Surveillance
Post-trade market abuse detection and KYT monitoring
The surveillance service monitors every executed trade in real time via a post-trade hook. It detects market abuse patterns and generates alerts for compliance review. Alerts are queryable via the admin API.
Detection Patterns
Wash Trading
Detects circular trade patterns where the same account executes matching buy and sell orders on the same symbol with the same quantity within a 5-minute window.
| Parameter | Value |
|---|---|
| Detection window | 5 minutes |
| Match criteria | Same account, same symbol, opposite sides, same quantity |
| Severity | High |
| Action | Alert generated, trade IDs recorded |
Large Trade Alerts
Flags trades with notional value exceeding a configurable threshold.
| Parameter | Default |
|---|---|
| Threshold | $100,000 |
| Severity | Medium |
Structuring Detection
Identifies potential structuring (smurfing) where multiple transactions are placed just below the Currency Transaction Report (CTR) threshold to avoid reporting requirements.
| Parameter | Default |
|---|---|
| CTR threshold | $10,000 |
| Detection range | 80% -- 99% of threshold ($8,000 -- $9,900) |
| Minimum transactions | 3 within window |
| Detection window | 24 hours |
| Severity | High |
Velocity Monitoring
Detects abnormally high trading frequency for a single account.
| Parameter | Default |
|---|---|
| Window | 1 hour |
| Max trades | 50 per window |
| Dedup | One alert per account per window |
| Severity | Medium |
Price Spike Detection
Uses second-derivative analysis to detect parabolic/exponential price movements. The algorithm splits the observation window into two halves, computes the rate of price change in each half, and triggers if:
- Total price change exceeds the spike threshold (default 10%), or
- Acceleration (rate-of-change increase) exceeds the acceleration threshold (default 5%) and total move exceeds half the spike threshold
| Parameter | Default |
|---|---|
| Window | 5 minutes |
| Max price change | 10% |
| Acceleration threshold | 5% (second derivative) |
| Severity | Medium (high if >2x threshold, critical if >2x threshold) |
| Dedup | One alert per symbol per window |
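The two-half check described above, written out as an added Go example (not the service's own code). It assumes prices are evenly spaced samples ordered oldest to newest, and that acceleration means the second-half percent move minus the first-half percent move, compared by magnitude; `DetectSpike` and `SpikeResult` are hypothetical names.

```go
package main

import (
	"fmt"
	"math"
)

// SpikeResult is a hypothetical result type for this example.
type SpikeResult struct {
	TotalPct  float64 // percent change across the whole window
	AccelPct  float64 // |second-half rate| minus |first-half rate|
	Triggered bool
	Reason    string // "total_move", "acceleration", or ""
}

// pctChange returns the percent change from a to b (a must be > 0).
func pctChange(a, b float64) float64 { return (b - a) / a * 100 }

// DetectSpike applies the two-half rule to prices sampled within one window,
// ordered oldest to newest. Thresholds are percentages (page defaults: 10, 5).
func DetectSpike(prices []float64, spikePct, accelPct float64) SpikeResult {
	var r SpikeResult
	n := len(prices)
	if n < 3 || prices[0] <= 0 || prices[n/2] <= 0 {
		return r // too few samples or unusable prices: no decision
	}
	first := pctChange(prices[0], prices[n/2])
	second := pctChange(prices[n/2], prices[n-1])
	r.TotalPct = pctChange(prices[0], prices[n-1])
	r.AccelPct = math.Abs(second) - math.Abs(first) // assumed definition
	total := math.Abs(r.TotalPct)
	switch {
	case total > spikePct:
		r.Triggered, r.Reason = true, "total_move"
	case r.AccelPct > accelPct && total > spikePct/2:
		r.Triggered, r.Reason = true, "acceleration"
	}
	return r
}

func main() {
	// Constructed sample windows, not real market data.
	steady := []float64{100, 101, 102, 103, 104}
	parabolic := []float64{100, 100.5, 101, 104, 108}
	fmt.Printf("%+v\n", DetectSpike(steady, 10, 5))
	fmt.Printf("%+v\n", DetectSpike(parabolic, 10, 5))
}
```

The parabolic window moves only 8% in total, below the 10% spike threshold, but still triggers through the acceleration branch because most of the move happens in the second half.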
Alert Structure
Each alert contains:
| Field | Description |
|---|---|
| id | Unique alert identifier |
| type | wash_trading, large_trade, structuring, velocity, price_spike |
| severity | low, medium, high, critical |
| account_id | Account that triggered the alert |
| symbol | Affected instrument |
| details | Human-readable description |
| trade_ids | List of trades involved |
| created_at | When the alert was generated |
| status | open, investigating, resolved, escalated |
Alert Types
| Type | Code | Description |
|---|---|---|
| Wash Trading | wash_trading | Circular trade pattern |
| Spoofing | spoofing | Order placement/cancellation patterns |
| Layering | layering | Multi-level order manipulation |
| Front Running | front_running | Trading ahead of client orders |
| Insider Trading | insider_trading | Material non-public information |
| Market Manipulation | market_manipulation | General manipulation |
| Structuring | structuring | Just-below-threshold transactions |
| Velocity | velocity | Unusual trade frequency |
| Large Trade | large_trade | Trade above notional threshold |
| Price Spike | price_spike | Abnormal price acceleration |
KYT Configuration
The Know Your Transaction (KYT) configuration is tunable at runtime via surveillance.Service.SetKYTConfig():
```go
cfg := surveillance.KYTConfig{
	CTRThreshold:        10000,  // USD
	LargeTradeThreshold: 100000, // USD
	VelocityWindow:      1 * time.Hour,
	VelocityMaxTrades:   50,
	StructuringWindow:   24 * time.Hour,
	StructuringMinTxns:  3,
	PriceSpikeWindow:    5 * time.Minute,
	PriceSpikeMaxPct:    10.0, // percent
	PriceSpikeAccelPct:  5.0,  // percent
}
svc.SetKYTConfig(cfg)
```
Admin Endpoints
| Endpoint | Description |
|---|---|
| GET /v1/admin/surveillance/alerts | List all alerts |
| GET /v1/admin/surveillance/alerts?status=open | Filter by status |
| POST /v1/admin/markets/{symbol}/halt | Halt market (manual circuit breaker) |
| POST /v1/admin/markets/{symbol}/resume | Resume halted market |
Alerts with severity high or critical should be escalated to compliance for potential SAR filing with FinCEN.
Alert Lifecycle
```
Detection -> Alert Created (open)
                   |
      Investigation (investigating)
                   |
       +-----------+-----------+
       |           |           |
   Escalated    Resolved     Filed
   (to legal)  (false pos)  (SAR/STR)
```