Created on: March 13, 2026
Updated on: March 14, 2026

The Payment Scam Liability: The $8 Million Cost Hidden In Your Onboarding Process

Payment scam liability and APP fraud compliance guide for financial institutions 2026

For years, financial institutions operated under a comfortable paradigm: if a customer was defrauded, the loss was theirs to bear, and compliance meant little more than following a checklist. That era is over.

At the centre of today’s fraud epidemic is the Mule Account, a critical component in illicit financial schemes. A mule account is a bank account, often opened in the name of a real, seemingly legitimate person, that is used to receive stolen funds before passing them on to criminals. The account holder may be a willing accomplice, a vulnerable individual who has been deceived into participating, or a victim whose identity has been stolen entirely. Without mule accounts, most payment fraud simply could not happen.

As 2026 approaches, regulators worldwide are holding banks directly responsible for the mule accounts they open. The UK Payment Systems Regulator (PSR), the EU’s Third Payment Services Directive (PSD3), and evolving interpretations of US Regulation E are all moving in the same direction: away from simply checking whether banks followed a process, and toward assigning them direct financial losses when fraud occurs on their watch. Previously, regulators focused on whether a bank had the right procedures in place. Now, they are focused on outcomes and holding institutions financially accountable when those outcomes fail. The question for every institution is no longer “did we follow the rules?” but “did we stop the fraud?”

The financial sector is undergoing a structural transition where the cost of "bad compliance" is no longer just a regulatory fine; it is a direct, repeatable operational loss on the P&L.

The Root of the Problem: How Mule Accounts Get Through

The reason mule accounts are so hard to catch comes down to how banks currently verify identity. Traditional compliance checks rely on static data (a passport number, an address, a date of birth), information that can be faked, stolen, or manufactured. A fraudster who presents convincing-looking documents passes the check and walks away with a legitimate account.

What the industry increasingly needs is cryptographic proof of identity: a mathematically verifiable confirmation that someone is genuinely who they claim to be, one that cannot be forged or replicated. The difference is significant. Checking static data is like accepting a photocopy of an ID. Cryptographic proof is like having a tamper-proof system verify that ID in real time. The first can be fooled; the second cannot.

This gap explains why two of the most costly fraud types continue to flourish:

  • Authorised Push Payment (APP) fraud occurs when a victim is manipulated into willingly sending money to a criminal's account, most commonly through impersonation scams, where a fraudster poses as a bank, a utility company, a government agency, or even a trusted contact. The victim believes they are making a legitimate payment; in reality, the money goes straight to a mule account. Cryptographic proof disrupts this at the source: reduce the number of fraudulent accounts available to receive payments, and you reduce the opportunity for the fraud to succeed. A fraudster who cannot open a convincing mule account cannot complete the crime.
  • Synthetic identity fraud works differently but depends on the same weakness. A criminal constructs an entirely fictitious person, combining real and invented details to pass identity checks, then spends months or years building a convincing credit history before "busting out": executing as many high-value transactions as possible before disappearing, leaving the bank with the loss. This is precisely where cryptographic verification creates a structural barrier. Unlike a passport number or home address, cryptographic identity credentials cannot be fabricated or reused. They are mathematically linked to a verified, real human being through biometric data or government-issued credentials confirmed at source. A synthetic identity, one with no real person behind it, simply cannot produce them.

In both cases, the principle is the same: prevent the mule account from being opened in the first place, and much of the fraud never happens.
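As an added illustration of the static-data versus cryptographic-proof distinction drawn above (example code, not from the article or its publisher): the issuer signs the claims once, at source, with an Ed25519 key, and the onboarding check verifies that signature instead of judging whether the presented values look plausible. The credential fields, the plausibility rule in StaticCheck and the key handling are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential holds the claims an applicant presents; field names are constructed for this example.
type Credential struct {
	Subject     string `json:"subject"`
	DateOfBirth string `json:"dob"`
	DocumentNo  string `json:"document_no"`
}

// Signed is a credential together with the issuer's Ed25519 signature over its claims.
type Signed struct {
	Claims Credential
	Sig    []byte
}

// canonical serialises the claims deterministically so issuer and verifier sign and verify identical bytes.
func canonical(c Credential) []byte {
	b, _ := json.Marshal(c) // struct field order is fixed, so Marshal neither fails nor varies here
	return b
}

// Issue is performed once, at source, by the trusted issuing authority.
func Issue(priv ed25519.PrivateKey, c Credential) Signed {
	return Signed{Claims: c, Sig: ed25519.Sign(priv, canonical(c))}
}

// StaticCheck models the legacy control: do the presented values look plausible?
func StaticCheck(c Credential) bool {
	return len(c.DocumentNo) == 9 && c.DateOfBirth != "" && c.Subject != ""
}

// CryptoCheck models the cryptographic control: did the trusted issuer attest these exact claims?
func CryptoCheck(trusted ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(trusted, canonical(s.Claims), s.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Issue(priv, Credential{"Alice Example", "1990-01-01", "P12345678"})
	// A synthetic identity: plausible claims nobody attested, carrying a signature lifted from a real credential.
	synthetic := Signed{Claims: Credential{"Bob Fake", "1985-05-05", "P87654321"}, Sig: genuine.Sig}
	fmt.Println("static:", StaticCheck(synthetic.Claims), "crypto:", CryptoCheck(pub, synthetic)) // static: true crypto: false
}
```

A production deployment would additionally bind the credential to the person presenting it and check the issuer's revocation status, both of which this example omits.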

New Financial Risk: The End of Liability Shields

Until recently, when a customer was defrauded through a payment transfer, the receiving bank, the one that opened the mule account, faced no financial penalty. That has changed fundamentally.

The UK Payment Systems Regulator has introduced a 50/50 liability split for APP fraud: when fraud occurs, both the bank that sent the payment and the bank that received it bear half the loss. Previously, the receiving bank had no financial exposure whatsoever. Now, every account your institution opens carries direct financial liability if it turns out to be a mule. This is not a theoretical risk; it is a structural change to how losses are distributed across the banking system.

In the European Union, PSD3 and the Instant Payments Regulation require banks to implement Verification of Payee (VoP), a real-time check confirming that the name on a payment matches the account it is being sent to. If a bank fails to catch an impersonation attempt or a name mismatch, the full cost of that fraud falls on the Payment Service Provider (PSP), that is, the bank or financial technology company that processed the payment.

In the United States, the growing sophistication of synthetic identity fraud is prompting regulators to reconsider what counts as an “unauthorised” transfer under Regulation E, the federal rule governing electronic fund transfers. As fabricated identities become harder to distinguish from real ones, the defence of “the customer authorised this transfer” becomes increasingly difficult to sustain when the “customer” was a synthetic identity that the bank itself approved.

Want the full regulatory breakdown across PSR, PSD3 and Reg E, with a cost model you can take straight to the board? Download the 2026 Compliance & Liability Playbook.

Operational Hurdles: The "Honeypot" Tax

Beyond direct fraud losses, the traditional approach to compliance carries a substantial and often underestimated hidden cost, one that comes directly from how identity verification currently works.

Under today's model, companies and institutions are legally required to collect and retain large amounts of customer personal data as part of their Know Your Customer (KYC) and Know Your Business (KYB) obligations: copies of identity documents, addresses, financial histories, and more. Because each institution collects this data independently and must hold it for regulatory audit purposes, it accumulates in large, centralised databases owned and managed by the bank itself. This creates what is sometimes called the 'centralised model', and it comes with three compounding financial burdens:

  • Data Subject Request (DSR) Inflation: Under regulations, including the General Data Protection Regulation (GDPR), the European Union’s flagship data privacy law, which also applies to any institution handling EU citizens’ data, customers have the legal right to request access to, or deletion of, their personal data. Manually processing each of these requests costs an average of $1,524 per request. At any meaningful scale, this becomes a significant and growing operational drain.
  • Audit Expansion and Complexity: Demonstrating compliance with frameworks such as SOC 2 (Service Organisation Control 2, a widely recognised US standard for data security, availability, and confidentiality), GDPR, and DORA (the Digital Operational Resilience Act, the EU regulation requiring financial institutions to demonstrate they can withstand and recover from major IT disruptions) means auditing large, complex data environments. This process is expensive, time-consuming, and increasingly difficult to manage.
  • The Honeypot Effect: The more Personally Identifiable Information (PII: names, addresses, financial details, and identity documents) a bank holds in one place, the more attractive a target it becomes for cybercriminals. In financial services, the Expected Annual Loss (EAL) from a major data breach remains a persistent and growing drag on capital.

Sticking with a centralised architecture isn't just inefficient anymore; it's costing a fortune. For a mid-sized growth company managing 1.5 million records, the Cost of Inaction is estimated to be around $2.22 million annually, not in regulatory fines, but in the accumulated weight of fraud losses, data breach exposure, and compliance overhead. For a large company managing 10 million records, the Cost of Inaction rises to an estimated $7.85 million or more annually.

The Alternative: The “Mule Stopper” Framework

The strategic response emerging across the industry is a shift to a decentralised identity architecture, a model where identity is verified through mathematical proof rather than data that can be stolen or forged. The practical benefits fall into three areas:

  1. Stopping fraud at the door. Verifying identity through cryptographic proof filters out synthetic identities during onboarding, before a mule account can ever be created.
  2. Reducing breach exposure. Because sensitive customer data is no longer stored in a single centralised database, there is far less for a criminal to steal. Institutions using this model are estimated to be over 95% more breach-resistant than those relying on legacy databases.
  3. Cutting the cost of compliance administration. Automating data access requests and audit reporting reduces cost, accelerates compliance cycles, and frees teams to focus on strategic priorities rather than administrative processing.

The question is no longer whether to act. It's how fast.

The regulatory direction is set. The financial exposure is quantifiable. The technology to address it exists and can be deployed without replacing existing infrastructure. Institutions that move early will absorb lower costs, carry less liability, and be better positioned when regulators move from guidance to enforcement.

For the full cost model, the step-by-step implementation roadmap, and a competitive comparison of available solutions, download the 2026 Compliance & Liability Playbook.
