You would not be allowed if not for legitimate interest.
Websites A and B buy fraud prevention service FPS, website A flags user x as fraudulent, how should FPS flag user x as high risk for website B if consent from user x was required?
Legitimate interest literally allows FPS to track users, build cross-service profiles, process and store their data in case FPS needs that data sometime in the future. Under legitimate interest response to query "What's the ratio of disputed transactions for this user?" is perfectly legal trigger to put all that data to use, even though it is for all intents and purposes indistinguishable from pre-GDPR tracking.
Websites A and B buy fraud prevention service FPS, website A flags user x as fraudulent, how should FPS flag user x as high risk for website B if consent from user x was required?
Legitimate interest literally allows FPS to track users, build cross-service profiles, process and store their data in case FPS needs that data sometime in the future. Under legitimate interest response to query "What's the ratio of disputed transactions for this user?" is perfectly legal trigger to put all that data to use, even though it is for all intents and purposes indistinguishable from pre-GDPR tracking.