What are Scenario Models?

You can create rules using our scenario models which are use-case scenarios you can choose.

Scenarios you can choose from include:

Simple Filter
IP Blacklist
Dormant Activity
Structuring
Insider Trading
and much more.

For example:

The Simple Filter scenario can flag transactions that use a certain credit card.
The IP Blacklist scenario can flag transactions that come from IPs in countries like Iran.
The Dormant Activity scenario can find transactions from users in your platform that have not used their account for over a year and suddenly have thousands of transactions in under a week.

When you select your ideal scenario, you can complete the logic by selecting information from drop-down menus to create the rule you want.

For example, if you select the dormant scenario, then you can choose from a dropdown menu how long the dormancy period is -> 30 days, 60 days, 3 months...

Let's take a quick look at the scenarios you can choose from:

Anomaly Detection

These scenarios looks for anomalous behaviors.

Scenario Name	Description	Use-Case	Example
Dormant Activity	Generate an alert if a user or business suddenly revitalizes an account after a period of dormancy.	Large cash withdrawals from a previously dormant or inactive account	Flag an account that has made a transaction worth over $1,000.00 and the previous transaction was made over 180 days ago
Historical Deviations A	Generate an alert if the transaction amount falls outside of the expected distribution (based on average transaction amounts).	Sum/count/amount of transactions falls outside of a specified range Count anomalous transactions	Flag an account if it is transacting funds to a high-risk country above their standard deviation plus 2
Historical Deviations B	Generate an alert if the transaction total amount differs by a specific amount.	Account suddenly has a spike in transactions Look for deviations in transactions	Flag if a merchant's selling volume has increased 100% or more in 30 days
Newly Seen	Generate an alert if an entity has a suspicious number of new actions or new transactional information compared to its past.	Account adds a lot of new credit cards Account transacts from an never before seen IP address	Flag if a user transacts from an unknown IP address based on historical records (not a previously known IP)

Blacklists

These scenarios compare entity information and transactions to matchlists (whitelists, blacklists).

Scenario Name	Description	Use-Case	Example
Entity Blacklist	Generate an alert if an entity comes from a matchlist (a list your organization maintains of fraudulent users/businesses).	314A business check	Flag if the business is on a terrorism financing watchlist
Blacklist String (Entities / Instruments)	Generates an alert if an instrument or entity has any information that is blacklisted in a matchlist.	Account with a spam email accounts	Flag if an account uses IP address 250.45.675.20
Blacklist String (Events)	Generates an alert if an entity makes a transaction with any blacklisted information held in a matchlist.	Transaction made with suspected stolen credit card	Flag if a customer has transactions with parties in high risk foreign countries
Country-subdivision Blacklist / Whitelist	Generates an alert if an entity is/isn't a sub-state match in the matchlist (works with whitelisting and blacklisting).	Allow transactions in certain states only	Flag if user is not in IP whitelist (a list called "IP whitelisting - US States" with allowed state CA, NY, MI, and VI)
IP Blacklist (Global)	Generate an alert if an entity comes from a global matchlist of blacklisted entities (a universal list of fraudulent users/businesses maintained by Unit21).	Business has a domain name with poor reputation (spamhaus)	Flag user with significant associations with publicly blacklisted and low reputation IP addresses (TOR, proxies, IP blacklists, spam lists, hosting services)

Cardinality

These scenarios are looking for a specific number of events that have occurred in transactions.

Scenario Name	Description	Use-Case	Example
Same Value Transactions	Generate an alert if an entity is making a number of transactions of the same value in a given time period (either consecutively or non-consecutively).	User repeatedly sends $5	Flag round value amounts done consecutively within a short period
Simple Count	Generate an alert if an entity makes X amount of transactions in Y time.	Business transacts over $1,000,000.00	Flag any transaction of $100,000 or higher for merchants with the label ‘new’.
Simple Count Relative	Generate an alert if X occurs in Y percent of the user/business transactions.	User has too many bounced checks	Flag a user if 70% of their transactions in 1 week have `status = FAILED`
Simple Entity Count	Generate an alert if an entity has X transactions instruments sent currency ...	Account has over 5000 transactions in a week	Flag a customer transacting more than 4 transactions in 24 hours
Simple Object Count (Entities / Instruments)	Generate an alert if X address email address ip address ... is used by a unique instrument, user or business Y times.	Two or more accounts have the same address	Flag if a phone number is associated to more than one customer
Simple Object Count (Transactions)	Generate an alert if X address email address ip address ... is used in a transaction Y times with each transaction having the same Z (instrument / address...).	Multiple transactions with the same credit card all used different currencies	Flag merchants with multiple phone numbers

Statistics

These scenarios use simple mathematical methods to flag transactions with unexpected amounts and events.

Scenario Name	Description	Use-Case	Example
Simple Statistics	Generate an alert if a instrument or entity transacts min avg max sum > or < or = to X amount.	A business has a lot of credit card disputes and chargebacks	Flag if the value of debit card refunds > $1000 over a period of 7 days
Simple Statistics with Count	Generate an alert if a instrument or entity (identified by id, phone # or email address) transacts min avg max sum > or < or = to X amount in Y count of transactions.	A business makes over 10 transactions to the same user	Flag if multiple companies send at least $5,000 to the same contractor in a month
Simple Statistics with Custom Field	Generate an alert if a instrument or entity transacts min avg max sum > or < or = to X (where X is a required custom data field)	A user transacts more than their credit allows	Flag if entities conduct 1 or more transactions within a 24hr period which aggregates to more than 100% of the entity’s AUM (assets under management)
Top Transacting Entities	Generate an alert if an entity has the largest sum/count of transactions over a given time period compared to all other users / businesses.	Accounts with top most transactions in Iran	Flag the top 5 accounts with cash deposits in the past 30 days

Structuring / Smurfing

These are standard AML scenarios for flagging smurfs and transactions with:

entities acting as intermediaries
amounts just under recordable/flaggable thresholds

Scenario Name	Description	Use-Case	Example
Entity Specific Conduit	Generate an alert if a pair of entities transact X amount in Y period AND the net sum of the transactions is Z between them.	Two accounts sending money back and forth but the net amount transferred is low	Flag entities that have a sequence of back and forth transactions with the same (set of) associated counterparties
Layering	Generate an alert if an entity has X percent of transactions meet Y criteria and then a subset of those meet Z criteria.	Check an entity for money in versus money out (sender versus receiver activity) Velocity checker	Flag an entity with high velocity of funds
Pass-Through	Generate an alert if an entity has X ratio between received and sent funds in a transaction (i/e if an entity receives X, how much of X is transacted in Y time).	Looking for a middle man Look at net sent/received $ in transactions	Flag large or structured deposits immediately followed by series of withdrawals within a short period
Pass-Through Transferred Percent	Generate an alert if an entity sent X percent of their funds to another user / business.	Entity received a large initial amount of $ and a large percentage of it is sent to a single user	Flag an entity that receives a lot of money and then sends out most of what it received
Structuring	Generate an alert if a pattern of nonconsecutive transactions are all fiat dollar values similar to each other.	Structured movement of funds such as 'entity receives $10K and sends out $3K, $3K and $4K` Lots of similar $ amounts in transactions	Flag if more than 10 transactions took place in the past 3 months with amounts 25% of each other
Transaction Funds Ratio	Generate an alert if an entity receives transactions and X percent of the amount comes from Y state/country/zip code (out of all you previous locations)	Unexpected change in location of sender from received funds Unexpected location for a majority of senders in a transaction	Flag HOAs that receive payments from more than 10 homeowners and over half of the total collected or half of the payments received came from homeowners residing in a different state
Transaction Statistics A	Generate an alert if the average individual transaction volume > X and < Y AND with/without combined volume < or > Z.	Transactions with amounts near regulatory thresholds but not exceeding it Smurfing	Flag if a certain number of transactions that lie within a range that's close to regulation thresholds of $10,000

Other

These are industry specific scenarios or extremely broad scenarios with a lot of flexibility for configuration.

Scenario Name	Description	Use-Case	Example
Aggregate Difference (Transactions)	Generate an alert for an entity where the difference between A deposits and outgoing B transactions is greater than X amount in Y period.	A and B require custom data and simple code `custom_data->field == condition`	Flag if customers in Nigeria who’s total deposits – total outgoing transactions = over the regulatory limit of 300,000 NGN
Alerted Transactions II	Generate an alert for entities with at least Y alerts with X amount and alert them again.	Requires a previously alerted entity that meets X new conditions Has X count/amount of previous alerts Only count the alerts if it flags this amount Ignore 'with every transactions's value'	Flag employers using desktop payroll to submit larger than usual payroll transactions to themselves as opposed to employees
Chainalysis Alert - Risk levels	Generate an alert if an entity has X risk alert from chainalysis with Y amount.	Requires external alert from chainalysis Filter on chainalysis alerts and amount	Flag when a shopper is associated with one or more Chainalysis high risk alerts in a one-month period where the flagged USD amount is greater than 10,000 USD
Multiple Occurrences	Generate an alert if an entity triggers a rule X times (amount of triggers) in Y period.	Look for entities that trigger a rule multiple times	Flag if a high velocity rule is alerted twice
Insider Trading	Generate an alert if an entity makes a transaction similar to another entity X time later.	Look for entities that behave similarly	Flag if two employees in the company sell the same stock
Simple Filters	Generate an alert if an entity has X.	Wide filter match	Flag if my customer tries to ACH funds to another one of my customer
Simple Sequence	Generate an alert if an entity exhibits the following X sequence of events in X time.	Detect sequences such as $100, $200, $300 transacted Requires python code Legacy functionality, not currently supported	Flag change in basic information over three times in 30 days: `action.action_type in ('tax_id_numbers', 'addresses', 'phones', 'emails', 'password_change')`