Alert investigation checkpoint
Work a synthetic screening alert end to end: triage it with secondary identifiers, understand what false positives mean, record a defensible disposition, and apply the ownership principle to entities that appear on no list by name.
QUESTIONS AS TEXT
Q1. What is the right way to work this alert?
Answer: A: Compare the secondary identifiers side by side: the roughly 34-year date-of-birth gap against a verified document, plus the non-matching nationality and addresses, are documented — and if they satisfy the bank's elimination criteria, the alert is closed as a false positive.
This alert has the classic shape of a name collision: strong name similarity, weak everything else. The analyst's job is to convert 'probably not the same person' into recorded evidence — which identifiers were compared, from which sources, and why they support elimination. If the identifiers could not separate the applicant from the entry, or key data were missing, the alert would escalate instead. Institutions differ in their exact elimination criteria and review levels; the discipline of evidence before decision is what they share.
Q2. Most screening alerts turn out to be false positives. What does that mean, and what does it say about the control?
Answer: A: A false positive is an alert where investigation shows the flagged party is not the listed person — usually a name collision. A high share of false positives is the expected cost of matching broadly enough not to miss true matches, not proof that the system is broken.
False positives are managed, not eliminated: better customer and message data, sensible list scoping, and governed tuning all reduce the load. Institutions also watch both extremes, because each is a failure mode — too many alerts bury analysts and slow payments, while suspiciously few suggest the engine is matching too narrowly to be effective.
Q3. An analyst closes an alert as a false positive. What should the disposition record contain?
Answer: A: The specific evidence and reasoning: which list entry was matched, which identifiers were compared, what differed, which sources were used, who decided, and when — enough for a reviewer to reach the same conclusion independently later.
Dispositions are the audit trail of the control. A good record is specific (this entry, these identifiers, these sources), consistent (guided by policy and templates rather than free-form habit), and reviewable — quality assurance samples closed alerts to check that eliminations were justified. When a regulator or auditor asks 'why did you release this payment?', the disposition record is the answer.
Q4. Meridian Bank investigates a corporate applicant, "Corvex Trading B.V." (fictional), which appears on no sanctions list. Research shows it is owned 30% by one designated person and 25% by another, both blocked under the same authority's program. Under the widely referenced ownership principle — OFAC's "50 Percent Rule" is the best-known version — how should this be assessed?
Answer: A: The company is treated as blocked itself: entities owned 50 percent or more in the aggregate, directly or indirectly, by one or more blocked persons are subject to blocking even though they appear on no list by name.
Under OFAC's published guidance, the property of an entity owned 50 percent or more, directly or indirectly, in the aggregate by one or more blocked persons is itself blocked — with indirect ownership traced through chains of majority-owned entities. Other authorities apply comparable ownership tests, and the EU additionally assesses control; the exact criteria are regime-specific, so investigators work from the guidance that applies to them. This is why ownership research is part of alert investigation rather than a simple list lookup.