SystemOverflow
LearnFraud Detection & Anomaly DetectionSupervised Anomaly Detection (Imbalanced Classification)3 of 6
Fraud Detection & Anomaly DetectionSupervised Anomaly Detection (Imbalanced Classification)Hard⏱️ ~3 min

Production Architecture: Online Scoring, Feature Freshness, and Latency Budgets

Latency Budgets

Production fraud scoring happens in the critical path of payment authorization. The total authorization window is 300-800ms including network hops, database lookups, and issuer responses. Risk scoring must complete within 10-30ms at p99 to leave room for everything else. Many teams target sub-5ms model inference on commodity CPUs.

The budget breaks down: 1-2ms for feature retrieval from cache, 2-5ms for model inference, 1-2ms for decision logic and logging. Every millisecond matters at scale. At 10,000 transactions per second, a 10ms slowdown means 100,000 additional in-flight requests waiting.

Feature Freshness

Features mix static attributes and streaming aggregates. Static features (device fingerprint, merchant category, card metadata) come from key-value stores with sub-millisecond reads. Streaming features are the differentiator: payment attempts per card in last 10 minutes, total spend in last 24 hours, distinct devices per email in last 7 days.

Streaming features update through real-time pipelines with 100ms to few-second lag. High-value velocity checks (attempts in last 10 minutes) need sub-1-second freshness. Longer horizon features (7-day aggregates) tolerate 10-60 second lag. Stale features miss velocity attacks where fraudsters hit a card 5 times in 2 minutes.

Two Stage Architecture

A common pattern separates fast and slow paths. The fast path scores with precomputed features in under 10ms for checkout decisions. The slow path runs asynchronously after approval with richer graph features and secondary models, taking 100-500ms. High-risk transactions flagged by slow path trigger post-authorization holds.

💡 Monitoring Essentials: Track score distribution shifts (alert on PSI > 0.2), feature staleness (alert if streaming lag > 5s), and precision on fast feedback proxies that arrive within hours instead of the 30-90 day chargeback delay.
💡 Key Takeaways
Risk scoring must complete in 10-30ms at p99 within 300-800ms total authorization window
Static features from cache in 1-2ms; model inference in 2-5ms; decision logic in 1-2ms
Streaming features (velocity checks) need sub-1-second freshness to catch rapid fraud
Two-stage pattern: fast path (10ms) for checkout, slow path (100-500ms) for async review
Monitor score distribution shifts (PSI > 0.2), feature staleness, and fast feedback proxies
📌 Interview Tips
1Break down latency budget: 1-2ms feature retrieval, 2-5ms inference, 1-2ms decision
2Explain freshness requirements: velocity checks need sub-1s, 7-day aggregates tolerate 60s
3Describe two-stage pattern: fast path blocks at checkout, slow path flags for post-auth hold
← Back to Supervised Anomaly Detection (Imbalanced Classification) Overview
Production Architecture: Online Scoring, Feature Freshness, and Latency Budgets | Supervised Anomaly Detection (Imbalanced Classification) - System Overflow