
Xiaomi Risk Control Practices: Architecture, Rule Engine, and Machine Learning

Xiaomi senior R&D engineer Deng Wenjun shares the evolution of Xiaomi's internet‑finance risk‑control system, describing early rule‑based limits, the adoption of Drools for fast rule deployment, data‑driven modeling with random‑forest classifiers, and ongoing challenges in scalability, latency, and privacy.

Qunar Tech Salon

At a June 19 internet‑finance system salon, Xiaomi senior R&D engineer Deng Wenjun presented the company's risk‑control practice, outlining how the team tackled high bad‑debt rates in the early "attempt" phase by defining simple limit, frequency, and attribute‑relation rules for accounts, devices, and transactions.

During the "development" phase, the team adopted the open‑source Drools rule engine to manage an expanding set of rules, separating ordinary rules from CEP (complex event processing) rules, and built a management console that allowed rule changes to be deployed within minutes, dramatically improving development and operational efficiency.

To address latency and monitoring issues, the team introduced a gray‑scale risk‑control system that validates new rules against historical orders before production release, and re‑engineered data collection to separate real‑time CEP data from offline log analysis, cutting response time to one‑quarter of the original.
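A minimal sketch of the gray-scale check described above, as an added example that is not Xiaomi's code: a candidate frequency rule is replayed over historical orders and compared with the rule already in production before release. The order fields, thresholds, rule shapes and the release criterion are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample history: (timestamp_s, device_id, amount, was_fraud)
HISTORY = [
    (0, "dev-A", 50, False), (30, "dev-B", 900, True),
    (40, "dev-B", 850, True), (55, "dev-B", 990, True),
    (70, "dev-A", 20, False), (400, "dev-C", 1200, False),
    (420, "dev-B", 30, False), (500, "dev-D", 700, True),
]

def limit_rule(max_amount):
    """Limit rule: block any single order above max_amount."""
    return lambda order, state: order[2] > max_amount

def frequency_rule(max_orders, window_s):
    """Frequency rule: block when a device places more than max_orders in window_s."""
    def rule(order, state):
        ts, device = order[0], order[1]
        recent = state[device]          # timestamps still inside the window
        recent.append(ts)
        while ts - recent[0] > window_s:
            recent.popleft()
        return len(recent) > max_orders
    return rule

def replay(rule, history):
    """Run one rule over historical orders in time order and score it."""
    orders = sorted(history, key=lambda o: o[0])
    state = defaultdict(deque)          # per-device window state, fresh per replay
    blocked = {i for i, o in enumerate(orders) if rule(o, state)}
    good = [i for i, o in enumerate(orders) if not o[3]]
    good_blocked = sum(1 for i in good if i in blocked)
    return {
        "blocked": blocked,
        "fraud_caught": sum(1 for i in blocked if orders[i][3]),
        "good_blocked": good_blocked,
        "fp_rate": good_blocked / len(good) if good else 0.0,
    }

def gray_check(candidate, production, history, max_fp_rate=0.05):
    """Compare a candidate rule with the production rule before release."""
    cand, prod = replay(candidate, history), replay(production, history)
    return {
        "newly_blocked": sorted(cand["blocked"] - prod["blocked"]),
        "fraud_caught": cand["fraud_caught"],
        "fp_rate": cand["fp_rate"],
        "release": cand["fp_rate"] <= max_fp_rate
                   and cand["fraud_caught"] >= prod["fraud_caught"],
    }
```

On the constructed history, a tight window (more than 2 orders in 60 s) passes the gate, while a loose one (more than 1 order in 600 s) is held back because it blocks half of the legitimate orders.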

In the "expansion" stage, Xiaomi incorporated machine‑learning techniques, constructing a feature set of 17 transaction attributes (e.g., recent spend, device usage, geographic consistency) and evaluating four classifiers, ultimately selecting a random‑forest model that was deployed as a service callable from Drools rules.

By integrating user‑ and device‑profile data from the Xiaomi ecosystem, the team built scoring dimensions (repayment ability, dependency, normality) and used them to filter fraudulent transactions, achieving a 40% reduction in theft cases over several months.

Finally, the presentation highlighted the need for internal data sharing and external cooperation, proposing a centralized risk‑control group to provide services such as identity verification across Xiaomi's expanding financial products (loans, insurance, installment payments).

The subsequent Q&A covered practical details of Drools rule definition, random‑forest model deployment, feature engineering, privacy safeguards (user consent and machine‑readable data), and team organization, emphasizing rapid iteration over academic rigor.

Tags: rule engine, machine learning, risk control, random forest, financial technology, drools
Written by

Qunar Tech Salon

Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.
