How NexusPay Cut Payment Fraud by 62% and Scaled to 2.4M Transactions Monthly

# Case Study: NexusPay Fraud Detection Transformation ## Overview NexusPay is a digital wallet and payment gateway serving micro-merchants and gig-economy workers across Indonesia, Vietnam, and the Philippines. Founded in 2019, the platform had grown rapidly—by early 2025 it was processing roughly 2.4 million transactions per month. But behind that growth, fraud losses had quietly climbed from an acceptable 0.8% of gross payment volume to a damaging 2.1%. The Webskyne editorial team was brought in as technical advisors in February 2025 to audit their payment infrastructure, diagnose the fraud pipeline, and work with their in-house engineering team on a monthly retainer. What we found was a classic case of rapid scaling outpacing controls. --- ## The Challenge NexusPay’s fraud problem was not a single failure point; it was a cascade of small architectural shortcuts that compounded over time. ### 1. Legacy Rule Engine The existing fraud detection system was built on a static rules engine using a combination of velocity checks, blacklists, and basic anomaly thresholds. Fraud rings had learned to probe the system systematically, testing thresholds with small amounts before scaling attacks. Because rules were updated manually every 2–3 weeks, there was always a window of vulnerability. ### 2. No Real-Time Behavioral Layer The platform collected extensive user behavioral telemetry—device fingerprints, typing cadence, historical merchant affiliations—but none of it was used in the live scoring pipeline. All behavioral signals were batch-processed nightly for reporting only. ### 3. Fragmented Vendor Onboarding Merchants were onboarded through three different channels (mobile app, web portal, third-party agent API), each with slightly different KYC requirements. This created data inconsistency at the identity layer, making it extremely difficult to link fraudulent merchant accounts to bad actors across channels. ### 4. Compliance Pressure By Q1 2025, the Monetary Authority had begun issuing sector-wide warnings about payment fraud rates. NexusPay’s regulatory team had received a preliminary notice flagging their fraud loss ratio as “above acceptable thresholds.” A full audit was scheduled for mid-2025. The risk was existential—non-compliance could result in license suspension. --- ## Goals NexusPay’s leadership defined four tactical goals for the engagement: 1. **Reduce fraud losses by at least 50% within 12 weeks** without degrading legitimate transaction approval rates. 2. **Introduce real-time behavioral scoring** to the live authorization pipeline. 3. **Unify merchant identity data** across all onboarding channels. 4. **Build a reversible intervention framework**—rules and models could be rolled back or tuned within minutes if they caused false positive spikes. --- ## Our Approach We structured the engagement in four parallel workstreams rather than a linear sequence, because NexusPay needed improvements converging simultaneously before the regulatory timeline. ### Workstream 1: Telemetry Architecture Audit We spent the first week instrumenting their gateway to capture the full decision lifecycle end-to-end. The audit revealed that the fraud scoring layer was operating on a 4-second batch window—fees were already settled before fraud signals could be evaluated. This was the single most critical architectural flaw. ### Workstream 2: Real-Time Scoring Pipeline We designed a streaming scoring layer using Apache Kafka and a lightweight rule + model hybrid. The new pipeline could evaluate 800+ features in under 200ms. We deprecated the nightly batch scoring and shifted all risk decisions to the authorization phase. ### Workstream 3: Behavioral Feature Engineering Our data science lead built six feature families from existing telemetry that had never been fed into the live model: - **Device reputation score:** based on device age, OS patch level, and historically observed fraud associations. - **Interaction entropy:** measured irregularity in touchscreen input and session navigation patterns. - **Merchant velocity clustering:** linking new merchant registrations to geographic and network clusters known for prior fraud. - **Payment corridor risk scores:** per-country, per-corridor baselines updated daily. - **Cross-channel identity linkage confidence:** a confidence score predicting whether a user on mobile and the same user on web were genuinely the same person. - **Historical chargeback affinity:** linking newly onboarded merchants to chargeback patterns in their supply chain. ### Workstream 4: Rollback & Monitoring Framework We built a circuit-breaker pattern around every new model and rule. Each intervention had three exportable metrics: false positive rate (FPR), false negative rate (FNR), and approval rate delta. If any metric crossed a pre-defined threshold, the system would automatically revert to the previous stable model while alerting the engineering team. --- ## Implementation The implementation was executed over 11 sprints, each 5 working days. The team consisted of two Webskyne technical advisors, one NexusPay senior engineer acting as technical lead, and one data analyst. ### Phase 1: Data Foundation (Sprints 1–2) We unified the merchant identity schema, backfill-corrected historical records, and established a single source of truth customer view. Onboarding forms across all three channels were standardized. We also introduced change-data-capture on the merchant registry so that identity updates propagated in real time. ### Phase 2: Pipeline Build (Sprints 3–5) We stood up a dedicated Kafka topic for risk events and re-architected the fraud scoring service as a stateless, horizontally scalable worker pool. Legacy database dependencies were replaced with a Redis cluster for hot feature lookups and a PostgreSQL read-replica for historical aggregations. ### Phase 3: Model Deployment (Sprints 6–8) The six new feature families were combined into a production gradient-boosted model trained on 18 months of historical data. We used stratified time-series validation—we did not allow the model to train on data from the same week it was tested on—because fraud patterns shift rapidly and standard random train/test splits were producing optimistic results. ### Phase 4: Tuning & Hardening (Sprints 9–11) The first live model caused a 1.8% approval rate drop on weekends. The rollback framework caught this within hours. Root cause: the payment corridor risk model was over-indexing on a single volatile corridor in the Philippines. We recalibrated the corridor weights, rebalanced the model ensemble, and added a corridor-level circuit breaker. --- ## Results Here is a summary of the measurable outcomes over the first 12 weeks of the new system in production: - **Fraud loss ratio dropped from 2.1% to 0.79%** (a 62% reduction). - **Overall transaction approval rate increased from 91.2% to 93.4%** because the old batch window was refunding legitimate transactions after they had already been settled. - **False positive rate fell from 4.3% to 1.1%**, meaning fewer legitimate transactions were delayed for manual review. - **Merchant KYC rejection rate fell from 11% to 6.4%** after identity unification reduced false-match rejections. - **Regulatory audit outcome: fully compliant** with no conditions or penalties. Perhaps more importantly, the rollback framework prevented two serious incidents in its first month: 1. **Corridor volatility spike:** Without the corridor circuit breaker, the Philippines corridor model would have delayed an estimated 18,000 transactions in 48 hours due to a holiday-cash-flow pattern it had never seen in training data. 2. **Model drift catch:** The tuner-team caught a gradual shift in fraud patterns 9 days before it would have caused a 0.5% FNR degradation. Because the model was retrained automatically on a weekly cadence, the impact was minimal. --- ## Metrics (12-Week Snapshot) | Metric | Baseline | After 12 Weeks | Change | |--------|----------|----------------|--------| | Fraud loss ratio (of GPV) | 2.10% | 0.79% | -62% | | Transaction approval rate | 91.2% | 93.4% | +2.2pp | | False positive rate | 4.3% | 1.1% | -74% | | Manual review queue length | 14,200/week | 4,100/week | -71% | | Average authorization latency (p99) | 4,200ms (batch + settle) | 187ms (live) | -96% | | KYC rejection rate | 11.0% | 6.4% | -42% | | Regulatory audit findings | Pending review | Fully compliant | Zero conditions | --- ## Lessons Learned ### 1. Real-Time Is Non-Negotiable for Fraud Control The most impactful change was not the machine learning model—it was moving fraud evaluation from a batch window to the live authorization phase. By the time the legacy system made a fraud decision, the money had already moved. Speed of decision is itself a control. ### 2. Invest in the Rollback Before You Invest in the Rollout Building the rollback framework cost roughly 12% more engineering effort upfront. That 12% paid for itself on day nine when it automatically caught a regression that would otherwise have required an emergency Saturday rollback by the entire engineering team. ### 3. Telemetry You’re Already Collecting Is Often Enough NexusPay had been collecting most of the data needed for robust fraud detection for over a year. The problem was not data scarcity; it was that the data sat in raw logs. A focused two-week feature engineering sprint yielded more score improvement than adding new data sources would have. ### 4. Unified Identity Is a Force Multiplier Standardizing merchant identity across channels didn’t just reduce KYC rejections. It made every downstream model—fraud, risk, compliance—more accurate because the records were no longer silently duplicated or fragmented. ### 5. Regulatory Alignment Drives Engineering Discipline Having a concrete regulatory deadline forced NexusPay’s team to make hard prioritization decisions. Without that external pressure, the natural tendency would have been to address fraud reactively. The audit was a forcing function that produced better, more durable architecture. --- ## Looking Ahead NexusPay is now running the redesigned risk engine across all three corridors and has begun A/B testing additional graph neural network features that model transaction networks in real time. The Webskyne editorial team is continuing the engagement on a quarterly retainer to support model monitoring, regulatory tracking, and the next phase of fraud strategy. --- *This case study was written by the Webskyne editorial team based on client data shared with consent. Some operational details have been anonymized for confidentiality.*