Scenario Reference

This reference outlines the major types of rule scenarios. If you're looking for information about a certain scenario, try searching with ctrl+f.

Broadly, there are four types of scenarios:

  • Anomaly detection: unusual patterns.
  • Transaction structuring: where entity transaction behavior masks AML
  • Set combinations(cardinality): flag alerts only when the data meets certain criteria.
  • Denylist: where the involved objects are on Denylists

The following tables provide brief descriptions of some key scenarios. Note that this is not the exhaustive list. If you still need help making a certain rule, ask your CSM for guidance.


Vocab note: "Object"

In these tables, "object" refers to any piece of data that's processed by Unit21, e.g. transactions, entities, and instruments.

Anomaly Detection

Dormant ActivityDetects sudden activity after periods of account dormancy. Options EntitiesAll entities experiencing activity after of transaction dormancy with the following conditions (i) the next transaction has an amount greater than <$> (ii) the have previous transaction(s) before the dormancy period.
Historical Deviations AGenerates alert when an entity's recent transaction behavior deviates from the entity’s typical behavior. Options EntitiesMore than 5 transfers and $1,000 in value in one day differing over 3 standard deviations compared to the previous 30 days"
Historical Deviations BGenerates alert when entity transaction behavior deviates from historical system behavior Options Entities, CountAll entities where the deviation between transactions [amount >3000] in the last 120 days compared to those in the last 240 days have count greater than $2. Group alerts by entity.
Newly seenDetects when a new transaction type occurs. Options Entities, TransactionsAll entities seeing a newly seen value of field sent_currency compared to 12 weeks and a minimum previous count of 2. Group alerts by entity.

Structuring and smurfing

LayeringFlags entities with two different groups of transactions in a time period in which one group constitutes a certain percent of the other group. Options Entities"Flag entities that have at least 10K of deposits and at least 80% of that in withdrawals in a 2 hour span"
Pass throughGenerates alert when there are large discrepancies between sent and received amounts. Options Entities, amountAll entities (i) that have at least 2 transactions (ii) have a minimum of these transactions' amount is greater than $1000 (iii) Where the net sent/received amount difference is greater than 500 in a 365 days period. Group alerts by entity.
Pass through transferred percentGenerates alert when there are large percentage discrepancies between sent and received amounts. Options Entities, amountAll entities who received an initial transaction amount sum threshold of $ 10000 and sent greater than 50 % of funds received from another user in a 365 days period.
Same Value TransactionsDetects consecutive transactions of same value. Options Entities, consecutive, [round numbers](#round-numbersAll entities experiencing at least 5 consecutive transactions of the same value in a 365 days period, with the individual transaction amounts being round numbers.


Blacklist String (Entities/Instruments)Checks whether entities or instruments contain any of the data from a specified denylistAll entities having instrument_id that match any of the values in the selected denylist. Options: Entities, Transactions
Blacklist String (events)Checks whether transactions contain data from a denylist Options: Entities, TransactionsAll entities having transaction related event_subtype that match any values in the selected denylist. Group alerts by entity.
IP Blacklist (global)Checks whether transactions, entities, or instruments contain an IP from the global blacklistAll entities, transactions, instruments from any IP address that is blacklisted.

Combined sets (cardinalities)

Simple CountGenerates alerts after a certain number of transactions(e.g transactions over a certain value). Options: Entities, TransactionsAll sender entities where the count of transactions >$10000 related unique transactions in a 365 days period is greater than 50.
Simple Count RelativeGenerates alerts when ratio of transactions exceeds certain numberAll entities where the ratio of count of transaction related unique sent_currency to the number of transactions in a 365 days period is greater than 2 having at least 5 transactions per group.
Simple Entity CountGenerates alert when number of transactions for an entity exceeds a certain number. Options: Entities, TransactionsAll entities where the count of unique transactions is equal to $909.
Simple Count of entities and instrumentsGenerates alert for objects that meet combinations of values. Options entities, location and deviceAll ip_address where the count of unique Instruments is greater than 1000
Simple Object CountGenerates alert for transactions that meet combinations of values. Options: Transactions
Simple StatisticsFlags entities with transaction volumes above a certain threshold within a specific time interval. Options: Entities, Sum, AmountAll entities where the sum of transaction amount in a 365 days period is greater than 50000.
Simple Statistics with countThis scenario flags entities with transaction volume above a certain threshold and transaction related counts above a certain threshold, both within a specific time intervals. Options: Entities, Transactions, ID, Sum, AmountAll receiver entities having transactions where(i) the sum of sent_amount in a 365 days period is greater than 3400 And (ii) the count of unique transactions related to these transactions is greater than 6
Top Transacting EntitiesFilters for the entities that are in the upper range. Options: Entities, sumTop 20 entities based on transaction sum in the last 7 days.
Transaction statistics AThis scenario flags entities with a group of transactions in a certain time range whose average transaction amount falls within a certain range. Options: Entities, With the condition of, less thanAll entities that have 20 or more transactions in a 5 hour span where the average transaction amount is between $1000 and $2000 and the combined total volume is less than $8000"