Zarelva Methodology · v1.0

Account takeover is not a
transaction problem.
It's an investigation problem.

ZAIS™ is an RBI-implemented, globally structured fraud investigation methodology designed to support multi-jurisdictional regulatory environments including PSD2/SCA and MAS TRM.

42 deterministic signals 6 detection domains 3 investigation playbooks RBI-primary · globally structured Explainable decisions
42
Deterministic signals
6
Detection domains
3
Investigation playbooks
5
Maturity dimensions
10
High-confidence combos

The Problem

Why ATO investigations fail at most NBFCs

Most digital lenders have alerts. Very few have a structured way to investigate, explain, and defend what happened.

🔇
Signals fire, nothing connects them
Individual alerts exist for device drift, SIM change, velocity. But there's no framework connecting them into an attack chain. Analysts see 47 alerts, not one ATO event.
Coverage gap
📊
No explainability for decisions made
Regulators ask: "Why did you block this customer?" The answer is a model score. No signal breakdown, no weight rationale, no audit-ready narrative. That's a regulatory liability.
Regulatory risk
🗂️
Evidence can't be replayed later
A customer disputes a block 3 months later. The analyst who closed the case is gone. The evidence is in a spreadsheet on their laptop. You cannot defend what you cannot reconstruct.
Evidence gap
📐
Investigation quality is unmeasured
Nobody knows if Case A was investigated as thoroughly as Case B. There's no quality standard, no completeness scoring, no consistency check. You find out the quality was bad when a regulator tells you.
Quality gap

How ZAIS Works

From ATO event to defensible decision

ZAIS structures the full journey — detection, investigation, explainability, evidence, and regulatory mapping — as a connected methodology, not isolated tools.

ZAIS-100
Signal Library
40 signals across 6 domains fire against telemetry in real-time or batch
ZAIS-200
Investigation Playbooks
Signal combinations trigger specific playbooks with step-by-step execution protocols
ZAIS-300
Explainability
Every decision produces a structured narrative: which signals fired, at what weight, why
ZAIS-400
Evidence & Forensics
SHA-256 sealed manifests, immutable case timeline, replayable decision record
ZAIS-500
RBI Regulatory Mapping
Every control maps to specific RBI requirements — audit-ready at all times
ZAIS-600
Quality Scoring
Standardised investigation quality metrics across evidence, timeliness, completeness

ZAIS-100

Signal Library — 42 deterministic signals

Every signal has a defined data type, risk weight, trigger condition, and RBI alignment. No black boxes.

Showing all 42 signals across 6 domains


Attack Graph

How a SIM Swap ATO unfolds

ZAIS reconstructs the full attack chain from triggered signals — giving investigators and regulators a single narrative of what happened, in order.

📡
Initial Access
SIM Swap / Telecom Profile Change
SIG-NET-006 · w=0.96
🔑
Credential Compromise
Password Reset on New Unrecognised Device
SIG-AUTH-002 · w=0.82
📱
Device Anomaly
Hardware Fingerprint Drift + Behavioural Deviation
SIG-DEV-001 + SIG-BIO-003 · w=0.85/0.68
🏦
Monetisation Setup
Limit Increase → New Beneficiary → Probe Transfer
SIG-TRX-008 + SIG-TRX-001 + SIG-TRX-005 · w=0.87/0.79/0.84
💸
Execution
Dormant Account Awakens — High-Value Transfer
SIG-TRX-007 · w=0.95 · Balance drain detected
🐟
Post-Compromise
Mule Transfer · Beneficiary Removed to Cover Trail
SIG-TRX-003 + SIG-TRX-010 · w=0.88/0.79

This attack chain is reconstructed automatically from triggered signals — not written manually by an analyst. Every node maps to a ZAIS signal with defined weight and RBI alignment.


ZAIS-200

Investigation Playbooks

Three attack vectors. Each has a specific signal combination, a step-by-step execution protocol, and defined KPIs. Not guidelines — protocols.

03
PB-03 · SIM Swap
Telecom Interception & Network Compromise
Triggered by SIG-NET-006 + SIG-TRX-007/009. Covers automated interdiction, OOB verification bypassing the compromised SIM, and cryptographic evidence sealing.
T+0: Telecom metadata pull — IMSI/ICCID vs historical
T+2min: Automated account containment + session invalidation
T+12min: OOB identity verification (bypass SMS entirely)
T+24h: SHA-256 forensic capture + RBI burden-of-proof package
04
PB-04 · Device Malware / RAT
Device-Level Exploitation — Malware, RAT, Overlay, Repackaged APK
Triggered by SIG-DEV-003/004/007/005. Covers device state triage, immediate transaction rollback, forensic APK and process capture, and OOB-only verification because any in-app challenge is visible to the attacker.
T+0–3min: Device telemetry pull — APK hash, process list, RAT signatures, screen recording API state
T+3–10min: Transaction rollback + full session revocation + account freeze. No in-app or SMS OTP — attacker sees both.
T+30min: Forensic capture — SHA-256 sealed process list, certificate chain, network connections, accessibility grants
T+4h: OOB verification via alternate device (FIDO2) or video KYC — never via compromised device
T+24–72h: Device remediation verified (factory reset + fresh install + attestation) before any account restoration
05
PB-05 · Session Hijack
Session Token Theft & Proxy-Assisted Account Takeover
Triggered by SIG-SES-001/005/002 + SIG-NET-005/007. Covers full token chain reconstruction — where was the token issued, how was it stolen, and where was it replayed — plus OOB step-up and attacker infrastructure blocking.
T+0–2min: Session state snapshot — issuance context vs current IP/device/geo delta captured
T+2–8min: Full token revocation across all sessions + all channels. No in-session step-up — attacker is in the session.
T+5–45min: Forensic token provenance chain — issuance → transit → reuse — MITM and proxy infrastructure mapped and sealed
T+10min+: OOB step-up via FIDO2 on registered device or email OTP to verified secondary channel
T+24h: Attacker ASN/IP range blocklisted. Signal library updated with new proxy fingerprint.

ZAIS-500

Global Regulatory Alignment

ZAIS is RBI-primary, globally structured. Every control maps to a global control family first — then to jurisdiction-specific requirements as overlays. RBI is fully mapped. PSD2/SCA and MAS TRM overlays are framework-ready.

🇮🇳
RBI
Implemented
Digital Payment Security Controls · Limited Liability · FIU-IND
🇪🇺
PSD2 / SCA
Architecture Defined
Art. 97 SCA · RTS on SCA & CSC · TRA exemptions · EBA fraud reporting
🇸🇬
MAS TRM
Architecture Defined
TRM 2021 · Monitoring & incident response · Audit trail · Board reporting
🇬🇧
UK APP Fraud
Planned
PSR reimbursement scheme · Pay.UK · Gross negligence standard · Burden of proof
🇺🇸
US Governance
Planned
OCC · CFPB · FFIEC · FTC · NACHA · Card network fraud guidance
Global Control Families — ZAIS-G100 to ZAIS-G500

Every ZAIS signal maps to one of five global control families. Jurisdictions map to these families as overlays — not the other way around. This means adding a new regulator never requires rebuilding the signal library.

ZAIS-G101
Identity & Authentication Controls
Covers AUTH and BEHAVIORAL signals. Maps to: RBI MFA requirements · PSD2 SCA inherence/possession/knowledge · MAS IAM controls.
RBI ✓ PSD2 arch MAS arch
ZAIS-G201
Device & Session Integrity Controls
Covers DEVICE, NETWORK, SESSION signals. Maps to: RBI device integrity · PSD2 possession element + TRA · MAS endpoint & session security.
RBI ✓ PSD2 arch MAS arch
ZAIS-G301
Transaction Monitoring & Fraud Detection
Covers TRANSACTIONAL signals. Maps to: RBI velocity & AML rules · PSD2 TRA thresholds (€100/€250/€500) · MAS transaction monitoring.
RBI ✓ PSD2 arch MAS arch UK ~
ZAIS-G401
Investigation, Evidence & Explainability
Covers playbooks, SHA-256 manifests, decision replay. Answers: RBI limited liability · UK APP gross negligence standard · MAS audit trail requirements.
RBI ✓ MAS arch UK ~
ZAIS-G501
Governance, Liability & Regulatory Assurance
Covers maturity scoring, quality assurance, regulatory reporting. Maps to: RBI board oversight · MAS TRM governance · PSD2 fraud reporting to EBA.
RBI ✓ PSD2 arch MAS arch
RBI Mapping Detail — ZAIS-610

Specific RBI requirement to ZAIS control mapping. PSD2 and MAS detail mapping available on request.

RBI Requirement ZAIS Control Global Family Signals
Device & IP anomaly detection (Digital Payment Security Controls) ZAIS-G201 Device & Network Domain ZAIS-G201 SIG-DEV-001 → 008, SIG-NET-001 → 008
Velocity monitoring for suspicious transaction patterns ZAIS-G301 Transactional Domain ZAIS-G301 SIG-TRX-001, 002, 005, 006, 007, 008
Behavioural biometrics for account activity monitoring ZAIS-G101 Behavioural Domain ZAIS-G101 SIG-BIO-001 → 006
Customer limited liability — burden of proof on institution ZAIS-G401 Forensic Evidence Model ZAIS-G401 All signals — sealed in SHA-256 manifest
SIM swap / telecom profile change monitoring ZAIS-G201 SIM Swap trigger (PB-03) ZAIS-G201 SIG-NET-006 (primary), SIG-AUTH-001 (secondary)
Explainability of AI/ML fraud decisions ZAIS-G401 Explainability Narrative ZAIS-G401 All — signal weights documented per decision

Note on Architecture Defined status: PSD2/SCA and MAS TRM overlays are structurally mapped to ZAIS global control families. Architecture Defined status means the structural mapping to ZAIS global control families is confirmed. Article-level citation mapping is built during client engagement for the specific regulatory profile — this is always implementation-specific. This is the correct sequencing — jurisdiction overlays are always implementation-specific.


ZAIS-ATO Maturity Index

Where does your platform stand?

The ZAIS Maturity Assessment measures your current ATO controls across 5 dimensions and shows exactly where the gaps are. These are illustrative scores — your assessment will reflect your actual setup.

Detection
Signal coverage vs ZAIS-100
Investigation
Playbook adherence + quality
Explainability
Decision narrative quality
Forensics
Evidence sealing + replay
Governance
RBI mapping + audit trail

Scores above are illustrative — typical NBFC baseline. Your actual maturity assessment will produce real scores from your setup.


Run a ZAIS ATO Maturity Assessment

How mature is your ATO investigation capability?

Zarelva reviews your current ATO detection, investigation, and explainability controls against the ZAIS standard — and gives you a maturity score, control gap list, and remediation roadmap.

Delivered in 10 working days · Fixed fee · NDA before any data is shared

Book a Discovery Call → Start with a $599 Snapshot
You receive
ATO maturity score across 5 dimensions · Top 20 control gaps · Remediation roadmap
How it works
Review of current controls against ZAIS standard · No production access · CSV exports only
Who it's for
Digital lenders · NBFCs · BNPL platforms · Fintechs processing ₹5Cr+ monthly