then clause is the decision output of your rule. It tells the FinWatch engine what to do when the conditions are met.
Verdicts
A verdict is a mandatory action keyword that represents the engine’s decision about the transaction.
When to use which:
block: You are certain this is malicious. False positives here mean lost revenue and angry customers.review: You are suspicious but not certain. A human must make the final call.alert: You want to observe a pattern without impacting the customer experience. Good for new rules in shadow mode.approve: Rarely used in practice. Most rules detect bad things; explicit allow rules are for override scenarios.
Risk Score
Syntax:score <float>
Purpose: A numerical representation of confidence or severity, used by the risk consolidation engine to aggregate risk across multiple rules that fire on the same transaction.
Key Facts:
- Must be a valid floating-point number.
- Recommended range:
0.0to1.0. - If omitted, defaults to
0.0. - The risk consolidator combines scores from all triggered rules to produce a final risk assessment.
Example:
Reason
Syntax:reason "<text>"
Purpose: A human-readable explanation of why the rule fired. This text is surfaced to:
- Fraud analysts reviewing flagged transactions.
- Compliance reports for auditors.
- API responses back to the calling system.
- Logs for debugging and monitoring.
- Must be a double-quoted string.
- If omitted, defaults to
"No reason provided". - Should be specific and actionable.
Best Practice: Include the specific data point that caused the trigger in the reason string where possible. This saves analysts from having to dig through raw transaction data.
.png?fit=max&auto=format&n=0JF6z69u57hmqsWm&q=85&s=531373acedba0eb783b669f6d558dfd8)