Fraud fight stays atop regulators’ agenda for payment firms

The fight against fraud remains top of European Union and UK regulators’ agenda for payments firms and dominated conversation at Pay360, this year’s big industry meet-up in the UK. It comes as little surprise, however, as the UK government and EU institutions have stepped up their anti-fraud efforts. That means more responsibility for fighting fraud has shifted onto payments firms, and soon, social media and big tech.  

Fraud and cybercrime comprise half of all crime in the UK, prompting the Home Office to reaffirm this week it plans to publish an expanded anti-fraud strategy and accelerate the development of data-sharing measures to “protect the public and businesses”.

“Fraud is an increasingly international enterprise run by some of the most appalling criminal gangs operating in the world today. That’s why we are determined to work with global partners to build a united front to tackle these criminal networks head-on, wherever they are based,” said UK fraud minister Lord Hanson in a statement.

The UK will also support a global anti-fraud summit sponsored by the UN Office on Drugs and Crime (UNODC) and Interpol, to take place in Vienna early in 2026.

UK approach

In 2020 the UK’s Payments Systems Regulator (PSR) pioneered its anti-scam confirmation of payee (COP) measure, which checks that the name on the account matches the intended recipient. The PSR then launched its ambitious shared liability reimbursement scheme for authorised push payment (APP) fraud in October 2024, which requires sending and receiving firms to refund fraud victims on a 50/50 basis. Six months in, early data shows the scheme is delivering, PSR staff said this week.

“We wanted to raise the incentives to catch fraud. I had conversations with firms who thought fraud was a cost of doing business,” said PSR interim managing director David Geale. The idea behind shared liability was to change the balance so firms would not simply accept fraud, but do something about it, he added.

The PSR will review the reimbursement regime at year-end and look for ways it can evolve. It intends to collect more data from firms, examine other kinds of payment frauds and potentially look at rebalancing liabilities. For example, Geale said, progress with social media has not “been as good as it could have been”.

Indeed, many payment firms speaking at the conference voiced frustration that liability rules for tech firms — set to be introduced under the Online Safety Act — were not yet in place.

Verification of payee

The European Banking Authority’s (EBA) consumer trends report published this week found payment fraud “is still the most significant issue for EU consumers”, especially APP fraud. The EU’s Payment Services Directive (PSD3) and Instant Payments Regulation (IPR) introduce many new anti-fraud measures, including verification of payee (VOP), which is similar to the UK’s COP regime. All payment firms offering Single Euro Payments Area (SEPA) payments must implement the VOP regime by October 5.

PSD3 will introduce liability on payment firms for fraud in some instances. They may be able to shift liability on to telcoms or other digital services providers, however. There are already transaction monitoring requirements in PSD2, but PSD3 allows firms to block payments they believe to be fraudulent. Firms will be obligated to conduct more customer education around frauds.

Data sharing

While regulators are seeking new ways to incentivise payment firms to reduce fraud, some remain reluctant to share data for fear of violating data privacy rules. PSD3 will allow firms to share fraud-related information about individuals who have received a payment believed to be fraudulent and remain compliant with data privacy laws. This includes sharing personal identifiers (such as names, personal ID numbers and organisation numbers), the fraudster’s preferred method of operating, and other transaction information.

Data sharing has been piloted in the UK under the National Crime Agency’s (NCA) Data Fusion public-private partnership with seven UK banks, which launched last year.

“We talk a lot about data sharing as a potential way to prevent fraud but broadly one of those data-sharing initiatives will cost money. Proposals Iʼve seen so far donʼt get enough of the industry of involved, ” said Mike Regnier, chief executive at Santander UK told the conference.

Regnier said he was happy to fund some business cases for data sharing, and suggested regulators should consider using the economic crime levy (ECL) to fund them.

Tech approaches

Firms’ application of technology to combat fraud has been patchy and their remote onboarding systems can compromised by fraudsters, said panellists during the two-day event in London. Regnier said Santander UK used artificial intelligence (AI) to detect all kinds of financial crime, including one algorithm that uses historical customer transaction data and every fraud vector known to the bank to assess all payments for fraud.

“Thatʼs led to some fairly material reduction so the amount of false positives that we have to test, and itʼs also led to a 20% increase in the number of suspect payments weʼve got,” Regnier said.

There were warnings too about criminals using AI to bypass firms’ remote onboarding systems. These are the systems used to capture potential customers’ identification verification data using biometrics and document scanning for Know Your Customer (KYC) checks.

“On the dark web you can buy [criminal] AI tools; they have playbooks on all [remote onboarding] companies. They actually have playbooks on my company and all of my competitors as well: ‘Hereʼs how we were able to beat this service. Hereʼs how we were able to access this organisation.ʼ And so you really do need to be paying attention and working as fast as the fraudsters are to adopt some of these more advanced techniques and technologies to protect against the AI threats that are happening,” said Zac Cohen, chief product officer at Trulioo.