A Beginner’s Guide to Payment Risk Control: All You Need in One Article

Basic Risk Concepts

Risk : Probability that a loss occurs in a specific scenario at a specific time; the gap between desired outcome and actual result. Risk control aims to keep risk within an acceptable range, not to eliminate it.

Risk Event : Direct cause of loss, e.g., a fraudulent transaction in payments.

Risk Factor : Indirect cause or background condition that raises the probability of a risk event, such as proxy IP, new device login, or night‑time operation.

Risk Level : Grading of risk severity; the industry commonly uses three levels (see diagram).

Risk Control : Measures and methods that reduce the likelihood of risk events or mitigate loss when they occur. In payments, technology and rules protect fund safety.

Risk‑Control Coverage Rate : Proportion of actual risks that the system can detect and cover; higher coverage means fewer missed risks.

False‑Block Rate : Proportion of normal transactions incorrectly blocked; the industry typically targets <1% to minimise user disturbance.

Missed‑Risk Rate : Proportion of real risky transactions that are not detected; missed risks cause fund loss, so systems prefer false blocks over missed risks.

Payment Risk Types

Account Risk : Credential dumping, credential stuffing, phishing, or malware leading to account theft – the oldest and most common payment risk.

Transaction Risk : Malicious behaviours during the transaction process, such as automated order‑flooding, manual bulk orders, abnormally large orders, or scalper purchases (especially in e‑commerce).

Fund Risk : Risks to platform fund safety stemming from mismanagement of settled or retained funds. The People’s Bank of China’s 2013 “Customer Reserve Funds Management Measures” address this risk.

Cash‑Out Risk : Users convert credit‑card or loan limits into cash via fake purchases, self‑buy‑sell, or refund schemes; online payments make cash‑out costs very low.

Operational Risk : Losses caused by human error, employee violations, or internal control failures (process risk, employee fraud/over‑privilege, external risk).

Compliance Risk : Fines or reputation damage from failure to comply with extensive payment regulations.

Money‑Laundering Risk : Criminals use payment platforms to launder illegal funds; in 2016, 18 payment institutions were listed for key rectification.

Terrorist‑Financing Risk : Funds potentially flowing to terrorist organisations; the People’s Bank of China’s “Anti‑Money‑Laundering and Counter‑Terrorist Financing Management Measures” provide clear regulations.

Credit Risk : Counter‑party failure to fulfil contractual obligations, e.g., user default or merchant bankruptcy.

Reputation Risk : Brand damage and user loss caused by negative incidents, security breaches, or compliance failures.

Black‑Industry Attack Techniques

Database Dumping : Hackers breach web servers and steal user databases, often exploiting OS vulnerabilities, third‑party component flaws, or SQL injection.

Data Cracking : After obtaining encrypted databases, attackers use brute‑force, dictionary attacks, or rainbow tables to recover plaintext such as passwords or ID numbers.

Credential Stuffing : Stolen username‑password pairs from one site are tried on another; high success due to credential reuse.

Social‑Engineering Database : Compiled datasets containing usernames, passwords, and personal privacy data (addresses, travel records, etc.) that have grown to tens of millions of records.

Smurf Account : Bulk‑registered accounts used for coupon‑grabbing, order‑flooding, cash‑out, etc.; short‑lived, bound to virtual phone numbers and emulator devices.

Brush Order Fraud : Merchants or black‑industry actors create fake transactions to inflate sales, rankings, and reviews; detection is hard because of small accounts, virtual machines, VPNs, cheap virtual goods, and mutual brushing.

Coupon Abuse : Users exploit rule loopholes or bulk accounts to illegally obtain promotional benefits; spikes occur during major sales events.

Phishing : Impersonating legitimate institutions to lure users into revealing credentials, verification codes, etc.

Trojan Horse : Malicious software disguised as legitimate applications to steal credentials, intercept SMS codes, and remotely control devices.

Fake Base Station : Imitates carrier base‑station signals to hijack nearby mobile communications, including SMS verification codes.

Modem Pool : Devices that hold a large number of SIM cards simultaneously, used for bulk receipt of SMS codes, account registration, and other black‑industry services.

Risk‑Control System Architecture

Data Collection Layer : Gathers raw information such as transaction data, user behaviour, device fingerprints, and third‑party data via log harvesting, database sync, and pingback tracking.

Feature Engine : Derives predictive variables from raw data. Outputs four feature types: real‑time, aggregated (time‑window statistics), sequence (behaviour patterns), and graph (relationship networks).

Rule Engine : Evaluates transactions based on predefined IF‑THEN logic. Advantages: high performance, easy to understand, simple development. Disadvantages: one‑size‑fits‑all, easy to probe and bypass.

List Management System : Manages black, white, and gray lists; a hit triggers interception or special handling.

Model Engine : Machine‑learning module that scores transaction risk, outputting a continuous score (e.g., 0‑1000) for finer granularity than binary rule decisions. Common algorithms: LR, GBDT, XGBoost, neural networks, GNNs.

Decision Engine : Integrates outputs from the rule engine, list system, and model engine according to preset strategies to produce final decisions (pass, reject, verify, hand‑off). Supports rule orchestration, strategy composition, and A/B testing.

Execution Layer : Executes concrete actions based on decisions: automatic pass, enhanced verification (SMS/face/fingerprint), manual review, direct reject, account freeze, etc.

Operations Platform : Daily workbench for risk‑control staff, including rule configuration, list management, ticket handling, monitoring alerts, case analysis, reporting, and labeling feedback.

Alert & Monitoring System : Real‑time “nervous system” that senses anomalies and triggers alerts (balance monitoring, abnormal transaction monitoring, remote‑login alerts, email notifications).

Data and Feature Types

Device Fingerprint : Generates a unique identifier by collecting hardware info (CPU, screen, memory, sensors) and software info (OS, browser, fonts, plugins). Must be unique, consistent, and stable to identify devices rather than users.

User Persona : Multidimensional data describing user background and behaviour (demographics, contact info, asset characteristics, household traits, transaction preferences, behavioural features). Large volume, many dimensions, frequent updates.

Device Profiling : Profiles the device and its user characteristics; for unauthenticated users, device profiling is the sole identification method.

Item Profiling : Profiles the buyer group from the product perspective (price, category, launch time, promotion info, buyer distribution by time/location/amount/age/gender). Higher deviation indicates higher risk.

Knowledge Graph : Graph data structure representing entities (people, companies, devices, addresses, items) and their semantic relationships. Risk can be evaluated from relational angles—for example, if a high‑risk user A frequently trades with B, B’s risk level should be raised.

Static Data : Generated once and rarely modified (e.g., user name, gender, registration time, merchant establishment date).

Dynamic Data : Changes frequently over time (e.g., daily visit count, consumption amount, age).

Inferred Data : Derived from raw inputs via algorithms with confidence scores (e.g., gender inferred with 80% confidence based on purchase behaviour). Risk control heavily relies on inferred data.

Discrete vs. Continuous Data : Discrete data has limited values (gender, occupation); continuous data spans a wide range (amount, time). Modeling usually requires discretisation of continuous data via bucketing or binning.

Pingback Behaviour Reporting : Embedding scripts on pages to monitor user actions (clicks, keystrokes, dwell time, mouse trajectory) and asynchronously send data to servers; useful for inferring user preferences and emotional states.

Log Collection : Primary method for gathering risk‑control data; business systems output required data to log files, and the risk‑control system asynchronously consumes them.

List System

Blacklist : Collection of high‑risk entities (personal/company, IP, device‑ID, phone‑number, wallet‑address, geographic). A hit triggers interception or manual review.

Whitelist : Collection of trusted entities; a hit bypasses certain risk checks and allows direct pass. Applicable to internal staff, deeply KYC‑verified high‑value customers, trusted merchants, and test accounts. Must be used with extreme caution.

Graylist : Collection of suspicious but uncertain entities; a hit does not enforce hard interception but delays the transaction, adds verification, or places it under observation.

Central‑Bank AML List : Lists issued by the People’s Bank of China (sanctioned companies, terrorist individuals/organizations, UN‑designated high‑risk regions) that must be incorporated into risk‑control checks.

Public‑Security/Prosecution Collaboration List : Persons or entities involved in cases issued by police, procuratorates, or courts; after receipt, the corresponding entities must be fully blacklisted.

Dishonest Executed Person List : “Bad debtor” list published by the Supreme People’s Court; can be queried via the China Execution Information Public Network.

List Lifecycle Management : Standardised management of the entire lifecycle of list entries (creation, review, activation, monitoring, expiration, archiving) to prevent outdated lists causing false blocks or missed interceptions.

In‑Memory Database : Typical storage solution (Redis, Couchbase, etc.) for list data to achieve millisecond‑level matching.

Rule Engine Details

List‑Based Rule : Basic rule type; blacklist hit → intercept or manual review, whitelist hit → pass. Example: block transaction if user ID appears on the AML blacklist.

Frequency Rule : Limits operation frequency within time windows (e.g., ≤10 withdrawals per day).

Amount Rule : Sets thresholds on single‑transaction amounts or cumulative amounts. Example: single payment > 50,000 CNY triggers manual review; daily cumulative withdrawals must not exceed 100,000 CNY.

Business Rule : Rules tied to specific business scenarios. Example: a single user binding > 10 bank cards, a single bank card bound by > 5 users, or a phone number changed > 4 times within a week.

Behavioral Anomaly Rule : Detects inconsistencies between current behaviour and historical patterns. Example: payment location differs from usual login location; within 2 minutes the location jumps from Beijing to the United States.

Interception History Rule : If a user has been intercepted multiple times for a specific business, subsequent transactions automatically receive a higher risk level.

Rule Conflict : Occurs when a transaction hits contradictory rules (e.g., IP whitelist suggests pass while amount blacklist suggests block). Requires predefined priority strategies.

Rule Decay : Rules perform well initially but lose effectiveness as attackers learn and evade them; all rules have a lifecycle and need continuous maintenance.

Sliding Window : More precise frequency‑statistics method that always looks at the most recent N time units, avoiding attacks that exploit fixed‑interval boundaries.

Rule Hot‑Reload : Ability to update rule configurations dynamically without restarting the system; essential for frequent rule adjustments.

Models and Algorithms

Scorecard Model : Assigns weights and scores to each risk indicator, sums them to obtain a 0‑100 score, and maps it to a risk level. Originates from banking credit rating methods; strong interpretability.

Decision Tree : Tree‑structured classification model that makes a series of IF‑THEN judgments. Advantages: easy to understand, fast detection. Disadvantages: coarse results, cannot provide fine‑grained probability ordering.

Logistic Regression (LR) : Most common baseline model; outputs a probability between 0 and 1; coefficients directly indicate each feature’s risk contribution. Highly interpretable and suitable as a fallback model.

GBDT / XGBoost / LightGBM : Gradient‑boosted tree ensembles, currently the preferred algorithms for tabular data in risk control. High accuracy, can handle mixed features, robust to missing values. LightGBM balances performance and precision especially well.

Neural Network / DNN : Suitable for sequence and graph features. Automatically learns nonlinear patterns but requires large training data and suffers from poor interpretability (black‑box).

Graph Neural Network (GNN) : Deep‑learning models designed for graph‑structured data. Used in risk control for detecting organised fraud by analysing relationship networks.

Feature Engineering : Process of constructing and selecting effective features from raw data. Good feature engineering often matters more than algorithm choice; data determines the performance ceiling. Risk‑control features include real‑time, aggregated, sequence, and graph features.

Labeling : Human annotation of transaction data as normal, fraudulent, or suspicious to generate training samples. Manual review not only resolves cases but also teaches the model.

A/B Testing : Runs two or more strategies/models simultaneously to compare effectiveness. New rules or models must be validated via A/B testing before full rollout to avoid unintended losses.

Online Learning : Models automatically update with new feedback data after deployment. In adversarial environments, static models degrade quickly; online learning enables continuous improvement.

Decision and Handling

Auto‑Pass : Low‑risk transactions completed without human intervention; target auto‑pass rate > 80% to free resources for truly suspicious cases.

Step‑up Authentication : For medium‑risk transactions, requires additional user verification. Strength escalates from SMS code → voice verification → email verification → password → facial recognition → ID‑OCR.

Manual Review : Transactions that the system cannot automatically decide are handed to risk‑control analysts. Key metric: average review time < 30 minutes with high consistency.

Direct Reject : Extremely high‑risk transactions are blocked outright, often accompanied by account freeze or transaction limits.

Account Freeze : Restricts high‑risk accounts from making payments, withdrawals, etc.; users must appeal or undergo manual unfreeze.

Delayed Settlement : Orders that trigger risk rules are first frozen (funds held) and then manually reviewed. Money stays in the platform; after approval it is transferred to the merchant.

Manual Ticket : System‑generated tasks for human review. The workbench provides hit reasons, historical transactions, user profiles, and other context to help analysts decide quickly.

Verification Center : Independent service that manages various verification methods (SMS, facial, bank card, etc.). Risk control decides the need for verification; the verification center executes the interaction.

Penalty Center : Enforces punitive actions on confirmed violators (accounts, devices, merchants), such as transaction limits, account freeze, or blacklist inclusion. Supports configurable penalty strategies.

Metrics and Evaluation

Auto‑Pass Rate : Proportion of transactions automatically passed out of total transactions; higher rates indicate better automation. Typical target > 80%.

Precision : Ratio of truly risky transactions among all transactions flagged as risky by the model.

Recall : Ratio of truly risky transactions detected by the model out of all actual risky transactions.

KS Value (Kolmogorov‑Smirnov Statistic) : Measures a model’s ability to separate good and bad samples. Values > 40% are excellent, 30‑40% good, < 20% ineffective.

AUC (Area Under Curve) : Area under the ROC curve; values range 0.5‑1.0. Payment risk models typically require AUC > 0.75.

PSI (Population Stability Index) : Evaluates whether feature distributions have shifted after model deployment. PSI < 0.1 indicates stability; > 0.25 warns of significant drift requiring retraining.

Loss Rate : Proportion of actual monetary loss caused by missed interceptions relative to total transaction volume; the ultimate bottom‑line metric.

Complaint Rate : Proportion of user complaints caused by false blocks; directly impacts user experience and brand image.

Compliance and Regulation

KYC (Know Your Customer) : Identity verification process for users, typically divided into multiple levels.

KYB (Know Your Business) : Due‑diligence for corporate customers, including business registration verification, operational status checks, legal representative background, and ultimate beneficial owner (UBO) identification.

AML (Anti‑Money‑Laundering) : Regulatory requirement to prevent illegal funds from being converted into legitimate money via payment systems. Payment institutions must establish robust AML systems and Suspicious Transaction Reporting (STR) mechanisms.

CFT (Counter Financing of Terrorism) : Core compliance obligation alongside AML; requires screening transactions for links to sanctioned individuals or organisations.

Three Anti‑Checks : Collective term for anti‑money‑laundering, anti‑terrorist‑financing, and anti‑tax‑evasion. Legal duties that must be implemented during user onboarding and transaction monitoring.

STR (Suspicious Transaction Report) : When a payment institution detects a transaction with suspicious characteristics, it must submit a report to regulators; report quality directly affects compliance ratings.

CIP (Customer Identification Program) : Operationalisation of KYC, defining procedures and documentation requirements for establishing business relationships.

UBO (Ultimate Beneficial Owner) : Natural person who ultimately owns or controls a company/account; identifying UBOs prevents shell companies from being used for laundering or other illegal activities.

MCC Code (Merchant Category Code) : Four‑digit industry classification code defined by card networks (Visa, Mastercard, UnionPay) that identifies a merchant’s industry. Certain MCCs (e.g., gambling, adult content) are high‑risk and receive heightened risk‑control attention.

Operations and Management

Adversarial Defense : Ongoing arms race between risk control and black‑industry attackers; attackers constantly change tactics, devices, IPs, and rule boundaries, while risk‑control teams continuously upgrade strategies, rules, models, and data sources.

Closed Loop : Full‑chain management system covering pre‑, in‑, and post‑transaction stages. Post‑event feedback must flow back into the online system to form a closed loop.

SOP (Standard Operating Procedure) : Standardized operational steps for various risk‑control scenarios such as daily review, emergency response, list changes, and rule releases. SOPs ensure consistency and efficiency across personnel.

Red Team vs. Blue Team : Simulated attacks by a red team to test the risk‑control system, with a blue team defending, detecting, and responding. Regular exercises uncover system blind spots and validate incident‑response capabilities.