Implementation Guide - Transaction and Activity monitoring | FrankieOne

Prerequisites

Access to the APIs and proper authentication

Your Customer Success Manager will provide you with a starter pack containing everything you need for each environment. You should have the following:

Resource	UAT / Sandbox	Production
Portal URL	https://portal.uat.frankie.one	https://portal.frankie.one
API Base URL	https://api.uat.frankie.one/v2	https://api.frankie.one/v2
Transaction and Activity Monitoring API Base URL	https://api.uat.frankie.one/v2	https://api.frankie.one/v2
Customer ID	Your unique UAT Customer ID	Your unique Production Customer ID
API Key	Your secret UAT API Key	Your secret Production API Key

Test your connection

The easiest way to verify that your credentials and connection are working is to call our simple health check endpoint: /ruok. This endpoint doesn’t require a request body and is used purely to confirm successful authentication.

Request - Health check

curl --location '[https://api.uat.frankie.one/v2/kyc/ruok](https://api.uat.frankie.one/v2/kyc/ruok)' \--header 'api_key: {{your_uat_api_key}}' \--header 'X-Frankie-CustomerId: {{your_uat_customer_id}}'

Response

If you receive an error, double-check that your API key and Customer ID are correct and that you are using the correct base URL for the environment.

Workflow configured for transaction and activity monitoring

Confirm your workflow setup

Before you can start verifying customers, your account needs to be configured with at least one workflow and one service profile. Your Customer Success Manager typically sets these up for you.

You can confirm your setup by calling the GET /v2/workflows endpoint. This will list all the executable monitoring workflows available to you. For Transaction and Activity Monitoring, it is critical to have only one workflow with a lifecyclePhase: MONITORING and monitoringTypes: [“ACTIVITY”]

Request - Get workflows

curl --location '[https://api.uat.frankie.one/v2/workflows](https://api.uat.frankie.one/v2/workflows)' \--header 'api_key: {{your_uat_api_key}}' \--header 'X-Frankie-CustomerId: {{your_uat_customer_id}}'

You should receive a 200 OK response with a workflows array. If the array is empty, please contact your Customer Success Manager to get your workflows published.

Response - Get workflows

{
  "requestId": "req_01J...",
  "workflows": [
    {
      "serviceName"   : "KYC",
      "workflowId"    : "wf_01J...",
      "workflowName"  : "Monitoring",
      "type"          : "SYSTEM",
      "lifecyclePhase": "MONITORING",
      "monitoringTypes": ["ACTIVITY"]
    }
  ]
}

Risk rules set up in the rule engine

Account configuration required

Device and behavioural intelligence must be configured for your account by FrankieOne. This includes advanced features like detecting multiple users linked to one device, IP address analysis, phone or mouse movement patterns, high-risk information entry (e.g. excessive copying and pasting), and remote software detection.

Please speak with your Customer Success Manager if you are interested in enabling or adjusting this feature.

Next Steps

You’ve successfully authenticated and confirmed your setup. Now you’re ready to start building. Follow our implementation guides for common use cases.

Integration Overview

Product function	Event and Transaction channels
Monitoring	Transaction and Activity Monitoring API Send financial transaction and non-financial activity details (e.g., registration, login, fiat deposits/withdrawals, crypto deposits/withdrawals, password changes, bank account changes, address changes) Evaluate the details provided against configured fraud and money laundering rulesets, incorporating risk data points like email/phone number analysis, behavioral fingerprint, device intelligence, time, and location
Review and manage	FrankieOne Portal, Transaction and Activity Monitoring API Manage and resolve alerts by changing statuses to False positive, True positive, and In review

Product function

Event and Transaction channels

Monitoring

Transaction and Activity Monitoring API

Send financial transaction and non-financial activity details (e.g., registration, login, fiat deposits/withdrawals, crypto deposits/withdrawals, password changes, bank account changes, address changes)
Evaluate the details provided against configured fraud and money laundering rulesets, incorporating risk data points like email/phone number analysis, behavioral fingerprint, device intelligence, time, and location

Review and manage

FrankieOne Portal, Transaction and Activity Monitoring API

Manage and resolve alerts by changing statuses to False positive, True positive, and In review

Getting started with Transaction and Activity Monitoring

1: Use the Transaction and Activity Monitoring API

Start sending transaction and activity details to FrankieOne by calling Evaluate an activity endpoint

Evaluate activity request

curl --location 'localhost:8103/v2/activities' \
--header 'X-Frankie-CustomerID: 3d6d52a5-aed0-4f22-86c0-4d78ae1e807a' \
--header 'api_key: X' \
--header 'Content-Type: application/json' \
--data '{
    "activity": {
        "session": {
            "token": "'"$TOKEN"'"
        },
        "party": {
            "entityId": "'"c5cd506d-9402-465c-a695-c800e4d8e330"'",
            "entityType": "INDIVIDUAL"
        },
        "detail": {
            "customAttributes": {
                "transactionRiskScore": {
                  "type": "NUMBER",
                  "value": "750" 
                },
                "purposeOfTransaction": {
                  "type": "STRING",
                  "value": "International property purchase"
                },
                "sourceOfFunds": {
                  "type": "STRING",
                  "value": "Savings from employment"
                }
            },
            "activityType": "TRANSACTION",
            "activityAt": "2025-09-02T05:38:02.000360071+00:00",
            "transaction": {
                "amount": 200000.00,
                "currency": "AUD",
                "currencyType": "FIAT",
                "transferMethod": "BANK_TRANSFER",
                "counterpartyAmount": 200000.00,
                "counterpartyCurrency": "AUD",
                "counterpartyCurrencyType": "FIAT",
                "counterpartyTransferMethod": "BANK_TRANSFER",
                "transactionType": "WITHDRAWAL",
                "description": "Payment for real estate in New York",
                "account": {
                    "type": "SAVINGS",
                    "pan": "331387321",
                    "hashedPan": "763d54d45eada3bd9431541d8478caea5d39027fe6e7211de67ac7ddf680092a",
                    "maskedPan": "******321",
                    "name": "super saver",
                    "class": "PERSONAL",
                    "externalIdentifier": "089217ASIJI99",
                    "externalIdentifierType": "EXTERNAL_ID_NUMBER"
                },
                "merchant": {
                    "merchantIdentifier": "REALESTATEINC001",
                    "industryCodes": [
                        {
                            "code": "6513",
                            "description": "Real Estate Agents and Managers",
                            "type": "MCC"
                        }
                    ]
                },
                "transactionIdentifier": "'"$TRANSACTION_ID"'"
            },
            "counterparty": {
                "entityName": "Global Property Investments LLC",
                "account": {
                    "type": "SAVINGS",
                    "pan": "123783133",
                    "hashedPan": "96b5c78f239e5d4b408ff0d934f7e6a930b2072e16461ebec57607ba16985643",
                    "maskedPan": "******133",
                    "name": "Property Sales Account",
                    "class": "BUSINESS"
                }
            }
        }
    }
}'

High-level process flow

Activity evaluation

Customer sends transaction / activity data to FrankieOne.
FrankieOne will pass the activity data to the service provider
- Frankie checks the entity data store and enrich the customer request with additional data
- Frankie enriches the activity data to the service provider, handling mapping between models
Vendor assesses the data provided against Customer rules to make a point-in-time evaluation of the activity risk.
- All risks, rules checked and additional evaluation data are returned to FrankieOne
- FrankieOne maps vendor data back to common model
FrankieOne will persist the resulting evaluation information
1. Create the activity record
  1. Create the device data retrieved from the provider
    1. Store the evaluation data (risk, signals etc)
  2. Return the evaluation data to the customer for a final risk-based decisioning
2. Asynchronous Enhanced Processing – Push an activity event to the internal message queue for enhanced processing
  1. The event message is consumed by the internal activity assessment service.
  2. If the activity does not meet the risk criteria to trigger an alert or further assessment, then no further action is taken.
  3. If the activity does meet the risk criteria for an alert, it will retrieve the activity data, and create an assessment result which represents the alert details.
  4. Once done, it will push a message into the workflow engine message queue to trigger relevant monitoring workflows.
  5. Inside the monitoring workflow, the Activity Monitor Step will consume relevant results to build up a view of alerts that should be actioned.
  6. This workflow will also generate risk assessments that combine risk factors across the onboarding and monitoring life cycle phases of the relevant entity.

The `session` object

Provides a token to link together activities within the same end-user session. This is important for identifying grouped activities and contributes to risk calculations by allowing FrankieOne to analyze a sequence of user actions as a single, coherent session. For example, all actions from a user login to a significant transaction can be linked together. The session token may be provided to tie in the activity to a longer running overall session. There are a few options for session tokens, including generating one via Create Individual Session or passing an existing one from your system.

The `party` object

Identifies the individual or organization performing the activity. It’s essential for linking the activity to an existing entity in FrankieOne. Key details include:

entityId: The unique identifier for the individual or organization in FrankieOne.
entityType: Specifies whether the party is an INDIVIDUAL or ORGANIZATION.

Additional details like addresses, emailAddresses, phoneNumbers, and externalReference (e.g. customer ID in your core banking system) help to give context the party’s profile for more accurate risk assessment.

The `details` object

Contains specific information about the activity being evaluated.

activityType: Categorizes the activity broadly (e.g. TRANSACTION, EVENT).
eventType: Provides a more granular classification of the activity (e.g. LOGIN, WITHDRAWAL, DEPOSIT, PASSWORD_CHANGE). This is critical for triggering specific rules relevant to the event.
activityAt: Timestamp of the activity.
customAttributes: Allows you to pass any additional context-specific data that might be relevant for your custom rules.

These objects are further detailed in the API documentation.

2: Review alerts

Once an activity has been deemed to be alerting, relevant workflows will be triggered and the alerts will be consumed and presented in the workflowResult object. This object is the key to understanding the outcome, the reason for any alerts, and the granular details of the checks performed. Operators will typically review these alerts via the Portal, where issues are flagged for manual review.

via API

Get the result of the evaluation by calling the Get Workflow Execution Results endpoint. The workflowResult object in the response will contain the comprehensive details needed to interpret the outcome.

Get workflow execution result request

curl https://api.uat.frankie.one/v2/individuals/entityId/serviceprofiles/serviceName/workflows/workflowName/executions/workflowExecutionId \
     -H "api_key: X" \
     -H "X-Frankie-CustomerID: 12345678-1234-1234-1234-123456789012"

via Portal

To learn how Fraud and Compliance Officers can review alerts generated via Portal here, review Entity View.

Interpreting the results

The workflowResult object provides a structured, top-down view of the evaluation. Here’s how to interpret the key sections, focusing on Transaction and Activity Monitoring:

Overall outcome (`workflowResult` top-level fields)

API	Portal
`workflowExecutionState`: This confirms the workflow’s technical status. It must be `COMPLETED` for the status to be considered final and for you to reliably review the activity’s details. Other states like `IN_PROGRESS`, `ERROR`, `TIMEOUT`, `CANCELED`, or `TERMINATED` indicate the workflow did not finish successfully.	Not displayed in Portal
`status` : This represents a conclusive recommendation (configured status in your selected workflow) for the activity after evaluation and accounts for any manual overrides. For monitoring workflows, common/preferred statuses include - `CLEAR` (no negative information found) - `REVIEW` (requires manual review due to identified issues)	No issues (CLEAR) Needs attention (REVIEW)
`result`: This field holds the original, automated outcome of the workflow before any manual changes. It is useful for auditing and understanding the system’s initial verdict versus any human intervention.	Not displayed in Portal

Issues

This array will contain a list of problems that may require manual review. If the status is REVIEW, this array will provide the specific reasons why the activity needs further investigation.

For Transaction and Activity Monitoring, this might include flags of different types for unusual transaction patterns, device anomalies, or AML concerns with issueCategory: ACTIVITY. The Portal will display these as “Activity” as seen in the image below.

Entities flagged with issue Activity

Issue Type	Description
ACTIVITY_AML	An issue identified during an Anti-Money Laundering (AML) check within the activity monitoring workflow. This could be due to potentially high-risk financial behavior patterns detected during transaction or activity monitoring.
ACTIVITY_FRAUD	An issue identified as potential fraud during the transaction and activity monitoring workflow. This can stem from indicators of fraudulent intent related to financial activities.
ACTIVITY_EVENT	An issue identified as potential fraud during the activity monitoring workflow. This can stem from indicators that are non-transactional or behavioral by nature such as device anomalies, or unusual login patterns or interactions with the device.

Workflow step results

The workflowStepResults array is a log of each step in the workflow, explaining how the overall status was reached. Each object in this array corresponds to a step configured in your monitoring workflow (e.g. AML check, device check, transaction velocity check).

stepName

API stepName: The name of the specific step that was executed

ACTIVITY_AML - a step dedicated to performing AML checks on the activity.
ACTIVITY_FRAUD - a step dedicated to performing fraud checks on the activity.

Portal stepName: ACTIVITY_AML is available

stepName: ACTIVITY_FRAUD is available

result

API result: The outcome of this specific step. For monitoring, this can be:

CLEAR (step passed): The step completed successfully without identifying any issues.
HIT (step identified an issue): The step identified a potential issue or match according to its configured rules.
ERROR (technical issue with the step): The step encountered an unrecoverable technical error during its execution. Portal HIT, Expanded view

CLEAR, Expanded view

HIT Expanded view

summary

API summary: A concise, human-readable summary of the step’s outcome.

{
    "amlActivityCount": 3,
    "amlActivityTruePositiveCount": 0,
    "eventActivityCount": 0,
    "eventActivityTruePositiveCount": 0,
    "fraudActivityCount": 0,
    "fraudActivityTruePositiveCount": 0,
    "stepName": "ACTIVITY_MONITOR"
}

Portal

Not displayed in Portal

risk

API risk: The risk assessment specific to this step, including the score it contributed to the overall workflowRiskScore and workflowRiskLevel.

Portal

Activity alerts

Understanding Process Results for Activity Alerts

On evaluations each activity will have activity results but only activity results that are considered “alerting” will represented as Process Result Objects (PROs) that are treated as alerts and considered needs action.

For the deepest level of detail, look inside a workflowStepResult at its processResults array. A Process Result Object (PRO) is the raw evidence from a single check against a single data source (e.g., a specific device fingerprint provider, an AML watchlist provider).

processResultId: A unique identifier for this specific piece of evidence.
systemStatus: The lifecycle status of this PRO (e.g., VALID, STALE, MARKED_INVALID). A STALE status means the underlying entity data has changed since this check was performed and it might need re-evaluation. Only the alerts with a systemStatus: VALID will be displayed in Portal.
class: The high-level category of the check performed, for Transaction and Activity Monitoring, it’s ACTIVITY.
objectType: The specific data element that was checked (e.g., INDIVIDUAL, TRANSACTION, DEVICE).
result: The outcome of this specific PRO (e.g., MATCH for a hit, CLEAR for no hit, CREATED for data fetched).
manualStatus: If an operator has manually reviewed this specific PRO, their conclusion (e.g., TRUE_POSITIVE, FALSE_POSITIVE, IN_REVIEW) is recorded here. This is directly linked to the statuses described in Section 3.
providerResult: An object containing details from the downstream data provider, including the source of the data.
supplementaryData: A rich, context-specific object containing detailed metrics or extracted data, like AML hits details or specific device intelligence data. This is where most of the alerts or rows in the table gets its details as seen in the Portal.

3: Resolve alerts

Portal display	API manualStatus	Description
Needs attention	Null	Indicates that the alert requires review and resolution.
In review	IN_REVIEW	Indicates that the alert is being actively investigated or reviewed.
True positive: Reject	TRUE_POSITIVE_REJECT	Indicates that the activity was confirmed or suspected to be fraudulent or high-risk, and the associated activity was rejected (e.g. transaction blocked).
True positive: Accept	TRUE_POSITIVE_ACCEPT	Indicates that the activity was confirmed or suspected to be fraudulent or high-risk, and the associated activity was accepted (e.g. transaction approved with override).
False positive	FALSE_POSITIVE	Indicates the alert was reviewed, and confirmed or assumed to be genuine or low-risk.

via API

Given the activity results update its status by calling Update Activity results endpoint

curl -X 'PATCH' \
  'localhost:8103/v2/individuals/819011ac-6f61-4a79-87e1-70851cdb69ac/results/activity' \
  -H 'accept: application/json' \
  -H 'api_key: X' \
  -H 'X-Frankie-CustomerID: 3d6d52a5-aed0-4f22-86c0-4d78ae1e807a' \
  -H 'X-Frankie-Username: fred.flintstone@frankieone.com' \
  -H 'Content-Type: application/json' \
  -d '{
  "processResults": [
    "01K9DYRS7PYYZXRCS62SE7KTWG"
  ],
  "manualStatus": "TRUE_POSITIVE_ACCEPT",
  "comment": {
    "text": "Update after speaking to customer over the phone directly.",
    "entityId": "819011ac-6f61-4a79-87e1-70851cdb69ac",
    "entityType": "INDIVIDUAL"
  }
}'

via Portal

Features

4: Re-evaluate the results

This is crucial for the entity’s overall risk score, which are calculated based on historical activity, and device or customer characteristics.

Once all alerts have been resolve, you must re-run the workflow for the entity.

To update the status: The overall workflowResult.status will only be changed by the system from REVIEW to PASS or CLEAR after the workflow is executed again and the steps included in the monitoring workflow confirms that no unresolved hits remain.
To clear issues: The re-execution will cause the steps to re-evaluate the issues. If all PROs that previously caused an ACTIVITY issue are now classified as FALSE_POSITIVE, the issue will be cleared from the workflow result.

This re-evaluation ensures that your entity’s compliance status is officially updated, reflects the latest risk assessment, and maintains an accurate audit trail.

via API

To trigger a re-evaluation via API, you will execute the workflow again. Refer to the Execute a workflow for the given service profile documentation.

via Portal

The Portal will automatically re-run the workflow for you once all alerts associated with an activity have been resolved (i.e. no alerts with “Needs attention” and “In review” status remain).

Detecting manual overrides

It’s crucial to know if a workflow’s result was changed by a person. When an operator manually changes the status (e.g., from FAIL to PASS), the following fields are populated:

statusOverrideRequestId: The unique ID of the override request.
statusOverrideBy: The user who performed the override.
statusOverrideAt: The timestamp of the override.

To detect an override, check if statusOverrideRequestId exists and is not empty.

5: (Optional) Retrieve all activities

Fetch historical information about the transactions to help get context of the user behavior and investigate.

Get Activities request

curl -X 'GET' \  
  'localhost:8103/v2/individuals/d2859e0c-1f63-4208-947a-038bcb7b1e5e/activities?sortField=ACTIVITY_AT&sort=ASC&limit=20&page=1' \                           
  -H 'accept: application/json' \
  -H 'api_key: X ' \ 
  -H 'X-Frankie-CustomerID: ae6f0c56-ddba-4be6-9137-0861b68f52c3' \
  -H 'X-Frankie-Username: fred.flintstone@frankieone.com'

Error handling

The FrankieOne API uses a standardized error format to ensure that you can reliably handle issues that arise from bad requests, server problems, or invalid data. All non-2xx responses will return a consistent JSON error object.

Please refer to the general API Error Codes documentation for a comprehensive list of error types and their meanings. This document replaces any specific error handling guides for individual products unless explicitly stated otherwise.