Documentation Index
Fetch the complete documentation index at: https://docs.finwatch.finance/llms.txt
Use this file to discover all available pages before exploring further.
The then clause is the decision output of your rule. It tells the FinWatch engine what to do when the conditions are met.
Verdicts
A verdict is a mandatory action keyword that represents the engine’s decision about the transaction.
| Verdict | Semantic Meaning | Use Case |
|---|
block | Hard stop. Prevent the transaction from proceeding. | Sanctioned countries, known fraud, blacklisted accounts. |
review | Soft hold. Flag for human analyst review. | Unusual patterns, high-value transactions, borderline cases. |
allow | Explicit approval. Mark the transaction as safe. | Whitelisted entities, pre-verified transactions. |
approve | Synonym for allow. | Same as allow. |
deny | Synonym for block. | Same as block. |
alert | Passive notification. Don’t stop the transaction, but notify. | Low-confidence patterns, monitoring, trend tracking. |
block: You are certain this is malicious. False positives here mean lost revenue and angry customers.review: You are suspicious but not certain. A human must make the final call.alert: You want to observe a pattern without impacting the customer experience. Good for new rules in shadow mode.allow: Rarely used in practice. Most rules detect bad things; explicit allow rules are for override scenarios.
Risk Score
Syntax: score <float>
Purpose: A numerical representation of confidence or severity, used by the risk consolidation engine to aggregate risk across multiple rules that fire on the same transaction.
Key Facts:
- Must be a valid floating-point number.
- Recommended range:
0.0 to 1.0.
- If omitted, defaults to
0.0.
- The risk consolidator combines scores from all triggered rules to produce a final risk assessment.
Scoring Strategy:
| Score Range | Meaning | Example |
|---|
0.0 - 0.3 | Low confidence / informational | Minor pattern match, slight anomaly |
0.3 - 0.6 | Medium confidence / suspicious | Unusual but not definitive |
0.6 - 0.8 | High confidence / likely fraud | Strong pattern match, multiple signals |
0.8 - 1.0 | Very high confidence / definite fraud | Known bad actor, sanctioned entity |
// Low confidence: just an unusual time
then review score 0.3 reason "Transaction at unusual hour"
// High confidence: sanctioned country + high value
then block score 0.95 reason "High-value transfer to sanctioned country"
Reason
Syntax: reason "<text>"
Purpose: A human-readable explanation of why the rule fired. This text is surfaced to:
- Fraud analysts reviewing flagged transactions.
- Compliance reports for auditors.
- API responses back to the calling system.
- Logs for debugging and monitoring.
Key Facts:
- Must be a double-quoted string.
- If omitted, defaults to
"No reason provided".
- Should be specific and actionable.
Good vs. Bad Reasons:
| Bad | Good |
|---|
"Flagged" | "Transaction amount ($15,000) exceeds $10,000 AML threshold" |
"Suspicious" | "5 failed transactions from same source in last hour" |
"Rule triggered" | "Destination country (IR) is on OFAC sanctions list" |
.png?fit=max&auto=format&n=0JF6z69u57hmqsWm&q=85&s=531373acedba0eb783b669f6d558dfd8){kind=logo}