Guardrails for growth: Building a resilient payments system

The $2.4 trillion global payments industry grew at 7 percent per year from 2018 to 2023, according to the McKinsey Global Payments Map, and is expected to continue to grow at 5 percent per year until 2028. At that point, payments will represent 35 percent of the total banking revenue pool.¹Philip Bruno, Uzayr Jeenah, Amit Gandhi, and Inês Gancho, “Global payments in 2024: Simpler interfaces, complex reality,” McKinsey, October 18, 2024. However, against this backdrop of robust growth, payments providers are also on the front lines of an increasingly risk-filled landscape.

In this article, we look at three critical risk vectors affecting the payments ecosystem—new and fast-growing forms of fraud, a worrying rise in money laundering, and the proliferation of payments rails—and examine how payments providers can address these significant and escalating threats.

Payments fraud is expanding and growing in sophistication

Given the range of fraud types, and the many organizations tracking data, it is difficult to provide exact numbers on the growth of payments fraud. It is clear, however, that losses have been growing and are widely expected to continue to do so. A Juniper Research report has forecast more than $362 billion in online payments fraud between 2023 and 2028.²Cara Malone, Combatting online payment fraud, Juniper Research, June 26, 2023. In 2024, TransUnion noted that among consumers it surveyed from 18 countries, more than half said that they had been the targets of fraud attempts.³TransUnion 2024 state of omnichannel fraud report, TransUnion, April 2, 2025. Yet another source pegs the total amount consumers lost to fraud in 2024 at just over $1 trillion.⁴Global state of scams report 2024, Global Anti-Scam Alliance and Feedzai, November 2024.

Occurrences of most types of payments fraud are increasing, including fraud stemming from synthetic ID, real-time payments, deepfake/AI-driven attacks, social engineering/phishing attacks, account takeover fraud (ATO), and check fraud (see sidebar, “Emerging fraud trends”).

Emerging fraud trends

Payments providers are contending with three especially challenging new forms of fraud, some powered by AI.

Deepfakes: Deepfakes—a kind of synthetic ID fraud—use AI to create highly convincing fake identities and transactions. Synthetic fraud ID is often utilized to establish new accounts and is sophisticated enough to bypass traditional fraud detection systems. This type of fraud has been growing rapidly, making it critical for payment providers to adopt advanced technologies and algorithms to identify and mitigate the risks.

Scams: While providers are starting to use gen AI to mitigate fraud, scammers are using the technology to stay ahead of them. Investment scams caused a higher monetary loss than any other category in 2024 in the United States (exhibit), followed by imposter scams, the most commonly reported scam category.

Fraud related to credit applications: Banks that are digitizing their lending streams sometimes experience integration problems with legacy systems and fail to record installments coming in. They can therefore mistakenly believe that an applicant has more repayment capacity than they actually do—a blind spot that fraudsters can exploit.

There are a number of drivers behind the growth in payments fraud. To start, the rapid growth and globalization of online commerce makes payments a key vector for fraudsters. Additional factors include the following:

• The increasing role of AI in fraud innovation, particularly in email, text, phone scams, and takeover attempts.
• The significant amount of personally identifiable information (PII)/account data for sale on the dark web, supported by an advanced criminal element that harvests and repackages the details for fraudulent use.
• The increasing sophistication of fraudsters, which leaves less savvy consumers increasingly susceptible to scams and ATO.
• The sensitivity of customers to friction that causes purchase disruptions. This dynamic is complicated by regulations that protect the customer and penalize financial institutions—making customers less wary and financial institutions less willing to interrupt a transaction.
• The growth of real-time payments—which have the least control and recoverability versus most fraud types.

In combating fraud, payments providers are faced with countervailing imperatives: They need to invest in advanced algorithms to better detect fraudulent activities and in digital journeys that enable internal teams to flag suspicious activities more easily. However, overindexing on fraud prevention can negatively affect customer experience (for example, with false positives that trigger unnecessary alerts) and limit revenue potential (for example, through a decline in customer satisfaction or an increase in abandoned shopping carts). Therefore, a balanced approach that combines robust fraud detection with a seamless customer experience is essential. For example, a fraud management strategy could combine performance targets tied to fraud loss rates, customer impact (decline rates), and risk/revenue appetite for fraud decisioning.

Finally, while fraud is increasing, customer expectations for being made whole are growing more demanding. Today, customers tend to feel that providers will not only protect them but also reimburse them when fraud occurs, even where they themselves have authorized a transaction. Three-quarters (77 percent) of customers in one survey said they would leave a bank that failed to refund a scam loss,⁵The human impact of fraud and financial crime on customer trust in banks, Feedzai, April 2023. while only 6 percent of financial institutions in another study reported that they intend to reimburse all scams (many on a case-by-case basis).⁶Heidi Bleau, “Canceling the scampocalypse: How to stop bank account scams in 2022,” BioCatch, 2022.

As fraud tactics evolve, stolen PII is made more available, and liability frameworks shift,⁷For example, the UK Payment Systems Regulator has established guidance for “receive side liability” in which the bank on the receiving side of some fraudulent transactions is either fully or partly responsible for reimbursing the victim. payments institutions will need to rethink their approach—not just through controls but also by involving customers in managing the risk. The following are some suggested actions:

• Ensure well-orchestrated identity verifications are in place. Most institutions have a range of identity verification technologies in place, including biometrics, behavioral analytics (such as how a user types or navigates), selfie and ID matching, 3D Secure authentication for card transactions, payee confirmation to verify recipient details, one-time passcodes (OTPs), and optical-character recognition (OCR) for document scanning. However, for these tools to be fully effective, they must operate seamlessly together. As a first step toward that integration, payments providers can use reputational data to identify suspicious activity (for example, from the onboarding process or account linkages from external accounts). The second step is to analyze links to identify connections to risk-rated fraud details. Last, payments providers can incorporate the above indicators within a score/rule set, or other assessment means, to review before money is sent.
• Build fraud solutions. Banks and other payment providers must address all angles for fighting fraud, which should include educational resources and additional product offerings for customers. Citigroup’s “Citi Verify,” for example, provides clients with bank account verifications to protect against unintended use of accounts. Solutions like this can be positioned as a stand-alone offering, integrated into customer onboarding, or as a per-transaction check (for extra verification before funds are released or services rendered). Banks can build tools in house or partner with providers in the growing fraud vendor landscape.
• Incorporate reputational data in fraud decisioning to combat first-party fraud. For bank account payments, sophisticated players track risk ratings and indicators of both source and destination banks—for example, they flag when there are high levels of fraud or return requests for certain source banks, or when money is sent to select destination banks. Card providers take a similar approach with merchant risk ratings. Reputational data also includes information a payments provider has about customers (for example, charge-backs, disputes) as well as information from third-party reputational data players such as LexisNexis or Telesign, or consortia such as Early Warning Services. Some modeling providers gather and use consortium data (by sharing clean data for various customer archetypes) to enhance the accuracy of their models and rule sets for different fraud types across geographies, helping payments providers preemptively respond to bad actors.
• Design AI/machine-learning-based fraud models to detect specific types. Most payments providers currently take a blunt, one-size-fits-all approach to fraud detection, resulting in a high number of false positives. A more effective approach is to run multiple separate models tailored to specific fraud vectors against the same set of transactions and data. Payments providers should design fraud models by product, channel, and fraud type (for example, first-party fraud, synthetic ID, account takeover) to increase the precision of modeling in separating fraudsters from the nonfraudsters. Payments providers can combine transaction monitoring with analysis of micro behaviors, confirmation of payee, consortium data, and customer challenges. AI and machine learning can play a supportive role here in identifying triggers.
• Offset false positives with “good customer” detection capabilities. Many institutions run false positive rates in the high 90s, whereas best-in-class players are in the 60s. These players are cracking the code by incorporating “good customer” scores to offset false positives and enhance customer relationships and experience. Good customer scores can be based on account activity (for example, bill pay, direct deposit, secure balances); providers can also use gen AI to spot good customers by analyzing unstructured data (for example, long payment files) and customer journey and navigation history.
• Engage customers as the first line of defense. Customers can be the weakest link—or strongest asset—in the fight against fraud. Providers can strengthen their defenses by equipping customers to recognize and respond to risks directly. The approach starts with targeted education and interventions: for example, security portals with common scam typologies, risk-based prompts during transactions, and push messaging about high-risk moments. Some providers now enable users to report suspicious content for an AI-based scam assessment. As open banking matures, customers will increasingly expect to control not just access to their data but also the guardrails around their payment activity. Institutions that help customers safely shape their own protection posture (for example, through custom limits or consent preferences)—without sacrificing experience—will be better positioned to build trust while continuing to reduce fraud losses.

AML is growing, and expectations are intensifying

Up to $2 trillion annually is laundered through the global financial system.⁸“Money laundering, proceeds of crime and the financing of terrorism,” United Nations Office on Drugs and Crime, accessed June 2025. Regulatory expectations around anti–money laundering (AML) have intensified (albeit with a potentially temporary easing in the United States), with related fines, including those tied to sanctions violations, surpassing $6 billion globally in 2023—a record high.⁹AML enforcement actions surge in 2023, Fenergo, February 22, 2024. Financial institutions and payment providers are under growing pressure to improve both detection and accountability across their compliance frameworks.

Notably, however, enhancements to AML, know your customer (KYC), and sanctions compliance systems can also be a significant growth lever and a source of resilience. Best-in-class compliance reduces friction in “clunky” customer journey areas such as onboarding, improving both customer experience and conversion rates. Strong AML/KYC systems can also provide the compliance assurance needed to enter new high-risk and heavily regulated markets, and can boost reputation and trust, attracting shareholders, customers, and partners.

Payments providers can address the threat of money laundering and AML compliance challenges by focusing on the following three themes:

• Expand the scope of KYC and due diligence across the payments ecosystem: In today’s payments arena, KYC and screening responsibilities extend to a wide range of third parties, each of which introduces different risks. These third parties include card issuers, merchant acquirers, fintechs and nonbank service providers, payments facilitators, and end merchants. Depending on their role in the value chain, organizations may be responsible for performing or validating due diligence on multiple counterparties, often with limited visibility to the underlying customer or merchant data. However, providers can still conduct transaction monitoring (for example, risk-based alert generation and investigations, suspicious activity report filing) with data that is available, while also taking steps to improve assurance that appropriate KYC measures are being conducted by counterparties. Providers can take a tiered approach to gaining assurance, ranging from requesting attestations and program documentation to conducting regular risk and compliance “ride-along” visits, and, for higher-risk cases, exercising audit rights through on-site reviews or third-party assessments.
• Enhance ongoing monitoring: Robust due diligence is only the first step. Payments organizations must also implement mechanisms for ongoing transaction monitoring wherever feasible, especially for high-risk segments. Even where direct monitoring is not possible, entities may still retain an obligation to identify red flags and report suspicious activity. As regulatory expectations expand, the industry must move from point-in-time checks toward continuous oversight and real-time intelligence sharing.
• Invest in efficiency and modernization: As financial criminals become more sophisticated, providers must modernize their capabilities to keep pace. However, despite years of investment, AML and financial crime compliance programs remain cost-intensive and often inefficient. For example, financial institutions across Europe, the Middle East, and Africa (EMEA) spent approximately $85 billion in 2023 on financial crime compliance, largely driven by specialized labor—a figure that 81 percent of EMEA financial institutions plan to reduce.¹⁰“Study reveals annual cost of financial crime compliance totals $85 billion in EMEA,” LexisNexis, March 6, 2024. And despite the investments, globally, less than 1 percent of international criminal financial flows are intercepted by law enforcement.¹¹“INTERPOL launches centre against financial crime and corruption,” INTERPOL, March 15, 2022. Payments providers will need to be more efficient as they tackle these challenges, shifting from manual, rules-based engines to AI and gen AI–driven solutions for both transaction monitoring and investigations. Leaders are using machine learning to identify complex behavioral patterns and anomalies, but broad adoption remains limited.

Proliferation of payment systems is increasing the threat ‘surface’

In an increasingly multipolar world, payments systems are growing more complex, with a dizzying array of new national, transnational, and global payment rails emerging. These include entirely new payments rails (for example, stablecoins or central bank digital currencies such as the digital euro) or crossing of domestic instant payment rails (as in India, Malaysia, and Singapore, where payments can start on one system and end on another¹²“Deep dive: Malaysia,” ACI Worldwide, accessed May 2025.). This trend is likely to continue as national authorities push for increased sovereignty and payments operators look to boost resilience.

In addition to increased localization, some governments are seeking to diversify their currency usage (for example, Chinese interest in paying for Saudi oil in renminbi¹³Charles Chang, Vishrut Rana, Zahabia Gupta, and Valerijs Rezvijs, “Saudi–China ties and renminbi-based oil trade,” S&P Global, August 20, 2024.), to reduce their dependency on external systems.

As new strategies and payment schemes emerge, traditional protection mechanisms (for example, against fraud or AML) may not always be brought along for the ride. Systems and controls built for a single domestic payment rail are now confronted with a much broader array of threats.

Looking ahead, it will be crucial for financial institutions to integrate robust, rail-agnostic risk controls and monitoring to ensure consistent security and mitigate emerging risks. These can be drawn from existing mature capabilities (for example, AML controls on wires or fraud controls on cards).

This approach leverages proven effectiveness, maintains customer trust, and assists with regulatory compliance across all payment offerings. Institutions taking this path can safeguard against vulnerabilities in new technologies while preserving the integrity of their payment systems.

Navigating payments risk in 2025

More broadly, as they navigate the evolving landscape of payments risk, banks and payment providers should adopt a proactive and strategic stance that is based on a set of imperatives that apply across the spectrum of risks:

• Embrace appropriate risk: Taking risk on customers can open new revenue pools. In the same way that better credit models help manage risk more effectively while optimizing business outcomes, being better at identifying and managing payments risk not only reduces customer friction but also provides a competitive and economic advantage.
• Diversify: Diversification can both mitigate risk and open up new growth opportunities. Payments providers can diversify transaction flows (by establishing new correspondent banking relationships and introducing alternate payment rails), currency options (supporting alternative currency-denominated goods or alternative currency settlement options), and merchant segments (through new and underserved industries). They can also explore alternative payment channels (for example, working with digital wallets in addition to standard merchant acquirers) and support new cross-border clearing mechanisms to diversify away from legacy correspondent banking networks.
• Leverage proven methods and tighten foundational enablers: To ensure a comprehensive approach to security and compliance, robust fraud protections from established systems should be integrated into new payment models. Foundational risk management practices may need to be strengthened as well; for example, establishing a clear risk appetite policy for merchants.
• Develop a journey-based approach: Improving processes for the most critical yet often cumbersome areas of the payments customer journey, such as onboarding and dispute management, can enhance customer retention and satisfaction while reducing operational risks. The more manual and clunky a process is, the more likely it is to present risks that are difficult to mitigate in an automated fashion (exhibit).

• Play offense with AI and advanced technologies: When it comes to fraud, AI is a double-edged sword, providing payments providers with a tool for counteracting scams, but also allowing fraudsters to innovate. Banks and payment providers should leverage AI and advanced technologies to better detect and prevent fraud and stay ahead of bad actors.

Greater risk is to be expected in an increasingly complex operating environment for payments. The foregoing strategies not only mitigate risks but also open up new revenue opportunities, paving the way for long-term success and growth.