Fraud and Scams - Go After the Money
By Dr. Kimmo Soramäki
I spoke last month at the IIF-FSB Summit on Fraud and Scams in Washington, a closed-door roundtable bringing together central banks, treasury officials, financial regulators, and the heads of fraud operations at some of the world's largest banks. The session I participated in was on redress, recovery, liability, and the regulatory perimeter. Here is the argument I made.
The world is wired to go after the criminals. Victims want us to go after the money.
Most countries deal with fraud and scams by going after the criminal. We investigate. We prosecute. We enforce. That is important work. But if you talk to victims, they will tell you something different. They want someone to go after the money and get it back to them.
I am talking specifically about authorised push payment fraud: scams where the victim is manipulated into making the payment themselves. This is the category that existing fraud controls were not designed for, because the payment is authorised by the account holder. It is also the category where redress matters most, because the amounts are often life savings for the individual, but too small for law enforcement to prioritise.
And this problem is getting worse before it gets better. What we are dealing with is transnational organised crime. The UN Office on Drugs and Crime estimates over 300,000 people are held in scam compounds across Southeast Asia alone, generating tens of billions of dollars annually. Generative AI in the hands of these networks will change the economics of this crime fundamentally: convincing deepfakes, personalised social engineering scaled across languages and cultures, and manipulation of victims at an industrial scale. The defences we have today were not built for what is coming.
Right now, in most jurisdictions, approximately 99.5 per cent of scam proceeds flow freely through the financial system. We publish what are essentially annual autopsies: the FTC reported $12.5 billion lost in 2024 in the United States alone. But the money is gone. Going after it requires a fundamentally new capability. It requires speed, because funds move in seconds. It requires visibility across institutions, because a mule chain spans many banks. And it requires infrastructure, because you cannot do this with phone calls and emails.
And there is a further point. Going after the money also helps you go after the criminals that matter. Those whose disruption would have the biggest impact are the ultimate beneficiaries, not the foot soldiers processing transactions. But you cannot expect good results from sending out the sniffer dogs days or weeks after the crime. The same infrastructure that traces funds for recovery also reveals the networks behind them, in real time.
Five lessons from 60+ jurisdictions
FNA is now in conversation with more than 60 jurisdictions on building a national fraud coordination infrastructure. Here is what we have learned.
Start with the plumbing, not the liability framework. The jurisdictions that have moved fastest did not begin by allocating blame between sending and receiving banks. They started by building the ability to see where the money went. Malaysia is, as of today, the first jurisdiction with a fully automated, real-time cross-institutional fraud tracing capability operating at a national scale: 48 institutions, more than 20 payment rails. Once you can see where the money went, the liability conversation becomes tractable. Without that visibility, it is an argument in the dark.
The results are concrete, and speed is everything. Malaysia's fund freeze rate increased from half a per cent to over twenty times that baseline. Cases reported promptly now achieve 100 per cent freezing rates. Investigation time dropped from days to 30 minutes, and recently to as little as 10 minutes for the fastest cases. Malaysia is the most mature deployment, but it is not the only one. Indonesia is expected to go live this quarter, with two more countries later this year.
This is a cost reduction, not a cost. Investigation time per case dropped by 70 per cent. For large banks, shared infrastructure eliminates duplicated effort. For smaller banks, it provides a baseline capability they could never build alone. When participation is mandated by the supervisor, the competitive concern disappears: all institutions participate on equal terms. The infrastructure pays for itself.
Frame it as payments infrastructure, not data sharing. Every jurisdiction that built this had the same initial conversation: who goes first, who shares what, and what about privacy. The answer was to frame it as payments infrastructure. Bank Negara Malaysia used its existing authority over PayNet. Banks did not "share data." They reported into infrastructure they already participated in. The legal and competitive objections evaporated.
The gap is architectural, not legal. In most jurisdictions, the legal basis to share fraud intelligence already exists. What is missing is the infrastructure to act on it. By the time a report reaches the financial intelligence unit through existing channels, the money has been gone for days. The answer is not to reform that process. It is to build a new capability alongside it, one that operates at the speed of the payment system rather than at the speed of a compliance report.
Three takeaways
First, build domestic infrastructure before anything else. We cannot share fraud intelligence across borders if we cannot see fraud across our own banks, and we cannot fairly assign liability without the cross-institutional record that shows who knew what, and when. The infrastructure comes first. Liability and cross-border follow from it.
Second, move from permission to obligation. In every jurisdiction that has moved, the turning point was when the regulator established a requirement that institutions must contribute to shared infrastructure. The UK, Australia, and Singapore have all crossed this line. Permission is not the bottleneck. Expectation is.
Third, set operating procedures for speed. How fast must data be contributed? How fast must a freeze recommendation be acted upon? In Malaysia, the answer is minutes. If you build the infrastructure but leave the procedures at the speed of a compliance report, you have solved the wrong problem.
There are people who lost their savings this morning. The question is whether we can get it back to them today. If we don't, it's lost.