Alert Triage Workflows: SLA Benchmarks & Case Standards

Most firms have spent significant effort calibrating their transaction monitoring rules and significantly less effort designing the triage workflow that handles the alerts those rules produce. The result is recognisable across the industry: alerts accumulate, analysts work through them in queue order without prioritisation, dispositions are documented thinly because the time pressure does not permit more, and the case files that eventually reach a regulator are uneven in quality.

Triage is operational compliance. It is where the abstract architecture of transaction monitoring becomes a concrete control with measurable performance. The standards below are not aspirational — they are the operational benchmarks the better firms in each market actually hit, and the inspection expectations regulators have begun to apply consistently.

Every alert moves through a defined sequence of review stages. The number of stages and the criteria for advancement should be documented in the firm's procedures and reflected in the case-management system. The standard pattern:

• Analyst initial review. The L1 analyst examines the alert, the underlying transaction(s), the customer context (KYC profile, prior alerts, transaction history) and supporting external data. Initial disposition: dismiss as false positive with documented reasoning, escalate for further investigation, or escalate directly to senior review.
• L2 investigation. Where the initial review is insufficient to determine disposition, an L2 analyst conducts deeper investigation — extended counterparty analysis, source-of-funds documentation, adverse-media checks, customer contact where appropriate. The L2 review produces either a clear disposition or escalation to senior compliance.
• Senior compliance review. Where the L2 investigation suggests material suspicion, the case escalates to senior compliance for review. The senior reviewer assesses both the case itself and the broader pattern — is this customer producing repeat escalations? Is this typology growing across the customer base? Senior review produces the recommendation for SAR filing or relationship action.
• MLRO sign-off. SAR filings and material relationship decisions (account closure, restriction of services) require MLRO sign-off. The MLRO's review is the final check that the firm's response is consistent with both internal policy and regulatory expectation.

The escalation criteria should be explicit. "Customer is a PEP and the alert involves transactions above $100,000 from a high-risk jurisdiction" is documented; "the analyst thought it looked unusual" is not. Inspectors test whether escalation criteria are applied consistently across the alert population.

The SLA benchmarks below reflect the operational standards observed across mid-sized to large firms in the major financial centres. They are not regulatory mandates but they are the de-facto inspection benchmark in most jurisdictions.

• P1 alerts: initial review within 4 business hours; full disposition within 24 hours. Where the alert involves a sanctions match, real-time pending-transaction holds may apply pending disposition. Same-day MLRO escalation for confirmed sanctions hits.
• P2 alerts: initial review within 5–10 business days; full disposition within 30 days. Where investigation requires customer engagement, the 30-day clock may extend with documented reason. SAR filing decisions made within the 30-day window unless explicit extension is documented.
• P3 alerts: review within 30 days; full disposition within 60 days. Where the alert is part of a recurring pattern with prior benign dispositions, aggregated review across the pattern is acceptable; per-alert review is not always required.
• SAR filing deadlines: Per regulator. FinCEN allows 30 days from initial detection (extendable to 60 in specific circumstances); MAS expects "as soon as practicable"; FCA via the NCA expects "immediate" once suspicion is established; AUSTRAC has specific 3-day and 10-day windows for different SMR categories.
• Backlog visibility: Open alerts older than their SLA window should be visible to senior compliance daily. Backlog accumulation is itself a finding; the absence of backlog reporting is a finding.

The SLAs should be calibrated to the firm's actual alert volume and analyst capacity — chasing benchmark numbers without the operational capacity to meet them produces missed SLAs and demoralised teams. Where the gap exists, the response is either to expand capacity, reduce alert volume through rule tuning, or document a different SLA reflecting the firm's risk appetite.

Five operational practices distinguish high-performing triage functions from struggling ones:

• Single case-management platform. All alerts flow into one queue with consistent prioritisation, consistent documentation templates, consistent escalation routing. Multi-platform setups produce inconsistent handling at scale.
• Pattern aggregation across alerts. The case manager surfaces the customer's full alert history when an analyst opens a case — the analyst sees the pattern, not just the individual alert. Repeat firings on the same pattern aggregate for review.
• Templated documentation. Disposition templates that prompt for each required element of the case file. Templates do not write the reasoning, but they ensure the reasoning is structured and complete.
• Per-analyst quality review. A sample of each analyst's dispositions reviewed periodically (typically 10% per quarter) by senior compliance. The review provides both individual coaching and aggregate quality assurance evidence for inspection.
• Backlog management as a daily activity. The senior compliance team reviews backlog daily, reallocates capacity to drive SLA compliance, and escalates persistent gaps to management. The discipline is recurring rather than reactive.

One Constellation's transaction monitoring platform ships with integrated case management, templated dispositions, pattern aggregation across customer alert history, and configurable SLA tracking — designed to support the triage discipline rather than work against it.