Scenario Models


What are Scenario Models?

You can create rules from our scenario models, which are use-case scenarios you can choose from.

Scenarios you can choose from include:

  • Simple Filter
  • IP Blacklist
  • Dormant Activity
  • Structuring
  • Insider Trading
  • and many more.

For example:

  • The Simple Filter scenario can flag transactions that use a certain credit card.
  • The IP Blacklist scenario can flag transactions that come from IPs in countries like Iran.
  • The Dormant Activity scenario can find transactions from users in your platform that have not used their account for over a year and suddenly have thousands of transactions in under a week.


Your organization may not be able to access all of the scenarios listed.

Ask your CSM for more details.

When you select your ideal scenario, you can complete the logic by selecting information from drop-down menus to create the rule you want.

For example, if you select the Dormant Activity scenario, you can choose from a drop-down menu how long the dormancy period is: 30 days, 60 days, 3 months, and so on.


Let's take a quick look at the scenarios you can choose from:

Anomaly Detection

These scenarios look for anomalous behaviors.

Scenario Name: Dormant Activity
Description: Generate an alert if a user or business suddenly revitalizes an account after a period of dormancy.
Use-Case:
  • Large cash withdrawals from a previously dormant or inactive account
Example: Flag an account that has made a transaction worth over $1,000.00 and the previous transaction was made over 180 days ago

Scenario Name: Historical Deviations A
Description: Generate an alert if the transaction amount falls outside of the expected distribution (based on average transaction amounts).
Use-Case:
  • Sum/count/amount of transactions falls outside of a specified range
  • Count anomalous transactions
Example: Flag an account if it is transacting funds to a high-risk country above their standard deviation plus 2

Scenario Name: Historical Deviations B
Description: Generate an alert if the transaction total amount differs by a specific amount.
Use-Case:
  • Account suddenly has a spike in transactions
  • Look for deviations in transactions
Example: Flag if a merchant's selling volume has increased 100% or more in 30 days

Scenario Name: Newly Seen
Description: Generate an alert if an entity has a suspicious number of new actions or new transactional information compared to its past.
Use-Case:
  • Account adds a lot of new credit cards
  • Account transacts from a never-before-seen IP address
Example: Flag if a user transacts from an unknown IP address based on historical records (not a previously known IP)
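
The Dormant Activity example above (a transaction over $1,000.00 whose previous transaction was over 180 days earlier), written out as code. This is an added illustration, not Unit21's implementation; the function name, parameters and sample records are assumptions constructed for the example.

```python
from datetime import datetime

# Constructed sample transactions (account, date, amount in USD); not real data.
SAMPLE_TXNS = [
    ("acct-1", "2023-01-05", 40.00),
    ("acct-1", "2023-09-20", 2500.00),  # 258 days after the previous one, over $1,000
    ("acct-1", "2023-09-21", 3000.00),  # account is active again: gap of 1 day
    ("acct-2", "2023-03-01", 1500.00),  # first transaction ever: no gap to measure
    ("acct-2", "2023-10-01", 900.00),   # long gap, but below the amount threshold
    ("acct-3", "2023-08-01", 5000.00),  # delivered before the older record below
    ("acct-3", "2023-02-01", 10.00),    # out of order on purpose
]

def dormant_activity_alerts(transactions, min_amount=1000.00, dormancy_days=180):
    """Hypothetical rule: return (account, date, amount, gap_days) for every
    transaction worth more than min_amount whose previous transaction on the
    same account is more than dormancy_days older."""
    by_account = {}
    for account, ts, amount in transactions:
        parsed = datetime.strptime(ts, "%Y-%m-%d")
        by_account.setdefault(account, []).append((parsed, amount))

    alerts = []
    for account, txns in sorted(by_account.items()):
        txns.sort()  # evaluate in time order regardless of arrival order
        # Pair each transaction with the one before it; an account's first
        # transaction has no predecessor and is never flagged by this rule.
        for (prev_ts, _), (ts, amount) in zip(txns, txns[1:]):
            gap_days = (ts - prev_ts).days
            if amount > min_amount and gap_days > dormancy_days:
                alerts.append((account, ts.date().isoformat(), amount, gap_days))
    return alerts

if __name__ == "__main__":
    for alert in dormant_activity_alerts(SAMPLE_TXNS):
        print(alert)
```

Only the transaction that ends the dormancy is flagged; later activity on the same account is measured against the new, short gap.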


These scenarios compare entity information and transactions to matchlists (whitelists, blacklists).

Scenario Name: Entity Blacklist
Description: Generate an alert if an entity comes from a matchlist (a list your organization maintains of fraudulent users/businesses).
Use-Case:
  • 314A business check
Example: Flag if the business is on a terrorism financing watchlist

Scenario Name: Blacklist String (Entities / Instruments)
Description: Generates an alert if an instrument or entity has any information that is blacklisted in a matchlist.
Use-Case:
  • Account with a spam email account
Example: Flag if an account uses IP address 250.45.675.20

Scenario Name: Blacklist String (Events)
Description: Generates an alert if an entity makes a transaction with any blacklisted information held in a matchlist.
Use-Case:
  • Transaction made with suspected stolen credit card
Example: Flag if a customer has transactions with parties in high risk foreign countries

Scenario Name: Country-subdivision Blacklist / Whitelist
Description: Generates an alert if an entity is/isn't a sub-state match in the matchlist (works with whitelisting and blacklisting).
Use-Case:
  • Allow transactions in certain states only
Example: Flag if user is not in IP whitelist (a list called "IP whitelisting - US States" with allowed state CA, NY, MI, and VI)

Scenario Name: IP Blacklist (Global)
Description: Generate an alert if an entity comes from a global matchlist of blacklisted entities (a universal list of fraudulent users/businesses maintained by Unit21).
Use-Case:
  • Business has a domain name with poor reputation (spamhaus)
Example: Flag user with significant associations with publicly blacklisted and low reputation IP addresses (TOR, proxies, IP blacklists, spam lists, hosting services)


These scenarios are looking for a specific number of events that have occurred in transactions.

Scenario Name: Same Value Transactions
Description: Generate an alert if an entity is making a number of transactions of the same value in a given time period (either consecutively or non-consecutively).
Use-Case:
  • User repeatedly sends $5
Example: Flag round value amounts done consecutively within a short period

Scenario Name: Simple Count Relative
Description: Generate an alert if X occurs in Y percent of the user/business transactions.
Use-Case:
  • User has too many bounced checks
Example: Flag a user if 70% of their transactions in 1 week have status = FAILED

Scenario Name: Simple Entity Count
Description: Generate an alert if an entity has X (transactions, instruments, sent currency, ...).
Use-Case:
  • Account has over 5000 transactions in a week
Example: Flag a customer transacting more than 4 transactions in 24 hours

Scenario Name: Simple Object Count (Entities / Instruments)
Description: Generate an alert if X (address, email address, ip address, ...) is used by a unique instrument, user or business Y times.
Use-Case:
  • Two or more accounts have the same address
Example: Flag if a phone number is associated to more than one customer

Scenario Name: Simple Object Count (Transactions)
Description: Generate an alert if X (address, email address, ip address, ...) is used in a transaction Y times with each transaction having the same Z (instrument / address...).
Use-Case:
  • Multiple transactions with the same credit card all used different currencies
Example: Flag merchants with multiple phone numbers

Structuring / Smurfing

These are standard AML scenarios for flagging smurfs and transactions with:

  • entities acting as intermediaries
  • amounts just under recordable/flaggable thresholds

Scenario Name: Entity Specific Conduit
Description: Generate an alert if a pair of entities transact X amount in Y period AND the net sum of the transactions is Z between them.
Use-Case:
  • Two accounts sending money back and forth but the net amount transferred is low
Example: Flag entities that have a sequence of back and forth transactions with the same (set of) associated counterparties

Scenario Name: Layering
Description: Generate an alert if an entity has X percent of transactions meet Y criteria and then a subset of those meet Z criteria.
Use-Case:
  • Check an entity for money in versus money out (sender versus receiver activity)
  • Velocity checker
Example: Flag an entity with high velocity of funds

Scenario Name: Pass-Through
Description: Generate an alert if an entity has X ratio between received and sent funds in a transaction (i.e., if an entity receives X, how much of X is transacted in Y time).
Use-Case:
  • Looking for a middle man
  • Look at net sent/received $ in transactions
Example: Flag large or structured deposits immediately followed by series of withdrawals within a short period

Scenario Name: Pass-Through Transferred Percent
Description: Generate an alert if an entity sent X percent of their funds to another user / business.
Use-Case:
  • Entity received a large initial amount of $ and a large percentage of it is sent to a single user
Example: Flag an entity that receives a lot of money and then sends out most of what it received

Scenario Name: Structuring
Description: Generate an alert if a pattern of nonconsecutive transactions are all fiat dollar values similar to each other.
Use-Case:
  • Structured movement of funds such as 'entity receives $10K and sends out $3K, $3K and $4K'
  • Lots of similar $ amounts in transactions
Example: Flag if more than 10 transactions took place in the past 3 months with amounts within 25% of each other

Scenario Name: Transaction Funds Ratio
Description: Generate an alert if an entity receives transactions and X percent of the amount comes from Y state/country/zip code (out of all your previous locations).
Use-Case:
  • Unexpected change in location of sender from received funds
  • Unexpected location for a majority of senders in a transaction
Example: Flag HOAs that receive payments from more than 10 homeowners and over half of the total collected or half of the payments received came from homeowners residing in a different state

Scenario Name: Transaction Statistics A
Description: Generate an alert if the average individual transaction volume > X and < Y AND with/without combined volume < or > Z.
Use-Case:
  • Transactions with amounts near regulatory thresholds but not exceeding it
  • Smurfing
Example: Flag if a certain number of transactions lie within a range that's close to the regulatory threshold of $10,000
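
The Transaction Statistics A example above (a certain number of transactions in a range close to the $10,000 threshold), written as a rolling-window check. This is an added illustration, not Unit21's implementation; the function name, the $9,000 lower bound, the count of 3, the 7-day window and the sample records are assumptions constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample deposits (entity, date, amount in USD); not real data.
SAMPLE_DEPOSITS = [
    ("cust-A", "2024-03-01", 9500.00),
    ("cust-A", "2024-03-03", 9800.00),
    ("cust-A", "2024-03-04", 120.00),    # ordinary activity, outside the band
    ("cust-A", "2024-03-06", 9900.00),   # third near-threshold deposit in 6 days
    ("cust-B", "2024-03-01", 9700.00),
    ("cust-B", "2024-04-15", 9600.00),   # same band, but 45 days apart
    ("cust-C", "2024-03-02", 12000.00),  # over the threshold, so not in the band
    ("cust-C", "2024-03-03", 9950.00),
]

def near_threshold_alerts(transactions, low=9000.00, high=10000.00,
                          min_count=3, combined_over=10000.00, window_days=7):
    """Hypothetical rule: alert when an entity has at least min_count
    transactions with low < amount < high inside a rolling window and their
    combined amount exceeds combined_over."""
    by_entity = {}
    for entity, ts, amount in transactions:
        if low < amount < high:  # keep only amounts just under the threshold
            parsed = datetime.strptime(ts, "%Y-%m-%d")
            by_entity.setdefault(entity, []).append((parsed, amount))

    alerts = []
    for entity, txns in sorted(by_entity.items()):
        txns.sort()
        window = deque()
        for ts, amount in txns:
            window.append((ts, amount))
            # Drop transactions that have aged out of the rolling window.
            while ts - window[0][0] > timedelta(days=window_days):
                window.popleft()
            total = sum(a for _, a in window)
            if len(window) >= min_count and total > combined_over:
                alerts.append((entity, ts.date().isoformat(), len(window), total))
    return alerts

if __name__ == "__main__":
    for alert in near_threshold_alerts(SAMPLE_DEPOSITS):
        print(alert)
```

Each amount stays below $10,000 on its own, so the combined-volume condition is what separates the cust-A pattern from the single near-threshold deposits of cust-B and cust-C.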


These are industry specific scenarios or extremely broad scenarios with a lot of flexibility for configuration.

Scenario Name: Aggregate Difference (Transactions)
Description: Generate an alert for an entity where the difference between A deposits and outgoing B transactions is greater than X amount in Y period.
Use-Case:
  • A and B require custom data and simple code: custom_data->field == condition
Example: Flag if customers in Nigeria have total deposits minus total outgoing transactions over the regulatory limit of 300,000 NGN

Scenario Name: Alerted Transactions II
Description: Generate an alert for entities with at least Y alerts with X amount and alert them again.
Use-Case:
  • Requires a previously alerted entity that meets X new conditions
  • Has X count/amount of previous alerts
  • Only count the alerts if it flags this amount
  • Ignore 'with every transactions's value'
Example: Flag employers using desktop payroll to submit larger than usual payroll transactions to themselves as opposed to employees

Scenario Name: Chainalysis Alert - Risk levels
Description: Generate an alert if an entity has X risk alert from Chainalysis with Y amount.
Use-Case:
  • Requires external alert from Chainalysis
  • Filter on Chainalysis alerts and amount
Example: Flag when a shopper is associated with one or more Chainalysis high risk alerts in a one-month period where the flagged USD amount is greater than 10,000 USD

Scenario Name: Entity Matching Links
Description: Generate an alert if an entity has similar information to another entity.
Use-Case:
  • Look for entities with commonalities
Example: Flag if three or more users use the same credit card

Scenario Name: Insider Trading
Description: Generate an alert if an entity makes a transaction similar to another entity X time later.
Use-Case:
  • Look for entities that behave similarly
Example: Flag if two employees in the company sell the same stock

Scenario Name: Multiple Occurrences
Description: Generate an alert if an entity triggers a rule X times (amount of triggers) in Y period.
Use-Case:
  • Look for entities that trigger a rule multiple times
Example: Flag if a high velocity rule is alerted twice

Scenario Name: Relative Transaction Amount Sequence
Description: Generate an alert for an entity with 2 consecutive transactions within a certain period.
Use-Case:
  • Look for entities that sell at a loss
Example: Flag if a customer buys a stock high and sells low same day.

Scenario Name: Simple Filters
Description: Generate an alert if an entity has X.
Use-Case:
  • Wide filter match
Example: Flag if my customer tries to ACH funds to another one of my customers

Scenario Name: Simple Sequence
Description: Generate an alert if an entity exhibits the following X sequence of events in X time.
Use-Case:
  • Detect sequences such as $100, $200, $300 transacted
  • Requires Python code
  • Legacy functionality, not currently supported
Example: Flag change in basic information over three times in 30 days: action.action_type in ('tax_id_numbers', 'addresses', 'phones', 'emails', 'password_change')