For the compliance analyst¶
Audience — AML / fraud / SAR analyst at Your Institution.
What you do today¶
The trigger varies (a model alert, a counterparty referral, a SAR you're drafting that needs evidence) but the work has one shape: a question about a person, a pair or a transfer, and you need the rows that answer it — fast enough the case doesn't go stale, with enough trail to defend the conclusion to a regulator later.
Today that means a query language (or a request to someone who speaks one), a spreadsheet and a stack of CSV exports you stitch together by hand. Each follow-up question — "OK but where did that counterparty get the money?" / "what does this account's broader network look like?" — is another query, another export, another hand-stitch. By the time the picture is assembled the case has aged a week.
What this tool does differently¶
The Investigation Dashboard is question-shaped, not data- shaped. Each of the four sheets answers one class of question that maps to the investigative posture you start a case in (see it live at https://recon-gen-spec.hotchkiss.io/):
| Question shape | Sheet |
|---|---|
| "Who's getting money from too many senders?" | Recipient Fanout |
| "Which sender → recipient pair just spiked?" | Volume Anomalies |
| "Where did this transfer actually originate?" | Money Trail |
| "What does this account's money network look like?" | Account Network |
Pose the question, pick the sheet and the rows that answer it are already there with drill-into-detail on every row. You don't write SQL or hand-stitch CSV exports.
The first SAR-evidence pull you finish in 10 minutes instead of a half-day of queries is the proof — the investigative loop is now in YOUR hands, not the query-writer's.
What we are not asking you to learn¶
- Not SQL. The four matviews behind the four sheets do the heavy lifting. You filter, drill and export — you don't query.
- Not the L1 / L2 / Executives dashboards. Those are operator / integrator / leadership surfaces. They share the same base ledger as Investigation, so the rows are mutually consistent, but you don't need to know how they work.
- Not new statistical concepts. Volume Anomalies surfaces z-scores and standard-deviation-bucket bands, but the bucket numbers (1 = normal, 5 = extreme outlier) are the actionable signal — the underlying math is in the matview, not your job to compute.
How to start¶
- Read the Investigation handbook. It covers the four sheets, the team posture each sheet supports and the demo scenarios you can practice on.
- Walk the four question-shape walkthroughs in order — they're designed as a graduated curriculum:
- Practice on the demo scenarios. The Cast of Characters page lays out the demo's converging-anchor scenario (one recipient hub, several sender-side cluster shapes); each walkthrough above resolves one face of that scenario.
- Bookmark the L1 Reconciliation Dashboard as your back-stop. When a transfer's row looks suspicious in Investigation, the L1 surface tells you whether the underlying posting violated any invariant — additional evidence for regulator-facing case files.
The investigator's posture¶
Each sheet supports a different posture:
- Recipient Fanout is find-the-hub — start with a population of recipients, rank by distinct sender count, drag the threshold slider until "too many" stops being noise. The fanout-cluster shape (many small inbounds → one account) is a classic structuring footprint.
- Volume Anomalies is find-the-spike — the rolling 2-day SUM per (sender, recipient) pair plus z-score buckets surfaces pairs whose recent activity is out-of-line with their own baseline. The 5-band bucket is sortable; bands 4-5 warrant a look.
- Money Trail is trace-the-provenance — a
WITH RECURSIVEwalk overtransfer_parent_idflattens to one row per multi-leg edge with chain root + depth. The most useful drill shape for a SAR-evidence narrative. - Account Network is visualize-the-shape — anchor an account, see its inbound + outbound Sankeys, left-click any node to walk the flow (the URL parameter overwrites the anchor to the counterparty side). The chart you'd hand a regulator to show "here's what this account's relationships actually look like".
The audit report — your regulator handoff¶
When you need to hand evidence off to an external auditor or regulator, the audit reconciliation report is the artifact you ship. It's a regulator-ready PDF generated directly from the same per-instance L1 invariant matviews the L1 Reconciliation Dashboard reads — exception tables, per-account-day Daily Statement walks, sign-off block, cryptographic provenance fingerprint binding the report to its source data.
Use it when:
- An auditor needs a printable artifact outside the live dashboard.
- A SAR file needs an attached reconciliation snapshot for the reporting period.
- A regulator asks "show me what your books looked like on these dates and prove the numbers".
Generate one for the past 7 days:
recon-gen audit apply -c config.yaml \
--l2 path/to/instance.yaml \
--execute -o report.pdf
Override the period for a custom window:
recon-gen audit apply -c config.yaml \
--l2 path/to/instance.yaml \
--period 2026-04-01..2026-04-30 \
--execute -o april-report.pdf
The --period flag accepts several shapes: trailing:N for "last N
days ending yesterday" (default trailing:7), yesterday, today,
YYYY-MM-DD..YYYY-MM-DD for an explicit closed-closed range or a
single YYYY-MM-DD for a one-day report.
Verify a report's provenance against current source data:
recon-gen audit verify report.pdf -c config.yaml \
--l2 path/to/instance.yaml
The PDF auto-signs cryptographically when config.yaml carries
a signing: block. The reviewer attestation page also embeds two
empty signature widgets — your PDF reader can fill those in to
add your countersignature.
For integrators — automate the daily report
The audit report is meant to be generated DAILY by the same
scheduled job that runs the matview refresh after each ETL
load. Wire recon-gen audit apply --execute immediately
after recon-gen data refresh --execute in your cron /
Airflow / Prefect pipeline and write the PDF to a dated path,
so the compliance team always has yesterday's reconciliation
snapshot ready to hand off with no manual generate step.
For the full reference — what each section contains, the provenance recompute recipe, certificate creation instructions, how reviewer countersignatures work — see the Audit Reconciliation Report handbook.
The concepts you'll want grounded¶
- Open vs. closed loop — the system-boundary question shapes which transfers leave the institution's visibility entirely (and which become harder to trace beyond the institution's books).
- Vouchering — voucher → ACH materialization is a layering vector worth understanding when the Money Trail walks across one.
- Eventual consistency — why recent money trails may look incomplete; not all in-flight transfers have landed yet, and the picture stabilises after a settlement window.
What "good" looks like¶
After a few weeks of casework with Investigation:
- You're producing SAR evidence in single sittings, not multi-day research arcs.
- You're catching converging-anchor patterns (the fanout + spike + chain that point at the same account) without manually joining three reports.
- Your case files cite specific
transfer_idchains pulled from Money Trail, not paraphrased CSV exports. - When the regulator asks for the network shape behind a SAR, you screenshot the Account Network Sankey and attach.
That's the acceptance bar. The tool works when the institution's compliance team trusts the dashboard with the investigative loop end-to-end.