A sanctions case note is the written record of why an alert was cleared, escalated, or blocked. Most programs spend their setup effort on matching logic and list coverage, and leave the note as a free-text box the analyst fills however they like. The note decides whether the program can defend its decisions later. Reviewed and cleared is a claim, not evidence.

The difference shows up in an audit. A program with structured notes can produce the full record for any sampled alert in minutes. A program with free-text notes and screenshots on a shared drive can spend forty minutes rebuilding a single case.

Writing the note is the last step of resolution, and resolution is where most screening programs are thin.

The Audit Moment Every Case Note Must Survive

Sooner or later, an auditor pulls one cleared alert from the pile and asks four questions. What information did the analyst have? What sources were checked? What reasoning was applied? What decision was made?

These questions matter because the auditor was not in the room. Months or years have passed. The analyst may have left the company. The only thing that can answer the decision is the record left behind.

In interviews with trade compliance teams at European industrial companies, the same pattern repeats. Decisions live in the screening tool, evidence in screenshots on a shared drive, reasoning in an email thread or nowhere. When the audit lands, the team reconstructs each sampled case across three or four systems. One aviation maintenance provider reported that its auditors reject screenshots outright and accept only system-generated records.

The note is written once, at the moment of decision. It is read later, by someone who must judge that decision. That reader sets the standard, and what auditors look for in a sanctions program is the reasoning, not the activity around it.

What Is the Difference Between an Audit Trail and a Case Note?

An audit trail is the system's record of events. It logs the timestamp, the user, the list version, and the workflow steps: alert opened, alert closed. Screening tools generate it automatically, and it answers the question of what happened.

A case note is the analyst's record of judgment. It holds the evidence considered, the comparison made, the reasoning applied, and the conclusion reached. A tool can pre-fill the evidence and the sources. It should not treat the note as fully automatic, because the judgment has to be reviewed and owned by the company. It answers the question of why the outcome was allowed to happen.

A missing trail entry is a system gap. A missing note is an unexplained decision.

Both records must also be kept, and the retention obligations are long. EU Best Practices expect operators to assess whether a match is genuinely the designated person or entity before proceeding. That assessment has to be recorded, because the later question is not only what the tool returned, but why the team concluded the match could be cleared. That word, clear, is a reasoning standard: the operator has to be able to show what made it clear. On the US side, 31 CFR 501.601 requires persons engaging in transactions subject to OFAC rules to keep full and accurate records, generally available for examination for at least ten years.

The trail proves you looked. The note proves you thought.

What Four Questions Must the Record Answer?

The four audit questions map directly onto four parts of a complete note. Treat them as the test every note must pass before the case is closed.

What information did the analyst have? The note states the input: the business partner's name, address, registration data, and the candidate listing the system matched it against, with the match score and list version.

What sources were checked? The note names each source consulted and what it returned: a corporate registry entry, the company website, an ownership database, a search in the local language. Naming the source matters as much as the finding, because a reader reviewing the decision at a later point must judge whether the check was adequate.

What reasoning was applied? The note connects the evidence to the conclusion. The date of birth differs, the registered address sits in a different country, the ownership chain contains no listed person. Most free-text notes do not contain this reasoning.

What decision was made? The note states the outcome, who made it, and when. Cleared as a false positive. Escalated for legal review. Held pending information from the business partner.

A note that answers all four questions survives the audit without its author. A note that answers none of them is a signature on a blank page.

What Does a Defensible Case Note Contain?

The easiest way to see the standard is to compare a weak note and a strong note for the same case. The scenario below is drawn from validation interviews with trade compliance practitioners; the pattern came up repeatedly for business partners in Central Asian jurisdictions.

Take a machinery distributor registered in Uzbekistan. The screening run returns a name-similarity match against an entity listed under the EU's Russia measures. The analyst investigates and clears it.

The weak note reads: "Reviewed. Not the listed entity. Cleared." Three sentences, thirty seconds, and it answers none of the four questions.

The strong note has four labelled parts.

Evidence: Input entity is a machinery distributor, registered in Tashkent, Uzbekistan in 2014, matched at 87% name similarity against the listed entity. List version of 12 May. Registration numbers do not match.

Sources: National corporate registry extract dated 14 May. Company website, active since 2015, consistent with stated machinery trade. Local-language and Russian web search for links to the listed entity and to military procurement: no results connecting the two. Ownership record shows two local individual shareholders, neither listed.

Reasoning: The name overlap comes from a shared generic industry term. Registration number, founding date, ownership, and business activity all diverge from the listed entity. No indicator of a relationship to the listed entity or to sanctioned procurement networks was found in any source checked.

Decision: Cleared as a false positive on 14 May by the reviewing analyst; second review completed the same day.

The strong note takes perhaps five minutes longer to write. Those five minutes are the entire difference between a defensible decision and an assertion. The research behind the note is separate work: the registry checks, the website review, the searches in other languages. The manual research work behind every alert is where most of the investigation time goes.

The Hardest Note: A Real Match With No Action Required

Some matches are genuine and still may require no current action from your company. The identity is confirmed, but the listing sits on a regime that does not regulate your transaction, or the business predates the designation date. Most tools offer only two closing statuses, false positive or true positive, so this third case has no honest button. Why a confirmed match does not always require action, and what clearing one incorrectly does to your records, is a problem large enough to have its own article.

For documentation, the consequence is direct. This is the one case where the reasoning is the entire decision. There is no identity mismatch to point at. The note must carry the basis for the decision: which list, which regime, which nexus, which dates, and who reviewed the conclusion.

If your note structure cannot hold that analysis, the hardest decisions in your program are the ones with the weakest records.

Thin Notes Are a System Problem, Not a People Problem

Analysts do not write thin notes because they are lazy. They write thin notes because the volume makes anything else feel impossible.

Run the numbers. A mid-sized program handling 300 alerts a month, at eight minutes of investigation each, already spends 40 hours a month on resolution. Documentation is the last step of every one of those investigations, performed when the next alert is already waiting. Under that pressure the note is the first thing to shrink. The investigation still happens; the record of it does not.

So the fix is structural, not motivational.

A free-text box invites three words. When the note template pre-builds or asks for evidence, sources, reasoning, and decision by name, a thin note becomes visible as an empty field instead of hiding as a short sentence. The steps before the note follow a consistent shape, and the investigation workflow after a sanctions alert shows where each field's content is produced.

Telling analysts to write more does not improve compliance. Changing what the system asks for changes what gets written.

What Does Consistency Across Analysts Require?

An auditor rarely reads one note. They read a sample and compare. Put two notes from the same program side by side: one carries evidence, sources, and reasoning; the other says "checked, ok". Both alerts may have been handled correctly. The record still shows a program where the outcome depends on who was on shift.

The fix is three shared habits. Every source check follows the same evidence standard, so a registry check means the same check for everyone. Reasoning runs in the same order, from evidence to conclusion. And the decision labels, cleared, escalated, held, mean one thing for the whole team.

Small teams object: they know their cases, and structure feels like bureaucracy. But audits do not sample by team size. When the analyst who knew the case leaves, the structure is what remains.

The Decision You Cannot Explain

A screening program produces two things: decisions and records of decisions. The first keeps the business moving. The second keeps the first defensible. One number tracks the whole system: the time from a list update to a documented decision.

Everything above reduces to one habit. Before a case is closed, the note answers the four questions: what information, what sources, what reasoning, what decision. The audit trail will confirm when it happened. Only the note can confirm why it was right.

Reviewed and cleared is a claim, not evidence. The claim satisfies the workflow. The evidence satisfies the auditor. A decision you cannot explain is a decision you cannot defend, no matter how correct it was.