Risk Signals
This reference documents all fraud risk signals detected by TrustGate, their severity, and recommended actions.
Signal Categories
Document Signals
Signals from document verification:
| Signal | Severity | Description |
|---|---|---|
| document_tampered | Critical | Signs of physical or digital tampering |
| document_forged | Critical | Document appears to be fake |
| mrz_mismatch | High | MRZ data doesn't match visual zone |
| security_features_missing | High | Expected security features not found |
| document_expired | Medium | Document past expiration date |
| document_quality_poor | Low | Low image quality affects verification |
| document_type_mismatch | Medium | Document doesn't match claimed type |
| data_inconsistency | Medium | Data fields are inconsistent |
Biometric Signals
Signals from biometric verification:
| Signal | Severity | Description |
|---|---|---|
| face_mismatch | Critical | Face doesn't match document photo |
| liveness_failed | Critical | Failed liveness detection |
| deepfake_detected | Critical | AI-generated face detected |
| photo_of_photo | High | Selfie is a photo of a photo |
| screen_capture | High | Selfie taken from a screen |
| mask_detected | High | Face mask or covering detected |
| multiple_faces | Medium | Multiple faces in frame |
| face_partially_visible | Low | Face not fully visible |
Device Signals
Signals from device intelligence:
| Signal | Severity | Description |
|---|---|---|
| device_fraud_confirmed | Critical | Device linked to confirmed fraud |
| device_emulator | High | Virtual machine/emulator detected |
| device_rooted | Medium | Rooted Android device |
| device_jailbroken | Medium | Jailbroken iOS device |
| automation_detected | High | Browser automation tools |
| headless_browser | High | Headless browser detected |
| vpn_detected | Medium | VPN connection detected |
| tor_detected | High | Tor network detected |
| proxy_detected | Medium | Proxy server detected |
| datacenter_ip | Medium | IP from hosting provider |
Email Signals
Signals from email verification:
| Signal | Severity | Description |
|---|---|---|
| email_disposable | High | Disposable email service |
| email_fraud_domain | Critical | Domain associated with fraud |
| email_spam_trap | Critical | Known spam trap address |
| email_new_domain | Medium | Domain < 30 days old |
| email_invalid | High | Email doesn't exist |
| email_free_provider | Low | Free email (Gmail, etc.) |
| email_catch_all | Low | Domain accepts all addresses |
| email_role_account | Low | Generic address (info@, admin@) |
Phone Signals
Signals from phone verification:
| Signal | Severity | Description |
|---|---|---|
| phone_fraud_history | Critical | Phone linked to fraud |
| phone_voip | Medium | VoIP number detected |
| phone_virtual | High | Virtual phone service |
| phone_prepaid | Low | Prepaid SIM card |
| phone_ported_recently | Medium | Number ported in last 30 days |
| phone_sim_swap | High | Recent SIM swap detected |
| phone_invalid | High | Invalid phone number |
| phone_country_mismatch | Medium | Phone country differs from claimed |
Velocity Signals
Signals from velocity checks:
| Signal | Severity | Description |
|---|---|---|
| multiple_apps_same_device | High | 3+ apps from same device |
| multiple_apps_same_ip | High | 5+ apps from same IP |
| multiple_apps_same_email | High | Email used in multiple apps |
| multiple_apps_same_phone | High | Phone used in multiple apps |
| rapid_resubmission | Medium | Resubmitted within 24 hours |
| document_reused | High | Same document in multiple apps |
Geographic Signals
Signals from location analysis:
| Signal | Severity | Description |
|---|---|---|
| sanctioned_country | Critical | Sanctioned jurisdiction |
| high_risk_country | High | High-risk jurisdiction |
| ip_country_mismatch | Medium | IP location differs from claimed |
| timezone_mismatch | Low | Browser timezone mismatch |
| impossible_travel | High | Location change too fast |
Behavioral Signals
Signals from behavior analysis:
| Signal | Severity | Description |
|---|---|---|
| copy_paste_data | Low | Data was copy-pasted |
| rapid_form_fill | Medium | Form filled suspiciously fast |
| session_anomaly | Medium | Unusual session behavior |
| multiple_sessions | Low | Multiple concurrent sessions |
How Signals Are Used
The risk engine combines signals from all categories into an overall risk assessment. Each signal has a category, score (0-100), and weight that contributes to the overall risk score.
Risk Signal Categories in the Engine
The risk engine organizes signals into these categories (defined in RiskCategory):
| Category | Description | Weight |
|---|---|---|
| aml | Sanctions/PEP/adverse media hits | High |
| document | Document verification issues | Medium-High |
| identity | Identity mismatch, country risk | Medium |
| device | VPN, proxy, suspicious device | Medium |
| behavior | Suspicious patterns | Low-Medium |
| address | Address verification status | Low-Medium |
Get Risk Breakdown for an Applicant
To see how signals contribute to an applicant's risk score, use the risk breakdown endpoint:
```bash
curl -X GET "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/risk-breakdown" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
This returns a weighted breakdown across four risk dimensions:
- Geographic Risk (25%): Country + IP mismatch
- Product Risk (15%): Product type scoring
- Channel Risk (20%): Device/network signals
- Customer Risk (40%): AML + identity + address + document signals
Get Full Risk Assessment
For the detailed signal-level view, use the risk assessment endpoint:
```bash
curl -X GET "https://api.bytrustgate.com/api/v1/workflows/risk/{applicant_id}" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Response
```json
{
  "applicant_id": "550e8400-e29b-41d4-a716-446655440000",
  "overall_level": "medium",
  "overall_score": 35,
  "recommended_action": "manual_review",
  "signals": [
    {
      "category": "device",
      "signal_name": "vpn_detected",
      "score": 40,
      "weight": 0.15,
      "description": "VPN connection detected",
      "details": {}
    },
    {
      "category": "identity",
      "signal_name": "country_risk",
      "score": 30,
      "weight": 0.2,
      "description": "Applicant country has elevated risk",
      "details": {}
    }
  ],
  "assessment_time": "2026-01-20T14:30:00Z",
  "applied_rule_name": null,
  "final_action": null
}
```
Get Risk Assessment History
```bash
curl -X GET "https://api.bytrustgate.com/api/v1/workflows/risk/{applicant_id}/history?limit=10" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Signal-Based Workflow Rules
Use workflow rules to automate actions based on risk assessment results. Rules use flat condition dictionaries -- they do not reference individual signals directly but instead match on aggregate risk levels and screening outcomes.
Auto-Reject for High Risk with Sanctions Hits
```bash
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Reject high risk with sanctions",
    "description": "Auto-reject applicants with critical risk and sanctions hits",
    "conditions": {
      "risk_level": ["critical"],
      "has_sanctions_hit": true
    },
    "action": "auto_reject",
    "notify_on_match": true,
    "priority": 950
  }'
```
Escalate PEP Matches
```bash
curl -X POST https://api.bytrustgate.com/api/v1/workflows/rules \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Escalate PEP matches",
    "description": "Escalate any applicant with PEP hits for enhanced due diligence",
    "conditions": {
      "has_pep_hit": true
    },
    "action": "escalate",
    "assign_to_role": "senior_compliance",
    "notify_on_match": true,
    "priority": 800
  }'
```
See Workflow Rules for the full rule configuration reference.
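A local pre-flight check for rule payloads, added here as an example and not part of TrustGate's own code: it lints the conditions for flatness and dry-runs the two rules above against constructed contexts to expose coverage gaps. The matching semantics (all conditions must hold, a list means "any of") and the ordering (highest `priority` first) are assumptions, as are the function names.

```python
# The two rules shown on this page, reduced to the fields the check needs.
RULES = [
    {"name": "Reject high risk with sanctions", "priority": 950, "action": "auto_reject",
     "conditions": {"risk_level": ["critical"], "has_sanctions_hit": True}},
    {"name": "Escalate PEP matches", "priority": 800, "action": "escalate",
     "conditions": {"has_pep_hit": True}},
]
# A few signal names from this reference; rule conditions must not use them as keys.
SIGNAL_NAMES = {"vpn_detected", "deepfake_detected", "document_tampered", "tor_detected"}

def lint_rule(rule):
    """Return problems in a rule payload: non-flat values or per-signal condition keys."""
    conditions = rule.get("conditions")
    if not isinstance(conditions, dict) or not conditions:
        return ["conditions must be a non-empty dictionary"]
    problems = []
    for key, value in conditions.items():
        if key in SIGNAL_NAMES:
            problems.append(f"{key}: individual signal used as a condition")
        items = value if isinstance(value, list) else [value]
        if any(isinstance(item, (dict, list)) for item in items):
            problems.append(f"{key}: nested value, conditions must be flat")
    return problems

def matches(rule, context):
    """Assumed semantics: all conditions must hold; a list value means 'any of'."""
    for key, expected in rule["conditions"].items():
        actual = context.get(key)
        allowed = expected if isinstance(expected, list) else [expected]
        if actual not in allowed:
            return False
    return True

def first_match(rules, context):
    """Assumed ordering: the rule with the highest priority number is tried first."""
    for rule in sorted(rules, key=lambda r: r["priority"], reverse=True):
        if matches(rule, context):
            return rule["name"]
    return None

if __name__ == "__main__":
    # Constructed context: critical risk, but no sanctions or PEP hit.
    gap = {"risk_level": "critical", "has_sanctions_hit": False, "has_pep_hit": False}
    print(first_match(RULES, gap))
```

Under these assumptions, a critical-risk applicant with no sanctions or PEP hit matches neither rule, which is the kind of gap worth closing with an explicit fallback rule.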
Signal Correlation
High-Risk Combinations
These signal combinations indicate high fraud probability:
| Combination | Fraud Probability |
|---|---|
| deepfake_detected + any | 95%+ |
| document_tampered + face_mismatch | 90%+ |
| device_emulator + vpn_detected | 85%+ |
| email_disposable + phone_virtual | 75%+ |
| multiple_apps_same_device + rapid_resubmission | 70%+ |
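Because workflow rules cannot match individual signals, this correlation has to run client-side on the `signals` array of the risk assessment response. The following is an added example, not TrustGate code: the function names, the reading of "+ any" as "at least one other signal", and the `quiet_levels` values other than `medium` are assumptions, and the sample assessment is constructed.

```python
import json

# Rows of the "High-Risk Combinations" table on this page.
# None is the "+ any" wildcard, read here (assumption) as "at least one other signal".
HIGH_RISK_COMBOS = [
    ("deepfake_detected", None, "95%+"),
    ("document_tampered", "face_mismatch", "90%+"),
    ("device_emulator", "vpn_detected", "85%+"),
    ("email_disposable", "phone_virtual", "75%+"),
    ("multiple_apps_same_device", "rapid_resubmission", "70%+"),
]

def correlate(assessment):
    """Return (first, second, probability) for every table row present in one assessment."""
    names = {s["signal_name"] for s in assessment.get("signals", [])}
    hits = []
    for first, second, probability in HIGH_RISK_COMBOS:
        if first not in names:
            continue
        if second is None and len(names) > 1:
            hits.append((first, "any", probability))
        elif second in names:
            hits.append((first, second, probability))
    return hits

def triage(assessment, quiet_levels=("low", "medium")):
    """Flag assessments whose aggregate level is quiet but whose signals correlate."""
    hits = correlate(assessment)
    # score * weight is only a display sort key; the engine's formula is not given here.
    ranked = sorted(assessment.get("signals", []),
                    key=lambda s: s["score"] * s["weight"], reverse=True)
    return {
        "applicant_id": assessment["applicant_id"],
        "combinations": hits,
        "needs_second_look": bool(hits) and assessment["overall_level"] in quiet_levels,
        "top_signal": ranked[0]["signal_name"] if ranked else None,
    }

# Constructed sample in the shape of the documented response (all values made up).
SAMPLE = json.loads("""{
  "applicant_id": "00000000-0000-0000-0000-000000000000",
  "overall_level": "medium",
  "signals": [
    {"category": "device", "signal_name": "vpn_detected", "score": 40, "weight": 0.15},
    {"category": "device", "signal_name": "device_emulator", "score": 70, "weight": 0.15}
  ]
}""")

if __name__ == "__main__":
    print(triage(SAMPLE))
```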
Next Steps
- About Fraud Prevention - Overview
- Device Intelligence - Device signals detail
- Workflow Rules - Automate responses