In one of its latest reports,[1] the European Banking Authority (EBA) has highlighted a surge in impersonation fraud and sophisticated online and social scams, often leveraging new payment methods such as instant payments. As instant payments become widely available, the EBA reports that, back in 2022, fraud rates for instant credit transfers were on average 10 times higher than for regular credit transfers. With the rise of social media and advanced scamming techniques, banks are increasingly confronted with a type of fraud called Authorized Push Payments (APP).
Limitations of current market anti-fraud practices
Today, most fraud prevention mechanisms are built on the assumption that a fraudster would take over the account or payment instrument (e.g., credit card, online banking) of a client. Thus, current practices focus on identifying whether the person initiating a transaction is indeed the customer of the bank. To do so, Payment Service Providers (PSPs) often check the location of the payer, the digital signature of the device used, and the amount and pattern of initiated transactions to detect potential fraud. With APP scams, the difficulty lies in the fact that the payer is tricked into initiating a payment to the wrong beneficiary. In this model, it is the actual client performing the payment, which reduces the effectiveness of current detection mechanisms. Combined with the 10-second speed of instant payment transactions, this creates a perfect environment for fraudsters to thrive.
In response, EU authorities have launched a series of regulatory initiatives aimed at bolstering the security of payment systems and at strengthening the protection of EU payment users.
Regulatory initiatives for enhancing security
The new Instant Payments Regulation (IPR), which went into effect last January, introduced two critical measures to combat payment fraud. The first is the obligation for PSPs to perform daily sanctions screening of all customer accounts against EU sanctions. This measure is designed to potentially block all suspicious accounts even before any transaction can be initiated from/to these accounts, reducing the risk of fraudulent activities. While this practice was not entirely new to the market, PSPs still have to upgrade their monitoring systems to allow daily screening, including weekends, and to put in place operational measures and safeguards to take necessary actions over weekends and bank holidays. Although this mechanism was supposed to replace transaction monitoring for instant payments and allow faster processing, PSPs must comply with more than just EU sanctions, and it remains a market practice to perform transaction screening for other purposes (such as checking US sanctions lists or preventing fraud).
In addition, the IPR introduced the concept of Verification of Payee (VOP), often called the "IBAN-Name check" service. This concept, which already existed in certain local markets such as the Netherlands and the UK (under the name of Confirmation of Payee), is designed to prevent fraud by ensuring that funds are transferred to the intended recipient. This new mandatory (and free to use) service will apply to all credit transfers by 9 October 2025. PSPs are required to offer retail and corporate clients a mechanism that verifies the coherence between the payee’s IBAN and name. If the details do not match, the PSP must inform the customer, indicating whether the details are "not a match" or a "close match." This measure aims to reduce the risk of social engineering and fraudulent transactions by providing an additional layer of verification before funds are transferred.
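To make the IBAN-Name check concrete, the following added example (not part of the original article, and not the matching rules of the EPC scheme) sketches how a responding PSP could classify a payer-entered name against the name it holds for an IBAN. The similarity threshold, the legal-form list and the function names are assumptions chosen for illustration; the IBAN is a widely published sample value.

```python
import difflib
import unicodedata

# Assumed values for illustration only; not taken from the regulation or the EPC scheme.
CLOSE_MATCH_THRESHOLD = 0.80
LEGAL_FORMS = {"bv", "nv", "gmbh", "sa", "sarl", "ltd", "srl", "ag"}

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rejects mistyped IBANs before any name lookup."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isascii() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                      # country code + check digits go last
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1

def normalize(name: str) -> str:
    """Fold case and diacritics, drop punctuation and legal forms, ignore word order."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().replace(".", "")        # "B.V." -> "bv"
    cleaned = "".join(c if c.isalnum() else " " for c in folded)
    tokens = [t for t in cleaned.split() if t not in LEGAL_FORMS]
    return " ".join(sorted(tokens))

def verify_payee(iban: str, entered_name: str, registered_name: str) -> str:
    """Return MATCH, CLOSE_MATCH, NO_MATCH or INVALID_IBAN for one request."""
    if not iban_is_valid(iban):
        return "INVALID_IBAN"
    a, b = normalize(entered_name), normalize(registered_name)
    if a == b:
        return "MATCH"
    score = difflib.SequenceMatcher(None, a, b).ratio()
    return "CLOSE_MATCH" if score >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"

if __name__ == "__main__":
    # Constructed sample data: account holder names are invented.
    iban = "NL91 ABNA 0417 1643 00"
    holder = "Muller Bakkerij BV"
    for entered in ("Müller Bakkerij B.V.", "Muler Bakkerij", "Tax Office Refunds"):
        print(f"{entered!r:28} -> {verify_payee(iban, entered, holder)}")
```

In an APP scam the payer typically enters the name of the party being impersonated while the IBAN belongs to the fraudster or a mule, so the third case is the one the warning is meant to surface before the payer authorizes the transfer.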
However, many banks are concerned that the October deadline may be too tight. For instance, third parties looking to provide routing and/or verification mechanisms for the VOP “scheme” (a set of rules and guidelines for implementation) have noted that the scheme was only recently published on the European Payments Council’s website. This limited timeframe poses challenges for compliance with the requirements. Selecting and implementing a third-party solution is a time-consuming process that necessitates thorough due diligence, as well as functional and technical testing. It is crucial to identify a solution provider that offers a seamless integration experience – often through APIs – and can be easily embedded into payment channels. This approach is essential for creating a distinctive customer experience and gaining a competitive edge in the market.
Alignment with the wider EU regulatory framework
In addition to these two new requirements, EU regulators are also driving the update of the second Payment Services Directive (PSD2) and are about to adopt, probably by the end of 2025, a new EU Regulation that will apply across the EEA as the new Payment Services Regulation (PSR). The final text has not yet been voted on, but the current draft and various consultations emphasize the qualification of payment fraud and the protection of EU customers suffering from it.
The PSR expands on the concept of fraud, particularly focusing on cases of impersonation. It introduces measures to address gross negligence and expand on the obligation to put in place strong transaction monitoring systems. PSPs will also be required to run training and awareness campaigns on fraud trends and risks, targeting both customers and employees. These campaigns aim to educate stakeholders on the latest fraud tactics and provide practical advice on how to avoid falling victim to scams. By raising awareness and improving knowledge of fraud prevention techniques, the regulation aims to empower customers to protect themselves against fraud.
Complementary to spreading awareness, the EU recognizes that sophisticated prevention measures also need to be taken, and will introduce a new concept of Fraud Data Sharing for this purpose. The PSR establishes a legal basis for PSPs and Electronic Communication Service Providers (ECSPs) (e.g., mobile operators, broadband companies, etc.) to start sharing information related to fraud cases. This includes details such as names, phone numbers, email addresses, and modus operandi, which will be shared on a platform set up by the European Banking Authority, compliant with personal data protection rules. This collaborative approach aims to enhance fraud detection and prevention by enabling PSPs and ECSPs to pool their resources and share intelligence on emerging threats. The regulation also outlines the responsibilities of each party in the event of a data breach or fraud incident, ensuring accountability across the payment ecosystem.
The call to action for businesses
Over the next few years, the regulatory initiatives outlined above will have significant operational and technological impacts on both back- and front-end systems for PSPs. While some of these measures can be implemented quickly, such as training, customer education, and awareness campaigns, others, such as the verification of payee mechanism or advanced transaction and behavior monitoring tools, will involve greater complexity and resource allocation to deploy – and should therefore be anticipated. All these initiatives will only be effective if the entire payment ecosystem plays its part and if its players take strong measures to develop new solutions and increase collaboration by proactively reporting fraud cases and fraud data to their peers.
While machine learning is already widely used in transaction analysis and monitoring, the use of artificial intelligence will help PSPs fight back against increasingly complex fraud techniques where fraudsters use AI-generated voices, pictures of identification documents, and even video. By identifying patterns and anomalies, these technologies enhance fraud detection capabilities and facilitate faster responses to emerging threats.
In parallel, cross-sector collaboration between PSPs and ECSPs is a step in the right direction, but further efforts are needed to foster collaboration across the financial ecosystem. This includes working with law enforcement agencies, regulatory bodies, and other stakeholders to develop a comprehensive fraud prevention approach. While the private sector has its role to play, local governments and supervisory authorities will also have to support players in the financial industry.
As the regulatory environment continues to evolve, businesses must proactively embrace innovation in fraud management. Going beyond the minimum compliance is key and will require a review of the customer experience – the customer journey – to integrate increased fraud prevention mechanisms. Firms that invest in next-generation fraud prevention solutions, leverage AI-driven transaction monitoring, and foster a culture of security awareness will not only protect themselves but also gain a competitive edge in the digital economy.