Model Input Features

Audience: Data Science, Fraud Operations, IT
Last updated: March 2026
Version: 4.2

FraudShield AI models consume five categories of input features: transaction attributes, account and entity attributes, behavioral enrichment data, third-party enrichment data, and historical profile aggregates. This page describes each category, the specific fields used, and their data requirements.

Required vs. recommended fields: Required fields must be present in the API request for scoring to proceed. Recommended fields are optional but significantly improve model accuracy. Missing recommended fields degrade risk coverage for specific risk indicator (RI) categories. Fields marked enrichment are added by the platform; you don't need to supply these in the request.

Transaction attributes

Core fields describing the payment event. These are always available from the originating payment system and should be included in every scoring request.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| transaction_id | string | Required | Unique transaction identifier from core banking. Used for idempotency and audit trail correlation. |
| transaction_type | string (enum) | Required | Payment type. Values: WIRE, ACH_CREDIT, ACH_DEBIT, RTP, FEDNOW, CARD_CNP, P2P, INTERNAL_TRANSFER. |
| channel | string (enum) | Required | Originating channel. Values: WEB, MOBILE, BRANCH, API, IVR, BATCH. |
| amount | decimal | Required | Transaction amount in the currency specified. Supports up to 2 decimal places. |
| currency | string (ISO 4217) | Required | ISO 4217 currency code, e.g. USD, EUR, GBP. |
| timestamp | ISO 8601 datetime | Required | Transaction initiation time in UTC. Used for velocity calculations and time-of-day pattern analysis. |
| memo | string | Recommended | Payment description or reference. Used by NLP memo analysis for social engineering signal detection. |

Account and entity attributes

Identifies the originating account and beneficiary. Both originator and beneficiary data are used by RI calculations for relationship analysis and new payee detection.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| originator.account_id | string | Required | Internal account identifier for the sending party. Used as the primary profile lookup key. |
| originator.customer_id | string | Required | Customer CIF or party ID. Enables cross-account entity profiling. |
| originator.account_open_date | ISO 8601 date | Recommended | Account opening date. Drives the RI_ACCOUNT_AGE_DAYS and Early Account Monitoring (EAM) risk indicators. |
| beneficiary.account_number | string | Required | Destination account number. Hashed and used for new payee detection and mule account matching. |
| beneficiary.routing_number | string | Recommended | ABA routing number or equivalent. Used for domestic bank classification and high-risk routing analysis. |
| beneficiary.country | string (ISO 3166-1) | Recommended | Destination country code. Required for RI_PAYEE_HIGH_RISK_COUNTRY and OFAC/sanctions list matching. |
| beneficiary.name | string | Recommended | Beneficiary name. Used for name-account consistency checks and watchlist screening. |
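
A client-side pre-flight check for the required and recommended fields in the two tables above, reporting which coverage is lost when a recommended field is absent. This is an added example, not FraudShield code: `lookup`, `check_request` and the sample values are hypothetical, and reading dotted field names as nested JSON objects is an assumption.

```python
from datetime import datetime, timedelta

# Field names and enum values are from the tables on this page; reading
# dotted names as nested JSON objects is an assumption.
REQUIRED = ("transaction_id transaction_type channel amount currency "
            "timestamp originator.account_id originator.customer_id "
            "beneficiary.account_number").split()
RECOMMENDED = {  # field -> what the page says relies on it
    "memo": "NLP memo analysis",
    "originator.account_open_date": "RI_ACCOUNT_AGE_DAYS, EAM",
    "beneficiary.routing_number": "high-risk routing analysis",
    "beneficiary.country": "RI_PAYEE_HIGH_RISK_COUNTRY, sanctions matching",
    "beneficiary.name": "name-account consistency, watchlist screening",
}
ENUMS = {"channel": set("WEB MOBILE BRANCH API IVR BATCH".split()),
         "transaction_type": set("WIRE ACH_CREDIT ACH_DEBIT RTP FEDNOW "
                                 "CARD_CNP P2P INTERNAL_TRANSFER".split())}

def lookup(doc, dotted):
    """Resolve 'a.b' in nested dicts; None if any level is missing."""
    for key in dotted.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def check_request(req):
    """Return (errors, degraded): blocking problems and coverage gaps."""
    missing = {f for f in [*REQUIRED, *RECOMMENDED]
               if lookup(req, f) in (None, "")}
    errors = [f"missing required field: {f}" for f in REQUIRED if f in missing]
    for field, allowed in ENUMS.items():
        if field not in missing and str(req[field]) not in allowed:
            errors.append(f"{field}: not a documented enum value")
    if "timestamp" not in missing:
        try:  # normalise a trailing Z for older Python versions
            ts = datetime.fromisoformat(str(req["timestamp"]).replace("Z", "+00:00"))
            if ts.utcoffset() != timedelta(0):
                errors.append("timestamp: must carry a UTC offset")
        except ValueError:
            errors.append("timestamp: not ISO 8601")
    return errors, {f: RECOMMENDED[f] for f in RECOMMENDED if f in missing}

# Constructed sample request: every required field, two recommended ones.
SAMPLE = {"transaction_id": "TXN-0001", "transaction_type": "WIRE",
          "channel": "WEB", "amount": "2500.00", "currency": "USD",
          "timestamp": "2026-03-14T09:30:00Z", "memo": "invoice 1001",
          "originator": {"account_id": "ACC-1", "customer_id": "CIF-1"},
          "beneficiary": {"account_number": "000123456789", "country": "US"}}
if __name__ == "__main__":
    print(check_request(SAMPLE))
```

Logging the `degraded` map per channel shows which integrations are silently scoring without account-age or beneficiary coverage.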

Behavioral enrichment data

Behavioral signals are supplied by your channel (web or mobile SDK) and describe how the user interacted with the session. These are among the most predictive features for account takeover detection. Integrate the FraudShield Behavioral SDK to capture these signals automatically.

| Field | Type | Description | RIs enabled |
| --- | --- | --- | --- |
| behavioral.session_id | string | Session identifier from the web or mobile SDK. Links behavioral data to the session profile. | All behavioral RIs |
| behavioral.keystroke_dynamics | object | Keystroke timing (dwell time, flight time) captured during credential entry. Compared against the user's enrolled biometric model. | RI_KEYSTROKE_ANOMALY_SCORE |
| behavioral.mouse_dynamics | object | Mouse movement velocity, click patterns, scroll behavior. Detects automated tooling and remote access sessions. | RI_SESSION_NAVIGATION_BOT |
| behavioral.navigation_path | array | Ordered list of pages/screens visited before the transaction was submitted. Unusual paths (direct-to-payment) are high-risk signals. | RI_NAVIGATION_ANOMALY |
| behavioral.session_duration_s | integer | Total session duration in seconds. Very short sessions with high-value payments are a mule indicator. | RI_SESSION_DURATION_SHORT |
| behavioral.copy_paste_detected | boolean | Whether the account number or beneficiary field was copy-pasted rather than typed. Associated with social engineering scams. | RI_COPY_PASTE_BENEFICIARY |

Third-party enrichment data

FraudShield AI calls configured enrichment providers at scoring time and automatically appends the results to the transaction before RI calculation. You don't supply these fields in the API request — the platform manages provider calls internally.

| Enrichment type | Provider (default) | Key fields added | RIs enabled |
| --- | --- | --- | --- |
| IP intelligence | MaxMind GeoIP2 + IPQualityScore | ip_country, ip_city, is_vpn, is_tor, is_proxy, fraud_score | RI_IP_COUNTRY_MISMATCH, RI_TOR_EXIT_NODE, RI_VPN_DETECTED |
| Device fingerprinting | ThreatMetrix (LexisNexis) | device_id, device_type, is_new_device, device_risk_score, remote_access_detected | RI_DEVICE_FINGERPRINT_CHANGE, RI_REMOTE_ACCESS_TOOL |
| Identity verification | Experian IdentityIQ / Socure | identity_score, synthetic_id_flag, address_verified | RI_SYNTHETIC_ID_SCORE, RI_ADDRESS_MISMATCH |
| Beneficiary account intelligence | Early Warning Services (Zelle network) | beneficiary_account_age_days, beneficiary_is_known_mule | RI_MULE_ACCOUNT_CONFIRMED, RI_NEW_PAYEE_FIRST_TXN |
| Sanctions screening | Accuity Firco / SWIFT Compliance Analytics | ofac_hit, sanctions_list_match | Triggers hard BLOCK decision (overrides score) |

Configuring enrichment providers: Enrichment provider credentials and call order are configured in enrichment-providers.yaml. See Model Configuration — Enrichment for details.

Historical profile aggregates

Behavioral profiles store aggregated historical transaction data for each account and entity. The profile store is updated in real time as each transaction is processed. RI calculations query profiles to compare the current transaction against the entity's established behavioral baseline.

Profile dimensions

| Dimension | Description | Time windows |
| --- | --- | --- |
| Account profile | Aggregates for a single account: rolling transaction counts, amounts, payee lists, channel usage, and average session characteristics. | 1H, 4H, 24H, 7D, 30D, 90D |
| Entity profile | Cross-account aggregates for the same customer (CIF). Detects velocity and amount anomalies across multiple accounts owned by one person. | 24H, 7D, 30D |
| Payee / beneficiary profile | History of transactions sent to a specific beneficiary account from any account in the institution. Used for mule account detection. | 7D, 30D, 90D |
| Device profile | Accounts and sessions associated with a device fingerprint. Identifies device sharing across unrelated accounts (mule network indicator). | 30D, 90D |
| Network graph | Entity relationship graph: shared phones, addresses, devices, IPs. Graph-based RIs use centrality and clustering scores to detect organized fraud rings. | Continuous (updated daily for bulk; real-time for known high-risk nodes) |

Profile maturation period

New accounts have limited behavioral history, which reduces the effectiveness of profile-based RIs. FraudShield AI applies an Early Account Monitoring (EAM) window for accounts opened in the last 90 days. During EAM, the platform:

Profile data quality drives model accuracy: Sending all transaction types (including low-value and approved transactions) to the scoring API ensures the profile store builds an accurate behavioral baseline. Selective scoring (only submitting high-value transactions) degrades velocity and baseline RIs.
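
The effect of selective scoring on an account profile, worked through on constructed data. This is an added example, not FraudShield code: the window labels come from the account profile row above, while `account_profile`, `amount_ratio` and the amount-over-mean comparison are hypothetical stand-ins for the platform's baseline RIs.

```python
from datetime import datetime, timedelta, timezone

# Window labels are the account-profile windows from the table above.
WINDOWS = {"1H": timedelta(hours=1), "4H": timedelta(hours=4),
           "24H": timedelta(hours=24), "7D": timedelta(days=7),
           "30D": timedelta(days=30), "90D": timedelta(days=90)}

def account_profile(history, now):
    """Rolling count/total per window from (utc_datetime, amount) pairs."""
    profile = {}
    for label, span in WINDOWS.items():
        amounts = [amt for ts, amt in history if now - span <= ts < now]
        profile[label] = {"count": len(amounts), "total": sum(amounts)}
    return profile

def amount_ratio(profile, amount, window="30D"):
    """Hypothetical baseline RI: current amount over the window's mean.
    Returns None when the window holds no history (immature profile)."""
    stats = profile[window]
    if stats["count"] == 0:
        return None
    return amount / (stats["total"] / stats["count"])

# Constructed history: a 40.00 payment every day for 28 days plus two
# 4000.00 payments, all on one account.
NOW = datetime(2026, 3, 15, 12, 0, tzinfo=timezone.utc)
FULL = [(NOW - timedelta(days=d), 40) for d in range(1, 29)]
FULL += [(NOW - timedelta(days=10, hours=3), 4000),
         (NOW - timedelta(days=20, hours=3), 4000)]
# Selective scoring: only payments of 1000.00 or more reached the API.
SELECTIVE = [(ts, amt) for ts, amt in FULL if amt >= 1000]

def compare(amount=4500):
    """Score the same payment against both profile variants."""
    full, sel = account_profile(FULL, NOW), account_profile(SELECTIVE, NOW)
    return {"full_ratio": amount_ratio(full, amount),
            "selective_ratio": amount_ratio(sel, amount),
            "full_7d_count": full["7D"]["count"],
            "selective_7d_count": sel["7D"]["count"]}

if __name__ == "__main__":
    print(compare())
```

With the full history the 4500.00 payment is roughly 15 times the 30D mean; with the selective history it is barely above the mean and the 7D velocity count is zero, so both signals go quiet.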