

You feel uncertain after thorough review. Hesitation in a trained analyst is itself a signal. Escalate the alert with your concerns documented; the Level 2 reviewer can clear it quickly if your concerns are unfounded, and you have preserved the evidence trail if they are not.

Documentation Standards

Every closure or escalation decision needs a written rationale. The standard a Level 1 analyst should aim for is simple: a regulator or auditor reading the case file two years from now should be able to understand exactly what was reviewed, what was decided, and why, without needing to ask any follow-up questions.

A good Level 1 closure rationale includes: the alert reference and trigger rule; the customer's risk rating and relationship summary; a summary of the activity reviewed, including time period and transaction counts; the legitimate explanation, with supporting evidence; and the decision to close with no further action.

A good escalation note adds: the specific concerns that prevented closure; the typologies the activity may match; any urgency factors; and the recommended next steps for the Level 2 reviewer.
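As an added example (not code from the article or from the Red Flag Check tool), the escalation criteria and the documentation standards above can be turned into a small triage record that applies the thresholds and refuses to produce a closure without the required fields. The schema, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TriageInput:
    """What the Level 1 analyst gathered before deciding (constructed schema)."""
    alert_ref: str
    trigger_rule: str
    customer_risk: str            # "low", "medium" or "high"
    prior_alerts: int
    activity_reviewed: str        # period and transaction counts reviewed
    explanation: str = ""         # legitimate narrative found, empty if none
    corroborated: bool = False    # explanation backed by independent evidence
    adverse_info: bool = False    # media, sanctions, prior SAR, LE request, related escalation
    typologies: list[str] = field(default_factory=list)  # e.g. ["structuring"]
    baseline_shift: bool = False  # material change in ownership, control or purpose
    analyst_uncertain: bool = False

def escalation_reasons(t: TriageInput) -> list[str]:
    """Apply the article's escalation thresholds; an empty list means closable."""
    reasons = []
    if not t.explanation:
        reasons.append("no plausible explanation consistent with the customer profile")
    elif not t.corroborated:
        # A customer-stated explanation alone does not resolve the alert at Level 1.
        reasons.append("explanation not independently corroborated")
    if t.adverse_info:
        reasons.append("known adverse information on customer or counterparty")
    if t.typologies:
        reasons.append("possible typology: " + ", ".join(t.typologies))
    if t.baseline_shift:
        reasons.append("material shift from the customer's baseline activity")
    if t.analyst_uncertain:
        reasons.append("analyst uncertainty after thorough review")
    return reasons

def case_note(t: TriageInput) -> dict:
    """Build the rationale record with the fields the article requires."""
    if not t.activity_reviewed.strip():
        raise ValueError("rationale must state the period and transactions reviewed")
    note = {"alert_ref": t.alert_ref, "trigger_rule": t.trigger_rule,
            "customer_risk": t.customer_risk, "prior_alerts": t.prior_alerts,
            "activity_reviewed": t.activity_reviewed}
    reasons = escalation_reasons(t)
    if reasons:   # escalation note: concerns and candidate typologies for Level 2
        note.update(decision="escalate", concerns=reasons, typologies=t.typologies)
    else:         # closure rationale: the corroborated legitimate explanation
        note.update(decision="close", explanation=t.explanation)
    return note
```

Each alert is evaluated on its own inputs, so a repeat alert cannot be closed by pointing at a prior closure; the analyst must supply fresh activity and evidence for the new record.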

Common Triage Mistakes

The most common Level 1 mistakes are not catastrophic individually, but they erode the quality of the program over time. Watch for: closing alerts based on the customer's stated explanation without independent corroboration; treating the absence of adverse information as a positive indicator rather than the absence of a negative one; clearing repeat alerts by reference to prior closures without re-examining the activity; and closing alerts on high-risk customers using the same rationale you would apply to low-risk customers.

The discipline that prevents all of these is the same: every alert is its own decision, supported by its own evidence, documented in its own rationale.

The Bottom Line

Level 1 alert triage works when it is consistent, evidence-based, and disciplined about escalation. The goal is not to clear alerts as fast as possible, and it is not to escalate everything to be safe. It is to filter accurately, document defensibly, and route real risk upward without delay.

If you want a structured prompt to walk through a Level 1 triage decision, the LOD 1 triage workflow in the Red Flag Check tool runs you through the standard eight-question set and produces a documented case note in seconds.


Related typology: Triage decisions depend on which typology the alert appears to indicate. For a working reference, see the AML typology library.

This article is for educational purposes only and does not constitute legal, tax, or compliance advice. Filing and reporting obligations vary by jurisdiction and regulated sector. Always consult a qualified compliance professional or your firm's MLRO for guidance specific to your situation.