The financial services industry is entering a decisive shift in how fraud risk is understood and absorbed. For years, institutions operated on the assumption that losses from scams largely sat with the customer, while compliance obligations were centred on process adherence.
According to Zyphe, that model is now being dismantled. Today, liability is moving firmly onto the institutions themselves, turning onboarding failures into direct financial exposure.
At the heart of this transformation is the mule account, a seemingly legitimate bank account used to receive and transfer illicit funds. Whether controlled by complicit individuals, manipulated victims or synthetic identities, these accounts underpin the majority of payment fraud schemes.
As regulators tighten expectations ahead of 2026, the emphasis is no longer on whether firms followed procedures, but whether they prevented fraud outcomes. Frameworks such as the UK’s Payment Systems Regulator rules, the EU’s PSD3, and evolving interpretations of US Regulation E are converging on a single principle: accountability. Financial institutions are now being judged on results, not intent. This marks a structural change where poor compliance is no longer just a regulatory issue but a recurring operational cost hitting the bottom line.
The root of the issue lies in how identity verification is currently conducted. Traditional onboarding relies heavily on static data such as addresses, dates of birth and identification numbers. These elements can be easily fabricated or stolen, allowing fraudsters to pass checks with convincing documentation. This weakness continues to fuel two of the most expensive fraud typologies: Authorised Push Payment (APP) fraud and synthetic identity fraud.
In APP fraud, victims are manipulated into sending money to fraudulent accounts, often believing they are dealing with trusted entities. Synthetic identity fraud, meanwhile, involves the creation of entirely fictitious personas that gradually build credibility before executing large-scale financial theft.
Both forms of fraud depend on the same vulnerability: the ability to create or access mule accounts. The emerging solution lies in cryptographic identity verification, where identity is confirmed through mathematically secure credentials rather than easily replicated data. This approach fundamentally changes the equation. Without the ability to generate a verifiable identity, fraudulent actors are unable to open accounts, effectively disrupting fraud at its source.
The financial implications of this shift are becoming increasingly clear. The introduction of a 50/50 liability split for APP fraud in the UK means receiving banks now share direct responsibility for losses, even if they were not involved in initiating the transaction. In Europe, Verification of Payee requirements under PSD3 place the burden squarely on institutions to detect mismatches in real time. Failure to do so results in full financial liability. Meanwhile, in the US, regulators are reassessing liability frameworks as synthetic identities blur the line between authorised and unauthorised transactions. Collectively, these developments remove long-standing liability shields and expose onboarding processes as a critical risk vector.
Beyond fraud losses, institutions are also grappling with the hidden costs of traditional compliance models. Centralised data storage, long considered a necessity for Know Your Customer (KYC) and Know Your Business (KYB) processes, is now creating operational strain. Handling Data Subject Requests under GDPR can cost an average of $1,524 per request, quickly escalating at scale. At the same time, maintaining compliance with frameworks such as SOC 2 and DORA requires auditing increasingly complex data environments, driving up both cost and operational burden. The accumulation of sensitive personal data also creates a significant cybersecurity risk, turning institutions into prime targets for breaches and increasing expected annual losses.
These combined pressures are forcing a rethink of identity architecture. A decentralised approach, built on cryptographic verification, is gaining traction as a more resilient alternative. By eliminating the need to store large volumes of personal data, institutions can significantly reduce breach exposure while streamlining compliance processes. More importantly, this model prevents fraudulent accounts from being created in the first place, addressing the root cause of many financial crimes.
The industry is therefore at a pivotal moment. Regulatory expectations are tightening, fraud costs are rising, and the limitations of legacy systems are becoming increasingly apparent. The technology required to address these challenges already exists, and institutions that act early stand to reduce both financial exposure and operational complexity. Those that delay risk absorbing escalating losses as liability frameworks continue to evolve.
Copyright © 2026 RegTech Analyst





