Case Manager · Investigation & Governance

From alert to defensible decision.

The Loci Case Manager turns alerts, transactions, screening results, and session risk into auditable investigations: assigned, documented, reviewed, and closed with an evidence trail a regulator can follow.

maker-checker review for recommended closures SLA tracked on every case append-only audit timeline
Case Manager · CASE-20481 priority HIGH · SLA 24h
ALERT QUEUE
3 related alerts claimed TRIAGE
flagged transactions · same beneficiary cluster · analyst j.okafor
CASE CREATED
CASE-20481 opened SLA STARTED
priority HIGH · due in 24h · typology: mule network
EVIDENCE LINKED
7 transactions · 1 screening hit · 2 sessions VERIFIED
threaded investigation notes · every link on the timeline
SUBMITTED FOR REVIEW
Recommended: confirmed fraud PENDING APPROVAL
disposition rationale + summary attached · analyst cannot approve own case
REVIEWER DECISION
Approved · CLOSED_CONFIRMED_FRAUD FOUR-EYES
linked transactions marked fraud · entity graph updated · SLA met
Two Levels of Workflow

Triage fast. Investigate properly.

Alert work and investigation work are different jobs. Loci gives each its own surface, with a clean handoff between them.

Alert Queue
Fast triage

Who is looking at this alert, and what is the next immediate action? Claim, assign, release, and reassign flagged transactions with full assignment history. High-priority views keep the riskiest work on top.

Case Manager
Governed investigation

What evidence was reviewed, what was decided, and who approved it? Group related alerts into one investigation with notes, status, SLA, maker-checker review, and a final disposition.

Governance by Design

Safeguards you don't have to remember to apply.

The controls a compliance framework asks for are enforced by the system, not by convention.

Four-eyes enforced

A reviewer cannot approve their own submitted case. Maker and checker are structurally separate roles for recommended closures.

Closure is a decision

Cases cannot be closed through ordinary status changes. Closure happens through review approval or an explicit, logged admin override.

Everything on the timeline

Creation, assignment, status changes, notes, evidence links, review decisions, closures, and reopenings all write append-only timeline events.

Status and disposition, separated

Lifecycle state and investigation conclusion are distinct fields, from NO_ISSUE and FALSE_POSITIVE through CONFIRMED_FRAUD and STR_FILED.

SLA Tracking

Every case has a clock, and everyone can see it.

SLA windows are set by priority the moment a case opens. Every case response carries its computed SLA state, so queues can be worked by urgency instead of arrival order, and breaches are visible instead of discovered.

See it in the console
Priority SLA window Computed state
Critical 4 hours DUE_SOON
High 24 hours ON_TRACK
Medium 72 hours ON_TRACK
Low 120 hours DUE_TODAY
Evidence & Feedback

Investigations that make detection smarter.

Cases link evidence from enabled Loci surfaces such as transaction monitoring, AML screening, AccessGate/session risk, and custom sources. When a case closes as confirmed fraud, Loci updates linked transactions and fraud records, refreshes graph signals where linked data exists, and makes the outcome available to downstream detection workflows.

Transaction evidence

Flagged transactions link directly, verified against your organization, with duplicates blocked within a case.

Screening & session evidence

When enabled, AML screening hits and AccessGate session risk can attach to the same investigation, so one case carries the relevant context.

Manual & custom evidence

Analyst-entered findings, adverse-media references, and custom sources link through the same evidence model with source and severity.

case closed: confirmed fraud transactions marked entity graph updated detection workflows informed
Get Started

Walk one alert to a closed case.

A 30-minute walkthrough: claim an alert, build the case, submit for review, and see how confirmed outcomes update linked records.