Why onboarding failures now drive fraud losses


The financial services industry is entering a new era where the cost of fraud is no longer absorbed by customers but increasingly sits squarely with financial institutions themselves. For years, banks operated under a relatively comfortable assumption: as long as compliance processes were followed, liability for fraud losses remained limited.

According to Zyphe, that model is rapidly disappearing. Today, the rise of payment scams—particularly those involving mule accounts—is forcing a fundamental rethink of how onboarding, compliance and accountability are managed across the FinTech ecosystem.

At the heart of this shift is the mule account, a key enabler of modern financial crime. These accounts, often opened under legitimate or semi-legitimate identities, act as conduits for stolen funds. Whether the account holder is complicit, manipulated, or entirely unaware, the result is the same: fraudsters gain a channel to move illicit money. Without mule accounts, many forms of payment fraud would struggle to scale. This growing dependency has made mule account detection a central priority for regulators worldwide.

As regulatory frameworks evolve, the focus has moved decisively from process to outcome. Authorities such as the UK Payment Systems Regulator, alongside incoming EU rules under PSD3 and shifting interpretations of US Regulation E, are placing direct financial responsibility on institutions that fail to prevent fraud. The key question for banks is no longer whether compliance steps were followed, but whether fraud was actually stopped. This marks a structural transformation in financial risk, where ineffective compliance now translates directly into measurable losses on the balance sheet.

A significant part of the problem lies in how identity verification is currently conducted. Traditional onboarding relies heavily on static data such as passports, addresses and dates of birth, information that can be stolen, fabricated or manipulated, and that anyone who holds it can replay. Fraudsters exploiting these weaknesses can open accounts that appear legitimate on the surface. The industry is therefore beginning to pivot towards more robust approaches, particularly cryptographic identity verification, in which a trusted issuer signs the holder's identity attributes and the holder proves possession of the matching private key each time the credential is presented. Unlike static credentials, such proofs cannot be forged without the issuer's key or reused without the holder's, offering a stronger defence against both mule account creation and broader fraud risks. The caveat a practitioner should keep in mind is that the proof is only as strong as the issuer's original document checks and the binding between credential and holder: it establishes that a trusted party vouched for this key, not that the person presenting it is honest, so a complicit mule who passes issuance still has to be caught by transaction monitoring.

This vulnerability is especially evident in two of the most prevalent fraud typologies. Authorised Push Payment (APP) fraud relies on social engineering, where victims are persuaded to transfer funds willingly to an account the fraudster controls, typically a mule account that passed onboarding. Meanwhile, synthetic identity fraud involves the creation of entirely fictitious personas that pass onboarding checks and build credit histories before executing large-scale fraud. Both depend on weaknesses in identity verification, on the receiving side in the first case and at account opening in the second, and both can be significantly reduced by preventing fraudulent accounts from being opened in the first place.

Recent regulatory changes are reinforcing this urgency. In the UK, new rules mandating a 50/50 liability split for APP fraud mean that receiving banks—previously shielded from losses—now share financial responsibility. Across the EU, requirements such as Verification of Payee are designed to ensure payment accuracy, with liability falling on institutions that fail to detect discrepancies. In the US, regulators are increasingly scrutinising whether synthetic identity fraud should be treated as unauthorised activity, further eroding traditional defences used by banks.

Beyond fraud losses, institutions are also grappling with the operational burden of compliance. The current centralised model of data collection requires banks to store vast amounts of personally identifiable information, creating both cost and risk. Data Subject Requests under GDPR can cost over $1,500 per request, while audits for frameworks such as SOC 2, GDPR and DORA add further complexity. At the same time, these large data repositories act as prime targets for cybercriminals, increasing the likelihood and impact of breaches.

The financial implications are substantial. A mid-sized institution managing 1.5 million records may face annual costs of around $2.22m from fraud exposure, compliance overhead and data risk. For larger organisations handling 10 million records, this figure can exceed $7.85m annually. These costs are not hypothetical penalties but ongoing operational burdens tied to outdated compliance models.

In response, a new approach is gaining traction: decentralised identity frameworks that rely on cryptographic verification rather than centralised data storage. This model offers several advantages, including the ability to block fraudulent identities at the onboarding stage, significantly reduce breach exposure, and streamline compliance processes through automation. By minimising the amount of sensitive data stored centrally, institutions can also lower their attractiveness as targets for cyberattacks.
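What "cryptographic verification rather than centralised data storage" means in practice, for both the onboarding paragraph above and the decentralised identity framework described here, is easiest to see as a protocol exchange. The following Go program is an added example and is not code from Zyphe or from the original post. It assumes Ed25519 signatures, a single trusted issuer key, a hypothetical canonical attribute encoding, and an in-memory challenge store; the names `Issue`, `Present`, `Verifier` and the sample attributes are illustrative. It shows the four checks an onboarding bank performs (fresh challenge, issuer signature, expiry, holder signature) and how each of forgery, replay, theft of the credential without the holder key, and expiry is rejected, which goes beyond the single happy-path case the text describes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is a hypothetical verifiable credential: an issuer (assumed to be a
// regulated identity provider that has already checked the holder's documents)
// signs the holder's attributes together with the holder's public key and an expiry.
type Credential struct {
	Attributes []byte            // canonical attribute encoding, e.g. "name=...;dob=..."
	Holder     ed25519.PublicKey // whoever controls the matching private key is the holder
	Expiry     int64             // Unix seconds
	IssuerSig  []byte            // issuer's signature over signedBytes()
}

// signedBytes is the canonical byte string the issuer signature covers; changing
// any attribute, the holder key or the expiry invalidates the signature.
func (c *Credential) signedBytes() []byte {
	var buf bytes.Buffer
	buf.Write(c.Attributes)
	buf.WriteByte(0) // separator so attributes cannot bleed into the key bytes
	buf.Write(c.Holder)
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(c.Expiry))
	buf.Write(exp[:])
	return buf.Bytes()
}

// Issue is the issuer's side: only the issuer's private key can mint a valid credential.
func Issue(issuerPriv ed25519.PrivateKey, attrs []byte, holder ed25519.PublicKey, expiry int64) Credential {
	c := Credential{Attributes: attrs, Holder: holder, Expiry: expiry}
	c.IssuerSig = ed25519.Sign(issuerPriv, c.signedBytes())
	return c
}

// Presentation is what the holder hands to the onboarding bank for one session.
type Presentation struct {
	Cred      Credential
	Nonce     []byte // bank-issued challenge; ties the proof to this session only
	HolderSig []byte // holder's signature over nonce || bank ID
}

func challengeBytes(nonce []byte, verifierID string) []byte {
	return append(append([]byte{}, nonce...), verifierID...)
}

// Present is the holder's side: prove possession of the key named in the credential.
func Present(c Credential, holderPriv ed25519.PrivateKey, nonce []byte, verifierID string) Presentation {
	return Presentation{Cred: c, Nonce: nonce, HolderSig: ed25519.Sign(holderPriv, challengeBytes(nonce, verifierID))}
}

// Verifier is the onboarding bank: it trusts one issuer key and remembers which
// challenges it has handed out but not yet seen back. Nothing about the holder is stored.
type Verifier struct {
	ID        string
	IssuerPub ed25519.PublicKey
	pending   map[string]bool
}

func NewVerifier(id string, issuerPub ed25519.PublicKey) *Verifier {
	return &Verifier{ID: id, IssuerPub: issuerPub, pending: map[string]bool{}}
}

// Challenge issues a fresh 256-bit nonce; each one is accepted at most once.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	v.pending[string(n)] = true
	return n
}

// Verify runs the checks the bank needs before opening the account; now is Unix seconds.
func (v *Verifier) Verify(p Presentation, now int64) error {
	if !v.pending[string(p.Nonce)] {
		return errors.New("unknown or already-used challenge: presentation replayed")
	}
	delete(v.pending, string(p.Nonce)) // consume it even if a later check fails
	if !ed25519.Verify(v.IssuerPub, p.Cred.signedBytes(), p.Cred.IssuerSig) {
		return errors.New("issuer signature invalid: credential forged or tampered")
	}
	if now > p.Cred.Expiry {
		return errors.New("credential expired")
	}
	if !ed25519.Verify(p.Cred.Holder, challengeBytes(p.Nonce, v.ID), p.HolderSig) {
		return errors.New("holder signature invalid: credential not presented by its holder")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader) // has the credential but not the holder key
	now := time.Now().Unix()
	cred := Issue(issuerPriv, []byte("name=Alex Example;dob=1990-01-01"), holderPub, now+86400) // constructed sample
	bank := NewVerifier("bank-example", issuerPub)
	n := bank.Challenge()
	genuine := Present(cred, holderPriv, n, bank.ID)
	fmt.Println("genuine: ", bank.Verify(genuine, now))
	fmt.Println("replay:  ", bank.Verify(genuine, now)) // same presentation again
	forged := cred
	forged.Attributes = []byte("name=Mule Account;dob=1990-01-01")
	fmt.Println("tampered:", bank.Verify(Present(forged, holderPriv, bank.Challenge(), bank.ID), now))
	fmt.Println("stolen:  ", bank.Verify(Present(cred, thiefPriv, bank.Challenge(), bank.ID), now))
	fmt.Println("expired: ", bank.Verify(Present(cred, holderPriv, bank.Challenge(), bank.ID), now+2*86400))
}
```

The replay case is what distinguishes this from static data: a passport scan lifted from a breach verifies just as well the hundredth time as the first, whereas here a captured presentation is dead on arrival because its nonce has been consumed. The "stolen" case shows why holder binding matters, since a copy of the signed credential alone is useless without the private key. Note also what the bank never needs to retain: only the issuer's public key and a short-lived nonce set, which is the data minimisation the paragraph above refers to. A production deployment would add issuer revocation checks and selective disclosure on top of this skeleton.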

The direction of travel is clear. Regulators are tightening expectations, financial exposure is becoming more direct, and the technology required to address these challenges is already available. For financial institutions, the decision is no longer whether change is necessary, but how quickly it can be implemented to mitigate risk and remain competitive in an increasingly accountable landscape.
