Regulatory Influencer: Fraud Prevention Breaks Out Beyond Traditional Financial Crime Controls

The scale, speed and accessibility of modern payments have fundamentally altered the risk landscape, shifting fraud from an isolated criminal activity to a systemic challenge embedded in everyday financial services. European regulators are increasingly reframing fraud as a core consumer protection challenge rather than simply a financial crime risk. 

This is not limited to one segment of the market: banks, payment institutions, electronic money (e-money) firms and investment platforms are all exposed. 

Fraud comprises a spectrum of typologies that continue to evolve alongside technological and behavioural changes. Most prevalent forms across Europe include: 

• Authorised push payment (APP) fraud.
• Social engineering and impersonation scams. 
• Phishing and smishing attacks. 
• Account takeover fraud. 
• Romance scams. 
• Artificial intelligence (AI) fraud. 

As payment journeys become more seamless and embedded, often designed to minimise friction, fraudsters are exploiting the same efficiencies to execute scams at scale, with reduced detection windows and greater cross-border reach. Several structural drivers that are involved in fraud acceleration include: 

• Mobile wallets. 
• Online banking and embedded finance. 
• The growth of instant payment infrastructures. 
• Cross-border payment capabilities. 

In parallel, consumer behaviour has shifted in ways that have inadvertently increased vulnerability. Higher reliance on digital channels, combined with varying levels of financial literacy, is creating fertile ground for manipulation. 

This has led regulators to question whether existing frameworks, traditionally focused on unauthorised transactions and security controls, are sufficient to address scams where the consumer is an active participant. 

Consumer-centric fraud controls across Europe 

Across Europe, the regulatory response to fraud in 2025/2026 reflects a clear transition from reactive supervision to more operational, preventative and consumer-centric intervention. EU member states such as Poland, Latvia, Lithuania, Croatia, Romania, Bulgaria, Slovakia and Slovenia are implementing fraud prevention frameworks nationally in line with the EU payments framework under the revised Payments Services Directive (PSD2). However, the practical supervisory emphasis is increasingly focused on whether firms can prevent scams in real time and that adequate measures are consistently in place before the loss occurs. This is demonstrated in the proposed Third Payment Services Directive (PSD3) and Payment Services Regulation (PSR), where direct liability for firms will be introduced in implementing appropriate measures to prevent fraud.

While awaiting PSD3 and PSR coming into effect, different approaches in addressing fraud are still being adopted by member states at the national level. This is evident in national-level measures such as Latvia’s 2025 fraud risk management guidelines, which move beyond standard expectations, such as transaction blocking and complaint-handling, into more operationally prescriptive areas, including how firms should approach such measures. For example, the guidance states that risks identified by a fraud risk assessment may be affected by unforeseen circumstances, but a firm must ensure that there is continuous monitoring and review of risks identified in the assessment to determine that existing risk management measures have become ineffective. 

Lithuania and Croatia, meanwhile, illustrate a common regulatory concern: the scale of consumer exposure to fraud, with authorities increasingly publishing statistics and warnings that frame fraud as a major issue. In Lithuania, according to the central bank, the value of fraudulent payment transactions has increased more than twofold from 2022 to 2025, suggesting that current measures are not proving to be effective.  

This change in approach is mirrored, and in some cases accelerated, in non-EU jurisdictions, where regulators are beginning to intervene more directly in the execution of transactions and the identification of emerging fraud risks.

In Georgia, the April 2026 amendments to strong customer authentication rules signal a notably targeted response to the growing exposure of vulnerable consumer groups to fraud. By requiring payment service providers to identify users over the age of 60 and apply enhanced, behaviour-based monitoring, the National Bank of Georgia is effectively recognising that fraud risk is not evenly distributed across the customer base. 

The ability for firms to suspend or refuse transactions based on deviations from expected behaviour, high-value thresholds or links to high-risk activity also reflects a shift towards pre-emptive intervention tailored to vulnerability profiles. This moves beyond traditional, uniform authentication standards and introduces a more granular, risk-based model where consumer protection is dynamically calibrated, acknowledging that older demographics are disproportionately targeted by social engineering and impersonation scams.

A different, but equally forward-looking, regulatory response is evident in Russia, where the Bank of Russia is embedding fraud controls into its digital ruble framework at an early stage of development. By requiring participants to assess whether transactions are conducted without genuine customer consent, including scenarios where consent is obtained through deception, the regulator is pre-emptively addressing risks that are likely to scale with digital currency adoption. This reflects an understanding that digital currencies, particularly those operating in real time or near-real time environments, may amplify existing fraud typologies, such as authorised push payment scams. The approach seeks to avoid regulatory lag by integrating fraud detection directly into the infrastructure rather than retrofitting controls once risks materialise at scale.

In Kosovo, the central bank is approaching fraud from a different angle, placing emphasis on the integrity and accessibility of financial data within an increasingly digital ecosystem. By integrating financial registries into national digital platforms and advancing the digitisation of identity verification processes, the regulatory strategy appears focused on reducing fraud risk at its source, such as inaccurate, fragmented or inaccessible data. This reflects a broader recognition that as financial services become more digital and interconnected, the reliability of underlying data becomes a critical control point. In this context, fraud prevention is about ensuring that the data used to authenticate users, assess risk and execute payments is robust, consistent and resistant to manipulation.

For Sweden, the supervisory response reflects an increasing recognition that fraud in payment services extends beyond firm-level risk management and constitutes a broader societal issue. The Financial Supervisory Authority has taken a more collaborative model, bringing firms into roundtables and structured discussions with the authority to ensure regulatory measures are informed by operational realities, while maintaining a clear focus on consumer outcomes. This approach is a more coordinated, cross-sector model of fraud mitigation, where the emphasis is placed on developing a shared understanding of fraud typologies and identifying practical solutions to address complex fraud risks.  

Regulatory themes

1. Shift from AML to fraud  

Across Europe, regulatory approaches to fraud are evolving, with an increasing emphasis on treating it as a standalone risk that requires more proactive intervention. Historically, AML controls such as KYC, transaction monitoring and suspicious activity reporting have been more developed and prescriptive, and firms have then often leveraged these systems as part of their wider fraud detection capabilities. However, this approach has not always proven to be effective at preventing consumer harm, particularly in cases of authorised fraud where transactions pass AML checks but still result in loss. This has resulted in emerging measures such as behavioural monitoring in Georgia and deception-based consent frameworks in Russia, both of which move beyond traditional financial crime definitions and focus on identifying indicators of customer manipulation rather than purely illicit fund flows. The implication is that firms are no longer assessed solely on their ability to detect suspicious transactions, but increasingly on their capacity to intervene in real time and prevent fraud from occurring, even where activity appears legitimate on the surface. 

2. Regulatory convergence at the EU level, national divergence in practice 

While EU-level reforms are driving a degree of harmonisation, the reality on the ground remains one of national divergence. Member states such as Lithuania and Poland are advancing data-led supervisory approaches and public fraud awareness, whereas others are focusing more heavily on operational controls or consumer protection disclosures. Outside the EU, jurisdictions such as Kosovo are aligning directionally with EU standards but through different regulatory tools, such as enhanced supervisory scrutiny and a focus on data quality. Firms operating cross-border must navigate a common direction of travel with locally specific expectations, requiring a more nuanced understanding of how fraud risk is interpreted and enforced in each jurisdiction.

3. Real-time payments, real-time fraud risk 

The expansion of instant payment systems across Europe has fundamentally altered the fraud risk equation. Regulators are responding by embedding controls directly into the payment flow, such as verifying the payee and applying transaction risk indicators. This is particularly relevant in emerging infrastructures such as digital currencies, with Russia demonstrating how fraud controls are being designed concurrently with the system itself. More broadly, the rise of instant payments is forcing firms to shift from retrospective detection to pre-transaction decisioning, where the ability to pause, challenge or refuse a payment in real time becomes a core regulatory expectation.

4. Liability and accountability creep 

There is becoming a more gradual reallocation of liability from consumers to firms. Regulators are increasingly challenging the long-standing assumption that fraud losses, particularly in authorised transactions, are due to customer negligence. Instead, the burden of proof is moving towards demonstrating that firms have taken all reasonable steps to prevent the fraud from occurring. This is evident in the growing emphasis on intervention capabilities, behavioural analytics and customer warning mechanisms, as well as in broader discussions around reimbursement and consumer protection. 

This transition is illustrated in the UK, where mandatory reimbursement requirements for authorised push payment fraud place direct financial liability on payment service providers. Additionally, measures such as those seen in Georgia also demonstrate this shift, where firms are expected to act on risk signals and potentially block transactions. The direction of travel suggests that failure to prevent fraud, even where the customer has technically authorised the payment, may increasingly be viewed as a control failure on the part of the institution, rather than an isolated user error.

Next steps 

The speed, irreversibility and user-initiated nature of payment services compress the window for detection to near zero, meaning that traditional, post-transaction controls are structurally insufficient. The following actions set out how firms can operationalise fraud prevention in high-risk payment environments.

Compliance and financial crime teams can: 

• Define authorised push payment fraud as a standalone risk category, separate from AML, with its own control framework and reporting lines. 
• Mandate pre-transaction intervention controls, such as alert messages clarifying payment or a page with fraud-related advice. 
• Require model explainability for real-time decisions. For example, if a payment is blocked or permitted, the team must be able to evidence the logic behind this to demonstrate to regulators. 
• Gain data from the marketing team on behavioural data or normal habits to detect unusual transactions. 

Technology and engineering teams can: 

• Layer detection models in sequence: 

1. Device intelligence (new device or VPN usage). 
2. Behavioural biometrics (typing speed or hesitation patterns). 
3. Transaction anomaly detection (the amount of the transaction or a new beneficiary). 
4. Network intelligence (known mule accounts or scam-linked IBANs). 

• Integrate confirmation of payee or IBAN name checks directly into the payment flow. 
• Design systems to support real-time inbound fraud signals, such as law enforcement alerts or industry data sharing. 

 Product and mobile app teams can: 

• Embed customer challenge questions tied to risk: 

1. “Has someone asked you to make this payment urgently?”
2. “Were you contacted via phone or social media?”

• Redesign app interfaces to detect when a person is conducting a transaction while on a phone call, which triggers an alert message confirming that the provider has not contacted the customer. 
• Introduce contextual friction for first-time payees, which contain a high value and are divergent from normal customer behaviour, such as a mandatory delay. 

Fraud operation teams can: 

• Establish 24/7 instant payment monitoring desks, not batch-based review teams. 
• Build rapid outbound contact capability where a call or SMS is pushed within minutes of a high-risk flagged transaction. 
• Maintain mule account intelligence databases and feed them back into detection systems in real time. 

Customer support teams can: 

• Train agents to identify live scam scenarios, not just post-fraud complaints. This may include training on tone of voice or body language indicators. 

Firms that fail to operationalise will increasingly struggle to meet emerging regulatory expectations around real-time prevention and consumer protection outcomes. This also extends further into the erosion of consumer trust, where customers do not believe that the firm can adequately protect them from scams. In digital payment environments, trust is directly linked to perceived safety at the point of transaction. 

From a commercial perspective, there is a direct cost impact driven by increased fraud losses, reimbursement obligations and overhead linked to dispute handling and investigations. Secondly, there is a revenue and growth impact, where weakened trust affects customer retention. 

In competitive markets where switching costs are low, trust becomes a key differentiator. 

Regulator sentiment - conclusion 

Across the examples outlined, it is clear that regulators are increasingly framing fraud through the lens of consumer harm, system integrity and trust. A consistent supervisory sentiment is that fraud is no longer viewed as an incidental by-product of financial crime, but as a core failure of how payment services are designed and delivered. 

Looking ahead, the direction of travel across Europe points towards a more interventionist, outcome-focused regulatory model. Regulators are likely to place greater emphasis on demonstrable prevention of fraud at the point of the payment, supported by real-time analytics, behavioural insights and enhanced data-sharing across firms and authorities. This is most likely to be accompanied by a continued transfer in accountability, where firms are expected to actively prevent losses before they occur. Over time, this may evolve into a more formalised expectation that fraud capabilities are embedded into payment infrastructures themselves, similar to the PSD2’s approach of embedding strong customer authentication controls. 

As payment ecosystems continue to evolve, it is important that firms prioritise a more proactive approach to improve their ability to reduce fraud exposure in practice. However, the challenge for firms lies in being able to move at the same pace as technological advancements, while simultaneously aligning controls to real-world fraud dynamics, navigating divergent national expectations and demonstrating that prevention is effectively embedded at the point of transaction.