Fraud Plus
Purpose of this document
This document provides business, technical (including configuration), and implementation details for specific features within the ES Loyalty feature set. This document specifically addresses a subset of functionality centred on Fraud Plus.
Core concepts
Fraud Plus is a feature designed to detect potentially fraudulent, erroneous, or excessive behaviors, and to provide information and recommendations to users or other systems on how to respond when they occur. This feature is architected as a module that sits outside of the core operational ES Loyalty technical stack. It integrates with ES Loyalty today and can be enhanced in the future to add additional metrics, actions, and reporting. It may also serve other systems through its APIs. The overall result is greater awareness when these behaviors occur, automated action on occurrence, and a reduction in negative outcomes such as program abuse, incorrect point issuance, and fraudulent redemptions.
How Fraud Plus monitors activity
The ES Loyalty platform sends transaction metrics and account metrics to Fraud Plus in real time (or asynchronously) whenever transactions occur or account events are triggered. These metrics contain rich contextual information, including:
- Transaction type (for example, PURCHASE, ACTIVITY, ADJUSTMENT, DISCRETIONARY, POINTS_TRANSFER, ADHOC_REDEEM)
- Transaction parts (for example, REDEEM, HOUSEHOLD_REDEEM, BASE, BONUS, TARGETED, DISCRETIONARY)
- Account identifiers
- Store information
- Amounts and point values
Fraud Plus aggregates this data across configurable time windows (day, week, month) and evaluates rules to detect concerning patterns. For example:
- Total redemption attempts (BURN activity) across any transaction type containing REDEEM or HOUSEHOLD_REDEEM parts
- Discretionary earn transactions (DISCRETIONARY type) aggregated by day, week, or month
- Post-purchase earn (PPE type) frequency patterns
- Points transfer activity (POINTS_TRANSFER type) across time periods
- Purchase transaction counts regardless of earn or burn activity
- Email update frequency on accounts
Advice actions
Fraud Plus provides "advice" when specific rules are triggered — for example, "Member has redeemed more than 10 times in a 7-day period" or "Member received discretionary points 5 times in 24 hours."
Actions may include one of the following:
- Logging the event and blocking redemption for a configured duration (for example, 15 days)
- Only logging the event for monitoring purposes
- Blocking the action itself (for example, blocking a redemption request at POS or online)
- Issuing warnings to console operators during session start
When advice is returned, it contains the following fields:
- Entity: What is being advised on (for example, ACCOUNT)
- Context: The business activity type (for example, REDEMPTION)
- Posture: The recommended action (for example, BLOCK, WARN)
- Duration: How long the advice remains active
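The aggregation and advice flow described above, as an added example (not Fraud Plus code): it counts matching metrics per account in a rolling window for each enabled rule and emits advice carrying the four fields listed. The metric dictionary keys, the rule configuration shape, the limits and durations, the 30-day month, and the DISCRETIONARY_EARN context value are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOWS = {"DAY": timedelta(days=1), "WEEK": timedelta(days=7), "MONTH": timedelta(days=30)}
BURN_PARTS = {"REDEEM", "HOUSEHOLD_REDEEM"}  # parts that count as BURN activity

# Assumed rule configuration: limits, durations and the second context value are illustrative.
RULES = [
    {"name": "ADVICE_CHECK_ACCOUNT_BURN_WEEK", "enabled": True, "window": "WEEK", "limit": 10,
     "context": "REDEMPTION", "posture": "BLOCK", "duration_days": 15,
     "matches": lambda m: bool(BURN_PARTS & set(m["parts"]))},
    {"name": "ADVICE_CHECK_ACCOUNT_DISCRETIONARY_EARN_DAY", "enabled": True, "window": "DAY",
     "limit": 4, "context": "DISCRETIONARY_EARN", "posture": "WARN", "duration_days": 1,
     "matches": lambda m: m["type"] == "DISCRETIONARY"},
]

@dataclass(frozen=True)
class Advice:
    rule: str
    entity: str
    account_id: str
    context: str
    posture: str
    expires_at: datetime  # "Duration" expressed as an expiry time

def evaluate(metrics, now, rules=RULES):
    """Count matching metrics per account in each rule's window; advise when over the limit."""
    advice = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        start, counts = now - WINDOWS[rule["window"]], {}
        for m in metrics:
            if start < m["ts"] <= now and rule["matches"](m):
                counts[m["account_id"]] = counts.get(m["account_id"], 0) + 1
        for account_id, n in sorted(counts.items()):
            if n > rule["limit"]:  # fires on "more than <limit>" events in the window
                advice.append(Advice(rule["name"], "ACCOUNT", account_id, rule["context"],
                                     rule["posture"], now + timedelta(days=rule["duration_days"])))
    return advice

def sample_metrics(now):
    """Constructed metrics: A1 redeems 11 times in 5 days, A2 3 times, A3 gets 5 manual earns."""
    def m(acct, typ, parts, hours_ago):
        return {"account_id": acct, "type": typ, "parts": parts, "ts": now - timedelta(hours=hours_ago)}
    return ([m("A1", "PURCHASE", ["BASE", "REDEEM"], 12 * i) for i in range(11)]
            + [m("A2", "ADHOC_REDEEM", ["HOUSEHOLD_REDEEM"], 24 * i) for i in range(3)]
            + [m("A3", "DISCRETIONARY", ["DISCRETIONARY"], i + 1) for i in range(5)])
```

Because the window is rolling, evaluating the same metrics three days later returns no advice: only eight of A1's redemptions remain inside the 7-day window.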
Configuration
The ES Loyalty Fraud Plus system contains a set of rules configured to detect and manage fraudulent or other sensitive behaviors. These rules are composed of the following sections.
Operating modes
- Synchronous mode: Fraud Plus advice is checked in real time during operations (for example, at session start or during a redemption attempt).
- Asynchronous mode: Metrics are sent to Fraud Plus, and advice is returned via event bus and stored for later enforcement.
Aggregation types
Aggregation types define different ways that events are grouped or aggregated for analysis. The available aggregation types are:
- Member: Rules evaluated per individual account
- Program: Rules evaluated across the entire loyalty program
- Member group: Rules evaluated for specific cohorts or segments
System advice rules
Configurable rule definitions specify which patterns to detect. Examples include:
- ADVICE_CHECK_ACCOUNT_BURN_DAY/WEEK/MONTH: Monitors redemption frequency
- ADVICE_CHECK_ACCOUNT_DISCRETIONARY_EARN_DAY/WEEK/MONTH: Tracks manual point adjustments
- ADVICE_CHECK_ACCOUNT_PURCHASE_TRANSACTION_COUNT_DAY/WEEK/MONTH: Monitors transaction volume
- ADVICE_CHECK_ACCOUNT_EARN_FROM_PPE_DAY/WEEK/MONTH: Tracks post-purchase earn patterns
- ADVICE_CHECK_ACCOUNT_EARN_FROM_POINTS_TRANSFER_DAY/WEEK/MONTH: Monitors point transfer activity
- ADVICE_CHECK_ACCOUNT_EMAIL_UPDATE_DAY/WEEK/MONTH: Detects frequent profile changes
Each rule can be independently enabled or disabled and configured with custom thresholds.
Alert-only console display
This configuration option lets the system display fraud alerts in a console view without taking any automatic action. This is useful for monitoring and visibility purposes.
Configurable member identifiers
Member identifiers can be configured to use different fields or attributes to uniquely identify members in the fraud detection system. This allows flexibility in how members are tracked and analyzed. Supported identifiers are AccountID, LoyaltyId, and ExternalIdentifier.
Redemption block release
When a redemption is blocked due to fraud detection, this configuration allows for:
- Defining the duration that advice remains active
- Console operator override capabilities with audit trails
- Manual advice removal with reason codes
Rule engine configuration
The rule engine is the core component that evaluates fraud conditions. It can be configured with:
- Rule threshold values
- Enabled or disabled rules per client
- Action mappings for each rule (BLOCK, WARN, LOG)
- Time window specifications (day, week, month)
- Override lists for specific contexts
Monitoring and alerting
This section covers configuration for how fraud events are monitored and what alerts are sent when fraud is detected, including integration with the ES Console for operator visibility.
Integration points
Fraud Plus integrates with other systems and components within ES Loyalty as follows:
- OAuth-based API authentication
- EventBridge integration for async advice delivery
- DynamoDB storage of advice records in the AccountMetadata table
- Real-time enforcement at POS session start and redemption endpoints