← Agent catalogue
AI Agent Profile · LendingIQ · Bengaluru
Fraud Risk Agent AI
Invoked via: loan origination system APIRuntime: AWS Bedrock · ap-south-1Model: Claude Sonnet 4Context window: 200K tokens
DivisionRisk division
Resume
What this agent does
The Fraud Risk Agent AI reads every incoming loan application for signals that suggest identity fraud, document fabrication, undisclosed liabilities, or coordinated application fraud — then maps the applicant's entity connections across prior applications, shared identifiers, and registry data to detect network patterns that individual-application analysis cannot see. It runs velocity checks to identify burst application behaviour across channels. Every output is a structured signal report for the human fraud analyst to investigate. The agent detects; humans determine.
Primary functions
Application Fraud Signals
Every application — synchronousInvoked when: application submitted to the loan origination system, before the underwriting agent processes the credit decision
- Reads the full application data — KYC documents, financial statements, stated identity fields, declared employment and income, contact details, and digital origination metadata — and checks for internal consistency: name spelling across documents, date of birth across identity documents versus bureau report, PAN linked to the stated name via NSDL records, address on utility bill matching stated address, and employer name consistent across salary slips and Form 16.
- Cross-checks stated financial data against verifiable signals: a salary slip showing ₹80,000 monthly income for an employer that bureau data shows was struck off from MCA filings six months ago; a GST-registered business that shows zero GST turnover but declares ₹40 lakh annual income; a property document citing a registration number that does not match CERSAI records. Each of these is a specific fraud signal, not a general suspicion.
- Checks the application against the fraud pattern corpus — the library of known modus operandi used in prior fraud cases at LendingIQ and from industry sharing — and flags any structural match: applications using a specific document format associated with a prior fraud ring, income certificate templates that match previously identified forged documents, or applicant profiles that match a known synthetic identity pattern.
- Does not authenticate physical documents — it cannot determine whether a document image has been digitally altered, whether a stamp or signature is genuine, or whether a letterhead is authentic. Document authentication requires forensic tools and trained human document examiners. The agent flags inconsistencies in document data; it does not verify the document itself.
Output: Application fraud signal report — each signal identified with the specific data points that triggered it, severity classification (Low / Medium / High), the fraud typology it maps to from the pattern corpus, and a composite fraud risk rating (Green / Amber / Red) that feeds into the underwriting agent's escalation logic.
Network Analysis
Per application and on periodic portfolio scanInvoked when: application is processed (real-time linkage check) or during monthly portfolio scan to detect slow-burn coordinated fraud patterns
- Maps the current applicant across every shared identifier in the application database — phone number, email address, PAN, Aadhaar hash, device ID, IP address, bank account number, employer name, and residential address — and identifies all prior applications at LendingIQ that share any of these identifiers, whether those applications were approved, declined, or withdrawn.
- Extends the network one degree further: where the current application shares an identifier with a prior declined or fraud-flagged application, it maps all other applications that share identifiers with that declined application — building the network graph that reveals whether this applicant is part of a cluster of connected applications that individually look clean but collectively show a coordinated pattern.
- Checks MCA director linkage data for business borrowers: where the borrower is a company director, it identifies all other companies the director controls, checks those companies' credit histories at LendingIQ, and flags where the director is associated with prior defaulted or fraud-flagged entities. A director with three prior clean-looking company applications that all defaulted within 12 months of disbursement is a network signal the individual-application view cannot see.
- Cannot access other lenders' databases, CIBIL's fraud exchange, or industry-wide fraud sharing networks autonomously. Cross-industry network analysis requires the agent to be provided with external fraud consortium data as an input — it cannot pull it independently. Where such data is not available, the network analysis is bounded to LendingIQ's own application history.
Output: Network linkage map — connected applications with shared identifier listed, network cluster visualisation (structured JSON for rendering), prior fraud or decline history of connected nodes, MCA director linkage summary for business borrowers, and a network risk assessment (Isolated / Connected / Cluster — requires investigation).
Velocity Checks
Per application and on batch triggerInvoked when: each application is processed, or when a batch velocity alert is triggered across the portfolio
- Checks the application entity and its associated identifiers against configurable velocity rules: number of applications from this PAN in the last 30 days, number of applications from this phone number in the last 7 days, number of applications from this device ID in the last 24 hours, number of applications from this IP address subnet in the last hour, and number of applications from this employer in the last 30 days.
- Applies context-sensitive velocity interpretation: five applications from the same employer in 30 days may be normal (a corporate loan scheme) or a fraud signal (a fake employer used across a ring) — the velocity check flags the pattern and presents the context, but the interpretation of whether it is benign or suspicious requires the human analyst to check the employer legitimacy and whether the five applicants have any prior relationship.
- For digital origination channels, checks device-level and session-level velocity: multiple applications completed within minutes from the same device suggest either a loan agent processing bulk applications (potentially legitimate, but requiring a different compliance review) or a fraud operation using a single device to submit multiple synthetic identities rapidly. The two scenarios look identical in velocity data but require different responses.
- Runs a portfolio-level velocity scan on a configurable schedule — weekly or on trigger — to detect slow-burn velocity patterns that real-time checks miss: 20 applications over 60 days from addresses within a single PIN code, all with the same employer, all approved without velocity flags at individual processing time, but collectively forming a pattern that warrants retrospective investigation.
Output: Velocity check report — each velocity rule applied with the observed count and the configured threshold, breached rules highlighted, context flags where velocity could be benign, and a portfolio-level velocity anomaly report for the periodic scan identifying clusters that warrant retrospective review.
Knowledge base
Application Database (full history)
Every application processed at LendingIQ — approved, declined, withdrawn — with all identifiers. The primary dataset for network analysis and velocity checks. Quality of network analysis is directly proportional to the completeness and consistency of identifier capture.
Fraud Pattern Corpus (RAG)
Known fraud typologies, modus operandi case studies, forged document templates identified in prior cases, and shared blacklist entries. Maintained by the fraud team and updated after each confirmed fraud case.
Velocity Rule Configuration
Configurable thresholds for each velocity dimension — per identifier type, time window, and channel. Set and maintained by the human fraud team. The agent applies the rules; the fraud team calibrates them based on confirmed fraud and false positive rates.
MCA & CERSAI Registry Data
Company director linkages, security interest registrations, struck-off company flags. Used for business borrower network analysis and employer verification cross-checks.
Bureau Enquiry Log
Recent bureau pulls on the applicant entity across all lenders — the hard enquiry log is a velocity signal for loan-seeking behaviour. Multiple bureau pulls in a short window can indicate loan stacking intent.
Fraud Detection Knowledge
Pre-training knowledge of application fraud typologies, document fraud patterns, synthetic identity construction, and coordinated fraud ring characteristics in Indian lending up to knowledge cutoff.
Hard guardrails
Will notDecline an application autonomously on a fraud flag. Fraud signals are inputs to a human investigation workflow. A Red-rated fraud flag triggers a mandatory human analyst review; it does not trigger an automatic decline. The underwriting agent receives the fraud signal and may Refer the case to human; the human makes the final credit and fraud determination.
Will notReport a borrower to FIU-IND, police, or any external authority. Regulatory fraud reporting requires a confirmed investigation outcome, legal review, and human sign-off. The agent identifies signals; the human fraud team and compliance team determine whether reporting obligations are triggered.
Will notAdd an entity to the blacklist autonomously. Blacklisting has material consequences for the entity — it affects their ability to access credit across LendingIQ's book. Blacklist additions require a confirmed fraud finding, human authorisation, and a documented decision trail that can withstand challenge.
Will notAccess other lenders' customer data, credit bureau fraud exchanges, or law enforcement databases autonomously. Cross-industry fraud intelligence requires formal data sharing arrangements and human-authorised data pulls. The agent analyses what it is given; it does not pull external data autonomously.
Will notAuthenticate physical documents or determine whether a document has been digitally manipulated. Document forensics require specialised tools and trained examiners. The agent cross-checks data fields in documents for consistency; it does not verify the document's physical authenticity.
Known limitations
The fraud pattern corpus ages as fraud evolves. A corpus that accurately describes fraud patterns from 18 months ago may miss new typologies entirely — synthetic identity methods, new document forgery techniques, or novel network structures that fraudsters have shifted to since the last corpus update. The agent is strong at detecting known fraud patterns; it is weaker at detecting genuinely novel fraud it has no prior example of.After every confirmed fraud case, conduct a structured debrief — what signals did the agent flag, what did it miss, and what new pattern needs to be added to the corpus? Treat the fraud pattern corpus as a living document updated at minimum monthly. Novel fraud that is not in the corpus will not be detected until it is.
Network analysis quality degrades with identifier inconsistency. If phone numbers, email addresses, or device IDs are not captured consistently across all origination channels — for example, a DSA-sourced application where the DSA records their own phone number rather than the borrower's — the network graph will be incomplete and linkages that should be detected will be missed.Standardise identifier capture fields across every origination channel — direct, DSA, digital, and assisted. Make borrower phone number and email mandatory fields that the system captures directly rather than allowing the DSA to populate them. Identifier quality is the foundation of network analysis reliability.
Velocity checks are only as well-calibrated as the thresholds set by the fraud team. Thresholds set too tight produce high false positive rates that slow legitimate origination and create unnecessary friction for genuine borrowers. Thresholds set too loose allow fraud to pass undetected. The right thresholds depend on current fraud patterns and business volumes that change over time.Review velocity thresholds quarterly — computing the false positive rate (legitimate applications flagged) and the false negative rate (confirmed frauds that passed velocity checks) for the prior period. Adjust thresholds based on observed outcomes, not intuition. This is the primary calibration lever for managing the trade-off between fraud detection and borrower experience.
The agent cannot detect intent — a borrower who genuinely intends to repay but has submitted a slightly inflated income looks identical in the data to one who intends to defraud. The fraud signals the agent detects are correlated with fraud but are not deterministic indicators of fraudulent intent. Misrepresentation exists on a spectrum from innocent rounding to deliberate falsification, and the data alone cannot distinguish between them.Human analyst review of fraud-flagged cases must include a structured interview with the borrower or their representative in high-signal cases before a final fraud determination is made. Data signals initiate the investigation; human judgment determines the outcome.
Loan stacking detection via bureau enquiry velocity is incomplete. Not all lenders pull bureau reports, and not all enquiries are visible in the bureau data at the point this agent processes an application — there is typically a 2–4 day lag before bureau enquiries appear. An applicant who has submitted applications at three other lenders in the last 48 hours may not yet show that activity in the bureau enquiry log the agent reads.Supplement bureau enquiry velocity checks with a cross-bureau enquiry pull (CIBIL + Experian or CRIF) to maximise enquiry coverage. Accept that some loan stacking will be invisible at origination and build a post-disbursement monitoring check — 30 days after disbursement, check whether the borrower's total bureau obligation has materially increased, which is a retrospective stacking indicator.
Important Reads
Learn more about how to deploy Fraud Risk Agent AI to your lending workflow.
- Use case #0001How Fraud AI Detects SIM-Swap Fraud at the Onboarding StageA SIM swap takes 4 minutes to execute at a telecom service centre. In those 4 minutes, a fraudster gains control of a phone number they do not own — the number linked to the victim's Aadhaar, bank account, and OTP delivery channel. By the time the victim realises their phone has no service, a loan application may already be in the system using their identity. The Fraud Risk AI detects the swap before the OTP is sent.Read article →
- Use case #0002Network Graph Analysis: How Fraud AI Links Connected Fraud RingsOrganised fraud rings do not operate as isolated individuals. They share phone numbers, addresses, devices, bank accounts, and IP addresses across dozens of applications submitted to the same or multiple lenders. Each application looks legitimate in isolation. The network graph makes the connections visible — and what looks like a creditworthy borrower on a single-application view becomes the obvious centrepiece of a coordinated fraud ring on a graph view.Read article →
- Use case #0003Velocity Checks: Stopping Repeat Fraud Applications Across LendersA fraudster who fails to get a loan from one lender simply tries the next. And the next. And the next — sometimes submitting to 8 to 12 lenders simultaneously, knowing that most institutions check their own history but not the application history the fraudster is building at every other lender at the same time. Velocity checks close this gap by reading the signals that only exist across the population of lenders — not within any single one.Read article →