Skip to main content
This page lists all standard Tags available in FrankieOne Transaction and Activity Monitoring. Tags are the API-level concept. In the FrankieOne Portal, they are presented as Reasons. When you resolve an alert or classify an activity, you select one or more Tags (Reasons) to record the outcome. The available Reasons in the Portal are filtered by the status you select:
  • True Positive statuses (True Positive: Accept, True Positive: Reject) show the true positive Reasons listed below.
  • False Positive shows the false positive Reasons.
  • In Review shows the in review Reasons.
All Reasons are available regardless of alert category. For example, a fraud alert can be resolved with a money laundering Reason if the investigation supports it. Tags are managed by FrankieOne. You cannot create, rename, or delete Tags through the API. Only active Tags can be applied.

True Positive

True Positive Tags classify an activity or alert as confirmed or suspected fraudulent, suspicious, or high-risk. They are grouped by category.

Money laundering

TagReasonWhen to use
ML_CASH_STRUCTURINGCash structuring or opacityThe customer is splitting cash deposits or withdrawals to stay below thresholds, or cash is being handled to hide ownership or origin through mules, third-party deposits, or mixing of funds.
ML_LAYERINGLayeringAn account is being used as a pass-through or mule to move funds and hide their origin. This includes rapid in-out movement, circular flows, fan-in/fan-out patterns with unrelated counterparties, crypto on/off-ramp or stablecoin layering, cash-to-crypto conversion via ATMs or digital currency exchanges, and placement or layering through gambling channels.
ML_IDENTITY_CRIMEIdentity crimeA stolen or fake identity has been used to open accounts, access funds, or bypass controls.
ML_DECEPTIONDeception or misrepresentationFabricated or inconsistent documents have been used to make transactions look legitimate, the customer’s stated source of funds conflicts with the actual transactions, or trade payments don’t match business reality such as over/under invoicing or phantom shipments.
ML_FACILITATIONInsider or professional facilitationA staff member, trusted insider, or external professional is helping bypass controls, open accounts, or move funds.
ML_STRUCTURAL_CONCEALMENTStructural concealmentShells, trusts, nominees, or unjustified complexity are being used to hide beneficial owners or control. This includes entities with no real operations used as pass-throughs, trust accounts used to mix funds, and proceeds integrated through luxury goods, vehicles, real estate, or bullion inconsistent with the customer’s profile.
ML_DETECTION_AVOIDANCEDetection or sanctions avoidanceUnregulated channels, remitters, informal value transfer services, high-risk jurisdictions, or transaction patterns have been chosen to reduce visibility or circumvent sanctions outside the weapons of mass destruction or proliferation context.
ML_DRUG_PROCEEDSDrug trafficking proceedsFunds are linked to narcotics trafficking or drug-related criminal activity.
ML_CORRUPTIONCorruption or bribery proceedsFunds are linked to corruption, bribery, or politically exposed person abuse of public office.
ML_TAX_CRIMETax crime proceedsFunds are linked to tax evasion or tax fraud.
ML_CYBER_CRIMECyber-enabled crime proceedsProceeds of ransomware, business email compromise, or other cyber crime are being laundered. This covers the offender or proceeds side and is distinct from victim-facing scam or fraud codes.
ML_OTHER_PREDICATEOther predicate offenseFunds are linked to a designated predicate offense not covered by a specific code, including human trafficking, arms trafficking, environmental crime, kidnapping, or counterfeiting. Specify the predicate in case notes.

Fraud

TagReasonWhen to use
FR_UNAUTHORIZED_CARDUnauthorized card fraudThere is a confirmed unauthorized card transaction, whether online (card-not-present) or physical (skimming, counterfeit, lost/stolen, or intercepted in mail).
FR_IDENTITY_TAKEOVERIdentity takeoverSomeone’s identity has been captured and used to open accounts, credit lines, or products without their knowledge, or an account or product was opened through deception or misrepresentation at application.
FR_ACCOUNT_TAKEOVERAccount takeoverA legitimate account has been taken over using stolen or compromised credentials.
FR_MALWAREMalwareMalware has been used to access accounts or redirect transactions without the victim knowing.
FR_PORTINGPorting or SIM swapFraud resulted from phone number porting or a SIM swap.
FR_FIRST_PARTYFirst-party fraudThe customer intentionally disputes a legitimate transaction or claims it was unauthorized while they participated or benefited.
FR_PHISHINGPhishing-led fraudThe victim was tricked into revealing credentials, sharing information, or authorizing a payment through phishing.
FR_ELDER_ABUSEElder or vulnerable person abuseThere is evidence of financial exploitation of an elderly or vulnerable person by someone in a position of trust.

Scam

TagReasonWhen to use
SC_RELATIONSHIPRelationship scamThe victim authorized payments because of relationship manipulation.
SC_INVESTMENTInvestment scamThe victim authorized payments into a fake investment opportunity, including crypto schemes such as pig butchering, fake exchanges, or rug pulls.
SC_BUYING_SELLINGBuying or selling scamThe victim paid for goods or services that were never delivered or don’t exist.
SC_THREATS_EXTORTIONThreat or extortion scamThe victim authorized payment because of threats, coercion, extortion, or a ransomware demand.
SC_JOB_EMPLOYMENTJob or employment scamThe victim authorized payments for a fake job or guaranteed income. This may also involve mule recruitment.
SC_UNEXPECTED_MONEYUnexpected money or winningsThe victim paid an upfront fee or shared information to claim a fake prize or windfall.
SC_IMPERSONATIONImpersonation scamThe victim authorized payment or shared information because someone impersonated a trusted person or organization.
SC_PAYMENT_REDIRECTPayment redirectionA business was tricked into sending an invoice payment or urgent transfer to a fraudulent account.
SC_REMOTE_ACCESSRemote access scamThe victim installed remote-access software and was coached into transferring funds.

Terrorism financing

TagReasonWhen to use
TF_SELF_FUNDEDSelf-funding or supporter fundsA lone actor is self-funding, personal savings or small contributions from associates are being used to support terrorism, or outgoing transfers appear intended to support offshore terrorist organizations or affiliates.
TF_CHARITABLE_NPOCharitable or linked to NPODonations are presented as charity or mixed with legitimate displaced-person support but indicators suggest diversion to a terrorist nexus, or a non-profit organization appears set up, controlled, or exploited to support terrorist-linked individuals or organizations.
TF_ONLINE_ECOSYSTEMOnline funding ecosystemPayments are linked to social media fundraising, crowdfunding, communications platforms, or recruitment networks.
TF_INFORMAL_CHANNELSInformal or non-traditional channelsA de-risked actor or non-profit organization has shifted to cash couriering, hawala-like channels, unregistered remitters, or digital currency for raising, moving, or storing funds.
TF_CONDUIT_JURISDICTIONConduit jurisdictionFunds are sent to a neighboring or conduit country and then likely moved physically into a conflict zone.

Proliferation financing

TagReasonWhen to use
PF_PROCUREMENTProliferation procurementPayments or trade finance are linked to procurement of dual-use or proliferation-sensitive goods, use of unwitting suppliers where payments look normal but end-use or end-user is illicit, or a state-linked procurement network targeting suppliers or financial services.
PF_EVASIONProliferation evasionFunds are routed through third countries, trans-shipment hubs, front or shell entities, intermediaries, or professionals to hide the real parties or evade DPRK or Iran-related targeted financial sanctions. Also covers goods mislabeled or exported just under control or reporting thresholds to avoid export controls.

False Positive

False Positive Tags record that an alert was reviewed and determined to be genuine or low-risk.
TagReasonWhen to use
FP_NOT_SUSPICIOUSNot suspiciousThe activity is not suspicious for a reason not covered by the other false positive Reasons. This is also the default Reason when all true positive Reasons are removed from an activity.
FP_CONFIRMED_AUTHORIZEDCustomer confirmed authorizedThe customer explicitly confirms they authorized the transaction and the purpose is legitimate.
FP_PLAUSIBLE_SOFPlausible source of funds or wealthThe customer provides a credible source of funds or wealth that explains the activity.
FP_ACTIVITY_EXPLAINEDActivity explained by profileThe activity fits the known customer profile, risk appetite, established payee history, or declared business model.
FP_KNOWN_COUNTERPARTYKnown counterpartyThe counterparty identity is verified and the relationship or purpose is confirmed (for example, supplier, family, landlord).
FP_DOCUMENTARY_EVIDENCEDocumentary evidence matchesSupporting documents (invoice, contract, purchase order, settlement statement) match the payee, amount, goods or services, and timeline.
FP_CRYPTO_SUPPORTEDDeclared crypto activity supportedThe customer has declared crypto trading or investing and exchange records and source of funds support the activity.
FP_OWN_ACCOUNTSOwn-account transferTransfers are between the same beneficial owner’s accounts.
FP_REVERSED_VOIDEDPayment reversed or voidedThe alerted transaction was reversed or voided in the normal course of business.

In Review

In Review Tags record that an alert is under active investigation and a final decision has not been reached.
TagReasonWhen to use
IR_PENDING_CUSTOMER_INFOPending customer informationYou need to contact the customer, are waiting for documents, or incomplete or outdated KYC data prevents a clear decision.
IR_LAW_ENFORCEMENTLaw enforcementThe decision depends on law enforcement feedback, negative news, open-source intelligence, or external intelligence.
IR_REPORTING_DECISIONReporting decisionPending a decision on whether to file a suspicious activity report (SAR), suspicious matter report (SMR), or equivalent.
IR_LINKED_CASELinked alert or case pendingThe outcome depends on another active fraud, AML, or scam alert or case that hasn’t been finalized.
IR_SPECIALIST_ANALYSISSpecialist analysis in progressComplex funds-flow analysis, network or graph mapping, multi-entity payment chain analysis, mule pattern monitoring, or cross-channel activity review is being performed by a technical specialist before determining an outcome.
IR_INTERNAL_ESCALATIONInternal escalationThe alert has been escalated to a team leader, risk, or compliance team for review. This includes higher-risk countries, sanctions screening dependencies, complex customer structures, terrorism or proliferation financing red flags, internal misconduct indicators, scam coaching concerns, enhanced due diligence requirements, or borderline behavior needing policy clarification.
IR_AWAITING_EXTERNALAwaiting external outcomeYou are waiting on a response from another organization, payment provider, or card scheme, or waiting on the outcome of a funds recall, reversal, or recovery before deciding.
IR_VULNERABILITYCustomer vulnerability assessmentIndicators of vulnerability (age, disability, language, bereavement) require specialist review before the case can be resolved.