Russian payment services provider Yandex.Money applies automation to examine several attributes of each transaction, looking for anomalies.

Evgeny Vinogradov, Yandex.Money

Evgeny Vinogradov, Head of Data Warehouse and Analytical Services Development, Yandex.Money

Nowadays data is more prevalent than ever and there is no question that machine learning is at the top of the hype curve. A form of artificial intelligence that enables computers to self-learn from available data and develop autonomously, machine learning is being applied across a wide variety of industries and sectors, bringing an additional layer of intelligence to everything from autonomous cars to healthcare.

The world of online payments is perfectly suited for machine learning capabilities. The datasets available for computation are vast and growing exponentially. Given enough data with associated outcomes, together with notions of what data features are relevant to predicting those outcomes, machine learning has the potential to solve many everyday problems, such as detecting malware and bolstering cybersecurity, to preventing money laundering and mitigating eCommerce fraud.

Why payments need an extra check

Regardless of the type of authorization, any transaction usually goes through the anti-fraud system check. This procedure allows for protection of all parties involved:

  1. the customer – from direct losses caused by fraud;
  2. the seller and their acquiring bank – from unauthorized payments resulting in refunds;
  3. Payment Service Provider (PSP) – from fines and user dissatisfaction.

For instance, we can have a look at the example of Yandex.Money, Russia’s leading PSP, which is implementing machine learning for fraud detection. Anti-fraud is set at the core of the Yandex.Money payment infrastructure, and all transactions or payment transfers get checked by it. If there is anything suspicious, anti-fraud might recommend an additional authentication process or give it a high risk rating. Yandex.Money connected anti-fraud to the machine learning module working in conjunction with the static rules for more accurate risk assessment.

A forecast is generated for each attribute of a new transaction specifying the range of possible values. If several attributes go beyond these specifications, that is an anomaly .

How robots make decisions

Working with the machine learning methods, Yandex.Money uses one of the popular analysis systems for creating the machine learning models – we’re going to call it ML. Let’s go through an example and see how it works.

In principle, the process is divided into two phases:

  1. In this phase, the model parameters are set and significant attributes are identified.
  2. Application of the results, i.e. classification of new operations. Each new transaction is classified in accordance with its risk level – high risk, fraudulent or secure.

Working from static rules, the anti-fraud algorithm sends a request with specific transaction attributes to the machine learning module for classification. The machine learning model analyzes it and returns a response defining the probability of the transaction being fraudulent.

Let’s take an example: a transaction, supposedly carried out on behalf of a user named Alex, is initiated on a Friday evening with the intention of buying game currency for Blizzard:

  • transaction amount – $250
  • the purchase is made from Australia;
  • the user works from Safari browser on Mac OS;
  • the user’s time is 15:23;
  • a dozen more attributes.

Separately, these attributes are not suspicious, as it’s not unusual for a Russian resident to travel, play games, or use other systems besides Windows.

But we’ve already met Alex, so we know that in the past few months his buying habits included mostly small household appliances and clothes in Russia for an average amount of $100. Just this morning he replenished his travel card in Moscow, so there should not be any fundamental changes in his behavior.


Of course, some conclusions can already be drawn from a simple comparison of attributes from two neighboring transactions. It’s unlikely Alex had invented a way to get from Moscow to Australia faster than an airplane. Such significant geographical difference should already attract attention and raise suspicion.

When it comes to the amounts, a simple comparison with the neighboring transaction wouldn’t be effective enough. Basically, there’s nothing suspicious in going from a ticket purchase to something larger, so the following approach is applied. Based on the available history data, a forecast is generated for each of the attributes of a new transaction specifying the range of possible values. If several attributes suddenly go beyond these specifications, that is an anomaly that needs to be carefully considered.

Additionally, sometimes the main interest lies not in specific values of any attributes, but in some qualitative characteristics based on them. Therefore, besides using data that already exists in the transaction, the system can generate additional transaction attributes, such as, for example, «Sum exceeding N $» instead of a simple numerical value for the sum, or the difference between the actual value of some basic attribute and its forecast — we will discuss this issue in more detail later.

> The results of the machine learning work don’t necessarily have to be decisive, as there are many static criteria in the anti-fraud rules which determine the outcome of the decision. Nevertheless, the results of this additional verification can significantly increase the accuracy of fraud detection.


If reality is different from forecast in too many ways, that’s a cause for suspicion and, for example, additional verification.

Anomaly detection area

In a transaction conducted with an online store, most of the risk is usually taken by the store, as it will have to deal with objections and refunds in case of any problems. That’s why the search for anomalies in user behavior in anti-fraud systems is given the most attention.

The store might also exhibit abnormal behavior and, just like ordinary users, become a target of scammers or switch to the dark side. Therefore, it’s important to detect suspicious activity from the store in time. Such changes in behavior can be identified from the similar changes in the nature of transactions and related attributes.


Difficulties in analysis

A set of attributes is compiled from the available operation data. The set is useless without the differentiation between “good” and “bad” values, so there has to be a line that, once crossed, can be used by the anti-fraud system to identify the transaction parameters as suspicious. This is where we’ll find the anomalous values for each attribute (in some cases, their combinations), and herein lies one of the greatest difficulties.

In order to build a confidence interval for the attributes of a good-natured transaction, the transaction history data of a particular user or store has to be extrapolated. Comparing the current transaction parameters value to the interval boundaries will reveal the anomaly. Sometimes it’s not absolute but normalized values that have to be compared. These kinds of issues are handled by the Yandex.Money analysts at the model preparation and training stage.

The following methods are used for the learning process:

  • probabilistic – forming all kinds of distribution for the objects of a class;
  • metric – calculating distances between objects;
  • correlation – determining quantitative relationships between several parameters of the system under study.

Sometimes, basic attributes such as the commodity group and the order amount are not enough to find patterns. Therefore, analysts compose additional, more complex attributes from the available data.

Any anomaly is an extraordinary event. It might seem simple enough to perform the normalization of the transaction history data (toss out too low and too high values) in order to get an approximate spread of “good” transactions. This doesn’t work as there are daily sales surges, price changes, sales.

For example, to detect abnormal attribute values Yandex.Money uses the following algorithm:

  1. extrapolate values of time series for each of the characteristics;
  2. calculate the difference between the actual value of the characteristic and one forecasted by the machine;
  3. if the difference is too great, and such anomalous events form into combination (IP, card’s BIN, the browser), then most likely, there’s something going on with this particular transaction.

Correctly selected threshold for determining a new abnormal attribute is important in order not to block most normal payments — that is, a deviation from the usual that we will consider significant enough to take action. There is no universal advice for the choice of a specific value, because this threshold can be considered the cost of error for business. Some would consider the rejection of ten good-natured transactions per day a suitable cost, and some are not ready to sacrifice any of them.


The good news is that each model of machine learning can be customized to have its own threshold.

It’s all about the shopper

It’s important to keep the user in mind amidst all the technology and complex math. Users are inclined to treat the inconvenience with understanding when it comes to additional security for their money. For example, the obsolete option of one-time codes from a scratch card can hardly be called convenient, yet many users calmly bear the lesser evil so that they could be protected from bigger one – fraudulent transactions made in their name. It’s important to maintain a balance of convenience and speed and reliability, avoiding excesses.

With any modifications to the «brains» of Yandex.Money, we pay special attention to the changes in each transaction’s processing time. Even the most perfect protection will be rejected by user if they have to wait for confirmation for several minutes. These days, transactions are carried out almost instantly, considering anti-fraud working in real time.


The anti-fraud system has always influenced online payments, evaluating each transaction according to static rules. It’s extremely important for us that the addition of risk assessment by machine learning does not increase the processing time. It was for this purpose that a mechanism was developed that allowed for classification by ML methods simultaneously with static rules.

But then we faced a new complex problem – sometimes static rules and machine learning can give different answers, and only one, the more suitable, has to be chosen in each particular situation. A special module was developed for these purposes, making the final decision.

The results of each verification under the new scheme are:

  • the rule system and the models of machine learning synchronously respond to the payment component;
  • the scoring and transaction data are sent to the history database for use in future transactions checking.

Now, the anti-fraud system has the ability to additionally assess the danger of a transaction based on statistics, and not press the «red button» if it simply follows the static rules. For users it means an additional level of protection and a more flexible response from the system even when the purchase stands out from the rest because of its attributes.


Peace of mind for business

Machine learning technologies involve working with huge amounts of data in order to create and implement correct forecasts. The complexity of the task is a perfect match for the multifaceted world of online fraud detection. For the anti-fraud system, an additional level of intelligence is critical, and the volume of passing data opens up wide opportunities for analysis.

Big companies are investing in machine learning not because it’s a fad or because it makes them seem cutting edge. They understand the consequences of getting this wrong – both in financial terms and in the damage fraud can cause to its relationship with customer.

While no system will ever be able to stop fraud entirely – the criminal mind will always find new and creative ways to exploit systems – the investment in robust systems of anti-fraud can have a massive preventative effect.


Yandex.Money is an online payment service based in Russia.