Best Practice Rules
These are recommended workflow rule configurations for common compliance programs. Each rule set is designed to balance compliance rigor with operational efficiency. Customize the thresholds and priorities to match your organization's risk appetite.
For background on rule structure and the conditions system, see Workflow Rules.
Standard Fintech Program
For payment companies, neobanks, lending platforms, and general financial services. This is the most common configuration and closely mirrors the built-in defaults that TrustGate ships with.
Rule 1: Auto-Approve Low Risk
Applicants with low risk scores and no screening hits are approved immediately, reducing manual workload for your compliance team.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Auto-approve low risk",
"description": "Approve applicants with low risk and no screening hits",
"conditions": {
"risk_level": ["low"],
"has_sanctions_hit": false,
"has_pep_hit": false
},
"action": "auto_approve",
"priority": 100,
"is_active": true
}'
Rule 2: Manual Review for Medium Risk
Medium-risk applicants are routed to the review queue for a compliance officer to evaluate before a decision is made.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Review medium risk",
"description": "Route medium-risk applicants to manual review",
"conditions": {
"risk_level": ["medium"]
},
"action": "manual_review",
"priority": 200,
"is_active": true
}'
Rule 3: Auto-Reject Critical Risk with Sanctions
Applicants at critical risk who also have a confirmed sanctions hit are automatically rejected. This is the strongest automated action and should be set at a high priority.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Auto-reject critical sanctions",
"description": "Reject critical-risk applicants with confirmed sanctions hits",
"conditions": {
"risk_level": ["critical"],
"has_sanctions_hit": true
},
"action": "auto_reject",
"notify_on_match": true,
"notification_channels": ["email"],
"priority": 900,
"is_active": true
}'
Rule 4: Escalate PEP Hits
Any applicant flagged as a Politically Exposed Person is escalated to a senior compliance officer, regardless of their overall risk score.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Escalate PEP hits",
"description": "Escalate all PEP matches to senior compliance for enhanced due diligence",
"conditions": {
"has_pep_hit": true
},
"action": "escalate",
"assign_to_role": "senior_compliance",
"notify_on_match": true,
"priority": 800,
"is_active": true
}'
Rule 5: Flag High-Risk Countries
Applicants from FATF grey-list or black-list jurisdictions are routed to manual review with a notification, ensuring geographic risk is always surfaced.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Flag high-risk countries",
"description": "Manual review for applicants from FATF grey/black list countries",
"conditions": {
"country": ["KP", "IR", "SY", "MM", "AF", "YE"]
},
"action": "manual_review",
"notify_on_match": true,
"priority": 500,
"is_active": true
}'
Priority Summary
| Priority | Rule | Action |
|---|---|---|
| 900 | Auto-reject critical sanctions | auto_reject |
| 800 | Escalate PEP hits | escalate |
| 500 | Flag high-risk countries | manual_review |
| 200 | Review medium risk | manual_review |
| 100 | Auto-approve low risk | auto_approve |
High-Risk Industry Program
For crypto exchanges, gambling platforms, precious metals dealers, and other industries with elevated regulatory scrutiny. This configuration is intentionally conservative: it routes more applicants to manual review and uses lower risk thresholds for automated actions.
Rule 1: Auto-Reject Any Sanctions Hit
In high-risk industries, any sanctions match triggers an automatic rejection with immediate notification. No exceptions.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Auto-reject sanctions",
"description": "Immediately reject any applicant with a sanctions hit",
"conditions": {
"has_sanctions_hit": true
},
"action": "auto_reject",
"notify_on_match": true,
"notification_channels": ["email", "slack"],
"priority": 1000,
"is_active": true
}'
Rule 2: Escalate PEP Hits
PEP matches require senior review with enhanced due diligence documentation before any decision is made.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Escalate PEP hits",
"description": "PEP matches require senior compliance review and EDD",
"conditions": {
"has_pep_hit": true
},
"action": "escalate",
"assign_to_role": "senior_compliance",
"notify_on_match": true,
"notification_channels": ["email", "slack"],
"priority": 950,
"is_active": true
}'
Rule 3: Manual Review All Medium Risk and Above
In high-risk industries, anything above low risk goes to manual review. This is stricter than the standard fintech program.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Review medium risk and above",
"description": "All medium, high, and critical risk applicants require manual review",
"conditions": {
"risk_level": ["medium", "high", "critical"]
},
"action": "manual_review",
"notify_on_match": true,
"priority": 500,
"is_active": true
}'
Rule 4: Enhanced Country Screening
An expanded list of high-risk jurisdictions including FATF grey-list countries. Adjust this list based on your specific regulatory requirements.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Enhanced country screening",
"description": "Manual review for expanded high-risk country list (FATF grey + black list)",
"conditions": {
"country": ["KP", "IR", "SY", "MM", "AF", "YE", "PK", "HT", "VU", "JM", "TZ", "UG"]
},
"action": "manual_review",
"notify_on_match": true,
"notification_channels": ["email"],
"priority": 800,
"is_active": true
}'
Rule 5: Auto-Approve Only Lowest Risk
Only applicants with a risk score below 20 and no screening hits of any kind are auto-approved.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Auto-approve lowest risk only",
"description": "Auto-approve only when risk score is under 20 with no hits",
"conditions": {
"risk_score_max": 20,
"has_sanctions_hit": false,
"has_pep_hit": false
},
"action": "auto_approve",
"priority": 100,
"is_active": true
}'
Rule 6: Default Hold
Any applicant not caught by the above rules is placed on hold for investigation rather than defaulting to manual review.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Default hold for investigation",
"description": "Hold all remaining applicants for further investigation",
"conditions": {},
"action": "hold",
"priority": 0,
"is_active": true
}'
Priority Summary
| Priority | Rule | Action |
|---|---|---|
| 1000 | Auto-reject sanctions | auto_reject |
| 950 | Escalate PEP hits | escalate |
| 800 | Enhanced country screening | manual_review |
| 500 | Review medium risk and above | manual_review |
| 100 | Auto-approve lowest risk only | auto_approve |
| 0 | Default hold for investigation | hold |
Low-Friction Program
For low-risk use cases such as age verification, basic identity confirmation, loyalty programs, or non-financial onboarding. This configuration maximizes throughput by auto-approving most applicants and only flagging truly problematic cases.
Rule 1: Auto-Reject Sanctions
Even in low-friction programs, sanctions matches must always be caught.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Reject sanctions hits",
"description": "Always reject applicants with sanctions matches",
"conditions": {
"has_sanctions_hit": true
},
"action": "auto_reject",
"notify_on_match": true,
"priority": 1000,
"is_active": true
}'
Rule 2: Review Critical Risk Only
Only critical-risk applicants go to manual review. High and medium risk are auto-approved in this program.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Review critical risk",
"description": "Only critical-risk applicants require manual review",
"conditions": {
"risk_level": ["critical"]
},
"action": "manual_review",
"priority": 500,
"is_active": true
}'
Rule 3: Auto-Approve Everything Else
All remaining applicants are auto-approved. This is the catch-all rule with the lowest priority.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Auto-approve all others",
"description": "Default: auto-approve all applicants not caught by higher-priority rules",
"conditions": {},
"action": "auto_approve",
"priority": 0,
"is_active": true
}'
Priority Summary
| Priority | Rule | Action |
|---|---|---|
| 1000 | Reject sanctions hits | auto_reject |
| 500 | Review critical risk | manual_review |
| 0 | Auto-approve all others | auto_approve |
How to Load These Rules
Option 1: Create Rules via API
Use the POST /api/v1/workflows/rules endpoint to create each rule individually, as shown in the cURL examples above. This gives you full control over every rule and its configuration.
Option 2: Seed TrustGate Defaults
If you want a quick starting point, use the seed endpoint to load TrustGate's built-in default rule set. The defaults are similar to the Standard Fintech Program above.
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules/seed-defaults \
-H "Authorization: Bearer YOUR_API_KEY"
Response:
{
"status": "success",
"rules_created": 5,
"rule_names": [
"Auto-approve low risk",
"Escalate sanctions hits",
"Review high risk",
"Review high-risk countries",
"Default manual review"
]
}
The seed endpoint will return an error if your tenant already has existing workflow rules. Delete all existing rules first if you want to re-seed from defaults.
Option 3: Script It
Create a shell script that issues multiple cURL calls in sequence. This is useful for repeatable deployments across environments.
#!/bin/bash
API_URL="https://api.bytrustgate.com/api/v1/workflows/rules"
AUTH="Authorization: Bearer YOUR_API_KEY"
# Rule 1
curl -s -X POST "$API_URL" \
-H "$AUTH" -H "Content-Type: application/json" \
-d '{"name":"Auto-approve low risk","conditions":{"risk_level":["low"],"has_sanctions_hit":false,"has_pep_hit":false},"action":"auto_approve","priority":100}'
# Rule 2
curl -s -X POST "$API_URL" \
-H "$AUTH" -H "Content-Type: application/json" \
-d '{"name":"Review medium risk","conditions":{"risk_level":["medium"]},"action":"manual_review","priority":200}'
# Add more rules as needed...
echo "Rules created."
Customizing Rules
Adjusting Risk Thresholds
The risk_level condition accepts any combination of low, medium, high, and critical. You can also use risk_score_min and risk_score_max for numeric thresholds instead of named levels.
For example, to flag anyone with a risk score of 40 or above for manual review:
{
"name": "Review elevated risk scores",
"conditions": {
"risk_score_min": 40
},
"action": "manual_review",
"priority": 300
}
The risk score ranges that correspond to named levels are:
| Score Range | Risk Level |
|---|---|
| 0-25 | low |
| 26-50 | medium |
| 51-75 | high |
| 76-100 | critical |
Adding Country Lists
The country condition accepts ISO 3166-1 alpha-2 country codes as a list. Add or remove codes to match your regulatory requirements. Common high-risk country groupings:
- FATF Black List:
KP,IR,MM - FATF Grey List (partial):
SY,AF,YE,PK,HT,VU,JM,TZ,UG
Combining Conditions
All conditions in a rule use AND logic. Every condition must match for the rule to fire. To create OR logic, use separate rules at the same priority level.
For example, to escalate applicants who are either PEP or from a high-risk country, create two rules:
{
"name": "Escalate PEPs",
"conditions": {"has_pep_hit": true},
"action": "escalate",
"priority": 800
}
{
"name": "Escalate high-risk countries",
"conditions": {"country": ["KP", "IR", "SY"]},
"action": "escalate",
"priority": 800
}
Changing Priorities
Rules are evaluated from highest priority to lowest. The first matching rule determines the action. When designing your rule set:
- 900-1000: Hard blocks and critical escalations (sanctions, auto-rejects)
- 700-899: Screening-based escalations (PEP, country risk)
- 400-699: Risk-level-based routing (high risk, medium risk)
- 100-399: Permissive rules (auto-approve low risk)
- 0-99: Default catch-all rules
Testing Before Deployment
Use the test endpoint to verify a rule matches the applicants you expect before activating it:
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules/{rule_id}/test \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"applicant_id": "APPLICANT_UUID"}'
This returns a detailed breakdown of which conditions matched and which did not, without taking any action on the applicant.
Next Steps
- Workflow Rules -- Full API reference for rule CRUD operations
- Risk Factors -- Configure which signals feed into risk scoring
- Country Risk -- Geographic risk configuration
- About Risk Scoring -- How risk scores are calculated