Financial Security + Anti-Fraud 2026 Deep Dive — Feedzai, Featurespace (Visa), Sift, Forter, Riskified, Stripe Radar, BioCatch, Socure, Jumio

Prologue — Fraud is an industry, and 2026 is an inflection point

In the early 2020s, anti-fraud was still a small team in the corner of a payments company. 2026 is different. Per Nilson Report, annual card fraud losses cleared $40B+; combined estimates from ACI Worldwide and LexisNexis Risk Solutions push global fraud losses near $2T global fraud loss. The two dominant axes are CNP (card-not-present) and ATO (account takeover), while scam-type fraud — voice phishing, romance scams, invoice fraud — causes losses of 2조원/yr in Korea alone.

In the US and Europe, Feedzai, Featurespace, Sift, Forter, Riskified, Stripe Radar, and Adyen RevenueProtect run the payment fraud line; NICE Actimize and FICO Falcon handle bank transaction monitoring; BioCatch, Socure, and Jumio handle identity and behavior. Visa's 2024 acquisition of Featurespace (around $1B) signaled that card networks want a native ML fraud engine.

Korea integrates cards, internet banking, and mobile through SuperBee anomaly detection, KB STAR Fraud Detection, Shinhan SAFE, Woori ARMS, and SecuLetter. Japan defends 不正利用 400億엔/yr with NEC Fraud Detection, NTT Data Anti-fraud, SMBC FraudDetection, and Rakuten BlueGate. Per 警察庁 statistics, SMS and e-commerce impersonation now dominate.

This piece maps the full landscape — what fraud patterns matter, which models, signals, and architectures are used, how they're operated, and how regulators and auditors enter the picture.

Chapter 1 · Fraud taxonomy — CNP, ATO, scam-type, BEC

The first step in fraud detection is classification. The same word "fraud" hides very different signals and SLAs.

CNP requires <50ms decisioning as the industry standard; ATO mixes behavioral signals, device signals, and threat intelligence. APP is the hardest category because victims wire money willingly — the UK Payment Systems Regulator made reimbursement mandatory in October 2024.

Chapter 2 · Feedzai — Portugal-born global ML fraud platform

Feedzai started in 2011 in Coimbra, Portugal. Founder Nuno Sebastiao came from academia and built a platform that applies ML to real-time transaction streams across payment fraud, transfer fraud, and AML.

Two core assets. First, the OpenML/FairML platform — model training, serving, monitoring, and explainability in one loop. Second, RiskOps — fraud, AML, and disputes (chargebacks) on a unified case system.

Lloyds Banking Group, Citi, Standard Chartered, and Banco BPI run real-time transaction monitoring on Feedzai. The SLA is <50ms decisioning with billions of transactions per day.

# Feedzai-style: GBM-based transaction fraud scoring (concept code)
import lightgbm as lgb
import numpy as np

FEATURES = [
    "amount_log",
    "merchant_risk_score",
    "country_risk_score",
    "velocity_1h_count",
    "velocity_24h_amount",
    "is_new_merchant",
    "is_new_device",
    "card_age_days",
    "geo_distance_last_tx_km",
    "time_since_last_tx_min",
    "is_holiday",
    "device_risk_score",
]

model = lgb.LGBMClassifier(
    n_estimators=800,
    num_leaves=63,
    learning_rate=0.03,
    subsample=0.8,
    colsample_bytree=0.8,
    objective="binary",
    metric="auc",
    is_unbalance=True,
)

def score(feature_vec: np.ndarray) -> dict:
    """Return fraud probability for a single transaction. <50ms is the target."""
    p = float(model.predict_proba(feature_vec.reshape(1, -1))[0][1])
    if p < 0.02:
        return {"action": "approve", "score": p}
    if p < 0.15:
        return {"action": "3ds_challenge", "score": p}
    if p < 0.45:
        return {"action": "manual_review", "score": p}
    return {"action": "decline", "score": p}

The pattern is to split thresholds into three steps — challenge, review, decline — to reduce false positives while catching false negatives.

Chapter 3 · Featurespace — Visa acquisition and the ARIC engine

Featurespace was born out of Cambridge, UK. In September 2024 Visa announced an acquisition for roughly $1B. The core tech is ARIC (Adaptive Real-time Individual Change-detection) — per-individual behavior modeling in real time.

Traditional GBM treats each transaction as an independent unit. ARIC differs: for each card/account it maintains a time-varying behavior model (Bayesian + neural net) and measures "unusual relative to this individual." HSBC, NatWest, TSYS, and Worldpay deployed it at scale.

The Visa acquisition is clear in intent: Visa wants to ship an ML fraud engine on top of VisaNet directly. That puts it head-to-head with Mastercard's Decision Intelligence + Brighterion (acquired 2017) lineup.

Chapter 4 · Sift (formerly Sift Science) — Digital Trust & Safety

Sift started in 2011 in San Francisco. Originally called Sift Science, now simply Sift. Beyond payment fraud, it covers ad fraud, content abuse, and account abuse under the umbrella of Digital Trust & Safety.

The core asset is global network data — 16,000+ sites feed into Sift, and a fraud signal at one site instantly propagates to others. This is the Sift Trust Graph.

Customers include DoorDash, Twitter (now X), Indeed, Yelp, and Patreon. Four product lines: Payment Protection, Account Defense, Dispute Management, and Content Integrity.

Chapter 5 · Forter — e-commerce payment fraud specialist

Forter started in 2013 in Israel. The angle is approval-first — focusing on not declining legitimate orders, rather than only minimizing fraud.

The cost of a single false positive in e-commerce averages 5-10x the order value. Nordstrom, ASOS, Sephora, and Priceline use Forter to recover that revenue.

Forter ships a chargeback guarantee model — if Forter approves a transaction and a chargeback follows, Forter pays. This creates strong alignment with the merchant.

Chapter 6 · Riskified — original chargeback guarantee model

Riskified (2012, Israel) industrialized the chargeback guarantee model. It IPO'd on NYSE in 2021 (RSKD); customers include Allbirds, Wayfair, and Prada.

Two core products — Decide (approve/decline) and Recover (auto-dispute on chargeback). Recover submits evidence (IP, shipping confirmation, AVS match, 3DS result) directly to card-network dispute systems.

Forter vs Riskified is the duopoly of CNP-fraud guarantee in e-commerce. The differences are pricing model and industry depth — Forter is hosted, Riskified is guarantee + recovery integrated.

Chapter 7 · Stripe Radar — the 99%+ accuracy story

Stripe Radar is the ML fraud detection embedded in Stripe. Radar for Fraud Teams is a separate SKU with a rule builder and case queue workflow.

Stripe's edge is the single-dataset scale — Stripe sees transactions from millions of merchants on the same pipeline. A fraud card spotted at one merchant immediately propagates. Per Stripe public posts, Radar classifies signals with 99%+ accuracy.

# Stripe Radar-style: rule + ML hybrid on transaction metadata (concept code)
from dataclasses import dataclass

@dataclass
class TxContext:
    amount_usd: float
    currency: str
    card_fingerprint: str
    ip_country: str
    billing_country: str
    cvc_check: str
    avs_check: str
    is_3ds: bool
    velocity_24h: int
    radar_ml_score: float  # 0.0-1.0

def radar_decide(ctx: TxContext) -> str:
    # 1. Rules: explicit block
    if ctx.cvc_check == "fail":
        return "block:cvc_fail"
    if ctx.velocity_24h > 10 and ctx.amount_usd > 500:
        return "block:velocity"
    # 2. 3DS challenge routing
    if ctx.radar_ml_score > 0.65 and not ctx.is_3ds:
        return "3ds_challenge"
    # 3. ML threshold
    if ctx.radar_ml_score > 0.85:
        return "block:ml"
    return "allow"

Radar is the rule + ML hybrid in production. Rules are merchant-tunable, ML is Stripe-operated with global data.

Chapter 8 · Adyen RevenueProtect — PSP-native anti-fraud

Adyen is a Dutch PSP that processes Spotify, Uber, eBay, and Booking. RevenueProtect is the anti-fraud module fused with Adyen's payment infrastructure.

The differentiator is payment ↔ fraud ↔ acquiring integration. A rule change is immediately reflected in payment routing (which acquirer to use). Similar to Stripe Radar's PSP-native model, but Adyen's depth in European card networks is distinct.

RevenueProtect leans hard on 3DS 2.0 + delegated authentication — optimizing PSD2 SCA (Strong Customer Authentication) exemptions via ML to minimize false friction.

Chapter 9 · NICE Actimize — global standard for transaction monitoring + AML

NICE Actimize is the financial crime division of Israel-based NICE. It covers payment fraud plus AML (anti-money-laundering), market manipulation, and employee misconduct — an integrated fraud + financial crime platform.

Core suites are IFM-X (Integrated Fraud Management), SAM (Suspicious Activity Monitoring), and CDD-X (Customer Due Diligence). HSBC, JP Morgan, and Wells Fargo deploy it.

Actimize's edge is AML + fraud integration — APP (authorized push payment) fraud overlaps with money-laundering patterns. Running them as separate systems means analysts see the same actor twice. Actimize unifies them in one case queue.

Chapter 10 · FICO Falcon Fraud — a neural net running since 1992

FICO Falcon Fraud launched in 1992 as a card-fraud detection product, and it's one of the original financial ML systems. It was neural-net-based from the start.

Per FICO, roughly 70% of card issuers and banks globally monitor card fraud on Falcon. Many Korean card issuers run it too.

Falcon's strength is the Consortium Model — globally anonymized data shares fraud signals across customers. A card flagged as fraud in the US automatically raises the risk score of cards under the same BIN in Korea.

# Falcon-style: consortium signal + per-card signal blend (concept code)
import numpy as np

def falcon_score(card_features, consortium_features, weights=(0.6, 0.4)):
    """
    card_features: per-card signals (velocity, geo, merchant_mcc)
    consortium_features: global fraud signals (BIN risk, merchant risk)
    """
    w_card, w_cons = weights
    card_risk = float(np.dot(card_features, np.random.randn(len(card_features))))
    cons_risk = float(np.dot(consortium_features, np.random.randn(len(consortium_features))))
    combined = w_card * card_risk + w_cons * cons_risk
    return 1 / (1 + np.exp(-combined))  # sigmoid 0-1

The 30-year FICO know-how is how to anonymize consortium data while preserving accuracy.

Chapter 11 · BioCatch — behavioral biometrics across 400+ banks

BioCatch (2011, Israel) leads the behavioral biometrics market. As of 2026 it is deployed in 400+ banks with billions of checks.

Behavioral biometrics looks at five clusters of signals.

• Typing rhythm — key down/up timing, between-key interval (flight time)
• Mouse pattern — curves, angles, velocity changes, jitter
• Touch gestures — swipe length, angle, pressure
• Device handling — gyroscope + accelerometer signal
• Interactions — dwell, scroll behavior, form-fill order

BioCatch catches two things with these signals — ATO (account takeover) and APP (voice phishing, romance scam). APP is especially interesting — when a victim transfers under coercion or guidance, the resulting behavior (long dwell, hesitation, off-rhythm input) is statistically distinct.

# BioCatch-style: keystroke rhythm based user identification (concept code)
import numpy as np
from sklearn.ensemble import IsolationForest

def extract_keystroke_features(events):
    """
    events: [{key, down_ms, up_ms}, ...]
    Returns dwell time, flight time statistics.
    """
    dwells, flights = [], []
    for i, e in enumerate(events):
        dwells.append(e["up_ms"] - e["down_ms"])
        if i > 0:
            flights.append(e["down_ms"] - events[i - 1]["up_ms"])
    return np.array([
        np.mean(dwells), np.std(dwells),
        np.mean(flights) if flights else 0.0,
        np.std(flights) if flights else 0.0,
    ])

# Per-user baseline model, returns anomaly score
def fit_user_baseline(history_features):
    return IsolationForest(contamination=0.05).fit(history_features)

def anomaly_score(baseline, current):
    return float(-baseline.score_samples(current.reshape(1, -1))[0])

BioCatch calls itself "continuous authentication" — not a single login event, but verification throughout the session.

Chapter 12 · Socure and Jumio — the identity verification duopoly

Identity verification (IDV) is the most important defense at onboarding. Socure and Jumio dominate globally.

Socure is strong in the US market. It blends SSN, name, DOB, email, phone, and device to produce an ID-match score. Capital One, Chime, and Public.com use it. Core tech is ID+ (intelligence matching) and Sigma Fraud (anomaly detection).

Jumio (2010, Palo Alto + Vienna) is the global standard for KYC + selfie + document verification. It recognizes ID documents from 200+ countries, supports NFC chip reading, and ships liveness detection in one flow. HSBC, Revolut, and BlaBlaCar use it.

Chapter 13 · Device fingerprinting — Fingerprint, Iovation, Distil

Device fingerprinting is one of the oldest tools in fraud detection — identifying devices without cookies.

Major vendors include Fingerprint (formerly FingerprintJS, split off in 2020) and Iovation (now part of TransUnion). Fingerprint offers a free open-source library plus a paid Pro model. Per vendor claims, accuracy is 99.5%+.

Signals combine 100+ browser/device cues — Canvas fingerprint, WebGL, AudioContext, fonts, timezone, screen resolution, battery, media devices, fonts list, plugins. Android/iOS native add IMEI surrogates and ID for Vendors.

# Fingerprint-style: device signal hashing (concept code)
import hashlib
import json

def device_fingerprint(signals: dict) -> str:
    """
    signals: {
        "canvas_hash": "...",
        "webgl_hash": "...",
        "audio_hash": "...",
        "fonts": [...],
        "timezone": "Asia/Seoul",
        "screen": "1920x1080@2x",
        "user_agent": "...",
    }
    """
    canonical = json.dumps(signals, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

The art is balance — too narrow and the same device looks different; too loose and different devices collide.

Chapter 14 · Transaction graphs — GNN-based ring fraud detection

Fraud is rarely a lone act — it's a ring. The same device, email domain, or wire-payee links many accounts. Graph neural networks (GNN) are strong at finding these rings.

Account A ──(same device)── Account B
   │                              │
   │(same IP/24)                  │(same payee)
   ▼                              ▼
Account C ──(same address)── Account D

Classic ML treats nodes as independent. GNNs read neighbor information — even if a node's own risk score is low, high-risk neighbors push the score up.

// Neo4j: money transfer fraud ring detection (concept query)
MATCH (a:Account)-[:USED_DEVICE]->(d:Device)<-[:USED_DEVICE]-(b:Account)
WHERE a <> b
WITH d, collect(distinct a) + collect(distinct b) AS accounts
WHERE size(accounts) > 5
MATCH (acc:Account)-[t:TRANSFER]->(recv:Account)
WHERE acc IN accounts
  AND t.amount > 1000000  // local currency
  AND t.created_at > datetime() - duration({days: 7})
RETURN d, accounts, count(t) AS transfer_count
ORDER BY transfer_count DESC

This pattern is essential for catching money-mule networks behind voice phishing.

Chapter 15 · 3DS 2.0 + delegated authentication

3-D Secure 2 (3DS 2.0) is EMV's payment authentication protocol. Unlike 1.0 it offers risk-based authentication — the issuer reads transaction data and can decide "safe enough, don't challenge the user."

The flow looks like this.

[merchant] → ARes request (device + user + tx data)
   ↓
[issuer ACS] → risk assessment
   ├── low: frictionless flow (no user prompt)
   └── high: challenge flow (OTP/biometric)

PSD2 SCA (Strong Customer Authentication) is mandatory in Europe, but there are exemptions — Transaction Risk Analysis (TRA), low-value (€30 or below), merchant-initiated transactions (MIT), and trusted-beneficiary lists.

Delegated authentication is the newer PSD2 SCA flow — issuers can delegate authentication to the merchant. Apple Pay and Google Pay satisfying SCA via device authentication is the canonical example.

Chapter 16 · FIDO2 passwordless — the passkey era

FIDO2 combines WebAuthn and CTAP2 (client ↔ authenticator protocol) to deliver strong, passwordless authentication. As of 2026, Apple, Google, and Microsoft all support Passkeys as a standard primitive.

Passkeys cut fraud two ways.

• Phishing-resistant: domain-bound, so they don't work on lookalike sites.
• Device-bound: private keys live in Secure Enclave/TPM/StrongBox.

Banks moving from passwords to Passkeys can cut a large fraction of ATO. Per Microsoft (2024), Passkey users see ATO at less than 1/10 the rate of password users.

Chapter 17 · Korea — voice phishing 2조원/yr, SuperBee, KB STAR, Shinhan SAFE, Woori ARMS

Korea's biggest peculiarity is voice phishing + messenger phishing. Cumulative voice-phishing losses in 2023-2024 per FSS and National Police Agency were around 2조원/yr, driven by impersonation of prosecutors, FSS, or loan officers.

The response stack.

• SuperBee: cross-card-issuer + bank anomaly detection collaboration network, with consortium data spotting BIN-level fraud.
• KB STAR Fraud Detection: KB Financial's in-house ML fraud system across internet banking transfers, card payments, and FX.
• Shinhan SAFE: Shinhan's integrated fraud platform — channel × product unified rules + ML.
• Woori ARMS: Woori Bank's Anti-fraud Risk Management System, with call analysis (customer center vs scammer impersonation) integrated.
• SecuLetter: email fraud / smishing security solution (BEC, invoice fraud).

Since 2024 FSS mandates multistage controls on suspicious voice-phishing transfers — delayed settlement, temporary suspension, and ATM withdrawal-limit reductions.

Chapter 18 · Japan — 不正利用 400億엔/yr, NEC, NTT Data, SMBC, Rakuten

Japan's annual card fraud losses, per JCA (Japan Credit Association), are 不正利用 400億엔/yr, with 90%+ in CNP.

Key vendors.

• NEC Fraud Detection: NEC's ML-based anti-fraud, used across banks, card issuers, and insurers.
• NTT Data Anti-fraud: NTT Data's anti-fraud platform, integrated with CAFIS (the domestic card-acquiring network).
• SMBC FraudDetection: SMBC Card's in-house fraud engine, paired with CardDX (digital card) and stronger ID checks.
• Rakuten BlueGate: Rakuten Group's payment authentication + fraud detection, unifying Rakuten Ichiba, Rakuten Card, and Rakuten Bank.

Per 警察庁 data, SMS and e-commerce impersonation grew 3x or more between 2020 and 2024. In November 2024 Japan's government tightened guidelines to mandate eKYC + マイナンバーカード-based identity proofing.

Chapter 19 · Model stack — GBM, neural net, GNN roles

A 2026 fraud-detection stack is typically three layers.

1. GBM (LightGBM / XGBoost): first-pass transaction-level scoring. Fast and strong on well-known features. Easy to meet <50ms decisioning SLAs.
2. Neural net (LSTM/Transformer): sequence pattern learning. Reads the last N transactions per user and flags anomalies.
3. GNN (GraphSAGE/PinSAGE): network structure learning. Asks "who is connected to whom" and "which ring." Usually runs offline or near-real-time and feeds embeddings into the real-time model.

# Hybrid: sequence model + graph signal (concept code)
import torch
import torch.nn as nn

class FraudHybrid(nn.Module):
    def __init__(self, tx_dim, graph_dim, hidden=128):
        super().__init__()
        self.tx_lstm = nn.LSTM(tx_dim, hidden, batch_first=True)
        self.graph_proj = nn.Linear(graph_dim, hidden)
        self.head = nn.Sequential(
            nn.Linear(hidden * 2, 64),
            nn.ReLU(),
            nn.Linear(64, 1),
        )

    def forward(self, tx_seq, graph_emb):
        _, (h, _) = self.tx_lstm(tx_seq)
        tx_h = h[-1]
        g = self.graph_proj(graph_emb)
        cat = torch.cat([tx_h, g], dim=-1)
        return torch.sigmoid(self.head(cat))

The point is that ensembles + guardrails beat any single model — when one model degrades, the others catch the slack.

Chapter 20 · <50ms decisioning infrastructure

The industry-standard SLA for real-time payment fraud is <50ms decisioning. The full merchant ↔ issuer round-trip lives in a 2-3 second budget, leaving roughly 50 ms for the fraud engine.

Patterns to hit it.

• Feature store: Redis / Aerospike / ScyllaDB to cache per-user/card/device signals. p99 read 1-2 ms.
• Model serving: ONNX Runtime, NVIDIA Triton, BentoML. CPU inference around p99 10 ms.
• Routing: Envoy / HAProxy for multi-region load balancing.
• Async updates: Kafka for transaction streaming, feature refresh by minute.

One Feedzai public case study has a global bank processing 5 billion transactions per day at p99 30 ms.

Chapter 21 · Explainability and regulation — GDPR, CCPA, FFIEC, FSS, JFSA

ML fraud detection has explainability obligations. EU GDPR Article 22 requires "meaningful information" about automated decisions. The US FFIEC and FCRA require adverse-action notices for credit/financial automated decisions.

Korea's FSS released an AI Guideline for Finance in 2021 and revised it in 2024, classifying fraud detection as a high-risk domain. Japan's FSA published guidelines in 2023 covering ML model governance, explainability, and monitoring.

In practice the response is SHAP/LIME-style model explanation libraries plus case-level audit logs. Decision reasons must be stored in a human-readable form and made available within 30 days when disputed.

Chapter 22 · Vendor matrix — global anti-fraud landscape

Chapter 23 · Fraud-pattern comparison — KR vs US vs JP

If the US is CNP-dominant, Korea is dominated by social-engineering and voice phishing; Japan leans on SMS phishing and e-commerce impersonation. Model design priorities shift accordingly.

Chapter 24 · Operational checklist — before launching a new fraud model

Pre-launch checks.

• Data split: time-based (train < val < test by time)? No leakage?
• Class imbalance: fraud is 0.1-1% of base. Stratified sample + class weight + focal loss.
• Feature leakage: does any post-label signal (e.g. chargeback outcome) leak into training features?
• Cost alignment: cost of one false positive vs one false negative? Choose threshold via expected loss.
• A/B guardrails: ship the challenger at 5-10% traffic for 7-14 days.
• Model monitoring: PSI/KS for input drift, ROC/PR for output drift.
• Incident response: if blocks spike, can you auto-roll-back?
• Regulatory logs: decision trace, SHAP attributions, 30-day dispute response.

References

1. Nilson Report — Card Fraud Losses Annual Report 2024 / 2025.
2. ACI Worldwide — Scamscope Report 2024.
3. LexisNexis Risk Solutions — True Cost of Fraud Study 2024.
4. Feedzai — RiskOps Platform Documentation. https://feedzai.com/
5. Featurespace — ARIC Risk Hub Whitepaper (Visa acquisition press release, 2024-09).
6. Sift — Digital Trust & Safety Index 2024.
7. Forter — Chargeback Guarantee Whitepaper.
8. Riskified — Annual Report 2024 (RSKD).
9. Stripe — Radar Documentation. https://stripe.com/docs/radar
10. Adyen — RevenueProtect Documentation. https://www.adyen.com/risk-management
11. NICE Actimize — Integrated Fraud Management (IFM-X) Datasheet.
12. FICO — Falcon Fraud Platform Datasheet.
13. BioCatch — Behavioral Biometrics Report 2024.
14. Socure — Sigma Fraud Suite Documentation.
15. Jumio — KYX Platform Documentation.
16. Fingerprint — Device Identification Whitepaper.
17. EMVCo — 3-D Secure 2.x Specification.
18. FIDO Alliance — FIDO2 / WebAuthn / Passkey Specifications.
19. PSD2 — Regulatory Technical Standards on SCA (EBA).
20. UK Payment Systems Regulator — APP Fraud Reimbursement Policy (2024-10).
21. FFIEC — Authentication and Access to Financial Institution Services Guidance.
22. Korea Financial Supervisory Service — AI Guideline for Finance (2021, revised 2024).
23. Korea National Police Agency — Voice Phishing Statistics (2023, 2024).
24. 警察庁 — 不正利用 and 特殊詐欺 Statistics (2020-2024).
25. Japan Credit Association — Card Fraud Loss Statistics.
26. Aite-Novarica — Global Anti-Fraud Vendor Landscape 2024.
27. Microsoft — Passkey Adoption Report 2024.
28. Neo4j — Graph Database for Fraud Detection Whitepaper.
29. Mastercard — Decision Intelligence + Brighterion Overview.
30. Visa — Visa Acquires Featurespace Press Release (2024-09-26).