Precision measures the proportion of correct classifications made by a machine learning model. In this series of blogs, we explore why precision is essential in combating fraud, scams, and financial crime.

Device intelligence provides you with confidence that a device you've seen before is accessing your digital banking channel. Behavioral intelligence tells you how likely it is that your customer is in control of that device and helps you to identify their intent. Together, they are the only combination that can answer both questions at once.

For years, the device sat at the center of digital banking security. Know the device, trust the session. That logic made sense when the threat was primarily credential theft and the attacker was working against the grain of a genuine user’s environment. It makes far less sense today.

Fraudsters have learned to work with recognized devices rather than against them. Genuine customers sell or hand over their accounts along with the devices that access them. Agentic AI navigates banking applications with the fluency of a human. Deepfakes pass identity checks that were never designed to interrogate whether the face in frame is real. And a device that looks entirely clean at one institution may already carry a fraud history at another.

The device has not become irrelevant, but the question financial institutions sought to answer using legacy device fingerprinting is no longer the right one. It is no longer enough to ask whether we have seen this device before. The question now is whether this device can be trusted, right now, in this session, in this context, and whether the person or system operating it is who they claim to be.

That second question is one that device intelligence alone cannot answer. It requires behavior.

The blind spots in legacy device controls

Legacy device controls were built to evaluate what happens before access is granted. Most were not designed to validate whether the device itself can be trusted. A recognized device can still run a modified operating system, host a remote access tool, or operate within an environment designed to evade detection.

When a genuine customer upgrades their phone, the device identity is reset. Controls that rely on recognition treat this customer as an unfamiliar user, applying the same friction they would apply to a fraudster on a new device. The result is unnecessary step-up authentication, calls to customer service, re-enrollment, and a customer experience that erodes confidence precisely at the moment it should be strengthened. For every million customers who upgrade their devices, banks to which we’ve spoken typically spend between $600,000 and $800,000 per year on avoidable re-enrollment friction alone.

At the same time, a fraudster may present a new device to one institution that’s already been flagged by another. Without cross-institution visibility, that history is invisible. The device arrives with no apparent risk signal, and the bank’s controls have no basis for challenging it.

These are not edge cases. They are structural blind spots that legacy approaches were never designed to close. And they share a common root cause: Device recognition, without behavioral context, can tell you what arrived at the door but cannot tell you whether to let it in.

What has changed and why it matters now

Three forces are joining to make the device layer more consequential than ever.

The first is the threat landscape. Deepfake-assisted logins are passing identity checks in which banks spent years building trust. Agentic browsers navigate digital banking applications the way a genuine user would, adapting in real time to friction and proceeding through flows that rule-based systems were designed to let pass. BioCatch data shows agentic activity in approximately one of every 950 sessions, a figure that has risen sharply since the release of major agentic AI platforms in mid-2025 and continues to climb. These are not bot-executed scripts. They are systems that reason, adapt, and act independently. Crucially, many display device signals that appear entirely normal and only reveal their nature through the absence of true human behavior in the session.

The second is customer experience. Expectations for frictionless digital banking have never been higher. Password resets and device upgrades that trigger re-enrollment create operational costs and customer frustration that institutions can no longer absorb as an acceptable trade-off for security.

The third is platform and cost pressure. Banks are rationalizing vendor stacks, reducing SDK sprawl, and looking for solutions that do more with less. Legacy device fingerprinting and network-based solutions carry significant license costs, and the operational overhead of managing multiple vendor integrations compounds that further. Institutions that have consolidated onto the BioCatch Align SDK have reported material reductions in both technology spend and integration complexity.

Precision at the device layer

DeviceIQ approaches the device differently. Rather than asking only whether a device has been seen before, it asks (1) whether the device can be trusted before granting access, and (2) whether the environment in which it is operating is what it appears to be.

This distinction matters most at the moments that legacy controls overlook. Pre-login, in the window between an app loading and credentials being entered or a biometric check being performed, is where some of the most sophisticated device fraud now occurs. DeviceIQ establishes device trust at app launch, surfacing environment integrity signals, device risk indicators and a deterministic device identifier directly to the hosting application without an API call. The bank has the information it needs before the session truly begins.

That pre-login posture changes what is possible downstream. A jailbroken device, an emulated environment, or a device running known deepfake-enabling tools: These can all be identified and addressed before a customer reaches the login screen, and before a biometric check is attempted. It’s far more costly to interrupt a session once it’s underway.

For genuine customers, the effects run in the opposite direction. DeviceIQ identifies genuine device upgrades with close to 60% accuracy within two weeks of deployment, at a zero percent false positive rate. Signals such as network continuity, application consistency, and device copy confirmation allow the system to distinguish a legitimate upgrade from a new device presented by a fraudster. That distinction eliminates unnecessary friction for customers who simply bought a new phone, while continuing scrutiny for those who warrant it.

Combining device and behavioral intelligence

Device intelligence answers a structural question: Can this environment be trusted? Behavioral intelligence answers an intentional one: Can this person be trusted? The value of holding both is that the questions are inseparable in practice, even when each appears to have been answered individually.

Consider agentic AI: A malicious agent operating through a legitimate device on a clean network will pass every device-layer check. The device is genuine. The environment is unmodified. The network is familiar. There is nothing in the device signal to challenge. What gives the agent away is its behavior: the absence of the micro-hesitations, navigation variability, and cognitive friction that characterize a human operating a banking application. Device intelligence gets you to the door. Behavioral intelligence tells you whether a person walked through it.

The same dynamic plays out with “the peddler” mule persona, the account holder who’s sold access to their account and device to a criminal network. The device is known, the credentials are correct, the operating environment raises no flags, but the person now in control interacts with the application differently from the person who set it up. Typing patterns shift, navigation preferences change, and mouse behavior reflects someone unfamiliar with an account they did not open. Device intelligence confirms the hardware's continuity. Behavioral intelligence detects discontinuity between human operators.

For deepfake-assisted access, the combination is equally decisive. DeviceIQai identifies device-layer signals associated with synthetic sessions, including emulator environments, virtual cameras, desktop GPUs, and deepfake-enabling applications installed on the device. Behavioral intelligence then validates whether the interaction patterns in the session match those of a genuine user or exhibit the synthetic movement and unnatural hesitation characteristic of an AI-driven session. Neither layer alone reaches the same conclusion as both together.

BioCatch is the only fraud prevention provider that operates across both dimensions natively, within a single platform and SDK. The device intelligence and the behavioral intelligence share the same session data, network insights, and real-time decisioning infrastructure. That integration is a structural advantage that single-layer solutions built on either dimension alone cannot replicate.

The network no single institution can build alone

Beyond the session, the BioCatch network amplifies what device and behavioral intelligence can see. DeviceIQ finds devices used for fraud are 12.5 times more likely to show signs of identity evasion than legitimate user devices across a BioCatch network that now includes more than 1.7 billion profiled devices. When a device carries a risk history from one institution, that signal travels with it.

Criminal campaigns rarely stop at a single bank. A device used to open a mule account at one institution may appear the following day at another, presenting as entirely new. Without network-level visibility, the second bank has no way of knowing what it’s dealing with. With network-level visibility, the risk arrives flagged before any action has been taken, before any fraud has been confirmed, and before any loss has occurred.

The BioCatch network is built exclusively on financial institution signals, without the cross-industry noise that dilutes broader network-level approaches. The fraud intelligence it surfaces is specific to banking contexts, which makes its signals more actionable and its precision more refined.

The regulatory case for getting this right

The commercial argument for combined device and behavioral intelligence is compelling on its own terms. The regulatory argument is becoming equally hard to ignore.

PSD3 and the EU’s Instant Payments Regulation place explicit obligations on payment service providers regarding transaction monitoring, fraud detection, and payee identity verification. Strong Customer Authentication requirements under PSD2, carried forward and strengthened under PSD3, require institutions to demonstrate not just that authentication occurred, but that it was genuinely robust. A device-only approach to SCA, relying on possession as the sole factor, leaves a gap of which regulators and fraudsters alike are increasingly aware. Persistent device identity, combined with behavioural inherence, supports two of the three SCA factors within a single integrated capability. That is not a compliance convenience. It is a substantive improvement in authentication quality that regulators are asking for.

The EU Anti-Money Laundering Regulation, which comes into force progressively from 2027, raises the bar on customer due diligence, transaction monitoring, and the detection of suspicious activity across the full account lifecycle. Mule accounts are at the heart of the money-laundering infrastructure that AMLR is designed to disrupt. Institutions that cannot demonstrate continuous, behavioral-level monitoring of accounts, not just at onboarding but through every subsequent session, will find it increasingly difficult to satisfy supervisory expectations. Device intelligence that confirms who is accessing an account, combined with behavioral intelligence that confirms whether the person behind the device is the genuine account holder, is the kind of layered control the regulation is designed to incentivise.

In the UK, the Payment Systems Regulator’s reimbursement framework for authorised push payment fraud has already restructured the commercial calculus around mule detection. Receiving banks bear up to 50% of scam losses flowing through accounts they hold. That liability is inseparable from the device and behavioral signals that could have identified those accounts earlier. NAB’s decision to raise mule risk to its executive financial crime risk committee was shaped in part by watching the PSR framework take effect in the UK and anticipating its likely adoption elsewhere. That anticipation has since proven well-founded, with several jurisdictions actively considering comparable frameworks.

Taken together, PSD3, the Instant Payments Regulation, AMLR, and PSR reimbursement liability are converging on the same institutional requirement: that banks demonstrate continuous, layered, evidence-based controls that operate across the full digital journey. 

Precision starts before the session begins.

The other blogs in this series have explored how precision in account opening, account takeover, scam detection, and mule detection translates into fewer losses, lower operational costs, and better customer outcomes. Each of those capabilities depends, to some degree, on the quality of the foundation beneath them.

That foundation is the combination of device and behavioral intelligence working together from the moment an app loads. When the device layer is unreliable, every signal built on top of it inherits that uncertainty. When it is precise, every downstream decision benefits. When behavioral intelligence is layered on top of that precision, the system gains the ability to detect not just environmental anomalies but intentional ones: the human signal that distinguishes a genuine customer from the operator behind a fraudster’s clean device.

The attack surface has moved. The controls that will meet it are the ones that understand not just what is connecting, but also who is in control.

Key takeaways:

  • Device intelligence and behavioral intelligence answer different questions. Device intelligence tells you what is connecting. Behavioral intelligence tells you who is in control. Holding both natively, within a single platform, is what separates precision from probability.
  • Legacy device controls were built to recognize devices, not to validate whether they can be trusted. That distinction has become critical as the attack surface has moved.
  • Agentic AI, deepfake access, and mule account takeover all produce device signals that appear legitimate. Behavioral intelligence reveals the anomalies that device-layer checks cannot see.
  • DeviceIQ identifies close to 60% of genuine device upgrades within two weeks of deployment, at a zero percent false-positive rate, eliminating the friction that costs banks $600,000 to $800,000 per year for every million upgrading customers.
  • Fraud devices are 12.5 times more likely to show signs of identity evasion across the BioCatch network of more than 1.7 billion profiled devices. That cross-institution visibility is unavailable to any single bank operating alone.
  • Agentic AI is present in approximately one in every 950 banking sessions and rising. The combination of DeviceIQai device signals and BioCatch behavioral intelligence is the only approach that simultaneously addresses both the environmental and intentional dimensions of that threat.
  • Consolidating fraud, device, and authentication SDKs into the BioCatch Align SDK has delivered savings of $1 million to $10 million or more per year, turning a security investment into a platform efficiency gain.
