> ## Documentation Index
> Fetch the complete documentation index at: https://docs.finwatch.finance/llms.txt
> Use this file to discover all available pages before exploring further.

# The then Clause: Defining Actions

The `then` clause is the decision output of your rule. It tells the FinWatch engine what to **do** when the conditions are met.

### Verdicts

A verdict is a mandatory action keyword that represents the engine's decision about the transaction.

| Verdict   | Semantic Meaning                                                  | Use Case                                                     |
| --------- | ----------------------------------------------------------------- | ------------------------------------------------------------ |
| `block`   | **Hard stop.** Prevent the transaction from proceeding.           | Sanctioned countries, known fraud, blacklisted accounts.     |
| `review`  | **Soft hold.** Flag for human analyst review.                     | Unusual patterns, high-value transactions, borderline cases. |
| `approve` | **Explicit approval.** Mark the transaction as safe.              | Whitelisted entities, pre-verified transactions.             |
| `alert`   | **Passive notification.** Don't stop the transaction, but notify. | Low-confidence patterns, monitoring, trend tracking.         |

**When to use which:**

* **`block`**: You are **certain** this is malicious. False positives here mean lost revenue and angry customers.
* **`review`**: You are **suspicious** but not certain. A human must make the final call.
* **`alert`**: You want to **observe** a pattern without impacting the customer experience. Good for new rules in shadow mode.
* **`approve`**: Rarely used in practice. Most rules detect bad things; explicit allow rules are for override scenarios.

### Risk Score

**Syntax:** `score <float>`

**Purpose:** A numerical representation of confidence or severity, used by the risk consolidation engine to aggregate risk across multiple rules that fire on the same transaction.

**Key Facts:**

* Must be a valid floating-point number.
* Recommended range: `0.0` to `1.0`.
* If omitted, defaults to `0.0`.
* The risk consolidator combines scores from all triggered rules to produce a final risk assessment.

**Scoring Strategy:**

| Score Range | Meaning                               | Example                                |
| ----------- | ------------------------------------- | -------------------------------------- |
| `0.0 - 0.3` | Low confidence / informational        | Minor pattern match, slight anomaly    |
| `0.3 - 0.6` | Medium confidence / suspicious        | Unusual but not definitive             |
| `0.6 - 0.8` | High confidence / likely fraud        | Strong pattern match, multiple signals |
| `0.8 - 1.0` | Very high confidence / definite fraud | Known bad actor, sanctioned entity     |

**Example:**

```ws theme={null}
// Low confidence: just an unusual time
then review score 0.3 reason "Transaction at unusual hour"

// High confidence: sanctioned country + high value
then block score 0.95 reason "High-value transfer to sanctioned country"
```

### Reason

**Syntax:** `reason "<text>"`

**Purpose:** A human-readable explanation of why the rule fired. This text is surfaced to:

* Fraud analysts reviewing flagged transactions.
* Compliance reports for auditors.
* API responses back to the calling system.
* Logs for debugging and monitoring.

**Key Facts:**

* Must be a double-quoted string.
* If omitted, defaults to `"No reason provided"`.
* Should be **specific** and **actionable**.

**Good vs. Bad Reasons:**

| Bad                | Good                                                           |
| ------------------ | -------------------------------------------------------------- |
| `"Flagged"`        | `"Transaction amount ($15,000) exceeds $10,000 AML threshold"` |
| `"Suspicious"`     | `"5 failed transactions from same source in last hour"`        |
| `"Rule triggered"` | `"Destination country (IR) is on OFAC sanctions list"`         |

**Best Practice:** Include the **specific data point** that caused the trigger in the reason string where possible. This saves analysts from having to dig through raw transaction data.
