The financial system has reached an inflection point. Fraud is no longer a peripheral threat managed by compliance teams in back offices—it has become the system's own shadow economy, expanding in direct proportion to the innovation that was meant to secure it. This is the unspoken crisis now visible in the latest London Stock Exchange Group Risk Intelligence findings, and it poses an existential risk to the entire digital-first payment architecture that banks and fintechs have spent the last decade building.
The paradox is brutal. Every acceleration in banking technology—instant payments, real-time clearing, machine learning fraud detection, open banking APIs—has been shadowed by an equally sophisticated criminal ecosystem. Fraudsters do not lag behind innovation; they absorb it. They deploy the same AI that banks deploy. They understand SEPA Instant rails as intimately as the European Central Bank does. They move capital across jurisdictions faster than regulators can issue guidance. The asymmetry that once favored defenders—complexity, opacity, institutional gatekeeping—has inverted. Now, the defenders operate in public view, bound by regulation and audit trails, while criminals operate at machine speed across open infrastructure.
What makes this moment distinct is scale and penetration. Fraud in 2026 is not an anomaly committed by a criminal fringe. It is baked into the fabric of systems that process trillions daily. Payment networks designed to enable frictionless commerce have become vectors for synthetic identity schemes, account takeover attacks, and money laundering pipelines that move stolen funds across borders in seconds. For card issuers and Banking-as-a-Service platforms, this means the cost of trust—once absorbed as a line item in fraud reserves—now threatens the entire unit economics of digital banking. When a customer suffers a fraud loss, they do not blame their own security hygiene. They blame the system. They leave. They shift to cash. They migrate to a competitor. Or worse, they stop using digital payments altogether.
The LSEG report is a mirror held up to the banking world, and what it reflects is uncomfortable: the system has scaled faster than trust infrastructure has scaled. Instant payment systems like those operated across the EU under the SEPA Instant Credit Transfer standard have reduced settlement time from days to seconds, but reversibility windows have shrunk accordingly. By the time a customer realizes they have transferred funds to a mule account, the money is gone. European banking regulators now face a design problem they cannot regulate away: the faster the rails, the narrower the window for detection and reversal. The criminals have optimized for this. They move money through rapid cascades of onward transfers, each below reporting thresholds, each designed to exploit the lag between detection and intervention.
Open banking architecture, mandated by PSD2 and its successors, was meant to democratize finance and break the incumbent bank oligopoly. In principle, it has. In practice, it has also democratized fraud infrastructure. Third-party application providers can now access customer account data and initiate transactions with explicit consent—a genuine innovation. But consent is routinely harvested through phishing, social engineering, and fake authentication screens indistinguishable from genuine bank interfaces. The API is not the problem; the trust boundary is. And once that boundary dissolves, the entire architecture fails.
For card issuers and programmatic card platforms, the immediate question is operational: how do you maintain customer acquisition and retention when the fraud rate—whether measured by contested transactions, account takeover incidents, or synthetic identity infiltration—is climbing faster than your fraud detection models can keep pace? The standard answer—machine learning, behavioral analytics, biometric verification—is necessary but insufficient. These are arms-race increments. Criminals learn from every detection event and adapt. They train their own AI on your block lists. They forge biometrics. They model your velocity checks and structure their attacks to evade them. You are not ahead; you are engaged in a perpetual catch-up that costs money and erodes user experience with every friction point you add.
What the LSEG data is really telling us is that the problem has become structural, not tactical. Trust in digital payment systems depends on the reasonable belief that your transaction is irreversible only after genuine verification and that the institution you are sending money to is real. Neither assumption holds anymore. Recipient verification is trivial to circumvent. Institutions can be spoofed. And once the user has lost money, the psychological damage is permanent. They may continue to use the system for necessity—salary deposits, bill payments—but they will not trust it with discretionary transactions. They will not be early adopters of new payment services. They will not expand their digital financial footprint. Growth stalls. And in a sector built on network effects and user growth, stalled growth is death.
The regulatory response, so far, has been to deepen compliance burden. Stronger KYC, continuous monitoring, transaction monitoring rules, API security mandates, fraud reporting obligations—all necessary, all adding cost, all shifting to the edges of the system (the banks, the fintechs, the payment processors) rather than addressing the root cause, which is that instant, irreversible, pseudonymous-to-pseudonymous payment rails are inherently difficult to secure at the endpoint. You cannot regulate away the fact that a user can be socially engineered into authorizing a fraudulent transfer in seconds. You cannot mandate authentication standards that work if the user's device is already compromised. You cannot force banks to refund fraud losses without eventually pricing that loss into the margin, which means fewer people can afford financial services.
The systems that will survive this inflection point are those that rebuild trust at the application layer, not the infrastructure layer. This means moving beyond transaction-level fraud detection and toward relationship-level trust verification. It means biometric authentication that cannot be faked or stolen. It means real-time counterparty verification embedded in the payment flow itself. It means that before your money moves, you get an irreducible proof that the recipient is who they claim to be, and that proof is expensive enough to create that it deters impersonation at scale. Some of this is already emerging in embedded finance platforms that control both sides of the transaction (e.g., payment integrations within branded apps where the merchant identity is verified by the application owner). But for open banking, for interoperability, for the vision of a truly democratic financial system, the trust problem is harder to solve, and the regulatory window to solve it may be closing.
The stakes are not academic. Central banks, payment system operators, and regulators across the world are asking a single question: if people do not trust the system, will they use it? The historical answer is no. They will retreat to cash. They will use informal value transfer systems. They will lose confidence in regulated financial services altogether and migrate to jurisdictions or instruments where they perceive the risk to be lower—even if that perception is false. And once that migration begins, the entire infrastructure model collapses, because it depends on volume and velocity to function.
The LSEG report is the canary in the coal mine. It is time to rebuild trust deliberately, explicitly, and at the system design level—not as a compliance checkbox, but as the primary architecture of modern finance.
Written by the Codego Press editor — independent banking and fintech journalism powered by Codego, European banking infrastructure provider since 2012.
Sources: The Finanser / Chris Skinner's Blog · May 2026