Rules library

Explore ready-to-use rules you can adapt to your own risk strategy.

Card

Transfer

Withdrawal

Crypto

Acquiring

Events

Internal employee transfer

Attempted transfer between a customer account and a known bank employee account

Abnormal refund ratio

Merchant refund volume exceeds 20% of total sales volume in a 7-day rolling window

Elderly social engineering

Customer over 65 sending a first-time transfer to a high-risk jurisdiction

Remote access detection

User logged in while a remote desktop protocol (AnyDesk, TeamViewer) was active on the device

PII change followed by payout

Phone or email changed followed by a high-value transfer or withdrawal within 24 hours

Circular funds flow

Funds move from Account A to B to C and back to A within 72 hours

Peeling chain behavior

5+ small outgoing transfers to unique crypto exchange addresses within 1 hour

Sudden crypto on-ramping

Customer with no history of crypto activity sends >$5000 to an exchange within 24 hours

High-risk VASP interaction

Outgoing transfer to a crypto exchange with known weak AML/KYC controls

Micro-deposit testing

Account receives 3+ incoming transfers <$1 from a known crypto exchange within 24 hours

Rapid crypto liquidation

Incoming transfer followed by ≥95% outbound to a crypto exchange within 4 hours

Rapid merchant peak

New merchant processes >$5000 within 48 hours of account activation

Repeat card acquiring

Merchant processes 3+ transactions from the same card number within 24 hours for a total ≥$1000

Commercial activity on personal account

User received 5+ transfers with labels like 'Invoice' or 'Service' on a retail account

Merchant volume spike

Total processed volume in 24 hours is 5x the merchant's daily average

Blacklisted card issuer

Acquiring transaction initiated from a card issued in a FATF blacklisted country

Merchant velocity spike

Transaction count in 24 hours is 5x the merchant's daily average

Unusual merchant ticket size

Acquired transaction amount is ≥10x the merchant's historical average ticket size

Rapid beneficiary addition

3+ new beneficiaries added to the account within a 24-hour period

Activity volume spike

Daily transaction count is >3x the daily average of the previous 30 days

Multiple salary pay-ins

User received 2+ transfers labelled as salary from different emitters within 14 days

Device login velocity

10+ successful logins from the same device ID within 3 hours

Immediate gambling spend

User receives a pay-in and spends ≥80% of it at a gambling institution within 24 hours

Multiple cross-border pay-ins

User received 3+ cross-border transfers within a 3-day rolling window

Incorrect PIN then CNP

An 'Incorrect PIN' decline followed by a successful Card-Not-Present transaction within 3 hours

Reciprocal funds flow

User receives a transfer and sends the exact same amount back to the sender within 72 hours

Contactless merchant velocity

3+ contactless payments to the same merchant within a 12-hour period

High-frequency gambling spend

20+ card payments to gambling institutions within a 30-day period

High-frequency crypto spend

10+ card payments to crypto institutions within a 30-day period

High-risk jurisdiction login

User logged in from a jurisdiction marked as high-risk or sanctioned

IP login velocity

10+ successful logins from the same IP address within 3 hours

Impossible travel login

Logins from two different countries or IP geo-locations in less than 3 hours

Shared device login

User logged in with a device used by a different account holder within the last 7 days

New device login

User successfully logged in with a device fingerprint never seen before on this account

Multiple withdrawals velocity

3+ withdrawals with a cumulated amount ≥$1000 within a 24-hour period

Spend vs Income mismatch

Monthly outbound volume exceeds the user's declared monthly income by ≥200%

Cross-border transfer threshold

User performed a cross-border transfer exceeding $1000

Late-night withdrawal anomaly

Withdrawal ≥$500 performed between 22:00 and 06:00 local time

Corporate receipt of salary

A registered corporate account receives a transfer explicitly labelled as 'Salary'

Manual crypto label

Transaction label contains crypto-related keywords (BTC, Binance, Kraken) on a P2P transfer

Precious metals dominance

Over 50% of the user's monthly outgoing transaction count is directed to precious metals merchants

Gambling transaction dominance

Over 50% of the user's monthly outgoing transaction count is directed to gambling MCCs

Crypto transaction dominance

Over 50% of the user's monthly outgoing transaction count is directed to crypto MCCs

Suspicious memo keywords

Transaction label contains high-risk keywords (e.g., 'drugs', 'scam', 'refund', 'bail')

Rapid activation spend

Total spend exceeds $1000 within the first 24 hours after account onboarding

Transfer balance depletion

Outgoing transfer amount matches ≥98% of the available account balance

Withdrawal balance depletion

Withdrawal amount matches ≥98% of the available account balance

Card payment balance depletion

Card payment amount matches ≥98% of the available account balance

Quasi-cash velocity

User spent >$1000 at money transfer or quasi-cash institutions within 7 days

Precious metals accumulation

User spent >$2000 at precious metals or jewelry merchants within 7 days

Excessive gambling concentration

User spent >$1000 or >50% of monthly income at gambling merchants within 7 days

High-volume crypto on-ramping

User spent >$2000 at cryptocurrency institutions within a 7-day rolling window

Round-sum salary

Transfer labelled as "Salary" but the amount is a perfect multiple of $100 (unusual for standard payroll)

Consolidation for payout

3+ different emitters send transfers to one beneficiary who then moves the total amount out within 24 hours

Multiple high-value pay-ins

Customer received 3+ transfers ≥$1000 from different emitters within 24 hours

Static high-value transfer

Transfer amount exceeds $5000 (Static threshold for standard segment)

Static high-value card payment

Card payment exceeds $1000 (Static threshold for standard segment)

Impossible travel velocity

Two physical card transactions in different countries where the distance/time ratio exceeds 800km/h

Static high-value withdrawal

Withdrawal amount exceeds $1000 (Static threshold for standard segment)

Card tester pattern

Small 'tester' Card-Present transaction (≤$10) followed by a large Card-Not-Present transaction (≥$500) within 3 hours

Withdrawal in FATF-listed country

Physical cash withdrawal performed in a FATF blacklisted or greylisted country

Transfer from FATF-listed country

Incoming transfer received from an emitter in a FATF blacklisted or greylisted country

Transfer to FATF-listed country

Outgoing transfer to a beneficiary in a FATF blacklisted or greylisted country

Card payment to FATF-listed country

Card payment made to a merchant registered in a FATF blacklisted or greylisted country

Beneficiary name mismatch

Beneficiary name provided by the emitter does not match the legal name of the account holder

High-value withdrawal on dormant account

A withdrawal >$500 made on an account with no activity in the last 90 days

Sudden pay-in on dormant account

An incoming transfer >$1000 received on an account with no activity in the last 90 days

High-value transfer on dormant account

An outgoing transfer >$1000 made on an account with no transaction history in the last 90 days

High-value card spend on dormant account

A card payment >$500 made on an account with no transaction history in the last 90 days

Transfer to high-risk BIC

Outgoing transfer to a BIC located in a high-risk or non-cooperative jurisdiction (FATF/Sanctions)

Sanctioned account match

Transaction involving an IBAN or account number present on a global or internal sanctions list

Transfer from high-risk BIC

Incoming transfer received from a BIC located in a high-risk or non-cooperative jurisdiction

Transfer structuring

5+ transfers from the same customer to the same beneficiary for a total ≥1000€ within 7 days

Card payment structuring

5+ payments from the same customer to the same merchant for a total ≥1000€ within 7 days

Immediate card spend of received funds

Card payment amount is ≥90% of total funds received within the previous 24 hours

High relative card spend

Card payment is ≥10x the user's average card spend over the last 60 days

High relative withdrawal amount

Withdrawal amount is ≥10x the user's average withdrawal amount over the last 60 days

Rapid funds pass-through

Transfer amount is ≥90% of the total funds received within the previous 24 hours

High relative transfer amount

Transfer amount is ≥10x the user's average transfer amount over the last 60 days

Immediate gambling spend

Credit/Refund Fraud

Tax Evasion

Third-Party Fraud

Account Takeover (ATO)

Scams

Money Laundering

Sanctions/CTF

Structuring

Mule Activity

User receives a pay-in and spends ≥80% of it at a gambling institution within 24 hours