Risk Scoring Model

Audience: Fraud Operations, Data Science
Last updated: March 2026
Version: 4.2

The FraudShield AI Engine risk scoring model produces a composite Risk Score (0–1000) for every transaction in real time. The score aggregates signals from over 200 Risk Indicators (RIs), behavioral profile data, and one or more ML detection models tuned for specific transaction channels and fraud typologies.

Real-time only: The risk score is always calculated synchronously, before a transaction is authorized or posted. Decisions returned by the Decisioning Engine are applied inline, not retrospectively.

Score architecture

The composite risk score is built in three layers. Each layer feeds into the next before the final score is produced.

Score computation layers
Layer 1: Risk Indicators (RIs)
  ─────────────────────────────────────────────────────────────────
  Raw transaction + enrichment data + behavioral profiles
  → 200+ RIs calculated (each RI returns a sub-score 0–100)
  Examples:
    RI_VELOCITY_TRANSFER_1H     : 78   (high velocity in last 1 hour)
    RI_NEW_PAYEE_FIRST_TXN      : 90   (new beneficiary, first transaction)
    RI_IP_COUNTRY_MISMATCH      : 65   (IP country ≠ account country)
    RI_DEVICE_FINGERPRINT_CHANGE: 55   (new device not seen before)
    RI_AMOUNT_SPIKE_3SD         : 82   (amount > 3 std deviations above mean)

Layer 2: Detection Models (channel-specific ML)
  ─────────────────────────────────────────────────────────────────
  RI sub-scores + raw features → XGBoost / Neural Network model
  → Model output: fraud probability (0.00–1.00)
  → Scaled to 0–950 within the composite score

Layer 3: Composite Risk Score
  ─────────────────────────────────────────────────────────────────
  Weighted combination of model output + policy rule boosts
  → Final Risk Score: 0–1000
  → Risk level: LOW / MEDIUM / HIGH / CRITICAL
  → Decision: APPROVE / STEP-UP / REVIEW / BLOCK

Risk Indicators (RIs)

A Risk Indicator is a calculated signal derived from the current transaction, historical behavioral profile data, or external enrichment. Each RI produces a numeric sub-score (0–100) that represents the degree of anomaly or risk for that specific signal.

RI categories

| Category | Description | Example RIs | Count |
|---|---|---|---|
| Velocity | Transaction frequency and volume over rolling time windows (1H, 4H, 24H, 7D, 30D) | RI_VELOCITY_TRANSFER_1H, RI_COUNT_PAYEES_24H | 38 |
| Amount anomaly | Deviation of transaction amount from historical mean and percentiles for the entity | RI_AMOUNT_SPIKE_3SD, RI_AMOUNT_ROUND_NUMBER | 24 |
| Beneficiary / payee | New payee, high-risk payee country, payee account age, and payee network analysis | RI_NEW_PAYEE_FIRST_TXN, RI_PAYEE_HIGH_RISK_COUNTRY | 31 |
| Device & channel | Device fingerprint changes, new browser, unusual channel for entity, channel switching | RI_DEVICE_FINGERPRINT_CHANGE, RI_CHANNEL_SWITCH_SAME_SESSION | 27 |
| Network / IP | IP geolocation mismatch, VPN/proxy detection, impossible travel, TOR exit node | RI_IP_COUNTRY_MISMATCH, RI_TOR_EXIT_NODE | 19 |
| Behavioral biometrics | Keystroke dynamics, mouse movement patterns, session navigation anomalies | RI_KEYSTROKE_ANOMALY_SCORE, RI_SESSION_NAVIGATION_BOT | 22 |
| Account lifecycle | Account age, recent credential change, dormancy break, new payee ratio | RI_ACCOUNT_AGE_DAYS, RI_CREDENTIAL_CHANGE_72H | 18 |
| Network graph | Entity-to-entity relationships, mule network indicators, shared device/IP clustering | RI_MULE_NETWORK_SCORE, RI_SHARED_DEVICE_CLUSTER | 27 |

Detection models

Detection models are channel- and typology-specific ML models that transform RI values and raw transaction features into a fraud probability score. Each model is trained on labeled fraud data for its specific detection domain.

Available detection models

| Model ID | Detection domain | Algorithm | Channels | Status |
|---|---|---|---|---|
| MDL_WIRE_ATO | Account Takeover — Wire / RTGS | XGBoost | Web, Mobile | Active |
| MDL_ACH_FRAUD | ACH fraud — debit origination | XGBoost + rule ensemble | ACH origination | Active |
| MDL_RTP_MULE | Money mule — RTP / FedNow | Neural network (LSTM) | RTP, FedNow | Active |
| MDL_CARD_CNP | Card-not-present fraud | Gradient Boosting | eCommerce, API | Active |
| MDL_1PF_APPFRAUD | First-party fraud — application | Logistic Regression + XGBoost stacking | New account, loan origination | Active |
| MDL_INTERNAL_EMP | Insider / employee fraud | Isolation Forest + XGBoost | Internal banking systems | Beta |

Model selection is automatic: FraudShield AI selects the appropriate detection model based on the transactionType and channel fields in the incoming transaction. You don't need to specify a model ID in the API request.

Score ranges and risk levels

The composite Risk Score maps to four risk levels. The default decision thresholds below apply out of the box. Your fraud operations team should tune these thresholds to match your institution's risk appetite.

| Score range | Risk level | Default decision | Typical action |
|---|---|---|---|
| 0 – 299 | LOW | APPROVE | Transaction passes through. No alert generated. |
| 300 – 549 | MEDIUM | APPROVE | Transaction passes. Soft alert logged for batch review. |
| 550 – 749 | HIGH | STEP-UP / REVIEW | Challenge authentication presented or alert sent to Case Manager. |
| 750 – 1000 | CRITICAL | BLOCK | Transaction blocked. Real-time alert to Case Manager and SIEM. |

Thresholds are configurable: Default thresholds are a starting point only. For production deployments, calibrate thresholds against your false positive rate (FPR) and false negative rate (FNR) targets. See Threshold Tuning for the full process.
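The sketch below is an added example, not FraudShield code. It scales a model probability into the composite range, maps the result to the default bands above, and measures FPR and FNR for a candidate BLOCK threshold. The function names are hypothetical, the sample is constructed, and the policy boost is assumed to be simply added, because this page does not give the actual weighting.

```python
from bisect import bisect_right

# Default bands from the table above: (lower bound, risk level, default decision).
DEFAULT_BANDS = [
    (0, "LOW", "APPROVE"),
    (300, "MEDIUM", "APPROVE"),
    (550, "HIGH", "STEP-UP / REVIEW"),
    (750, "CRITICAL", "BLOCK"),
]

def composite_score(fraud_probability, policy_boost=0):
    """Scale a probability (0.00-1.00) to 0-950, add a boost, clamp to 0-1000.

    Assumption: the boost is additive; a negative boost suppresses the score.
    """
    if not 0.0 <= fraud_probability <= 1.0:
        raise ValueError("fraud probability must be within 0.00-1.00")
    return max(0, min(1000, round(fraud_probability * 950) + policy_boost))

def classify(score, bands=DEFAULT_BANDS):
    """Return (risk level, decision) for a composite score in 0-1000."""
    if not 0 <= score <= 1000:
        raise ValueError("composite score must be within 0-1000")
    lowers = [lower for lower, _, _ in bands]
    if lowers[0] != 0 or lowers != sorted(set(lowers)):
        raise ValueError("bands must start at 0 and ascend without duplicates")
    _, level, decision = bands[bisect_right(lowers, score) - 1]
    return level, decision

def error_rates(labelled_scores, block_at):
    """(FPR, FNR) if every score >= block_at were blocked.

    labelled_scores: list of (score, is_fraud) pairs containing both classes.
    """
    legit = [s for s, is_fraud in labelled_scores if not is_fraud]
    fraud = [s for s, is_fraud in labelled_scores if is_fraud]
    if not legit or not fraud:
        raise ValueError("sample needs both legitimate and fraudulent cases")
    fpr = sum(s >= block_at for s in legit) / len(legit)
    fnr = sum(s < block_at for s in fraud) / len(fraud)
    return fpr, fnr

# Constructed sample: (composite score, confirmed fraud?)
SAMPLE = [(120, False), (310, False), (560, False), (770, False),
          (640, True), (760, True), (905, True), (980, True)]

if __name__ == "__main__":
    score = composite_score(0.60, policy_boost=200)
    print(score, classify(score))
    for threshold in (550, 750):
        print(threshold, error_rates(SAMPLE, threshold))
```

On the constructed sample, lowering the BLOCK threshold from 750 to 550 removes the missed fraud case but doubles the share of legitimate transactions blocked.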

Scoring workflow

  1. Transaction received

    The core banking or payment system sends the transaction event to the FraudShield Scoring API (POST /api/v3/score) synchronously before authorization.

  2. Enrichment

    The platform calls configured enrichment providers (IP intelligence, device fingerprinting, behavioral biometrics, identity verification) and appends enrichment data to the transaction object.

  3. Profile lookup

    The behavioral profile store is queried for account-level and entity-level aggregates: rolling counts, amounts, payee lists, and session history.

  4. RI calculation

    All applicable Risk Indicators are evaluated using the enriched transaction + profile data. Each RI returns a sub-score (0–100). High-value RIs are flagged for the explainability output.

  5. ML model scoring

    The channel-specific detection model ingests RI values and raw features, returning a fraud probability that is scaled into the composite score range.

  6. Policy rule evaluation

    Configurable policy rules in the Decisioning Engine can boost or suppress the score, or override the decision outright (for example, a regulatory hold or whitelist match).

  7. Decision returned

    The scoring API returns the composite score, risk level, decision, top contributing RIs, and a correlation ID — typically within 80–150 ms end to end.

Multi-channel model coverage

FraudShield AI models are trained and calibrated per channel. The same transaction amount and beneficiary may carry very different risk scores depending on whether the transaction originated via mobile push payment, web banking, or a branch instruction. Channel context is always a first-class feature.

| Channel | Base Transaction Activity (BTA) | Primary detection models |
|---|---|---|
| Web banking | WEB_EXTERNAL_TRANSFER, WEB_BILL_PAY | MDL_WIRE_ATO, MDL_ACH_FRAUD |
| Mobile app | MOB_EXTERNAL_TRANSFER, MOB_P2P | MDL_WIRE_ATO, MDL_RTP_MULE |
| ACH origination | ACH_CREDIT_ORIGINATION, ACH_DEBIT_ORIGINATION | MDL_ACH_FRAUD |
| RTP / FedNow | RTP_SEND, FEDNOW_SEND | MDL_RTP_MULE, MDL_WIRE_ATO |
| Card (CNP) | CARD_CNP_PURCHASE, CARD_CNP_AUTH | MDL_CARD_CNP |
| New account / origination | NEW_ACCOUNT_OPEN, LOAN_APPLICATION | MDL_1PF_APPFRAUD |