The Fraud Liability Debate Is Asking the Wrong Question 

By John Rondthaler, Founder & Principal Consultant, Rondthaler Labs

The Shift Everyone’s Talking About 

Reforms to who bears financial liability for fraud are moving quickly. Since October 2024, UK banks have been required to reimburse victims of authorised push payment (APP) fraud, up to £85,000 per claim. In January 2025, the CFPB clarified that when a consumer is fraudulently induced into sharing account access, the resulting transfers are unauthorized under Regulation E, meaning the financial institution bears the loss regardless of consumer negligence. Enforcement actions against Block’s Cash App ($175 million in penalties and redress) and a federal suit against JPMorgan Chase, Bank of America, and Wells Fargo over their handling of Zelle fraud have reinforced the trajectory.


The Chambers 2026 Global Fintech Guide cites shifting fraud liability as one of the four primary forces reshaping the financial landscape this year. This is not a niche compliance issue. The financial system is reconfiguring who bears risk. 

But the early evidence of this transformation reveals an uncomfortable truth: shifting liability has redistributed the cost of fraud. It has not meaningfully reduced it. 

Compensating After the Loss Doesn’t Prevent the Loss 

The UK’s mandatory reimbursement requirement was the most aggressive approach to fraud liability anywhere. Within the first year, reimbursement rates improved sharply: the Payment Systems Regulator reported 88% of in-scope losses returned to victims. The moral hazard concern that dominated pre-mandate industry objections was not borne out, with only 3% of claims rejected for insufficient consumer caution.

Fraud volume did not decrease to match. UK Finance reported that APP fraud losses fell just 2% in 2024, and most of that decline began before the mandate took effect. In the first half of 2025, losses rose 12% year over year. Criminals adapted, targeting higher-value opportunities and shifting to channels outside the mandate’s scope. 

The U.S. picture is more severe. The FBI’s IC3 reported $16.6 billion in fraud losses for 2024, a 33% increase from the prior year, with $2.77 billion of that from business email compromise. The Association for Financial Professionals’ 2026 survey found that 74% of organizations experienced BEC, and that smaller firms were significantly less likely to recover losses because they lack the recovery infrastructure of larger organizations. 

The industry is debating who takes on the cost. The data suggests that redistributing the cost does not reduce the fraud. 

Where Fraud Actually Enters the Financial System 

The data on where fraud originates is clear. According to UK Finance, 70-72% of APP fraud cases begin on online platforms, and a further 16% through telecom channels. The FBI attributes 83% of its reported losses to cyber-enabled fraud arriving through phishing, email compromise, and social engineering. Fraud overwhelmingly originates outside the financial institution’s perimeter. 

I build AI and security infrastructure for small and mid-size healthcare and legal businesses. My clients are fintech’s last mile. They process payments through fintech’s rails, authenticate through fintech’s systems, and store fintech’s credentials in their password vaults. When fraud hits them, it flows through fintech’s infrastructure. The question of who pays depends on the type of fraud. The question of who defends has one answer — nobody. 

A mid-market wholesaler I worked with was targeted by a business email compromise. The attacker registered an email domain one character off from a trusted vendor’s and had an inside source supplying real invoice details, so the resulting wire instruction was indistinguishable from routine business. The bank’s fraud detection looked inward, saw a valid customer instruction, and processed it. Because the wholesaler itself authorized the transfer, even though it was deceived into doing so, the bank bore no liability: Regulation E covers consumer accounts, and a business wire verified through the bank’s agreed security procedure is the customer’s loss under UCC Article 4A. The wholesaler absorbed the entire loss.
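As an added example (not code from the article or from the author’s practice), the following Python check is the kind of upstream control the incident above lacked: it compares the sender domain of an inbound invoice against a list of vendor domains the business actually pays, flags domains that are one edit away or differ only by a common homoglyph swap, and notes a Reply-To header that points somewhere other than the From domain. The vendor list, the sample headers and every helper name are constructed for illustration.

```python
"""Lookalike-domain check for inbound payment instructions (added example).

Flags sender domains that are one edit away from a known vendor domain, or
that collapse onto one after undoing common homoglyph swaps (rn -> m,
vv -> w, 0 -> o, 1 -> l). Vendor list and sample headers are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allowlist: the vendor domains this business actually pays.
KNOWN_VENDORS = {"acme-supply.com", "northwind.co", "contoso.net"}

# Multi-character lookalikes; single-character swaps (0/o, 1/l) are also
# caught by the edit-distance check, normalisation just names them.
HOMOGLYPHS = [("rn", "m"), ("vv", "w")]

ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>|([^\s<>\"]+@[^\s<>\"]+)")


@dataclass(frozen=True)
class Finding:
    domain: str
    verdict: str            # "known", "lookalike" or "unknown"
    matched_vendor: str | None
    reason: str


def normalize(domain: str) -> str:
    """Undo visual substitutions so a homoglyph domain matches its target."""
    d = domain.lower().strip().rstrip(".")
    for glyph, real in HOMOGLYPHS:
        d = d.replace(glyph, real)
    return d.replace("0", "o").replace("1", "l")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domain(header_value: str) -> str:
    """Pull the domain out of a From/Reply-To header value."""
    m = ADDR_RE.search(header_value)
    if not m:
        raise ValueError(f"no address in header: {header_value!r}")
    addr = m.group(1) or m.group(2)
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_domain(domain: str, vendors: set[str] = KNOWN_VENDORS) -> Finding:
    domain = domain.lower()
    if domain in vendors:
        return Finding(domain, "known", domain, "exact match")
    norm = normalize(domain)
    for vendor in sorted(vendors):
        if norm == normalize(vendor):
            return Finding(domain, "lookalike", vendor, "homoglyph substitution")
        if edit_distance(domain, vendor) == 1:
            return Finding(domain, "lookalike", vendor, "one edit from vendor domain")
    return Finding(domain, "unknown", None, "not a known vendor")


def review_message(headers: dict[str, str]) -> list[str]:
    """Return human-readable alerts for one message's headers."""
    alerts: list[str] = []
    from_dom = extract_domain(headers["From"])
    finding = classify_domain(from_dom)
    if finding.verdict == "lookalike":
        alerts.append(f"From domain {from_dom} resembles vendor "
                      f"{finding.matched_vendor} ({finding.reason})")
    reply_to = headers.get("Reply-To")
    if reply_to and extract_domain(reply_to) != from_dom:
        alerts.append(f"Reply-To domain {extract_domain(reply_to)} "
                      f"differs from From domain {from_dom}")
    return alerts


# Constructed sample headers: a genuine invoice and a lookalike with new bank details.
SAMPLE_MESSAGES = [
    {"From": '"Acme Supply AP" <ap@acme-supply.com>', "Subject": "Invoice 4471"},
    {"From": '"Acme Supply AP" <ap@acrne-supply.com>',
     "Reply-To": "payments@acrne-supply-billing.com",
     "Subject": "Invoice 4471 - updated bank details"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["Subject"], "->", review_message(msg) or "no alerts")
```

The check is a cheap pre-filter, not a substitute for verifying changed bank details out of band with the vendor on a known number; its value is that it puts the “one character off” domain in front of a human before the wire instruction is keyed.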

In a separate incident, a tech-savvy partner at a small firm — someone trusted with administrative access to their own workstation — downloaded software that appeared legitimate based on credible online reviews. It was credential-stealing malware. Within hours, the attacker had harvested banking credentials from the employee’s password vault, hijacked their phone number to intercept security codes, drained bank accounts through the banking app’s own interface, and set up email forwarding rules to suppress every fraud alert. Because the credentials were fraudulently obtained and the transfers were initiated by the attacker, the bank bore the loss under Regulation E. 

Two incidents. In one, the SMB paid. In the other, the bank paid. In both, fraud entered through the same undefended client endpoint, flowed through the same fintech infrastructure, and could have been prevented by the same upstream defenses that did not exist. 

The Embedded Finance Paradox 

This gap is architectural, and embedded finance is widening it. Over the last decade, fintech invested heavily in embedding payment rails into non-financial platforms. According to analysts cited by PYMNTS and IBS Intelligence, fraud attempts targeting embedded finance products are growing two to three times faster than fraud in traditional banking channels. Multi-party transaction chains make liability assignment difficult to determine, and fraudsters use the fragmentation to their advantage. 

Fintech extended its revenue surface to the SMB endpoint. Its security posture did not follow. 

The Limits of Platform Liability 

The industry’s current response is to shift liability further outward. The proposed SCAM Act in the U.S. would require platforms to police fraudulent advertising. The EU’s PSD3 framework introduces platform liability for content that promotes fraud. Australia’s Scams Prevention Framework imposes duties on banks, telcos, and digital platforms alike. All necessary. None sufficient. 

Even if every social media platform perfectly policed scam ads, the business email compromise that hit my wholesaler client would still have succeeded — it did not originate on a platform. Even if every telecom carrier implemented flawless SIM swap authentication, the credential-stealing malware on my other client’s endpoint would still have harvested their banking credentials. Platform and telecom accountability addresses where some fraud begins. It does not address where fraud enters the financial system — the client endpoint. 

The Defense Boundary Needs to Move 

The cloud computing industry solved a similar problem with the shared responsibility model: the provider secures the infrastructure, the customer secures what runs on it, and the provider gives the customer the tools to do their part. Financial services has no equivalent. There is no defined security boundary between the institution and the SMB client, no shared tooling, and no expectation that the institution has a role in hardening the client endpoint. 

The component technology already exists. Abnormal Security delivers AI-powered email protection that detects business email compromise through behavioral analysis, deployed through managed service providers to exactly the kind of firms that need it. The GSMA’s SIM Swap API is commercially available and in production banking use across multiple countries. Beauceron Security embeds a security posture score directly in digital banking apps. Huntress provides endpoint detection to over 105,000 SMBs through the MSP channel. 

The pieces are present. What is missing is integration into a coherent fintech offering, and the recognition that defending the client endpoint is part of the institution’s fraud prevention obligation. 

This raises legitimate questions about privacy, consent, and scope that would need careful navigation. Those are real design constraints — not reasons to leave the endpoint undefended. 

Telecoms eventually had to take responsibility for robocalls flowing through their networks. E-commerce platforms had to take responsibility for counterfeit goods sold through their marketplaces. Financial services is at the same inflection point. The industry is asking who should pay. The more consequential question is who should defend.  

About Author

John (Chris) Rondthaler is a Strategic Technologist, MSP principal, and AI consultant with enterprise roots at UCLA Health System and Toyota North America. Through Rondthaler Labs and IT CloudLink LLC, he builds security and AI frameworks for the healthcare and legal SMBs most exposed to threats the big institutions designed around.
