All blueprints
Data Pipelinescomplex complexity

Fraud Detection System

Architecture for real-time fraud detection with feature engineering, scoring, rules, and feedback loops that keep up with evolving attack patterns.

7

Components

5

Considerations

4

Alternatives

complex

Complexity

Fit

When this blueprint fits

And when to walk away from it

When to use this

Fraud losses are material to the business, manual review cannot keep up with volume, and you need millisecond decisions during checkout, account creation, or login. Fintech, marketplaces, and high-value e-commerce all need this layer.

When NOT to use this

If your fraud rate is low and a provider rule engine (Stripe Radar, Adyen RevenueProtect) handles it, do not build this in-house. The point of building is to capture patterns the provider does not see.

Architecture

System components

Key building blocks of this architecture, layered from infrastructure up.

01

Event Capture

Capture user, device, network, and transaction events with high cardinality and low latency. The richer the feature set, the better the model. Device fingerprinting, IP reputation, and behavioural signals (typing rhythm, mouse movement) all matter.
KafkaSegmentFingerprintJSCustom SDK
02

Feature Store

Online and offline feature stores for model serving and training. Online for sub-100ms scoring, offline for batch training. Feature parity between the two is the hardest engineering problem in MLOps.
FeastTectonRedisBigQuery
03

Scoring Service

Real-time ML scoring of incoming events with low-latency inference and explainability outputs. XGBoost or LightGBM models served via ONNX cover most fraud workloads at single-digit millisecond latency.
XGBoostLightGBMONNXTriton
04

Rules Engine

Deterministic rules layered on top of ML scores for compliance, regulatory, and product-specific cases. Pure ML is too brittle for regulated products; a rules layer gives compliance teams direct control without code changes.
OPACustom DSLRule SheetsDecision Tables
05

Case Management

Queue suspicious cases for human review with prioritisation, evidence aggregation, and outcome tracking. Reviewers see all relevant signals in one screen and decide in under a minute. Their decisions feed back into model training.
Internal UIWorkflow EngineAudit Trail
06

Feedback Loop

Capture analyst decisions, chargeback outcomes, and customer appeals to retrain models. Labels are the bottleneck. Without a clean labelling pipeline, your model degrades silently as fraud patterns shift.
Label StoreTraining PipelineDrift Detection
07

Adversarial Monitoring

Detect model drift, attack pattern shifts, and false-positive spikes in real time. Fraud is adversarial: the moment your model works, attackers adapt. Continuous monitoring is non-negotiable.
Drift DetectionAnomaly DetectionDashboards

Planning

Critical considerations

The things I have learned the hard way and would not skip on the next build.

Always combine ML and rules. Pure ML is too brittle for compliance and pure rules cannot keep up with novel attacks. The hybrid approach lets compliance teams control hard requirements while ML catches patterns rules cannot express.
Build for explainability so analysts trust the scores. Black-box models lose internal credibility fast. SHAP values or rule-equivalent explanations help reviewers act on the output.
Plan for adversarial drift. Fraud changes faster than your model. Continuous retraining, holdout monitoring, and a tight feedback loop are how you stay ahead.
Balance friction against revenue. Every false positive is a legitimate customer turned away. Tune thresholds with the business, not the data science team alone.
Common in fintech and e-commerce. Contact me.

Options

Alternative approaches

Where I would consider a different shape entirely, with the trade-offs spelled out.

Alternative 01
Sift or Forter for managed fraud platforms with their own consortium data. Cheaper than building, less control over the model.
Alternative 02
Stripe Radar for Stripe-native fraud screening if the only surface is checkout.
Alternative 03
Sardine for crypto and account-takeover fraud with strong device intelligence.
Alternative 04
Unit21 for case management and rules when ML is not yet justified but operations needs structure.

Implementation

Related playbooks

Step-by-step guides for the harder parts of this architecture.

Designing Event-Driven Systems

Event-driven architectures unlock real autonomy between services, and they expose a whole new category of bugs if you do not respect their constraints. This playbook is the design discipline I use: model events as facts, version schemas carefully, choose the right broker, build idempotent consumers, handle ordering and failure, and add the observability that makes async systems debuggable in production.

Read playbook

Production Monitoring & Observability

Observability is not three pillars on a slide, it is the difference between knowing why your system is misbehaving and guessing. This playbook is the monitoring stack I deploy on every production system: error tracking, structured logging, performance metrics, distributed tracing, and the dashboards and alerts that turn raw data into actionable signal without paging everyone at 3 AM.

Read playbook

In practice

Related case studies

Where I have applied this blueprint to real builds and what changed in practice.

Fintech Platform Modernization

Architectural transformation of a payment processing platform from a struggling monolith to a scalable, compliant services architecture.

View case study

Marketplace Trust and Safety Platform

A real-time trust-and-safety platform for a high-volume marketplace, blending rules, ML scoring, and human review into one decisioning system.

View case study

Thinking

Related insights

Essays where I argue the trade-offs behind the choices in this blueprint.

An LLM Evaluation Framework That Works

How to systematically evaluate LLM applications with a practical framework covering automated metrics, human evaluation, and continuous monitoring.

Read essay
Need a partner on this?

Need help implementing this blueprint?

I help teams adapt blueprints like this to their specific requirements and ship from planning through production.

Start a projectGet in touch

Next up

Media | complex complexity

Video Streaming Platform

Architecture for video-on-demand and live streaming with adaptive bitrate, DRM, and analytics that survives global audiences.

Data Pipelines

More in this category

Other blueprints with overlapping concerns.

complex

Data Pipeline Architecture

Scalable data pipeline for ingestion, processing, and analytics with stream and batch capabilities, governance, and quality monitoring.

7 components
complex

Event-Driven Architecture

Event-driven system architecture with message queues, event sourcing, CQRS, and sagas for complex workflows that need auditability and decoupling.

7 components
Previous

Payment Processing Pipeline

Next

Video Streaming Platform