Built-in rule bundles
Didit provides a pre-configured rule library for every application with transaction monitoring enabled. These rules are based on common regulatory typologies and can be customized or disabled:| Bundle | Examples |
|---|---|
| Finance | Structuring detection (inbound/outbound), large single transactions above reporting thresholds |
| AML/CTF | Cumulative volume limits, rapid in-and-out movement, sanctions counterparty matching, PEP counterparty exposure, suspicious payment reference keywords |
| Anomaly detection | High velocity inbound/outbound, dormant account reactivation after 12+ months of inactivity |
| FATF | High-risk jurisdiction exposure for counterparties and subject IPs |
| Device intelligence | Repeated bonus-campaign use from the same device fingerprint, multiple device fingerprints for the same subject |
| Fraud prevention | Multi-accounting via shared device fingerprints across distinct subjects |
| Crypto monitoring | Mixer/obfuscation service exposure, high-risk wallet addresses (darknet, sanctioned, stolen funds) |
| Responsible gaming | Rapid deposit bursts within short windows |
| E-commerce | E-commerce specific transaction patterns |
Rule anatomy
Each rule consists of:| Component | Description |
|---|---|
| Title & description | Human-readable name and explanation of what the rule detects |
| Category | Logical grouping (e.g., finance, aml_ctf, crypto_monitoring, device_intelligence) |
| Mode | Active (live evaluation), Disabled (skipped), or Test (evaluated but results don’t affect the transaction) |
| Evaluation mode | All (every condition must match) or Any (at least one condition must match) |
| Scope | Limits which transactions the rule applies to — by transaction type, direction, or other filters |
| Conditions | Field-level checks — compare transaction fields against values using operators like eq, lt, gte, in, contains_any, exists |
| Aggregation | Velocity windows — aggregate historical transactions over a time period (e.g., count, sum, or distinct count over 1 hour, 7 days, 30 days) |
| Actions | What happens when the rule matches (see below) |
Actions
When a rule matches a transaction, one or more actions are executed. Each rule can have multiple actions that are all applied together:| Action | Description |
|---|---|
| Add score | Add a specified number of points to the transaction’s risk score. The cumulative score across all matched rules determines whether the transaction crosses the review or decline threshold. |
| Change status | Directly set the transaction status to IN_REVIEW, DECLINED, or AWAITING_USER. This takes effect immediately regardless of the score. |
| Add tags | Automatically tag the transaction for categorization and filtering (e.g., high-risk, structuring-suspect). |
| Add note | Attach an automated note to the transaction for analyst context. |
| Add to list | Add the applicant, counterparty, or other entity to a blocklist, allowlist, or custom list. |
Scoring
When a transaction matches one or more rules, the scores are combined:- Each rule match contributes to the transaction’s overall risk score via the
add_scoreaction - The final score determines the transaction status based on your application’s score thresholds
- If any rule has a
change_statusaction, that status is applied directly —DECLINEDalways takes priority
| Setting | Default | Description |
|---|---|---|
| Review threshold | 60 | Scores at or above this value trigger IN_REVIEW |
| Decline threshold | 85 | Scores at or above this value trigger DECLINED |
Creating custom rules
Custom rules are created and managed from the Business Console:- Go to Transactions > Rules in the console
- Click Create Rule
- Define the rule title, description, and category
- Set the mode —
Activeto run live, orTestto evaluate without affecting transactions - Choose the evaluation mode —
All(every condition must match) orAny(at least one) - Set the scope — which transaction types or directions the rule applies to
- Add conditions — field comparisons like amount thresholds, country codes, custom property checks
- Optionally add aggregation — velocity checks over a time window (count, sum, or distinct count)
- Define one or more actions — add score, change status, add tags, add notes, or add to list
- Save and enable the rule
Velocity windows (aggregation)
Velocity rules aggregate historical transaction data over a time period to detect patterns that single-transaction checks would miss:| Metric | Description |
|---|---|
| Count | Number of transactions matching the filters in the window |
| Sum | Total of a numeric field (e.g., preferred_currency_amount) in the window |
| Distinct count | Number of unique values for a field (e.g., distinct device fingerprints) in the window |
- A time window (e.g.,
1h,6h,1d,7d,30d) - Filters to narrow which historical transactions are included (e.g., same subject, same direction, same device)
- An operator and threshold (e.g., count >= 20)
Example patterns
| Pattern | How it works |
|---|---|
| Structuring | Count of transactions below $10,000 for the same subject in 30 days >= 20 |
| High velocity | Count of inbound transactions for the same subject in 7 days >= 20 |
| Rapid in-and-out | Current transaction is outbound + count of inbound transactions for the same subject in 6 hours >= 1 |
| Multi-accounting | Distinct count of subjects sharing the same device fingerprint in 7 days >= 3 |
| Dormant reactivation | Days since subject’s previous transaction >= 365, combined with amount >= $1,000 |
Condition operators
Rules support the following comparison operators for conditions:| Operator | Description | Example |
|---|---|---|
eq | Equal to | direction eq "OUTBOUND" |
lt | Less than | amount lt 10000 |
gte | Greater than or equal | preferred_currency_amount gte 25000 |
gt | Greater than | travel_rule_obligations_count gt 0 |
in | Value is in a list | counterparty_country in ["IRN", "PRK", "SYR"] |
contains_any | Text contains any keyword | payment_details contains_any ["terror", "weapon"] |
exists | Field is present | subject_device_fingerprint exists true |
AML transaction screening
Didit integrates with external AML and blockchain analytics providers to enrich transactions with risk intelligence. When a transaction is submitted, the system can:- Screen counterparties against global sanctions and watchlist databases
- Evaluate wallet addresses (for crypto transactions) against blockchain intelligence data, including mixer exposure, sanctioned entity connections, and high-risk service interactions
- Check applicant AML status by cross-referencing the transaction’s linked user against their latest AML screening results
API reference
List rules
Retrieve all rules including execution counters.
Get settings
Retrieve score thresholds and configuration.