You can create rules using our scenario models which are use-case scenarios you can choose.
Scenarios you can choose from include:
- Simple Filter
- IP Blacklist
- Dormant Activity
- Insider Trading
- and much more.
- The Simple Filter scenario can flag transactions that use a certain credit card.
- The IP Blacklist scenario can flag transactions that come from IPs in countries like Iran.
- The Dormant Activity scenario can find transactions from users in your platform that have not used their account for over a year and suddenly have thousands of transactions in under a week.
When you select your ideal scenario, you can complete the logic by selecting information from drop-down menus to create the rule you want.
For example, if you select the dormant scenario, then you can choose from a dropdown menu how long the dormancy period is -> 30 days, 60 days, 3 months...
Let's take a quick look at the scenarios you can choose from:
These scenarios looks for anomalous behaviors.
|Dormant Activity||Generate an alert if a user or business suddenly revitalizes an account after a period of dormancy.||
||Flag an account that has made a transaction worth over $1,000.00 and the previous transaction was made over 180 days ago|
|Historical Deviations A||Generate an alert if the transaction amount falls outside of the expected distribution (based on average transaction amounts).||
||Flag an account if it is transacting funds to a high-risk country above their standard deviation plus 2|
|Historical Deviations B||Generate an alert if the transaction total amount differs by a specific amount.||
||Flag if a merchant's selling volume has increased 100% or more in 30 days|
|Newly Seen||Generate an alert if an entity has a suspicious number of new actions or new transactional information compared to its past.||
||Flag if a user transacts from an unknown IP address based on historical records (not a previously known IP)|
These scenarios compare entity information and transactions to matchlists (whitelists, blacklists).
|Entity Blacklist||Generate an alert if an entity comes from a matchlist (a list your organization maintains of fraudulent users/businesses).||
||Flag if the business is on a terrorism financing watchlist|
|Blacklist String (Entities / Instruments)||Generates an alert if an instrument or entity has any information that is blacklisted in a matchlist.||
||Flag if an account uses IP address 250.45.675.20|
|Blacklist String (Events)||Generates an alert if an entity makes a transaction with any blacklisted information held in a matchlist.||
||Flag if a customer has transactions with parties in high risk foreign countries|
|Country-subdivision Blacklist / Whitelist||Generates an alert if an entity is/isn't a sub-state match in the matchlist (works with whitelisting and blacklisting).||
||Flag if user is not in IP whitelist (a list called "IP whitelisting - US States" with allowed state CA, NY, MI, and VI)|
|IP Blacklist (Global)||Generate an alert if an entity comes from a global matchlist of blacklisted entities (a universal list of fraudulent users/businesses maintained by Unit21).||
||Flag user with significant associations with publicly blacklisted and low reputation IP addresses (TOR, proxies, IP blacklists, spam lists, hosting services)|
These scenarios are looking for a specific number of events that have occurred in transactions.
|Same Value Transactions||Generate an alert if an entity is making a number of transactions of the same value in a given time period (either consecutively or non-consecutively).||
||Flag round value amounts done consecutively within a short period|
|Simple Count||Generate an alert if an entity makes X amount of transactions in Y time.||
||Flag any transaction of $100,000 or higher for merchants with the label ‘new’.|
|Simple Count Relative||Generate an alert if X occurs in Y percent of the user/business transactions.||
||Flag a user if 70% of their transactions in 1 week have
|Simple Entity Count||Generate an alert if an entity has X
||Flag a customer transacting more than 4 transactions in 24 hours|
|Simple Object Count (Entities / Instruments)||Generate an alert if X
||Flag if a phone number is associated to more than one customer|
|Simple Object Count (Transactions)||Generate an alert if X
||Flag merchants with multiple phone numbers|
These scenarios use simple mathematical methods to flag transactions with unexpected amounts and events.
|Simple Statistics||Generate an alert if a instrument or entity transacts
||Flag if the value of debit card refunds > $1000 over a period of 7 days|
|Simple Statistics with Count||Generate an alert if a instrument or entity (identified by id, phone # or email address) transacts
||Flag if multiple companies send at least $5,000 to the same contractor in a month|
|Simple Statistics with Custom Field||Generate an alert if a instrument or entity transacts
||Flag if entities conduct 1 or more transactions within a 24hr period which aggregates to more than 100% of the entity’s AUM (assets under management)|
|Top Transacting Entities||Generate an alert if an entity has the largest sum/count of transactions over a given time period compared to all other users / businesses.||
||Flag the top 5 accounts with cash deposits in the past 30 days|
These are standard AML scenarios for flagging smurfs and transactions with:
- entities acting as intermediaries
- amounts just under recordable/flaggable thresholds
|Entity Specific Conduit||Generate an alert if a pair of entities transact X amount in Y period AND the net sum of the transactions is Z between them.||
||Flag entities that have a sequence of back and forth transactions with the same (set of) associated counterparties|
|Layering||Generate an alert if an entity has X percent of transactions meet Y criteria and then a subset of those meet Z criteria.||
||Flag an entity with high velocity of funds|
|Pass-Through||Generate an alert if an entity has X ratio between received and sent funds in a transaction (i/e if an entity receives X, how much of X is transacted in Y time).||
||Flag large or structured deposits immediately followed by series of withdrawals within a short period|
|Pass-Through Transferred Percent||Generate an alert if an entity sent X percent of their funds to another user / business.||
||Flag an entity that receives a lot of money and then sends out most of what it received|
|Structuring||Generate an alert if a pattern of nonconsecutive transactions are all fiat dollar values similar to each other.||
||Flag if more than 10 transactions took place in the past 3 months with amounts 25% of each other|
|Transaction Funds Ratio||Generate an alert if an entity receives transactions and X percent of the amount comes from Y state/country/zip code (out of all you previous locations)||
||Flag HOAs that receive payments from more than 10 homeowners and over half of the total collected or half of the payments received came from homeowners residing in a different state|
|Transaction Statistics A||Generate an alert if the average individual transaction volume > X and < Y AND with/without combined volume < or > Z.||
||Flag if a certain number of transactions that lie within a range that's close to regulation thresholds of $10,000|
These are industry specific scenarios or extremely broad scenarios with a lot of flexibility for configuration.
|Aggregate Difference (Transactions)||Generate an alert for an entity where the difference between A deposits and outgoing B transactions is greater than X amount in Y period.||
||Flag if customers in Nigeria who’s total deposits – total outgoing transactions = over the regulatory limit of 300,000 NGN|
|Alerted Transactions II||Generate an alert for entities with at least Y alerts with X amount and alert them again.||
||Flag employers using desktop payroll to submit larger than usual payroll transactions to themselves as opposed to employees|
|Chainalysis Alert - Risk levels||Generate an alert if an entity has X risk alert from chainalysis with Y amount.||
||Flag when a shopper is associated with one or more Chainalysis high risk alerts in a one-month period where the flagged USD amount is greater than 10,000 USD|
|Multiple Occurrences||Generate an alert if an entity triggers a rule X times (amount of triggers) in Y period.||
||Flag if a high velocity rule is alerted twice|
|Insider Trading||Generate an alert if an entity makes a transaction similar to another entity X time later.||
||Flag if two employees in the company sell the same stock|
|Simple Filters||Generate an alert if an entity has X.||
||Flag if my customer tries to ACH funds to another one of my customer|
|Simple Sequence||Generate an alert if an entity exhibits the following X sequence of events in X time.||
||Flag change in basic information over three times in 30 days:
Updated about 1 month ago