Cross-Case Pattern Detection (Pillar 3)
Automatic detection of suspicious patterns across compliance cases — entity overlap, structural motifs, temporal clusters, and risk trends.
Business Value
Individual case review misses systemic risk. Cross-Case Pattern Detection surfaces connections between cases that no single officer would see, identifying shell company networks, money laundering typologies, and coordinated fraud.
Architecture
Detectors (All Deterministic)
| Detector | Pattern | Example |
|---|---|---|
| Entity Overlap | Same entity across multiple cases | Director appears in 5 shell companies |
| Structural Motif | Known typology patterns | Phoenix company, circular ownership |
| Temporal Cluster | Suspicious timing | 10 companies registered same week |
| Risk Trend | Risk score trajectories | Sector-wide risk increase |
Alert Lifecycle
ACTIVE → ACKNOWLEDGED → DISMISSED (with reason) → RESOLVED
- EU AI Act Art. 12 compliant: Immutable evidence snapshots, mandatory dismiss reasons, full audit trail
- Deduplication: Same pattern_type + overlapping entities/cases = merged (not duplicated)
Key Components
pattern_engine.py— 4 detectors with configurable thresholdsalert_service.py— CRUD, deduplication, lifecycle managementpattern_alert.py— Data model with audit fieldsintelligence.py— 6 API endpointsRelatedIntelligenceCard.tsx— Case detail integrationintelligence/page.tsx— Intelligence Dashboard
API Endpoints
The intelligence router (app/api/intelligence.py, prefix /intelligence) is mounted under /api:
| Method | Path | Description |
|---|---|---|
| GET | /api/intelligence/alerts | List alerts (filterable) |
| GET | /api/intelligence/alerts/for-case/{workflow_id} | Alerts linked to a specific case |
| GET | /api/intelligence/alerts/{id} | Get alert details |
| PATCH | /api/intelligence/alerts/{id} | Lifecycle action — acknowledge or dismiss (dismiss requires a reason, EU AI Act Art. 14) |
| GET | /api/intelligence/stats | Aggregate alert / reliability statistics |
| GET | /api/intelligence/trends | Risk trend statistics |
Acknowledge and dismiss are a single PATCH endpoint driven by an action field, not separate POST routes. There is no separate resolve endpoint — the RESOLVED state in the lifecycle below is a model-level status, not a dedicated route.
Configuration
pattern_detection_enabled— Feature flag (default:true)- Alembic migration:
008_pattern_alerts