Configure your anomaly detection rules (for AML & compliance) to identify suspicious activities
Protecting your financial operations from fraudulent activities requires a careful balance of security measures and operational efficiency.
This guide will walk you through the essential settings for configuring fraud detection parameters, helping you establish effective barriers against unauthorized or suspicious transactions while minimizing false positives that could impact legitimate business operations.
Whether you’re new to fraud prevention or looking to optimize your existing security measures, understanding these thresholds is crucial for maintaining a robust defense against financial fraud.
Blnk automatically sets a minimum configuration once anomalies are activated for your Cloud workspace.
Amount difference (%)
Defines the acceptable range of variation between transaction amounts. With 5%, transactions within this percentage of each other are flagged as similar.
For example, a $100 transaction would match with transactions between $95 - $105.
Time window (in minutes)
The period in which the system looks for similar transactions. This creates a rolling 30-minute window where patterns are analyzed. Any similar transactions that occur within this timeframe are grouped together for analysis.
Minimum similar count
The number of similar transactions needed to trigger an alert. At least three transactions meeting the amount and time criteria must occur before the system flags suspicious activity.
Similarity score threshold (%)
The degree to which transactions must match across various characteristics to be considered similar. At 70%, transactions must share a significant number of attributes, such as transaction type or location, but don’t need to be identical.
Together, these settings create a balanced system for detecting suspicious patterns while minimizing false alarms.
For example, to trigger an alert, you would need at least 3 transactions (Minimum Similar Count) within 30 minutes (Time Window) that are within 5% of each other’s value (Amount Difference) and share at least 70% of their characteristics (Similarity Score).
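The combined rule above, written out as an added Python example over constructed transactions (not Blnk's code). It assumes amounts are compared against the earliest transaction in the window and that the similarity score is the share of matching attributes; the attribute list and field names are hypothetical.

```python
from datetime import datetime, timedelta

AMOUNT_DIFF_PCT = 5                  # thresholds from the guide's example
TIME_WINDOW = timedelta(minutes=30)
MIN_SIMILAR_COUNT = 3
SIMILARITY_PCT = 70
# Assumption: the attributes compared for the similarity score.
ATTRS = ("type", "country", "channel", "destination")
DEFAULTS = dict(type="transfer", country="NG", channel="mobile", destination="acct_9")

def amount_close(base, other):
    """True when `other` is within AMOUNT_DIFF_PCT of `base` (amounts in cents)."""
    return abs(base - other) * 100 <= AMOUNT_DIFF_PCT * base

def similarity(a, b):
    """Percentage of ATTRS on which two transactions agree (assumed scoring)."""
    return 100 * sum(a[k] == b[k] for k in ATTRS) / len(ATTRS)

def find_similar_groups(txns):
    """Return groups of transaction ids that meet all four thresholds."""
    txns = sorted(txns, key=lambda t: t["at"])
    alerts, seen = [], set()
    for i, anchor in enumerate(txns):
        group = [anchor["id"]]
        for other in txns[i + 1:]:
            if other["at"] - anchor["at"] > TIME_WINDOW:
                break                     # sorted by time: nothing later qualifies
            if (amount_close(anchor["amount"], other["amount"])
                    and similarity(anchor, other) >= SIMILARITY_PCT):
                group.append(other["id"])
        # Do not re-report an anchor that an earlier group already covered.
        if len(group) >= MIN_SIMILAR_COUNT and anchor["id"] not in seen:
            alerts.append(group)
            seen.update(group)
    return alerts

def tx(id_, hhmm, cents, **attrs):
    at = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"id": id_, "at": at, "amount": cents, **DEFAULTS, **attrs}

SAMPLE = [  # constructed transactions
    tx("t1", "10:00", 10000),
    tx("t2", "10:10", 9800),
    tx("t3", "10:25", 10400, channel="web"),   # 75% similar: still counts
    tx("t4", "10:45", 10000),                  # outside t1's 30-minute window
    tx("t5", "10:12", 10000, type="card", country="GB", destination="acct_3"),
    tx("t6", "10:15", 12000),                  # same attributes, amount 20% higher
]

print(find_similar_groups(SAMPLE))
```

Only t1, t2 and t3 form an alert: t5 matches on amount but not on attributes, t6 matches on attributes but not on amount, and t4 arrives after the window has closed.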
Withdrawal ratio (%)
The percentage of a deposit that, if withdrawn quickly, triggers an alert. For example, with a 70% setting, withdrawing 1,000 deposit would be flagged as suspicious.
Minimum amount
The threshold amount that activates monitoring. Only deposits equal to or larger than $1,000 will be tracked for immediate withdrawal patterns. Smaller transactions are excluded from this check.
Time window (minutes)
The monitoring period after a deposit. This creates a 5-minute window during which quick withdrawals are scrutinized. The system watches for withdrawal attempts during this short period after the qualifying deposit.
Cooldown period (hours)
The waiting period enforced after flagging suspicious activity. Once an alert is triggered, the system continues enhanced monitoring for 24 hours to prevent repeated attempts at suspicious withdrawal patterns.
Consider a new deposit of $2,000. Because this exceeds the minimum amount ($1,000), the system begins monitoring. If someone attempts to withdraw $1,500 (75% of the deposit) within 5 minutes of the deposit, this would trigger an alert because it exceeds the 70% withdrawal ratio within the time window.
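The $2,000 deposit scenario above, as added illustrative Python run over constructed events (not Blnk's implementation). It assumes withdrawals inside the window are summed per balance and that the cooldown marks later withdrawals on that balance for review; the event fields are hypothetical.

```python
from datetime import datetime, timedelta

# Thresholds from the guide's worked example (amounts in cents).
WITHDRAWAL_RATIO_PCT = 70
MIN_AMOUNT = 100_000                 # $1,000
TIME_WINDOW = timedelta(minutes=5)
COOLDOWN = timedelta(hours=24)

def scan(events):
    """Return (alerts, cooldown_hits) for a list of deposit/withdrawal events."""
    watched, cooldown_until = {}, {}  # both keyed by balance id
    alerts, cooldown_hits = [], []
    for ev in sorted(events, key=lambda e: e["at"]):
        bal = ev["balance"]
        if ev["kind"] == "deposit":
            if ev["amount"] >= MIN_AMOUNT:           # smaller deposits are not tracked
                watched[bal] = {"dep": ev, "out": 0}
            continue
        if ev["at"] < cooldown_until.get(bal, datetime.min):
            cooldown_hits.append(ev["id"])           # enhanced monitoring after an alert
        w = watched.get(bal)
        if w is None or ev["at"] - w["dep"]["at"] > TIME_WINDOW:
            continue
        w["out"] += ev["amount"]                     # assumption: withdrawals add up
        if w["out"] * 100 >= WITHDRAWAL_RATIO_PCT * w["dep"]["amount"]:
            alerts.append((w["dep"]["id"], ev["id"]))
            cooldown_until[bal] = ev["at"] + COOLDOWN
            del watched[bal]
    return alerts, cooldown_hits

def event(id_, balance, kind, dollars, hhmm):
    at = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"id": id_, "balance": balance, "kind": kind, "amount": dollars * 100, "at": at}

SAMPLE = [  # constructed events
    event("d1", "bal_A", "deposit", 2000, "09:00"),
    event("w1", "bal_A", "withdrawal", 1500, "09:03"),   # 75% within 5 minutes: alert
    event("w2", "bal_A", "withdrawal", 200, "15:00"),    # inside the 24-hour cooldown
    event("d2", "bal_B", "deposit", 500, "09:00"),       # below the $1,000 minimum
    event("w3", "bal_B", "withdrawal", 450, "09:01"),
    event("d3", "bal_C", "deposit", 3000, "09:00"),
    event("w4", "bal_C", "withdrawal", 2500, "09:10"),   # after the window closed
    event("d4", "bal_D", "deposit", 1000, "09:00"),
    event("w5", "bal_D", "withdrawal", 400, "09:01"),
    event("w6", "bal_D", "withdrawal", 350, "09:04"),    # 40% + 35% = 75%: alert
]

print(scan(SAMPLE))
```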
Maximum fan-out ratio (%)
The maximum percentage of funds that can be distributed to multiple accounts in a short time. For example, if 800 across multiple accounts would trigger an alert.
Maximum source frequency
The maximum number of times funds can be received from the same source within the monitoring window. This helps identify unusual patterns of repeated deposits from a single origin.
Maximum destination frequency
Similar to source frequency, this limits how many times funds can be sent to the same destination. This helps catch potential money laundering patterns where funds are being funneled to specific accounts.
Minimum amount
Only transaction amounts of 100 or more are monitored for these patterns. This threshold helps focus on meaningful transactions while ignoring small, routine transfers.
Unique counterparties
The number of different entities involved in the transaction chain that triggers monitoring. With a setting of 1, the system tracks patterns involving even a single counterparty.
Minimum fan out
The minimum number of separate transfers needed to trigger the fan-out detection. At least 5 different transfers must occur within the time window to be considered a potential fan-out pattern.
Fan-out time window (minutes)
The time period during which the system monitors for fan-out patterns. All relevant transfers must occur within this 60-minute window to trigger an alert.
Dormancy period (days)
The number of days an account must be inactive before being flagged as dormant.
Minimum amount
The threshold balance that triggers dormancy monitoring. Only accounts holding $100 or more are tracked for dormancy.
Consider an account with a balance of $5,000 that hasn’t had any transactions (deposits, withdrawals, or transfers) for 12 days. Because this account exceeds the minimum amount threshold of $100 and has been inactive longer than the 10-day dormancy period, it would be flagged for review.
Custom keywords
A customizable list of words or phrases that may indicate suspicious activity. You can add specific terms relevant to your business that, when detected in transaction descriptions or messages, should trigger additional scrutiny.
Minimum match count
The number of keyword matches required to trigger an alert. With this set to 1, even a single occurrence of a suspicious word or phrase will flag the transaction for review.
Let’s say you’ve added custom keywords related to your industry’s specific risks. If a transaction description contains “rush processing” or “urgent transfer” (examples of potential custom keywords), the system would flag it because it meets the minimum match count of 1.
Lookback period (hours)
This tells the system how far back to check for unusual trends. This helps establish what’s “normal” for each customer.
Minimum transactions
This defines the minimum number of transactions needed before we can determine what is unusual.
Deviation multiple
It determines how far a transaction amount can deviate from the typical pattern before being flagged as unusual. For example, if a customer typically transfers 3,000 might trigger an alert.
Minimum amount
This only flags transactions above this amount. It helps to ignore small everyday transactions.
[Country]-[State]-[Street]. For example, Brazil-Rio.
Highest risk
These countries require the most stringent monitoring and may have specific transaction restrictions. Transactions involving these countries automatically trigger an anomaly and enhanced due diligence protocols.
High risk
A secondary tier for countries that present significant but not extreme risk levels. These countries require elevated monitoring but may have less stringent controls than the highest risk category. The platform allows adding countries that warrant careful attention but don’t need the most intensive scrutiny.
Elevated risk
The lowest tier of the risk-based system, used for countries that require monitoring above standard levels but don’t present major concerns. This creates a graduated approach to risk management.
To enable PEP screening for your organization:
Risk score thresholds
The minimum risk level that triggers enhanced monitoring for individual PEPs. When an individual’s calculated risk score exceeds 70%, they receive additional scrutiny. This score is typically based on factors like their political position, transaction patterns, and connection to high-risk activities.
Ownership threshold
The minimum percentage of ownership or control by PEPs that triggers organizational screening. If PEPs own or control 25% or more of an organization, that entity receives enhanced monitoring. This helps identify organizations that might be used as vehicles for moving funds on behalf of politically exposed persons.
Check frequency (days)