Real-Time Fraud Detection
Graph neural network + transformer + gradient-boosted tree ensemble for a digital bank processing 2M+ daily transactions. Detects synthetic identity fraud, account takeover, and transaction anomalies in 47ms.
The Problem
A digital-first bank with 2M+ daily transactions was losing $12M annually to fraud. Existing rule-based system caught 40% of fraudulent transactions but generated an 8.3% false positive rate, blocking legitimate customers and creating support overhead. Synthetic identity fraud and sophisticated account takeover attacks were undetectable by rules.
The Dataset
18 months of transaction data: 1.2B transactions, 4.2M accounts, 180K labeled fraud cases across 12 fraud typologies. Graph data: account-to-account transfer networks, device fingerprints, session behavior sequences, and geolocation trajectories. Feature store with 400+ engineered features per transaction.
Model & Approach
Three-model ensemble with learned meta-classifier:
- Graph Neural Network (GNN): GraphSAGE architecture on the transaction network graph — detects money mule rings, synthetic identity clusters, and collusion patterns invisible to per-transaction analysis.
- Temporal Transformer: Sequence model on per-account transaction history — captures behavioral anomalies, session hijacking patterns, and out-of-pattern spending.
- Gradient-Boosted Trees (XGBoost): Feature-engineered model on 400+ tabular features — handles velocity checks, device anomalies, geolocation jumps, and known pattern matching.
- Meta-Classifier: Lightweight neural net combining the three model outputs with confidence calibration and explainability scores.
Architecture
Kafka stream ingestion → real-time feature computation (Flink) → parallel model inference (GNN, Transformer, XGBoost) → meta-classifier → decision engine → multi-tier review routing. Feature store (Feast) for online/offline feature consistency. Model serving via Triton Inference Server with GPU acceleration for GNN/Transformer, CPU for XGBoost.
Deployment
AWS with multi-AZ redundancy. Kubernetes with GPU nodes for model inference. Blue-green deployment with shadow mode: new models run in parallel for 2 weeks before going live. Automated retraining pipeline runs weekly on new fraud labels. SOC 2 Type II compliant infrastructure with PCI DSS encryption standards.
Results
ROI
$8.2M annual savings — $6.8M from reduced fraud losses + $1.4M from lower false positive support costs. 75% reduction in manual fraud analyst review queue. Regulatory compliance improved: zero BSA/AML audit findings since deployment.
Why It Was Hard
Latency was the constraint. All three models must return predictions in under 100ms for real-time transaction decisioning. The GNN required pre-computed graph embeddings updated every 5 minutes—stale embeddings miss new fraud rings.
Class imbalance was extreme: 0.015% fraud rate. Standard training produced a model that said "not fraud" 99.985% of the time and was technically accurate. SMOTE oversampling + focal loss + stratified sampling solved this.
What We Learned
The GNN was the differentiator. It caught fraud patterns that per-transaction models fundamentally cannot detect—collusion rings, money mule networks, and synthetic identity clusters. The ensemble outperformed any single model by 23% on F1 score.
Shadow mode deployment is non-negotiable for fraud systems. Two weeks of parallel running caught 3 edge cases that would have blocked legitimate high-value transactions.
FAQ
Does this work with existing fraud rules?
Yes. The AI runs alongside rule-based systems. Rules catch known patterns; AI catches novel patterns and synthetic identity fraud that rules miss.
How do you handle false positives?
Multi-tier review: low-confidence → automated secondary check; medium → analyst queue; high-confidence → blocked immediately. 2.1% false positive rate with continuous retraining.
What's the latency budget?
Sub-100ms requirement. Our system achieves 47ms p95 including feature computation, inference, and decision routing.