Rule configuration is console-only. All rule tuning — thresholds, conditions, actions, mode — happens from Transactions → Rules → Library in the Business Console. For an end-to-end walkthrough of how rules contribute to scoring, see risk scoring.
How presets are organised
Every preset belongs to a bundle (its functional family) and a category (its broader risk theme). Bundles let you toggle related rules together from the console; categories drive scoring and reporting.

| Bundle | What it covers |
|---|---|
finance | Structuring, large transactions, cumulative volume, country spread, layering, mule fan-in, smurfing |
aml_ctf | Sanctions, PEP, suspicious payment references, round-amount layering, rapid in-and-out |
aml_monitoring | Blockchain-derived high-risk source-of-funds exposure, terrorist financing, child exploitation |
anomaly_detection | High velocity, dormant reactivation, off-hours activity |
fatf | High-risk jurisdiction exposure |
device_intelligence | Device fingerprint reuse, multi-fingerprint accounts, IP/browser anomalies, VPN/proxy, impossible travel |
fraud_prevention_multi_accounting | Shared fingerprints across distinct subjects |
fraud_prevention_app | Authorised push payment / first-time payee / scam victim signals |
fraud_prevention_ato | Account takeover composite signals (PII change, new payment method) |
fraud_prevention_consortium | Counterparties flagged by other institutions in the shared network |
crypto_monitoring | Mixer/darknet/sanctioned wallet exposure, chain hopping, unhosted wallets, VASP gaps |
travel_rule | Global and regional Travel Rule obligations (12 regimes) |
responsible_gaming | Safer-play deposit/withdrawal limits, self-exclusion, off-hours play |
e_commerce | Card testing microtransactions, chargeback indicators, billing-country mismatch, affiliate burst |
check_fraud | Out-of-range / missing-number / duplicate-presented / dark-web-watchlist / washed checks, kiting |
bnpl | Failed-repayment first-party fraud, shared identifiers across BNPL accounts, fresh-account installments |
How to read this page
Each rule lists its library_key (stable identifier you can reference in the API or console URL), the conditions and aggregation that make it fire, and the default actions it takes. Numeric thresholds shown here are the ship defaults — every value is editable per application without losing the rule’s identity.
Finance bundle
These rules apply to every transaction with transaction_type = FINANCE. They model the regulatory baseline (BSA/FinCEN reporting thresholds, FATF velocity heuristics) plus money-mule and smurfing patterns.
Structuring & near-threshold
library_key | Trigger | Default action |
|---|---|---|
structuring-inbound | ≥20 inbound transfers under $10,000 by the same subject within 30 days | +35 score |
structuring-outbound | ≥20 outbound transfers under $10,000 by the same subject within 30 days | +35 score |
single-transaction-just-below-threshold | A single transaction between 9,999 | +25 score |
round-amount-layering | Transfer amount equals a suspiciously round value (25k, 100k, 500k, $1M…) | +20 score |
Volume & velocity
library_key | Trigger | Default action |
|---|---|---|
large-single-transaction | Single transaction ≥ $25,000 | +50 score, IN_REVIEW |
cumulative-outbound-volume | Outbound volume ≥ $100,000 in 30 days | +45 score, IN_REVIEW |
cumulative-inbound-volume-90d | Inbound volume ≥ $200,000 in 90 days | +30 score, IN_REVIEW |
cumulative-outbound-volume-7d | Outbound volume ≥ $50,000 in 7 days | +30 score, IN_REVIEW |
business-4h-inbound-volume | Business inbound volume ≥ $30,000 in any 4-hour window | +30 score, IN_REVIEW |
business-4h-outbound-volume | Business outbound volume ≥ $30,000 in any 4-hour window | +30 score, IN_REVIEW |
high-velocity-inbound | ≥20 inbound transactions in 7 days | +25 score |
high-velocity-outbound | ≥20 outbound transactions in 7 days | +25 score |
Layering, mule & smurfing
library_key | Trigger | Default action |
|---|---|---|
rapid-in-and-out-movement | An outbound preceded by an inbound within 6 hours | +60 score, IN_REVIEW |
cash-deposit-followed-by-withdrawal | Cash deposits ≥ $50,000 in 72h followed by a cash withdrawal | +30 score, IN_REVIEW |
money-mule-fan-in-to-counterparty | A counterparty receives transfers from ≥5 distinct subjects in 7 days | +30 score, IN_REVIEW |
rapid-repeated-payments-same-counterparty | ≥5 outbound transfers to the same counterparty in 24 hours | +30 score, IN_REVIEW |
cross-border-small-amount-velocity | A subject sends amounts under $1,000 to ≥4 distinct counterparty countries in 24h | +30 score, IN_REVIEW |
high-risk-jurisdiction-smurfing | ≥5 outbound transfers under $1,000 to the same high-risk country in 7 days | +30 score, IN_REVIEW |
many-unique-counterparties-24h | Subject transacts with ≥6 distinct counterparties in 24h | +30 score, IN_REVIEW |
many-unique-payment-methods-7d | Subject rotates through ≥4 distinct payment methods in 7 days | +30 score, IN_REVIEW |
counterparty-country-spread-24h | Subject transacts with ≥4 distinct counterparty countries in 24h | +30 score, IN_REVIEW |
Behavioural anomalies
library_key | Trigger | Default action |
|---|---|---|
dormant-account-reactivation | First transaction ≥ $1,000 after ≥365 days of inactivity | +20 score |
off-hours-high-value-finance | High-value transfer (≥ $5,000) tagged as off-hours for the subject’s locale | +25 score |
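
How three of the Finance-bundle triggers above behave over a look-back window, as an added example (not Didit's rule engine or code). The transaction field names, the `fired_rules` and `make_tx` helpers, and the choice to evaluate each rule at the moment a new transaction arrives are assumptions; the thresholds, windows, score deltas and actions are the defaults from the tables.

```python
from datetime import datetime, timedelta

def fired_rules(history, tx):
    """Return (library_key, score_delta, action) for each rule that fires on tx.

    history: earlier transactions; tx: the one being evaluated. Each is a dict
    with assumed fields subject, counterparty, direction, amount (USD), ts.
    """
    def within(delta):
        # Transactions (including tx) inside the look-back window ending at tx.
        return [h for h in history + [tx] if tx["ts"] - delta <= h["ts"] <= tx["ts"]]

    def mine(h, direction):
        return h["subject"] == tx["subject"] and h["direction"] == direction

    fired = []
    if tx["direction"] == "inbound":
        # structuring-inbound: >=20 inbound transfers under $10,000 in 30 days.
        small = [h for h in within(timedelta(days=30))
                 if mine(h, "inbound") and h["amount"] < 10_000]
        if len(small) >= 20:
            fired.append(("structuring-inbound", 35, None))
    else:
        # rapid-in-and-out-movement: outbound preceded by an inbound within 6 hours.
        if any(mine(h, "inbound") for h in within(timedelta(hours=6))):
            fired.append(("rapid-in-and-out-movement", 60, "IN_REVIEW"))
        # money-mule-fan-in-to-counterparty: >=5 distinct senders in 7 days.
        senders = {h["subject"] for h in within(timedelta(days=7))
                   if h["direction"] == "outbound"
                   and h["counterparty"] == tx["counterparty"]}
        if len(senders) >= 5:
            fired.append(("money-mule-fan-in-to-counterparty", 30, "IN_REVIEW"))
    return fired

def make_tx(subject, counterparty, direction, amount, ts):
    return dict(subject=subject, counterparty=counterparty,
                direction=direction, amount=amount, ts=ts)

# Constructed sample data, not real transactions.
T0 = datetime(2024, 1, 1, 12, 0)
DEPOSITS = [make_tx("s1", "cp-a", "inbound", 9_500, T0 + timedelta(days=d))
            for d in range(20)]
PAYOUT = make_tx("s1", "cp-b", "outbound", 180_000,
                 DEPOSITS[-1]["ts"] + timedelta(hours=2))
FAN_IN = [make_tx(f"m{i}", "cp-mule", "outbound", 400, T0 + timedelta(days=i))
          for i in range(5)]

if __name__ == "__main__":
    print(fired_rules(DEPOSITS[:-1], DEPOSITS[-1]))  # 20th small deposit
    print(fired_rules(DEPOSITS, PAYOUT))             # payout 2h after a deposit
    print(fired_rules(FAN_IN[:-1], FAN_IN[-1]))      # 5th distinct sender
```

The 19th deposit and the 4th sender return an empty list, which makes the boundary behaviour of the "≥" thresholds easy to check before tuning them in the console.
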
AML / CTF bundle
These rules model classic AML/CTF typologies that don’t depend on blockchain enrichment — they apply universally to fiat and crypto transfers.

library_key | Trigger | Default action |
|---|---|---|
sanctions-counterparty | Counterparty (or wallet) returns a sanctions hit | +90 score, DECLINED |
pep-counterparty-exposure | Counterparty is a politically-exposed person | +40 score, IN_REVIEW |
suspicious-payment-reference | Payment reference contains keywords linked to illicit proceeds | +45 score, IN_REVIEW |
high-risk-jurisdiction-exposure | Counterparty country or subject IP country is on the high-risk list | +40 score, IN_REVIEW |
high-risk-inbound-single | Inbound ≥ $20,000 from a high-risk country | +30 score, IN_REVIEW |
high-risk-outbound-single | Outbound ≥ $20,000 to a high-risk country | +30 score, IN_REVIEW |
IRN, PRK, SYR, AFG, RUS, MMR. You can override the list per application.
AML blockchain monitoring bundle
These rules consume the enriched data produced by Didit’s AML blockchain screening — they’re most useful for crypto-native and VASP applications.

library_key | Trigger | Default action |
|---|---|---|
aml-high-risk-source-exposure | ≥30% of source funds originate from sanctioned, darknet, stolen, ransomware, or scam categories | +70 score, IN_REVIEW |
aml-multiple-risky-counterparties | ≥3 connections to high-risk entities in the source-of-funds graph | +50 score, IN_REVIEW |
aml-terrorist-financing-exposure | Any terrorist-financing exposure on the wallet | +100 score, DECLINED |
aml-child-exploitation-exposure | Any child-exploitation-material exposure on the wallet | +100 score, DECLINED |
aml-wallet-risk-score-medium | Provider wallet-risk score between 40 and 70 | +30 score |
Crypto monitoring bundle
Wallet-level exposure rules, plus VASP and Travel-Rule-adjacent integrity checks.

library_key | Trigger | Default action |
|---|---|---|
crypto-mixer-exposure | Wallet linked to a mixer or obfuscation service | +80 score, IN_REVIEW |
crypto-darknet_market-exposure | Darknet-market wallet exposure | +80 score, IN_REVIEW |
crypto-sanctioned-exposure | Sanctioned wallet exposure | +90 score, IN_REVIEW |
crypto-stolen_funds-exposure | Stolen-funds wallet exposure | +85 score, IN_REVIEW |
crypto-scam-exposure | Scam wallet exposure | +70 score, IN_REVIEW |
crypto-ransomware-exposure | Ransomware wallet exposure | +90 score, IN_REVIEW |
crypto-hacked_exchange-exposure | Hacked-exchange wallet exposure | +80 score, IN_REVIEW |
crypto-gambling_unlicensed-exposure | Unlicensed-gambling wallet exposure | +60 score, IN_REVIEW |
crypto-wallet-risk-score-critical | Provider wallet score ≥ 90 | +90 score, IN_REVIEW |
crypto-wallet-risk-score-high | Provider wallet score ≥ 70 | +60 score, IN_REVIEW |
crypto-unhosted-wallet-large-outbound | Outbound ≥ $1,000 to an unhosted wallet | +45 score, IN_REVIEW |
crypto-repeated-unhosted-wallet-withdrawals | ≥5 outbound transfers to unhosted wallets in 24h | +35 score, IN_REVIEW |
crypto-many-new-wallets-per-subject | Subject sends to ≥5 distinct wallets in 24h | +40 score, IN_REVIEW |
crypto-chain-hopping-pattern | Same subject moves funds across ≥3 blockchains in 24h | +45 score, IN_REVIEW |
crypto-missing-vasp-id-high-value | Hosted-wallet transfer ≥ $1,000 with no VASP identifier | +30 score, IN_REVIEW |
Travel Rule bundle
Travel Rule rules apply only to transaction_type = TRAVEL_RULE. Each regional regime ships four rules (pending counterparty, pending action, missing data, failed exchange).
Global Travel Rule
library_key | Trigger | Default action |
|---|---|---|
travel-rule-pending-counterparty | Status is PENDING_COUNTERPARTY (waiting on the counterparty VASP) | +35 score, IN_REVIEW |
travel-rule-pending-action | Status is PENDING_ACTION (applicant action required) | +35 score, AWAITING_USER |
travel-rule-missing-required-data | Required = true and obligations remain unresolved | +50 score, IN_REVIEW |
Regional regimes
The same four-rule template is applied per regime. Replace <regime> below with any of: australia, dubai, eu, hong_kong, india, indonesia, japan, kazakhstan, singapore, south_africa, turkey, uk.
library_key template | Trigger |
|---|---|
travel-rule-<regime>-pending-counterparty | Regime-tagged transfer waiting on counterparty VASP |
travel-rule-<regime>-pending-action | Regime-tagged transfer needs applicant action |
travel-rule-<regime>-missing-required-data | Regime-tagged transfer is required but unresolved |
travel-rule-<regime>-failed-exchange | Regime-tagged transfer failed |
Device intelligence & fraud prevention
These rules turn signals from the client SDK (device fingerprint, IP, browser, session age) and provider enrichment into fraud-detection events.
Device fingerprint & multi-accounting
library_key | Trigger | Default action |
|---|---|---|
multi-accounting-shared-fingerprint | One device fingerprint reused across ≥3 distinct subjects in 7 days | +50 score, IN_REVIEW |
multiple-device-fingerprints-for-same-subject | One subject appears on ≥3 distinct fingerprints in 24h | +20 score |
same-fingerprint-transaction-burst | ≥6 transactions from one fingerprint in 24h | +30 score |
same-ip-multi-accounting | One IP shared by ≥3 distinct subjects in 7 days | +30 score |
same-ip-transaction-burst | ≥6 transactions from one IP in 24h | +30 score |
same-fingerprint-multiple-payment-methods | One fingerprint cycling through ≥4 payment methods in 7 days | +30 score |
shared-payment-method-across-subjects | One payment method reused by ≥3 distinct subjects in 7 days | +30 score |
many-ip-addresses-per-subject | Subject uses ≥4 distinct IPs in 24h | +30 score |
new-browser-and-new-ip-combination | Subject shows ≥3 distinct browsers AND ≥3 distinct IPs in 24h | +30 score |
IP, network & VPN
library_key | Trigger | Default action |
|---|---|---|
vpn-or-proxy-high-value | VPN or proxy detected on a transfer ≥ $5,000 | +30 score |
impossible-travel-between-transactions | Subject transacts from ≥2 distinct IP countries within 1 hour | +30 score |
Behavioural composite
library_key | Trigger | Default action |
|---|---|---|
browser-spoofing-password-reuse | Browser-spoofing detected AND ≥2 transactions reusing the same password hash in 30 minutes | +30 score |
remote-access-high-value-transfer | Remote-access tool detected on a transfer ≥ $5,000 | +30 score |
low-session-age-high-value-transfer | Transfer ≥ $5,000 within 30 seconds of session start | +30 score |
synthetic-identity-fresh-account-high-value | Account opened in the last 7 days transacts ≥ $1,000 | +30 score |
Account takeover & APP fraud
library_key | Trigger | Default action |
|---|---|---|
recent-pii-change-and-transaction | Transfer ≥ $1,000 within the recent-PII-change window | +45 score, IN_REVIEW |
new-payment-method-high-value | Transfer ≥ $5,000 using a payment method added in the last 7 days | +30 score |
first-time-payee-high-value | Outbound ≥ $5,000 to a counterparty the subject has never paid before | +40 score, IN_REVIEW |
consortium-flagged-counterparty | Transfer ≥ $500 whose counterparty was reported by another institution | +60 score, IN_REVIEW |
Affiliate & bonus abuse
library_key | Trigger | Default action |
|---|---|---|
repeated-bonus-campaign-from-same-fingerprint | ≥6 transactions on the same campaign + fingerprint in 2h | +35 score |
shared-fingerprint-across-bonus-campaigns | One fingerprint claims ≥3 distinct campaigns in 7 days | +30 score |
affiliate-fraud-repeated-fingerprint | ≥5 transactions on the same affiliate + fingerprint in 2h | +30 score |
Responsible gaming bundle
For iGaming applications. These rules are designed to detect both player-protection signals and bonus-abuse patterns.

library_key | Trigger | Default action |
|---|---|---|
responsible-gaming-rapid-deposits | ≥10 inbound transactions of the same action in 24h | +20 score |
responsible-gaming-rapid-withdrawals | ≥8 outbound transactions of the same action in 24h | +20 score |
responsible-gaming-cumulative-deposits-7d | Inbound volume ≥ $5,000 in 7 days | +20 score |
responsible-gaming-cumulative-withdrawals-7d | Outbound volume ≥ $5,000 in 7 days | +20 score |
responsible-gaming-self-excluded-activity | Any transaction from a self-excluded account | +20 score |
responsible-gaming-loss-limit-hit | Activity continues after a loss-limit signal | +20 score |
responsible-gaming-bonus-hunting | ≥4 same-campaign + same-fingerprint transactions in 24h | +20 score |
responsible-gaming-multiple-payment-methods | ≥4 distinct payment methods in 7 days | +20 score |
responsible-gaming-off-hours-high-value | Off-hours-tagged play ≥ $1,000 | +20 score |
responsible-gaming-failed-withdrawals | ≥3 failed-withdrawal attempts | +20 score |
responsible-gaming-many-counterparties | ≥5 distinct counterparties in 24h | +20 score |
E-commerce bundle
For marketplaces and merchant-of-record applications.

library_key | Trigger | Default action |
|---|---|---|
ecommerce-card-testing-microtransactions | ≥10 transactions ≤ $5 from the same fingerprint in 1h | +30 score |
ecommerce-high-order-velocity | ≥8 transactions on one fingerprint in 30 minutes | +30 score |
ecommerce-chargeback-indicator | Provider/workflow has flagged a chargeback indicator | +30 score |
ecommerce-billing-country-mismatch | Billing-country mismatch on a transaction ≥ $500 | +30 score |
ecommerce-shared-payment-method | Payment method reused by ≥3 e-commerce subjects in 7 days | +30 score |
ecommerce-shared-ip-multi-accounting | One IP shared across ≥4 e-commerce subjects in 24h | +30 score |
ecommerce-remote-checkout-high-value | Remote-access detected on checkout ≥ $1,000 | +30 score |
ecommerce-affiliate-burst | ≥5 transactions on same affiliate + fingerprint in 2h | +30 score |
Check fraud bundle
For applications submitting check-deposit transactions. Each rule fires off custom_values.check_* flags the caller sets when a check carries a known risk signal (washing, missing MICR, dark-web-listed serial, etc.).
library_key | Trigger | Default action |
|---|---|---|
check-amount-out-of-range | Check amount flagged as outside the account’s normal range AND ≥ $1,000 | +40 score, IN_REVIEW |
check-missing-or-invalid-number | Check arrived with a missing, inconsistent, or non-sequential check number | +35 score, IN_REVIEW |
check-duplicate-presentation | Same check appears to have been deposited twice (mobile + branch) | +70 score, IN_REVIEW |
check-on-dark-web-watchlist | Check serial / image was found on a dark-web or Telegram stolen-check feed | +90 score, DECLINED |
check-altered-or-washed | Check shows chemical-erasure, MICR alteration, or other washing evidence | +70 score, IN_REVIEW |
check-deposit-rapid-multi-bank | Same subject deposits checks across ≥3 distinct counterparty banks within 24h (kiting) | +45 score, IN_REVIEW |
BNPL bundle
For buy-now-pay-later providers. Surfaces first-party-fraud (non-payment) and identifier-sharing patterns specific to installment lending.

library_key | Trigger | Default action |
|---|---|---|
bnpl-failed-repayment-velocity | ≥2 recent failed repayments on the subject — first-party fraud signal | +45 score, IN_REVIEW |
bnpl-shared-identifier-across-accounts | Phone, email or address has been seen on multiple distinct BNPL subjects | +40 score, IN_REVIEW |
bnpl-high-installment-on-fresh-account | Installment ≥ $500 from an account opened in the last 7 days | +35 score |
Reference: standards behind the library
Every preset in Didit’s library maps to a widely-accepted AML, fraud, or compliance typology. The standards we lean on:

| Source | Typologies contributed to the library |
|---|---|
| FATF recommendations | Structuring, rapid movement of funds, high-risk jurisdiction exposure, counterparty PEP / sanctions screening |
| FinCEN advisories | BSA / CTR reporting thresholds, dormant-account reactivation, suspicious cash patterns |
| NACHA rules | ACH-specific thresholds and off-hours patterns |
| Wolfsberg principles | Correspondent banking and private banking typologies |
| Egmont Group typologies | Cross-border and layering patterns |
| Industry best practice | Velocity windowing, impossible-travel, first-time-payee, device-fingerprint reuse, BNPL first-party fraud signals |
Customising presets
Every preset can be:
- Tuned — change thresholds, windows, score values, or actions per application
- Disabled — switch a preset to DISABLED mode and it stops evaluating without losing its identity
- Tested — switch a preset to TEST mode to evaluate it in shadow mode without affecting transaction outcomes
- Extended — create custom rules that complement or override presets