Designing a Real-Time Fraud Detection System

0,000 from new accounts, flag impossible travel) - Anomaly detection (isolation forest, autoencoder) for detecting novel fraud patterns the supervised model hasn't seen - A neural network (if latency budget allows) for complex feature interactions

*Latency:* The entire scoring pipeline must complete in < 100ms. Feature computation from pre-aggregated stores (Redis/Memcached) takes ~10-30ms. Model inference takes ~1-5ms. The bottleneck is feature retrieval, not model scoring.

3. Handling Class Imbalance:

• Cost-sensitive learning: Assign higher weight to fraud samples in the loss function. A false negative (missed fraud) costs orders of magnitude more than a false positive (declined legitimate transaction). Set class weights proportional to the cost ratio, not just the inverse frequency.
• Stratified sampling: Ensure every training batch contains fraud examples. Undersample the majority class rather than oversampling the minority -- SMOTE can create unrealistic synthetic examples.
• Evaluation metric: Never use accuracy. Use precision-recall AUC, or optimize for a specific recall target (e.g., catch 95% of fraud) and report the corresponding precision. The F1 score at the operating threshold is a useful summary.
• Threshold tuning: The model outputs a probability. The decision threshold should be set based on the business cost tradeoff: $\text{threshold}^{*} = \text{argmin} \; [C_{FN} \cdot FNR(t) + C_{FP} \cdot FPR(t)]$.
• Anomaly detection complement: Unsupervised methods (isolation forest, autoencoder reconstruction error) catch novel fraud patterns that the supervised model misses because they weren't in the training data.

4. Deployment and Monitoring:

*Deployment:* - Score every transaction in real-time. High-confidence fraud: auto-block. Low-confidence: auto-approve. Middle band: queue for human review. - Serve the model behind a low-latency API. Use a model registry (MLflow) for versioning.

*Monitoring:* - Track the score distribution over time. Distribution shift signals either changing fraud patterns or data pipeline issues. - Monitor precision and recall on a rolling basis using labeled data from human review. - Alert on sudden changes in fraud rate, score distribution, or feature distributions.

*Retraining:* - Retrain on a regular cadence (weekly or biweekly) incorporating newly labeled data. - Use the human review feedback loop: transactions flagged for review get labeled (fraud/not fraud) and feed back into training. - Watch for label delay: fraud may not be confirmed for days or weeks (chargebacks), so recent data has label noise. - A/B test new model versions: route a fraction of traffic to the new model and compare fraud catch rates.

Practical Considerations: - Cold start problem: new users have no behavioral history. Use population-level features and be more conservative (lower threshold) until sufficient history accumulates. - Adversarial adaptation: fraudsters learn the rules. Continuously add new features and retrain. Graph-based features (linking accounts by shared attributes) are harder to game than transaction-level features. - Explainability: regulations (and customer support) require explaining why a transaction was declined. Tree-based models with SHAP values provide this.

Answer: Build a layered pipeline: rule-based filters for obvious cases, a gradient-boosted tree for real-time ML scoring (< 100ms), and human review for the uncertain middle. Engineer behavioral and velocity features from pre-aggregated user profiles. Handle class imbalance with cost-sensitive learning and PR-AUC evaluation. Monitor score distributions and retrain weekly with feedback from human review labels.