You can create rules using our scenario models which are use-case scenarios you can choose.
Scenarios you can choose from include:
- Simple Filter
- IP Blacklist
- Dormant Activity
- Insider Trading
- and much more.
- The Simple Filter scenario can flag transactions that use a certain credit card.
- The IP Blacklist scenario can flag transactions that come from IPs in countries like Iran.
- The Dormant Activity scenario can find transactions from users in your platform that have not used their account for over a year and suddenly have thousands of transactions in under a week.
Your organization may not be able to access all of the scenarios listed.
Ask your CSM for more details.
When you select your ideal scenario, you can complete the logic by selecting information from drop-down menus to create the rule you want.
For example, if you select the dormant scenario, then you can choose from a dropdown menu how long the dormancy period is -> 30 days, 60 days, 3 months...
Let's take a quick look at the scenarios you can choose from:
These scenarios looks for anomalous behaviors.
|Dormant Activity||Generate an alert if a user or business suddenly revitalizes an account after a period of dormancy.||
||Flag an account that has made a transaction worth over $1,000.00 and the previous transaction was made over 180 days ago|
|Historical Deviations A||Generate an alert if the transaction amount falls outside of the expected distribution (based on average transaction amounts).||
||Flag an account if it is transacting funds to a high-risk country above their standard deviation plus 2|
|Historical Deviations B||Generate an alert if the transaction total amount differs by a specific amount.||
||Flag if a merchant's selling volume has increased 100% or more in 30 days|
|Newly Seen||Generate an alert if an entity has a suspicious number of new actions or new transactional information compared to its past.||
||Flag if a user transacts from an unknown IP address based on historical records (not a previously known IP)|
These scenarios compare entity information and transactions to matchlists (whitelists, blacklists).
|Entity Blacklist||Generate an alert if an entity comes from a matchlist (a list your organization maintains of fraudulent users/businesses).||
||Flag if the business is on a terrorism financing watchlist|
|Blacklist String (Entities / Instruments)||Generates an alert if an instrument or entity has any information that is blacklisted in a matchlist.||
||Flag if an account uses IP address 250.45.675.20|
|Blacklist String (Events)||Generates an alert if an entity makes a transaction with any blacklisted information held in a matchlist.||
||Flag if a customer has transactions with parties in high risk foreign countries|
|Country-subdivision Blacklist / Whitelist||Generates an alert if an entity is/isn't a sub-state match in the matchlist (works with whitelisting and blacklisting).||
||Flag if user is not in IP whitelist (a list called "IP whitelisting - US States" with allowed state CA, NY, MI, and VI)|
|IP Blacklist (Global)||Generate an alert if an entity comes from a global matchlist of blacklisted entities (a universal list of fraudulent users/businesses maintained by Unit21).||
||Flag user with significant associations with publicly blacklisted and low reputation IP addresses (TOR, proxies, IP blacklists, spam lists, hosting services)|
These scenarios are looking for a specific number of events that have occurred in transactions.
|Same Value Transactions||Generate an alert if an entity is making a number of transactions of the same value in a given time period (either consecutively or non-consecutively).||
||Flag round value amounts done consecutively within a short period|
|Simple Count Relative||Generate an alert if X occurs in Y percent of the user/business transactions.||
||Flag a user if 70% of their transactions in 1 week have
|Simple Entity Count||Generate an alert if an entity has X
||Flag a customer transacting more than 4 transactions in 24 hours|
|Simple Object Count (Entities / Instruments)||Generate an alert if X
||Flag if a phone number is associated to more than one customer|
|Simple Object Count (Transactions)||Generate an alert if X
||Flag merchants with multiple phone numbers|
These are standard AML scenarios for flagging smurfs and transactions with:
- entities acting as intermediaries
- amounts just under recordable/flaggable thresholds
|Entity Specific Conduit||Generate an alert if a pair of entities transact X amount in Y period AND the net sum of the transactions is Z between them.||
||Flag entities that have a sequence of back and forth transactions with the same (set of) associated counterparties|
|Layering||Generate an alert if an entity has X percent of transactions meet Y criteria and then a subset of those meet Z criteria.||
||Flag an entity with high velocity of funds|
|Pass-Through||Generate an alert if an entity has X ratio between received and sent funds in a transaction (i/e if an entity receives X, how much of X is transacted in Y time).||
||Flag large or structured deposits immediately followed by series of withdrawals within a short period|
|Pass-Through Transferred Percent||Generate an alert if an entity sent X percent of their funds to another user / business.||
||Flag an entity that receives a lot of money and then sends out most of what it received|
|Structuring||Generate an alert if a pattern of nonconsecutive transactions are all fiat dollar values similar to each other.||
||Flag if more than 10 transactions took place in the past 3 months with amounts 25% of each other|
|Transaction Funds Ratio||Generate an alert if an entity receives transactions and X percent of the amount comes from Y state/country/zip code (out of all you previous locations)||
||Flag HOAs that receive payments from more than 10 homeowners and over half of the total collected or half of the payments received came from homeowners residing in a different state|
|Transaction Statistics A||Generate an alert if the average individual transaction volume > X and < Y AND with/without combined volume < or > Z.||
||Flag if a certain number of transactions that lie within a range that's close to regulation thresholds of $10,000|
These are industry specific scenarios or extremely broad scenarios with a lot of flexibility for configuration.
|Aggregate Difference (Transactions)||Generate an alert for an entity where the difference between A deposits and outgoing B transactions is greater than X amount in Y period.||
||Flag if customers in Nigeria who’s total deposits – total outgoing transactions = over the regulatory limit of 300,000 NGN|
|Alerted Transactions II||Generate an alert for entities with at least Y alerts with X amount and alert them again.||
||Flag employers using desktop payroll to submit larger than usual payroll transactions to themselves as opposed to employees|
|Chainalysis Alert - Risk levels||Generate an alert if an entity has X risk alert from chainalysis with Y amount.||
||Flag when a shopper is associated with one or more Chainalysis high risk alerts in a one-month period where the flagged USD amount is greater than 10,000 USD|
|Entity Matching Links||Generate an alert if an entity has similar information to another entity.||
||Flag if three or more users use the same credit card|
|Insider Trading||Generate an alert if an entity makes a transaction similar to another entity X time later.||
||Flag if two employees in the company sell the same stock|
|Multiple Occurrences||Generate an alert if an entity triggers a rule X times (amount of triggers) in Y period.||
||Flag if a high velocity rule is alerted twice|
|Relative Transaction Amount Sequence||Generate an alert for an entity with 2 consecutive transactions within a certain period.||
||Flag if a customer buys a stock high and sells low same day.|
|Simple Filters||Generate an alert if an entity has X.||
||Flag if my customer tries to ACH funds to another one of my customer|
|Simple Sequence||Generate an alert if an entity exhibits the following X sequence of events in X time.||
||Flag change in basic information over three times in 30 days:
Updated 6 months ago