Version: 1.1

Merchant-Initiated Fraud Detection (MIF)

This document provides a detailed overview of how Fraudio’s Merchant-Initiated Fraud (MIF) Detection product works. It is intended for technical and risk teams who want to understand the underlying detection logic beyond the API layer.

Fraudio’s MIF product leverages machine learning techniques to identify sequences of transactions that indicate fraudulent merchant behaviour. When the system determines that a merchant is likely to be fraudulent, it generates a fraud report containing the supporting evidence and risk rationale.

Scope & Coverage

Fraud Types Detected

Fraudio’s MIF solution is primarily designed to detect merchant bust-out fraud — a scheme in which fraudsters control one or more merchant accounts to process transactions with stolen or unauthorised payment cards.

Typical bust-out scenarios include:

  • Fraudsters initially process legitimate transactions to establish trust with an acquiring bank or payment processor.
  • Once a positive history is built, they rapidly increase volumes of fraudulent transactions using stolen or counterfeit card data.
  • The fraudster disappears after chargebacks and fraud notifications start arriving, leaving losses with the acquirer or processor.

While bust-out fraud is the primary target, the system also detects other merchant-initiated fraud behaviours due to their similar patterns:

  • Identity Swap – Using a third party’s identity to obtain merchant accounts.
  • Business Remodelling – Misrepresenting business type or risk category, then pivoting to prohibited or high-risk goods/services.
  • Transaction Laundering – Processing illicit transactions through another business’s legitimate merchant credentials.
  • Money Laundering – When it manifests through bust-out-like behaviour such as rapid cash-out of illicit funds. (Note: for comprehensive monitoring of money-laundering activity, Fraudio provides a dedicated AML product)

Tip: For a conceptual overview of the fraud types that this product covers, see the MIF Interview on Fraudio's website.

Limitations

The MIF product is not intended to cover:

  • Fraud scenarios outside the documented pattern categories – The MIF product only focuses on the behaviours listed in the Merchant Fraud Scenarios overview below.
  • Patterns that cannot be triggered due to missing or incomplete data – Certain models depend on specific inputs. For example, refund-based patterns require reliable refund indicators; if these fields are missing or inaccurate, those alerts will not fire.
  • Cases where systemic data quality issues redefine “normal” behaviour – If the incoming transaction data is heavily delayed, incorrect, or inconsistent (e.g., MCCs misclassified, volumes duplicated, timestamps inaccurate, wrong currency), the models will learn and baseline against this distorted data. In such cases, the system may fail to identify anomalies because the faulty data has effectively become the “normal” reference.

If your risk appetite or fraud concerns extend beyond the current scope, Fraudio can work with you to evaluate and expand coverage.

Behavioural & Statistical Patterns

Fraudio detects behavioural patterns typically associated with merchant bust-out fraud, where a merchant's transactional activity deviates from what is normal for that merchant or for similar merchants in the global network.

Defining "Normal" Behaviour

Fraudio builds a behavioural baseline using the global merchant dataset:

  • Self-comparison: recent transaction sequences are compared with a merchant’s own historical data (days to months).
  • Peer comparison: a merchant’s behaviour is benchmarked against similar peers across all Fraudio clients, using factors such as:
    • Merchant Category Code (MCC)
    • Country
    • MCC + country combinations
    • Cluster analysis (based on volume, average ticket value, KYC level, and other factors)

When an alert is raised, the report reason will indicate whether the anomaly is historical ("compared to the merchant's past"), peer-based ("compared to similar merchants") or both.

Outlier Definition

A transaction sequence is considered an outlier when one or more statistical features deviate significantly from the mean — typically by several standard deviations, with thresholds dynamically determined by machine learning models.

Example report reason:

Detected an outlying sequence of transactions with a high maximum capture amount compared to the merchant’s peer group.

It is important to note that not all outliers imply fraud. Fraud labels, domain knowledge, model calibration, and client feedback loops help the system focus on combinations of outliers that historically signal fraudulent merchant behaviour.

Merchant Fraud Scenarios

Fraudio translates detected anomalies into comprehensive report reasons, each describing a type of transactional behaviour that deviates from what is normally expected. These report reasons can be grouped under different Merchant Fraud Scenarios to provide a higher-level understanding of the kinds of behaviours the system monitors and may flag as elevated risk.

| Scenario | Description | Key Indicators |
|---|---|---|
| Volume & Velocity Shifts | Monitors sudden growth in transaction count or value to achieve early detection of bust-out merchants that suddenly increase processing | High number of high-risk authorisations; Sharp rise in total authorised/captured amount; Daily/weekly capture count spikes; Transactions occurring much faster than usual |
| Geographic Exposure & Location Shifts | Monitors merchants whose activity moves into new or riskier geographies to detect merchants expanding into unfamiliar markets that may signal mule operations | Sudden rise in transactions from high-risk countries; Rapid shift from domestic to cross-border processing; Unusual currency mix changes |
| Payment Channel & Method Changes | Monitors shifts in how payments are processed to detect merchants moving to riskier, less secure channels | Rising share of CNP, MOTO, or 3DS-disabled transactions; Increased use of magstripe or fallback transactions |
| Refund & Settlement Behaviour | Monitors merchant instability through refunds to flag refund fraud or cash-out schemes | High ratio or total amount of refunds; Refunds exceeding captures (negative net balance) |
| Decline Patterns & Fraud Indicators | Monitors failed attempts and elevated risk signals to reveal card testing, mule networks, or compromised accounts | Unusual ratio of failed authorisations; High share of suspected fraud response codes; High proportion of high-risk PFD scores |
| Timing Anomalies | Monitors when the merchant transacts to surface scripted attacks, card testing, or coordinated fraud runs | Spike in overnight transactions; Sudden weekend/holiday processing; "Sleeping merchant" pattern |
| Repetition & Value Patterns | Monitors scripted or manipulated behaviour to highlight automation, testing, or staged bust-outs | Many authorisations with same card(s)/amount; Sudden jump in maximum ticket size |
| Network & Relationship Risk | Monitors merchants connected to known high-risk entities to uncover organised fraud rings and shell networks | Shared payment instruments across merchants; Overlapping device fingerprints/IPs; New merchants linked to flagged entities |
| Chargeback & Fraud Notification Spikes | Monitors abnormal dispute or fraud claim activity to surface merchants with escalating disputes before regulatory impact | Rising chargeback ratio or count; Sudden surge in first chargebacks; Breaching scheme risk thresholds |
| Shopper Identity & Authentication Anomalies | Monitors suspicious behaviour in merchant identifiers to flag account farming, synthetic identity use, or fraudulent sign-ups | Mismatched cardholder data; Disposable emails or high-velocity new accounts; High AVS/CVV failure rates |
| Device / IP Intelligence Gaps | Monitors merchants attracting unusual technical activity to identify organised fraud testing or bot-driven carding | High percentage of anonymised IPs; One device for wide range of cards/BINs |

Each of these pattern types can be expressed as a report reason such as:

Detected an outlying sequence of high total amount of captures with a high diversity of countries, compared to the merchant's historical transactions.

Detected a sequence of transactions with a high ratio of refunds (above 50%) out of all captures.

Detected an outlying sequence of transactions with a high ratio of 3DS-disabled transactions compared to the merchant's peer group.

The system may combine several anomalous signals when generating a single alert, providing a transparent and traceable rationale for why the merchant's behaviour is assessed as elevated risk.

Technical Overview

Having established the behavioural patterns that Fraudio's system detects, the following section examines the technical implementation of this detection capability. It details the transformation of merchant activity from raw transaction streams into enriched behavioural merchant intervals, incorporating both historical and peer context. These enriched intervals serve as the foundation for the multi-stage modelling pipeline that identifies abnormal behavioural shifts and quantifies fraud risk.

MIF Data Flow

The flow illustrates how raw transaction data moves through Fraudio's detection stack — from ingestion and feature enrichment to model scoring, explanation generation, and delivery of actionable outputs.

  1. Data ingestion → transactions & metadata
  2. Feature enrichment → aggregates, embeddings, peer context
  3. Model matrix → unsupervised anomaly detection → supervised models → ensemble scoring
  4. Score consolidation → single fraud classification
  5. Explanation layer → report reason based on the most relevant risk factor
  6. API output → fraud report for operational review or automated decisioning

Data & Feature Enrichment

Accurate detection of merchant-initiated fraud requires understanding how a merchant behaves over time, not just how individual transactions look in isolation. Therefore, Fraudio builds a comprehensive behavioural snapshot for each merchant at every detection interval. This creates a single, enriched data view that provides the context needed for effective fraud detection.

The enrichment process begins with a basic merchant interval profile derived from recent transactional data and merchant metadata:

{
  "interval_end": "2025-10-25T22:59:59Z",
  "merchantid": "29810",
  "merchantname": "Money Corporation",
  "mcccode": "7995",
  "merchantcountry": "GB",
  "kyc_level": "1",
  "registrationdate": "2020-08-01T14:19:21Z"
}

From this raw input, Fraudio progressively builds a richer view of behaviour by adding features derived from statistical aggregates, state models, peer relationships, network links, and other advanced techniques. After enrichment, the same merchant interval carries the merchant's complete behavioural context:

{
  "interval_end": "2025-10-25T22:59:59Z",
  "merchantid": "29810",
  "merchantname": "Money Corporation",
  "mcccode": "7995",
  "merchantcountry": "GB",
  "kyc_level": "1",
  "registrationdate": "2025-08-25T23:59:59Z",
  "merchant_1d_txn_count": 42,
  "merchant_7d_avg_txn_count": 31,
  "merchant_1d_txn_count_zscore": 2.04,
  "merchant_1d_refund_ratio": 0.08,
  "merchant_90d_avg_refund_ratio": 0.03,
  "merchant_1d_refund_ratio_zscore": 2.50,
  "mcccode_merchant_1d_refund_ratio_zscore": 8.94,
  "merchantcountry_merchant_1d_avg_refund_ratio_zscore": 1.11,
  "linked_merchants": 3,
  "shared_cards_with_flagged_merchants": 27
}

This creates a rich, multi-level feature matrix that forms the foundation for the subsequent modelling stages through techniques including statistical aggregation, state modelling, representation learning, forecasting, clustering, peer analysis, and link analysis — each contributing a complementary perspective on merchant behaviour.

Historical Aggregates

Historical aggregation forms the core of Fraudio's behavioural enrichment and is the most critical foundation for detecting merchant-initiated fraud. It captures how a merchant's activity evolves over time and distinguishes natural fluctuations from abnormal behavioural shifts.

Time Windows & Statistical Measures

At every detection interval, Fraudio computes statistical aggregates over multiple rolling time windows:

  • 1 day - Recent activity
  • 7 days - Weekly patterns
  • 30 days - Monthly patterns
  • 90 days - Quarterly trends
  • Multi-year - Long-term baselines (where data allows)

Across key merchant dimensions (merchant, MCC, and merchant country), it measures:

  • Frequency - How often events occur
  • Mean - Average values
  • Standard deviation - Variability
  • Skewness - Distribution shape
  • Kurtosis - Distribution tail behavior

Z-Score Normalization

Each observation is normalised into a standard score (z-score), expressing how many standard deviations it deviates from its historical mean. This transformation allows consistent comparison across time and merchants, adjusting for scale differences, seasonal patterns, and recurring cycles such as holidays, pay-day peaks, or weekend effects.

Because the z-score scales deviations by the merchant's own historical variability, it naturally reflects how "normal" a peak is:

  • Predictable patterns (e.g., Friday sales spikes) become part of expected variation
  • Unexpected changes (e.g., sudden volume surges) produce high z-scores
  • Seasonal businesses (e.g., travel merchants) adapt to their natural cycles

Example: A travel merchant with predictable seasonal summer peaks will not appear anomalous during its usual busy months, whereas a similar surge in winter, outside its established pattern, would yield a strong outlier signal.

This adaptive scaling helps alerts arise from genuine behavioural changes rather than from predictable, recurring patterns.

Peer Group Analysis

Whereas historical aggregates measure deviation from a merchant's own past, peer group analysis evaluates deviation from comparable merchants across Fraudio's global network.

At each detection interval, every merchant is benchmarked against a dynamically defined peer set derived from clustering and historical aggregates (based on the MCC, merchant country, and merchant profile). The merchant's behavioural metrics are compared against the statistical distribution of those peers to determine whether its current activity falls within expected variation for that segment.

This provides external context for assessing risk. A merchant may remain consistent with its historical baseline yet process significantly higher refund ratios or cross-border volumes than similar businesses in the same region and category. In such cases, the peer-relative z-score highlights that the merchant is operating outside normal peer behaviour, even if its own trend appears stable.

Peer benchmarking also helps mitigate seasonal or geographically driven effects. When market-wide fluctuations occur — for example, increased volumes during national holidays or regional sales events — the peer distribution adjusts accordingly.

Together, the historical baseline and peer analysis establish complementary behavioural references: the first quantifies internal deviations, the second external deviations. This dual perspective forms the contextual foundation for the subsequent modelling and risk-scoring stages.
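
The two reference frames from the Z-Score Normalization and Peer Group Analysis sections, as an added example (not Fraudio's code): a self-relative and a peer-relative z-score, with the case of a merchant that is stable against its own past but an outlier among peers. The function names, the minimum-history cut-off, the fixed threshold and all sample values are assumptions constructed for illustration; the output keys mirror field names from the enriched interval shown earlier.

```python
from statistics import mean, stdev

MIN_OBS = 14     # assumed minimum reference size before a z-score is trusted
THRESHOLD = 3.0  # assumed fixed cut-off; the page says real thresholds are model-derived


def zscore(value, reference, min_obs=MIN_OBS):
    """Standard score of `value` against the sample `reference`.

    Returns None when the reference is too short or has zero variance,
    so a brand-new or perfectly constant merchant never yields an
    infinite or meaningless score.
    """
    if len(reference) < min_obs:
        return None
    sigma = stdev(reference)
    if sigma == 0:
        return None
    return (value - mean(reference)) / sigma


def anomaly_reference(self_z, peer_z, threshold=THRESHOLD):
    """Name the baseline the deviation is measured against."""
    hist = self_z is not None and abs(self_z) >= threshold
    peer = peer_z is not None and abs(peer_z) >= threshold
    if hist and peer:
        return "both"
    if hist:
        return "historical"
    if peer:
        return "peer"
    return None


# --- constructed sample data (not real merchant data) ---
# Daily transaction counts over four weeks; index 4 of each week is Friday.
FLAT_HISTORY = [100, 102, 98, 101, 99, 100, 103] * 4
FRIDAY_HISTORY = [100, 102, 98, 101, 180, 100, 103] * 4

# One merchant's daily refund ratio over two weeks: stable around 8%.
OWN_REFUND_HISTORY = [0.080, 0.079, 0.081, 0.080, 0.082, 0.078, 0.080] * 2
# Today's refund ratio of 14 merchants in the same peer group: around 3%.
PEER_REFUND_TODAY = [0.020, 0.030, 0.025, 0.035, 0.030, 0.040, 0.028,
                     0.032, 0.030, 0.027, 0.033, 0.031, 0.029, 0.036]


def score_refund_ratio(today, own_history, peers_today):
    """Score today's refund ratio against the merchant's past and its peers."""
    self_z = zscore(today, own_history)
    peer_z = zscore(today, peers_today)
    return {
        "merchant_1d_refund_ratio_zscore": self_z,
        "mcccode_merchant_1d_refund_ratio_zscore": peer_z,
        "reference": anomaly_reference(self_z, peer_z),
    }


if __name__ == "__main__":
    # The same 180-transaction day: extreme for a flat merchant,
    # far less so for one whose history already contains Friday peaks.
    print("flat   :", round(zscore(180, FLAT_HISTORY), 1))
    print("friday :", round(zscore(180, FRIDAY_HISTORY), 1))
    # Stable against its own past, far outside the peer distribution.
    print(score_refund_ratio(0.081, OWN_REFUND_HISTORY, PEER_REFUND_TODAY))
```
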

Unsupervised Learning – Clustering

To support accurate peer group comparisons, Fraudio applies unsupervised clustering to identify merchants with genuinely similar behavioural characteristics, moving beyond broad classifications such as MCC or country.

Clustering enables the system to build more precise peer groups by grouping merchants based on multi-dimensional behavioural features — including transaction volume, average ticket value, approval rate, refund ratio, KYC level, and geographic footprint. This results in merchant segments that reflect actual operational similarity rather than static categorical definitions.

Each cluster provides two complementary signals for subsequent analysis:

  • Cluster-level statistics (e.g., mean refund ratio, approval rate, transaction velocity) that define expected behaviour within the group;
  • Distance metrics that quantify how far an individual merchant deviates from its cluster centre or whether its recent behaviour indicates a drift toward another cluster.

For example, a small e-commerce merchant that begins processing transactions similar in scale and risk profile to high-volume travel aggregators would move significantly away from its established cluster centroid, generating an anomaly signal for downstream models.

This clustering framework provides the structural basis for dynamic peer group definition, ensuring that comparisons and outlier detection reflect actual behavioural similarity rather than static business categorisation.

Fraud often involves networks of interconnected entities. Detecting hidden relationships enables early identification of coordinated bust-out schemes.

Fraudio builds a graph of linked identifiers such as cards, emails, IP addresses, device fingerprints, bank accounts, and terminal IDs. Graph algorithms then measure connectivity, detect communities of related merchants, and identify central nodes that connect many suspicious entities.

For example, two seemingly unrelated merchants might share a large set of cards or devices, revealing an organised fraud ring. A new merchant with strong links to previously confirmed bust-out accounts is scored as higher risk even before abnormal transaction behaviour emerges.
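
A sketch of the link analysis described above, as an added example (not Fraudio's code): merchants are joined when they share enough identifiers, communities are the connected components, and the two link features from the enriched interval are derived per merchant. The merchant IDs, identifiers, the `min_shared` and `max_fanout` parameters and the flagged set are all constructed assumptions; the fan-out cap keeps one widely shared identifier (for example a NAT address) from linking unrelated merchants.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed observations: (merchant_id, identifier_type, identifier_value)
OBSERVATIONS = [
    ("M9", "card", "c1"), ("M9", "card", "c2"), ("M9", "card", "c3"),
    ("M_NEW", "card", "c1"), ("M_NEW", "card", "c2"), ("M_NEW", "card", "c3"),
    ("M_NEW", "device", "d1"), ("M_NEW", "ip", "198.51.100.7"),
    ("M2", "device", "d1"), ("M2", "ip", "198.51.100.7"),
    ("M5", "card", "c8"), ("M6", "card", "c8"),  # one shared shopper card only
    # A shared egress address seen at every merchant (constructed).
    ("M9", "ip", "203.0.113.1"), ("M_NEW", "ip", "203.0.113.1"),
    ("M2", "ip", "203.0.113.1"), ("M5", "ip", "203.0.113.1"),
    ("M6", "ip", "203.0.113.1"),
]
FLAGGED = {"M9"}  # constructed: a previously confirmed bust-out merchant


def build_index(observations):
    """Map each identifier to the set of merchants where it was seen."""
    index = defaultdict(set)
    for merchant, kind, value in observations:
        index[(kind, value)].add(merchant)
    return index


def merchant_edges(index, min_shared=2, max_fanout=4):
    """Merchant pairs sharing at least `min_shared` identifiers.

    Identifiers seen at more than `max_fanout` merchants are ignored:
    they carry little evidence and create quadratically many edges.
    """
    shared = defaultdict(set)
    for ident, merchants in index.items():
        if len(merchants) > max_fanout:
            continue
        for a, b in combinations(sorted(merchants), 2):
            shared[(a, b)].add(ident)
    return {pair: ids for pair, ids in shared.items() if len(ids) >= min_shared}


def communities(edges):
    """Connected components of the merchant graph, via breadth-first search."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, result = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in comp:
                continue
            comp.add(node)
            queue.extend(adj[node] - comp)
        seen |= comp
        result.append(comp)
    return result


def link_features(merchant, edges, flagged):
    """Per-merchant link features, named after the page's enriched fields."""
    linked, cards = set(), set()
    for (a, b), ids in edges.items():
        if merchant not in (a, b):
            continue
        other = b if merchant == a else a
        linked.add(other)
        if other in flagged:
            cards |= {value for kind, value in ids if kind == "card"}
    return {"linked_merchants": len(linked),
            "shared_cards_with_flagged_merchants": len(cards)}


if __name__ == "__main__":
    edges = merchant_edges(build_index(OBSERVATIONS))
    print(communities(edges))
    print(link_features("M_NEW", edges, FLAGGED))
```
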

The techniques described above form the core of Fraudio's behavioural enrichment framework, providing the primary context for detecting merchant-initiated fraud. In addition to these, several complementary techniques are applied where applicable to enhance detection precision or address specific data characteristics.

Hidden Markov Models (HMM)

Fraudsters often shift behaviour abruptly, moving from low, apparently safe activity to aggressive cash-out. Hidden Markov Models (HMMs) are used to detect these unlikely transitions.

An HMM assumes a merchant operates in a small set of latent behavioural states such as steady trading, gradual growth, or high-risk cash-out. Each state has characteristic feature distributions — for instance, amount ranges, approval rates, refund ratios, or card origin mix. The model learns a transition matrix describing the probability of moving between states.

A legitimate merchant might slowly increase ticket size over time. A bust-out actor could jump directly from low, stable amounts to very high amounts with many declines — a transition the HMM scores as highly improbable and flags as suspicious.
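
The contrast between gradual growth and an abrupt jump, as an added example (not Fraudio's model): a three-state HMM scored with the scaled forward algorithm, reporting how surprising each day's observation is given everything seen before. The states follow the text above; the ticket-size bands, every probability and the threshold are assumptions constructed for illustration, whereas the page's model learns its parameters from data.

```python
import math

STATES = ("steady", "growth", "cash_out")
SYMBOLS = ("low", "mid", "high")  # assumed daily ticket-size bands

# Constructed parameters; rows are indexed by state.
START = [0.90, 0.09, 0.01]
TRANS = [
    [0.95, 0.049, 0.001],  # steady   -> steady / growth / cash_out
    [0.10, 0.85, 0.05],    # growth   -> ...
    [0.01, 0.04, 0.95],    # cash_out -> ...
]
EMIT = [
    [0.90, 0.09, 0.01],    # steady emits low / mid / high
    [0.20, 0.70, 0.10],    # growth
    [0.02, 0.08, 0.90],    # cash_out
]

for row in [START, *TRANS, *EMIT]:
    assert abs(sum(row) - 1.0) < 1e-9, "each distribution must sum to 1"


def step_surprise(observations):
    """Scaled forward algorithm.

    Returns, for each step t, -log p(o_t | o_1 .. o_{t-1}): the larger the
    value, the less the model expected that observation at that point.
    """
    n = len(STATES)
    belief = None  # posterior over states after the previous step
    surprises = []
    for obs in observations:
        k = SYMBOLS.index(obs)  # ValueError on an unknown symbol
        if belief is None:
            prior = START
        else:
            prior = [sum(belief[i] * TRANS[i][j] for i in range(n))
                     for j in range(n)]
        joint = [prior[j] * EMIT[j][k] for j in range(n)]
        evidence = sum(joint)
        surprises.append(-math.log(evidence))
        belief = [x / evidence for x in joint]
    return surprises


def flagged_steps(observations, threshold=3.0):
    """Indices of steps whose surprise exceeds the assumed threshold."""
    return [t for t, s in enumerate(step_surprise(observations)) if s > threshold]


# Constructed sequences, one observation per day.
GRADUAL = ["low"] * 4 + ["mid"] * 4 + ["high"]  # ticket size grows slowly
ABRUPT = ["low"] * 7 + ["high"]                 # jumps straight to high amounts

if __name__ == "__main__":
    for name, seq in (("gradual", GRADUAL), ("abrupt", ABRUPT)):
        print(name, [round(s, 2) for s in step_surprise(seq)], flagged_steps(seq))
```

Both sequences end on the same "high" observation; only the one that reaches it without passing through the growth state crosses the threshold.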

Representation Learning

Some behavioural shifts are too complex to express with simple statistics. Fraudio applies representation learning to capture these hidden, high-dimensional patterns directly from transaction sequences.

Specifically, Contrastive Predictive Coding (CPC) is applied: an unsupervised technique that predicts future steps in a sequence and learns a latent context vector summarising merchant behaviour. This embedding captures complex sequential dynamics beyond simple aggregates or explicit state models.

If a merchant’s card-origin mix or transaction rhythm begins to drift in ways not explicitly modelled, the CPC representation shifts, allowing downstream models to react without requiring manual feature redesign.

Forecasting – Time Series Analysis

Bust-out fraud frequently appears as a break in expected trends — sudden volume growth, changing approval rates, or refund spikes. Time-series forecasting helps detect these early.

Each merchant’s transactions are modelled as a temporal sequence. Fraudio applies Long Short-Term Memory (LSTM) neural networks to forecast expected metrics such as transaction volume, approval rate, or refund share. Actual observations are compared to these forecasts to identify significant deviations.

If a merchant predicted to grow gradually suddenly triples daily sales or sees approval rates collapse, the LSTM flags the behaviour as an unexpected break, providing an early warning signal.

Hybrid ML-Based Scoring

Fraudio evaluates merchant transaction intervals using a suite of complementary models that operate simultaneously to provide comprehensive fraud detection.

Model Types

| Model Type | Purpose | Key Advantage |
|---|---|---|
| Unsupervised | Identify deviations from established behavioral norms | Detects new, unknown fraud patterns |
| Supervised | Leverage historical fraud labels to recognize known patterns | High accuracy on known fraud types |
| Ensemble | Integrate outputs from multiple approaches | Unified, robust fraud recommendation |

The outputs from these distinct approaches are integrated through an ensemble framework to produce a single, unified fraud recommendation.

Unsupervised Learning – Anomaly Detection

Fraud patterns evolve quickly, while reliable labels such as chargebacks may take weeks to appear. Relying only on historically labelled data risks overlooking new or fast-emerging schemes.

Fraudio addresses this with autoencoder-based anomaly detection. An autoencoder is a neural network trained to capture the normal behaviour of merchants by compressing past transaction sequences into a compact internal representation and then reconstructing them. When a new behaviour cannot be reconstructed well, the reconstruction error increases. A high error indicates that the observed activity deviates from the established norm and is flagged as potentially anomalous. Because this method is not dependent on prior fraud labels, it can detect outliers and new patterns as soon as they arise.

Example: A long-established merchant that suddenly begins processing large cross-border card payments would produce a high reconstruction error and be surfaced early for review, even if no similar case has previously been labelled as fraud.

Scenario: A small e-commerce merchant (typically processing $5K-10K monthly) suddenly begins processing $50K+ in cross-border transactions

Key Features: High z-score (3.2), high recent historical sum, ecommerce

Detection: Autoencoder reconstruction error spikes from 0.15 to 0.85 (normal range: 0.1-0.3) because the model cannot accurately reconstruct the new, unprecedented transaction patterns that deviate significantly from the merchant's learned behavioral baseline

Result: Merchant flagged for review

Supervised Learning

Historical fraud cases provide essential signals about fraudulent behaviour. Fraudio leverages these labelled examples to train tree-based machine learning models, capable of recognising similar high-risk patterns in new merchant activity.

At the core of this approach are Random Forests — ensembles of hundreds or even thousands of individual decision trees.

Each tree is built from a series of branching decisions, where every split considers a specific feature or threshold — for example, refund rate, average ticket size, or approval ratio.

The depth of a tree determines how many of these sequential conditions are applied, allowing the model to capture complex, multi-factor relationships within the data.

While a single tree might represent a limited view of risk, a Random Forest combines the outputs of many deep trees, each trained on slightly different data samples and feature subsets.

This structure allows the model to evaluate an enormous number of parameter combinations and interactions — far beyond what could realistically be analysed by a human or encoded in manual rules.

Each tree contributes a "vote" to the final outcome, and the aggregated result provides a robust, data-driven decision on fraud likelihood.

An additional advantage is explainability: by analysing how features contribute across all trees, Fraudio derives feature importance scores and translates them into clear report reasons.

Provide Labels to Improve Detection Quality

As the name implies, supervised learning requires labelled data — historical examples where merchant behaviour has been confirmed as fraudulent or legitimate. Because merchant evaluations are often subjective and depend on each organisation's specific risk tolerance and business context, your own merchant evaluations are essential for effective training. High-quality, consistent labelling ensures that the model learns patterns aligned with your definitions of fraud and produces reliable, context-appropriate results.

Ensemble Learning

No single modelling technique is optimal for every merchant type or fraud pattern. To achieve a robust and adaptable fraud score, Fraudio combines multiple specialised models.

Different models are trained for distinct merchant segments — for example, grouped by MCC category or transaction profile. An ensemble layer then integrates their outputs, weighting each model’s contribution according to its historical performance for that segment. The result is a single fraud probability that balances the strengths of anomaly detection, deep learning, and tree-based approaches.

For a small e-commerce merchant, the ensemble may rely more on unsupervised anomaly signals and peer-group deviations, while for a high-volume travel merchant it may give greater weight to supervised models. This adaptive combination delivers a single, reliable score that remains effective across diverse fraud scenarios.

Model Explainability and Decision Transparency

The model architecture is designed to produce outputs that are both interpretable and auditable.

  • After scoring, Fraudio analyses each decision to identify which input features and model components contributed most to the outcome.
  • These contributions are ranked and expressed as domain-specific report reasons — concise, rule-like statements that summarise the most relevant behavioural factors (e.g., “Unusually high refund ratio compared to peers”, “Volume spike compared to historical trend”).
  • When multiple signals contribute to a decision, the system highlights the most significant risk drivers while preserving the complete feature-level contribution data for audit and regulatory review.

Example

Internal: Gradient-boosted trees used merchant_7d_refund_rate, peer_group_max_capture, and an LSTM-based trend-break feature.

Output explanation: Detected an outlying sequence with unusually high refund ratio compared to peers and a sudden break in historical approval trend.

This explainability layer translates complex model reasoning into structured, interpretable outputs that closely resemble logical rules, while maintaining full traceability to the underlying model computations. This ensures that every detection can be clearly understood, reviewed, and validated.

Model Development and Iteration Lifecycle

Fraudio’s detection capability is designed as an adaptive system that evolves through structured improvement cycles.

Each iteration integrates new data, operational outcomes, and analyst feedback to maintain model relevance, accuracy, and alignment with emerging fraud patterns.

| Stage | Purpose and Key Activities |
|---|---|
| Baseline Controls | A validated configuration of rules and models is deployed to production, establishing the reference performance metrics for detection coverage, precision, and operational efficiency. |
| Observation and Feedback | The system operates in production under controlled monitoring. Alert outputs are reviewed by analysts and clients to assess accuracy, workload impact, and practical relevance. Observations from this stage inform areas for refinement. |
| Scenario Expansion | Insights from production feedback and new behavioural data are incorporated into the detection framework. This may include new anomaly dimensions, adjusted thresholds, or the introduction of additional feature sets to extend coverage. |
| Retraining and Calibration | Models are retrained or recalibrated using newly labelled cases and updated baselines. Parameters and thresholds are optimised to improve precision–recall balance and ensure alignment with client risk appetite. |
| Validation and Backtesting | Updated models and configurations are tested against both historical and current datasets to confirm performance stability and incremental improvement prior to redeployment. |
| Continuous Improvement | Once validated, the new configuration becomes the updated baseline. The process repeats at defined intervals, ensuring sustained effectiveness as data characteristics, merchant profiles, and fraud patterns evolve. |

Structured iteration supports:

  • Adaptability – models and rules are updated to reflect newly observed behaviours.
  • Consistency – detection thresholds and alert logic remain aligned with current operational data.
  • Reliability – performance is verified through regular backtesting and feedback review.

Each cycle establishes a new baseline that incorporates the most recent data and observations, keeping detection accurate and stable over time.

Model Governance & Compliance

Fraudio’s MIF detection is operated under a formal governance framework to ensure reliability, transparency, and regulatory compliance.

Data Quality & Input Controls

  • Continuous monitoring of feed completeness and timeliness (e.g., refunds, MCCs, device data).
  • Automated validation rules detect missing or inconsistent fields; safe defaults or fallbacks are applied when possible (e.g., coalescing lower-frequency aggregates).
  • Ingestion errors and data drift are logged.

Model Lifecycle Management

  • Models are retrained or recalibrated on a defined schedule and when significant data or fraud pattern drift is detected.
  • Post-deployment monitoring tracks stability, false positives/negatives, and key population metrics.

Threshold & Risk Appetite Calibration

  • Detection thresholds are initially set using historical data and adjusted over time based on client risk appetite (e.g., conservative vs balanced modes).
  • Safeguards ensure extreme threshold changes are reviewed before going live.

Auditability & Decision Traceability

  • Every scored transaction sequence is logged with the model version, features, derived aggregates, and reason codes at decision time.
  • This audit trail allows regulators or clients to reproduce any past decision, even if models have since evolved.

Human Oversight & Reporting

  • Alerts flow into case management where trained analysts can review, annotate, and escalate.
  • All overrides and dismissals are logged with user, timestamp, and reason.
  • Upon development request, we can work together to have outputs support regulatory reporting (e.g., SAR/STR filing, Visa/Mastercard fraud and chargeback programs).