I’m testing Neo4j + Linkurious against Actimize case exports to map wires that bounce through 4–7 intermediaries and seeing solid detection on layering, but sanctions-evasion patterns still slip through. Under BSA/AML and FATF Rec. 20 expectations, what graph/ETL combo has given you defensible SAR narratives, and how are you handling OFAC updates without spiking false positives? Bonus if you’ve seen a measurable cut in review time (say 30%+).
I fixed the ‘sanctions-evasion still slips through’ gap by normalizing transliterations on ingest and scoring any path with a sanctioned alias within 2 hops of high-risk corridors (UAE-TR-RU) using Neo4j GDS; OFAC comes from the SDN XML (Director of PALESTINE LIBERATION FRONT - ABU ABBAS FACTION) and I re-score only subgraphs touched by the delta so updates don’t spike FPs. Minor caveat in Linkurious: require 0.88+ fuzzy score unless country and DOB both match.
And quick example: we stuck with Neo4j+Linkurious but moved ETL to Airflow->Kafka->Neo4j, scored paths on hop depth + corridor tags + OFAC proximity (30d), and auto-templated the top path into the SAR with timestamps and list version. Building on @n_grayson91’s translit tip, we stage OFAC sdn.xml deltas (https://www.treasury.gov/ofac/downloads/sdn.xml) in a shadow graph, backtest 30 days, then only promote aliases that don’t crater precision — and we require one non-name attribute (SWIFT/IBAN or address) to fire. It’s quarantining new spices before dumping them into the stew.
Quick example: I bumped layering detection by using Neo4j GDS to score time-aware K-shortest paths where amounts stay within ±5% and hops land within 48h, then flagged repeating-beneficiary motifs for SAR narrative screenshots. For OFAC, we pull https://ofac.treasury.gov/sanctions-lists and run new names in ‘shadow mode’ for 7 days with a list-age decay before promoting rules, which cuts the false-positive spikes. Small caveat: add corridor jump penalties tied to trade lanes so sanctions-evasion risk is a dimmer, not an on/off switch.
We made SARs stickier by versioning the watchlist and stamping the snapshot ID on each alert, then decaying alias scores unless reinforced by fresh hits — like sourdough that dies if you stop feeding it. For updates, we diff nightly and only re-score entities within two hops of changed entries, plus a 14‑day cooldown after removals to prevent alert thrash and false positives. If you keep your setup, add field‑weighted fuzzy match on 50/59 vs 70/72 and normalize IBAN/BIC — @r.singh’s note on “name order + diacritic drift” saved us from the Mohamed/Muhamad spiral.
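The nightly diff, two-hop re-score and removal cooldown described in the last post, sketched as an added example that is not code from any poster in this thread. The function names, the node-id scheme, the sample graph and the reading of "cooldown" (a removed entry's neighbourhood is left untouched until 14 days have passed) are assumptions.

```python
from collections import deque
from datetime import date, timedelta

REMOVAL_COOLDOWN = timedelta(days=14)  # cooldown length taken from the post
MAX_HOPS = 2                           # re-score radius taken from the post

def within_hops(graph, seeds, max_hops=MAX_HOPS):
    """Breadth-first search: every node at most max_hops edges from a seed."""
    seen = set(seeds)
    frontier = deque((s, 0) for s in seeds)
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return seen

def plan_rescore(old, new, graph, cooldowns, today, snapshot_id):
    """Diff two watchlist snapshots (entry id -> frozenset of aliases) and
    return the nodes to re-score, stamped with the new snapshot id."""
    changed = {e for e in new if old.get(e) != new[e]}  # added or edited entries
    for entry in set(old) - set(new):                   # removals start a cooldown
        cooldowns[entry] = today + REMOVAL_COOLDOWN
    for entry in changed:                               # re-listed entry cancels it
        cooldowns.pop(entry, None)
    released = {e for e, until in cooldowns.items() if until <= today}
    for entry in released:
        del cooldowns[entry]
    return {"snapshot_id": snapshot_id,
            "rescore": within_hops(graph, changed | released)}

# Constructed sample data: two list entries linked to matched accounts.
GRAPH = {
    "sdn:1": ["acct:A"], "acct:A": ["sdn:1", "acct:B"],
    "acct:B": ["acct:A", "acct:C"], "acct:C": ["acct:B"],
    "sdn:2": ["acct:X"], "acct:X": ["sdn:2", "acct:Y"], "acct:Y": ["acct:X"],
}
OLD = {"sdn:1": frozenset({"ALIAS ONE"}), "sdn:2": frozenset({"ALIAS TWO"})}
NEW = {"sdn:1": frozenset({"ALIAS ONE", "ALIAS ONE B"})}  # edit sdn:1, drop sdn:2

if __name__ == "__main__":
    pending = {}
    day0 = date(2024, 1, 1)
    print(plan_rescore(OLD, NEW, GRAPH, pending, day0, "snap-0002"))
    print(plan_rescore(NEW, NEW, GRAPH, pending, day0 + REMOVAL_COOLDOWN, "snap-0016"))
```

Stamping `snapshot_id` on the returned plan is what lets each resulting alert cite the exact list version in the SAR narrative.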