Transaction Monitoring

Overview of Transaction Monitoring

Introduction

Monitor and safeguard your customers beyond onboarding. Fraud and financial crime don’t stop at account creation — and neither do we. FrankieOne continuously monitors user behaviour across logins, sessions, and transactions, triggering real-time checks to detect both fraud and AML risks.

Key terminologies

  • Activity: any action performed by a user on a client’s platform that FrankieOne monitors for suspicious behavior and risk assessment

    • Transaction: A financial event performed by a user on the client’s platform such as a deposit or withdrawal.
    • Event: A behavioural or non-financial event performed by a user on the client’s platform such as logins, password changes or account changes. These are presented as “Behaviour” in Portal.

  • Alerts: A record created for each Result type checked, visible in the Portal, and managed by AML/Fraud officers. It represents a fraud, AML, or device/customer characteristics matter that requires attention that is generated from a transaction or event with a medium or higher risk level.

  • Issue: An alert created due to a triggered rule.

    • Fraud Issue: Detect instances where are client or customer may be at risk of financial loss due to deliberate deception or misrepresentation.
    • AML Issue: Detect potential instances of money laundering, terrorism financing, proliferation financing, or other financial crime.
    • Device/Customer Characteristics Issue: Detect unauthorized, or unusual behavior or activity related to identity attributes (e.g. phone number or email address) or device activity (using device intelligence, IP intelligence and behavioral biometrics).

  • Entity: Representation of what is being checked for fraudulent activity. It collects all relevant data for an individual from multiple sources for a comprehensive view.

Key features and signals

Payment screening

Assess fraud signals like device signals, transaction amount, transaction velocity on network, Payment method risk at the point of transaction to enable the client to allow, flag or block based on company policy/business logic.

Transaction and activity monitoring

Analyze ongoing transaction patterns to identify potential money laundering such as recipient risk, transaction pattern anomalies, volume over time, and customer profile changes. Monitor device intelligence and behavioural signals across customer interactions such as device fingerprinting, biometrics, login/session anomalies, geolocation analysis.

  • Device intelligence: Identifies devices via cookies and device fingerprinting. Based on the data gathered, we can effectively flag suspicious devices (emulators / scripts) and sessions (proxies / VPNs / remote desktop) typically used to create synthetic accounts.

  • Behavioral biometrics: Detects fraudsters via their intrinsic behaviours. For example, fraudsters are 30x more likely to copy and paste bank details, less likely to hesitate when pasting values, and more likely to use advanced shortcuts and straight line mouse movements.

Use cases

The following use cases are examples of where FrankieOne can help you with transaction and activity monitoring.

Fraudsters use entirely fabricated (synthetic) identities or stolen personal information to open new accounts, obtain credit, or conduct fraudulent transactions.

Signals detected

  • New device usage

  • Unusual login activity (new locations, devices, times), IP address irregularities (known proxies/VPNs, geographically inconsistent)

  • Remote desktop or emulator usage

  • Copy/paste behavior during sensitive interactions

  • Hesitation/typing speed anomalies

  • Changes to sensitive account details (password, address, phone, email, 2FA, payment method update) followed by high-risk actions

  • Multiple accounts from same device/IP

  • Device fingerprint changes

  • Temporary emails

  • Multiple emails associated with a device

  • Unusual email or phone characteristics (disposable, VoIP, newly registered domain)

Relevant industries

  • Financial institutions (banks, superannuation, credit unions, insurance)

  • Payment companies (fintech, payment service providers, remittance services)

  • Cryptocurrency exchanges

  • E-commerce

  • Digital wallets

  • Online gaming or gambling

  • Lending platforms

These are fraud activities involving financial transactions:

  • Payment fraud / card-not-present (CNP) fraud - Unauthorized transactions made using stolen credit card details or payment credentials

  • Electronic funds transfers - Fraudulent transactions completed using unauthorized or through social engineering (e.g. for scams)

  • Electronic funds transfers

  • Crypto purchase and transfers

  • Direct debit

  • International payments and transfers

Signals detected

  • Transaction amount (e.g. high transaction amount or frequency for a new user)

  • Transaction velocity on network (e.g. multiple transactions to different recipients shortly after account creation)

  • Payment method risk

  • Device signals during transaction

  • Inconsistent application data

  • Multiple applications from the same device or IP address

  • Unusual device interactions during application

  • Rapid withdrawal of loan funds post-approval

  • Non-repayment of first loan

Relevant industries

  • Financial institutions (banks, superannuation, credit unions, insurance)

  • Payment companies (fintech, payment service providers, remittance services)

  • Cryptocurrency exchanges

  • E-commerce

  • Digital wallets

  • Online gaming or gambling

  • Lending platforms

  • Travel and hospitality

These are fraud activities involving applications:

  • Loan and Credit Application Fraud - Fraudulent applications for loans or credit, often involving false information or synthetic identities, manipulating financial statements, income, and employment details.

Signals detected

  • Inconsistent application data

  • Multiple applications from the same device or IP address

  • Unusual device interactions during application

  • Use of synthetic identities

  • Disposable/temporary emails or VoIP phone numbers

  • New device usage / unusual login activity

  • Rapid withdrawal of loan funds post-approval / Non-repayment of first loan

  • Account age and activity history

  • Mismatch between IP location and declared address

  • Brute force attempts or rapid account creation followed by immediate bonus withdrawal

Relevant industries

  • Financial institutions (banks, credit unions, lending platforms)

  • Payment companies (fintech, payment service providers, digital wallets)

  • Cryptocurrency exchanges

  • E-commerce and online retail (for credit-based purchases)

  • Online gaming or gambling (for credit lines or promotional offers)

  • Any industry offering sign-up bonuses, credit, or requiring identity verification for account creation.

Detecting patterns indicative of money laundering, including structuring, transactions with high-risk entities or jurisdictions, and evasion of sanctions.

  • Structuring (smurfing) - money launderers split large transactions into multiple smaller ones to evade reporting thresholds

  • High-risk jurisdictions / geolocation risk - transactions involving countries or regions known for high money laundering or terrorism financing risks, or inconsistencies in user location.

  • Sanctions evasion - attempting to conduct transactions with individuals, entities, or countries subject to sanctions

Signals detected

  • Suspicious frequency of low-value transactions (multiple deposits or withdrawals below reporting thresholds)

  • Transaction volume velocity (exceeding limits over daily/weekly/monthly periods)

  • Transactions to or from high-risk jurisdictions

  • Transactions originating from unusual IP addresses, known proxy/VPN services, or geographically inconsistent locations for the user

Relevant industries

  • Financial institutions (banks, superannuation, credit unions, insurance)

  • Payment companies (fintech, payment service providers, remittance services)

  • Cryptocurrency exchanges

  • E-commerce

  • Digital wallets

  • Online gaming or gambling

  • Lending platforms

Encompasses activities by organized groups, such as fraud farms, money mule networks, and attempts to abuse promotions or manipulate systems

  • Fraud farms / organized fraud rings - coordinated efforts by criminal groups to create numerous fraudulent accounts or execute multiple fraudulent transactions

  • Money mule activity - individuals (often unknowingly recruited) transfer illicit funds on behalf of criminal organizations

  • Bonus or promotion abuse - users exploit promotional offers, welcome bonuses, or referral programs by creating multiple accounts or manipulating systems

Signals detected

  • Multiple accounts created from the same device, IP address or network

  • Emulator pr virtual machine (VM) usage

  • Bot activity

  • Rapid multiple login attempts (brute force simulation)

  • Profile changes before large transaction (indicating account takeover to facilitate mule activity)

  • Transactions from a new or untrusted device

  • Unusual login activity

  • Unusual transaction patterns (e.g. receiving funds from multiple unknown sources and immediately forwarding them)

  • Device used for login linked to multiple other suspicious accounts

  • Rapid succession of deposits and withdrawals with minimal retained account balance

  • Multiple accounts linked to the same device or IP address

  • Similar user details across different accounts

  • Rapid account creation followed by immediate withdrawal of bonus funds

Relevant industries

  • Any industry with digital accounts and promotional offers: financial institutions, e-commerce, online gaming and gambling, fintechs, and software-as-a-service (SaaS) providers.

Malicious acts committed by employees, such as embezzlement, creating ghost accounts, or manipulating records.

Signals detected

  • Unauthorized transfers from digital wallets

  • Unusual login activity to wallet

  • Linking of new, suspicious payment methods

  • Large or frequent transactions inconsistent with user history

  • Device intelligence indicating compromised device

Relevant industries

Any industry with internal financial processes or access to sensitive data (e.g., financial institutions, retail, e-commerce and software-as-a-service (SaaS) providers).

How it works

1

Initial transaction and activity assessment

When a customer performs a transaction or activity on your platform (e.g., a login, deposit, or withdrawal), your system sends this activity data, along with relevant signals (like device information collected via FrankieOne’s SDK), to FrankieOne.

Our solution immediately processes this data, applying configured rules and leveraging real-time intelligence from various sources (e.g., device intelligence, behavioral biometrics, network analysis).

2

Perform risk assessment

Consuming the risk signals into our configurable customer risk rating engine the solution will determine the overall risk for a customer based on a consistent set of risk factors and policies specific to your business.

This high-risk activity triggers the creation of alerts within the FrankieOne Portal for review by your AML/Fraud officers.

3

Determine the entity’s monitoring status

Based on your policy, dynamically define the entity’s monitoring status from various data points available such as risk level and alerts.

4

Resolve alerts

Review each alerts detected during a customer’s transaction or activity accordingly by tagging them as false positive, true positive and in review.

To learn more, see the Implementation Guide or Features Guide.