Risk Decisioning & Signals Fusion
One-line relationship: C8, the brain the rest of the risk layer feeds — device fingerprinting (C7), behavioral biometrics (C7), and RAT/malware detection (C6) each produce one signal; this is where they combine into a single allow/challenge/block call, expressed through adaptive authentication.
What it is
No individual signal in the risk layer is trustworthy alone. A new device alone might just mean a new phone; an unusual location alone might just mean travel; a slight behavioral drift alone might just mean the user is tired or using a different input device. Risk decisioning is the fusion layer that combines device intelligence, behavioral signal, fraud/malware indicators, and transaction context (amount, payee, velocity) into one score — because the combination is what actually discriminates fraud from ordinary variation, where any single signal produces too many false positives to act on directly.
Rules engines vs machine learning
Production risk engines typically blend both: hard rules for unambiguous cases (a confirmed RAT indicator should always block, regardless of what a model says), and a learned model for the graduated cases where the right threshold isn’t obvious and shifts over time as fraud patterns evolve. The Step-Up Simulator demo models this with fixed weights for legibility; a real system tunes those weights continuously against labeled fraud outcomes.
The gateway tie-in
The risk decision has to actually change what happens at the point of the request — which means C8 ties directly into C5, the gateway’s policy enforcement. A “step-up required” decision from the risk engine has to translate into the gateway actually withholding the API response until a stronger factor completes; a decision made by the risk engine that the gateway can’t act on is just an analytics dashboard, not a control.
What to take to the client
The value of the risk layer is entirely in the fusion, not any one signal’s individual strength. When evaluating a vendor or a build-vs-buy decision here, the right question isn’t “how accurate is your device fingerprint” in isolation — it’s how well the combined score discriminates real fraud from ordinary account activity, and how directly that score can be wired into an enforcement point that actually changes the outcome.