# **Agricultural Bank of China NY Branch - Suspicious Activity Report (SAR) Generator Using GenAI**

### **Created by:** Aditya Gupta, Miranda Montenegro, Rui Yang, Xianghan Zhu

----

For easier readibility this notebook has been formatted into 4 main sections as per below:
* **Configuration Steps:** This section contains all related configuration steps from database creation to querying the data, creating the prompt and any function required for greater automation of the SAR Creation process. 
* **SAR Generation - Alert Narrative 1:** Using both Llama 3.3 and DeepSeek R-1, this section will focus on creating the SAR Narratives based on SAR Alert Narrative 1 and will also use 3 different temperatures per model to compare outputs. 
* **SAR Generation - Alert Narrative 2:** Using both Llama 3.3 and DeepSeek R-1, this section will focus on creating the SAR Narratives based on SAR Alert Narrative 2 and will also use 3 different temperatures per model to compare outputs. 
* **SAR Generation - Alert Narrative 3:** Using both Llama 3.3 and DeepSeek R-1, this section will focus on creating the SAR Narratives based on SAR Alert Narrative 3 and will also use 3 different temperatures per model to compare outputs. 

---- 

# **Configuration Steps**

### Necessary Installations for this Section

In [1]:
#Pip installation only needs to be run once
!pip install sqlalchemy psycopg2-binary
!pip install langchain faiss-cpu sentence-transformers docx2txt
!pip install -U langchain-community
!pip install python-docx
!pip install boto3
!pip install awscli

Collecting langchain-community
  Downloading langchain_community-0.3.21-py3-none-any.whl.metadata (2.4 kB)
Collecting langchain-core<1.0.0,>=0.3.51 (from langchain-community)
  Downloading langchain_core-0.3.51-py3-none-any.whl.metadata (5.9 kB)
Collecting langchain<1.0.0,>=0.3.23 (from langchain-community)
  Downloading langchain-0.3.23-py3-none-any.whl.metadata (7.8 kB)
Collecting langchain-text-splitters<1.0.0,>=0.3.8 (from langchain<1.0.0,>=0.3.23->langchain-community)
  Downloading langchain_text_splitters-0.3.8-py3-none-any.whl.metadata (1.9 kB)
Downloading langchain_community-0.3.21-py3-none-any.whl (2.5 MB)
   ---------------------------------------- 0.0/2.5 MB ? eta -:--:--
   ---------------------------------------- 2.5/2.5 MB 29.0 MB/s eta 0:00:00
Downloading langchain-0.3.23-py3-none-any.whl (1.0 MB)
   ---------------------------------------- 0.0/1.0 MB ? eta -:--:--
   ---------------------------------------- 1.0/1.0 MB 24.2 MB/s eta 0:00:00
Downloading langchain_core-0.3

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
open-webui 0.5.14 requires langchain==0.3.7, but you have langchain 0.3.23 which is incompatible.
open-webui 0.5.14 requires langchain-community==0.3.7, but you have langchain-community 0.3.21 which is incompatible.
open-webui 0.5.14 requires sentence-transformers==3.3.1, but you have sentence-transformers 3.4.1 which is incompatible.


Collecting awscli
  Downloading awscli-1.38.33-py3-none-any.whl.metadata (11 kB)
Collecting botocore==1.37.33 (from awscli)
  Downloading botocore-1.37.33-py3-none-any.whl.metadata (5.7 kB)
Collecting s3transfer<0.12.0,>=0.11.0 (from awscli)
  Downloading s3transfer-0.11.4-py3-none-any.whl.metadata (1.7 kB)
Collecting rsa<4.8,>=3.1.2 (from awscli)
  Downloading rsa-4.7.2-py3-none-any.whl.metadata (3.6 kB)
Downloading awscli-1.38.33-py3-none-any.whl (4.7 MB)
   ---------------------------------------- 0.0/4.7 MB ? eta -:--:--
   ---------------------------------------- 4.7/4.7 MB 35.2 MB/s eta 0:00:00
Downloading botocore-1.37.33-py3-none-any.whl (13.5 MB)
   ---------------------------------------- 0.0/13.5 MB ? eta -:--:--
   ----------------------------- ---------- 10.0/13.5 MB 44.3 MB/s eta 0:00:01
   ---------------------------------------- 13.5/13.5 MB 38.4 MB/s eta 0:00:00
Downloading rsa-4.7.2-py3-none-any.whl (34 kB)
Downloading s3transfer-0.11.4-py3-none-any.whl (84 kB)
Instal

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
aiobotocore 2.12.3 requires botocore<1.34.70,>=1.34.41, but you have botocore 1.37.33 which is incompatible.
boto3 1.35.53 requires botocore<1.36.0,>=1.35.53, but you have botocore 1.37.33 which is incompatible.
boto3 1.35.53 requires s3transfer<0.11.0,>=0.10.0, but you have s3transfer 0.11.4 which is incompatible.
open-webui 0.5.14 requires langchain==0.3.7, but you have langchain 0.3.23 which is incompatible.
open-webui 0.5.14 requires langchain-community==0.3.7, but you have langchain-community 0.3.21 which is incompatible.
open-webui 0.5.14 requires sentence-transformers==3.3.1, but you have sentence-transformers 3.4.1 which is incompatible.


### Importing Necessary Modules for this Section

In [3]:
import psycopg2
import pandas as pd
from sqlalchemy import create_engine
from langchain.vectorstores import FAISS
from langchain.embeddings import HuggingFaceEmbeddings
from langchain.docstore.document import Document
import docx2txt
import os
import re
from langchain.schema import Document
import boto3
import botocore.session
import json

## **Database Creation**

### Setting Up the Connection to PostgreSQL

In [7]:
#Connecting to PostgreSQL Database
conn = psycopg2.connect(
    dbname="aml_database",
    user="postgres",
    password="8A208adi@1",  # Fill in your password here
    host="localhost"
)
cursor = conn.cursor()

#Testing the connection
cursor.execute("SELECT version();")
print(cursor.fetchone())

#Close the connection
cursor.close()
conn.close()

('PostgreSQL 17.4 on x86_64-windows, compiled by msvc-19.42.34436, 64-bit',)


### Creating the Four Tables

In [10]:
#Reestablishing a connection
conn = psycopg2.connect(
    dbname="aml_database",
    user="postgres",
    password="8A208adi@1",
    host="localhost"
)
cursor = conn.cursor()

#Create tables function, ensuring to drop any previously created tables with the same name
create_tables= '''

DROP TABLE IF EXISTS Transaction;
DROP TABLE IF EXISTS Alert;
DROP TABLE IF EXISTS Account;
DROP TABLE IF EXISTS Customer;

-- Customer Table
CREATE TABLE Customer (
    customer_id VARCHAR(20) PRIMARY KEY,
    customer_type VARCHAR(20) NOT NULL,
    customer_name VARCHAR(100) NOT NULL,
    customer_line_of_business VARCHAR(100) NOT NULL,
    customer_expected_products TEXT NOT NULL,
    customer_expected_geographies TEXT NOT NULL,
    customer_incorporation_residence_country TEXT NOT NULL
);

-- Account Table
CREATE TABLE Account (
    account_id VARCHAR(20) PRIMARY KEY,
    customer_id VARCHAR(20) REFERENCES Customer(customer_id) ON DELETE CASCADE NOT NULL,
    date_of_opening DATE NOT NULL,
    expected_incoming_activity NUMERIC(15,2) NOT NULL,
    expected_outgoing_activity NUMERIC(15,2) NOT NULL
);

-- Alert Table
CREATE TABLE Alert (
    detection_id VARCHAR(20) NOT NULL,
    alert_id VARCHAR(20) NOT NULL,
    alert_date DATE NOT NULL,
    customer_id VARCHAR(20) REFERENCES Customer(customer_id) ON DELETE SET NULL,
    rule_name VARCHAR(255) NOT NULL,
    alerted_transactions VARCHAR(20) NOT NULL,
    false_positive_true_positive VARCHAR(20) NOT NULL,
    alert_narrative TEXT,
    PRIMARY KEY (detection_id, alerted_transactions)  -- Composite Primary Key
);

-- Transaction Table
CREATE TABLE Transaction (
    transaction_id VARCHAR(20) PRIMARY KEY,
    transaction_date DATE NOT NULL,
    transaction_type VARCHAR(100) NOT NULL,
    customer_id VARCHAR(20) REFERENCES Customer(customer_id) ON DELETE SET NULL,
    account_id VARCHAR(20) REFERENCES Account(account_id) ON DELETE CASCADE NOT NULL,
    incoming_outgoing VARCHAR(20) CHECK (incoming_outgoing IN ('Incoming', 'Outgoing')) NOT NULL,
    amount NUMERIC(15,2) NOT NULL,
    originator VARCHAR(100) NOT NULL,
    originator_country VARCHAR(10) NOT NULL,
    beneficiary VARCHAR(100) NOT NULL,
    beneficiary_country VARCHAR(10) NOT NULL
);
'''

#Execute the SQL statement to create the table
cursor.execute(create_tables)
conn.commit()
print("All tables created successfully!")

#Close the connection
cursor.close()
conn.close()

All tables created successfully!


### Importing Four Local CSV Files Into Database

In [13]:
#Reestablishing a connection
conn = psycopg2.connect(
    dbname="aml_database",
    user="postgres",
    password="8A208adi@1",
    host="localhost"
)
cursor = conn.cursor()

# ------------------- 1. Import Customer table ------------------- #
print("Starting import of Customer data...")
customer_df = pd.read_csv("/Users/addro/Downloads/ABC/Customer Table.csv")

#Remove duplicate customer_id within the CSV itself
customer_df = customer_df.drop_duplicates(subset=["Customer ID"])

for _, row in customer_df.iterrows():
    cursor.execute(
        """INSERT INTO Customer (customer_id, customer_type, customer_name, customer_line_of_business, 
                                 customer_expected_products, customer_expected_geographies, customer_incorporation_residence_country) 
           VALUES (%s, %s, %s, %s, %s, %s, %s)
           ON CONFLICT (customer_id) DO NOTHING""",  # <- Skip if exists
        (row["Customer ID"], row["Customer Type"], row["Customer Name"], row["Customer Line of Business"], 
         row["Customer Expected Products"], row["Customer Expected Geographies"], row["Customer Incorporation/Residence Country"])
    )

conn.commit()
print("Customer data import completed!")

# ------------------- 2. Import Account table ------------------- #
print("\nStart importing Account data...")
account_df = pd.read_csv("/Users/addro/Downloads/ABC/Account Table.csv")
#Remove duplicate account_id
account_df = account_df.drop_duplicates(subset=["Account ID"])

#Import only customer_ids that exist in the Customer table
cursor.execute("SELECT customer_id FROM Customer")
valid_customers = {row[0] for row in cursor.fetchall()}

for _, row in account_df.iterrows():
    if row["Customer ID"] in valid_customers:
        cursor.execute(
            "INSERT INTO Account (account_id, customer_id, date_of_opening, expected_incoming_activity, expected_outgoing_activity) VALUES (%s, %s, DATE '1900-01-01' + INTERVAL '1 day' * %s, %s, %s) ON CONFLICT (account_id) DO NOTHING",
            (row["Account ID"], row["Customer ID"], row["Date of Opening"], row["Expected Incoming Activity"], row["Expected Outgoing Activity"])
        )
conn.commit()
print("Account data import completed!")

# ------------------- 3. Import Alert table ------------------- #
print("\nStart importing Alert data...")
alert_df = pd.read_csv("/Users/addro/Downloads/ABC/Alert Table.csv")

#Convert Alert Date from Excel Serial Date format to YYYY-MM-DD
alert_df["Alert Date"] = pd.to_datetime(alert_df["Alert Date"], origin="1899-12-30", unit="D")

for _, row in alert_df.iterrows():
    customer_id = row["Customer ID"] if pd.notna(row["Customer ID"]) and row["Customer ID"] in valid_customers else None

    cursor.execute(
        """INSERT INTO Alert (detection_id, alert_id, alert_date, customer_id, rule_name, alerted_transactions, 
                              false_positive_true_positive, alert_narrative) 
           VALUES (%s, %s, %s, %s, %s, %s, %s, %s) 
           ON CONFLICT (detection_id, alerted_transactions) DO NOTHING""",  
        (row["Detection ID"], row["Alert ID"], row["Alert Date"].date(), customer_id, row["Rule Name"],
         row["Alerted Transactions per Detection"], row["False Positive / True Positive"], row["Alert Narrative"])
    )

conn.commit()
print("Alert data import completed!")

# ------------------- 4. Import Transaction table ------------------- #

#Load Transaction CSV
transaction_df = pd.read_csv("/Users/addro/Downloads/ABC/Transaction Table.csv")

#Fix: Convert Excel Serial Date to YYYY-MM-DD
transaction_df["Transaction Date"] = pd.to_datetime(transaction_df["Transaction Date"], origin="1899-12-30", unit="D")

print("\nStart importing transaction data...")

#Remove duplicate transaction_id
transaction_df = transaction_df.drop_duplicates(subset=["Transaction ID"])

#Get a valid customer_id and account_id
cursor.execute("SELECT customer_id FROM Customer")
valid_customers = {row[0] for row in cursor.fetchall()}

cursor.execute("SELECT account_id FROM Account")
valid_accounts = {row[0] for row in cursor.fetchall()}

for _, row in transaction_df.iterrows():
    customer_id = row["Customer ID"] if pd.notna(row["Customer ID"]) and row["Customer ID"] in valid_customers else None
    account_id = row["Account"] if pd.notna(row["Account"]) and row["Account"] in valid_accounts else None

    if account_id is not None:  # account_id is required because it is a foreign key
        #Make sure all None are handled correctly
        transaction_values = (
            row["Transaction ID"],
            row["Transaction Date"],
            row["Transaction Type"],
            customer_id,
            account_id,
            row["Incoming/Outgoing"] if pd.notna(row["Incoming/Outgoing"]) else None,
            row["Amount"] if pd.notna(row["Amount"]) else 0,  # If the numeric column is empty, replace it with 0, or use None as needed
            row["Originator"] if pd.notna(row["Originator"]) else None,
            row["Originator Country"] if pd.notna(row["Originator Country"]) else None,
            row["Beneficiary"] if pd.notna(row["Beneficiary"]) else None,
            row["Beneficiary Country"] if pd.notna(row["Beneficiary Country"]) else None
        )

        cursor.execute(
            "INSERT INTO Transaction (transaction_id, transaction_date, transaction_type, customer_id, account_id, incoming_outgoing, amount, originator, originator_country, beneficiary, beneficiary_country) "
            "VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)"
            "ON CONFLICT (transaction_id) DO NOTHING",
            transaction_values
        )

conn.commit()
print("Transaction data import completed!")

#Close the database connection
cursor.close()
conn.close()
print("\nAll data has been successfully imported into the database!")

Starting import of Customer data...
Customer data import completed!

Start importing Account data...
Account data import completed!

Start importing Alert data...
Alert data import completed!

Start importing transaction data...
Transaction data import completed!

All data has been successfully imported into the database!


### Confirming Data Was Successfully Imported

In [15]:
from sqlalchemy import create_engine
import urllib.parse
import pandas as pd

# Properly encode special characters in the password
db_user = "postgres"
db_password = urllib.parse.quote_plus("8A208adi@1")  # Encode special characters
db_host = "localhost"
db_name = "aml_database"

engine = create_engine(f"postgresql+psycopg2://{db_user}:{db_password}@{db_host}/{db_name}")

In [17]:
#View the Customer Table
print("\nViewing data from the Customer table...")
query = "SELECT * FROM Customer LIMIT 10;"
df_customer = pd.read_sql(query, engine)
display(df_customer)

#View the Account Table 
print("\nViewing data from the Account table...")
query = "SELECT * FROM Account LIMIT 10;"
df_account = pd.read_sql(query, engine)
display(df_account)

#View the Alert Table 
print("\nViewing data from the Alert table...")
query = "SELECT * FROM Alert LIMIT 10;"
df_alert = pd.read_sql(query, engine)
display(df_alert)

#View the Transaction Table 
print("\nViewing data of Transaction table...")
query = "SELECT * FROM Transaction LIMIT 10;"
df_transaction = pd.read_sql(query, engine)
display(df_transaction)

print("\nThe data of all tables has been successfully displayed!")


Viewing data from the Customer table...


Unnamed: 0,customer_id,customer_type,customer_name,customer_line_of_business,customer_expected_products,customer_expected_geographies,customer_incorporation_residence_country
0,C-1,Individual,John Diamond,Manufacturing,ACH; Wire,US,US
1,C-2,Business,RDF Plumbing,Plumbing Services,ACH; Wire; Cash Deposit; Internal Transfer,US,US
2,C-3,Individual,Kyle Strong,Service Industry,ACH; Wire; Cash Deposit; Internal Transfer,US; HK,HK
3,C-4,Business,JDF Industries,Oil refinement,ACH; Wire,US; SA,US



Viewing data from the Account table...


Unnamed: 0,account_id,customer_id,date_of_opening,expected_incoming_activity,expected_outgoing_activity
0,ACC-1,C-1,1980-03-03,100000.0,10000.0
1,ACC-2,C-2,2010-01-03,200000.0,200000.0
2,ACC-3,C-2,2024-02-17,200000.0,200000.0
3,ACC-4,C-3,2024-09-03,2000.0,2000.0
4,ACC-5,C-4,2007-07-04,10000000.0,10000000.0



Viewing data from the Alert table...


Unnamed: 0,detection_id,alert_id,alert_date,customer_id,rule_name,alerted_transactions,false_positive_true_positive,alert_narrative
0,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-1,True Positive,No reasonable explanation for customer activit...
1,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-2,True Positive,No reasonable explanation for customer activit...
2,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-3,True Positive,No reasonable explanation for customer activit...
3,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-4,True Positive,No reasonable explanation for customer activit...
4,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-5,True Positive,No reasonable explanation for customer activit...
5,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-6,True Positive,No reasonable explanation for customer activit...
6,A-1-1,A-1,2024-10-01,C-1,Cash Structuring $10k,T-7,True Positive,No reasonable explanation for customer activit...
7,A-1-2,A-1,2024-10-01,C-1,Cash Structuring $10k,T-7,True Positive,No reasonable explanation for customer activit...
8,A-1-2,A-1,2024-10-01,C-1,Cash Structuring $10k,T-8,True Positive,No reasonable explanation for customer activit...
9,A-1-2,A-1,2024-10-01,C-1,Cash Structuring $10k,T-9,True Positive,No reasonable explanation for customer activit...



Viewing data of Transaction table...


Unnamed: 0,transaction_id,transaction_date,transaction_type,customer_id,account_id,incoming_outgoing,amount,originator,originator_country,beneficiary,beneficiary_country
0,T-1,2024-09-02,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
1,T-2,2024-09-03,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
2,T-3,2024-09-04,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
3,T-4,2024-09-05,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
4,T-5,2024-09-06,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
5,T-6,2024-09-07,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
6,T-7,2024-09-08,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
7,T-8,2024-09-09,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
8,T-9,2024-09-10,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US
9,T-10,2024-09-11,Cash Deposit,C-1,ACC-1,Incoming,9000.0,John Diamond,US,John Diamond,US



The data of all tables has been successfully displayed!


In [19]:
engine.dispose()
print("\nDatabase connection closed.")


Database connection closed.


## **Creation of RAG With 3 Alert Narratives Files**

### Loading in the 3 Alert Narrative Files

In [21]:
#Loading the narrative document into a list
doc_paths = [
    "/Users/addro/Downloads/ABC/A-1 Alert Narrative.docx",
    "/Users/addro/Downloads/ABC/A-2 Fake Alert Narrative.docx",
    "/Users/addro/Downloads/ABC/A-5 Fake Alert Narrative.docx"
]

### Combining the 3 Alert Narrative Files

In [24]:
#Cleaning the documents and combining them into a single document
documents = []
for path in doc_paths:
    text = docx2txt.process(path)
    chunks = [chunk.strip() for chunk in text.split('\n\n') if len(chunk.strip()) > 50]
    for chunk in chunks:
        documents.append(Document(page_content=chunk))

#Build embedding model
embedding_model = HuggingFaceEmbeddings(model_name="all-MiniLM-L6-v2")

#Build FAISS index
vectorstore = FAISS.from_documents(documents, embedding_model)

  embedding_model = HuggingFaceEmbeddings(model_name="all-MiniLM-L6-v2")





## **Generating the Prompt**

This is the prompt that will be used by the LLM model to generate the SAR. The placeholder sections detailed by text between {} will be completed with data retrieved by a query from the database.

In [26]:
sar_generation_prompt = """
You are a compliance analyst at LLM Bank New York Branch ("LLM NY"). Based on the following structured data and previous similar cases, write a Suspicious Activity Report ("SAR") in professional, regulatory tone, strictly following the format and style used by LLM NY.

---
[1] STANDARD INTRODUCTORY STATEMENT
Please start the report with the following sentence, replacing placeholders with actual data:
"LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number {alert_id_str}) to report {transaction_count} transaction(s) totaling ${total_amount} and sent between {start_date} and {end_date}."

---
[2] TRANSACTION SUMMARY
Write one or more detailed paragraphs describing the transactions, covering:
- Date of transaction
- Amount
- Direction (incoming/outgoing)
- Originator and beneficiary names
- Account IDs involved
- Jurisdictions or countries involved
- Abnormal patterns if any (e.g., round dollar amounts, rapid movement, mirror transactions)
Use short and specific sentences for each transaction. Please write these transactions in chronological order, using short declarative sentences. Avoid repeating identical transaction details unless necessary.

---
[3] CUSTOMER PROFILE (KYC) AND RELATIONSHIP ANALYSIS
Describe the customer using internal KYC data. Include:
- Legal Name
- Line of business or occupation
- Place of incorporation or residency
- DOB, SSN, address (if available)
Then evaluate if the customer has any legitimate relationship to counterparties or transaction patterns.
If external or internal research found no connection, state so clearly.
If KYC information is incomplete, explicitly state the missing fields and their implications.

---
[4] SUSPICIOUS ACTIVITY REASONS
Please introduce this section with:
"These transactions are being reported due to the following:"
Then list each reason as a numbered item.
You may use these types of reasons:
- No apparent economic or business purpose
- Possible shell company or funnel account
- Unusual transaction patterns
- High-risk jurisdiction involvement
- Lack of identifiable relationship between entities
- Cash structuring
- Round dollar amounts or mirror wires

---
[5] CLOSING STATEMENT
Conclude the SAR with this standardized paragraph:
"This SAR pertains to LLM NY Case No. {alert_id_str}. For inquiries, please contact Donald J. Orange, Chief Compliance Officer and Chief BSA/AML Officer (646-555-5555 or donaldjorange@llmbank.com) or Alyn Mask, General Counsel (646-666-6666 or alynmask@llmbank.com). All supporting documentation is maintained by the Financial Crime Compliance Department at LLM NY."
If any placeholder value is missing, do not guess. Replace with "REDACTED" or skip the sentence.

---
[DATA FOR THIS SAR REPORT]
Customer Name: {customer_name}
Customer ID: {customer_id}
Incorporation Country: {customer_country}
Line of Business: {line_of_business}
Account ID(s): {account_ids}
Transaction Date Range: {start_date} to {end_date}
Transaction Count: {transaction_count}
Total Amount: ${total_amount}
Key Transactions:
{transaction_summary}
KYC Information:
{kyc_info}

Alert Narrative Summary (from analyst or RAG):
{alert_narrative}

Similar Case Insights from Retrieval System:
{similar_cases_text}

Now, using the above data and format requirements, write a complete SAR narrative.
""".strip()

## **Defining the Function to Query the Database and FAISS**

The function below has been defined to be able to both:
1. Query the data in the dataset to be able to place it in the placeholders defined in the prompt.
2. Call on the RAG generated in the previous section to retrieve similar cases from FAISS to improve the syntax of the responses.

In [27]:
def build_prompt_variables(customer_id: str, conn, vectorstore, k: int = 3) -> dict:
    #Read all data tables
    alert_df = pd.read_sql("SELECT * FROM Alert", conn)
    txn_df = pd.read_sql("SELECT * FROM Transaction", conn)
    customer_df = pd.read_sql("SELECT * FROM Customer", conn)
    account_df = pd.read_sql("SELECT * FROM Account", conn)

    #Get the target alert record (possibly multiple detections)
    alert_subset = alert_df[alert_df["customer_id"] == customer_id]

    #Merge all transaction_id
    all_txn_ids = set()
    for txns in alert_subset["alerted_transactions"]:
        all_txn_ids.update([x.strip() for x in txns.split(",")])

    #Get relevant transaction data
    txn_rows = txn_df[txn_df["transaction_id"].isin(all_txn_ids)].copy()
    txn_rows["transaction_date"] = pd.to_datetime(txn_rows["transaction_date"])
    txn_rows.sort_values("transaction_date", inplace=True)

    #Obtaining customer and account information
    #customer_id = alert_subset["customer_id"].iloc[0]
    customer = customer_df[customer_df["customer_id"] == customer_id].iloc[0]
    accounts = account_df[account_df["customer_id"] == customer_id]
    account_ids_list = accounts["account_id"].tolist()

    alert_id_str = f"2025-{int(customer_id.split('-')[1]):04d}"

    #Time and amount statistics
    transaction_count = len(txn_rows)
    total_amount = txn_rows["amount"].sum()
    start_date = txn_rows["transaction_date"].min().strftime("%m/%d/%Y")
    end_date = txn_rows["transaction_date"].max().strftime("%m/%d/%Y")

    #Constructing a transaction summary
    txn_summary_lines = []
    for _, row in txn_rows.iterrows():
        date = row["transaction_date"].strftime("%m/%d/%Y")
        amount = f"${row['amount']:,.2f}"
        account_id = row["account_id"]
        originator = row["originator"]
        origin_country = row["originator_country"]
        beneficiary = row["beneficiary"]
        beneficiary_country = row["beneficiary_country"]

        if row["incoming_outgoing"] == "Incoming":
            line = f"On {date}, {originator} ({origin_country}) sent a wire of {amount} to {beneficiary} ({beneficiary_country}) at LLM NY account {account_id}."
        else:
            line = f"On {date}, {beneficiary} ({beneficiary_country}) received a wire of {amount} from {originator} ({origin_country}) sent from LLM NY account {account_id}."

        txn_summary_lines.append(line)
    transaction_summary = "\n".join(txn_summary_lines)

    #Constructing KYC information
    kyc_info = (
        f"{customer['customer_name']} (Customer ID: {customer['customer_id']}) is classified as a "
        f"{customer['customer_type']} in the {customer['customer_line_of_business']} sector, "
        f"incorporated/residing in {customer['customer_incorporation_residence_country']}. "
        f"Expected products: {customer['customer_expected_products']}. "
        f"Expected geographies: {customer['customer_expected_geographies']}."
    )

    #Get the narrative (simulate the summary written by the analyst)
    alert_narrative = alert_subset["alert_narrative"].iloc[0]

    #Retrieve similar cases from FAISS using transaction_summary as query
    def get_similar_cases_text(query: str, vectorstore, k: int = 3) -> str:
        docs = vectorstore.similarity_search(query, k=k)
        return "\n\n".join([f"Similar Case {i+1}:\n{doc.page_content}" for i, doc in enumerate(docs)])

    similar_cases_text = get_similar_cases_text(transaction_summary, vectorstore, k=k)

    #Constructing the final variable dictionary
    prompt_variables = {
        "alert_id_str": alert_id_str,
        "transaction_summary": transaction_summary,
        "transaction_count": transaction_count,
        "start_date": start_date,
        "end_date": end_date,
        "total_amount": f"{total_amount:,.2f}",
        "account_ids": ", ".join(account_ids_list),
        "customer_name": customer["customer_name"],
        "customer_id": customer_id,
        "customer_country": customer["customer_incorporation_residence_country"],
        "line_of_business": customer["customer_line_of_business"],
        "kyc_info": kyc_info,
        "alert_narrative": alert_narrative,
        "similar_cases_text": similar_cases_text
    }

    return prompt_variables

In [28]:
#Creating a function to retrieve the Customer ID from the Alert Narrative
def extract_customer_id_from_docx(docx_file_path):
    doc = Document(docx_file_path)
    full_text = "\n".join([para.text for para in doc.paragraphs])

    match = re.search(r'CIN:\s*(C-\d+)', full_text)
    if match:
        return match.group(1)
    else:
        return None

## **LLM Set Up**

### AWS Configuration Details

The line of code below will require that the following configuration details below be inputted in order to use the LLM Models:
* **Access Key ID:** AKIA6C7OYDUD4M2R2ZFO
* **Secret Access Key:** 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
* **Region:** us-east-1

In [34]:
!aws configure

^C


***Note**: If the code above does not run correctly, the user is able to configure their AWS settings by using the aws configure code in the command prompt.*

Once the configuration is done the code below can be run to confirm that the Access Key and Secret Access Key was correctly included:

In [36]:
#Set up botocore session to access internal details
session = botocore.session.get_session()
provider_chain = session.get_component('credential_provider')

#Print out all providers in the chain
print("**Credential current configuration:**")
for provider in provider_chain.providers:
    creds = provider.load()
    if creds:
        print("Access key:", creds.access_key)
        print("Secret key:", creds.secret_key)
        break
else:
    print("No valid AWS credentials found.")

**Credential current configuration:**
Access key: AKIA6C7OYDUD4M2R2ZFO
Secret key: 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


### Next Steps

Now that all of the configuration steps have been finalized we will start to generate the SAR using the LLM models.

In order to analyze the capability of LLMs in generating SARs, the code below will create 3 SAR Narratives based on the 3 SAR Alert Narratives provided by the client. For each of the available SAR Alert Narratives, output will be provided from two models, **Llama 3.3** and **DeepSeek R-1**, on 3 three different temperature (0.3, 0.6, 0.9) settings. This will allow us to then guage which temperature is ideal per model and by using the newly created grading rubric we will be able to asses with model performs best.

----

# **SAR Generation - Alert Narrative 1**

### Defining the Input

In [43]:
from docx import Document

#Detailing the file path for Alert Narrative 1
doc_path = "/Users/addro/Downloads/ABC/A-1 Alert Narrative.docx"
customer_id = extract_customer_id_from_docx(doc_path)
print("The extracted customer number is:", customer_id)

The extracted customer number is: C-1


### Detailing the Filled in Prompt Based on the Updated Input

In [45]:
conn = psycopg2.connect(
    dbname="aml_database",
    user="postgres",
    password="8A208adi@1",
    host="localhost"
)
cursor = conn.cursor()

prompt_variables = build_prompt_variables(customer_id=customer_id, conn=conn, vectorstore=vectorstore, k=3)

filled_prompt = sar_generation_prompt.format(**prompt_variables)
print(filled_prompt)

# Close the database connection
cursor.close()
conn.close()

  alert_df = pd.read_sql("SELECT * FROM Alert", conn)
  txn_df = pd.read_sql("SELECT * FROM Transaction", conn)
  customer_df = pd.read_sql("SELECT * FROM Customer", conn)
  account_df = pd.read_sql("SELECT * FROM Account", conn)


You are a compliance analyst at LLM Bank New York Branch ("LLM NY"). Based on the following structured data and previous similar cases, write a Suspicious Activity Report ("SAR") in professional, regulatory tone, strictly following the format and style used by LLM NY.

---
[1] STANDARD INTRODUCTORY STATEMENT
Please start the report with the following sentence, replacing placeholders with actual data:
"LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024."

---
[2] TRANSACTION SUMMARY
Write one or more detailed paragraphs describing the transactions, covering:
- Date of transaction
- Amount
- Direction (incoming/outgoing)
- Originator and beneficiary names
- Account IDs involved
- Jurisdictions or countries involved
- Abnorm

## **SAR Narrative Using Llama 3.3**

### SAR Generated with Temperature = 0.3

In [47]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.3,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

# SAR Narrative

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024.

The transactions in question occurred as follows: 
On 09/02/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/03/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/04/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/05/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/06/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/07/2024, John Diamond (US) sent a wire o

### SAR Generated with Temperature = 0.6

In [61]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.6,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

---

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024.

The transactions in question occurred between 09/02/2024 and 09/14/2024. On 09/02/2024, John Diamond sent a wire of $9,000.00 to John Diamond at LLM NY account ACC-1. This pattern continued for 12 consecutive days, with each transaction being $9,000.00. On 09/14/2024, ACME Investment Management received a wire of $105,000.00 from John Diamond sent from LLM NY account ACC-1. All transactions were incoming and outgoing from the same account, ACC-1, belonging to John Diamond.

John Diamond, with Customer ID C-1, is classified as an individual in the manufacturing sector, incorporated and residing in the US. The expected prod

### SAR Generated with Temperature = 0.9

In [53]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.9,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

# SAR Narrative
LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024.

The transactions occurred as follows: 
On 09/02/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/03/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/04/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/05/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/06/2024, John Diamond (US) sent a wire of $9,000.00 to John Diamond (US) at LLM NY account ACC-1.
On 09/07/2024, John Diamond (US) sent a wire of $9,000.00 t

## **SAR Narrative Using DeepSeek R-1**

### SAR Generated with Temperature = 0.3

In [63]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.3,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 Do not use markdown formatting. Use only line breaks between sections.
</think>

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024.  

Between September 2, 2024, and September 13, 2024, John Diamond (US) initiated 12 consecutive outgoing wire transfers of $9,000.00 each from LLM NY account ACC-1 to himself, totaling $108,000.00. All transactions originated and terminated within the US. On September 14, 2024, a single outgoing wire transfer of $105,000.00 was sent from ACC-1 to ACME Investment Management in the Cayman Islands.  

John Diamond (Customer ID: C-1) is an individual in the manufacturing sector residing in the US. KYC records indicate expected transactional activity lim

### SAR Generated with Temperature = 0.6

In [66]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.6,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:


</think>

**Suspicious Activity Report (SAR)**  

**LLM Bank New York Branch (“LLM NY”) is a wholesale branch of LLM Bank Ltd. (“LLM”), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report (“SAR”) (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024.**  

---

**Transaction Summary**  
Between September 2, 2024, and September 13, 2024, John Diamond (US) initiated 12 consecutive outgoing wire transfers of $9,000.00 each from his account (ACC-1) at LLM NY to himself at the same account, totaling $108,000.00. All transactions originated and terminated within the U.S., with identical originator and beneficiary details. On September 14, 2024, John Diamond (US) sent a wire transfer of $105,000.00 from ACC-1 to ACME Investment Management in the Cayman Islands.  

The 12 initial transactions involved round-dollar amounts and rapid, 

### SAR Generated with Temperature = 0.9

In [68]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.9,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:


</think>

**Suspicious Activity Report (SAR) Narrative**

**1. Standard Introductory Statement**  
LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0001) to report 13 transaction(s) totaling $213,000.00 and sent between 09/02/2024 and 09/14/2024.

---

**2. Transaction Summary**  
Between September 2, 2024, and September 13, 2024, John Diamond (US) initiated twelve (12) consecutive outgoing wire transfers of $9,000.00 each from his account (ACC-1) at LLM NY to himself at the same account. All transactions originated and terminated domestically within the U.S. On September 14, 2024, John Diamond sent a single outgoing wire of $105,000.00 from ACC-1 to ACME Investment Management, a beneficiary incorporated in the Cayman Islands. The cumulative activity reflects repeated round-

# **SAR Generation - Alert Narrative 2**

### Defining the Input

In [70]:
from docx import Document

#Detailing the file path for Alert Narrative 2
doc_path = "/Users/addro/Downloads/ABC/A-2 Fake Alert Narrative.docx"
customer_id = extract_customer_id_from_docx(doc_path)
print("The extracted customer number is:", customer_id)

The extracted customer number is: C-2


### Detailing the Filled in Prompt Based on the Updated Input

In [72]:
conn = psycopg2.connect(
    dbname="aml_database",
    user="postgres",
    password="8A208adi@1",
    host="localhost"
)
cursor = conn.cursor()

prompt_variables = build_prompt_variables(customer_id=customer_id, conn=conn, vectorstore=vectorstore, k=3)

filled_prompt = sar_generation_prompt.format(**prompt_variables)
print(filled_prompt)

# Close the database connection
cursor.close()
conn.close()

  alert_df = pd.read_sql("SELECT * FROM Alert", conn)
  txn_df = pd.read_sql("SELECT * FROM Transaction", conn)
  customer_df = pd.read_sql("SELECT * FROM Customer", conn)
  account_df = pd.read_sql("SELECT * FROM Account", conn)


You are a compliance analyst at LLM Bank New York Branch ("LLM NY"). Based on the following structured data and previous similar cases, write a Suspicious Activity Report ("SAR") in professional, regulatory tone, strictly following the format and style used by LLM NY.

---
[1] STANDARD INTRODUCTORY STATEMENT
Please start the report with the following sentence, replacing placeholders with actual data:
"LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024."

---
[2] TRANSACTION SUMMARY
Write one or more detailed paragraphs describing the transactions, covering:
- Date of transaction
- Amount
- Direction (incoming/outgoing)
- Originator and beneficiary names
- Account IDs involved
- Jurisdictions or countries involved
- Abnor

## **SAR Narrative Using Llama 3.3**

### SAR Generated with Temperature = 0.3

In [76]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.3,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

# SAR Narrative

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024.

The transactions in question occurred as follows: On 09/02/2024, US Processing (US) sent a wire of $200,000.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/07/2024, JD Import and Export (UK) sent a wire of $179,000.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/09/2024, Cos Cob Fishery (US) sent a wire of $552,665.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/10/2024, HK Industries (HK) sent a wire of $10,563.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/14/2024, RDF Plumbing - ACC2 (US) sent a wire of $2,286,712.80 to RDF Plumbing - ACC3 (US) at LL

### SAR Generated with Temperature = 0.6

In [78]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.6,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)


The generated SAR report is as follows:

 Please make sure you have included all relevant data points in the SAR.

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024.

The transactions in question are as follows: 
On 09/02/2024, US Processing (US) sent a wire of $200,000.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. 
On 09/07/2024, JD Import and Export (UK) sent a wire of $179,000.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. 
On 09/09/2024, Cos Cob Fishery (US) sent a wire of $552,665.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. 
On 09/10/2024, HK Industries (HK) sent a wire of $10,563.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. 
On 09/14/2024, RDF Plumbing - ACC2 (US) sent a w

### SAR Generated with Temperature = 0.9

In [80]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.9,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

Please note, for this prompt, we will not consider currency exchange rates for the report.

---

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024.

On 09/02/2024, a wire of $200,000.00 was sent from US Processing (US) to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/07/2024, JD Import and Export (UK) sent a wire of $179,000.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/09/2024, Cos Cob Fishery (US) sent a wire of $552,665.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/10/2024, HK Industries (HK) sent a wire of $10,563.00 to RDF Plumbing - ACC2 (US) at LLM NY account ACC-2. On 09/14/2024, RDF Plumbing - ACC2 (US) sent a wire of $2,286,7

## **SAR Narrative Using DeepSeek R-1**

### SAR Generated with Temperature = 0.3

In [83]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.3,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 Use only the data provided. Do not add any information not present in the data. Use the exact same structure as the example SARs. Do not use markdown formatting.
</think>

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024.  

Between 09/02/2024 and 09/15/2024, RDF Plumbing (Customer ID: C-2) engaged in six transactions through accounts ACC-2 and ACC-3 at LLM NY. On 09/02/2024, RDF Plumbing received $200,000.00 via wire from US Processing (US) into ACC-2. On 09/07/2024, a $179,000.00 wire from JD Import and Export (UK) was credited to ACC-2. On 09/09/2024, ACC-2 received $552,665.00 from Cos Cob Fishery (US). On 09/10/2024, HK Industries (HK) sent $10,563.00 to ACC-2. On 09/14/20

### SAR Generated with Temperature = 0.6

In [85]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.6,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 Use only the data provided. Do not include markdown. Use full sentences and proper grammar. Ensure the SAR follows the structure and order outlined in [1] to [5].
</think>

**LLM Bank New York Branch ("LLM NY") Suspicious Activity Report**  

**1. Standard Introductory Statement**  
LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024.  

**2. Transaction Summary**  
On 09/02/2024, RDF Plumbing received an incoming wire of $200,000.00 from US Processing (US) into account ACC-2. On 09/07/2024, a $179,000.00 incoming wire from JD Import and Export (UK) was credited to ACC-2. On 09/09/2024, Cos Cob Fishery (US) sent $552,665.00 to ACC-2. On 09/10/2024, HK Industries (Hong Kong) transf

### SAR Generated with Temperature = 0.9

In [88]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.9,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:


</think>

**Suspicious Activity Report (SAR)**  
**Internal SAR Reference Number: 2025-0002**  

---

**[1] STANDARD INTRODUCTORY STATEMENT**  
LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0002) to report 6 transaction(s) totaling $5,628,940.80 and sent between 09/02/2024 and 09/15/2024.  

---

**[2] TRANSACTION SUMMARY**  
On 09/02/2024, RDF Plumbing received a $200,000.00 incoming wire from US Processing (US) to account ACC-2.  
On 09/07/2024, RDF Plumbing received a $179,000.00 incoming wire from JD Import and Export (UK) to account ACC-2.  
On 09/09/2024, RDF Plumbing received a $552,665.00 incoming wire from Cos Cob Fishery (US) to account ACC-2.  
On 09/10/2024, RDF Plumbing received a $10,563.00 incoming wire from HK Industries (Hong Kong) to account ACC-2.  
On 

# **SAR Generation - Alert Narrative 3**

### Defining the Input

In [94]:
from docx import Document 

#Detailing the file path for Alert Narrative 3
doc_path = "/Users/addro/Downloads/ABC/A-5 Fake Alert Narrative.docx"
customer_id = extract_customer_id_from_docx(doc_path)
print("The extracted customer number is:", customer_id)

The extracted customer number is: C-4


### Detailing the Filled in Prompt Based on the Updated Input

In [96]:
conn = psycopg2.connect(
    dbname="aml_database",
    user="postgres",
    password="8A208adi@1",
    host="localhost"
)
cursor = conn.cursor()

prompt_variables = build_prompt_variables(customer_id=customer_id, conn=conn, vectorstore=vectorstore, k=3)

filled_prompt = sar_generation_prompt.format(**prompt_variables)
print(filled_prompt)

# Close the database connection
cursor.close()
conn.close()

  alert_df = pd.read_sql("SELECT * FROM Alert", conn)
  txn_df = pd.read_sql("SELECT * FROM Transaction", conn)
  customer_df = pd.read_sql("SELECT * FROM Customer", conn)
  account_df = pd.read_sql("SELECT * FROM Account", conn)


You are a compliance analyst at LLM Bank New York Branch ("LLM NY"). Based on the following structured data and previous similar cases, write a Suspicious Activity Report ("SAR") in professional, regulatory tone, strictly following the format and style used by LLM NY.

---
[1] STANDARD INTRODUCTORY STATEMENT
Please start the report with the following sentence, replacing placeholders with actual data:
"LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024."

---
[2] TRANSACTION SUMMARY
Write one or more detailed paragraphs describing the transactions, covering:
- Date of transaction
- Amount
- Direction (incoming/outgoing)
- Originator and beneficiary names
- Account IDs involved
- Jurisdictions or countries involved
- Abno

## **SAR Narrative Using Llama 3.3**

### SAR Generated with Temperature = 0.3

In [100]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.3,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

---

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024.

The transactions in question occurred as follows: On 09/03/2024, a wire of $789,654.00 was sent from Venezuela Law to JDF Industries at LLM NY account ACC-5. The next day, on 09/04/2024, JDF Industries sent a wire of $1,000,000.00 from LLM NY account ACC-5 to its Citibank account. On 09/05/2024, JDF Industries received a wire of $1,000,000.00 back from its Citibank account to LLM NY account ACC-5. Then, on 09/06/2024, JDF Industries sent a wire of $1,000,000.00 from LLM NY account ACC-5 to Venezuela Oil. Finally, on 09/07/2024, a wire of $7,238,475.00 was sent from JDF Industries at LLM NY account ACC-5 to ARAMCO. These

### SAR Generated with Temperature = 0.6

In [102]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.6,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

---

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024.

The transactions under review occurred as follows: 
On 09/03/2024, Venezuela Law (KY) sent a wire of $789,654.00 to JDF Industries (US) at LLM NY account ACC-5.
On 09/04/2024, JDF Industries - Citibank Account (US) received a wire of $1,000,000.00 from JDF Industries (US) sent from LLM NY account ACC-5.
On 09/05/2024, JDF Industries - Citibank Account (US) sent a wire of $1,000,000.00 to JDF Industries (US) at LLM NY account ACC-5.
On 09/06/2024, Venezuela Oil (VE) received a wire of $1,000,000.00 from JDF Industries (US) sent from LLM NY account ACC-5.
On 09/07/2024, ARAMCO (SA) received a wire of $7,238,475.00 from JD

### SAR Generated with Temperature = 0.9

In [104]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.9,
    "top_p": 0.9,
    "max_gen_len": 2048
}

#Calling Model
response = client.invoke_model(
    modelId="us.meta.llama3-3-70b-instruct-v1:0",  # LLaMA 3 70B
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
generated_sar_text = response_body.get("generation", "⚠️ No response generated.")

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 

---

# Step 1: Standard Introductory Statement
LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024.

# Step 2: Transaction Summary
On 09/03/2024, a wire of $789,654.00 was sent from Venezuela Law (KY) to JDF Industries (US) at LLM NY account ACC-5. 
On 09/04/2024, a wire of $1,000,000.00 was sent from JDF Industries (US) at LLM NY account ACC-5 to JDF Industries - Citibank Account (US). 
On 09/05/2024, a wire of $1,000,000.00 was sent from JDF Industries - Citibank Account (US) to JDF Industries (US) at LLM NY account ACC-5. 
On 09/06/2024, a wire of $1,000,000.00 was sent from JDF Industries (US) at LLM NY account ACC-5 to Venezuela Oil (VE). 
On 09/07/2024, a wire of $7,238,4

## **SAR Narrative Using DeepSeek R-1**

### SAR Generated with Temperature = 0.3

In [107]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.3,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 Do not use markdown. Use only the data provided. Do not add any information not present in the data.
</think>

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024.

On 09/03/2024, LLM NY account ACC-5 received an incoming wire of $789,654.00 from Venezuela Law (Cayman Islands) to JDF Industries (US). On 09/04/2024, JDF Industries sent an outgoing wire of $1,000,000.00 from ACC-5 to JDF Industries - Citibank Account (US). The same Citibank account returned $1,000,000.00 to ACC-5 on 09/05/2024 via incoming wire. On 09/06/2024, JDF Industries transferred $1,000,000.00 from ACC-5 to Venezuela Oil (Venezuela). A final outgoing wire of $7,238,475.00 was sent from ACC-5 to ARAMCO (Saudi

### SAR Generated with Temperature = 0.6

In [109]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.6,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 Use precise terminology and avoid markdown. Use only the data provided. Do not invent any details.
</think>

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024.  

On 09/03/2024, LLM NY account ACC-5 (JDF Industries, US) received an incoming wire of $789,654.00 from Venezuela Law (Cayman Islands). On 09/04/2024, JDF Industries initiated an outgoing wire of $1,000,000.00 from ACC-5 to JDF Industries - Citibank Account (US). On 09/05/2024, ACC-5 received an incoming wire of $1,000,000.00 from JDF Industries - Citibank Account (US). On 09/06/2024, JDF Industries sent an outgoing wire of $1,000,000.00 from ACC-5 to Venezuela Oil (Venezuela). On 09/07/2024, JDF Industries initiated a

### SAR Generated with Temperature = 0.9

In [111]:
#Establishing Bedrock Connections
client = boto3.client("bedrock-runtime", region_name="us-east-1")

#Building the payload
body = {
    "prompt": filled_prompt,
    "temperature": 0.9,
    "top_p": 0.9,
    "max_tokens": 1024
}

#Calling Model
response = client.invoke_model(
    modelId="us.deepseek.r1-v1:0",  # deepseek
    body=json.dumps(body)
)

#Parsing the response
response_body = json.loads(response["body"].read())
choices = response_body.get("choices", [])
if choices:
    generated_sar_text = choices[0].get("text", "⚠️ No text in choices.")
else:
    generated_sar_text = "⚠️ No response generated."

#Output
print("The generated SAR report is as follows:\n")
print(generated_sar_text)

The generated SAR report is as follows:

 Use only the data provided and do not invent any additional details. Adhere strictly to the outlined structure and tone. Use the exact transaction dates, amounts, and entities as provided. Do not use markdown.
</think>

LLM Bank New York Branch ("LLM NY") is a wholesale branch of LLM Bank Ltd. ("LLM"), a commercial bank located in mainland China. LLM NY is filing this Suspicious Activity Report ("SAR") (Internal SAR Reference Number 2025-0004) to report 5 transaction(s) totaling $11,028,129.00 and sent between 09/03/2024 and 09/07/2024.

On 09/03/2024, LLM NY account ACC-5 received an incoming wire of $789,654.00 from Venezuela Law (Cayman Islands) to JDF Industries (US). On 09/04/2024, JDF Industries initiated an outgoing wire of $1,000,000.00 from ACC-5 to JDF Industries - Citibank Account (US). On 09/05/2024, ACC-5 received an incoming wire of $1,000,000.00 from JDF Industries - Citibank Account (US). On 09/06/2024, JDF Industries sent an ou