Evidence is mounting that graphs are an excellent use case for cybersecurity in financial services. Why? Because the activity and sensor data collected across cyber systems naturally expose a set of interactions best modelled as graphs, rather than in traditional relational database formats. In addition to monitoring individual behaviours, graph-based approaches—made famous through their application in social networks—can also surface when networks of bad actors are attempting to subvert and penetrate defences, giving security teams a more comprehensive view of emerging threats.

The Capitec experience

A real-world example of a bank putting these ideas into practice is Capitec, which uses an in-memory graph database on AWS and graph-based features in its production fraud detection pipeline.

South Africa’s fastest-growing retail bank and largest digital bank, Capitec serves over 25 million clients as of 2025. The bank offers simple, low-cost transactional and digital banking services, aiming to make banking accessible to all. However, fraud is a growing challenge in the country, with 2024 figures showing an 86% increase in ‘card-not-present’ cases.

For the past two years, using graph technology, Capitec has been leveraging relationship-based insights to tackle cybercrime. The bank transforms transaction data into connected fraud graphs, generates graph-based features, and feeds those features into a specialised internal fraud scoring pipeline, which has now reached production status.

The result is a graph-based fraud detection system capable of identifying high-degree connections and hidden fraud patterns. The production version uses 27 graph and 23 tabular features, down from an initial 195 graph features—including centrality and community-based signals—and processes over 3.5 million records per day in roughly two hours.

That’s security at scale. Derick Schmidt, the organisation’s Head of Product, estimates the tool has achieved a false positive rate of only 2.1%. The graph-based approach has proven so successful at helping fight suspicious behaviour that the bank now runs seven live anti-fraud graphs, with plans for more.

Relationships matter in the fraud problem space

According to the data science team at Capitec, fraud in banking is increasingly sophisticated, often involving networks of accounts, devices, and identities. The bank’s experience has confirmed that traditional, rule-based systems struggle to detect these coordinated schemes.

Instead, knowledge graphs, which enable organisations to map relationships among entities such as customers, accounts, transactions, and devices, and to uncover intricate, networked fraud patterns, have become a powerful tool. As Schmidt puts it, “The answer is graph. It’s the hidden fraud connections that you can discover here that’s very important: after all, if you can find a pattern, you can weed out quite a few of the scammers at once.”

The bank’s interest in a graph-based approach arose from two main challenges. First, fraud was highly networked: small, distributed transactions across linked accounts often escaped conventional detection.

Second, speed is critical in cases like credit or debit card fraud; delaying detection even by a few hours could translate into substantial losses. What that means in a business context is that spotting a suspicious transaction alone may be insufficient. Examining the surrounding network—shared beneficiaries, repeated routes, tightly connected communities, or accounts a few hops from known fraud—can reveal critical patterns.

Capitec says that, to respond at speed and scale, it needed a way to represent payment relationships, explore multi-hop connections efficiently, and convert graph patterns into features for production-grade fraud scoring. Fortunately, the bank has found that graphs offer the ability to connect data points and visualise relationships in near real-time, enabling analysts to see the bigger picture. As Jan Ehlers, Data Scientist and Data Engineer on the project, notes: “When you look two hops or more, that is where you really get more information and you can actually see common fraudsters between different clusters.”
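To make the idea of turning graph patterns into scoring features concrete, here is an added example (not Capitec's pipeline or code) that links accounts through shared devices, phone numbers and payments, then derives per-account features. All account names, attributes and the known-fraud label are constructed, and connected-component size is used as a simple stand-in for community-based signals.

```python
from collections import defaultdict, deque

# Constructed sample data: account/attribute observations and payments.
LINKS = [("acc1", "device:D1"), ("acc2", "device:D1"),
         ("acc2", "phone:P7"), ("acc3", "phone:P7"), ("acc4", "device:D9")]
PAYMENTS = [("acc3", "acc5"), ("acc6", "acc7")]
KNOWN_FRAUD = {"acc1"}  # constructed label set


def build_graph(links, payments):
    """Undirected account graph: edge when accounts share an attribute or transact."""
    by_attr, graph = defaultdict(set), defaultdict(set)
    for acc, attr in links:
        by_attr[attr].add(acc)
        graph[acc]  # register the account even if it ends up isolated
    for accounts in by_attr.values():
        for acc in accounts:
            graph[acc] |= accounts - {acc}
    for src, dst in payments:
        graph[src].add(dst)
        graph[dst].add(src)
    return dict(graph)


def hops_from(graph, sources):
    """Multi-source BFS: hops from the nearest source, for every reachable node."""
    dist = {s: 0 for s in sources if s in graph}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def graph_features(graph, known_fraud):
    """One feature row per account, ready to join onto tabular features."""
    to_fraud = hops_from(graph, known_fraud)
    return {
        acc: {
            "degree": len(neighbours),
            "hops_to_fraud": to_fraud.get(acc),  # None: no path to known fraud
            "component_size": len(hops_from(graph, {acc})),
        }
        for acc, neighbours in graph.items()
    }


FEATURES = graph_features(build_graph(LINKS, PAYMENTS), KNOWN_FRAUD)
```

In this sample, acc5 has never shared a device or phone with the flagged account, yet it sits three hops away through a payment to acc3, which is the kind of indirect link a per-transaction check would not see.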

Proof in the cyber pudding

Two years on from what began as an experimental ‘try it and see’ start, Capitec’s knowledge graph has evolved to integrate multiple data sources, including transaction histories, customer profiles, device IDs, and public watchlists.

By linking these entities, investigators could identify suspicious patterns that traditional systems would miss. Early graph analyses, for example, revealed networks involving up to nine linked accounts sharing devices or phone numbers, which would have been virtually impossible to track with conventional methods.

The graph-based system also allowed analysts to curate alerts and workflows effectively. Instead of overwhelming investigators with hundreds of disconnected transactions, the graph-based internal anti-fraud tool highlights only the most relevant nodes, reducing false positives and improving investigative focus.

In practice, this meant analysts could detect up to 50% more suspicious activity compared with the legacy system, while investigation time fell by 30–40%. One key insight the team emphasises is the importance of tool curation and context awareness. Capitec found that overloading the system with too many detection parameters or automated scripts—effectively, too many tools—could introduce confusion and lead to misfires.

As a result, limiting the graph’s automated triggers to the minimum set necessary for each investigation, while breaking down complex cases into smaller, manageable sub-tasks, has improved both precision and efficiency. Now, analysts can monitor a smaller subset of high-risk accounts and devices, aggregating results before escalating cases for action. This approach mirrors the least-privilege principle used in IT security, which only ever grants the access needed to complete a task.

I think it’s important to note how important rapid response is in this context. Schmidt states that because the graph software he’s using runs in memory, it’s fast and highly performant.

A knowledge graph cybersecurity approach in banking has also improved proactive threat detection. By modelling relationships dynamically, analysts can identify emerging fraud rings before significant losses occur. Patterns connecting devices, accounts, and IP addresses enabled investigators to anticipate coordinated withdrawal schemes or suspicious account linkages, rather than simply reacting after the fact. The graph could also encode policies, such as limiting actions across certain accounts, helping the team maintain operational control while automating low-risk monitoring.

The team has stressed that technology alone isn’t enough. Domain expertise is crucial; analysts need to work closely with engineers to constantly refine and fine-tune the relationships and alerts the system models, ensuring it stays ahead of emerging threats.

As a result, the bank’s knowledge graph has become a living tool, constantly evolving to reflect new fraud patterns and ensuring that high-value investigations are efficiently prioritised. And there are real metrics to show the value here, with faster detection, more accurate targeting of high-risk activities, and a reduced operational load for fraud teams.

Time to see if this could work for you?

By connecting disparate data points, visualising networks, and curating both tools and context, organisations like Capitec, and other financial services firms and banks concerned about the rise in fraud, can mount an effective, proactive defence against even the most sophisticated schemes.

For banking institutions facing increasingly complex threats, knowledge graphs are an essential tool for protecting revenue and customer trust. Certainly, something worth looking into?

Marko Budiselic is Co-Founder & CTO of Memgraph