All Docs
FeaturesagentOS Direct DebitUpdated March 13, 2026

Fraud & Threshold Alert System

Fraud & Threshold Alert System

Overview

The Direct Debit service includes a built-in configurable alert engine that continuously monitors for suspicious or unusual activity across all organisations. When a configured threshold is breached, the system creates a persistent alert record and notifies the relevant recipients by email — giving letting agents early visibility of potential fraud, unusual collection volumes, or reserve shortfalls.

How Threshold Evaluation Works

An Inngest scheduled job runs every 15 minutes and evaluates all active thresholds across all organisations. This evaluation is fully automated — no manual trigger is required.

When the job detects a breach:

  1. An alert record is written to the database, capturing:
    • type — the threshold type that was breached (see below)
    • severity — the severity level of the breach
    • currentValue — the observed value at the time of evaluation
    • threshold — the configured limit that was breached
    • orgId — the organisation the alert belongs to
    • timestamp — when the breach was detected
  2. An email notification is dispatched to all configured recipients for that organisation.

Alert Threshold Types

MANDATE_CREATION_RATE

Tracks how many new DD mandates are created within a rolling time window.

  • Purpose: Detect abnormally high mandate creation activity that may indicate automated abuse or a compromised integration.
  • Example threshold: More than 5 mandates per hour.

DAILY_COLLECTION_AMOUNT

Tracks the total GBP value of new DD collections submitted within the current calendar day.

  • Purpose: Flag unusually high single-day collection volumes.
  • Example threshold: More than £50,000 collected in one day.

WEEKLY_COLLECTION_AMOUNT

Tracks the total GBP value of new DD collections submitted within the current calendar week.

  • Purpose: Identify sustained elevated collection activity across a week.
  • Example threshold: More than £200,000 collected in one week.

CLAWBACK_RESERVE_MINIMUM

Monitors the balance of the clawback reserve held in the Griffin DD holding account.

  • Purpose: Ensure the reserve never falls below the minimum required to cover potential clawback reversals.
  • Example threshold: Reserve drops below £2,500.

Alert Lifecycle

Every alert moves through the following states:

Active → Acknowledged → Resolved
StateMeaning
ActiveThreshold breach detected; no action has been taken.
AcknowledgedA user has acknowledged they are aware of the alert.
ResolvedThe underlying condition has been addressed or closed out.

Alerts can be acknowledged and resolved via the API. See the API Reference for endpoint details.

Configuration

Thresholds and notification settings are configured per organisation. Each letting agent can define:

  • The threshold value for each alert type they want to monitor.
  • The list of email addresses that should receive breach notifications.

Organisations that have not configured a given threshold type will not generate alerts for that type.

Email Notifications

When a threshold is breached, an email is automatically sent to all configured recipients for the affected organisation. The notification includes the alert type, the observed value, the configured threshold, and the time the breach was detected.

Multi-Tenancy

All alerts are strictly scoped to the organisation (orgId) that owns them. One organisation's alert configuration and alert history is never visible to another organisation.