2025 EBA-ECB Payment Fraud Report: Key Insights and Takeaways for Fintechs and PSPs

Topline Fraud Trends in 2024: Losses Surge to €4.2 Billion

Europe’s latest payment fraud figures are stark. According to the joint 2025 EBA-ECB report, fraud losses across the EEA totaled €4.2 billion in 2024, a 17% jump from 2023. This surge marks a sharp increase despite overall transaction fraud rates holding steady at a low ~0.002% of total payments value. The data shows fraud growth concentrated in particular instruments: credit transfers, e-money transactions, and card payments saw the largest spikes. In fact, fraud via credit transfers reached €2.5 billion (up 24% YoY), the single biggest share by value. Card payment fraud also climbed (about €1.3 billion in 2024, a 4% increase in value), though the net losses on cards were higher, as discussed later. Meanwhile, e-money and other instruments (like direct debits and ATM withdrawals) together accounted for a smaller €349 million, yet still rose 26% year-on-year.

Overall, the headline is clear: fraud losses are rising in absolute terms, even as strong authentication keeps the rate of fraud in check. Fintechs, neobanks, payment service providers (PSPs), and Banking-as-a-Service platforms should take note of where these increases are coming from, chiefly digital payment channels to target their defenses accordingly.

Remote Transactions Dominate Fraud by Volume and Value

One unmistakable insight is that remote (online) transactions are the epicenter of payment fraud. The report shows that across cards, credit transfers, and e-money, the vast majority of fraudulent transactions occur in remote channels. For example, most card fraud involves criminals using stolen card data online (card-not-present fraud), while relatively few scams exploit physical card use. Indeed, “fraud involving card payments, credit transfers and e-money transactions predominantly occurred in remote transactions”. By contrast, legitimate card usage still skews heavily to in-person payments (e.g. chip-and-pin or contactless), but those face-to-face payments see far lower fraud incidence.

Criminals are exploiting the anonymity and scale of digital channels. Remote card fraud (e.g. using stolen card credentials on e-commerce sites) remains a top modus operandi. The report notes that in most card fraud cases, fraudsters directly initiated payments using stolen details for online purchases, or via lost/stolen physical cards for contactless POS fraud. Meanwhile, authorized push payment (APP) scams, where victims are tricked into making credit transfers, now account for over half of fraudulent credit transfer value. In these scams, also called manipulation of the payer, the victim is socially engineered into sending money to an impersonator (for instance, a fraudster posing as a legitimate payee or authority). APP scams have proliferated via real-time bank transfers, contributing to credit transfers overtaking cards as the largest fraud category by value. In short, the biggest fraud losses stem from remote abuse: card-not-present fraud and online banking scams that trick users into unwittingly authorizing payments. Fintechs and digital banks must therefore treat remote transaction channels as high-risk and invest in controls (like device fingerprints, stepped-up verification, and user education) to tackle these dominant fraud vectors.

The Impact of SCA: Effective but Not Foolproof

Strong Customer Authentication (SCA), mandated under PSD2 since 2020 has clearly bolstered payment security, yet fraudsters are adept at finding gaps. The EBA-ECB analysis confirms that transactions protected by SCA are far less likely to be fraudulent than those exempt or unauthenticated, especially for card payments. For instance, an online card payment with two-factor SCA (e.g. 3-D Secure one-time code) is significantly harder to compromise. Notably, card payment fraud rates were found to be 17× higher when the payee was outside the EEA (where SCA isn’t required) compared to domestic EEA transactions. This underscores how PSD2’s SCA mandate has slashed traditional card fraud in Europe and “remains effective against the fraud types it was designed to mitigate”.

However, fraudsters are adapting their tactics to bypass or exploit SCA. The report highlights that new fraud schemes target transactions where an SCA exemption applies, or else manipulate users into authenticating fraudulent transactions. In practice, this means criminals focus on scenarios like: contactless card payments (waved through without PIN under the low-value threshold), “trusted beneficiary” transfers (where the user had pre-authorized the recipient, allowing future payments without SCA), and other PSD2 exemptions meant to streamline payments. For example, the contactless exemption has become ubiquitous, it accounted for roughly 79% of all non-SCA card transactions in 2024, and fraudsters take advantage of stolen cards by making numerous tap-and-go purchases under the limit. Likewise, scams have coerced victims into adding the fraudster’s account as a trusted payee, negating SCA on subsequent transfers. The data even shows that among credit transfer transactions that skipped SCA, those flagged as “trusted beneficiary” had some of the higher fraud rates.

Crucially, fraud persists even on SCA-authenticated payments in certain cases. Why? Because SCA primarily stops unauthorized fraud (e.g. a thief can’t use your card online without the one-time code). It is less effective against authorized fraud where the account holder is tricked. The report notes an intriguing wrinkle: for credit transfers, transactions that did undergo SCA actually showed higher fraud rates than those that didn’t. This counterintuitive finding likely reflects that banks apply SCA for higher-risk or high-value transfers, in other words, by the time SCA is invoked, the transaction itself may be inherently riskier (e.g. an urgent large transfer that could be an APP scam). In many APP fraud cases, the victim themselves completes SCA (entering their PIN or OTP) because they have been socially engineered. Thus, while SCA has raised the bar for fraudsters, it is not a panacea. Attackers now pivot to human vulnerabilities and loopholes: convincing customers to authorize bad transactions or hitting channels like contactless and cross-border payments where SCA checks fall away.

Where is SCA working? Cards and login flows show marked reduction in fraud when SCA is used, and Europe’s overall fraud rate stability is credited to broad SCA adoption. Where are the cracks? Contactless card fraud and certain remote transfers exploit SCA carve-outs. The takeaway for PSPs and fintechs is twofold: double down on SCA for vulnerable transactions (don’t overuse exemptions purely for convenience), and deploy additional layers (behavioral analytics, confirmation prompts, customer education) to catch fraud that skirts or even passes SCA.

Real-Time Payments Fuel Real-Time Fraud (SCT Inst Insights)

The rise of SEPA Instant Credit Transfers (SCT Inst) is a double-edged sword. Instant payments are becoming mainstream in Europe, by late 2024, about 16% of all SEPA credit transfer volume was real-time, up from under 10% just a few years prior. Consumers and businesses appreciate the speed, but so do fraudsters. Real-time rails mean criminals can rapidly transfer stolen funds through mule accounts and beyond the reach of recall. The joint report’s special analysis on instant payments reveals that as SCT Inst usage surged, fraud exposure also grew in tandem. In fact, the number of fraudulent instant payment transactions jumped 175% over the past couple of years, far outpacing the ~98% growth in overall instant payment volume. This indicates that fraudsters are aggressively targeting instant payments, likely because of their immediate, irrevocable nature.

On a positive note, the total value of fraud in instant payments hasn’t ballooned quite as dramatically, it rose ~59% even as instant transaction values grew 74%. In other words, fraud rates (losses as a percent of transactions) for SCT Inst have actually inched downward recently. As adoption broadens (with many more low-value instant payments), the average loss per fraud incident has slightly decreased. The data suggests that while there are more scam attempts in real-time payments, not every attempt is hitting huge values.‍

Still, the average fraudulent SCT Inst transaction is nothing to scoff at, about €1.4k, though notably lower than the ~€3.6k average for traditional credit transfer fraud, which is skewed by big-ticket APP scams. Those figures imply that classic wire transfer scams often involve larger one-off payments (think victims instructed to transfer life savings), whereas instant payment fraud may sometimes involve smaller, rapid-fire thefts.

Authorised push payment (APP) scams remain the chief menace in instant payments. The report links the uptick in average fraud size for credit transfers to the prevalence of APP scams causing “high damages per fraudulent transaction”. In the instant payment context, fraudsters may attempt more numerous heists knowing transfers settle in seconds. This puts pressure on banks and fintechs to detect and block suspect SCT Inst transactions in real time, a challenge given the narrow intervention window.

Europe’s regulators are responding with new safeguards tailored to instant payments. The recently adopted Instant Payments Regulation (EU 2024/886) will make euro instant transfers ubiquitous and safer. By October 2025, most PSPs must be capable of sending and receiving SEPA Instant payments, eliminating the remaining adoption gaps. Critically, the regulation also mandates new anti-fraud measures. A key requirement is Verification of Payee (VoP): by the same 2025 deadline, banks must implement an account name matching service for instant transfers. This means before an instant credit transfer is executed, the payer’s bank will check if the beneficiary name matches the account holder name on record, a tool to thwart impersonation scams. VoP (similar to the UK’s Confirmation of Payee) is expected to “contribute to containing fraud” in real-time payments going forward. Fintechs and neobanks should prepare to integrate such name-check APIs and adjust customer experience accordingly. Additionally, the Instant Payments Regulation pushes for rigorous screening of instant transactions against sanctions and AML criteria in real-time, further blending fraud prevention with compliance.

In sum, the growth of SCT Inst brings heightened fraud risks alongside customer benefits. Fraud teams must adapt by moving at the speed of instant payments. Tools like immediate transaction scoring, payee name verification, and the ability to pause suspicious transfers become essential. Real-time rails wait for no one, fraud defense now has to be just as real-time.

Fraud’s Intersection with AML: Compliance Implications

The 2025 fraud trends also carry serious AML/CTF implications. The dominant fraud vectors, remote scams, APP fraud, cross-border card skimming; often double as money laundering channels. When a victim is conned into sending money to a mule account, those funds typically disappear across borders or into obscure accounts within minutes, effectively laundered before the victim even knows what happened. The report underscores this cross-border element: a majority of card fraud value and a large share of credit transfer fraud involve a cross-border component, with 30% of card fraud by value flowing to recipients outside the EEA. Such international fraud paths mirror classic money laundering tactics, using foreign or offshore accounts to evade detection and recovery.

Remote impersonation scams and mule networks are blurring the line between fraud and AML. The same accounts used to receive scam proceeds are often part of wider laundering rings, moving illicit funds through multiple hops. E-money wallets and fintech accounts can be prime targets for these activities: their lighter regulatory history or faster onboarding can attract fraud proceeds that are quickly cashed out or layered through crypto exchanges. Likewise, the instant payment ecosystem can inadvertently facilitate rapid layering of funds, exploiting any gaps in AML transaction monitoring if banks are not quick enough to flag suspicious patterns. For example, if one account suddenly receives dozens of incoming instant transfers from across Europe (classic mule behavior), it’s both a fraud issue and an AML red flag for potential money mule activity.

Regulators are increasingly recognizing that fraud and money laundering risks converge in modern payment channels. The fact that 85% of credit transfer fraud losses in 2024 fell on customers (who often get no reimbursement) has prompted discussions on whether institutions are doing enough to prevent these scams in the first place. With victims bearing the brunt and stolen funds rarely recovered, watchdogs are questioning how banks’ AML programs and risk controls can be recalibrated to intercept scam-related flows. For instance, should a series of large outgoing payments by an elderly user to a new payee trigger not just fraud alerts but also AML suspicious activity indicators? Should banks delay or block transactions that fit APP fraud patterns under the banner of anti-financial-crime measures? These questions are mounting. Regulators in some jurisdictions are already pushing for better customer protection (the UK, for one, is mandating reimbursements for many APP fraud victims, pressuring banks to strengthen upfront detection). In the EU, upcoming PSD3 and PSR proposals are expected to reinforce fraud prevention obligations alongside traditional AML rules.

For fintechs and BaaS platforms, the message is that fraud prevention can no longer be siloed from AML compliance. Scams, cyber theft, and mule accounts are facilitating predicate offenses to money laundering, and supervisors will hold institutions accountable for detecting and reporting these as part of AML/CTF duties. This means transaction monitoring scenarios should incorporate known fraud patterns (e.g. rapid sequence of inbound credits followed by outbound to crypto). It also means stronger KYC and ongoing due diligence on accounts to spot red flags like identity fraud or mule behavior (impersonation is not only a fraud risk but also an AML risk if fake or complicit identities are used to open accounts). Fintechs should expect more scrutiny on how their AML controls handle fraud-related flows, and ensure their fraud analysts and AML compliance teams are sharing intelligence. Ultimately, the convergence of fraud and AML demands an aligned strategy, one that views preventing fraud losses and preventing illicit finance as two sides of the same coin.

The Liability Burden: Customers, Banks, and Shifting Regulatory Stance

An eye-opening aspect of the 2024 data is who bears the financial loss when fraud happens. Liability for fraud in Europe varies by payment type and scenario, but the report reveals a wide disparity. Overall, payment service users (PSUs), i.e. customers, shouldered a majority of fraud losses in certain instruments, especially credit transfers. In 2024, users bore about 85% of total fraud losses on credit transfers. This is largely due to the nature of APP scams: the victim technically authorizes the payment, so under current laws, they often have no automatic right to reimbursement. The banks/PSPs therefore typically do not absorb those losses (unlike unauthorized card fraud, where by law the bank usually eats the cost beyond a small excess). By contrast, for card payments in 2024, customers bore around 38% of fraud losses on average, meaning banks and card issuers ate the other ~62%, reflecting protections that indemnify customers in many card fraud cases. For direct debits and ATM withdrawals, roughly 50% of fraud losses fell on customers, whereas for e-money transactions customers bore only ~26% (perhaps due to issuer policies or smaller fraud amounts in e-money). These averages hide country-by-country differences: in some EU markets, banks reimburse nearly all card fraud, while in others customers still lose significant sums.

The imbalance for credit transfer scams is drawing regulatory attention. Billions disappearing via authorized scams with little recourse for victims is not a sustainable state of affairs. Beyond the consumer protection angle, regulators worry that if victims and society at large are eating the losses, the incentives for institutions to bolster fraud controls might be suboptimal. The report even hints that funds recovery by PSPs has gotten worse, financial losses (net of any recovered funds) grew 23% year-on-year, higher than the growth of fraudulent transactions, suggesting fewer stolen funds were clawed back in 2024. This is a red flag. It implies that once money is fraudulently transferred, it’s increasingly gone for good (likely whisked away via instant payments and laundering channels).

All this is pushing regulators to rethink liability and accountability. If banks are rarely able to retrieve funds after an APP fraud, there is mounting pressure to prevent such fraud or stop it mid-flight. We may see regulatory moves, either in law or supervisory expectations, to make institutions more responsible for scam prevention and perhaps to consider fraud risks as part of operational risk capital or AML obligations. Already, the EBA in its opinions has stressed the need for additional fraud mitigation measures in PSD3/PSR beyond what PSD2 had. It’s plausible that future rules could introduce a framework for shared liability or mandatory refunds in certain scam cases (as the UK is implementing), which would dramatically alter the cost calculus for PSPs. In any case, fintechs and neobanks should track these developments: the era of “fraud losses primarily being the customer’s problem” may be nearing an end. Forward-looking institutions are preemptively investing in stronger fraud defenses now, rather than risk regulatory penalties or forced reimbursements later.

How Fintechs and PSPs Can Reduce Fraud and AML Exposure

Amid these trends, what practical steps can fintech companies, payment processors, and banks take to protect themselves and their customers? The data calls for a proactive, intelligence-driven approach. Here are key strategies to reduce fraud and intersecting AML risk in the post-PSD2 threat landscape:

• Real-Time Behavioral Analytics: Deploy systems that analyze user behavior and transaction patterns in real time. By establishing baselines for “normal” customer behavior, anomalies can be flagged the moment they occur. For example, if a usually low-activity account suddenly initiates a high-value international transfer, real-time analytics should catch this deviation and trigger an intervention before money leaves. Modern cloud-based fraud engines and machine learning models can crunch streaming data to spot account takeovers, mule account activity, or bot-driven attacks as they unfold. The goal is to detect and stop fraud during the transaction, not hours or days later when funds are gone. Catching fraud in-flight allows institutions to block or recall transactions, dramatically improving loss recovery (versus after-the-fact detection, which usually means losses are permanent).
• Dynamic Risk Scoring & Step-Up Checks: Rigid one-size-fits-all rules are not enough. Fintechs should implement dynamic risk scoring for both customers and transactions. This means continuously updating a risk score based on factors like device reputation, geolocation, past spending patterns, and even macro indicators (e.g. a sudden surge in fraud cases linked to a certain IBAN or phone number). When a transaction’s risk score crosses a threshold, step up the friction, require SCA if it was initially exempt, ask for additional verification, or delay the payment for manual review if needed. Notably, the PSD2 SCA regime allows some flexibility (via the Transaction Risk Analysis exemption) to skip SCA for low-risk transactions. Firms should flip that on its head: use risk analysis to apply SCA or other checks for high-risk scenarios. For instance, contactless transactions are typically exempt, but if a customer does an unusual string of tap payments in a short time or in a new location, triggering a PIN entry or phone confirmation can thwart a stolen card from being run up. Governance of SCA exemptions is key: monitor how often and why your organization is not applying SCA, and ensure that decision is truly risk-based. If fraud is clustering in a certain exemption (say, trusted beneficiaries), tighten the rules (e.g. require re-authentication for unusually large “trusted” transfers).
• Cross-Border Fraud Intelligence Sharing: Given the cross-border nature of many fraud schemes, no institution can fight this alone. Fintechs and challenger banks should leverage collective intelligence, whether through industry data sharing initiatives, third-party databases of compromised accounts, or consortium analytics. For example, if a certain proxy account or card BIN is being used in scams across multiple countries, having access to a fraud intelligence feed can alert your team to emerging threats. Participate in information-sharing programs (within legal limits and GDPR compliance) to get ahead of fraud patterns that transcend borders. Consortium data on mule accounts, device fingerprints, and scam scripts can greatly enhance your detection models. In parallel, ensure your AML team is tuned into these fraud intel sources, a known mule IBAN or a blacklisted phone number should be loaded into transaction monitoring filters to auto-block payments to those destinations. Cross-border cooperation isn’t just for regulators; it’s a practical tool for fintech risk teams to stay one step ahead of international fraud rings.
• Converged Fraud + AML Monitoring: Bridge the gap between fraud prevention and AML compliance by using unified platforms and workflows. Traditional banks have often run fraud detection and AML transaction monitoring as separate silos, but modern fintechs can outperform them by integrating these functions. A unified financial crime platform can ingest transaction events once and evaluate them for both fraud risk and AML indicators simultaneously. This yields a more holistic view: for instance, a series of incoming payments that might not trigger an AML alert (if below certain thresholds) could still trigger a fraud suspicion if those senders were recent scam victims, if the systems talk to each other. Industry leaders like Flagright have championed platforms that unify AML and fraud prevention in real-time, providing a single view of risk with auditable controls and fast response capabilities. The benefit is twofold: speed (no lag from one team to the other; the same real-time rules engine can stop a fraudulent transaction and log an AML suspicious activity case in parallel) and completeness (fewer gaps for criminals to slip through in the cracks between separate systems). Fintechs should consider investing in such unified solutions that offer sub-second scoring, rules, and case escalation for both fraud and compliance needs. This not only reduces financial loss but also strengthens regulatory compliance, as auditors can see a coherent, end-to-end defense against financial crime.
• Strengthen Customer Education and Vigilance: While technology is crucial, don’t overlook the human element, many frauds (especially APP scams) succeed by tricking the customer. Consistently educate your users about common scam tactics (phishing calls, fake invoices, romance scams, etc.). Provide in-app warnings if a transfer looks suspect (e.g. “This IBAN has not been paid before, be wary of scam requests”). Some banks have started asking users to confirm an on-screen fraud warning prompt before allowing large outbound transfers. Encourage customers to use features like spend limits, geolocked card usage, and to never share OTPs. Ultimately, an alert and informed customer base is an added layer of defense. Empower your support teams to act quickly when a customer reports something suspiciousm, minutes matter with instant payments.

By combining these measures, real-time monitoring, agile risk scoring, collaborative intelligence, unified fraud/AML operations, and customer awareness, fintechs and PSPs can significantly reduce their fraud losses and related AML exposure. The goal is to create a multi-layered defense that adapts as fast as fraudsters do, across both the preventive and detective controls.

Flagright’s Perspective: Unified, Real-Time Defense in a Post-PSD2 World

It’s worth noting how these recommendations align with broader industry trends. The post-PSD2 fraud landscape is pushing financial institutions toward greater agility and integration in risk management. Flagright, as a regtech thought leader in this space, has often advocated for breaking down silos between fraud prevention and AML compliance. A unified strategy, backed by technology that can perform real-time risk assessments and provide an audit trail, is increasingly seen as best practice. For example, Flagright’s unified financial crime platform is designed to cover transaction monitoring, watchlist screening, fraud detection, case management and more in one solution. Such platforms exemplify the kind of end-to-end, real-time control that regulators and industry experts are calling for. They allow a fintech or bank to respond to threats like an APP scam by instantly scoring the transaction, referencing both fraud rules and AML red flags (like a risky beneficiary or abnormal behavior), and stopping execution while raising an alert for investigation, all in seconds. This level of responsiveness and integration was not common a decade ago, but it is rapidly becoming essential. Flagright’s approach; unifying data, applying explainable AI, and automating workflows, shows how firms can “adapt to the evolving threat landscape” without drowning in false positives or manual work.

The underlying philosophy here is that fraud and compliance teams must work hand-in-hand. In practice, that means shared tools, shared data, and coordinated responses. A case in point: imagine a scenario of suspected mule activity, the fraud team spots unusual P2P transfers on an account, and the AML team sees multiple new accounts with linked IDs sending funds to the same destination. If both teams are on a unified platform, this intelligence can be merged, and a single action (freezing the account and reporting the entities) addresses both the fraud and the laundering aspects. Unified systems also help with regulatory transparency, as everything from initial alert to investigation to SAR filing can be documented in one place. Going forward, expect regulators to increasingly favor institutions that demonstrate this kind of holistic oversight of financial crime.

In summary, fintechs and payment companies that leverage unified, real-time fraud+AML solutions will be better positioned to protect customers and satisfy regulators. Flagright is at the forefront of this shift, illustrating what’s possible when technology and smart policy converge.

Conclusion: Converging Controls for an Evolving Landscape

The EBA and ECB’s 2025 report makes one thing clear: while Europe’s stringent authentication rules have kept many traditional fraud schemes at bay, fraudsters are innovating just as fast. As instant payments go mainstream and digital transactions proliferate, banks and fintechs face an arms race against adaptive adversaries. The coming year will bring SEPA Instant payments as a standard, which also means fraud attempts will continue to evolve in real-time. To meet this challenge, institutions must converge their fraud and AML efforts into a unified, intelligence-driven defense. Siloed approaches or after-the-fact controls won’t suffice when transactions settle in seconds and scammers socially engineer their way past front-line barriers.

The path forward lies in embracing real-time, data-driven controls, from SCA on as many transactions as practical, to instant anomaly detection, to collaborative cross-bank intelligence sharing. Equally, it requires a cultural shift: fraud risk can no longer be treated as a separate realm from financial crime compliance. The most successful fintechs and PSPs will be those who break down walls between teams, leverage advanced analytics (AI, machine learning) for pattern recognition, and maintain a nimble risk framework that can adjust rules on the fly as new fraud patterns emerge. Regulators, for their part, are nudging the industry in this direction, through regulations like the Instant Payments Regulation’s VoP mandate, through PSD3 discussions on fraud liability, and through ongoing supervisory expectations that firms proactively address scam epidemics.

In the end, protecting the integrity of payments calls for an integrated approach. Firms must strive to “stay ahead of the fraud curve” by unifying people, process, and technology across fraud prevention and AML. With real-time payments becoming the norm, the ability to react in real-time or even anticipate threats via predictive analytics will distinguish the leaders in fraud and risk management. The EBA-ECB report’s data is a wake-up call, but also a roadmap: remote transactions need extra vigilance, SCA and other controls must be continually fine-tuned, and fraud controls should be as agile and cross-border as the fraudsters themselves. By heeding these lessons and investing in unified, real-time defenses, fintechs, neobanks, and PSPs can not only mitigate losses but also build trust and resilience as we move into the next phase of Europe’s digital payment era.