Scenario Models


What are Scenario Models?
You can create rules using our scenario models, which are use-case scenarios you can choose from.
Scenarios you can choose from include:
- Simple Filter
- IP Blacklist
- Dormant Activity
- Structuring
- Insider Trading
- and many more.
For example:
- The Simple Filter scenario can flag transactions that use a certain credit card.
- The IP Blacklist scenario can flag transactions that come from IPs in countries like Iran.
- The Dormant Activity scenario can find transactions from users in your platform that have not used their account for over a year and suddenly have thousands of transactions in under a week.


When you select your ideal scenario, you can complete the logic by selecting information from drop-down menus to create the rule you want.
For example, if you select the Dormant Activity scenario, you can choose the length of the dormancy period from a drop-down menu: 30 days, 60 days, 3 months...
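To make the dormancy logic concrete, here is an added illustration in Python; it is not Unit21's implementation. It evaluates the Dormant Activity rule with the parameters used in this page's example (a transaction over $1,000 whose predecessor is more than 180 days old). The `Txn` record, the function name and the sample data are assumptions constructed for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Txn(NamedTuple):
    """Hypothetical transaction record (not a Unit21 data model)."""
    entity_id: str
    timestamp: datetime
    amount: float


def dormant_activity_alerts(txns, dormancy=timedelta(days=180), min_amount=1000.0):
    """Return (entity_id, timestamp, amount, gap_days) for every transaction
    above min_amount whose previous transaction by the same entity is older
    than the dormancy period."""
    by_entity = defaultdict(list)
    for t in txns:
        by_entity[t.entity_id].append(t)

    alerts = []
    for entity_id, items in by_entity.items():
        items.sort(key=lambda t: t.timestamp)  # input may arrive out of order
        # An entity's first transaction has no predecessor, so it can never
        # be classed as a return from dormancy.
        for prev, cur in zip(items, items[1:]):
            gap = cur.timestamp - prev.timestamp
            if gap > dormancy and cur.amount > min_amount:
                alerts.append((entity_id, cur.timestamp, cur.amount, gap.days))
    return sorted(alerts, key=lambda a: a[1])


# Constructed sample data, deliberately unsorted.
SAMPLE = [
    Txn("acct-1", datetime(2023, 1, 5), 40.0),
    Txn("acct-1", datetime(2023, 9, 1), 2500.0),  # 239-day gap, over $1,000: alert
    Txn("acct-1", datetime(2023, 9, 2), 3000.0),  # 1-day gap: no alert
    Txn("acct-2", datetime(2023, 9, 1), 5000.0),  # first transaction: no alert
    Txn("acct-3", datetime(2023, 8, 1), 900.0),   # 212-day gap, under $1,000: no alert
    Txn("acct-3", datetime(2023, 1, 1), 20.0),
]

if __name__ == "__main__":
    for alert in dormant_activity_alerts(SAMPLE):
        print(alert)
```

The `dormancy` and `min_amount` arguments play the role of the drop-down choices: lowering `min_amount` to 500 also flags the constructed `acct-3` transaction.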


Let's take a quick look at the scenarios you can choose from:
Anomaly Detection
These scenarios look for anomalous behaviors.
Scenario Name | Description | Use-Case | Example |
---|---|---|---|
Dormant Activity | Generate an alert if a user or business suddenly revitalizes an account after a period of dormancy. | | Flag an account that has made a transaction worth over $1,000.00 and the previous transaction was made over 180 days ago |
Historical Deviations A | Generate an alert if the transaction amount falls outside of the expected distribution (based on average transaction amounts). | | Flag an account if it is transacting funds to a high-risk country above their standard deviation plus 2 |
Historical Deviations B | Generate an alert if the transaction total amount differs by a specific amount. | | Flag if a merchant's selling volume has increased 100% or more in 30 days |
Newly Seen | Generate an alert if an entity has a suspicious number of new actions or new transactional information compared to its past. | | Flag if a user transacts from an unknown IP address based on historical records (not a previously known IP) |
Blacklists
These scenarios compare entity information and transactions to matchlists (whitelists, blacklists).
Scenario Name | Description | Use-Case | Example |
---|---|---|---|
Entity Blacklist | Generate an alert if an entity comes from a matchlist (a list your organization maintains of fraudulent users/businesses). | | Flag if the business is on a terrorism financing watchlist |
Blacklist String (Entities / Instruments) | Generates an alert if an instrument or entity has any information that is blacklisted in a matchlist. | | Flag if an account uses IP address 250.45.675.20 |
Blacklist String (Events) | Generates an alert if an entity makes a transaction with any blacklisted information held in a matchlist. | | Flag if a customer has transactions with parties in high risk foreign countries |
Country-subdivision Blacklist / Whitelist | Generates an alert if an entity is/isn't a sub-state match in the matchlist (works with whitelisting and blacklisting). | | Flag if user is not in IP whitelist (a list called "IP whitelisting - US States" with allowed state CA, NY, MI, and VI) |
IP Blacklist (Global) | Generate an alert if an entity comes from a global matchlist of blacklisted entities (a universal list of fraudulent users/businesses maintained by Unit21). | | Flag user with significant associations with publicly blacklisted and low reputation IP addresses (TOR, proxies, IP blacklists, spam lists, hosting services) |
Cardinality
These scenarios look for a specific number of events that have occurred in transactions.
Scenario Name | Description | Use-Case | Example |
---|---|---|---|
Same Value Transactions | Generate an alert if an entity is making a number of transactions of the same value in a given time period (either consecutively or non-consecutively). | | Flag round value amounts done consecutively within a short period |
Simple Count | Generate an alert if an entity makes X amount of transactions in Y time. | | Flag any transaction of $100,000 or higher for merchants with the label ‘new’. |
Simple Count Relative | Generate an alert if X occurs in Y percent of the user/business transactions. | | Flag a user if 70% of their transactions in 1 week have status = FAILED |
Simple Entity Count | Generate an alert if an entity has X | | Flag a customer transacting more than 4 transactions in 24 hours |
Simple Object Count (Entities / Instruments) | Generate an alert if X | | Flag if a phone number is associated to more than one customer |
Simple Object Count (Transactions) | Generate an alert if X | | Flag merchants with multiple phone numbers |
Statistics
These scenarios use simple mathematical methods to flag transactions with unexpected amounts and events.
Scenario Name | Description | Use-Case | Example |
---|---|---|---|
Simple Statistics | Generate an alert if an instrument or entity transacts | | Flag if the value of debit card refunds > $1000 over a period of 7 days |
Simple Statistics with Count | Generate an alert if an instrument or entity (identified by id, phone # or email address) transacts | | Flag if multiple companies send at least $5,000 to the same contractor in a month |
Simple Statistics with Custom Field | Generate an alert if an instrument or entity transacts | | Flag if entities conduct 1 or more transactions within a 24hr period which aggregates to more than 100% of the entity’s AUM (assets under management) |
Top Transacting Entities | Generate an alert if an entity has the largest sum/count of transactions over a given time period compared to all other users / businesses. | | Flag the top 5 accounts with cash deposits in the past 30 days |
Structuring / Smurfing
These are standard AML scenarios for flagging smurfs and transactions with:
- entities acting as intermediaries
- amounts just under recordable/flaggable thresholds
Scenario Name | Description | Use-Case | Example |
---|---|---|---|
Entity Specific Conduit | Generate an alert if a pair of entities transact X amount in Y period AND the net sum of the transactions is Z between them. | | Flag entities that have a sequence of back and forth transactions with the same (set of) associated counterparties |
Layering | Generate an alert if an entity has X percent of transactions meet Y criteria and then a subset of those meet Z criteria. | | Flag an entity with high velocity of funds |
Pass-Through | Generate an alert if an entity has X ratio between received and sent funds in a transaction (i.e. if an entity receives X, how much of X is transacted in Y time). | | Flag large or structured deposits immediately followed by series of withdrawals within a short period |
Pass-Through Transferred Percent | Generate an alert if an entity sent X percent of their funds to another user / business. | | Flag an entity that receives a lot of money and then sends out most of what it received |
Structuring | Generate an alert if a pattern of nonconsecutive transactions are all fiat dollar values similar to each other. | | Flag if more than 10 transactions took place in the past 3 months with amounts within 25% of each other |
Transaction Funds Ratio | Generate an alert if an entity receives transactions and X percent of the amount comes from Y state/country/zip code (out of all your previous locations) | | Flag HOAs that receive payments from more than 10 homeowners and over half of the total collected or half of the payments received came from homeowners residing in a different state |
Transaction Statistics A | Generate an alert if the average individual transaction volume > X and < Y AND with/without combined volume < or > Z. | | Flag if a certain number of transactions lie within a range that's close to regulation thresholds of $10,000 |
Other
These are industry specific scenarios or extremely broad scenarios with a lot of flexibility for configuration.
Scenario Name | Description | Use-Case | Example |
---|---|---|---|
Aggregate Difference (Transactions) | Generate an alert for an entity where the difference between A deposits and outgoing B transactions is greater than X amount in Y period. | | Flag customers in Nigeria whose total deposits minus total outgoing transactions are over the regulatory limit of 300,000 NGN |
Alerted Transactions II | Generate an alert for entities with at least Y alerts with X amount and alert them again. | | Flag employers using desktop payroll to submit larger than usual payroll transactions to themselves as opposed to employees |
Chainalysis Alert - Risk levels | Generate an alert if an entity has X risk alert from Chainalysis with Y amount. | | Flag when a shopper is associated with one or more Chainalysis high risk alerts in a one-month period where the flagged USD amount is greater than 10,000 USD |
Multiple Occurrences | Generate an alert if an entity triggers a rule X times (amount of triggers) in Y period. | | Flag if a high velocity rule is alerted twice |
Insider Trading | Generate an alert if an entity makes a transaction similar to another entity X time later. | | Flag if two employees in the company sell the same stock |
Simple Filters | Generate an alert if an entity has X. | | Flag if my customer tries to ACH funds to another one of my customers |
Simple Sequence | Generate an alert if an entity exhibits the following X sequence of events in X time. | | Flag change in basic information over three times in 30 days: `action.action_type in ('tax_id_numbers', 'addresses', 'phones', 'emails', 'password_change')` |