Banking use-case brief

A four-page brief for the fraud, risk, security, and procurement teams evaluating device intelligence at a bank — the business case, six high-value use cases, the architecture and compliance detail, and a competitive view with a procurement checklist. Built to print or export cleanly to a 4-page PDF.

Talk to us
BUREIN  ·  Banking Use-Case Brief
01 / 04
The business case

The signal layer every fraud solution is built on — in your team's hands

Every fraud solution rests on the same finite set of device signals — the same hardware tells, sensor characteristics, OS surfaces, and runtime evidence. There is no secret corpus one vendor has and another does not; there is only what the device makes available. Burein is the on-device SDK — for web, iOS, and Android — that hands that signal layer, in full, to your internal fraud, identity, and authentication teams. You build the solutions; Burein supplies the primitive.

What has changed since your current tooling was chosen

Bank fraud has moved. Card-present fraud and crude bot traffic are no longer where the losses sit. The 2026 loss curve is driven by scam-induced authorised transfers, account takeover of real accounts, AI agents operating genuine logins, and mobile malware that runs inside the customer's own device and session.

$58.3BProjected annual fraud loss to financial institutions by 2030
$15.6BUS account-takeover losses in 2024, up from $12.7B in 2023
4.41×Total cost to a North American FI for every $1 of fraud loss
350%+Growth in account-takeover attempts, 2022 to 2023

Why cloud device-intelligence stalls inside a bank

Procurement and privacy. Cloud fingerprinting ships end-user device data to a third-party SaaS and its sub-processors. Under GDPR, DORA, India's DPDP, and Saudi Arabia's PDPL, that is a cross-border transfer your DPO and regulator must approve — frequently the reason a fraud project never ships.
A dependency on the critical path. A cloud lookup adds 200–800 ms to every login and payment, degrades on poor networks, and is defeated the moment an attacker — or a corporate proxy — blocks the vendor's domain at the network edge.
A vendor that resells your own data. The prevailing model takes your customers' device telemetry, folds it into a vendor's proprietary algorithm, and sells the resulting score back to you — at a premium, in a black box, and as a dependency you cannot unwind. The asset is your data; the leverage is theirs. Mature fraud teams running Feedzai, SAS, or in-house models want the primitive, not the verdict.

The Burein difference

Software, not a data processor

Runs entirely on the device and makes zero network calls. There is no end-user data for Burein-the-company to hold — no DPA, no sub-processor, no cross-border transfer to clear.

The primitive, not a verdict

Exposes the full signal layer — 1,000+ raw signals and a tunable on-device risk engine — to your team. Enrich your own models with leverage you keep, instead of paying a vendor to derive a score from your customers' data.

Day-one wins, layered roadmap

Start where the ROI is fastest: friction-minimised 2FA and silent continuous authentication. Layer the harder detections — ATO, scam-in-progress, mobile RASP — on your timeline, with your team.

Loss figures are third-party industry and regulator estimates (compiled from public fraud-loss research), cited here for context — they are not Burein measurements. This document describes Burein product capability and architecture.

© 2026 Burein  ·  Every signal. On device. Yours alone.  ·  Rev. 05/2026
Page 1 of 4
BUREIN  ·  Banking Use-Case Brief
02 / 04
From day-one wins to deeper fraud-loss reduction

A ladder of solutions on one signal primitive

Because the signal layer is exposed cleanly, you don't have to wait for a flagship deployment to start extracting value. Start with the lowest-hanging wins on day one — then layer the harder detections on top, on your timeline, with your team.

Day one — low-hanging wins
1

Friction-minimised 2FA

Most banks challenge every login with the same 2FA prompt — yet the overwhelming majority of those challenges go to genuine customers on devices they have used for years. The friction costs conversion; the alert volume costs operations.

Detects  device-history match + clean signal profile recognised_deviceno_anti_detectno_agenticno_runtime_threat
Decision  Skip the challenge for recognised, low-risk devices; preserve it precisely where the evidence calls for it. Same security posture, a fraction of the friction.
2

Silent continuous authentication

A single login event is a poor proxy for trust. The device's threat state, behavioural signature, and runtime integrity can — and do — change mid-session.

Detects  continuous evaluation of visitor_id + behavioural signature + runtime threats via subscribe() streaming mode
Decision  Recognise a trusted device invisibly across the journey; surface a challenge or tear down the session only when the evidence shifts. Auth becomes a property of the session, not a single gate.
Next layer — fraud-loss reduction
3

Account takeover at login

The credentials are valid — but the session is credential-stuffing automation, an AI agent, an anti-detect browser, or a device this customer has never used.

Detects  WEBDRIVER_PRESENTAGENTIC_BROWSER_USEANTI_DETECT_BROWSERFARM_BROWSER_PROFILE + device-history mismatch
Decision  Step up only the genuinely risky fraction of logins; let recognised devices through untouched.
4

Scam-in-progress — remote-access fraud

A real, correctly-authenticated customer is being talked through a transfer by a fraudster over AnyDesk or TeamViewer — the fastest-growing retail-banking loss in India, SEA, and Brazil.

Detects  SCREEN_SHARE_ACTIVEOVERLAY_ATTACK_RISK + remote-access app running + active call
Decision  Hold or delay the transfer, surface a scam-specific warning, or route to callback — while the session is still live.
5

Mobile malware & accessibility abuse

A banking trojan with Accessibility permissions is reading the screen, auto-filling fields, and harvesting OTPs on the customer's own phone.

Detects  BANKING_TROJAN_IOCACCESSIBILITY_ABUSEOVERLAY_ATTACK_RISK
Decision  Refuse to render balances and transfer screens until the device is clean, and tell the customer why.
6

New-account & synthetic-identity fraud

An onboarding wave is actually one fraud ring on a handful of devices — emulators, cloned apps, and a device farm cycling stolen and synthetic identities.

Detects  EMULATOR_QEMUVIRTUAL_APP_HOSTEDAPP_REPACKAGED + one-device-many-accounts clustering
Decision  Cluster applications by device evidence at KYC — before the account funds and before a money mule is created.
And the deeper integrity layer — Frida hook detection, app repackaging, jailbreak, code injection, TLS interception — is in every report, ready when your AppSec team is. (Architecture and data path: page 3.)
© 2026 Burein  ·  Every signal. On device. Yours alone.  ·  Rev. 05/2026
Page 2 of 4
BUREIN  ·  Banking Use-Case Brief
03 / 04
For your security, privacy & procurement teams

Architecture, compliance & commercials

The detail your CISO, AppSec lead, DPO, and procurement team will ask for — why the architecture is the compliance story, how it integrates, and how it is licensed.

One SDK · three layers · zero egress

Collectorspull 1,000+ raw signals
Risk enginescores & flags on-device
Packagerbuilds & signs the report
Your backendverifies & consumes
Zero egress — Burein makes no outbound network call at any point. The property is verifiable in the CycloneDX SBOM and by independent binary analysis.
Integrates in four steps
  1. Embed the SDK. npm for web (~65 KB core); Swift Package Manager / CocoaPods for iOS and Maven for Android (≤ 1.8 MB).
  2. Set a banking risk profile. domain:"banking", a sensitivity level, and per-threat overrides. Rules and models ship inside the binary.
  3. Collect at sensitive moments. Call the public Burein.collect() method on login, onboarding, payee-add, or transfer; subscribe() streams new threats mid-session.
  4. Attach & verify. Add the signed report to your own outgoing API call — typically as an X-Burein-Report header — over the transport your stack already runs. Your backend checks the Ed25519 signature, then feeds signals and threats into your existing fraud engine.
Commercial model
  • Per-app, per-platform annual licence, priced on monthly-active-user bands.
  • No per-event or per-API fees — there is no API and nothing to meter.
  • Source-available at the Enterprise tier for regulated buyers who must read every line.
  • Enterprise tier adds a tunable risk engine, custom rules, a local calibration tool, and read-only source audit access.
  • Every tier ships a CycloneDX SBOM, reproducible builds, and SLSA Level 3 provenance.

Compliance posture

  • GDPR · DPDP · PDPL · CCPA — Burein is not a data processor. No end-user data leaves the device, so there is no sub-processor and no cross-border transfer for your DPO or regulator to clear.
  • DORA — Classified as supplied software, not an ICT third-party service — the lighter oversight category for EU financial entities.
  • PCI DSS — Never touches the PAN; safe to run on checkout and authentication paths.
  • HIPAA — Produces no PHI; embeddable in covered apps where relevant.
  • SOC 2 · ISO/IEC 27001 — Cover Burein's own build, release pipeline, and operations.
© 2026 Burein  ·  Every signal. On device. Yours alone.  ·  Rev. 05/2026
Page 3 of 4
BUREIN  ·  Banking Use-Case Brief
04 / 04
Competitive view & procurement

How Burein compares — and what to ask any vendor

One signal primitive against the prevailing models in device intelligence, and the five questions that separate a real on-device SDK from a SaaS that resells you your own data.

How Burein compares

Capability Cloud fingerprint SaaS Mobile RASP vendor Burein
Web device-identity depth
Mobile runtime integrity (RASP)
On-device only · zero egressPartial✓ by design
AI-agent & scam-vector detectionEarly✓ first-class
One signal schema · web + iOS + Android
Raw signals owned by the bankPartial
Your team builds the algorithm — not the vendorPartial
Report delivered via public SDK method — your transportPartial

Procurement checklist — five questions for any vendor

  • Does the SDK make any outbound network call? Anything other than zero starts your sub-processor and cross-border-transfer review.
  • Does the vendor's cloud see end-user device data? If yes, the DPA / GDPR / DPDP / DORA cycle begins — and your DPO will own its length.
  • Do you receive the raw signals, or only a derived score? If only the score, the algorithm is the vendor's; you cannot tune, audit, or replace it.
  • Can your fraud team build solutions on top of the SDK? Day-one wins like friction-minimised 2FA and silent continuous auth require unfettered access to the signal layer.
  • What is the SDK's coverage of 2026 threat vectors? Agentic actors, screen-share scams, accessibility-abuse malware, banking trojans — first-class detections or roadmap items?

Start with day-one wins. Layer the rest.

A 30-minute scoping call, a signal-and-use-case walkthrough mapped to your fraud stack, then a focused pilot — typically friction-minimised 2FA and silent continuous auth first, deeper fraud detections next.

info@burein.com burein.com/contact
© 2026 Burein  ·  Every signal. On device. Yours alone.  ·  Rev. 05/2026
Page 4 of 4