A fraud detection system built in 2020 was designed around a premise that now reads as quaint. Money moved in batches. Authorization took seconds. A suspicious transaction could be held, reviewed by a human, and reversed before the funds hit the beneficiary account.

That world is gone. FedNow, Faster Payments, and TCH Real-Time Payments settle in under five seconds. The funds are final. The recipient can withdraw immediately. And the attacker now has access to AI tools that can discover, coordinate, and chain vulnerabilities at machine speed.

Bank Information Security put it plainly this week. Traditional fraud models ask whether a transaction looks suspicious. Modern attackers do not rely on suspicious transactions. They exploit systemic weaknesses upstream, in onboarding, authentication, and API integrations, so the transaction is legitimate by the time it hits the fraud engine.

The infrastructure is ahead of the defense. That is not a problem fraud ops can solve. It is a problem of architecture.

The Window That Closed

Real-time payments are fast by design. That is the feature. For fraud, it is the bug.

In a next-day ACH world, a fraud team had hours or days to reverse a payment. A confirmed scam could be clawed back before settlement. In a FedNow world, the money is gone in seconds. The settlement is irrevocable. If the bank did not stop the transaction during authorization, it is paying the claim.

American Banker's 2026 fraud research surveyed bankers on what worried them most. Real-time payments fraud (Zelle, FedNow, TCH RTP) led every category. Bankers are not reporting a new kind of fraud. They are reporting an old kind of fraud that is now impossible to reverse.

The industry response has been to push detection left. Score the customer at onboarding. Score the device at login. Score the beneficiary account before the payment is sent. The idea is that if you cannot stop the transaction in flight, you have to stop it before the customer can initiate it.

That strategy is coherent. It is also incomplete.

What the Attackers Figured Out

The phrase "AI-enhanced fraud" is doing a lot of work in industry press. Most of what it describes is scale, not sophistication. Deepfake voice for vishing. Generative models for phishing text. Synthetic identities assembled from scraped data. These are old attacks at higher volume.

The genuinely new threat is different. It is agents that can reason about application logic.

Anthropic flagged this directly in its disclosure earlier this year. Claude-based agents, running with access to documentation and code, could map application dependencies, identify authentication flows, and combine two or three legitimate API calls into an unauthorized outcome. Each individual call passed the fraud engine. The combination did not.

That is the shift. The fraud model is not detecting fraud. It is detecting anomalous single transactions. The attacker is no longer producing anomalous single transactions.

Featurespace, ThreatMetrix, and Sardine have all released research over the past two quarters arguing that behavioral biometrics and device intelligence still work against AI-assisted attacks. That is true for some classes of attack. It is not true when the attack is a chain of API calls inside a session that has already been authenticated with a valid device and a consistent behavioral profile.

The post-transaction fraud engine was built to catch the outlier. The attacker has stopped being an outlier.

Where the Real Defense Has to Live

The conclusion most of the serious fraud teams have reached is uncomfortable for the vendors that sell detection. Post-transaction scoring is not going away. It is also not where the battle is fought any more.

Three areas are absorbing the investment.

Onboarding and identity. If the account cannot be opened fraudulently, most downstream fraud becomes harder. That is why Alloy, Persona, and Jumio have all raised or announced product pushes around document verification, liveness, and synthetic identity detection. The premise is that stopping the attacker at enrollment beats stopping them at the payment.

API-level monitoring. If an attacker is chaining legitimate calls into an unauthorized outcome, the fraud signal is in the pattern of calls, not in any one call. Runtime application security tools are being pulled into fraud ops. This is a discipline collision. Fraud teams do not usually own the API gateway. They will have to.

Authenticated session hardening. Once a session is authenticated, most systems assume the user is legitimate for the session's duration. Step-up authentication on sensitive actions, continuous risk scoring inside a session, and rate-limited API access are quietly becoming fraud controls rather than security controls. The distinction is evaporating.
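
The API-level monitoring point above, as an added example that is not part of the original article: a per-call threshold and a session-level chain rule run over the same constructed log, showing a session where every call scores low but the ordered pattern is what a step-up check would key on. The action names, scores, chain and window are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample events: (session, seconds since login, API action, per-call score).
# Action names, scores and thresholds are illustrative assumptions, not a real system's.
EVENTS = [
    ("s1", 5,    "get_balance",     0.02),
    ("s1", 40,   "update_contact",  0.10),
    ("s1", 65,   "add_beneficiary", 0.15),
    ("s1", 90,   "instant_payment", 0.20),
    ("s2", 3,    "get_balance",     0.01),
    ("s2", 30,   "instant_payment", 0.12),  # payment to an existing beneficiary
    ("s3", 10,   "update_contact",  0.10),
    ("s3", 20,   "add_beneficiary", 0.15),
    ("s3", 4000, "instant_payment", 0.18),  # same steps, spread over an hour
]

PER_CALL_THRESHOLD = 0.8
# Ordered chain treated as sensitive as a whole, although each step is routine.
CHAIN = ("update_contact", "add_beneficiary", "instant_payment")
WINDOW_SECONDS = 300

def per_call_alerts(events, threshold=PER_CALL_THRESHOLD):
    """Single-event view: flag any call whose own score crosses the threshold."""
    return [e for e in events if e[3] >= threshold]

def chain_alerts(events, chain=CHAIN, window=WINDOW_SECONDS):
    """Session view: map session -> (start, end) where `chain` occurs in order within `window`."""
    by_session = defaultdict(list)
    for session, ts, action, _ in sorted(events, key=lambda e: (e[0], e[1])):
        by_session[session].append((ts, action))
    flagged = {}
    for session, calls in by_session.items():
        # Try every occurrence of the first step as a possible start of the chain.
        for start_ts, start_action in calls:
            if start_action != chain[0]:
                continue
            idx, last_ts = 1, start_ts
            for ts, action in calls:
                if ts > start_ts and ts - start_ts <= window and action == chain[idx]:
                    idx, last_ts = idx + 1, ts
                    if idx == len(chain):
                        break
            if idx == len(chain):
                flagged[session] = (start_ts, last_ts)
                break
    return flagged
```

On this log the per-call view raises nothing, while the chain view flags only session s1; s3 performs the same steps but outside the window, and s2 never touches the beneficiary list.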

The Bank Problem

Banks are caught in a liability structure that was written before any of this.

Under UK APP fraud rules that took effect in October 2024, the sending bank and the receiving bank split reimbursement 50/50 for authorized push payment scams. The theory was that both banks had a role in preventing the fraud and both should carry the cost. In practice, banks are now reimbursing customers for scams they detected and tried to block, because the regulator set the threshold for customer liability low.

The US is not far behind. Zelle has faced sustained congressional pressure to cover authorized fraud. State attorneys general are filing cases. The operating model of instant payments, immediate and irrevocable, is colliding with a consumer protection regime built around reversibility.

The bank's practical position is not flattering. It has to:

Any one of those is hard. All four at once is a business model problem.

What the Vendors Are Selling

The fraud tech market is noisy. Cutting through it requires distinguishing three things.

Detection at rest. Does the vendor score customers, devices, accounts, and beneficiaries before a transaction is initiated? This is where Sardine, Alloy, Persona, and Jumio compete.

Detection in motion. Does the vendor score the transaction in flight during the authorization window? This is Featurespace, Feedzai, ThreatMetrix, and the in-house models at the large banks.

Detection after the fact. Does the vendor help reconstruct what happened and support claims, recovery, and case management? This is Hummingbird, Unit21, and the compliance-ops platforms.

Most large banks are buying all three. What they are not buying, yet, is a coherent layer that sits across all three and reasons about chains of behavior rather than single events. That is where the next round of consolidation is likely to happen. Either an existing vendor broadens horizontally, or a new entrant ships a correlation layer that consumes the outputs of the others.

The AI Asymmetry

The painful truth is that defenders and attackers now use the same tool class, and the attackers have an easier job.

An attacker has to find one path that works. A defender has to close every path. An attacker can test at scale without reputational cost. A defender has to operate without false positives. An attacker can fail silently. A defender's failures end up in the Financial Times.

AI closes the gap in some places and widens it in others. It closes the gap on obvious pattern detection. It widens the gap on logic exploitation, because models are better at reasoning about code than humans are, and the attacker gets to run the model until it wins.

Mastercard, Visa, and the major card networks have all published research on AI fraud prevention this year. The results are genuine. AI is helping catch more fraud, faster, at lower false positive rates. But the research compares the current model to the previous model, not the current model to the current attacker. The attacker's model improved too.

What To Watch

Three signals over the next six months.

Settlement finality pushback. Expect regulators in the UK, EU, and US to start asking whether irrevocable real-time settlement should have a circuit breaker. Nobody wants to slow down instant payments. Nobody wants to keep reimbursing authorized fraud. Something gives.

API security vendors moving into fraud. Runtime application security tools already detect the logic exploitation that is defeating fraud engines. The boundary between application security and fraud ops is thinner than either industry admits. Watch for acquisitions.

Bank in-sourcing. The banks that have built their own behavioral models and API monitoring layers are quietly pulling back from third-party scoring. The vendors still sell, but the strategic direction is in-house. Fraud becomes a core infrastructure capability, not an outsourced control.

When the rails are irrevocable and the attacker is an agent, what does "fraud detection" even mean?

Charlie Major is a Product Development Manager at Mastercard. The views and opinions expressed in Major Matters are his own and do not represent those of Mastercard.