Technical Reference

Platform Capability
Matrix

Complete coverage status for all fraud detection capabilities, agent technology stacks, regulatory framework mapping, and source tool architecture. Architecture v2.1 · Fraud Detection Agentic AI.

✓ COVEREDProduction-ready

◐ PHASE 2Roadmap · 8–16 weeks

— OUT OF SCOPEBy design

Sub-Agents
Parallel

Source Tools
Equal Authority

Fraud Typologies
Covered

Dual

Regulatory
Framework

HITL Gates
Mandatory

Section 1

Fraud Typology Coverage

Fraud Type	Status	Detection Method	Primary Signal	Notes
Account Takeover (ATO)	✓ COVERED	Credential event + behavioral biometrics + account state deviation	BioCatch session anomaly + new device fingerprint	Includes Reg E provisional credit clock start on unauthorized transaction confirmation.
Business Email Compromise (BEC)	✓ COVERED	First-time payee + account age + wire amount deviation + email metadata	GNN: first-time payee topology + XGBoost velocity	FBI IC3 referral memo auto-generated. FinCEN-compliant SAR narrative assembled.
Synthetic Identity Fraud	✓ COVERED	SSN/DOB cross-validation + credit file age + bust-out velocity pattern	Account State: bust-out pattern + ThreatMetrix identity risk	Detects 8–24 month account seasoning patterns. Flags minor SSN associations.
Mule Account Networks	✓ COVERED	Graph Neural Net topology + common device fingerprint + IP clustering	GNN: network topology traversal <2 seconds	Full network SAR naming all participant accounts. Graph visualized in evidence tab.
Check Fraud / Check Kiting	◐ PHASE 2	Float analysis + deposit/withdrawal velocity + same-day settlement patterns	Account State + SQL transaction analysis	Check image analysis not yet integrated. Float pattern detection estimated 8 weeks.
Card-Not-Present Fraud	◐ PHASE 2	Device fingerprint + geo-velocity + merchant category risk scoring	BioCatch device intel + FIS card transaction history	CNP pipeline requires card network integration. Estimated 10–12 weeks.
Elder Financial Exploitation	◐ PHASE 2	Unusual withdrawal patterns + new beneficiary + cognitive decline indicators	Account State behavioral baseline deviation	Adult Protective Services referral integration required. 12–16 weeks.
First-Party Fraud	◐ PHASE 2	Dispute pattern analysis + Reg E claim history + chargeback velocity	Account State: dispute pattern + Reg E claim history	Distinguishing first-party from ATO requires dispute history integration. 8–10 weeks.
Zelle / P2P Payment Fraud	✓ COVERED	Recipient velocity + device + mule network detection	GNN: Zelle counterparty topology (demonstrated in Scenario 04)	P2P fraud is covered within the mule network typology using GNN topology analysis.
Wire Fraud (BEC subset)	✓ COVERED	As BEC above + SWIFT/Fedwire metadata + correspondent bank risk	GNN: counterparty topology + XGBoost amount anomaly	Covered within BEC typology. International wire adds OFAC screening layer.

Section 2

Agent-Level Capabilities

Agent	Status	Core Capability	Technology Stack	Notes
TXN-RISK Transaction Risk Scorer	✓ COVERED	Real-time transaction risk score 0–100. Ensemble: XGBoost (tabular) + GNN (graph topology). <200ms inference target.	XGBoost · Graph Neural Net · Feature pipeline via Kafka	Mandatory HITL before any action is taken. Score informs, does not decide.
ACCT-STATE Account State Analyzer	✓ COVERED	36-month behavioral baseline construction. Deviation scoring. ATO indicator detection. Velocity, geographic, payee anomaly.	FIS · Fiserv Core Banking · SQL time-series analysis · Kafka/Flink	Baseline construction on first pipeline run takes 45–90 seconds. Subsequent runs use cached baseline.
BIO-BEHAV Behavioral Biometrics	✓ COVERED	Session biometric analysis: keystroke, mouse, swipe, device fingerprint, session metadata. Bot/RAT/credential stuffing detection.	BioCatch Enterprise API · ThreatMetrix (LexisNexis Risk) · Sardine	Session data must be piped from online banking SDK. 3-4 week integration for SDK instrumentation.
REG-COMP Regulatory Compliance	✓ COVERED	Regulatory obligation determination: Reg E provisional credit (5 BD), SAR (30 CD), CTR (>$10K, 15 CD), OFAC block report (10 BD). Deadline tracking and escalation.	Rule engine: Reg E 12 CFR §1005.11, BSA 31 USC §5318(g), OFAC 31 CFR §501.603	Mandatory HITL approval gates all Reg E determinations. Analyst decision timestamped and logged.
CASE-MGT Case Management	✓ COVERED	Complete case file assembly: fraud narrative, evidence exhibits, SAR narrative draft, Reg E determination memo, HITL packet, priority routing (P0/P1).	NICE Actimize · Verafin · SAR Pre-fill module · LangChain	SAR narrative draft is analyst-review grade — not auto-filed. BSA Officer is always filer of record.
LIVE-AI Live Custom AI	✓ COVERED	Scenario 05: Full 5-agent pipeline on live Claude Sonnet API. Any entity, any transaction, any fraud type. Demonstrates novel scenario handling.	Anthropic Claude Sonnet · claude-sonnet-4-20250514 · Streaming API	Requires Anthropic API key input in demo UI. Cost: $0.02–$0.05 per pipeline run.

Section 3

Source Tool Technology Stacks

SOURCE TOOL 1Transaction Risk ML

Technology

XGBoost Ensemble: Gradient-boosted trees trained on tabular fraud features — transaction amount, velocity, time-of-day, merchant category, counterparty age. Handles structured signal efficiently at high throughput.

Graph Neural Net

GNN (PyTorch Geometric): Traverses account-to-account transaction topology. Identifies mule networks, bust-out rings, and money flow patterns that XGBoost cannot detect from individual transactions alone.

Integration: Feature pipeline via Apache Kafka. Real-time feature computation via Flink. Model serving via MLflow/KServe. Inference target <200ms end-to-end. Models retrained weekly on rolling 90-day window.

SOURCE TOOL 2Account Intelligence

Core Banking Integration

FIS / Fiserv: Bidirectional REST API integration with core banking. Retrieves 36-month rolling transaction history, account metadata, beneficiary history, login events, and prior dispute record.

Baseline Construction

Statistical baseline: Rolling mean, standard deviation, and percentile distributions for: transaction amounts, velocity by day-of-week, payee concentration, geographic access patterns. Deviation scoring triggers alert escalation.

SOURCE TOOL 3Behavioral Biometrics

BioCatch Enterprise

Behavioral biometrics: keystroke cadence, mouse movement, mobile swipe patterns, cognitive fingerprint. Detects when a legitimate user's account is operated by a fraudster or bot, even post-authentication.

ThreatMetrix (LexisNexis)

Device intelligence network: device fingerprinting, IP reputation, proxy/VPN/Tor detection, device-to-account association history. Identifies new device on known account as ATO indicator.

Sardine

Fraud and compliance platform focused on digital banking: account opening fraud, P2P payment fraud, crypto fraud. Strong on Zelle and ACH fraud patterns. Supplements ThreatMetrix for digital-native fraud.

SOURCE TOOL 4Regulatory Engine

Deterministic rule engine implementing the dual BSA-AML and Reg E regulatory framework. Not probabilistic — obligation determinations are binary outputs governed by codified regulatory rules.

SAR FILING

30 calendar days from suspicion identification. 31 U.S.C. §5318(g). T-14 and T-5 escalation alerts.

REG E CREDIT

5 business days provisional credit for unauthorized transactions. 12 C.F.R. §1005.11. Clock starts at notification.

CTR FILING

15 calendar days for cash transactions >$10,000. 31 CFR §1010.311. Auto-populated on qualifying events.

OFAC BLOCK

10 business days to report blocking. 31 CFR §501.603. Immediate transaction block on SDN match.

SOURCE TOOL 5Case Management

Integrates with existing fraud case management platforms via webhook and REST API. CAIBots enriches the case; analysts continue working in their existing UI. No workflow replacement — workflow augmentation.

NICE Actimize

Bidirectional REST API. CAIBots receives Actimize case events and writes enriched case data back. Priority routing (P0/P1) integrates with Actimize queue management. SAR pre-fill data formats compatible with Actimize SAR module.

Verafin

Webhook integration for alert forwarding. Verafin maintains case ownership; CAIBots enriches with 5-agent output. Network SAR data (mule detection) formatted for Verafin's network SAR module. EDD documentation writeback supported.

Section 4

Regulatory Framework Coverage

Regulation	Status	Specific Obligation	Implementation
Reg E · 12 C.F.R. §1005.11	✓ COVERED	Unauthorized transaction investigation, provisional credit within 5 business days, 45-day investigation deadline	REG-COMP agent determines eligibility. HITL gate required. Clock tracked and escalated at T-2 and T-1. All determinations timestamped and immutably logged.
BSA / SAR · 31 U.S.C. §5318(g)	✓ COVERED	30-day SAR filing from suspicion identification. FinCEN BSA E-Filing. BSA Officer as filer of record.	CASE-MGT agent assembles FinCEN-compliant SAR narrative. HITL gate mandatory. Agent never submits. T-14 and T-5 deadline alerts surfaced to analyst.
CTR · 31 CFR §1010.311	✓ COVERED	15-day filing for cash transactions >$10,000. Structuring detection under §1010.314.	REG-COMP auto-identifies CTR threshold triggers. CTR pre-filled from transaction data. HITL approval required before filing.
OFAC SDN · 31 CFR §501.603	✓ COVERED	Immediate blocking on SDN match. 10 business-day report to OFAC. Form TDF-90-22.50.	Real-time OFAC screening via TXN-RISK agent. Immediate transaction block on match. 10-day clock tracked. HITL required for report submission.
FFIEC BSA/AML Examination Manual	✓ COVERED	Examination-ready documentation. Evidence chain. Model validation documentation.	Complete audit trail with regulatory citations. Reproducible evidence chain within 24 hours of examiner request. SR 11-7 model documentation package available.
CFPB Supervision · 12 U.S.C. §5514	✓ COVERED	Unfair, deceptive, or abusive acts or practices (UDAAP). Fraud loss reimbursement fairness.	Reg E determination accuracy directly impacts UDAAP exposure. All determinations documented with supporting evidence for CFPB examination.
FBI IC3 Referral	✓ COVERED	IC3 complaint submission for BEC, wire fraud, and elder fraud.	CASE-MGT auto-generates IC3 referral memo for qualifying BEC and wire fraud cases. Analyst submits via IC3 portal; memo is pre-filled with required fields.
SR 11-7 Model Risk Management	✓ COVERED	Model validation documentation. Conceptual soundness. Ongoing monitoring framework.	Full SR 11-7 documentation package available. XGBoost and GNN models documented with feature importance, validation methodology, and performance benchmarks.

Section 5

HITL Gate Specification

Gate	Classification	Trigger	Analyst Action Required	SLA
Reg E Provisional Credit	MANDATORY	Unauthorized transaction confirmed by REG-COMP agent	Approve or deny provisional credit. Document rationale. System auto-logs decision with timestamp.	5 Business Days
SAR Filing Authorization	MANDATORY	CASE-MGT SAR narrative assembled and routed to HITL queue	Review full narrative, approve, digitally sign, submit via FinCEN BSA E-Filing. Agent never submits.	30 Calendar Days
Wire Recall Authorization	MANDATORY	Outgoing wire with TXN-RISK score >85 on confirmed ATO	Authorize or deny wire recall. Irreversible action. Time-critical — most wire recalls must occur within 24–48 hours of origination.	24–48 Hours
Account Freeze / Closure	MANDATORY	Confirmed mule account or synthetic identity bust-out	Authorize account restriction or closure. Confirm notification requirements. Document regulatory basis.	As needed
OFAC Block Report	MANDATORY	SDN match confirmed by TXN-RISK agent	Confirm blocking action, complete Form TDF-90-22.50, submit to OFAC. Verify blocking report filed within 10 business days (31 CFR §501.603).	10 Business Days

Questions on Capability Gaps?

Phase 2 capabilities have estimated build timelines. Custom fraud typologies not listed can be scoped in the architecture call. The 5-agent pipeline is extensible to new signal domains.

Schedule Architecture Call → Implementation Guide