When to Use a Blacklist, and When to Use a Rule
After joining the anti-fraud team, I noticed that blacklists are used far more extensively than they were in credit underwriting. That observation led me to reflect on the difference between a blacklist and a rule.
For readers outside the risk management field, a blacklist is a finite set of objects, such as a user ID, device fingerprint, phone number, or identity card number. Entities on the blacklist are not allowed to use the product. A rule, by contrast, is a decision function: it takes an input and produces an outcome, such as pass, reject, or review.
Mathematically, both can be expressed as indicator functions:
R(x) = 1[C(x)]
where C(x) is some condition on x, and
R(x) = 1[x ∈ B]
where B is a list.
In this sense, a blacklist is simply a special case of a general rule in which the condition is set membership. Mathematically, both are the same type of object: they map an input to a decision. In practice, however, the distinction remains useful. The term rule usually refers to non-list-like logic, while blacklist refers to list-like logic based on explicit membership. The real question, then, is not whether a blacklist is a rule, but when we should rely on list-like rules and when non-list-like rules are more appropriate.
A blacklist is like a memory of bad actors. Once a bad actor is identified, the goal is to prevent them from exploiting the product again. But this only works under two conditions: first, we can identify them reliably; second, the identifier is not easy to replace or rotate. For that reason, blacklists are most suitable for high-confidence, confirmed cases tied to relatively durable identifiers. If our confidence is low, or if the identifier can be changed easily, a blacklist may do more harm than good by blocking legitimate users while doing little to stop the bad actor in the long run.
A non-list-like rule, by contrast, captures a more general pattern of risk. Someone rejected by the rule today may not be rejected tomorrow, because the decision depends on current attributes or behavior rather than fixed membership in a list. This makes rules more suitable when the signal is weaker, more probabilistic, or tied to identifiers that can be changed easily.
In practice, however, teams often blur the boundary between the two. Low-confidence signals or easily rotated identifiers are sometimes added to blacklists, which can create high false-positive rates. Conversely, even high-confidence bad actors are sometimes handled only through dynamic rules, leaving room for repeated breaches once the pattern changes or the rule is circumvented.
The key is to match the tool to the nature of the signal. A blacklist works best when the signal is strong and the identity is durable. A rule works better when the signal is less certain or when the adversary can easily change identifiers. Although the two are mathematically similar, they play different operational roles: a blacklist acts as memory, while a rule acts as generalized reasoning. Confusing the two can either block too many good users or allow known bad actors to return.
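To make the operational difference concrete, here is an added example (my own toy code, not from the original post) that represents both a blacklist and a non-list-like rule as the same kind of object, a predicate R(x) on an event, and then runs three constructed events through a small decision engine. The user IDs, IP addresses, thresholds, and the choice of which identifiers count as durable are all assumptions made for illustration.

```python
"""Blacklist (list-like rule) vs. non-list-like rule, both as indicator functions.

Added example, not part of the original post. A toy decision engine treats
both as R(x) -> {0, 1}, then shows why a durable identifier suits a blacklist
while a rotated or shared one is better handled by a behavioural rule.
All identifiers, amounts and thresholds below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    """One attempt to use the product: identifiers plus current attributes."""
    user_id: str            # durable: tied to a verified identity (assumption)
    ip: str                 # easily rotated and often shared (NAT, carriers)
    attempts_last_hour: int  # current behaviour, changes from day to day
    amount: float


# R(x) = 1[C(x)], represented as a boolean predicate on an Event.
Rule = Callable[[Event], bool]


def blacklist(key: str, members: Iterable[str]) -> Rule:
    """List-like rule: R(x) = 1[x.key in B]. Acts as memory of confirmed bad actors."""
    b = frozenset(members)
    return lambda e: getattr(e, key) in b


def velocity_rule(limit: int = 20) -> Rule:
    """Non-list-like rule on current behaviour: the same actor may pass tomorrow."""
    return lambda e: e.attempts_last_hour >= limit


def decide(e: Event, hard_rules: list[Rule], soft_rules: list[Rule]) -> str:
    """High-confidence (hard) rules reject; probabilistic (soft) rules route to review."""
    if any(r(e) for r in hard_rules):
        return "reject"
    if any(r(e) for r in soft_rules):
        return "review"
    return "pass"


# Policy gate for adding an identifier to a blacklist: confirmed case AND durable key.
DURABLE_KEYS = {"user_id"}  # assumption for this toy; "ip" is treated as rotatable


def should_blacklist(key: str, confidence: float, threshold: float = 0.95) -> bool:
    """Only high-confidence findings on durable identifiers belong in the list."""
    return key in DURABLE_KEYS and confidence >= threshold


def demo() -> dict[str, str]:
    known_bad_users = blacklist("user_id", {"u-4711"})  # confirmed fraud, durable id
    # An IP blacklist is the anti-pattern from the text: shared, rotatable identifier.
    bad_ips = blacklist("ip", {"203.0.113.7"})          # constructed TEST-NET-3 address

    hard = [known_bad_users]
    soft = [velocity_rule(20)]

    # 1. Confirmed bad actor behaving quietly today: only the blacklist remembers them.
    quiet_fraudster = Event("u-4711", "203.0.113.7", 1, 25.0)
    # 2. Same actor on a fresh account and IP: no list membership, but behaviour fires.
    rotated = Event("u-9002", "198.51.100.3", 40, 25.0)
    # 3. Legitimate user behind the same shared IP: an IP blacklist would block them.
    bystander = Event("u-1234", "203.0.113.7", 2, 40.0)

    return {
        "quiet_fraudster": decide(quiet_fraudster, hard, soft),
        "rotated": decide(rotated, hard, soft),
        "bystander": decide(bystander, hard, soft),
        "bystander_with_ip_blacklist": decide(bystander, hard + [bad_ips], soft),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first event shows the blacklist doing its job as memory: the behaviour looks normal, so no rule would catch it, but the durable identifier is known. The second shows the rule doing the generalizing: membership gives nothing once the actor rotates, but the velocity pattern still fires. The fourth outcome is the false positive the text warns about, produced entirely by putting a shared, rotatable identifier into a list; the `should_blacklist` gate is one simple way to keep such entries out.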
