Why Onboarding Failures Now Drive Fraud Losses
The financial services industry is facing a fundamental realignment of risk, where the burden of fraud losses is shifting decisively away from customers and onto the institutions themselves. For decades, banks relied on the assumption that adherence to standard compliance protocols was sufficient to limit liability. However, according to analysis by Zyphe, this model is collapsing under the weight of sophisticated payment scams and the widespread use of "mule accounts," forcing a reckoning on how onboarding and accountability are managed across the FinTech ecosystem.
Background and Context
At the centre of this shift is the mule account—a critical infrastructure for modern financial crime. These accounts, frequently opened using legitimate or semi-legitimate identities, serve as conduits for moving stolen funds. Whether the account holder is complicit, manipulated, or unaware, the utility of these accounts to fraudsters is the same: they provide a channel to launder illicit money. Without access to mule accounts, many forms of large-scale payment fraud would be operationally difficult to execute, making their detection a priority for regulators globally.
Key Figures and Entities
Regulatory frameworks are evolving rapidly, moving the focus from procedural compliance to actual outcomes. Authorities such as the UK Payment Systems Regulator, alongside incoming EU rules under PSD3 and shifting interpretations of US Regulation E, are placing direct financial responsibility on institutions that fail to prevent fraud. The central question for banks is no longer whether the correct paperwork was filed, but whether the crime was effectively stopped.
Legal and Financial Mechanisms
The industry's exposure is most acute in two fraud typologies: Authorised Push Payment (APP) fraud and synthetic identity fraud. APP scams use social engineering to persuade victims to transfer funds themselves, so the payment is authorised and the controls built for unauthorised transactions never trigger. Synthetic identity fraud combines real and fabricated attributes into a fictitious persona, builds a credit history for it, and then cashes out. Both exploit the same weakness of traditional identity verification: it relies on static data (passports, addresses, dates of birth) that can be stolen or fabricated, and a checker comparing values cannot tell a genuine one from a copied one. In response, the sector is pivoting toward cryptographic identity verification, in which a trusted issuer signs the identity claims so that a verifier can check that the claims came from that issuer and have not been altered since. The caveat is that a valid signature proves attestation, not intent: a complicit or manipulated account holder with a genuine, correctly signed identity still makes a usable mule, so this change reduces fabricated identities rather than eliminating mule accounts. The shift is accelerated by new UK rules mandating a 50/50 liability split for APP fraud between sending and receiving institutions, meaning receiving banks now share the financial burden.
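To make the contrast between static-data checks and issuer-signed claims concrete, the following Go program is an added example written for this page; it is not code from Zyphe or from any of the regulators or products mentioned. It assumes a hypothetical credential format (field names `sub`, `iss`, `dob`, `exp`), a hypothetical issuer `idp.example`, and Ed25519 signatures from Go's standard library; a real deployment would use a published credential standard and a managed trust list. It shows a legacy equality check accepting an edited date of birth while the signature check rejects the same edit, and it also handles the expiry and unknown-issuer failure modes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a hypothetical issuer-attested set of identity claims.
// The field names are an assumption for this example, not a real standard.
type Credential struct {
	Subject   string `json:"sub"`
	Issuer    string `json:"iss"`
	BirthDate string `json:"dob"`
	NotAfter  int64  `json:"exp"` // Unix seconds after which the claims are stale
}

// SignedCredential carries the exact bytes the issuer signed plus the signature.
// The verifier must check the signature over Payload as received, never over a
// re-serialised copy, because any byte difference invalidates the signature.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrUntrustedIssuer = errors.New("issuer is not in the trusted key set")
	ErrBadSignature    = errors.New("signature does not verify: claims altered or forged")
	ErrExpired         = errors.New("credential has expired")
)

// Issue is what the identity provider does: serialise the claims and sign them.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is what the onboarding institution does. The payload is parsed first
// only to find which issuer key to use; nothing in it is trusted until the
// signature verifies against that key.
func Verify(trusted map[string]ed25519.PublicKey, sc SignedCredential, now time.Time) (Credential, error) {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	pub, ok := trusted[c.Issuer]
	if !ok {
		return Credential{}, ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return Credential{}, ErrBadSignature
	}
	if now.Unix() > c.NotAfter {
		return Credential{}, ErrExpired
	}
	return c, nil
}

// StaticCheck models the legacy control: compare a submitted date of birth
// against a stored reference. It accepts any matching value, so a stolen or
// fabricated record passes exactly as easily as a genuine one.
func StaticCheck(submittedDOB, reference string) bool {
	return submittedDOB == reference
}

func main() {
	// Constructed sample data: one trusted issuer and one applicant.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"idp.example": pub}
	now := time.Now()

	sc, err := Issue(priv, Credential{
		Subject: "applicant-42", Issuer: "idp.example",
		BirthDate: "1990-04-01", NotAfter: now.Add(24 * time.Hour).Unix(),
	})
	if err != nil {
		panic(err)
	}
	_, err = Verify(trusted, sc, now)
	fmt.Println("genuine credential:", err)

	// A fraudster edits the birth date in transit. The static check accepts the
	// edited value because it matches what the fraudster also typed into the
	// form; the signature check rejects it because the signed bytes changed.
	tampered := SignedCredential{
		Payload:   bytes.Replace(sc.Payload, []byte("1990-04-01"), []byte("1985-04-01"), 1),
		Signature: sc.Signature,
	}
	fmt.Println("static check on edited DOB:", StaticCheck("1985-04-01", "1985-04-01"))
	_, err = Verify(trusted, tampered, now)
	fmt.Println("tampered credential:", err)
}
```

Note what the signature check does and does not buy. A failed `Verify` is strong evidence of tampering or an unknown issuer, but a successful one only says the issuer vouched for these claims at issuance time; it says nothing about whether the applicant intends to lend the account to a fraudster, which is why mule detection still needs behavioural and transaction monitoring on top of onboarding.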
International Implications and Policy Response
The operational costs of maintaining the status quo are becoming unsustainable. The current centralised model of collecting and storing identity data forces banks to hold vast amounts of personally identifiable information, which is both an attractive target for attackers and a growing compliance liability. Frameworks such as GDPR, SOC 2, and DORA impose strict audit requirements, and the analysis cited here puts the cost of a single Data Subject Access Request under GDPR at upwards of $1,500. On that basis, a mid-sized institution managing 1.5 million records faces annual costs of approximately $2.22 million from fraud exposure and compliance overhead, while a larger organisation handling 10 million records may see costs exceed $7.85 million.
Sources
This report draws on analysis by Zyphe, reporting by RegTech Analyst, and regulatory guidance from the UK Payment Systems Regulator and the European Commission.