Keshless Hub

Appearance

AML Rules Catalog

Complete reference of all 43 AML detection rules deployed in the Keshless platform. Rules are organized by detection category and sourced directly from the aml_rules database table.

Each rule has a conditions JSON field containing its parameters, a severity level, and an isActive toggle.

Threshold Rules

Transaction amount-based detection.

Rule IDNameSeverityKey Parameters
AML-TH-001Large Cash Transaction - Reporting ThresholdHIGHthresholdAmount: 3000
AML-TH-002Very Large Transaction - Enhanced ScrutinyCRITICALthresholdAmount: 4500
AML-TH-003Medium-High Transaction AlertMEDIUMthresholdAmount: 2000

AML-TH-001 — Large Cash Transaction - Reporting Threshold

Mandatory reporting threshold as per Eswatini FIU regulations.

ParameterValueDescription
thresholdAmount3000SZL amount triggering mandatory report

AML-TH-002 — Very Large Transaction - Enhanced Scrutiny

Enhanced scrutiny for large transactions. Also used as the daily cumulative threshold by the DB-enforcement layer.

ParameterValueDescription
thresholdAmount4500SZL amount triggering enhanced scrutiny

AML-TH-003 — Medium-High Transaction Alert

Monitor transactions approaching the reporting threshold.

ParameterValueDescription
thresholdAmount2000SZL amount triggering monitoring alert

Structuring Rules

Detecting transaction splitting to avoid thresholds.

Rule IDNameSeverityKey Parameters
AML-ST-001Structuring - Multiple Transactions Below ThresholdCRITICALthresholdAmount: 3000, thresholdCount: 5, timeWindowHours: 24
AML-ST-002Rapid Small Transactions - Smurfing PatternHIGHthresholdAmount: 1000, thresholdCount: 10, timeWindowHours: 48

AML-ST-001 — Structuring - Multiple Transactions Below Threshold

Classic structuring to avoid CTR reporting.

ParameterValueDescription
thresholdAmount3000Amount being structured around
thresholdCount5Minimum transactions to trigger
timeWindowHours24Detection window

AML-ST-002 — Rapid Small Transactions - Smurfing Pattern

Potential smurfing activity with many small transactions.

ParameterValueDescription
thresholdAmount1000Maximum individual amount
thresholdCount10Minimum transaction count
timeWindowHours48Detection window

Velocity Rules

Detecting abnormal transaction frequency spikes.

Rule IDNameSeverityKey Parameters
AML-VEL-001Transaction Volume Spike - 300% IncreaseHIGHpercentageChange: 300, timeWindowHours: 24
AML-VEL-002Extreme Velocity - 500% SpikeCRITICALpercentageChange: 500, timeWindowHours: 12

AML-VEL-001 — Transaction Volume Spike - 300% Increase

Sudden unexplained increase in transaction activity.

ParameterValueDescription
percentageChange300Percentage increase vs daily average
timeWindowHours24Detection window

AML-VEL-002 — Extreme Velocity - 500% Spike

Critical velocity anomaly.

ParameterValueDescription
percentageChange500Percentage increase vs daily average
timeWindowHours12Detection window

Behavioral Rules

User behavior analysis for inconsistencies.

Rule IDNameSeverityKey Parameters
AML-BEH-001Transaction Exceeds Customer LimitHIGH
AML-BEH-002Unusual Pattern for OccupationMEDIUMthresholdAmount: 2000, occupations list
AML-BEH-003Massive Anomalous WithdrawalHIGHmaxMultiplier: 1.5, averageMultiplier: 3
AML-BEH-004Repeated Limit-Breach AttemptsHIGHmaxAttemptsPerDay: 3, timeWindowHours: 24

AML-BEH-001 — Transaction Exceeds Customer Limit

Transaction inconsistent with customer risk profile. No additional parameters — checked against user's assigned limits.

AML-BEH-002 — Unusual Pattern for Occupation

High-value transactions inconsistent with stated income source.

ParameterValueDescription
thresholdAmount2000Amount considered unusual for listed occupations
occupationsstudent, unemployed, retired, homemakerOccupations with lower expected volumes

AML-BEH-003 — Massive Anomalous Withdrawal

Sudden large withdrawals indicating potential account compromise, money laundering exit, or insider theft.

ParameterValueDescription
maxMultiplier1.5Max single withdrawal vs account balance ratio
averageMultiplier3Withdrawal must be 3x above user's average
minBaselineTransactions5Minimum history needed for baseline

AML-BEH-004 — Repeated Limit-Breach Attempts

Repeated attempts to breach transaction limits — potential system probing.

ParameterValueDescription
maxAttemptsPerDay3Maximum failed limit-breach attempts
timeWindowHours24Detection window

Enhanced monitoring for Politically Exposed Persons (FATF Recommendation 12).

Rule IDNameSeverityKey Parameters
AML-PEP-001PEP High-Value TransactionHIGHthresholdAmount: 2500
AML-PEP-002PEP Cumulative Daily ThresholdHIGHdailyCumulativeThreshold: 10000
AML-PEP-003PEP Receiving From Multiple SourcesCRITICALminSources: 3, minTotalAmount: 5000

AML-PEP-001 — PEP High-Value Transaction

Enhanced monitoring for PEPs as per FATF recommendations.

ParameterValueDescription
thresholdAmount2500Lower threshold than standard users

AML-PEP-002 — PEP Cumulative Daily Threshold

Monitors total daily transaction volume for PEPs. Lower cumulative thresholds because their position creates opportunities for corruption.

ParameterValueDescription
dailyCumulativeThreshold10000Daily cumulative limit for PEPs

AML-PEP-003 — PEP Receiving From Multiple Sources

PEP receiving payments from 3+ different senders within 24 hours — potential bribery/corruption.

ParameterValueDescription
minSources3Minimum distinct senders
minTotalAmount5000Minimum aggregate amount
timeWindowHours24Detection window

Network Analysis Rules

Graph-based detection of fund flows between entities.

Rule IDNameSeverityKey Parameters
AML-NET-001Funnel Account (Many-to-One)CRITICALminSenders: 5, minTotalAmount: 10000
AML-NET-002Fan-Out Pattern (One-to-Many)HIGHminRecipients: 5, minTotalAmount: 10000
AML-NET-003High-Risk Counterparty TransactionHIGHriskScoreThreshold: 700

AML-NET-001 — Funnel Account (Many-to-One)

Multiple senders to single recipient — fund consolidation/collection pattern.

ParameterValueDescription
minSenders5Minimum distinct senders
minTotalAmount10000Minimum aggregate amount
timeWindowHours24Detection window

AML-NET-002 — Fan-Out Pattern (One-to-Many)

Single sender distributing to many recipients — fund dispersal pattern.

ParameterValueDescription
minRecipients5Minimum distinct recipients
minTotalAmount10000Minimum aggregate amount
timeWindowHours24Detection window

AML-NET-003 — High-Risk Counterparty Transaction

Transaction with high-risk, PEP, or sanctioned counterparty.

ParameterValueDescription
riskScoreThreshold700Counterparty risk score threshold (0-1000)

High Risk Transaction Rules

Patterns strongly associated with money laundering techniques.

Rule IDNameSeverityKey Parameters
AML-HR-001Round Number TransactionsMEDIUM
AML-HR-002Rapid Back-and-Forth TransactionsCRITICAL
AML-HR-003Nighttime Large TransactionsMEDIUMthresholdAmount: 3000
AML-HR-004Circular Transaction Pattern - Round TripCRITICALthresholdAmount: 1000, timeWindowHours: 48
AML-HR-005Pass-Through Account PatternHIGHminAmount: 1500, thresholdCount: 3

AML-HR-001 — Round Number Transactions

Round numbers often indicate illicit funds. Checked via pattern detection.

AML-HR-002 — Rapid Back-and-Forth Transactions

Potential money laundering layering technique — circular and back-and-forth patterns.

AML-HR-003 — Nighttime Large Transactions

Large transactions during unusual hours.

ParameterValueDescription
thresholdAmount3000Amount triggering nighttime alert

AML-HR-004 — Circular Transaction Pattern - Round Trip

Round-trip money movement — strong indicator of money laundering.

ParameterValueDescription
thresholdAmount1000Minimum amount for detection
timeWindowHours48Window to detect round-trip
similarityPercentage80How similar amounts must be (%)

AML-HR-005 — Pass-Through Account Pattern

Pass-through accounts used to obscure money trails in the layering stage.

ParameterValueDescription
minAmount1500Minimum transaction amount
thresholdCount3Minimum pass-through transactions
timeWindowHours3Rapid movement detection window
similarityPercentage75Amount similarity threshold (%)

Pattern Detection Rules

Automated detection of suspicious transaction patterns.

Rule IDNameSeverityKey Parameters
AML-PAT-001Repeated Identical AmountsMEDIUMminAmount: 500, thresholdCount: 5
AML-PAT-002Just-After-Midnight TransactionsMEDIUMwindowMinutes: 30, consecutiveDays: 2
AML-PAT-003Rapid Sequential WithdrawalsHIGHminCount: 3, minTotalAmount: 5000
AML-PAT-004Deposit-Immediate-Withdrawal (Cash-Out)CRITICALminAmount: 3000, timeWindowMinutes: 60

AML-PAT-001 — Repeated Identical Amounts

Multiple identical-amount transactions indicating structuring or smurfing.

ParameterValueDescription
minAmount500Minimum individual amount
thresholdCount5Minimum identical transactions
timeWindowHours48Detection window

AML-PAT-002 — Just-After-Midnight Transactions

Transactions timed to exploit daily limit resets.

ParameterValueDescription
windowMinutes30Minutes after midnight
consecutiveDays2Minimum consecutive days
thresholdAmount2000Minimum amount

AML-PAT-003 — Rapid Sequential Withdrawals

Rapid back-to-back withdrawals indicating account drain or cash-out.

ParameterValueDescription
minCount3Minimum sequential withdrawals
minTotalAmount5000Minimum aggregate amount
maxIntervalMinutes15Maximum time between withdrawals

AML-PAT-004 — Deposit-Immediate-Withdrawal (Cash-Out)

Immediate deposit-withdrawal cycle — classic money laundering cash-out pattern.

ParameterValueDescription
minAmount3000Minimum transaction amount
timeWindowMinutes60Maximum time between deposit and withdrawal
similarityPercentage70Amount similarity threshold (%)

Account Lifecycle Rules

New and dormant account monitoring.

Rule IDNameSeverityKey Parameters
AML-ACC-001Dormant Account ReactivationHIGHinactiveDays: 30, thresholdAmount: 5000
AML-ACC-002New Account Rapid ActivityHIGHaccountAgeDays: 7, maxDailyAmount: 10000
AML-ACC-003Incomplete KYC High-Value TransactionCRITICALthresholdAmount: 1000

AML-ACC-001 — Dormant Account Reactivation

Dormant account reactivation with high-value activity.

ParameterValueDescription
inactiveDays30Days of inactivity before considered dormant
thresholdAmount5000Amount triggering alert on reactivation

AML-ACC-002 — New Account Rapid Activity

New account with abnormally high transaction activity.

ParameterValueDescription
accountAgeDays7Account age threshold (days)
maxDailyAmount10000Maximum expected daily amount
maxTransactionsPerDay5Maximum expected daily transactions

AML-ACC-003 — Incomplete KYC High-Value Transaction

High-value transaction from unverified account — compliance violation.

ParameterValueDescription
thresholdAmount1000Amount triggering KYC compliance alert

Digital Wallet Rules

Wallet-specific patterns including NFC and top-up behavior.

Rule IDNameSeverityKey Parameters
AML-DIG-001Top-Up Then Immediate TransferHIGHminAmount: 3000, timeWindowMinutes: 30
AML-DIG-002NFC Tap BurstMEDIUMminConsecutiveTaps: 4, maxIntervalSeconds: 120
AML-DIG-003Geographic AnomalyMEDIUMdistanceThresholdKm: 100

AML-DIG-001 — Top-Up Then Immediate Transfer

Immediate top-up-to-transfer cycle — wallet used as pass-through conduit.

ParameterValueDescription
minAmount3000Minimum top-up amount
timeWindowMinutes30Maximum time between top-up and transfer
topupPercentageTransferred80Percentage of top-up transferred out

AML-DIG-002 — NFC Tap Burst

Rapid NFC tap burst — potential card fraud or vendor collusion.

ParameterValueDescription
minConsecutiveTaps4Minimum consecutive NFC taps
maxIntervalSeconds120Maximum seconds between taps

AML-DIG-003 — Geographic Anomaly

Sudden geographic shift in transaction location — potential account takeover.

ParameterValueDescription
distanceThresholdKm100Distance threshold in kilometers

Mobile Money Rules

Mobile money specific monitoring.

Rule IDNameSeverityKey Parameters
AML-MM-001Large Mobile Money TransactionMEDIUMthresholdAmount: 2000
AML-MM-002Excessive Mobile Money ActivityHIGHthresholdCount: 50, thresholdAmount: 500

AML-MM-001 — Large Mobile Money Transaction

Monitor large mobile money movements.

ParameterValueDescription
thresholdAmount2000Amount triggering monitoring

AML-MM-002 — Excessive Mobile Money Activity

Unusual mobile money velocity.

ParameterValueDescription
thresholdCount50Maximum transactions in window
thresholdAmount500Per-transaction threshold
timeWindowHours24Detection window

Vendor Specific Rules

Monitoring vendor transaction patterns.

Rule IDNameSeverityKey Parameters
AML-VND-001Vendor Disproportionate VolumeHIGHMonthly thresholds by business size
AML-VND-002Vendor Immediate Cash-OutHIGHminAmount: 2000, timeWindowMinutes: 30
AML-VND-003Vendor-to-Vendor TransferMEDIUMminAmount: 1000, thresholdCount: 2

AML-VND-001 — Vendor Disproportionate Volume

Vendor transaction volume inconsistent with business type/size.

ParameterValueDescription
monthlyThresholdSmallBusiness100000Monthly limit for small businesses
monthlyThresholdMedium500000Monthly limit for medium businesses

AML-VND-002 — Vendor Immediate Cash-Out

Vendor immediate cash-out after receiving payment — pass-through indicator.

ParameterValueDescription
minAmount2000Minimum payment amount
timeWindowMinutes30Maximum time between receive and cash-out
similarityPercentage70Amount similarity threshold (%)

AML-VND-003 — Vendor-to-Vendor Transfer

Inter-vendor transfers — unusual for retail, potential layering between shell businesses.

ParameterValueDescription
minAmount1000Minimum transfer amount
thresholdCount2Minimum transfers to trigger
timeWindowHours48Detection window

Counter-Financing of Terrorism detection.

Rule IDNameSeverityKey Parameters
AML-CFT-001Regular Small Payments PatternMEDIUMmaxAmount: 1000, minOccurrences: 4
AML-CFT-002Multiple Small Donors to One RecipientHIGHminDonors: 8, minAggregateAmount: 3000

AML-CFT-001 — Regular Small Payments Pattern

Regular scheduled small payments to same recipient — potential terrorism financing.

ParameterValueDescription
maxAmount1000Maximum individual amount
minOccurrences4Minimum recurring payments
lookbackDays30Detection window (days)
maxVariancePercentage20Maximum amount variance between payments (%)

AML-CFT-002 — Multiple Small Donors to One Recipient

Multiple small contributions aggregating to significant sum — crowdfunding terrorism financing typology.

ParameterValueDescription
minDonors8Minimum distinct donors
maxIndividualAmount500Maximum per-donor amount
minAggregateAmount3000Minimum total amount
timeWindowDays7Detection window (days)

Regional Risk Rules

Geographic risk assessment for Eswatini regions.

Rule IDNameSeverityKey Parameters
AML-GEO-001Border Region High-Risk TransactionsMEDIUMBorder region list
AML-GEO-002High-Crime Urban AreasLOWUrban center list

AML-GEO-001 — Border Region High-Risk Transactions

Border regions with higher cross-border crime risk.

ParameterValue
regionsHhohho, Lubombo, Matsapha, Ngwenya, Lomahasha, Lavumisa

AML-GEO-002 — High-Crime Urban Areas

Urban centers requiring enhanced monitoring.

ParameterValue
regionsManzini, Mbabane, Big Bend

Regulatory Reporting Rules

Mandatory reporting obligations.

AML-REP-001 — Mandatory CTR Threshold

Severity: CRITICAL

Mandatory FIU reporting for transactions >= SZL 50,000 (MLTFP Act Section 13).

ParameterValueDescription
reportingThreshold50000Mandatory CTR amount (SZL)

Business Sector Rules

Industry-specific risk assessment.

AML-BUS-001 — High-Risk Business Sector Transaction

Severity: MEDIUM

Cash-intensive businesses require enhanced scrutiny.

ParameterValueDescription
thresholdAmount2000Amount triggering sector-based alert
occupationsmoney_changer, casino, real_estate, car_dealer, jewelry, art_dealer, precious_metalsHigh-risk business types

DB Schema Reference

Rules are stored in the aml_rules table:

ColumnTypeDescription
idstringPrimary key
ruleIdstringUnique rule code (e.g., AML-TH-002)
namestringHuman-readable name
descriptionstringWhat the rule detects
categorystringRule category
conditionsJSONParameters and thresholds
actionsJSONActions when triggered
severityenumLOW, MEDIUM, HIGH, CRITICAL
isActivebooleanWhether rule is enabled
prioritynumberEvaluation priority
createdAttimestampCreation date
updatedAttimestampLast update

Internal use only - Keshless Payment Platform

Copyright © 2026 Keshless