Payment Risk Operations Maturity Benchmark Report

Riskscenter analytical report
Payment Risk Operations Maturity Benchmark Report

2026 Mid-Year Edition: the latest available regulatory and industry data, interpreted through an operational payment-risk and fraud-control lens.

PublishedJuly 2026
Data cut-off30 June 2026
CoverageEEA, United Kingdom and United States
MethodRegulatory and industry data plus Riskscenter analysis

Payment-fraud statistics are often presented as a single story: losses rise, controls improve, criminals adapt and the industry invests more. The reality is less linear. The same year can show a stable fraud rate, a sharp increase in absolute losses, more successful prevention and a growing number of victims. A payment instrument can have the largest total value of fraud while maintaining one of the lowest fraud rates. Another instrument can generate millions of cases with a much smaller average loss per incident.

These differences matter because operational decisions are made at transaction level, not at headline level. A fraud team must decide which data to collect, which rules to apply, when to require additional authentication, when to stop a payment, how to review merchants and how to connect later outcomes with the original decision. Public statistics provide essential context, but they do not directly measure the quality of those internal controls.

This Riskscenter report combines the latest regulatory, industry and public-source information available by 30 June 2026 with a practical assessment of what the figures mean for payment companies, financial institutions, merchants and fraud-control teams. The reference periods differ by source. European payment data mainly cover 2024, UK Finance reports full-year 2025 results, and the latest US consumer-reporting figures cover 2025. Every chart therefore states its own period and methodology.

How to read this report. No third-party chart design has been reproduced. Riskscenter has rebuilt each visual from published source values. Official statistics, Riskscenter calculations and practitioner observations are separated throughout the report. Operational observations are directional and should not be interpreted as statistically representative of the entire global payments market.

Executive summary: ten conclusions for payment-risk leaders

€4.2bnreported value of fraudulent payments in the EEA during 2024
£1.28bnUK payment-fraud losses reported for 2025
3.78mconfirmed UK unauthorised card-fraud cases in 2025
$15.9bnfraud losses reported to the FTC for 2025
1

Low fraud rates can still produce large losses

A rate of a few thousandths of a percent may look reassuring, but a very large payment base converts a small rate into billions of euros. Percentage performance and financial exposure must always be reviewed together.

2

Payment instruments have different risk economics

Credit transfers produce the highest fraud value in the EEA and the highest average fraudulent transaction. Cards produce far more cases, but the average fraudulent card payment is much smaller.

3

Attack volume is becoming an operational problem

UK card-fraud cases more than doubled between 2016 and 2025 while total losses remained close to the same level. Fraud teams must absorb greater event volume even when the average financial loss declines.

4

Authentication works, but it does not remove manipulation

Strong customer authentication remains effective against unauthorised fraud. Criminals increasingly respond by manipulating the payer, stealing one-time codes or moving activity toward channels and geographies where controls are weaker.

5

Cross-border exposure is disproportionate

Most card payments are domestic, yet about 70% of card-payment fraud is linked to cross-border transactions. A relatively small part of the flow can therefore create a much larger part of the risk.

6

Consumer manipulation begins before payment

FTC reports show how social media, impersonation and investment propositions create losses before a payment system sees the transaction. Transaction monitoring is necessary, but it operates late in the fraud chain.

7

Published statistics rarely measure false declines

Official loss data rarely show legitimate customers blocked, cases delayed in review, transactions excluded because of missing fields or merchants that changed their activity after onboarding.

8

More rules do not automatically mean stronger control

A large ruleset can still leave part of the flow unprotected, duplicate the same signal or operate on poor data. Control quality depends on coverage, evidence, ownership and measured outcomes.

9

Feedback quality determines long-term performance

Chargebacks, confirmed fraud, customer complaints and manual-review outcomes must be connected to the original transaction decision. Without that connection, the system cannot learn which controls work.

10

Maturity is an operating model, not a technology purchase

The strongest organisations align data, rules, merchant oversight, human decisions, reporting and change governance. A new model or platform cannot compensate for weaknesses across the rest of that operating model.

What the latest published data shows

The first part of the benchmark focuses on observable outcomes: reported fraud value, transaction rates, average incident size, authentication coverage, geography, case volume and consumer-reported losses. The figures should not be compressed into one universal fraud indicator. They describe different markets, instruments and reporting systems.

Chart 1 · EEA · 2024

Fraud value by payment instrument

€4.2bn
€0€0.5bn€1.0bn€1.5bn€2.0bn€2.5bn Credit transfersCard paymentsCash withdrawalsDirect debitsE-money Credit transfers: €2.516 billion Card payments: €1.294 billion Cash withdrawals: €135.7 million Direct debits: €112.1 million E-money: €101.9 million €2.516bn€1.294bn€135.7m€112.1m€101.9m

Credit transfers accounted for roughly three-fifths of the value represented by the five reported instrument categories, while card payments accounted for almost one-third. The remaining instruments were much smaller in absolute value, although this does not mean their fraud patterns are operationally unimportant. Direct-debit fraud, for example, rose sharply from €36 million in 2023 to €112 million in 2024.

Operational interpretation: absolute loss value is essential for capital exposure and prioritisation, but it should not be used alone to compare the effectiveness of controls across payment instruments.
Source: European Banking Authority and European Central Bank, 2025 Report on Payment Fraud. Reference period: January–December 2024. Published: December 2025. Presentation: Riskscenter visualisation of published aggregate values. The official total is rounded to €4.2 billion; instrument values shown above use the report’s detailed table.
Chart 2 · EEA · 2024

Fraud as a share of payment value

Overall: 0.002%
0%0.01%0.02%0.03%0.04% Card paymentsE-moneyCash withdrawalsCredit transfersDirect debits Card payments: 0.033% E-money: 0.018% Cash withdrawals: 0.010% Credit transfers: 0.001% Direct debits: 0.001% 0.033%0.018%0.010%0.001%0.001%

The ranking changes when fraud is measured relative to the total value processed through each instrument. Card payments show the highest rate in value terms, followed by e-money and cash withdrawals. Credit transfers generate the highest absolute fraud value, but their enormous legitimate payment base produces a much lower relative rate.

This is why a payment-risk metrics dashboard should separate total exposure, fraud rate, transaction count and average case value. One number cannot explain whether a business faces concentrated high-value attacks, large-scale low-value attacks or both.

Operational interpretation: use absolute value to understand financial impact and relative rates to compare exposure across different payment populations. Neither measure is sufficient by itself.
Source: EBA and ECB, 2025 Report on Payment Fraud. Reference period: 2024. Published: December 2025. Rates represent fraud value as a share of the total value of transactions for each instrument.
Chart 3 · EEA · 2024

Average value of one fraudulent transaction

€2,155
€0€500€1,000€1,500€2,000 Credit transfer: €2,155 Direct debit: €1,516 Cash withdrawal: €363 E-money: €105 Card payment: €76 €2,155€1,516€363€105€76 Credit transferDirect debitCash withdrawalE-moneyCard payment

The average fraudulent credit transfer was more than 28 times the average fraudulent card payment. This difference reflects both instrument design and criminal strategy. Credit-transfer fraud often requires manipulation of a particular payer and can produce a large single loss. Card fraud can be executed at scale using compromised credentials, creating many smaller attempts and a much heavier operational event load.

Operational interpretation: a control strategy for cards should be designed for speed, repetition and broad coverage. A credit-transfer strategy needs strong protection against payer manipulation, beneficiary risk and high-severity individual events.
Source: EBA and ECB, 2025 Report on Payment Fraud. Reference period: 2024. Published: December 2025. Values are average fraudulent transaction amounts by instrument.
Chart 4 · EEA · 2024

Strong customer authentication coverage

Value vs volume
0%20%40%60%80%100% Credit transfers by value: 77% Credit transfers by volume: 71% Card payments by value: 64% Card payments by volume: 40% E-money by value: about 70% E-money by volume: 38% 77%71%64%40%≈70%38% Credit transfersCard paymentsE-money Share by valueShare by transaction volume

Strong customer authentication was applied to most electronically initiated credit transfers by both value and volume. For cards and e-money, the share authenticated by transaction count was lower than the share by value. This pattern is partly explained by permitted exemptions and the high number of contactless, transport and other low-friction transactions.

The data should not be interpreted as a target requiring every transaction to use the same authentication path. A mature control framework measures the fraud performance of each exemption, the quality of transaction-risk analysis and the behaviour of segments that bypass a full challenge.

Operational interpretation: authentication coverage is a control input, not a final outcome. Teams should measure which transactions are exempted, why they are exempted and whether those populations produce disproportionate fraud.
Source: EBA and ECB, 2025 Report on Payment Fraud, charts on SCA use. Reference period: 2024. Published: December 2025. Values are rounded as presented in the report.
Chart 5 · EEA · 2022–2024 pattern

Domestic card flow versus cross-border card fraud

7× higher rate
All card transactions by volumeFraudulent card transactions Domestic share: approximately 80% Cross-border share: approximately 20% Domestic fraud share: approximately 30% Cross-border fraud share: approximately 70% ≈80% domestic≈20%≈30%≈70% cross-border DomesticCross-border

Around four-fifths of card payments by volume were domestic, but approximately 70% of card-payment fraud was connected with cross-border transactions. The report also found that the cross-border card fraud rate in 2024 was more than seven times the domestic rate. Transactions involving a non-EEA counterparty were particularly exposed, partly because strong customer authentication may be inconsistent or absent.

Operational interpretation: geography should not be treated as a simple country blacklist. The relevant analysis includes issuer, acquirer, merchant, customer, authentication responsibility, one-leg-out exposure and the reliability of cross-border cooperation.
Source: EBA and ECB, 2025 Report on Payment Fraud, geographical analysis. Reference period: patterns observed across 2022–2024; the seven-times comparison relates to 2024. Published: December 2025.
Chart 6 · United Kingdom · 2016–2025

Card-fraud cases rose faster than losses

3.78m cases
£0m£200m£400m£600m£800m01m2m3m4m 2016 losses: £618.1m2017 losses: £565.4m2018 losses: £671.4m2019 losses: £620.6m2020 losses: £574.2m2021 losses: £524.5m2022 losses: £556.3m2023 losses: £551.3m2024 losses: £592.5m2025 losses: £594.9m 2016201720182019202020212022202320242025 Losses, £mConfirmed cases

UK card-fraud losses were £618.1 million in 2016 and £594.9 million in 2025. Over the same period, confirmed cases increased from 1.82 million to 3.78 million. The pattern is therefore not a simple rise in average financial severity. It is a shift toward far more attacks and a lower average loss per case.

Remote purchase fraud was a major contributor. In 2025 it generated £423.5 million of losses and the number of cases increased by 13%. UK Finance reports that average remote-purchase case value fell from £300 in 2016 to £132 in 2025. The burden moves toward detection throughput, customer communication, dispute processing and high-volume investigation.

Operational interpretation: fraud strategy must measure workload as well as losses. A control may reduce average case value while the organisation still faces more alerts, more affected cards, more customer contacts and more downstream disputes.
Source: UK Finance Annual Fraud Report 2026. Reference period: calendar years 2016–2025. Published: June 2026. Bars show gross card-fraud losses; the line shows confirmed cases where a loss occurred.
Chart 7 · United States · 2024–2025

Fraud reports and reported consumer losses

$15.9bn
Number of fraud reportsReported losses 2024: 2,600,678 fraud reports 2025: approximately 3 million fraud reports 2024 reported losses: $12.537 billion 2025 reported losses: $15.9 billion 2.60m3.00m$12.54bn$15.9bn 2024202520242025

The FTC received approximately three million fraud reports in 2025, compared with 2.60 million in 2024. Reported losses increased from $12.54 billion to $15.9 billion. These figures are not payment-industry loss statistics: they are based on unverified reports submitted by consumers and data contributors to the Consumer Sentinel Network. They nevertheless provide important evidence about the scale of manipulation that takes place before or around a payment.

$7.9bn investment scams

Investment-related schemes generated the largest reported loss category in 2025, demonstrating the severity of payments that victims are persuaded to authorise voluntarily.

Social-media scams: $2.1bn

Nearly 30% of people who reported losing money said the scam began on social media. More than half of the reported social-media losses were linked to investment scams.

Operational interpretation: transaction monitoring sees the payment after trust has already been manipulated. Effective prevention also requires beneficiary analysis, behavioural change detection, customer warnings and coordination with online platforms and telecommunications providers.
Sources: Federal Trade Commission, Consumer Sentinel Network Data Book 2024; FTC testimony on 2025 fraud reporting; and the FTC 2026 social-media scam data spotlight. Published: March 2025, March 2026 and April 2026, respectively. Limitation: reports are unverified and are not based on a representative consumer survey.

What published statistics cannot see

Published fraud statistics are indispensable, but they focus primarily on completed outcomes: fraud value, case volume, payment instrument, geography, authentication and liability. They rarely explain whether a company’s internal control system made a good decision at the moment it processed a transaction.

Two businesses can report the same fraud rate while operating at very different levels of control maturity. One may evaluate every transaction, preserve complete decision evidence and monitor false declines. The other may exclude a channel from assessment, treat missing data as safe and only discover losses through chargebacks months later. The headline rate alone cannot distinguish them.

Riskscenter practitioner framework: seven invisible measures

Official fraudoutcomes Legitimate paymentsincorrectly declined Transactions skipped becauserequired data was missing Manual-review casesleft unresolved Controls applied to onlypart of the payment flow Merchant behaviour changesafter onboarding Temporary controls that remainactive without review Chargebacks not linked tothe original decision

These hidden measures are not secondary. False declines affect revenue and customer trust. Missing data can create an unprotected population. Unresolved review queues can turn a technically approved process into a failed customer journey. Merchant drift changes the risk profile after the initial assessment. Weak outcome feedback prevents the company from understanding whether a rule, model or analyst decision was correct.

A mature organisation therefore maintains two views at the same time. The first is an external outcome view: fraud, disputes, losses and customer harm. The second is an internal decision-quality view: coverage, evidence, action, explanation, review time and later validation. The article on monitoring an anti-fraud system after launch explains why post-launch control must examine both dimensions rather than watching only headline losses.

Seven recurring payment-control gaps

The following gaps are based on Riskscenter practitioner analysis of payment-risk, fraud-control and merchant-review work. They are recurring operational patterns, not percentages from a statistical sample. Their value lies in identifying the mechanisms through which apparently reasonable controls fail.

1. Incomplete transaction coverage

A rule may protect card payments in the main checkout but exclude retries, mobile flows, direct integrations, payouts or one merchant route. Teams often discuss rule quality without first proving that the rule sees the complete population it is intended to control.

2. Unsafe treatment of missing data

When a field is absent, the system may silently substitute a neutral value. The transaction then appears safer than it is. Missing device, customer-history or merchant information should be visible and should trigger a defined fallback action.

3. Rules without measurable objectives

A rule is frequently introduced after an incident and remains active indefinitely. Without a documented target, owner and expected effect, the team cannot determine whether it reduces fraud, duplicates another control or creates excessive legitimate declines.

4. Decisions without sufficient explanation

An analyst or automated model may produce an action without preserving the evidence that caused it. The organisation can see that a payment was declined, but cannot reliably explain which signals mattered or whether the same reasoning should be used again.

5. No merchant reassessment after change

The initial merchant review may be thorough, but the business model, geography, products, marketing channels and transaction behaviour can change later. Without event-driven reassessment, the company continues applying controls designed for an outdated profile.

6. Weak feedback from disputes and fraud

Chargebacks and confirmed losses may be handled in a separate system from transaction decisions. When the link is missing, the team cannot test which rules fired, which evidence was available and why the original decision failed.

7. Changes without outcome validation

A threshold or model version is deployed and initial technical checks pass. Weeks later, no one verifies whether fraud, approval, review workload and customer complaints moved as expected. The change becomes permanent without proof of effectiveness.

These gaps interact. Incomplete coverage creates missing outcomes. Missing outcomes weaken feedback. Weak feedback allows ineffective rules to survive. Poor change governance then makes the system harder to understand with every new control. An independent review should therefore examine the full decision chain rather than testing individual rules in isolation. Riskscenter has described this approach in what an independent payment-risk audit should examine.

The Riskscenter payment-risk maturity model

Control maturity is not defined by the number of tools, rules or employees. It is defined by the organisation’s ability to understand its payment flow, make proportionate decisions, explain those decisions and improve them from reliable evidence. The Riskscenter model uses four levels across six operating dimensions.

Level 1Reactive

Controls are added after incidents. Data coverage is uncertain, ownership is fragmented and success is judged mainly by whether losses stop temporarily.

Level 2Controlled

Core flows are documented, mandatory controls exist and responsibilities are clearer, but measurement and feedback remain limited.

Level 3Measured

Decision quality, false declines, review outcomes and merchant changes are monitored. Controls have owners, targets and scheduled review.

Level 4Adaptive

Data, automated decisions, human judgement and outcome feedback form a continuous cycle. Changes are tested, segmented and rapidly corrected.

DimensionReactiveControlledMeasuredAdaptive
Data coverageImportant fields and channels are missing or not known.Core transaction fields are defined and basic completeness checks exist.Coverage and missing-data rates are measured by channel and segment.Data quality affects decisions dynamically and failures trigger controlled fallback actions.
Rules and decisionsRules accumulate after incidents and overlap.Rules have basic documentation and approval.Each control has an objective, owner, performance measures and review date.Rules, scores and authentication actions are continuously tested against outcomes and customer impact.
Merchant oversightRisk is assessed mainly during onboarding.Periodic merchant review exists for higher-risk segments.Behavioural change and agreed triggers initiate reassessment.Merchant risk profiles update continuously and control intensity changes with evidence.
Manual reviewAnalysts work from incomplete cases and inconsistent judgement.Queues, procedures and escalation paths are documented.Decision quality, handling time, reversals and analyst consistency are measured.Human decisions feed models and rules, while automation prioritises cases by expected value.
Reporting and feedbackLosses and chargebacks are reviewed separately from original decisions.Regular dashboards show core fraud and approval outcomes.Outcomes are linked to rules, scores, merchants and analyst decisions.Feedback is timely enough to change controls before losses become a delayed pattern.
Change governanceEmergency changes are common and poorly recorded.Testing, approval and rollback procedures are established.Expected impact and post-change validation are mandatory.Changes use controlled experiments, segment limits and automated monitoring of unintended effects.

Progress is rarely uniform. A company may have advanced transaction technology but remain reactive in merchant oversight or manual-review governance. The purpose of the model is not to produce a single flattering score. It is to identify the weakest dimension that limits the reliability of the entire control system.

Operational benchmark questions

The following questions can be used as a first internal benchmark. A “yes” should require evidence, not confidence. The organisation should be able to show the relevant report, configuration, decision record or review result.

Can the company identify every payment flow to which each major control applies?
Are missing fields measured separately from fields containing a legitimate empty or zero value?
Does every material rule have a documented objective, owner and review date?
Can an analyst explain why a score or automated action reached its final result?
Are chargebacks and confirmed fraud connected to the original transaction decision?
Is manual-review quality measured in addition to queue volume and handling time?
Do merchant behaviour changes trigger reassessment before a scheduled annual review?
Can the team separate fraud declines from issuer, authentication and technical failures?
Are temporary controls automatically reviewed or expired after a defined period?
Does every significant change have a rollback plan and post-change validation window?
Are false declines measured by segment rather than estimated from the overall approval rate?
Can management see both financial exposure and operational workload created by fraud?

A negative answer does not automatically indicate a failed programme. It identifies where management lacks evidence. The next step is to determine whether the gap creates material exposure, customer harm or an inability to govern future changes.

Priorities for the next twelve months

The official data point to three simultaneous pressures: high-value manipulation, high-volume card attacks and growing fraud that begins outside the payment environment. The following priorities are designed for the second half of 2026 through the first half of 2027.

1

Prove complete decision coverage

Map every transaction, authentication, payout, retry and merchant route to the controls that evaluate it. Reconcile technical flow counts with risk-engine counts. Treat any unexplained difference as a control gap until proven otherwise.

2

Make missing data an explicit risk state

Record why information is absent, measure the affected population and define a proportionate fallback. A missing device identifier or merchant attribute should never become an invisible neutral value.

3

Connect payment decisions with later outcomes

Create a durable link between the original event, rule results, score, authentication, analyst action, chargeback and confirmed fraud outcome. This connection is the foundation for testing control effectiveness.

4

Measure legitimate customer impact

Monitor declines, challenge completion, repeated attempts, complaints and abandonment by segment. A lower fraud rate is not automatically an improvement if it is produced by indiscriminate customer rejection.

5

Strengthen cross-border segmentation

Review one-leg-out transactions, counterpart locations, issuer-acquirer combinations and authentication responsibility. Avoid broad geography rules that treat every international customer as equally risky.

6

Build event-driven merchant reassessment

Define triggers for changes in geography, ticket size, product mix, refund patterns, dispute levels, websites and marketing channels. Reassessment should begin when the risk profile changes, not only when the calendar says a review is due.

7

Control every system change as a risk decision

Require an expected effect, affected population, test evidence, owner, rollback method and validation period. Monitor fraud, approval, review volume and customer harm after deployment.

8

Prepare teams for manipulation-led fraud

Combine transaction evidence with beneficiary, device, behavioural and customer-contact signals. Train analysts to recognise cases where the payer technically authorised the transaction but did so under deception.

Methodology, sources and limitations

This report is a Riskscenter analytical publication, not a representative market survey. Its quantitative sections use official and industry data published by the EBA, ECB, UK Finance and the US Federal Trade Commission. Riskscenter selected, recalculated where clearly stated, and visualised the source values for operational interpretation.

European payment-fraud data
The EBA-ECB dataset is based on payment-fraud reporting under the revised Payment Services Directive and covers the European Economic Area. The 2025 report analyses six half-year periods from the first half of 2022 through the second half of 2024. Definitions and reporting quality can vary, and the report itself identifies exclusions, corrections and confidentiality limitations affecting certain country-level data. This Riskscenter report therefore uses aggregate instrument-level figures and clearly labelled approximate shares where the official text provides rounded descriptions.
UK Finance fraud data
UK Finance compiles data reported by member financial providers, card issuers and card-payment acquirers. A confirmed case refers to a card or account defrauded, not necessarily a unique person. The ten-year card series is useful for comparing attack volume and loss value, but it should not be treated as a direct estimate of all fraud experienced by UK consumers or merchants outside the contributing population.
Federal Trade Commission consumer reports
Consumer Sentinel data are based on unverified reports submitted by consumers and contributing organisations. They are not based on a representative survey and do not measure the complete incidence of fraud. The figures are used here to illustrate reported consumer harm and fraud-origination channels, not to compare directly with EEA or UK payment-industry loss data.
Riskscenter practitioner analysis
The control gaps, maturity model, benchmark questions and priorities reflect Riskscenter professional analysis of payment-risk, fraud-control, merchant-monitoring and operational decision practices. They are qualitative frameworks. No market percentage is assigned to an observation unless a published external dataset supports it.

Currency values are not converted across euros, pounds and US dollars because the underlying datasets describe different markets and purposes. Figures should not be added together. Apparent differences may result from reporting scope, fraud definitions, payment mix, reimbursement rules and data-collection methods rather than control performance alone.

Conclusion: maturity begins with evidence

The latest data do not support a simple conclusion that payment fraud is either improving or worsening. Strong authentication has reduced important unauthorised fraud risks, but manipulation-led fraud continues to grow. Card attacks are becoming more numerous and lower in average value. Cross-border activity remains disproportionately exposed. Consumer losses increasingly begin in digital environments before the payment is initiated.

For payment companies, the practical question is not whether the market headline is positive or negative. It is whether their own controls cover the complete flow, use reliable data, preserve explainable evidence and learn from outcomes quickly enough. A mature framework connects merchant risk, transaction decisions, manual judgement, disputes, customer impact and controlled system change.

Organisations that need an independent assessment of these capabilities can review the Riskscenter approach to a payment-risk and fraud-control audit. The objective is not to produce a generic compliance checklist, but to identify where real payment decisions, data flows and operating practices create avoidable exposure.

  • Contact Us

    Contact Us

    We’ll find the right solution for your business.

    Contact us

  • This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Centr Plus 22 Ltd

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.