Scenario Reference
This reference outlines the major types of rule scenarios. If you're looking for information about a certain scenario, try searching with ctrl+f.
Broadly, there are four types of scenarios:
- Anomaly detection: unusual patterns.
- Transaction structuring: where entity transaction behavior masks AML
- Set combinations(cardinality): flag alerts only when the data meets certain criteria.
- Denylist: where the involved objects are on Denylists
The following tables provide brief descriptions of some key scenarios. Note that this is not the exhaustive list. If you still need help making a certain rule, ask your CSM for guidance.
Vocab note: "Object"
In these tables, "object" refers to any piece of data that's processed by Unit21, e.g. transactions, entities, and instruments.
Anomaly Detection
| Scenario | Description | Example |
|---|---|---|
| Dormant Activity | Detects sudden activity after periods of account dormancy. Options Entities | All entities experiencing activity after of transaction dormancy with the following conditions (i) the next transaction has an amount greater than <$> (ii) the have previous transaction(s) before the dormancy period. |
| Historical Deviations A | Generates alert when an entity's recent transaction behavior deviates from the entity’s typical behavior. Options Entities | More than 5 transfers and $1,000 in value in one day differing over 3 standard deviations compared to the previous 30 days" |
| Historical Deviations B | Generates alert when entity transaction behavior deviates from historical system behavior Options Entities, Count | All entities where the deviation between transactions [amount >3000] in the last 120 days compared to those in the last 240 days have count greater than $2. Group alerts by entity. |
| Newly seen | Detects when a new transaction type occurs. Options Entities, Transactions | All entities seeing a newly seen value of field sent_currency compared to 12 weeks and a minimum previous count of 2. Group alerts by entity. |
Structuring and smurfing
| Scenario | Description | Example |
|---|---|---|
| Layering | Flags entities with two different groups of transactions in a time period in which one group constitutes a certain percent of the other group. Options Entities | "Flag entities that have at least 10K of deposits and at least 80% of that in withdrawals in a 2 hour span" |
| Pass through | Generates alert when there are large discrepancies between sent and received amounts. Options Entities, amount | All entities (i) that have at least 2 transactions (ii) have a minimum of these transactions' amount is greater than $1000 (iii) Where the net sent/received amount difference is greater than 500 in a 365 days period. Group alerts by entity. |
| Pass through transferred percent | Generates alert when there are large percentage discrepancies between sent and received amounts. Options Entities, amount | All entities who received an initial transaction amount sum threshold of $ 10000 and sent greater than 50 % of funds received from another user in a 365 days period. |
| Same Value Transactions | Detects consecutive transactions of same value. Options Entities, consecutive, [round numbers](#round-numbers | All entities experiencing at least 5 consecutive transactions of the same value in a 365 days period, with the individual transaction amounts being round numbers. |
Denylists
| Scenario | Description | Example |
|---|---|---|
| Blacklist String (Entities/Instruments) | Checks whether entities or instruments contain any of the data from a specified denylist | All entities having instrument_id that match any of the values in the selected denylist. Options: Entities, Transactions |
| Blacklist String (events) | Checks whether transactions contain data from a denylist Options: Entities, Transactions | All entities having transaction related event_subtype that match any values in the selected denylist. Group alerts by entity. |
| IP Blacklist (global) | Checks whether transactions, entities, or instruments contain an IP from the global blacklist | All entities, transactions, instruments from any IP address that is blacklisted. |
Combined sets (cardinalities)
| Scenario | Description | Example |
|---|---|---|
| Simple Count | Generates alerts after a certain number of transactions(e.g transactions over a certain value). Options: Entities, Transactions | All sender entities where the count of transactions >$10000 related unique transactions in a 365 days period is greater than 50. |
| Simple Count Relative | Generates alerts when ratio of transactions exceeds certain number | All entities where the ratio of count of transaction related unique sent_currency to the number of transactions in a 365 days period is greater than 2 having at least 5 transactions per group. |
| Simple Entity Count | Generates alert when number of transactions for an entity exceeds a certain number. Options: Entities, Transactions | All entities where the count of unique transactions is equal to $909. |
| Simple Count of entities and instruments | Generates alert for objects that meet combinations of values. Options entities, location and device | All ip_address where the count of unique Instruments is greater than 1000 |
| Simple Object Count | Generates alert for transactions that meet combinations of values. Options: Transactions | |
| Simple Statistics | Flags entities with transaction volumes above a certain threshold within a specific time interval. Options: Entities, Sum, Amount | All entities where the sum of transaction amount in a 365 days period is greater than 50000. |
| Simple Statistics with count | This scenario flags entities with transaction volume above a certain threshold and transaction related counts above a certain threshold, both within a specific time intervals. Options: Entities, Transactions, ID, Sum, Amount | All receiver entities having transactions where(i) the sum of sent_amount in a 365 days period is greater than 3400 And (ii) the count of unique transactions related to these transactions is greater than 6 |
| Top Transacting Entities | Filters for the entities that are in the upper range. Options: Entities, sum | Top 20 entities based on transaction sum in the last 7 days. |
| Transaction statistics A | This scenario flags entities with a group of transactions in a certain time range whose average transaction amount falls within a certain range. Options: Entities, With the condition of, less than | All entities that have 20 or more transactions in a 5 hour span where the average transaction amount is between $1000 and $2000 and the combined total volume is less than $8000" |
Updated 5 months ago