BioCatch Blog Channel

Browse Topics

Banking fraudsters: Why the world is holding receiving banks accountable

Written by:

Ken Palla (Guest Blog)

Banking fraudsters: Why the world is holding receiving banks accountable featured image

Receiving banks are constantly in the news these days. A receiving bank simply means that side of a financial institution that receives financial transactions (e.g. wires and faster payments) from another financial institution. The reason receiving banks are in the news is that they are the location of money mule accounts. And money mule accounts are the ‘fuel’ for facilitating fraud (unauthorized transactions by fraudsters), scams (authorized transactions induced by scammers), money laundering and more.

Until recently, all of the focus for fraud and scam losses has been on the sending bank.  In the US, Regulation E addresses how sending banks are responsible for reimbursing customers for account takeover losses.  The same is true in other countries.  Even in the UK with the initial voluntary reimbursement for Authorized Push Payment (APP) scam losses, it was the sending bank reimbursing.  The logic has been the sending bank is where the customer with the loss banks and therefore it is the sending bank’s responsibility to reimburse the customer.

Then in 2023, in the UK, the Payment Systems Regulator (PSR) announced that the new mandatory reimbursement plan for APP scams, as authorized by Parliament, would be a 50-50 split between the involved sending and receiving banks.  The logic is clear—both banks bear a level of responsibility for the customer’s APP scam loss.  The sending bank is responsible for educating the customer about scam losses and needs to have controls in place (including effective staff education) to help prevent these scams.  And the receiving bank has a responsibility because that is where the scammer was able to set up the money mule account for receiving the funds.  The PSR found, “Typically, smaller firms receive disproportionately higher rates of APP scams compared to the 14 largest banking groups in Great Britain and Northern Ireland. In 2023, they accounted for 38% of absolute APP scams received by value despite receiving just 17% of the consumer Faster Payment Scheme payments.” This was because the smaller banks and fintechs were not as good at protecting account opening and monitoring inbound transactions.

This put all receiving banks (banks and payment processors) on notice in the UK that they need effective account opening controls and transaction monitoring on inbound transactions.  Receiving banks now need to address the issue that money mule accounts exist because scammers can set up new accounts online (and easier than ever with the powerful Gen AI capabilities), at the branch and even from the bank’s own customers (maybe students needing some quick money and even long-term customers).    

In the US, Zelle—the leading peer-to-peer (P2P) payment service—announced that participating banks and credit unions must reimburse customers for certain types of impersonation scams, with full liability placed on the receiving bank.

Also in 2024, NACHA, the organization that governs the ACH network in the US, announced new requirements for banks to add controls on inbound ACH transactions.  This will become effective in 2026. NACHA CEO and President, Jane Larimer, stated, “All participants in the ACH Network have a part to play in reducing the incidence of fraud, and recovering when fraud has occurred. I applaud NACHA’s members for taking this important step of self-governance.”  

NACHA also said: “The new rules follow the flow of a credit-push payment to promote the detection of fraud from the point of origination through the point of receipt at an account at the RDFI (Receiving Depository Financial Institution).”

The new rule states:

  • RDFIs have a view of incoming transactions as well as account profile information and historic activity on Receivers’ accounts (customer at RDFI).
  • A risk-based approach to monitoring can consider factors such as transactional velocity, anomalies (e.g., SEC Code mismatch with account type), and account characteristics (e.g., age of account, average balance, etc.).  

There was also a major lawsuit against a receiving bank in the US: Studco vs 1st Advantage Federal Credit Union, with a key decision in 2025. This was a case initiated by the victim of a business email compromise scam. Studco claimed the receiving bank, the credit union, failed to perform its required security procedures according to Uniform Commercial Code (UCC) 4A. The lawsuit mentioned a number activities that allegedly failed commercially reasonable security, including the failure to notice a name mismatch on the ACH transactions.

The District Court ruled in favor of Studco. But in 2025, the Fourth District Court of Appeals found that it (UCC 4A) "protects the beneficiary's bank (the receiving bank in UCC 4A terms) from any liability when it deposits funds into the account for which a number was provided in the payment order, even if the name does not match, so long as it "does not know that the name and number refer to different persons." 

Another assessment of the appellate court decision said: “Financial institutions must remain vigilant regarding BEC scams and wire fraud schemes in which the customer is duped into voluntarily sending money to scammers, such as elder abuse and so-called "pig butchering" schemes.“ This case did, however, highlight the weaknesses of a receiving bank and is a cautionary tale. In April 2025, Studco has asked for a review of the appeal with the full Fourth Circuit Court.

Also, there was a receiving bank court case in the UK that was decided in 2025. Reuters reported: “The UK arm of Spain's Banco Santander on Tuesday won its bid to throw out a lawsuit that had alleged lenders have a duty to try and retrieve funds stolen by customers that turn out to be fraudsters.” The article went on to say the judge ruled there was “no freestanding duty upon a bank to take positive steps to unwind harm already caused to a third party" who was not its customer.

Now there is a spotlight on receiving banks!

Role of receiving banks in the future

As we look over the next 1-2 years, what are some of the possible changes involving receiving banks? Let’s take a quick tour around the world to see what might happen.

UK

On the one-year anniversary (October 2025) of the new APP scam reimbursement, the PSR will review the reimbursement program. There are two key items they may assess. First, is the £85,000 maximum limit sill appropriate for reimbursement? Second, the PSR may assess the 50-50 split between the sending and the receiving bank. David Geale, head of the PSR, told Parliament in March 2025, “I would describe the measures we put in currently as potentially blunt but necessary. We have put in a 50/50 sharing between the fraudster’s bank (receiving bank) and the victim’s bank (sending bank). Over time, I would like to think that, as we get more sophisticated in the data we collect, we could shift more of that to the fraudster’s bank, because we want people to stop banking fraudsters.”

Could the split move to 40% sending bank and 60% receiving bank?

US

FedNow, the instant payment service in the US is gaining tractions with the banks and its customers. FedNow reported its latest statistics and showed a 140% increase in payment volume in Q1 2025 to $48.6 billion.

Will FedNow follow Zelle and require reimbursement for impersonation scams? Will it include the receiving bank in any reimbursement? But FedNow has a challenge. The Federal Reserve does not control the entire FedNow payment process as Zelle does with its program.

Australia

As part of the Australian Scam Prevention Framework (approved in 2025 by Parliament), banks, telcos, and digital platforms can be liable for scam losses. In 2025, the Australian Treasury must write the specific scam controls required for banks. This will probably include scam prevention requirements for both sending and receiving banks and may include reimbursement requirements for both sending and receiving banks.

To continue the government’s focus on receiving banks, In March 2025, the Australian government, at the direction of the Minister of Finance Stephen Jones, announced: “Currently, scam victims can only raise a dispute with the Australian Financial Complaints Authority (AFCA) against the bank which sent the consumer’s funds (the sending bank). A new ministerial direction by the Assistant Treasurer will enable AFCA to investigate culpability of the receiving bank on behalf of a scam victim.”

Thailand

In April 2025, the Thai government issued a Royal Decree making financial institutions and payment providers liable for losses from ‘call centre’ scams.” During Q2 2025, the government will write the prevention and reimbursement regulations for banks. This could include reimbursement requirements for both sending and receiving banks.

Malaysia

In December 2024, Prime Minister, Anwar Ibrahim, talked about banks becoming liable to reimburse for consumer scams. Lowyat.net reported: “Prime Minister Anwar Ibrahim has expressed support for a policy that puts more responsibility on banks to protect account holders from scams. In parliament, he said that Malaysia should follow the United Kingdom’s new policy where account holders have the right to get reimbursed for money lost to scammers.”

If this becomes law, will Malaysia follow the splitting of reimbursement between the sending and receiving bank?

Brazil
In a recent blog, Biocatch’s Cassiano Cavalcanti reported: In November 2024, former Central Bank of Brazil President Roberto Campos Neto articulated a decisive shift in regulatory approach to combat the rising tide of financial fraud. "Fraud occurs because there is a receiving account," he said, signaling a fundamental reorientation in policy priorities. Cavalcanti went on to say: “This strategic recalibration reflects mounting concern among regulatory authorities regarding the central role mule accounts play in facilitating digital fraud schemes across Latin America.”

Will Brazil and other Latin American countries start to require reimbursement from receiving banks for fraud losses?

Singapore

In 2023, the Monetary Authority Singapore (MAS) started to put a serious focus on consumer scams and has been thinking about a ‘whole of ecosystem’ approach involving banks, telcos and digital platforms. One of its first ‘whole of ecosystem’ regulations is the Shared Responsibility Framework (SRF) involving banks and telco to prevent phishing attacks. If banks and telcos do not add the required controls, they could be required to reimburse for the phishing loss.

Also, The Association of Banks in Singapore banks has a discretionary goodwill payment framework for scam victims beyond the SRF.

Both of these programs involve the sending bank. But as Singapore adds more regulation, they could start to include the receiving bank.

Final thoughts

It is not an accident that receiving banks are now central to any discussion on fraud or payment scams. The spotlight on receiving banks is here to stay. This is quite important as most financial institutions around the world do not have adequate receiving bank controls for account opening and money mule management (e.g. inbound transaction anomaly detection). Yet, weak receiving bank controls is a key reason fraud and scam losses are exploding. In the US alone, the Federal Trade Commission (FTC) estimates over $150 billion in reported and unreported commercial and consumer scam losses.

With our ‘tour around the world’, we see financial regulators have realized the receiving bank is a very weak link in online fraud, scams and money laundering, and they are taking action. Maybe our next blog will be titled: “Regulators Shine Spotlight on Receiving Banks with Massive Penalties.” It is not that far-fetched, as this year, the New York State Department of Financial Services (NY DFS) fined Block (formerly Square) $40 million for “Insufficient Customer Identification Procedures and Transaction Monitoring Led to Increased Money-Laundering Risk.”
According to Banking Dive:

  • “As part of its own probe in 2022, Block discovered some 8,359 Cash App accounts ‘linked to a Russian criminal network,’ the order said.”
  • And from the DFS consent order: “Block did not prohibit opening of restricted Cash App accounts that shared attributes such as an email, phone number, device. However, the monetary limit, without the limit on the number of accounts that could be opened, did not constitute an effective control, as individuals could have created multiple restricted accounts using multiple financial instruments, thereby circumventing the transaction limits.”

As the former head of the Brazil Central Bank said, "Fraud occurs because there is a receiving account (the money mule)." PSR head, David Geale, said, “We want people to stop banking fraudsters.”

The alarm is sounding.

So, it is now time in 2025 for receiving banks to acknowledge their role in unintentionally facilitating fraud and scams and add strong money mule controls, just as sending banks have spent the past two decades strengthening their online defenses.

This article is part of a new series on receiving bank fraud and money mule controls. Read previous blogs and articles by this author here.

 

Recent Posts

How Thailand’s Royal Decree is changing financial fraud accountability Money Mules
May 05, 2025 How Thailand’s Royal Decree is changing financial fraud accountability
Read article
We don’t know who’s leading the fight against scams. That’s the problem. Social engineering scams
May 02, 2025 We don’t know who’s leading the fight against scams. That’s the problem.
Read article
India’s money mule paradox: When regulations both mandate and hinder action Money Mules
May 01, 2025 India’s money mule paradox: When regulations both mandate and hinder action
Read article