"It lives in where authorization thresholds sit, how much friction the customer journey can absorb before conversion drops, and which controls get deferred when prevention and growth compete for budget," said Serpil Hall, senior analyst with Datos Insights.
FedNow expansion and payments that become irreversible in seconds
As the Federal Reserve expands FedNow into higher-value transactions — with limits now reaching $10 million — the time available for fraud and anti‑money‑laundering (AML) investigations has collapsed. Transactions that once could be reviewed over hours or days now become irrevocable within seconds, forcing banks to make high‑stakes decisions before suspicious activity can be fully reviewed. Will Lawrence, CEO and co‑founder of Bretton AI, said most AML systems were designed for batch processing environments where investigators had hours or days after settlement; their architecture and workflows are not built for the tempo of real‑time payments.
Losses rise even as banks spend more
The financial calculus is shifting at the same time losses are increasing. The FBI's Internet Crime Report showed cybercrime losses in the United States exceeded $16 billion in 2024, up 33% year over year. Gartner found that 53% of financial institutions increased fraud prevention budgets by 5% or more, yet 70% of banks still reported rising fraud losses. Firms are balancing the cost of controls against customer friction, conversion losses and the operational burden of investigations.
Datos Insights research highlights a structural invisibility around those trade‑offs: 60% of financial institutions track merchant chargeback exposure but don't automatically tighten authorization controls, and only 27% apply stricter controls to high‑chargeback merchants. As Hall put it, "False declines carry no regulatory penalty and generate no fraud loss entries. They do not appear on dashboards."
Regulators are redrawing who pays
Outside the United States, regulatory moves have already begun to reallocate financial responsibility for fraud. The U.K. introduced mandatory reimbursement rules for authorized push payment fraud in 2024. The European Union's PSD3 and Payment Services Regulation reforms will extend fraud reimbursement obligations across member states and may hold online platforms financially liable when fraudulent content is not removed after notification. Hall framed those measures as more than security rules: "That is not a security regulation. It is a liability allocation mechanism," she said.
U.S. regulators have also stepped in: the OCC, Federal Reserve and FDIC issued a request for information in 2025 examining fraud risks tied to instant payment systems such as FedNow and the RTP network. Regulators, according to sources in the reporting, are increasingly scrutinizing how institutions justify customer friction imposed by fraud controls and are expected to demand stronger governance around residual risk.
How banks and vendors are adapting — and where they disagree
Responses vary. Gartner reports 62% of banks now prefer hybrid fraud‑detection models that combine supervised and unsupervised machine learning; institutions are also employing behavioral biometrics and device intelligence to reduce false positives and improve risk‑based decisions. Devesh Desai, partner for risk and regulatory at PwC U.S., said many banks are shifting away from attempting to eliminate fraud entirely and instead are "weighing the cost of incremental controls against the losses they actually prevent," factoring in customer friction, false positives and lost revenue.
Not all observers accept the notion that fraud tolerance is always strategic. Brent Philips, senior vice president and director of treasury operations at b1Bank, argued some institutions accept avoidable losses because they are unwilling to invest in prevention or lack the necessary expertise. Philips said some community banks avoid forcing customers to close compromised accounts because of customer inconvenience, despite heightened repeat fraud risk.
Vendors and compliance teams face operational strain. Lawrence of Bretton AI emphasized that the greatest challenge in real‑time environments is not detection alone but completing investigations quickly enough to make defensible decisions before reversibility windows close.
What Bretton AI, community banks, and regulators will watch
- Bretton AI and similar vendors will need to focus on speeding up the investigation workflow as much as on improving detection models, since faster alerts without faster adjudication leave banks exposed.
- Community banks and b1Bank‑type institutions will be pressured to decide whether customer convenience justifies leaving potentially compromised accounts open, and whether to invest in prevention and expertise or accept higher losses.
- The OCC, Federal Reserve and FDIC, having requested information on instant‑payment fraud risks in 2025, will likely press for clearer governance and demonstrable rationale when banks tolerate residual risk.
The era when banks quietly absorbed fraud losses as a cost of doing business may be ending. With FedNow handling larger, instantaneous payments, rising reported losses, and regulators reallocating liability, institutions must not only reduce fraud but also document why any remaining exposure is deliberate, measured and defensible to regulators, customers and boards.




