Risk Analytics Release Notes

The services and endpoints listed below will be removed with the next version. We recommend customers who are using any of these services and endpoints to migrate to the OneSpan Trusted Identity platform API before December 31, 2023!

For every removed service, a replacement is already available in the OneSpan Trusted Identity platform API.

In the Risk Analytics API Reference service API, the following services will be removed:

• eventvalidation (v2)
• transaction (v2)
• bulkfile-upload (v1)

The following standalone services which are not part of a service API will also be removed:

• eventvalidation (v1)
• login (v1)
• transaction (v1)
• checksessionstatus (v1)
• fido-metadata

Rule design can now be based on a "four eyes" principle, maker–checker authorization, to separate duties and comply with certain regulations. This process requires two different individuals to complete certain tasks, i.e. certain operations initiated by one individual (maker) can only be executed after approval by another individual (checker). Accordingly, as prerequisite for using this feature, the role for the maker-users must contain the Enable access to Hierarchy and Enable access to Hierarchy in maker mode clearances, and the role for the checker-users must contain the Enable access to Hierarchy and Enable access to Hierarchy in checker mode clearances.

Maker–checker authorization for rule management is based on the following main principles:

• All maker–checker authorization applies at the Campaign level
• The Edit mode for makers is only allowed for inactive campaigns
• Makers submit their changes by requesting to toggle a campaign on or off
• Validation by a checker is performed by accepting or rejecting the toggle actions

Using maker–checker authorization is optional.

For more information, refer to OneSpan Risk Analytics Administrator Guide.

While completing some alerts in batch with the Complete 50 action on the Risk & Relationship Management page, some of the completed alerts were randomly failing to reference the corresponding relationship, making it impossible to access the customer details from the related alert.

This issue has been fixed.

Potential failure of some factor computations was observed when maintenance operations or failover occurred with the Couchbase cluster nodes used by Risk Analytics in the TID infrastructure.

This issue has been fixed.

The Role administration section in the Risk Analytics Administrator Guide does not mention that the user role with the ADMIN_ROLE permission rights cannot be changed to another role.

This issue has been fixed. The Risk Analytics Administrator Guide has been updated to include information about the default roles for master and non-master administrators.

When a mobile event was sent to the Data Collector web service with coordinates of a location in Kosovo, a lookup error was generated in the Risk Analytics logs. This error occurred because the Risk Analytics Geolocation Services returned the country code XK which is based on the GIS coordinate (Risk Analytics GIS Location Service for mobile events). The XK code, however, was not included in the internal country code table since this table is based on the ISO list of country codes.

This issue has been fixed. The XK country code was added to the Risk Analytics country reference table.

The model underlying the Data on Session report aggregated data from transactions and non-monetary events in a single source. This, however, caused problems with the indexing and brought the CPU load almost to the maximum, when used.

This issue has been fixed. The report model has been optimized to prevent long database queries. This now allows to use separate indexes for transactions and non-monetary events, respectively.

Custom event types were not correctly exported from Risk Analytics Presentation Service. When certain custom event types (transactions as well as non-monetary events) were created and exported, they were correctly created as TXN or NME types but were not added to the dashboard data upon import.

This issue has been fixed. A script was added to ensure correct import of the event types and to take into account manually created custom events.

In the SUPERVISE & INVESTIGATE tab of the Presentation Service, the Notification page was related to a historical feature that has already been deprecated and no longer applicable since a long time. This page has now been removed.

All exported files produced by the Risk Analytics Presentation Service now specify the character used as a value separator (a semicolon ";" character) in their header, to avoid a parsing mismatch when reopening these files with CSV editors.

This applies to the CSV export of console logs in the Export/Import and Environment pages, and the reports generated or scheduled in the Reports page.

To keep Risk Analytics up to date, we have added support for the Edge browser, and removed support for Internet Explorer 11.

Risk Analytics now supports the Chrome and Edge browsers.

When running a rule test for historical events, the result of the test was unexpectedly impacting the further review of these events in the Event Detail screen. A rule that matched for these events during the rule test was added in the list of matched rules in the Event Detail screen.

This issue has been fixed.

Ampersand "&" characters in the value of some string fields were causing failure on the daily factor computation when sending events to Risk Analytics, inducing multiple computation retries that caused high database load and decreased performance.

This issue has been fixed.

When an event with a missing or empty field value was tested against campaign, division, or rule criteria for not being part of a hotlist, there was a discrepancy depending on whether the hotlist was empty or not. A criteria testing if such a field was not in a given hotlist was correctly evaluated as TRUE if the hotlist was empty (contained no records), but was wrongly evaluated as FALSE if the hotlist did contain any records.

This issue has been fixed.

This issue, and the corresponding fix, are relevant only for customers using the NOT IN or NOT EXISTS hotlist clause in campaigns, divisions, or rules.

It is important to highlight that existing campaigns, divisions, and rules using the NOT IN or NOT EXISTS hotlist clause will not automatically be fixed after the Risk Analytics version update. Only new campaigns, divisions, and rules, or ones modified after the update, will use the fixed algorithm. To fix an existing campaign, division, or rule, just edit it in Presentation Service and type in, for example, a small change in description prior re-saving it.

Please note that compiling a complete hierarchy (Non Mon Events, Transactions...) will not be sufficient to regenerate campaigns, divisions, and rules with the fixed algorithm.

Some mobile non-monetary events or transaction fields collected in the mobile CDDC clear data were not correctly mapped and were not received and stored by Risk Analytics as expected:

• BLUETOOTH_DEVICE_LIST
• BOUNDED_BT_DEVICE_LIST
• DEVICE_MODEL
• WIFI_BSSID_LIST
• CONNECTED_BT_DEVICE_LIST
• CONNECTED_BSSID
• MOB_APP_RELEASE_DATE
• NETWORK_NAME
• KEYBOARD_ID
• LAUNCHER_ID
• MOB_TIMEZONE

This issue has been fixed.

Several missing fields have been added and can now be used as criteria of campaigns, divisions, or rules. These fields can help users to build rules to manage specific fraud cases.

The following fields are now available in rules related to non-monetary events and transactions (for both digital and corporate banking environments):

• USER_REF
• APPLICATION_REF
• FINGERPRINT_RAW
• EXTERNAL_REF

The following fields are now available in rules related to transactions only (for both digital and corporate banking environments):

• REASON_CODE
• DEBTOR_IBAN
• DEBTOR_NAME

Login to the Risk Analytics Presentation Service was failing on a random basis for all users.

Risk Analytics Presentation Service was potentially entering an anomalous state for internal reasons (timeout during the execution of the reports) or for possible external reasons (interruptions in the network connectivity).

This issue has been fixed. Risk Analytics Presentation Service now detects and recovers from these errors automatically.

If an error occurred while reading an existing Couchbase document, the document was improperly considered not found and was reset at rewrite, causing improper calculation of the related factors and corruption of the Couchbase document.

This issue has been fixed. To avoid reset and corruption of existing Couchbase documents, rewrite is now prevented if the existing Couchbase documents fail to read.

The B_NEW_IP factor was not calculated correctly when it was an existing IP address. The value was always set to true.

This issue has been fixed.

Any amount fields that exceeded 15 significant digits (with or without decimal digits) were not displayed properly in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, Customer Events) and the Event Detail page.

This issue has been fixed.

In the hotlist management in Risk Analytics Presentation Service, the Delete Selected button was available to users even if they did not have the Enable access to Hot List in edit mode permission. However, the hotlist record was not deleted, even when the user clicked the button.

This issue has been fixed.

The field BRANCH_LOCATION can now be used as criteria of campaigns, divisions, or rules in Risk Analytics. Using this field allows you to build rules that make decisions based on the branch location origin.

All amount-related fields in Risk Analytics, such as AMT_TXN, had a size limitation of 10 digits and 2 decimals. This caused issues for certain currencies.

The size limit has been increased to support up to 20 digits and 3 decimals (23,3). Bracketed numbers show the character limit of that field. The first number is the total number of allowed characters. The second number is the number of allowed decimal places.

This new feature is currently subject to two known issues. See Known Issues for further details.

Risk Analytics has been enhanced to now display the events creation date in the local time zone of the fraud analyst operator in Presentation Service.

A new Local Event Date field can now be optionally displayed in addition to the former Event Date field displayed in the Presentation Service datagrids (Latest Events, Score Analysis, My Alerts).

On the Event Details page, a new Local Created Date field can now be optionally displayed in addition to the former Created Date field.

The new Local Event/Created Date field provides information on the event creation date that has been converted to the local time zone as configured on the client machine of the fraud analyst using the Presentation Service. This can provide a more relevant creation date information for customers dealing with local traffic only.

A new Support Role has been added in Risk Analytics Presentation Service.

This role grants OneSpan technical customer support staff access to the Presentation Service console in the customer's environment for troubleshooting and support purposes.

Risk Analytics now supports Oracle parallel queries. This makes SQL statements more performant by using available CPUs to spread the load and complete the task faster. For further details, refer to the Oracle documentation (e.g. About Parallel Queries or How Parallel Execution Works).

New additional fields and factors are now available for use in rules, to correlate countries of origin for both web and mobile events. This serves to detect any abnormal change in the country of origin for web and mobile events coming from the same user.

Before, in the rule criteria fields and factors, the country was considered separately if initiated from a web event (based on the IP address) or from a mobile event (based on the GIS location).

The following new fields and factors are now available in rules:

• IP_GIS_COUNTRY (field)

  Provides information about the country of the event, independent if the event was triggered on the web or from a mobile device (based on the IP country or GIS country, depending on the context).

• IP_GIS_COUNTRY_ALPHA_COD (field)

  IP_GIS_COUNTRY, represented in ISO-Alpha code.

• SAME_SESSION_COUNTRY (factor)

  Checks if the country of the current event is the same as the country used for the previous web or mobile event in the same session.

• PREVIOUS_WEB_MOB_EVT_DISTANCE (factor)

  Measures the distance in km between the current and the previous web or mobile event of the same user.

For more information about these new factors, refer to the OneSpan Risk Analytics Quick Start Guides.

The following factors did not behave as expected when the session changed:

• SAME_SESSION_IP
• SAME_SESSION_ISP
• SAME_SESSION_IP_COUNTRY
• SAME_SESSION_IP_CONTINENT.

These factors must check if the IP, ISP, IP Country, or IP Continent in the current event are the same as in the previous event of the same session. The factor was not reinitialized when receiving an event with a new session.

This issue has been fixed.

The Match Phonetically feature that can be used for the match keys of match rules did not function correctly and was not able to perform a sounds like recognition. Consequently, the related rule did not match as expected.

This issue has been fixed.

Very rarely, posting events failed when performed during the reload sequence of the Data Collector web service cache. This applied e.g. when the cache reload was triggered during the import of the configuration file in the Presentation Service, or during the creation of a new Risk Analytics environment in the Presentation Service.

This issue has been fixed.

The description of the following factors has been updated in the Risk Analytics for Digital Banking Quick Start Guide and Risk Analytics for Corporate Banking Quick Start Guide:

• SAME_SESSION_DEVICE
• SAME_LAST_SESSION_DEVICE
• PREVIOUS_EVT_DISTANCE
• IS_PREVEVT_SAME_NETWORK
• IS_PREVEVT_SAME_GIS_CITY
• IS_PREVEVT_SAME_GIS_COUNTRY
• IS_PREVEVT_SAME_GIS_CONTINENT
• IS_PREVEVT_SAME_PIN_PROT
• IS_PREVEVT_SAME_FINGER_PROT
• IS_PREVEVT_SAME_FACE_PROT
• IS_PREVEVT_SAME_BEHAVIOR_PROT

The documents previously did not indicate that the factors were related to the previous event for

(1) the same session, or

(2) the same relationship_ref (retail user- Digital Banking) or the same user_ref (corporate user - Corporate Banking), or

(3) the same mobile application UID.

For Match Rules, the Match Key definition can optionally include usage of a substring feature. When using the substring feature, the second parameter to enter is Substring Length, not the Substring End Position that was indicated.

This issue has been fixed. The parameter label now matches the real behavior.

Import of configuration file in the Presentation Service between version 2.9.0 and 2.9.3 was potentially preventing the correct computation of some Daily Factors afterward (e.g. the AVG_ROOTING_PROBA factor group).

This issue has been fixed. Incriminated Daily Factors will now be calculated normally as from the new version.

On some mobile operating systems, the application language value collected by the Mobile Security Suite CDDC SDK for the CDDC data property 57 (applicationLanguage) of the mobile CDDC message is longer than the typical five characters. Application languages with more than five characters were not supported and produced a failure when the mobile event was posted to Risk Analytics.

This issue has been fixed. The corresponding MOBILE_APP_LANGUAGE field now supports up to 50 characters.

For mobile requests, when the transaction or event date is not present in the request payload, it is taken from the mobile CDDC data. In such cases, an issue occurred in the date/time format.

This issue has been fixed.

There was an issue, where it was possible for an IP address to be flagged as both a corporate proxy and an anonymous or transparent proxy. The expected behavior, however, is that the IP address is flagged as either an anonymous or a transparent proxy, as the case may be. These two flags should take precedence over the corporate proxy.

This issue has been fixed.

For mobile requests where neither the transaction date nor the clear date is present in the mobile CDDC data an issue occurred with displaying the TXN date in OneSpan Risk Analytics Presentation Service.

This issue has been fixed.

The following factors of the type SAME_SESSION_XXX were not behaving as expected:

• SAME_SESSION_IP

• SAME_SESSION_ISP

• SAME_SESSION_IP_COUNTRY

• SAME_SESSION_IP_CONTINENT

The unexpected behavior occurred when an event was presented without providing the related XXX field in the middle of the session. The corresponding factor was then reset, and the subsequent event in the session was not considering the last XXX field known for the session.

This issue has been fixed.

When a rule triggered the hotlist record management action, if the hotlist field value was not provided then an empty record was unexpectedly created in the related hotlist.

This issue has been fixed.

When exporting audit data from the Presentation Service Audit page (using the Download button), some information was missing in the exported Excel file (e.g. in the case of a delete report action, the technical data related to the action was empty).

This issue has been fixed.

• Any numeric fields that exceed 15 significant digits (with or without decimal digits) might not be displayed properly. In some cases, their display in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, Customer Events) and the Event Details may be affected.

  This is only a display issue, all numerical values are correctly recorded in Risk Analytics.

• Amounts including 3 decimal digits are not displayed in full in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, Customer Events). Displayed amounts are rounded down to 2 decimal digits.

  This is only a display issue, all numerical values are correctly recorded in Risk Analytics.

Access to the Forensic Analysis polar chart was only available when looking at the events in the grids of the Latest Events and Score Analysis pages. Now it is also possible to access the Forensic Analysis polar chart via the events in the grids of the My Alerts and Customer Events pages.

The report column headers in the generated reports are formed with the entity and column names of the extracted data. If the name was too long, the full string was truncated.

To have unequivocal header names in the generated reports, full column header names without any truncation are retained to avoid confusion or misinterpretation.

A new response code has been added: ChallengeFIDO, with the response code value 14.

This response can be used to indicate that a FIDO-based authentication or registration must be performed.

In the Rule Management page, the navigation pane on the left that displays the rules and hotlists was emptied when the user created or edited the rule action type Launch workflow. This issue has been fixed.

The Complete 50 action in the Risk & Relationship Management page unexpectedly locked the next alert in the queue (if any). This issue has been fixed.

Rarely and on a random basis, the Complete 50 action on the Risk & Relationship Management page unexpectedly flagged the alerts as Completed when the user selected the outcome On hold custom date. This issue has been fixed.

Since version 2.11.1, the new option to limit sending email notifications to particular email domains caused issues. Some email notifications that were not whitelisted were blocked in a queue and then resent when unblocked. This caused a pollution of email notifications in the recipients’ inboxes.This issue has been fixed.

When posting events to API /events or API /transactions, the tppIP and psuDeviceID fields are provided when you send events coming from a third-party provider (TPP) application. In previous versions, these two fields were incorrectly flagged as mandatory fields. This caused an issue for redirected or decoupled signatures where these fields cannot be provided because they do not apply for events coming from the bank's application (web and trusted device applications) during a redirect or decoupled authentication approach.

tppRef is the only mandatory field for all TPP events and redirect and decoupled authentication approaches.

This issue has been fixed.

The U_NEW_xxx_SESSION factors were incorrectly calculated after a null or missing value for a related field and were sent during the session. After the first transaction, the values of the U_NEW_xxx_SESSION were reset in each subsequent transaction in the same customer session. The expected behavior is for the value not to be reset. This issue has been fixed.

Risk Analytics Presentation Service now supports the ability to display a contrast between the before and after states on the Audit page for several actions across the Risk Analytics application. Additionally, the Audit page was enhanced to make the data more readable and protected against some vulnerabilities.

A contrast between Original Value and New Value was added as audit improvement for the following features:

• Reports management
• User Administration updates
• Personal Settings and Personal Settings updates
• Application Settings
• Alerts Email Notification, for both tabs i.e. New Alert Notification and Escalation Notification

You can display the added contrast when you click Show Data.

In addition, vulnerabilities were removed for hotlist actions, and the content was improved. This can also be displayed when clicking Show Data.

When currency settlement information was provided in a transaction, the currency settlement value was not displayed on the Latest Events page. This issue has been fixed.

When selecting to display the score of mobile events in the settings of the Score Analysis page (Score Type Mobile), this selection was lost and Presentation Service switched back to web events as a default when sorting the elements of the grid by a particular column (e.g. Event Date) and refreshing the page. This issue has been fixed.

During the creation of a report query in the Reports page, when adding a sorting criterion (a specific column of a specific entity), the sorted element did not indicate the parent entity in the sorting panel but only the column name. This issue has been fixed.

On the My Alerts page, the Clear button on the Alert Settings panel that resets the settings to the default values did not work when the user selected an option and clicked Clear. The button was only functional if the user had clicked Apply in the Alert Settings panel before clicking Clear. This issue has been fixed.

Due to a regression issue, the Complete 50 function in the Risk & Relationship Management page to complete up to 50 pending alerts in one shot was not working anymore. This issue has been fixed.

The following IP proxy fields were not mapped correctly and always produced a value set to 0. The fields had to be amended so that the IP proxy information is correctly mapped under AUDIT & REPORT > Reports.

• IP_ANONYMOUS_PROXY
• IP_CORPORATE_PROXY
• IP_TRANSPARENT_PROXY

This issue has been fixed.

When using TXN_DATE_TIME (for transactions) or NON_MON_EVENT_DATE (for non-monetary events) instead of the CREATED_DATE parameter as the history date reference, the selection of the historical time period in history rules and match rules was not correct.

The events where the date for TXN_DATE_TIME or a NON_MON_EVENT_DATE was later than the actual date at the execution of the rule, were incorrectly considered in the history rules and match rules. This issue has been fixed.

Risk Analytics now supports additional fields collected in the mobile CDDC clear data in case of mobile non-monetary events or transactions.

The following fields that are part of the mobile CDDC clear data can now be used in the rules, grids, and reports of Risk Analytics Presentation Service:

• BLUETOOTH_DEVICE_LIST
• BOUNDED_BT_DEVICE_LIST
• DEVICE_MODEL
• WIFI_BSSID_LIST
• CONNECTED_BT_DEVICE_LIST
• CONNECTED_BSSID
• MOB_APP_RELEASE_DATE
• NETWORK_NAME
• KEYBOARD_ID
• LAUNCHER_ID
• MOB_TIMEZONE

When editing an existing hotlist record, it is now possible to modify the value of the hotlist record.

The audit logs for created, modified, or deleted hotlist records now provide an additional HotListName element by providing the name of the parent hotlist. The log entry also includes the name of the hierarchy to which the hotlist belongs (i.e. Common, Non Mon Events, Transactions, Relationships etc.).

In addition to the two new fields, 14 new factors have been defined to aggregate data for a given contract. These new factors are:

• CO_NUM_DAYS_SINCE_LAST_EVENT
• U_NUM_TXN_SUCCESS_CO_LNGTIME
• U_NUM_TXN_ATTEMPT_CO_LNGTIME
• U_TXN_AMT_SUCCESS_CO_LNGTIME
• CO_BENEFICIARY_AGE_TXN
• CO_BENEFICIARY_AGE_NME
• CO_NUM_EVENTS_SUCCESS_LNGTIME
• U_LAST_SCA_CO_AGE
• CO_FIRST_EVENT_AGE
• CO_STDDEV_TXN_AMOUNT_LNGTIME
• CO_IP_ISP_AGE
• CO_COOKIE_AGE
• CO_IP_COUNTRY_AGE
• CO_DEVICE_AGE

The following fields are available:

• IP_TYPE: type of IP address
• IP_PROXY_TYPE: network protocol the server uses to proxy the user connection
• IP_HOSTING_FACILITY: indicates whether the connection originated at a facility that provides storage, computing, or telecommunication services
• IP_STATE: information for states and provinces in all countries where they exist
• IP_STATE_CODE: alpha code corresponding to the state
• IP_AREA_CODE: phone number prefix assigned to the corresponding city

Additional dynamic variables can be also added in the available notification email templates, both for the subject and the message body. These new variables are:

• ID number of the alert record
• User Ref (only in case of corporate banking environments)

New standard non-monetary event types have been added for both the Digital Banking and Corporate Banking environments. These events allow pushing some new events of the following types to Risk Analytics:

• AlertSetup
• ChangeAlertDelivery
• ChangeLimit
• AddChequePrintingPayee
• ChequePrintingRequest

In addition, to improve performance, indexes were restructured and unused CLOB columns have been removed from some tables related to both non-monetary events and transactions.

For a database schema upgrade, this re-structuring can lead to an increased duration when upgrading from a previous version of Risk Analytics, especially during the stage of 2.9.2 to 2.9.3 post-script execution.