Zarelva Standard · Draft v0.2 for practitioner review

The decision layer for the emergency outflow lock.

When a device or identity is compromised, the decisive interval is the gap between compromise and the first fraudulent debit — seconds to minutes. ZEOL™ defines when to lock, what to lock, for how long, and why. Money leaving the account can be restricted. Money entering it never is.

Deterministic & explainable Zero PII in payloads Fail-closed on confirmed malware Full lock lifecycle & audit
25
Signals in library v2.0
6
Named attack patterns
8
Lockable outbound rails
5
Always-allow inbound rails
4
Governed release paths

The core principle

The outflow asymmetry

A control that can block a salary credit will never survive its first false positive. A control that pauses outbound transfers for thirty minutes while identity is re-verified usually will. Every ZEOL action is built on this distinction.

Outgoing — restrictable, scoped by severity
SOFTUPI Sendsoft + emergency
SOFTCard Not Presentsoft + emergency
SOFTIMPS Outsoft + emergency
HARDNEFT Outemergency only
HARDRTGS Outemergency only
HARDInternational Cardemergency only
HARDATM Withdrawalemergency only
HARDWallet Spendemergency only
A soft lock restricts only the highest-velocity rails — the ones a fraudster reaches for first. An emergency lock restricts all eight.
Incoming — never restricted, under any lock
OPENSalary Credit
OPENRefunds
OPENIncoming UPI
OPENInterest Credit
OPENAccount Deposits
This asymmetry is what makes an emergency lock deployable in production, not just defensible on paper. The customer's money keeps arriving; only its exit is paused.

Why this standard exists

Existing controls fail in three predictable ways

Too late
Disputes, chargebacks, and complaint processes begin after the money has left. In UPI-speed fraud, the loss is complete before the victim has unlocked their phone.
Post-facto
Too blunt
Full account freezes block salary credits, refunds, and incoming transfers along with the fraud. One false positive on a payday and the control gets switched off institution-wide.
Indiscriminate
Too passive
A risk score delivered to a dashboard nobody is watching at 2 a.m. is not a control. Detection without a governed, automatic, reversible response is observation.
Non-operative

Architecture & trust boundary

ZEOL consumes signals. It does not generate them.

Signal collection stays where it is technically and legally feasible — the bank's own app, the bank's transaction layer, the telco identity layer. The bank remains the data fiduciary; ZEOL is a decisioning component that sees signal identifiers and opaque session references only.

01 · SOURCE
Bank app SDK
Device integrity, permission posture, overlay & remote-access indicators — collected inside the bank's own application.
02 · SOURCE
Transaction systems
Beneficiary risk, amount deviation, velocity — the bank's existing transaction context.
03 · SOURCE
Telco / identity feeds
SIM-change events and identity signals from where they genuinely originate.
04 · DECIDE
ZEOL /assess
Deterministic decision: action, lock scope, TTL, release paths, full explanation. Versioned policy + library.
05 · ENFORCE
Bank rail controls
The bank's existing control plane enforces the lock. ZEOL never touches a payment rail.
No customer PII crosses the boundary. Payloads carry signal IDs, checkpoint labels, and bank-side correlation references. Nothing else.
Enforcement stays with the bank. ZEOL emits a recommended action and a lock object. The rails, and the liability model around them, are untouched.
No consumer-app detection claims. Stock mobile operating systems do not let a third-party consumer app reliably observe trojans, SIM swaps, or foreign overlays. Any architecture premised on that capability is premised on one that does not exist.

Signal Library v2.0.0

25 deterministic signals, versioned as data

Every assessment records the exact library and policy version that produced it — a weight change is a new version and can never silently alter decisions on in-flight traffic. POC weights are design estimates; deploying institutions recalibrate against their own confirmed-fraud data.


Named attack patterns

Combinations decide. Sums only set the floor.

Known attack shapes are matched as patterns, because signals seen together carry far more meaning than their additive sum. "Matched PAT-ATO-2" is a statement a fraud analyst, a customer-service script, and an ombudsman response can all be built on. A list of weight increments is not.

Note the deliberate escalation between PAT-ATO-1 and PAT-ATO-2: remote control plus overlay is a probable scam session — a reversible soft lock. Add a notification listener and the attacker can read OTPs, meaning transactions complete with no further victim interaction. The standard escalates to a full outflow lock at exactly that point.


Interactive

Run the decision model

This is the actual v0.2 decision logic — additive baseline, pattern matching, and the split critical overrides — running in your browser. Load a scenario or toggle signals yourself.

Decision
ALLOW
Risk score0 / 100

Synthetic decision logic for demonstration. No data leaves this page. Weights are uncalibrated design estimates — see Limitations.


Lock lifecycle

A lock is not a boolean

It is a state machine with an owner, a clock, and a paper trail. This lifecycle — not the scoring — is what makes the standard consumable by a bank: who can lift a lock, after what verification, with what evidence.

01
CREATED → ACTIVE
Lock created from an assessment
Scope, TTL, and permitted release paths are fixed at creation and written to the audit trail alongside the matched patterns that justified it.
02
ACTIVE · governed release
Release requires a permitted path
Every release attempt — permitted or denied — is an audit event with actor and evidence references. Denied attempts are evidence too.
03
RELEASED / EXPIRED
Soft locks self-release on TTL
30-minute default. If no escalating signals arrive, the lock opens on its own — false positives cost the customer half an hour, not a branch visit.
04
ESCALATED
Emergency locks never silently open
24-hour default TTL. On expiry without verified release, the case escalates to fraud operations. A hard lock's failure mode is a human review, never an open gate.
Release path matrix
Release pathSoft lockEmergency lockRationale
CUSTOMER_REAUTH — in-app strong re-authYesNoIf the device is compromised, re-authentication happens on the compromised device. It can never be sufficient to lift an emergency lock — this single rule closes the most obvious attacker workaround.
VERIFIED_CHANNEL — call-back / video verificationYesYesIdentity confirmed outside the compromised channel.
BRANCH_VERIFICATION — in personYesThe strongest path, reserved for the strongest lock.
FRAUD_OPS_OVERRIDE — analyst, dual controlYesYesInstitutional override with named actor and evidence reference in the audit trail.

Fail-closed, with judgement

Critical overrides, split by evidence quality

Not all "critical" signals carry equal evidence. The standard's answer to false-positive economics: an emergency lock whose most common trigger is a legitimate SIM upgrade will be switched off by the bank within a quarter.

ClassSignalsAloneWith any second signal
Standalone critical — signature-confirmed malwareTROJAN_01 MAL_01EMERGENCY LOCKEMERGENCY LOCK
Corroborated critical — strong but FP-prone (emulator heuristics misfire on OEM builds; SIM flags fire on legitimate upgrades)EMU_01 SIM_01SOFT LOCK + step-upEMERGENCY LOCK

Stated plainly

Limitations & non-claims

Credibility is the product. What this standard does not claim:

Weights are uncalibrated. The additive layer is a design scaffold pending institution-specific calibration against labelled fraud outcomes. The pattern and override layers carry the decision until that calibration exists.
No efficacy percentages are claimed. Fraud-loss reduction for an undeployed control cannot be honestly estimated. Adopters should be sceptical of any vendor who claims otherwise.
Detection is out of scope. ZEOL is only as good as the signals a deploying institution can genuinely produce. It does not confer detection capabilities the platform does not have.
Coverage is partial by design. Authorised-push-payment frauds where the victim willingly transfers from a clean device — investment scams, romance scams — largely fall outside compromise-triggered locking.
Persistence is the institution's. The standard specifies the state machine and audit contract. Durable storage, high availability, and dual-control workflows belong to the deploying bank.

Practitioner review · Pilot conversations

Reviewing outflow controls at a bank, NBFC, or PSP?

ZEOL v0.2 is open for practitioner review. The reference engine, API contract, and full specification are available for evaluation, and the framework maps onto your existing signal sources — not ours.