Regulation forces a rethink of payments infrastructure – and rising fraud proves why it matters

Ruud Grotens, Head of Risk Solutions Consulting, Cyber Fraud and Risk Management, Bottomline

For years, regulation has been cast as the villain in the payments innovation story. But in the U.K., the reality is the opposite. Regulation is not a brake on progress in the payments revolution; rather, it’s forcing the industry to confront whether the architecture underpinning modern payments is fit for a real-time world.

From the Payment Systems Regulator’s push on authorised push payment (APP) reimbursement rules to the introduction of the Failure to Prevent Fraud offence, policymakers are sending institutions a clear message: they must do more than react to fraud – they have a responsibility to prevent it, or face the consequences.

Pinpointing the critical moment for fraud prevention

Working with banks globally on fraud controls, we have seen how quickly attacks shift upstream and target the earliest points in the payment journey.

Historically, fraud controls have tended to sit downstream in the payment lifecycle, with transactions monitored once a payment message has been built and is ready for submission to the payments rail (the system or network enabling the movement of funds). In a real‑time environment that’s too late.

But modern fraud, especially account takeover and payment redirection scams, happens upstream. Fraudsters compromise credentials, bypass multi-factor authentication, change payee details, or manipulate payment files before a transaction ever reaches the payment rail.

Recent cases reported by authorities show how fraudsters impersonate employees and request last‑minute changes to payroll account details just before payday. In several incidents, attackers successfully switched beneficiary details ahead of the payroll run, diverting wages into mule accounts before anyone realised.

Now the most critical moment for fraud prevention sits in the narrow window between payment creation and payment authorisation, and that’s where institutions must focus their controls.

Embedding real-time analytics, contextual intelligence, and dynamic risk scoring directly into payment approval workflows enables organisations to detect anomalies before payments are released.

Instead of analysing transactions after fraud has occurred, banks and businesses can intervene at the moment a payment decision is made.

This may sound like a technical adjustment, but it represents a fundamental design shift. Fraud prevention can no longer be treated as a monitoring layer sitting on top of the payments infrastructure; it must be built into the infrastructure itself.

Regulation is accelerating the evolution of the payments infrastructure

The U.K.’s evolving fraud liability framework, alongside increasing expectations around operational resilience and governance, is forcing financial institutions to reassess how payment systems are designed. Organisations that continue to rely on legacy architecture built for slower payment cycles will struggle to meet both regulatory expectations and customer trust requirements.

The migration to ISO 20022 (an international standard for electronic data exchange between financial institutions) provides a useful example of the broader payments transformation. Many institutions initially treated ISO 20022 as a compliance exercise. It was seen as a mandatory upgrade to a new messaging format, but that perspective underestimates the significance of what the standard enables.

ISO 20022 introduces structured, enriched payment data that dramatically improves the visibility institutions have over transactions. When combined with real-time payments infrastructure, that data can support more sophisticated fraud detection, better liquidity management and more efficient reconciliation processes.

Regulation is not only pushing upgrades to the payments infrastructure but also catalysing the development of the capabilities needed to secure real-time payments.

The real opportunity for payments comes in what’s next

The U.K.’s payments infrastructure was initially designed to move money, but its purpose has shifted. Organisations must now also manage risk, enable real-time decision-making, and deliver richer data across financial networks. That requires a modernised architecture built around data, intelligence, and preventative controls, rather than batch processing and retrospective monitoring.

The U.K. is well-positioned to lead the next stage of payments innovation, supported by its early investment in Faster Payments and by a regulatory environment that’s focused on fraud prevention and operational resilience. Now is the time to capitalise on these strengths, proving that smart regulation can drive better fraud prevention and a more resilient payments infrastructure.
