Adopted in 2016 and effective since 25 May 2018, the GDPR has profoundly transformed the way companies collect, process and secure personal data.

Its objectives:

• Strengthen the rights of European citizens.
• To make companies more accountable in their use of data.
• To harmonise rules within the European Union.

For the anti-fraud sector, the impact is significant: the detection of anomalies and suspicious behaviour relies on the analysis of many types of personal data (identity, payment methods, transaction history, etc.). The GDPR therefore requires a balance between security, performance and respect for individual freedoms.

2. A legacy of innovation and security with our historic CNIL authorisation

Long before the GDPR came into force, Oneytrust had already adopted this approach to compliance.

In fact, we benefited from a historic agreement (FIA-NET in 2005 and Oney Tech in 2013) with the CNIL, authorising the pooling of our customers’ data, mainly in the e-commerce sector, subject to guarantees of privacy. Oneytrust has thus become the only French player to benefit from such extensive experience in data sharing, spanning more than 20 years.

This authorisation, developed in collaboration with the supervisory authority, has made it possible to:

• To significantly streamline the journey time for customers already known in our database,
• To identify anomalies and fraud trends more effectively by relying on velocity and using our fraud experts to make decisions,
• To protect both consumers and merchants,
• while ensuring a high level of personal data security.

This expertise was even cited by the CNIL in its 2021 White Paper, proof of the added value and pioneering nature of our approach.

3. A stronger internal GDPR culture

The implementation of the GDPR marked a new stage: beyond technical measures, we focused on fostering an internal culture of compliance.

At Oneytrust, every employee plays a role in data protection, thanks in particular to:

• mandatory annual training,
• regular awareness campaigns and monthly newsletters,
• the systematic involvement of our Data Protection Officer (DPO) and compliance team in our projects,
• the implementation of a data protection impact assessment on all our projects that have a structural impact on personal data,
• a continuous improvement process to adapt our practices to regulatory changes.

This collective effort means that compliance is not only perceived as a legal and regulatory issue by our teams, but more as a shared value in our daily work, by design, and acts as a differentiating factor for Oneytrust in a landscape of anti-fraud players, many of whom are based outside Europe.

4. Enhanced security thanks to our membership of a major banking group

Our membership of the BPCE group, France’s second-largest banking group, imposes particularly high standards in terms of security and compliance. Banking institutions are subject not only to horizontal regulations but also to numerous sector-specific regulations due to the critical nature of their activities.

This is reflected in particular by Oneytrust’s active participation in the Oney group’s DPO community, where we share best practices and regulatory monitoring, the implementation and execution of ongoing internal controls (quarterly, half-yearly, annual) that require the commitment of all our teams, and the integration of banking standards into our contractual processes (GDPR annexes, security clauses). All this is coupled with advanced technical measures: regular security tests, data flow security, etc.

Oneytrust’s commitments reinforce the robustness of our systems and the trust placed in us by our customers, placing compliance by design at the heart of our decision-making processes and projects.

5. Data protection: a key lever in the fight against fraud

Trust is the cornerstone of the fight against fraud. Consumers and businesses alike must be assured that their data is protected, even in the most sensitive contexts.

At Oneytrust, we consider compliance with the GDPR to be a strategic weapon. We see it as an opportunity: an opportunity to legitimise our role as a trusted intermediary, to ensure that the fight against fraud is conducted in a manner that respects individual freedoms and privacy, while also preparing for the future.

Indeed, with the proliferation of artificial intelligence applications, new challenges are emerging. In order to counter the increasingly widespread use of AI by fraudsters, it has become essential for those involved in the fight against fraud to increase their use of AI. This allows us to remain adaptable and effective in the face of these new fraud trends.

However, AI makes extensive use of data, particularly personal data, and requires continuous development of protection and compliance measures. This is why the CNIL (the French supervisory authority responsible for enforcing the GDPR) has already published several series of recommendations on the proper handling of personal data when using AI. These are new challenges that need to be fully taken into account by those involved in the fight against fraud!

In conclusion, for more than 25 years, Oneytrust has placed data protection at the heart of its anti-fraud measures. The GDPR should not be seen as a constraint, but rather as an opportunity to strengthen trust, protect our customers and guarantee ever more effective and responsible solutions.

In a context marked by the rise of artificial intelligence, this requirement has never been more essential. It guides our daily commitment: combining security, performance and respect for fundamental rights. Please do not hesitate to contact us if you have any questions about the security of our fraud prevention processes and solutions, including the protection of personal data!

The post GDPR and fraud prevention: a historic and strategic commitment for Oneytrust appeared first on Oneytrust.

It all starts with fake advertisements on a reputable marketplace, offering an educational game (story box) called MERLIN at a slightly discounted price compared to the competition. The buyer, enticed, places an order. But behind this transaction lies a well-oiled mechanism: the fraudster uses the customer’s details and a stolen bank card to purchase the product from a legitimate retailer – one of our partners specialising in childcare products.

The result: the customer receives their product, convinced they have got a good deal. But the retailer faces a bank dispute and will never be paid.

Rapid detection, immediate response

Thanks to a sudden spike in sales of this product, our models detected an anomaly: our analysts were immediately alerted. Expert rules were put in place for our teams in less than four hours! Less than 12 hours after detection, the network was neutralised. This efficiency is based on the synergy between our Data department and our Investigations unit.

• Investigators analysed weak signals to reconstruct the modus operandi.
• Data analysts transformed these insights into enhanced security rules capable of blocking future attempts and monitoring network developments.

In-depth investigation: knowing your enemy

The story does not end there. Our experts continued their investigation to gain an in-depth understanding of how the network operated:

• Four ‘professional’ shops were identified on the marketplace, all registered under different company names – identity theft.
• Active since March 2024, they generated hundreds of orders, exclusively for educational games.
• The fraud network manipulated the platform’s algorithms to push his products to the top of search results, notably by offering lower prices than others.

The result: a few hundred pounds in damages, but thousands of pounds in fraud prevented. Enhanced security rules, seasoned investigators, and fraudulent shops closed. A healthier marketplace.

The return of the Merlin network

In February 2025, the network returned, more cunning than ever. This time, it targeted two other partners via a new marketplace, with different products: small electrical appliances. The cat-and-mouse game lasted until May 2025, with the opening of fake shops, changes in products and targeted retailers.

This new round required:

• Constant monitoring,
• Regular updates to security rules,
• Ongoing training for our investigators,
• And above all, close collaboration with our merchant partners, who are fully committed to this fight.

How can you protect yourself against triangular fraud?

Here are the key levers for anticipating and blocking this type of fraud:

1. User awareness: Inform buyers and sellers about warning signs: prices that are too low, suspicious contacts, unusual payment requests.
2. Identity verification: Strengthen controls on platforms: supporting documents, cross-checks, etc.
3. Transaction monitoring: Implement analysis tools to detect abnormal behaviour and weak signals.

Triangular fraud is a growing threat. But with the right tools, constant vigilance and active collaboration between all e-commerce players, it can be effectively contained.

The post MERLIN Network: the comeback! appeared first on Oneytrust.

a) Security and protection of citizens

The primary purpose of digital identity is protection. Users whose identities are stolen suffer dramatic consequences: loans taken out in their name, administrative disputes, damaged online reputations. Having a robust digital identity based on reliable technical and behavioural signals helps limit these risks.

b) Trust and fluidity of exchanges

For a company, accepting a new customer involves a risk. Digital identity provides the necessary elements to establish a trust score: is this a real, consistent person who has been active for a long time? This trust then facilitates exchanges, reduces friction (simplified KYC, smooth user journey) and improves the customer experience.

c) Sovereignty and independence

Today, proving one’s identity online often involves major private players (connection via Google, Apple or Facebook). However, delegating this strategic function to a few companies poses a problem of sovereignty. European states are seeking to regain control in order to avoid excessive dependence and guarantee data protection.

d) Inclusion and equal access

Digital identity must not become a factor of exclusion. People who are digitally excluded (the elderly, rural areas, vulnerable populations) must have access to simple and accessible solutions. Equity requires an inclusive design of these tools.

2. Future prospects

By 2030, digital identity could undergo three major developments:

Increased standardisation: adoption of international standards enabling seamless recognition between countries and services.

Biometric integration: enhanced association with biometric fingerprints (voice, face, fingerprint) to further secure access.

Enhanced user control: emergence of solutions where users decide which elements of their identity to share, depending on the context (e.g. proving they are of legal age without revealing their date of birth).

In a nutshell…

Digital identity is no longer a technical curiosity. It has become the beating heart of digital societies. It protects, streamlines and empowers, but also raises questions about surveillance and sovereignty.

By understanding it, decision-makers and citizens have an essential lever for navigating a world where the virtual and the real are inseparable. Ultimately, digital identity is the identity card of the digital age: intangible but decisive, invisible but unavoidable.

The post Digital identity: the new identity card for the digital age – Part 2 appeared first on Oneytrust.

1 . Defining digital identity:

Unlike civil identity, which is established and certified by the state, digital identity takes many forms. It is based on four main dimensions:

• Declarative data: surname, first name, email address, telephone number, address. This information is provided voluntarily, but can be misused/“imitated”.
• Technical fingerprints: each connected device generates a unique signature (IP address, configuration, sensors, time zones, cookies). These signals, invisible to the naked eye, become valuable clues for recognising a user.
• Behaviour: typing speed, connection times, location, frequency of service use. These elements are more difficult to falsify and constitute a behavioural signature that is almost biometric.
• Social and economic interactions: history of contact, payment and browsing data use. This data builds a coherent narrative… or, conversely, reveals inconsistencies typical of fraudulent events.

2. An identity in flux

Unlike a national identity card, which is fixed at the time of issue, digital identity is dynamic. Every connection, every payment, every interaction enriches this digital portrait. This dynamic provides robustness – it is difficult to simulate a consistent digital life over time – but also raises ethical questions:

How much data should be collected without infringing on privacy?

How can we ensure that users retain control over their digital identity?

What safeguards should be put in place to prevent widespread surveillance?

The GDPR in Europe and the concept of ‘self-sovereign identity’ attempt to provide answers. But the balance between security, fluidity and respect for individual freedoms remains fragile.

3. Why has this concept become so important?

Two major trends explain its growing importance. .

• Widespread digitalisation: smartphones have become our universal access point. From public services to healthcare, everything is now digital. Initiatives such as France Identité and the European eIDAS 2.0 regulation aim to create digital identities that are recognised at national and supranational level.
• A boom in 100% web-based crime: identity fraud is skyrocketing. The concept of ‘synthetic identity’ illustrates this trend. Fraudsters assemble pieces of real and invented data to create fake profiles capable of fooling traditional controls.

In this context, the ability to assess the credibility of a digital identity is becoming strategic for banks, insurers, retailers and also for governments.

In a nutshell…

Digital identity is constantly evolving: shaped by our usage, regulated by legislation, scrutinised for its security and commercial value. But this dynamic is not without its challenges. In the second part, we will address the multiple issues it raises – security, trust, sovereignty, inclusion – and the prospects that could redefine our relationship with identity by 2030.

The post Digital identity: the new identity card for the digital age – Part 1 appeared first on Oneytrust.

Triangular fraud is a complex and ingenious method of fraud that combines elements of real and synthetic identities to create a network of fraudulent transactions. This type of fraud relies on the interaction between three parties: the fraudster, the legitimate seller and the unwitting consumer, in order to divert resources discreetly and effectively.

How triangular fraud works:

The triangular fraud process can generally be broken down into four steps:

1. Creation of multiple identities: fraudsters begin by creating synthetic identities by combining real and fictitious information from real customer information received during purchases on their website. This allows them to generate credible buyer profiles that can interact with sellers without arousing suspicion.
2. Ordering products: using these identities, fraudsters place orders with legitimate sellers. Payment is often made with stolen or misused credit cards.
3. Reshipping products: the purchased products are shipped to intermediate addresses or directly to the ‘real customer’ depending on the method used. At this stage, fraudsters may also sell the stolen products to real buyers via online platforms at a reduced price.
4. Cash-out: Fraudsters cash out payments from genuine buyers, while the original seller remains unpaid or faces a chargeback.

Why is triangular fraud effective?

Triangular fraud is particularly effective because of its networked approach, which allows fraudsters to separate the elements of the transaction. The initial seller believes they are interacting with a legitimate buyer, while the final buyer thinks they are getting a product at a bargain price. This separation makes detection difficult, as individual transactions may appear legitimate because the information used is real, long-standing and sometimes even shows healthy activity. Traditional security rules are unable to detect these weak signals of fraud.

The MERLIN network

At Oneytrust, we are constantly detecting new fraudulent schemes. One of the most telling recent cases is that of a network we have named ‘Merlin’ because it used products from this brand to carry out its attacks. Detected in June 2024, this network perfectly illustrates the complexity and evolution of today’s threats.

It all started with an alert about unusual purchases: a sharp increase in orders for Merlin educational games, worth less than £100, from a partner specialising in childcare products. This sudden spike immediately caught our attention.

Our experts quickly spotted similarities between the orders, suggesting the existence of an organised network. However, certain elements were puzzling: the digital identities appeared reliable, and some profiles even belonged to real customers – but with a different email address. This was a clear sign of identity theft, which is rare for such small amounts.

To remove any doubt, we contacted the customers concerned. All confirmed their identity… but denied having made these purchases. The fraud was now certain. A thorough discussion with one of them revealed the key: he had indeed purchased the product, but on an online marketplace, not from our partner. The evidence provided enabled us to identify the fraudulent shop and understand the modus operandi: a triangular fraud.

Once the pattern had been established, our analysts listed the common signals associated with suspicious orders and created specific security rules. Thanks to these targeted actions, reinforced by direct checks with customers, we were able to block transactions linked to this network. The result: in less than 12 hours, the ‘Merlin’ network was neutralised.

This case shows how essential the responsiveness and expertise of our teams are in stopping new fraud networks as soon as they emerge. And the story of ‘Merlin’ is only just beginning… we will tell you more very soon.

The post MERLIN network: anatomy of a triangular fraud appeared first on Oneytrust.

1) Why AI has become essential in the fight against fraud

The boom in language models and content generation tools has lowered the barriers to fraud: flawless phishing emails, carefully crafted fake profiles, synthetic identities that are more difficult to detect, industrialisation of fraud scenarios, reusable attack scripts. Static controls are no longer sufficient. We need systems that are capable of learning, detecting weak signals, and continuously evolving. AI is not a gadget: it is essential for detecting anomalies, linking scattered events, and responding in real time without hindering legitimate processes.

2) Oneytrust’s AI toolkit

Over the years, Oneytrust has built a range of scores to analyse digital events, identify fraud patterns and prioritise actions. Our scores aggregate more than 200 signals and are based on a shared database covering more than 15 million consumers, authorised by the CNIL (French Data Protection Authority) in 2013 — well before the GDPR.
Beyond fraud at a given moment, we observe velocity: how a user, payment method, device (phone, PC, etc.) or email address behaves over time. This intelligent memory makes it possible to streamline the journey of good customers (controlled reuse of acquired trust) and tighten the noose on risks (accumulation of clues, inconsistencies, anomalies). Our rule engines remain adaptive: we add, adjust and remove rules as trends evolve, to keep pace with changing attacks without compromising the customer experience.

3) Humans + AI: augmented expertise, not automated

AI identifies, humans understand. Our investigators and fraud experts play a particularly crucial role in challenging alerts, contextualising cases, and revealing emerging patterns that models have not yet learned (low volumes, ambiguous signals, attacker innovations). This feedback loop feeds the models, improves the rules, and ensures an explainable decision. In particularly sensitive situations, human arbitration protects the customer relationship, avoids false positives, and maintains trust.

4) A strategy to acculturate our employees to Generative AI

As soon as ChatGPT was released in 2022, we quickly decided to train our teams in the use of generative AI to increase speed, operational efficiency and quality on non-sensitive tasks: writing, summarising, analysis assistance, preparing deliverables, etc. As part of the BPCE Group, we have access to the secure MAIA portal, which allows our employees to access reference models (e.g. GPT-4o, Mistral, Gemini) in a safe and ethical environment. In our training courses and with the help of our Generative AI Ambassadors, we emphasise the importance of maintaining a critical perspective on the results generated by AI (systematic verification, non-disclosure of sensitive information, traceability of uses): the aim is to accelerate useful production, not to automate indiscriminately.

5) Governance & compliance: already prepared for the AI Act!

Because many of our customers are regulated (banks, fintechs, e-merchants), we have long since implemented the safeguards expected by sector regulators: model documentation, decision logging and auditability, data quality, continuous monitoring, and human supervision. The AI Act, which has just come into force, reinforces these requirements: we anticipated this framework and are aligning our work with the BPCE Group’s compliance approach. In concrete terms, this means: system mapping, model risk management, periodic controls, proportionate explainability and team acculturation. Our ambition is to meet deadlines without slowing down useful innovation.

In conclusion, let us consider that the fight against fraud is a movement, not something static. AI enables earlier detection, better explanation and faster action — provided it is governed, complemented by humans and integrated without disrupting the user experience. At Oneytrust, it is this winning trio — high-performance models, committed experts and solid compliance — that transforms a shifting threat into a sustainable competitive advantage.

Would you like to learn more about the expertise of our models, which combine more than 200 types of data and velocities, and benefit from Oneytrust’s Data Consortium with more than 15 million digital identities to secure your customer journeys without losing conversions? Contact us.

The post AI at Oneytrust: technology at the heart of our DNA! appeared first on Oneytrust.