Three API Patterns PSPs Use to Wire In Fraud Detection

Marcus Weld · · 7 min read
Abstract technical integration concept for payment system APIs

One of the first questions a fraud ops lead asks when evaluating a new detection tool is: how does this integrate with what we already have? It's the right question to start with. Fraud detection tools that require re-architecting the payment flow are expensive to deploy and operationally risky — any change that sits inline in the payment path carries latency budget requirements and failure mode implications that most engineering teams treat with appropriate caution. The integration pattern matters as much as the detection capability itself.

Having worked through integrations across several PSP tech stacks — from a cloud-native digital bank built on event-driven microservices to a legacy core-banking PSP layering modern APIs on top of batch-processing infrastructure — we've seen how payment fraud detection tools typically get wired in. There are three patterns that cover the majority of practical cases.

Pattern 1: Synchronous Scoring API with Inline Decision Gate

The most common integration pattern for transaction-layer fraud scoring is a synchronous API call inserted into the payment submission flow. When the customer confirms a payment instruction, the PSP's payment processing service calls out to the fraud scoring API before submitting the instruction to the clearing infrastructure. The API returns a risk score, and the PSP applies a decision rule: below threshold, let the payment proceed; above threshold, add friction or queue for manual review.

The architecture constraint here is latency. Faster Payments is designed to complete in seconds. If the fraud scoring API call adds 500ms under normal conditions but occasionally spikes to 3-4 seconds under load, you have a UX problem and potentially a Faster Payments SLA problem. The API needs to return in well under 500ms at the 99th percentile, which means the scoring logic needs to be optimised for response time, not just accuracy.

For honeybot-derived fingerprint lookups, this pattern works well. The AVIEL API call at payment submission is a hash lookup against a known-bad account ledger — sort code + account number combination, or a phone number extracted from the payment reference or payer metadata. Hash lookups are fast. The latency overhead at p99 is under 80ms in our current deployment configuration, which is within the tolerance of any PSP we've integrated with.

The failure mode to design for is: what happens if the fraud scoring API is unavailable? A synchronous inline call that blocks on API failure will block payments. The standard pattern is a circuit breaker with a default-allow policy — if the API doesn't respond within timeout, the payment proceeds with a flag for post-processing review. This means brief API outages don't generate customer-visible payment failures, but do create a window where APP scam payments might proceed without being flagged. Your monitoring needs to alert on circuit breaker trips promptly.

Pattern 2: Event Stream Subscription with Async Enrichment

Many PSPs — particularly those built on event-driven architectures like Kafka or AWS EventBridge — route payment events through a notification bus. Every payment submission, status update, and outcome generates an event. Fraud detection tools can subscribe to those events asynchronously: they receive the payment event, score it, and push alerts back to the PSP's alert handling system, which can trigger holds, callbacks, or flags against in-progress payments.

The advantage of this pattern is decoupling. The fraud detection tool is not in the critical payment path. If it's slow or temporarily unavailable, payments continue. The risk is timing: for a Faster Payment that completes in 23 seconds, an async enrichment tool that processes events in a 30-second average window will often generate an alert after the payment has already cleared. This is fine for intelligence aggregation — building the scammer fingerprint ledger, generating post-hoc fraud intelligence reports — but it's not a pre-transfer interception mechanism for fast payments.

The practical use of this pattern for real-time APP fraud interception requires the async enrichment to be genuinely fast — sub-5-second event processing — and the PSP's downstream alert handling to be capable of triggering a payment hold that can still catch the transaction before it reaches the clearing infrastructure. This is architecturally possible for PSPs that have a payment staging layer (a brief hold queue before clearing submission), but not for PSPs with no such buffer.

We've seen this pattern used effectively for one specific honeybot intelligence use case: high-confidence known-bad accounts that have appeared in multiple honeybot conversations get pre-loaded into the fraud scoring API's hot cache, so the synchronous pattern 1 lookup is effectively pre-computing what the async enrichment would have found. The async pattern feeds the hot cache; the synchronous pattern queries it.

Pattern 3: Sidecar API at the Banking App Layer

The third pattern doesn't touch the payment infrastructure at all. It operates at the banking app layer — either via a mobile SDK embedded in the PSP's consumer app, or via a server-side API call that enriches the payment initiation screen before the customer sees the payment details confirmation.

From the customer's perspective, the sidecar call can populate a warning or risk indicator directly in the payment flow, contextual to the specific payee details they've entered. The customer types in the sort code and account number from their WhatsApp conversation with the scammer. Before they reach the confirm screen, the app silently calls the sidecar API, gets back a high-confidence APP fraud signal for that account, and renders a specific contextual warning: "This account was associated with a reported investment fraud attempt in the last 72 hours."

That specific warning is meaningfully different from a generic "be careful of scams" overlay. A scammer cannot coach their victim around a warning that names the specific account detail they just gave them. If the victim sees that warning and it describes exactly the investment opportunity the scammer presented, the social engineering narrative collapses.

The sidecar pattern requires the PSP's mobile team to add the API call to the payment flow — typically a few hours of engineering work if the banking app has a modular payment initiation component. The API response needs to return within ~300ms to be inserted before the confirmation screen renders without noticeable latency. The primary engineering discussion at integration time is usually around fallback behavior: if the sidecar API is unavailable, the confirmation screen renders normally without the enriched warning. That's the right failure mode — don't block the payment, don't break the UX.

Choosing the Right Pattern

The choice between these patterns usually comes down to the PSP's existing architecture and their risk tolerance for inline API dependencies. For a cloud-native digital bank with low-latency microservices and good circuit breaker tooling, pattern 1 (synchronous inline) gives the strongest pre-transfer interception coverage. For a PSP with a modular consumer app but batch-processing payment infrastructure, pattern 3 (sidecar at app layer) is often the cleanest path to a real-time customer-facing warning without touching the core payment flow.

Pattern 2 (async event stream) is best suited for fraud intelligence aggregation and feeding the hot caches that make patterns 1 and 3 fast — it's a supporting pattern rather than a standalone pre-transfer interception mechanism for Faster Payments specifically.

We're not saying one pattern is universally superior. Each has different latency profiles, different failure modes, and different engineering integration costs. What matters is that the fraud detection signal reaches the payment decision point before funds move — and all three patterns, implemented correctly, can achieve that.

Authentication and Data Handling at the Integration Boundary

A note on the API authentication and data minimisation questions that come up in every integration discussion. The AVIEL API uses per-PSP API keys with short-lived token rotation, and the payload at the integration boundary is deliberately minimal: sort code + account number for the ledger lookup in pattern 1, or sort code + account number + phone number for the enriched sidecar response in pattern 3. We do not receive transaction amounts, customer names, or customer account identifiers. The lookup is about the destination account and the reported scammer contact, not about the victim's data.

This matters for the UK GDPR data minimisation obligation and for PSPs' own DPA (Data Processing Agreement) review processes. A fraud API that requires PII about the sending customer triggers a more complex GDPR review than one that operates on destination account identifiers only. We designed the integration boundary that way deliberately, because it makes the integration review faster and the data governance obligations cleaner for both parties.

Every PSP has a different internal approvals process for third-party API integrations. The common pathway we've navigated is: engineering review (latency + failure modes), security review (API auth + data in transit), and legal/compliance review (DPA + GDPR basis). In our experience so far, the data minimisation approach shortens the legal/compliance stage significantly compared to integrations that pass customer PII at the boundary.