Every transaction is scored in under 80ms by an XGBoost model trained on your fraud patterns. A configurable rule engine applies business-specific blocks and reviews — with full SHAP explainability, a fraud analyst queue, and an immutable audit log for regulatory compliance.
<80ms
decision latency
real-time scoring
0.1%
false positive rate
precision-tuned model
94%
fraud detection rate
on validation set
100%
transactions logged
full audit trail
Typical build: 5–7 week sprint · Fixed price · Zero delivery risk
Trigger
Transaction event
Decision latency
<80ms P99
Model
XGBoost + rules
Fraudsters adapt faster than manual rule updates. A rule written for last month's fraud pattern misses this month's attack. Without an ML layer, your false negative rate climbs steadily as fraud evolves while your team plays catch-up.
Blunt velocity rules block legitimate customers travelling, buying in new categories, or making large purchases. Every false positive is a customer service call, a churned user, or an unrecovered transaction — all preventable costs.
When a transaction is blocked, analysts can't see why without an explainability layer. This slows review queue resolution and makes it impossible to identify whether a block was a model error or a genuine fraud catch.
This is the actual pipeline Kovil AI builds and deploys — not a diagram. Here's what runs inside every node.
The fraud detection pipeline is triggered by a transaction event stream — either a Kafka topic (for high-volume payment processors) or a synchronous webhook (for lower-volume integrations). The event payload contains: transaction_id, user_id, amount, currency, merchant_id, merchant_category, device_fingerprint, IP address, geolocation, payment method type, and timestamp. The pipeline must return a decision within 80ms for card-present transactions.
A Python feature engineering layer queries Redis for the user's transaction history and computes 50+ features in real time: transaction velocity (txns in last 1/5/15/60 minutes), average transaction amount deviation, new merchant flag, new device flag, impossible travel score (distance / time since last transaction), time-of-day anomaly score, and merchant risk category. Historical features are precomputed and cached in Redis with a 24-hour TTL.
The feature vector is passed to a trained XGBoost or LightGBM classifier. The model returns a fraud_probability score between 0 and 1, a risk_tier (low / medium / high), and the top 5 feature importances for that specific prediction (used for analyst explainability). The model is retrained weekly on new confirmed fraud labels. Model serving is via FastAPI with model versioning — multiple model versions can run simultaneously for A/B testing.
The ML score is passed to a configurable decision engine that applies business-specific rules on top of the raw probability. Rules include: hard blocks (score > 0.95 always blocks), velocity limits (>5 transactions in 60 seconds always reviews), whitelist (known good merchant IDs bypass), blacklist (known bad user IDs always block), and amount-based thresholds. Rules are stored as admin-configurable YAML — no engineering change needed to add or modify a rule.
Based on the decision engine output, the pipeline takes one of three actions: BLOCK — the transaction is declined and the user receives an immediate decline notification with a support contact. REVIEW — the transaction is held and the user is prompted for 3D Secure or OTP verification (for borderline risk). APPROVE — the transaction passes and the payment is authorised. Fraud analyst queue items are enriched with the full feature vector, ML score, and rule trigger for efficient manual review.
All blocked and reviewed transactions are written to a fraud case management system. Analysts see: the full feature vector, ML score breakdown with SHAP values, rule trigger details, the user's full transaction history, and recommended actions. Real-time Slack alerts fire for high-value blocked transactions (configurable threshold). The case management system tracks resolution outcomes — which are fed back as labels for model retraining.
Every transaction — approved, blocked, or reviewed — is written to an immutable audit log with: transaction ID, timestamp, feature vector snapshot, model version, fraud score, decision engine output, rule triggers, and final action taken. The log supports SAR (Suspicious Activity Report) generation, PCI-DSS audit requirements, and scheme (Visa/Mastercard) fraud reporting. Retention is configurable per jurisdiction (typically 5–7 years).
ML fraud scoring
Gradient boosting classifier trained on confirmed fraud labels. Returns a 0–100 fraud probability score with SHAP feature importances for explainability.
Feature engineering & model serving
Computes 50+ real-time behavioural features and serves the ML model via a low-latency FastAPI endpoint with sub-80ms P99 response time.
Real-time feature cache
Caches user transaction velocity, device history, and merchant interaction features with TTL expiry for sub-millisecond feature lookups.
Transaction event stream
High-throughput transaction event pipeline for payment processors. Supports millions of transactions per day with guaranteed delivery and replay.
Orchestration & alerting
Manages the non-real-time parts: analyst queue enrichment, Slack fraud alerts, case management updates, and daily reporting.
Audit log & case management
Immutable fraud decision log with full feature vector snapshots. Supports SAR generation, regulatory reporting, and model retraining data pipelines.
Kovil AI scopes, builds, trains, and deploys this pipeline end-to-end. You get a production fraud system with trained model, configurable rules, and analyst tooling — fully managed delivery.
During the build sprint, we train the initial model on your historical confirmed fraud labels (minimum 6 months of data recommended). We use your transaction data to engineer features relevant to your specific product — card payments, ACH, crypto, or lending. The model is then validated on a holdout set and calibrated to your target false positive rate before deployment.
The end-to-end pipeline (feature engineering + model inference + decision engine) is designed for sub-80ms P99 latency for synchronous integrations. Feature caching in Redis is the primary latency lever — cache hit rates above 95% are typical for active users. For Kafka-based integrations with async decision delivery, latency targets are relaxed to sub-500ms.
False positive rate is the primary optimisation target during calibration. We tune the decision threshold to your specified false positive budget (typically 0.1–0.5% of legitimate transactions). The review queue (soft block + 3DS/OTP) handles borderline cases without hard declining them. Post-launch, we monitor false positive rates weekly and retune as needed — included in the post-launch support period.
Yes. Business rules are stored in a YAML configuration file. Adding, modifying, or removing rules (thresholds, whitelists, blacklists, velocity limits) requires only a config update and pipeline restart — no code deployment. We document every configurable rule parameter and provide a rules management runbook during handover.
The audit log captures all data required for PCI-DSS fraud monitoring compliance: transaction IDs, timestamps, model scores, decision rationale, and analyst actions. The system supports SAR generation for AML reporting. Specific regulatory requirements vary by jurisdiction and licence type — we review these during scoping and configure the logging schema accordingly.
Book a 30-minute discovery call. We'll scope the fraud pipeline for your transaction volumes, fraud patterns, and regulatory requirements — fixed price, zero delivery risk.
Typical sprint: 5–7 weeks · Fixed-price · Fully managed delivery · Post-launch support included