Reviewing EU Payments, Crypto-Assets and AI-linked fraud trends: Key insights and expectations from the ESAs and ECB
RegCORE Client Alert | Banking Union, Capital Markets Union + Savings and Investment Union/EU Digital Single Market, financial services and crypto-assets
QuickTake
The recent festive season drove peak online shopping, travel bookings and charity giving, a time when fraudsters are most active and now increasingly armed with artificial intelligence (AI) to spoof voices, faces and brands at scale. Seasonal behaviours, such as last-minute purchases, charity donations, travel re-bookings and a surge in parcel or "missed delivery" notifications, create fertile ground for impersonation, authorised push payment (APP) manipulation and card-not-present abuse. During the December-January period, firms should assume a higher baseline exposure to deepfake voice calls, spoofed merchant sites and QR code lures, and align their staffing, monitoring thresholds and customer messaging accordingly.
These dynamics framed the timely publication, at the start of December 2025, of (i) the 2025 Payment Fraud Report jointly published by the European Banking Authority (EBA) and the European Central Bank (ECB), covering data up to and including 2024, and (ii) consumer factsheets from the European Supervisory Authorities (ESAs, comprising the EBA, the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) on (a) crypto-asset-linked scams and (b) AI-enabled financial fraud. Taken together, these publications clarify where losses are increasing, which controls are effective and how firms should calibrate real-time defences, redress and customer communications through the next holiday period, and certainly as part of their 2026 change programmes and the forthcoming supervisory cycle.
As explored in this Client Alert, three messages are clear across the publications. First, fraud remains concentrated in remotely initiated transactions, with APP scams and card-not-present abuse driving losses. While strong customer authentication (SCA) materially reduces fraud, the use of exemptions and "one leg out" cross-border flows are weak points requiring tighter governance and targeted rules, especially over the festive peak. Second, the speed and irreversibility of crypto-asset transactions magnify consumer harm and operational risk; firms should embed permission-revocation support, rapid freeze/blacklist playbooks and register checks into onboarding and first-transfer journeys. Third, AI acts as a force multiplier for impersonation and social engineering; firms must therefore harden contact-centre authentication, block requests to install remote-access tooling and deploy in-journey "pause and verify" prompts aligned with the ESAs' red-flag guidance. In 2026, firms can expect heightened supervisory scrutiny of exemption governance, cross-border controls, data quality, mule-account management and the provision of fair, consistent redress for APP-style losses.
EBA & ECB 2025 Payment Fraud Report: what the data show
The 2025 Payment Fraud Report provides a comprehensive analysis of payment fraud data across the EU/EEA, covering up to and including 2024. The report covers credit transfers, card payments, direct debits, cash withdrawals and e-money transactions, focusing on fraud levels, typologies, the effectiveness of SCA, loss allocation and geographical patterns. The findings highlight the continued prevalence of remote fraud, the positive impact of SCA and significant divergences in loss allocation across payment instruments and Member States.
Key findings in the report
1. Aggregate fraud levels and trends
- The total value of payment fraud reported for 2024 was approximately EUR 4.2 billion, concentrated in remote transactions for credit transfers and cards; remote channels account for a disproportionate share of losses relative to their share of transactions.
- The overall outlook is stable: aggregate fraud rates show no significant increase compared to previous years.
2. Fraud typologies and channels
- Credit transfers: the large majority of fraudulent credit transfers (by value) were initiated remotely via the internet or digital devices.
- Card payments: While most card payments are non-remote, the majority of card payment fraud occurs in remote transactions, often involving stolen credentials. For non-remote card fraud, lost or stolen cards remain the primary fraud method.
- E-money: Fraud is predominantly associated with remote transactions, with "trusted beneficiaries" and "low value" exemptions being the most common reasons for SCA not being applied.
3. Impact of SCA
- SCA was applied to most electronic payments by value in 2024, covering 77% for credit transfers, 64% for card payments and 70% for e-money transactions.
- In terms of transaction volume, SCA coverage is lower for card payments (40%) and e-money (38%), largely due to the prevalence of contactless payments.
- Across payment instruments, SCA reduces fraud, most visibly for card payments. Where SCA-authenticated credit transfers show higher fraud rates, this primarily reflects SCA being applied to higher-risk or higher-value payments. Card fraud rates are around 17 times higher when the counterpart is outside the EEA, where SCA is less consistently applied.
4. Losses and liability allocation
- The distribution of fraud losses varies significantly by payment instrument. In 2024, payment service users (PSUs) bore approximately 85% of credit transfer fraud losses (EUR 2.2 billion), 38% of card payment losses and 53% of losses from direct debits and cash withdrawals. For e-money, PSUs bore only 26% of losses, with payment service providers (PSPs) absorbing the majority.
- There is substantial divergence in loss allocation across Member States, particularly for card payments, where PSU liability ranged from 12% to over 87% depending on the country.
- The high share of losses borne by PSUs, especially for credit transfers, raises questions about the effectiveness of consumer protection and redress mechanisms and may reflect divergent national interpretations of 'authorisation' and 'gross negligence'.
5. Geographical and cross-border dimensions
- Most payment transactions are domestic, but the majority of card payment fraud and a significant share of credit transfer and direct debit fraud are cross-border.
- 30% of fraudulent card payments (by value) in 2024 were related to cross-border transactions outside the EEA.
- Fraud rates are higher for cross-border transactions, particularly where SCA is not consistently applied.
- Country-level analysis reveals considerable variation in both absolute and relative fraud rates, as well as in the allocation of losses between PSUs and PSPs.
6. Data quality and methodology
- The report is based on semi-annual data from H1 2022 to H2 2024, with full EU/EEA coverage from H1 2022 onwards.
- Data is collected under the EBA Guidelines and the ECB Regulation on payments statistics, with ongoing efforts to improve data quality and address reporting inconsistencies.
- The report notes several data limitations, including incomplete submissions and methodological misclassifications as well as cautions against direct comparison with previous editions due to possible retrospective revisions.
Five messages that matter for the direction ahead
First, fraud losses are concentrated in credit transfers and cards. Total fraud in 2024 reached approximately EUR 4.2 billion, with EUR 2.5 billion from credit transfers and EUR 1.3 billion from card payments.
Second, remote channels represent the centre of gravity for fraud. In 2024, approximately 83% of fraud value occurred in remote transactions, highlighting the disproportionate risk of card not present flows.
Third, modus matters. For credit transfers, payer manipulation (impersonation and social engineering in APP-type scams) increased from roughly 65% to 74% of fraud value between 2023 and 2024. For cards, theft of credentials dominated remote card fraud, while lost or stolen cards led non-remote fraud.
Fourth, SCA works, particularly for card payments, but exemptions and "one leg out" flows are stress points. Fraud rates are significantly higher where SCA is not mandated, such as non-EEA acquiring, where card fraud rates are up to 17 times higher.
Fifth, consumers bear the brunt of push-payment fraud. In 2024, PSUs bore about 85% of credit transfer fraud losses, with significant variation across countries reflecting different interpretations of liability and redress.
The instant payments lens is instructive. As SCT Inst volumes grew ahead of the Instant Payments Regulation deadline, SCT Inst values increased by 74% against a 59% increase in fraud values (so the fraud rate by value fell), but fraud volumes rose 175% against a 98% increase in transaction volumes (so the fraud rate by volume rose), underscoring detection and interdiction pressure at real-time speeds. Verification of Payee (VoP) became mandatory for most euro area PSPs on 9 October 2025; expect 2026 supervisory reviews to scrutinise implementation quality, name-matching performance and customer communications.
Beyond the headline messages, three structural themes emerge. First, cross-border flows (both card and credit transfer) are disproportionately represented in fraud losses compared to their share of overall use, highlighting coordination and data-sharing gaps across issuer-acquirer and PSP chains. Second, mule-account networks remain a critical enabler for APP-style scams; firms should expect greater supervisory focus on mule-account detection, "first payment" holds and inter-PSP referral mechanisms. Third, data quality and taxonomy matter: mis-tagging of exemptions, inconsistent modus classification and incomplete population of reporting fields are called out; these undermine risk-based decisions and supervisory comparability and will attract second-line scrutiny.
Regulatory interfaces are sharpening: the Instant Payments Regulation will reset expectations for pre-execution controls and post-event recovery, while the PSD2/PSD3 transition and the forthcoming Payment Services Regulation will likely codify aspects of reimbursement and SCA governance. Firms should map fraud-related findings to programme backlogs spanning VoP implementation, exemption usage reviews (transaction risk analysis (TRA), trusted beneficiaries, merchant-initiated transactions (MIT)), cross-border rule sets and redress policy updates aligned to national interpretations of authorisation and gross negligence.
Supervisory message
The EBA and ECB will continue to monitor payment fraud trends and publish annual aggregate data. Market participants should remain vigilant, adapt their fraud prevention strategies in response to evolving attack vectors and engage with regulatory developments aimed at strengthening payment security and consumer protection across the EU/EEA.
Key takeaways from the ESAs’ factsheet on crypto-assets linked scams
The rapid expansion of crypto-assets, characterised by global accessibility, transaction speed, anonymity and the often irreversible nature of transfers, has heightened exposure to cybercrime. A new factsheet issued by the ESAs provides a comprehensive overview of the principal risks, common fraud tactics, warning signs and recommended responses for individuals and entities engaging with crypto-assets. The ESAs expect firms to review this factsheet, reflect key supervisory aspects in their operations and make it available to retail clients. There is still room for improvement among some firms in meeting the ESAs’ aspirations in that regard.
Key risks and fraud tactics
In the ESAs’ view, crypto-assets present unique vulnerabilities that expose users to a range of sophisticated scams. The factsheet identifies the following prevalent fraud types:
- Pump and Dump/Rug Pull schemes: Fraudsters promote new tokens or projects, artificially inflate their value and then sell off their holdings, leaving investors with worthless assets or disappearing entirely.
- Impersonation scams: Attackers pose as trusted contacts or service providers, soliciting sensitive information such as seed phrases or private keys to gain control of digital assets.
- Phishing: Victims receive deceptive communications (emails, messages, pop-ups) that mimic legitimate providers, prompting them to click malicious links or download malware.
- Giveaway scams: Fraudsters impersonate celebrities or brands, promising to “double” any crypto sent to them, but abscond with the funds.
- Romance investment scams: Scammers build personal relationships online, then manipulate victims into making fraudulent crypto investments.
- Ponzi schemes: Promises of high, consistent returns are used to lure investors, with payouts funded by new entrants rather than genuine profits.
- Look-alike address poisoning: Scammers send small transactions from addresses visually similar to legitimate ones, hoping victims will mistakenly send funds to the fraudulent address in future transactions.
Warning signs
The ESAs’ factsheet highlights several red flags that may indicate fraudulent activity:
- Unsolicited offers or promises of guaranteed, high and fast returns.
- Pressure to act quickly or invest immediately.
- Requests for payment via untraceable methods (cryptos, gift cards, wire transfers).
- Invitations to click on suspicious links, scan QR codes, or download unknown apps.
- Requests for private keys, seed phrases, or passwords.
- Suspicious URLs, distorted logos, or websites lacking verifiable contact details.
- Unknown or unregulated exchange platforms.
- Suspicious attachments, particularly executable or macro-enabled files.
Protective measures
To mitigate the risk of falling victim to crypto fraud, the ESAs use the factsheet to recommend the following steps to crypto-asset clients, including but not limited to retail clients:
- Pause and verify: Do not rush into investments or share information. Independently verify the source of any communication, even if it appears official or comes from a known contact.
- Check authorisation: Confirm whether a crypto provider is authorised in the EU via the ESMA register or consult national financial authorities for warnings or blacklists.
- Safeguard credentials: Never share passwords, private keys, or seed phrases. Legitimate providers will not request these details.
- Strengthen security: Use strong, unique passwords, enable multi-factor authentication and keep software and antivirus protection up to date.
- Exercise caution with offers: Be sceptical of investment opportunities promising unusually high returns.
- Limit information sharing: Avoid oversharing personal or investment details on social media or public forums.
Response to victimisation
If an individual suspects or confirms they have been targeted by a crypto scam, the factsheet advises:
- Immediately halt all transactions and block further contact with the scammer.
- Change passwords across all devices and platforms.
- Revoke suspicious permissions on blockchain-based agreements using trusted tools.
- Transfer remaining assets to a new, secure wallet if compromise is suspected.
- Notify the crypto-asset service provider (CASP) through official channels; while blockchain transactions are typically irreversible, providers may freeze or blacklist scam-related accounts.
- Report the incident to law enforcement and national financial supervisory authorities and alert personal networks to prevent further victimisation.
- Remain vigilant for “recovery room” scams, where fraudsters pose as authorities offering to recover lost funds for a fee.
Outlook
The factsheet underscores the importance of ongoing vigilance and education in the evolving crypto landscape. Users are encouraged to consult official resources, such as the ESMA register and national authority warnings, and to familiarise themselves with the latest fraud tactics. Proactive security measures and prompt reporting are critical to minimising losses and protecting both individual and collective interests in the digital asset ecosystem.
The factsheet also emphasises pre-transaction hygiene (never sharing private keys or seed phrases, scrutinising URLs, using only official apps and verifying authorisation on the ESMA register), points that should inform in-app warnings and UX friction at risky junctures.
For CASPs and platforms, the implications extend to: surfacing wallet-permission dashboards and one-click revocation; proactive screening and blacklisting of tainted addresses; robust phishing-site takedown operations; and clear pathways for law enforcement engagement. Programmatically, align controls with EU obligations under the Transfer of Funds Regulation's crypto-asset transfer "travel rule" and MiCAR authorisation requirements, including incident reporting, complaints handling and transparency over risk disclosures.
Key takeaways from the ESAs' factsheet on AI-enabled financial fraud
While online financial scams are not new, AI has enabled fraudsters to deploy more convincing and harder-to-detect schemes. Criminals now leverage AI to generate fake messages, websites and even audio or video deepfakes that convincingly mimic trusted individuals or institutions. These scams are disseminated through social media, messaging apps, emails and unsolicited calls, exposing individuals to risks including financial loss, identity theft and emotional distress.
The ESAs have jointly published a comprehensive guide outlining the principal AI-powered scam typologies, associated risks and practical steps for individuals to protect themselves in an increasingly digital financial environment. The ESAs expect firms to embed these principles or otherwise communicate them to clients, particularly retail clients.
Typologies of AI-driven scams
The ESAs use the factsheet to centralise key definitions for different typologies:
- Impersonation and deepfake scams. Fraudsters use AI-generated voices, images, or videos to impersonate banks, public authorities, insurance distributors, IT companies, or even family members. These scams often involve urgent requests for money transfers or disclosure of sensitive information, exploiting personal details and caller ID spoofing to appear legitimate.
- Phishing and social engineering. AI is used to craft highly convincing phishing messages and fake websites that closely mimic those of financial institutions. By analysing social media data, scammers tailor communications to individual targets, increasing the likelihood of successful credential theft and subsequent account compromise.
- Investment and insurance scams. Fraudulent investment or insurance opportunities are promoted via AI-generated advertisements, often featuring fake celebrity endorsements. Victims are lured into transferring funds to non-existent companies or fraudulent platforms, with AI-powered bots simulating real interactions to build trust.
- Romance scams. AI-generated fake profiles and chatbots are deployed on social media and dating platforms to establish relationships with victims. Once trust is established, the conversation shifts to financial requests or investment opportunities, frequently involving crypto-assets. Victims may suffer both financial loss and identity theft.
- Purchase scams. Attractive deals on online marketplaces are used to entice victims into making payments outside official channels. AI is used to create convincing fake bank authentication pages and order confirmations, with chatbots providing real-time responses to queries, thereby bypassing marketplace protections and facilitating theft of banking credentials.
Warning signs
The ESAs use the factsheet to set out the following warning signs:
- Promises that seem too good to be true or urgent requests for money/personal information.
- Unexpected calls from unknown numbers, especially those mimicking trusted contacts.
- Requests to download apps, scan QR codes, or click on suspicious links.
- Payment requests via untraceable methods (crypto-assets, gift cards, wire transfers).
- Poor grammar or formatting, although AI may mask these flaws.
- Unnatural or overly fluent speech and misaligned video and audio in purported live calls (deepfakes).
- Professional-looking websites lacking verified contact details or registration information.
Protective measures
The ESAs use the factsheet to set out the following recommendations on protective measures:
- Never share personal or banking information in response to unsolicited requests.
- Pause and verify the source of any communication, especially if urgent or unexpected.
- Use known, trusted channels to confirm the identity of contacts, including the use of a pre-agreed 'safe word' with family members.
- Avoid installing remote access software or sharing your screen at the request of third parties.
- Use strong, unique passwords and enable multi-factor authentication.
- Keep software and antivirus protection up to date.
- Be cautious with investment opportunities and avoid sharing excessive personal information on social media.
Response steps if victimised
The ESAs use the factsheet to set out steps that victims should take in response to scams:
- Immediately stop any ongoing transactions and cease contact with the scammer.
- Notify your bank or financial institution via official channels to attempt to freeze or reverse transactions.
- Change passwords across all devices and online accounts.
- Report the incident to the police or relevant national financial authority and inform your personal network.
- Remain vigilant for 'recovery room' scams, where fraudsters pose as authorities offering to recover lost funds for a fee.
Outlook and implications
The increasing use of AI in online financial fraud underscores the need for heightened vigilance and robust personal security practices. As AI-driven scams become more sophisticated, individuals must remain alert to evolving tactics and adopt proactive measures to safeguard their financial and personal information. Financial institutions and market participants should continue to educate clients and adapt their fraud prevention strategies to address the growing threat landscape.
Cross-cutting actions across all publications
The publications set out clear expectations that firms will want to put in place and evidence through the next supervisory cycle, and certainly before the 2026 prime holiday/scammer season. These can be summarised as the following overarching and specific actions:
- Calibrate remote payment controls to real-time holiday risk. The data confirm that fraud consistently favours remote channels, even where legitimate usage is mainly non-remote (cards). Design behavioural analytics and strong warning interstitials for APP and credential-theft patterns, especially on instant rails.
- Tighten SCA and exemptions. Card SCA reduces fraud materially; non-SCA segments, including TRA and certain "other/out of scope" classifications, show higher rates and deserve heightened second-line challenge. One-leg-out card flows require stricter rules and merchant engagement.
- Prioritise cross-border risk. Card and credit transfer fraud are disproportionately cross-border relative to use; add geo-based risk multipliers and counterpart-PSP collaboration to accelerate interdiction and post-event recovery.
- Ready instant payments defences for VoP. With VoP mandatory for most euro area PSPs since October 2025, invest in name-matching quality, explainability of mismatch responses and escalation workflows; the growth of SCT Inst fraud volumes relative to transaction growth underscores the need for pre-execution defences.
- Re-examine APP liability and redress. The high PSU loss share on credit transfers will sharpen supervisory scrutiny of gross-negligence frameworks, onboarding of vulnerable customers, complaint handling and make-good practices; document decision rationales contemporaneously.
- Use the ESAs' factsheets as your communications standard. Harmonise websites, app banners, IVR and branch collateral with the ESAs' concise warnings, including deepfake and voice-cloning cues, remote-access prohibitions, register links and crypto-specific permission-revocation steps.
- Governance and reporting priorities should include:
  - Establishing a board-level dashboard tracking fraud by instrument, channel, exemption and cross-border status, plus save rates and redress outcomes.
  - Aligning EBA/ECB reporting pipelines to the latest taxonomy, remediating root causes of misclassification and incomplete fields, and evidencing second-line challenge of exemption usage.
  - Refreshing product oversight and governance (POG) documentation to reflect elevated remote-channel risks and instant payments defences during seasonal peaks.
- Merchant acquiring and e-commerce considerations include:
  - For acquirers/PSPs, benchmarking merchant category codes (MCCs) and cross-border acquiring exposure, and tightening 3-D Secure/SCA enforcement, velocity limits and refund policies for higher-risk MCCs.
  - Enhancing chargeback intelligence and issuer-acquirer collaboration for rapid interdiction and recovery.
- Core steps for supervisory engagement should include:
  - Pre-briefing senior management on expected complaint spikes and supervisory enquiries over the holiday period.
  - Maintaining a playbook for rapid information sharing with counterpart PSPs and authorities in large-scale scam campaigns.
Practical focus for risk, product and customer functions
Payments and cards teams should run targeted TRA reviews for remote card and e-money flows, compare fraud rates by exemption to the report's benchmarks and throttle exemption usage where outliers persist, particularly during December-January shopping peaks. Build MCC-specific rules, tighten one-leg-out authorisation strategies and test fallback/SCA retry logic for both customer experience and fraud outcomes.
Fraud operations should tune APP interdiction, including real-time prompts, beneficiary risk scoring and out-of-pattern nudges for first-time SCT Inst payments, and measure save rates and customer comprehension of warnings. Implement mule-account analytics, inbound/outbound linkage analysis and "first payment" hold policies with clear exception governance.
Compliance and legal should map redress outcomes by scenario and country, re-confirm "authorised vs authenticated" interpretations and pre-brief senior management on holiday-period complaint spikes. Align complaints MI and root-cause analysis to demonstrate fair treatment and consistency, and refresh disclosures and customer warnings for seasonal risks.
Crypto-asset service providers should surface seed-phrase warnings contextually, provide visible links to the ESMA and national registers and make "revoke approvals" and "move funds" flows first-class UX. Instrument transaction monitoring for address-poisoning and "dusting" patterns, and coordinate promptly with exchanges and analytics providers on tainted flows.
Brand and security teams should intensify takedowns of spoofed domains and social profiles, with rapid-response landing pages that reuse the ESAs' messaging and official contact details. Expand SLA-based takedown coverage to paid search adverts and app store clones.
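The look-alike address poisoning described in the crypto factsheet (small transfers from an address that mimics a genuine counterparty) and the address-poisoning and dusting monitoring called for in the CASP paragraph above both reduce to one heuristic: an address that differs from a previously paid counterparty but shares the characters a truncated wallet UI displays is suspect. The Python below is an added illustration written for this alert, not code from the ESAs, a CASP or any wallet project. The addresses, amounts, the 6-character prefix / 4-character suffix display window and the dust threshold are all constructed assumptions.

```python
"""Heuristic detection of look-alike address poisoning and dusting.

Added example (not from the ESAs' factsheet): a wallet's transaction history
is scanned for inbound dust from senders that mimic the visible prefix/suffix
of a counterparty the user has previously paid, and a pre-send check blocks
transfers to such look-alikes. All addresses and amounts are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    direction: str      # "in" or "out", from the user's wallet perspective
    counterparty: str   # the other party's address
    amount: Decimal     # in whole units of the asset


# Wallet UIs typically render "0x1a2b...9a0b"; attackers forge addresses that
# match exactly those visible characters. Assumed display window: 6 + 4.
PREFIX_LEN = 6
SUFFIX_LEN = 4
DUST_THRESHOLD = Decimal("0.001")   # assumed cut-off for "dust" inbound value


def normalise(addr: str) -> str:
    # Case-insensitive comparison: a checksummed (mixed-case) spelling and the
    # lower-case spelling of the same hex address must compare equal.
    return addr.strip().lower()


def looks_alike(candidate: str, trusted: str) -> bool:
    """True if candidate differs from trusted but shares its displayed prefix
    and suffix, i.e. the two would be indistinguishable in a truncated UI."""
    c, t = normalise(candidate), normalise(trusted)
    return (c != t and len(c) == len(t)
            and c[:PREFIX_LEN] == t[:PREFIX_LEN]
            and c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:])


def trusted_addresses(history):
    """Addresses the user has deliberately sent funds to before."""
    return {normalise(tx.counterparty) for tx in history if tx.direction == "out"}


def scan_inbound(history):
    """Flag inbound dust: 'poisoning' when the sender mimics a trusted address,
    otherwise 'dusting' (tracking or bait). Returns (kind, sender, mimicked)."""
    trusted = trusted_addresses(history)
    alerts = []
    for tx in history:
        if tx.direction != "in" or tx.amount > DUST_THRESHOLD:
            continue
        sender = normalise(tx.counterparty)
        mimicked = next((t for t in trusted if looks_alike(sender, t)), None)
        alerts.append(("poisoning" if mimicked else "dusting", sender, mimicked))
    return alerts


def check_destination(dest: str, history):
    """Pre-send check run before the user signs. 'ok' for a known counterparty,
    'block' for a look-alike of one (returning the genuine address it mimics),
    'new' for an address never seen before."""
    trusted = trusted_addresses(history)
    d = normalise(dest)
    if d in trusted:
        return "ok", None
    for t in trusted:
        if looks_alike(d, t):
            return "block", t
    return "new", None


# Constructed sample data: synthetic addresses, not real accounts.
GENUINE = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"   # counterparty paid before
POISON = "0x1a2b" + "f" * 32 + "9a0b"                    # same visible ends, different middle
UNRELATED = "0x" + "7" * 40                               # plain dusting source

HISTORY = [
    Tx("out", GENUINE, Decimal("250")),
    Tx("in", POISON, Decimal("0")),              # zero-value bait transfer
    Tx("in", UNRELATED, Decimal("0.0002")),      # dust from an unknown sender
    Tx("in", "0x" + "9" * 40, Decimal("12.5")),  # normal inbound, above dust threshold
]

if __name__ == "__main__":
    for alert in scan_inbound(HISTORY):
        print(alert)
    # A user who copies the "most recent" address from history hits the block:
    print(check_destination(POISON, HISTORY))    # ('block', GENUINE)
    print(check_destination(GENUINE, HISTORY))   # ('ok', None)
```

The root cause this check addresses is that truncated address rendering makes the forged and genuine addresses visually identical, so the "block" outcome should be surfaced as a hard interstitial in the send flow rather than a dismissible toast, with the full genuine address shown alongside. The prefix/suffix window should match what the firm's own UI actually displays, and a production implementation would normally also pin full addresses in an allow-list and score near-misses (for example by edit distance over the whole string) rather than relying on the fixed window alone.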
Outlook
Looking ahead to the 2026 supervisory cycle, the arc bends towards faster payments with stronger pre-execution defences and clearer consumer outcomes. Verification of Payee became mandatory for most euro area PSPs on 9 October 2025, raising the bar for name-matching quality, explainability and escalation; in 2026, supervisors are likely to test operational effectiveness and customer treatment. Firms should expect the PSD3/Payment Services Regulation workstreams to hardwire tighter SCA governance and reporting, while national approaches to APP reimbursement and gross-negligence tests face closer alignment pressure.
Under MiCAR and the crypto “travel rule”, CASPs should anticipate more intrusive incident reporting, blacklist coordination and public warning regimes. Meanwhile, AI enabled impersonation and deepfakes will continue to evolve, requiring continuous model tuning, agent training and customer education. Firms that operationalise these publications - tightening exemptions and cross border rules, uplifting mule account controls and data quality and standardising in journey warnings - will be best placed to reduce losses during seasonal spikes and to meet 2026 regulatory expectations.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these and related developments. We have assembled a multi-disciplinary and multi-jurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal's Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions. These allow horizon scanning and risk mapping of legislative and regulatory developments, as well as sanctions and fines, from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, leveraging our Rule Scanner technology, we offer a further solution for clients to digitise their internal policies and procedures: a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary, with version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical-path dependencies are mapped and legislative and regulatory developments are flagged where they may require action in those policies and procedures.
The PwC Legal team behind Rule Scanner are proud recipients of ALM Law.com's "2024 Disruptive Technology of the Year Award" and the "2025 Regulatory, Governance and Compliance Technology Award".
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.