Device monitoring

Overview

Solaris has introduced device monitoring as an additional layer of fraud prevention. Partners are required to collect device fingerprints from their (potential) customers' devices using the Seon SDK and then submit them to Solaris when calling certain API endpoints. Solaris will analyze the provided fingerprints when performing Customer Due Diligence checks and notify you of any suspected fraud using the PERSON_CHANGED webhook.

This guide explains how to implement the Seon SDK in your solution (regardless of platform) to collect device fingerprints and when to provide them to Solaris.

Device monitoring flow

Here is the flow for integrating device monitoring into your solution:

  1. Implement GDPR-compliant cookie consent and ensure that the Seon SDK is not initialized until the user has given consent.
  2. Implement the Seon SDK in your solution such that it initializes whenever the customer starts the app.
  3. Prior to calling any of the Solaris API endpoints that require device monitoring, generate a device fingerprint on the customer's device using the Seon SDK as described below.
  4. When calling one of the Solaris API endpoints that requires device monitoring, provide the Base64-encoded fingerprint obtained from Seon as the device_data property in the API request body.
  5. Solaris will analyze the device fingerprint while conducting its Customer Due Diligence checks.
    • If Solaris detects any suspected fraud, you will receive a notification on the PERSON_CHANGED webhook. If you receive this webhook notification, call the GET Retrieve a person endpoint. Parse the response for the value of customer_vetting_status, which contains more information about the suspicious activity.

Follow these steps to integrate the Seon SDK into your solution:

Step 1: Install the SDK for your platform

Depending on which platform(s) your solution is built on, follow the instructions below to set up the Seon SDK:

Step 2: Collect GDPR cookie consent

In accordance with the GDPR, before you create any device fingerprints you must display a disclaimer and obtain the customer's consent to the collection of their device data. The disclaimer is part of your cookie notice, and the customer must accept it in order to proceed.

Note:
  • You must treat device monitoring as an essential cookie in your GDPR disclaimer (i.e., your customer cannot opt out of it if they wish to use your solution).
  • You may not create a device fingerprint without collecting your customer's consent first.
  • You must collect this consent before creating a person resource for the customer. (The consent record itself, created with POST /v1/persons/{person_id}/device_consents, requires a person_id, so the modal acceptance comes first and the consent record is created once the person resource exists.)

Note: For existing customers onboarded before this feature was introduced, see Appendix I for instructions.

Display the following text to the customer in the modal:

"By clicking [Accept], you also consent to [insert Partner name] collecting information from your device on your browser, traffic data, location data and other device-related information, including the session ID, and transmitting such to Solaris along with your email address, name and phone number. Solaris may add additional data and use a service provider to perform fraud prevention and anti-money laundering checks. This is essential for a secure provision of the banking services that you are requesting by Solaris; therefore you cannot proceed without consent. You can withdraw your consent at any time by email to [insert Partner email], but without consent you will not be able to continue using Solaris' services. Please find further information in our privacy policy [add link to the privacy policy of Partner]."

German-language version of the same notice (translated here into English):

"By clicking [Accept], you also consent to our retrieving information from your device via your browser, traffic data, location data and other device-related information, including the session ID, and transmitting it together with your e-mail address, your name and your telephone number to Solaris. Solaris may enrich this data with further data and have it checked by a service provider for the purposes of fraud prevention and anti-money laundering. This is strictly necessary for the secure provision of Solaris' banking services; without your consent you therefore cannot proceed. You can withdraw your consent at any time with effect for the future by e-mail to [...], but without consent you cannot continue to use Solaris' services. Further information can be found in our privacy policy [add link to the privacy policy]."

POST Create user consent for device monitoring

This endpoint records consent from the given person (specified in the request URL) to collect device fingerprints on their registered device. Each consent is tied to a specific device.

Request URL

POST /v1/persons/{person_id}/device_consents

Response example:

The API returns an id, which your solution must use as the device_consent_id as described below.

[
  {
    "id": "17a7389adaf83145770d8e6c00a398ddcon",
    "person_id": "e2bbc86268e9a4667861b73f31dba03bcper",
    "created_at": "2021-06-25T09:44:25.000Z"
  }
]


Cookie consent storage guidelines

  • Store the device_consent_id on the user's device (e.g., as a cookie or in app storage), not on your backend.
  • You must reuse the device_consent_id on the same device. Generating a new device_consent_id requires an explicit request for the user's consent.
  • When the user reinstalls the app, they must give their consent again, and you must create a new device_consent_id.
  • When the user gets a new device, they must give their consent again, and you must create a new device_consent_id.
  • The device_consent_id is independent of device binding; the two mechanisms operate separately from each other.

Step 3: Initialize Seon SDK on app launch

Your solution must initialize the Seon SDK whenever a user accesses your solution, and it must set a session ID that marks the beginning and end of a user session for the SDK.

Use the device_consent_id returned by the POST Create user consent for device monitoring endpoint as the session ID (for example, 17a7389adaf83145770d8e6c00a398ddcon from the response above). The SDK embeds this session ID in the fingerprint string it returns (see Step 4).

See the code samples below for each platform:

Kotlin:

// Android: build the SDK once with the application context and the consent ID as the session ID
val deviceConsentId = "ID from the consent for this device"
val seon = SeonBuilder()
    .withContext(applicationContext)
    .withSessionId(deviceConsentId)
    .build()

Swift:

// iOS: set the consent ID as the session ID before requesting a fingerprint
let deviceConsentId = "ID from the consent for this device"
let seon = SeonFingerprint()
seon.sessionId = deviceConsentId

Web (TypeScript):

// Browser: configure the Seon JS SDK with the consent ID as session_id;
// "deviceinf.com" is the Seon data-collection host
const deviceConsentId = "ID from the consent for this device"
seon.config({
    host: "deviceinf.com",
    session_id: deviceConsentId,
    audio_fingerprint: true,
    canvas_fingerprint: true,
    webgl_fingerprint: true
})

Step 4: Get device fingerprint from Seon SDK

Prior to calling any of the Solaris API endpoints that require device monitoring (listed in the next section), generate a device fingerprint on the user's device.

Code samples:

Kotlin:

val deviceData = seon.fingerprintBase64

Swift:

let deviceData = seon.fingerprintBase64()

Web (TypeScript):

// getBase64Session() returns a Promise; await it (inside an async function) before sending the value
const deviceData = await seon.getBase64Session()

You will receive a Base64-encoded string from the SDK. It consists of semicolon-separated fields: a platform prefix, the session ID you set in Step 3 (here a device_consent_id), followed by the encoded fingerprint data:

Web;7d2cf82ae5774e5293e4c020d2381217dcon;jVl14emA+OcyALb9F+CMFg==;NU7aFh0jdzM15wj8hQtqbA5LbzEFWDI1bUwZf/zbau0P2MIEUE+LsifBKvxjCYNUyz647bpSjnQ6Tu8IK22sxFlTGEFaHKBigzmP8Nc8FvVSWKzslmSWTFJM5AYc+EGTZLprlcdrLldsZLS5PpHfPMmvtqCXVTnGhYV7GvutI1w5/67yK7pCQDxDicKjqlMg1naMiwCuqP1U1lUtf+lTdmJ1T1lXMPARffTn4XAr66vUxN++sy7qytkdcOeCsaxZnLspUEvqu+2ILHF8pOJFG7gYC11rqWOyHG3Ns1E1dZ57ybrgGTKfctFOdx2IMXnz1/i/pDC5QokRr2BTIZZ/9Tj+xXzWpzNwHtRWWK5VEufyVRPyMXQdmry7UYKrouAzlLCYSMv7GcPwOZz+gDjCkrNia7/DGBBFLOvtlufDztPpvkH2jmN32/oJHl1Qu6zpxG3Lyl8RNdyukuNYfiPw0ECoXsXObwQc7Ja8R+V5S7QZeV1VV9aavlH1+Xl9v0OlOJ1XujO7izWESMIfzAuaL6ACYhdkmkC3kicjOWUjaY3OJYrrXxQ+MScnJOQ9neMRWij7YqNxP8F259zVjqqyaL6hN8EZU/pi+cZUVkfFvMYT5ugE9JXjkFfyy4UQeSmNRjDXRzu40LyweqUns8u3GOIFzfZ9eVOv+q7OV+RpVLOJLz1Za8RPIh3UKltCzOTmO8OpDz2aGoqNdL4zAaLl4EKRoarEiSG9K2/GoyHchi6xdHYA6DqQg5xQM4s50RUySGwWLxBB3ZlMpZpdZAVBrLSyl1SWqYTosdyURtiiX0So+kdik5XJ5Vsh0v75rNP5Yrv3t5/u94wx51zKlpDH8Uiap7kP0eibRmmN196kxMcOf8Q50JM1Yt8cJiawTWdGHzGRcNtEkpon5VLp/kwDU+4IPwlW976hKsom0PTB/EVxo5CWuL6kPiaEWUrWOL7BZ2jkuebHT2jBAJuFBaeac7IYnrAMoLgfY33Vs3EtVk8H12iDX3O9JmGsDGXP0/vBx0uFEgrTt6HjwabWGRHpPPPCorSrjfuySwKlnZtp1KkeNrOso8K8DBW6e+6j1YYaxTjBUZSLl1qgzd1dpz85vB/trWdyS3i+APHw/AsP/Y4cmu/CFZqpe1Sgye1+YNP3Hs3LpxJKM3prnAoaCmrHp5aUKo5KdicAnilBTzBAV2zGBWHrBwWLWHl+RDQpncyWD2/ZCswxtXbQAhlmVD7FvBXnT0Yyg5gaFo5GVBcURzBYtwbdl3+6sqKtR3XC22GBw0OOqZ9/QvMHmCO/K89rEjfLEaVX4eKhrdzjxOwOxmE5lXrLqfscV90Yo9Uj1awvpF5TL5vW85asT2iVHYjZ1JsQ5oLp3VUfIAqTNmpcjRk763hMsTUIrn3VfpLkGajZbtxD2FuNNMoRZQBfiOAxPUDFmspxWagNSbmUZ8FqPX/6asQIJIyvAk4cvzgV9OjzdkoEcFP2OGjFnddZtLmBh9BZDWtS3VOL98lp+cH/JAn8pDab2l6zIwHRccePbuBcGZZgU39FOVpI+sbHZJ6QEhiUA8SdT7SLcTf4P1tBbdN5+dpjaWfTph1cgZyW8EsAIFc81vR6tBqSSpxmS164ADWZW+PYz4b4SRVklT3Cs2tJ/TTMM240pnkNJUd3G/0PbBGVPea5+XUs1bF5cT0fiHWA032Dm87biMEU89fdPkvnSlIsN/MbLT2kj2tPZqhOrqTxCg26jimd+2kNdZ2fwvT8JQfO0hVidnPDPLXH5aA6T6+bKqfpvJE6USAif8fPQ0rW4+315LKH5wG8Qj0omO2Ynii0IE6cR0lAGrtoLsXMf3kDqFms+Z2h79pYQrnhUSntZ3tjt3pwgejJ8ZKXdN7kYWT8UiQnLnkfLJnh1e8a4UURe7GU9UwnqqFXeHrstb8XXxiIX7syFG5iLdN9IExi5BefYnAikCTU+ssMWnnhppX6jFV43u+KEaa1/7AqibMc3Kt+kUxHlQsAo2TCg+u/39rsgNs5eWym7YptvBCN6L4Q4QRoKNFo8CJerS4dTxksD2zeGL4BLIsvMbcm6rlHrKCR5PeWRiFpK8QwwaOyiTGL5NN2Xl6F0M4vf5gnWikZTrppv7bLUYZhrU1uGiv968ZGEq+A7w2oLvbZS7l+DZuN4rPF5SzPWq94jC1NiYjaPrGyTQIISRiBLXil5puqCobYHAIeVQzHBgki3/N+Pwk4iCrxf3pqnUSNmtrmvphmo9Vp3xAaPSFsUYfIyOPiO5gcNUoGQ1kHZ3Yoksqh6U1hRCzlkMSbX6kzDYUNEgc47t2AKxLM5IpYCWAv+uefNAAb/4+f7Qh4sMqtXHc5lGK3GN8ABTIVeFphtJg36Y6xg8OTrBR5ItS/tdy6zyfTLfZFocRbfjsLfoiCeHJO0sEZIWgHsu80FVZmo4G84N6zNZkdjnFDZkgRYP9OSqMbPCXyb5Xj1H6g67rNjtY67B3613uGJ0pHCQpl0Lmz2apUMq9EVRz5tZT+RA8sCRcK4mkBEWzdC7ngI5+dfX2dEqu157rsc0yU4OWNElLWC3F1TXOsB2/n1+LBHpjKLIMok2afui1H9+eof1zLAba4hrnYEFI4WjvEAvcsyPI/eONNdxk7liVNNaD7j6vvwYKOxTZoriKwvGxeNApC+Z8xQ8HpnEaRIUqb2Eh1SfpyDta8J1dXnRF1HTq2pOvfitomb701g0diB7+StEpCxiRLCx3TEJcroqBiCE3szXdc9VSVyfklkHmbJE33CY8tGm1YEvaXAY7a5yWLHWHzqQvNuZkQ1DNbJAkP9dt1t8Fv3njG2lXFmAOJkZwpvm9qEHZTmuUmflIMhu9nMsgZd5VMjalTmHqZdy7zmnAz8LhYiUDMbPDNOd4UTehvTanDEBBYTJB6CYv6QnBYwuAPsZwRnZdHbpl6lIXStmgsxV3DLtKAUy8eoqCdDOMyep9L4ArSWEJstEBNkZ5zgk7bOspvF1V8HrhFzJCiwR7WC+GHJTHLH1S8FfmHFTXJHecvq6tpMncaJFbo4jSfm9ozBAVAAN2mCn/yBbmX9tPmXdGEsTSpdp6vVWKEdHZ1rjCqmgDENxh75H5uT9DeZ0mAKwkP5Ai+bN3hT0y1XGE44b/aJ7PEObogYAioej/Z690zKx+fHxP50juTgt+UIQ+l/mpcYnbcYe4lkXrqGpwxFU8OrRzzfJX/s90VVlzrQVAPNW/mvYkt+MqSVwI1EP62faXlXnDqbmVFUmMGeoquP58cwqSBaNL/oi2Rg7GVvdvus+i2Qpm1SHtnPVUhTwWFigiWw/T2ZZeUs4nk+Q/xOFa/

The platform prefix is "Web;" for web, "iOS;" for iOS and "Android;" for Android (the semicolon is part of the prefix).

You must generate and supply this string as the value of device_data for all of the API endpoints that require device monitoring (listed in the next section).
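The whole client-side procedure from Steps 2 to 4, as an added example in TypeScript (not Solaris or Seon code). The Seon SDK and the consent endpoint sit behind small interfaces so the module runs offline; the storage key name, the MemoryStorage and fakeSeon stand-ins at the end, and the sample IDs are assumptions or constructed data. Beyond the page's own snippets it adds two checks a practitioner would want: the consent decision is a pure function over what is stored on the device (reuse, create, or ask), and the fingerprint's plaintext prefix is checked against the device_consent_id before it is placed into device_data.

```typescript
// Added example, not Solaris or Seon code. Models the client-side flow from
// Steps 2-4: consent gate -> device_consent_id kept on the device -> Seon
// session keyed by that ID -> fingerprint checked before it becomes device_data.
// The Seon SDK and the Solaris consent endpoint are abstracted behind small
// interfaces so the module runs offline; the storage key and the stand-ins at
// the bottom are assumptions for illustration.

export const CONSENT_STORAGE_KEY = "solaris_device_consent_id"; // assumed cookie/localStorage key

/** Minimal key/value store; window.localStorage or a cookie wrapper fits. */
export interface DeviceStorage {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}

/** The two Seon JS SDK calls the page uses. getBase64Session is asynchronous. */
export interface SeonLike {
  config(opts: { host: string; session_id: string; audio_fingerprint: boolean;
                 canvas_fingerprint: boolean; webgl_fingerprint: boolean }): void;
  getBase64Session(): Promise<string>;
}

export type ConsentAction =
  | { action: "reuse"; id: string }   // same device: the stored ID is reused
  | { action: "create" }              // consent given, no ID yet (new device or reinstall)
  | { action: "ask" };                // no ID and no consent: show the modal, do not fingerprint

/** Pure decision step behind the cookie consent storage guidelines. */
export function decideConsentAction(storedId: string | null, consentGiven: boolean): ConsentAction {
  if (storedId) return { action: "reuse", id: storedId };
  return consentGiven ? { action: "create" } : { action: "ask" };
}

/**
 * Returns this device's device_consent_id, creating one only when needed.
 * createConsent wraps POST /v1/persons/{person_id}/device_consents and returns its id.
 */
export async function getOrCreateDeviceConsentId(
  storage: DeviceStorage, consentGiven: boolean, createConsent: () => Promise<string>,
): Promise<string> {
  const decision = decideConsentAction(storage.getItem(CONSENT_STORAGE_KEY), consentGiven);
  if (decision.action === "reuse") return decision.id;
  if (decision.action === "ask") throw new Error("device monitoring consent not given");
  const id = await createConsent();
  storage.setItem(CONSENT_STORAGE_KEY, id); // on the device only, never on your backend
  return id;
}

/** Plaintext prefix of a Seon fingerprint string: "<platform>;<session_id>;..." */
export interface DeviceDataHeader { platform: "Web" | "iOS" | "Android"; sessionId: string; }

export function parseDeviceData(deviceData: string): DeviceDataHeader {
  const parts = deviceData.split(";");
  if (parts.length < 3) throw new Error("device_data has fewer than three ;-separated fields");
  const [platform, sessionId] = parts;
  if (platform !== "Web" && platform !== "iOS" && platform !== "Android") {
    throw new Error(`unexpected platform prefix "${platform}"`);
  }
  if (!sessionId) throw new Error("device_data carries no session ID");
  return { platform, sessionId };
}

/** True when the fingerprint was produced in a session keyed by this device's consent ID. */
export function deviceDataMatchesConsent(deviceData: string, deviceConsentId: string): boolean {
  try { return parseDeviceData(deviceData).sessionId === deviceConsentId; }
  catch { return false; }
}

/** Adds device_data to a request body, refusing a fingerprint from another session. */
export function withDeviceData<T extends object>(
  body: T, deviceData: string, deviceConsentId: string,
): T & { device_data: string } {
  if (!deviceDataMatchesConsent(deviceData, deviceConsentId)) {
    throw new Error("fingerprint session does not match this device's consent ID");
  }
  return { ...body, device_data: deviceData };
}

/** Steps 3 and 4: session keyed by the consent ID, then a fresh fingerprint. */
export async function collectDeviceData(seon: SeonLike, deviceConsentId: string): Promise<string> {
  seon.config({ host: "deviceinf.com", session_id: deviceConsentId,
                audio_fingerprint: true, canvas_fingerprint: true, webgl_fingerprint: true });
  const deviceData = await seon.getBase64Session();
  if (!deviceDataMatchesConsent(deviceData, deviceConsentId)) {
    throw new Error("SDK returned a fingerprint for a different session");
  }
  return deviceData;
}

// Constructed stand-ins so the flow runs without a browser or network (not real SDK behaviour).
export class MemoryStorage implements DeviceStorage {
  private m = new Map<string, string>();
  getItem(k: string) { return this.m.get(k) ?? null; }
  setItem(k: string, v: string) { this.m.set(k, v); }
}
export function fakeSeon(platform: DeviceDataHeader["platform"] = "Web"): SeonLike {
  let session = "";
  return {
    config(o) { session = o.session_id; },
    async getBase64Session() { return `${platform};${session};jVl14emA+OcyALb9F+CMFg==;QUJD`; },
  };
}
```

Wire the real pieces in by passing window.localStorage (or a cookie wrapper) as the DeviceStorage, the Seon SDK object as the SeonLike, and a function that calls POST /v1/persons/{person_id}/device_consents as createConsent. Keeping the decision logic pure means the reuse, reinstall and new-device cases from the storage guidelines can be unit-tested without a browser.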

Actions that require device monitoring

Prior to calling any of the following API endpoints, you must generate a device fingerprint on the customer's device:

How to test device monitoring

You can use the following mock session IDs in testing environments to initialize the Seon SDK and trigger a suspicious or non-suspicious behavior response:

Session ID                            | Mocked behavior                 | customer_vetting_status value
179ac83968ab42f79e960c1753a4078fdcon  | No suspicious behavior detected | NO_MATCH
8ed57aeb750a4b44a4186e0d29826a04dcon  | Suspicious behavior detected    | POTENTIAL_MATCH

Further reading: Seon SDK documentation

If you'd like to read more about the Seon SDK and how it works, check the following links:

Appendix I: Handling consent for customers onboarded prior to device monitoring rollout

You have two options for how to handle customers onboarded prior to the implementation of this feature:

  • Provide them with a grace period of thirty (30) days after logging in for the first time since implementation to consent to device monitoring (on any device).
  • Deny them access to the frontend unless they consent to device monitoring.

For the first option, you must implement a separate GDPR disclaimer modal with the option to accept, reject, or defer a decision on device monitoring.

If the customer rejects device monitoring:

If the customer defers their decision on consenting to device monitoring:

  • You must inform them that without consent, the customer relationship will be terminated with immediate effect after a period of thirty (30) days.
    • Please note that this will occur 30 days after the date when you inform the customer.
  • After thirty (30) days, if the customer still has not consented, then you must block the frontend for the customer and initiate an account closure request for their account using the reason CUSTOMER_WISH.