Scenario Models


What are Scenario Models?

You can create rules using our scenario models, which are use-case scenarios you can choose from.

Scenarios you can choose from include:

  • Simple Filter
  • IP Blacklist
  • Dormant Activity
  • Structuring
  • Insider Trading
  • and many more.

For example:

  • The Simple Filter scenario can flag transactions that use a certain credit card.
  • The IP Blacklist scenario can flag transactions that come from IPs in countries like Iran.
  • The Dormant Activity scenario can find transactions from users on your platform who have not used their account for over a year and suddenly have thousands of transactions in under a week.

When you select your ideal scenario, you can complete the logic by selecting information from drop-down menus to create the rule you want.

For example, if you select the Dormant Activity scenario, you can choose the length of the dormancy period from a drop-down menu: 30 days, 60 days, 3 months...


Let's take a quick look at the scenarios you can choose from:

Anomaly Detection

These scenarios look for anomalous behaviors.

| Scenario Name | Description | Use-Case | Example |
| --- | --- | --- | --- |
| Dormant Activity | Generate an alert if a user or business suddenly revitalizes an account after a period of dormancy. | Large cash withdrawals from a previously dormant or inactive account | Flag an account that has made a transaction worth over $1,000.00 and the previous transaction was made over 180 days ago |
| Historical Deviations A | Generate an alert if the transaction amount falls outside of the expected distribution (based on average transaction amounts). | Sum/count/amount of transactions falls outside of a specified range; Count anomalous transactions | Flag an account if it is transacting funds to a high-risk country above their standard deviation plus 2 |
| Historical Deviations B | Generate an alert if the transaction total amount differs by a specific amount. | Account suddenly has a spike in transactions; Look for deviations in transactions | Flag if a merchant's selling volume has increased 100% or more in 30 days |
| Newly Seen | Generate an alert if an entity has a suspicious number of new actions or new transactional information compared to its past. | Account adds a lot of new credit cards; Account transacts from a never-before-seen IP address | Flag if a user transacts from an unknown IP address based on historical records (not a previously known IP) |
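
The Dormant Activity and Historical Deviations A examples from the table, written out as an added Python sketch (not Unit21's code or rule engine). The tuple layout, function name and parameters are hypothetical, the sample events are constructed, and "standard deviation plus 2" is read here as the entity's mean plus two standard deviations, which is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

# Constructed sample events: (entity_id, ISO timestamp, amount in USD).
TRANSACTIONS = [
    ("acct-1", "2023-01-05T10:00:00", 40.00),
    ("acct-1", "2023-01-20T09:30:00", 55.00),
    ("acct-1", "2023-09-01T14:00:00", 2500.00),  # 224 days after the previous one
    ("acct-2", "2023-08-01T08:00:00", 100.00),
    ("acct-2", "2023-08-03T08:00:00", 110.00),
    ("acct-2", "2023-08-05T08:00:00", 90.00),
    ("acct-2", "2023-08-07T08:00:00", 105.00),
    ("acct-2", "2023-08-09T08:00:00", 900.00),   # far above acct-2's usual amounts
]


def evaluate(transactions, dormancy_days=180, min_amount=1000.00,
             sigmas=2.0, min_history=4):
    """Return (entity_id, timestamp, rule_name) alerts in time order."""
    history = defaultdict(list)  # entity_id -> [(datetime, amount), ...] seen so far
    alerts = []
    for entity, ts, amount in sorted(transactions, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        past = history[entity]
        # Dormant Activity: a large transaction after a long gap since the last one.
        gap_exceeded = past and when - past[-1][0] > timedelta(days=dormancy_days)
        if gap_exceeded and amount > min_amount:
            alerts.append((entity, ts, "dormant_activity"))
        # Historical deviation: amount above the entity's own mean + N sigma.
        # Requiring some history avoids alerting on accounts with too little data
        # (stdev needs at least two points).
        if len(past) >= max(min_history, 2):
            amounts = [a for _, a in past]
            if amount > mean(amounts) + sigmas * stdev(amounts):
                alerts.append((entity, ts, "historical_deviation"))
        past.append((when, amount))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(TRANSACTIONS):
        print(alert)
```

The baseline is built only from transactions that precede the one being scored, so an outlier cannot inflate its own threshold.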


These scenarios compare entity information and transactions to matchlists (whitelists, blacklists).

| Scenario Name | Description | Use-Case | Example |
| --- | --- | --- | --- |
| Entity Blacklist | Generate an alert if an entity comes from a matchlist (a list your organization maintains of fraudulent users/businesses). | 314A business check | Flag if the business is on a terrorism financing watchlist |
| Blacklist String (Entities / Instruments) | Generates an alert if an instrument or entity has any information that is blacklisted in a matchlist. | Account with a spam email account | Flag if an account uses IP address 250.45.675.20 |
| Blacklist String (Events) | Generates an alert if an entity makes a transaction with any blacklisted information held in a matchlist. | Transaction made with suspected stolen credit card | Flag if a customer has transactions with parties in high risk foreign countries |
| Country-subdivision Blacklist / Whitelist | Generates an alert if an entity is/isn't a sub-state match in the matchlist (works with whitelisting and blacklisting). | Allow transactions in certain states only | Flag if user is not in IP whitelist (a list called "IP whitelisting - US States" with allowed state CA, NY, MI, and VI) |
| IP Blacklist (Global) | Generate an alert if an entity comes from a global matchlist of blacklisted entities (a universal list of fraudulent users/businesses maintained by Unit21). | Business has a domain name with poor reputation (spamhaus) | Flag user with significant associations with publicly blacklisted and low reputation IP addresses (TOR, proxies, IP blacklists, spam lists, hosting services) |


These scenarios look for a specific number of events that have occurred in transactions.

| Scenario Name | Description | Use-Case | Example |
| --- | --- | --- | --- |
| Same Value Transactions | Generate an alert if an entity is making a number of transactions of the same value in a given time period (either consecutively or non-consecutively). | User repeatedly sends $5 | Flag round value amounts done consecutively within a short period |
| Simple Count | Generate an alert if an entity makes X amount of transactions in Y time. | Business transacts over $1,000,000.00 | Flag any transaction of $100,000 or higher for merchants with the label 'new'. |
| Simple Count Relative | Generate an alert if X occurs in Y percent of the user/business transactions. | User has too many bounced checks | Flag a user if 70% of their transactions in 1 week have status = FAILED |
| Simple Entity Count | Generate an alert if an entity has X (transactions, instruments, sent currency, ...). | Account has over 5000 transactions in a week | Flag a customer transacting more than 4 transactions in 24 hours |
| Simple Object Count (Entities / Instruments) | Generate an alert if X (address, email address, IP address, ...) is used by a unique instrument, user or business Y times. | Two or more accounts have the same address | Flag if a phone number is associated with more than one customer |
| Simple Object Count (Transactions) | Generate an alert if X (address, email address, IP address, ...) is used in a transaction Y times with each transaction having the same Z (instrument / address...). | Multiple transactions with the same credit card all used different currencies | Flag merchants with multiple phone numbers |


These scenarios use simple mathematical methods to flag transactions with unexpected amounts and events.

| Scenario Name | Description | Use-Case | Example |
| --- | --- | --- | --- |
| Simple Statistics | Generate an alert if an instrument or entity transacts a min, avg, max or sum that is >, < or = to X amount. | A business has a lot of credit card disputes and chargebacks | Flag if the value of debit card refunds > $1000 over a period of 7 days |
| Simple Statistics with Count | Generate an alert if an instrument or entity (identified by id, phone # or email address) transacts a min, avg, max or sum that is >, < or = to X amount in Y count of transactions. | A business makes over 10 transactions to the same user | Flag if multiple companies send at least $5,000 to the same contractor in a month |
| Simple Statistics with Custom Field | Generate an alert if an instrument or entity transacts a min, avg, max or sum that is >, < or = to X (where X is a required custom data field). | A user transacts more than their credit allows | Flag if entities conduct 1 or more transactions within a 24hr period which aggregates to more than 100% of the entity's AUM (assets under management) |
| Top Transacting Entities | Generate an alert if an entity has the largest sum/count of transactions over a given time period compared to all other users / businesses. | Accounts with the most transactions in Iran | Flag the top 5 accounts with cash deposits in the past 30 days |

Structuring / Smurfing

These are standard AML scenarios for flagging smurfs and transactions with:

  • entities acting as intermediaries
  • amounts just under recordable/flaggable thresholds

| Scenario Name | Description | Use-Case | Example |
| --- | --- | --- | --- |
| Entity Specific Conduit | Generate an alert if a pair of entities transact X amount in Y period AND the net sum of the transactions is Z between them. | Two accounts sending money back and forth but the net amount transferred is low | Flag entities that have a sequence of back and forth transactions with the same (set of) associated counterparties |
| Layering | Generate an alert if an entity has X percent of transactions meet Y criteria and then a subset of those meet Z criteria. | Check an entity for money in versus money out (sender versus receiver activity); Velocity checker | Flag an entity with high velocity of funds |
| Pass-Through | Generate an alert if an entity has X ratio between received and sent funds in a transaction (i.e. if an entity receives X, how much of X is transacted in Y time). | Looking for a middle man; Look at net sent/received $ in transactions | Flag large or structured deposits immediately followed by a series of withdrawals within a short period |
| Pass-Through Transferred Percent | Generate an alert if an entity sent X percent of their funds to another user / business. | Entity received a large initial amount of $ and a large percentage of it is sent to a single user | Flag an entity that receives a lot of money and then sends out most of what it received |
| Structuring | Generate an alert if a pattern of nonconsecutive transactions are all fiat dollar values similar to each other. | Structured movement of funds such as 'entity receives $10K and sends out $3K, $3K and $4K'; Lots of similar $ amounts in transactions | Flag if more than 10 transactions took place in the past 3 months with amounts within 25% of each other |
| Transaction Funds Ratio | Generate an alert if an entity receives transactions and X percent of the amount comes from Y state/country/zip code (out of all your previous locations). | Unexpected change in location of sender from received funds; Unexpected location for a majority of senders in a transaction | Flag HOAs that receive payments from more than 10 homeowners and over half of the total collected or half of the payments received came from homeowners residing in a different state |
| Transaction Statistics A | Generate an alert if the average individual transaction volume > X and < Y AND with/without combined volume < or > Z. | Transactions with amounts near regulatory thresholds but not exceeding them; Smurfing | Flag if a certain number of transactions lie within a range that's close to the regulatory threshold of $10,000 |
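
Two of the checks in this table, near-threshold deposits (Transaction Statistics A) and Pass-Through, as an added Python sketch that is not Unit21's implementation. The ledger layout, function names, the 10% band, the 48-hour window and the 90% ratio are assumptions chosen for illustration; only the $10,000 threshold comes from the table, and the ledger is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample ledger for one entity: (ISO timestamp, direction, amount in USD).
LEDGER = [
    ("2024-03-01T09:00:00", "in", 9500.00),
    ("2024-03-01T15:00:00", "out", 3100.00),
    ("2024-03-02T10:00:00", "out", 3000.00),
    ("2024-03-02T16:00:00", "out", 3200.00),
    ("2024-03-04T09:00:00", "in", 9800.00),
    ("2024-03-06T09:00:00", "in", 9700.00),
    ("2024-03-20T09:00:00", "in", 400.00),
]


def near_threshold(ledger, threshold=10_000.00, band=0.10, min_count=3):
    """Return deposits just under the threshold if there are min_count or more."""
    floor = threshold * (1 - band)
    hits = [(ts, amt) for ts, direction, amt in ledger
            if direction == "in" and floor <= amt < threshold]
    return hits if len(hits) >= min_count else []


def pass_through(ledger, window=timedelta(hours=48), min_ratio=0.90,
                 min_received=5000.00):
    """Return (deposit timestamp, sent/received ratio) for large deposits that
    are mostly sent out again within the window."""
    rows = [(datetime.fromisoformat(ts), d, amt) for ts, d, amt in ledger]
    flagged = []
    for when, direction, received in rows:
        if direction != "in" or received < min_received:
            continue
        # Simplification: every outgoing transfer in the window is attributed to
        # this deposit, so overlapping deposits could share the same outflows.
        sent = sum(amt for t, d, amt in rows
                   if d == "out" and when <= t <= when + window)
        ratio = sent / received
        if ratio >= min_ratio:
            flagged.append((when.isoformat(), round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    print(near_threshold(LEDGER))
    print(pass_through(LEDGER))
```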


These are industry-specific scenarios or extremely broad scenarios with a lot of flexibility for configuration.

| Scenario Name | Description | Use-Case | Example |
| --- | --- | --- | --- |
| Aggregate Difference (Transactions) | Generate an alert for an entity where the difference between A deposits and outgoing B transactions is greater than X amount in Y period. | A and B require custom data and simple code custom_data->field == condition | Flag customers in Nigeria whose total deposits minus total outgoing transactions exceed the regulatory limit of 300,000 NGN |
| Alerted Transactions II | Generate an alert for entities with at least Y alerts with X amount and alert them again. | Requires a previously alerted entity that meets X new conditions; Has X count/amount of previous alerts; Only count the alerts if it flags this amount; Ignore 'with every transactions's value' | Flag employers using desktop payroll to submit larger than usual payroll transactions to themselves as opposed to employees |
| Chainalysis Alert - Risk levels | Generate an alert if an entity has X risk alert from Chainalysis with Y amount. | Requires external alert from Chainalysis; Filter on Chainalysis alerts and amount | Flag when a shopper is associated with one or more Chainalysis high risk alerts in a one-month period where the flagged USD amount is greater than 10,000 USD |
| Multiple Occurrences | Generate an alert if an entity triggers a rule X times (amount of triggers) in Y period. | Look for entities that trigger a rule multiple times | Flag if a high velocity rule is alerted twice |
| Insider Trading | Generate an alert if an entity makes a transaction similar to another entity X time later. | Look for entities that behave similarly | Flag if two employees in the company sell the same stock |
| Simple Filters | Generate an alert if an entity has X. | Wide filter match | Flag if my customer tries to ACH funds to another one of my customers |
| Simple Sequence | Generate an alert if an entity exhibits the following X sequence of events in X time. | Detect sequences such as $100, $200, $300 transacted; Requires python code; Legacy functionality, not currently supported | Flag change in basic information over three times in 30 days: action.action_type in ('tax_id_numbers', 'addresses', 'phones', 'emails', 'password_change') |
