Authorised push payment fraud — where a victim is manipulated into authorising a payment to an account controlled by criminals — is the dominant consumer payment fraud category in markets with real-time payment rails. The UK's mandatory reimbursement rules, active since October 2024, have fundamentally changed the commercial calculus for payment service providers. And the fraud landscape itself is being reshaped by AI-generated synthetic identities and deepfake technology that can defeat controls designed for a human-authored threat environment.

UK APP reimbursement: one year on

The UK Payment Systems Regulator's APP fraud reimbursement rules require sending and receiving payment service providers to share liability for reimbursing victims of in-scope APP fraud. After significant industry debate about the commercial burden on smaller payment institutions, the initial £415,000 cap was reduced before implementation, and the PSR set the maximum reimbursement level at £85,000 per claim. The liability principle is unchanged: PSPs that receive fraudulent payments bear shared responsibility for the loss.

The first year of mandatory reimbursement has revealed several commercial and operational realities. The liability sharing model creates incentive problems: receiving PSPs have stronger incentives to tighten onboarding and monitoring when they bear reimbursement liability, but some institutions are responding with friction that disproportionately affects legitimate customers. The PSR is now consulting on calibration of the framework, including how to address the divergence between PSP approaches to inbound payment screening.

For payment institutions operating in or entering the UK market, the operational requirement is: real-time inbound payment screening against known mule account databases and fraud intelligence networks; confirmation of payee verification before processing outbound transfers; transaction monitoring capable of identifying social engineering patterns; consumer education programmes that meet the PSR's expectations for vulnerable customer protection; and case management infrastructure that can handle reimbursement claims within the required timeframes.

Synthetic identity fraud: the onboarding vulnerability

Synthetic identity fraud — the creation of fictitious identities using combinations of real and fabricated data — is rising quickly, fuelled by generative AI. Unlike account takeover, which targets existing accounts, synthetic identity fraud creates new accounts that pass traditional KYC controls because the identity appears legitimate even though the person does not exist. The fraudster typically establishes a credit history over months before executing a bust-out attack.

AI-generated deepfakes are actively being used to defeat biometric liveness detection at onboarding — the control that was intended to prevent synthetic identities from passing video verification. Europol has specifically flagged deepfake document manipulation and impersonation as active threats to financial onboarding. The implication is that biometric verification alone is no longer a sufficient control: institutions need layered identity assurance that includes device signals, behavioural analytics during onboarding, and ongoing transaction monitoring that catches bust-out patterns before they crystallise into losses.

GCC fraud context

In the GCC, the real-time payment infrastructure — SARIE, Aani, QPay — creates the same fraud velocity problem that real-time payment rails create in any market: irrevocable transactions processed in seconds, before fraud detection systems have had time to assess the full risk. CBUAE's updated AML/CFT guidance in April 2026 specifically addresses dynamic monitoring requirements. SAMA has issued guidance on fraud prevention for open banking payment initiation services, anticipating the fraud risk that will accompany the expansion of third-party payment access.

The UAE and Saudi Arabia have seen significant increases in social engineering fraud targeting migrant worker populations — a demographic with high remittance payment activity and varying levels of digital financial literacy. Payment institutions serving this population need fraud controls calibrated for the specific social engineering patterns operating in GCC corridors, not just European or global typologies.

What payment institutions must build

Effective fraud prevention in 2026 requires a layered architecture. Pre-authorisation controls — device fingerprinting, behavioural biometrics, velocity checks and network graph analysis — catch the highest proportion of fraud before a transaction is authorised. Real-time authorisation decisioning using machine learning models trained on institution-specific patterns catches fraud that pre-authorisation controls miss. Post-authorisation monitoring using transaction monitoring rules and anomaly detection catches patterns that emerge across multiple transactions. And case management infrastructure ties the layers together, enabling investigation teams to act on alerts efficiently and document decisions in ways that satisfy regulatory audit requirements.

The institutions best positioned against the evolving fraud landscape share one structural characteristic: their fraud and compliance data is unified rather than siloed. When a device seen in a fraud case also appears in an AML alert, institutions with unified data environments detect the connection; those with separate fraud and AML systems miss it.
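The cross-system connection described above, and the network graph analysis named in the layered architecture, can be sketched as follows. This is an added example, not code from any institution or vendor: the record layout, the identifiers and the choice of `device` and `account` as link fields are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: IDs, devices and accounts are made up for illustration.
FRAUD_CASES = [
    {"id": "FRD-001", "device": "dev-a1", "account": "ACC-100"},
    {"id": "FRD-002", "device": "dev-b2", "account": "ACC-200"},
]
AML_ALERTS = [
    {"id": "AML-901", "device": "dev-a1", "account": "ACC-150"},
    {"id": "AML-902", "device": "dev-z9", "account": "ACC-150"},
    {"id": "AML-903", "device": "dev-y8", "account": "ACC-999"},
]
LINK_FIELDS = ("device", "account")  # assumed shared identifiers


def find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cross_silo_clusters(fraud_cases, aml_alerts, fields=LINK_FIELDS):
    """Return clusters of records linked by shared identifiers that span both systems."""
    records = [("fraud", r) for r in fraud_cases] + [("aml", r) for r in aml_alerts]
    parent = {r["id"]: r["id"] for _, r in records}
    first_seen = {}  # (field, value) -> first record id carrying it
    for _, rec in records:
        for field in fields:
            value = rec.get(field)
            if not value:
                continue  # missing identifiers must not link records together
            key = (field, value)
            if key in first_seen:
                parent[find(parent, rec["id"])] = find(parent, first_seen[key])
            else:
                first_seen[key] = rec["id"]
    clusters = defaultdict(lambda: {"fraud": [], "aml": []})
    for source, rec in records:
        clusters[find(parent, rec["id"])][source].append(rec["id"])
    # Keep only clusters visible solely when both data sets are joined.
    return sorted(
        (c for c in clusters.values() if c["fraud"] and c["aml"]),
        key=lambda c: c["fraud"][0],
    )

if __name__ == "__main__":
    print(cross_silo_clusters(FRAUD_CASES, AML_ALERTS))
```

In the sample data, AML-902 shares no device with any fraud case, yet it lands in the same cluster as FRD-001 because it shares an account with AML-901, a transitive link that neither system would surface on its own.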