Payment Risk Operations Maturity Benchmark Report
2026 Mid-Year Edition: the latest available regulatory and industry data, interpreted through an operational payment-risk and fraud-control lens.
Payment-fraud statistics are often presented as a single story: losses rise, controls improve, criminals adapt and the industry invests more. The reality is less linear. The same year can show a stable fraud rate, a sharp increase in absolute losses, more successful prevention and a growing number of victims. A payment instrument can have the largest total value of fraud while maintaining one of the lowest fraud rates. Another instrument can generate millions of cases with a much smaller average loss per incident.
These differences matter because operational decisions are made at transaction level, not at headline level. A fraud team must decide which data to collect, which rules to apply, when to require additional authentication, when to stop a payment, how to review merchants and how to connect later outcomes with the original decision. Public statistics provide essential context, but they do not directly measure the quality of those internal controls.
This Riskscenter report combines the latest regulatory, industry and public-source information available by 30 June 2026 with a practical assessment of what the figures mean for payment companies, financial institutions, merchants and fraud-control teams. The reference periods differ by source. European payment data mainly cover 2024, UK Finance reports full-year 2025 results, and the latest US consumer-reporting figures cover 2025. Every chart therefore states its own period and methodology.
Executive summary: ten conclusions for payment-risk leaders
Low fraud rates can still produce large losses
A rate of a few thousandths of a percent may look reassuring, but a very large payment base converts a small rate into billions of euros. Percentage performance and financial exposure must always be reviewed together.
Payment instruments have different risk economics
Credit transfers produce the highest fraud value in the EEA and the highest average fraudulent transaction. Cards produce far more cases, but the average fraudulent card payment is much smaller.
Attack volume is becoming an operational problem
UK card-fraud cases more than doubled between 2016 and 2025 while total losses remained close to the same level. Fraud teams must absorb greater event volume even when the average financial loss declines.
Authentication works, but it does not remove manipulation
Strong customer authentication remains effective against unauthorised fraud. Criminals increasingly respond by manipulating the payer, stealing one-time codes or moving activity toward channels and geographies where controls are weaker.
Cross-border exposure is disproportionate
Most card payments are domestic, yet about 70% of card-payment fraud is linked to cross-border transactions. A relatively small part of the flow can therefore create a much larger part of the risk.
Consumer manipulation begins before payment
FTC reports show how social media, impersonation and investment propositions create losses before a payment system sees the transaction. Transaction monitoring is necessary, but it operates late in the fraud chain.
Published statistics rarely measure false declines
Official loss data rarely show legitimate customers blocked, cases delayed in review, transactions excluded because of missing fields or merchants that changed their activity after onboarding.
More rules do not automatically mean stronger control
A large ruleset can still leave part of the flow unprotected, duplicate the same signal or operate on poor data. Control quality depends on coverage, evidence, ownership and measured outcomes.
Feedback quality determines long-term performance
Chargebacks, confirmed fraud, customer complaints and manual-review outcomes must be connected to the original transaction decision. Without that connection, the system cannot learn which controls work.
Maturity is an operating model, not a technology purchase
The strongest organisations align data, rules, merchant oversight, human decisions, reporting and change governance. A new model or platform cannot compensate for weaknesses across the rest of that operating model.
What the latest published data shows
The first part of the benchmark focuses on observable outcomes: reported fraud value, transaction rates, average incident size, authentication coverage, geography, case volume and consumer-reported losses. The figures should not be compressed into one universal fraud indicator. They describe different markets, instruments and reporting systems.
Fraud value by payment instrument
Credit transfers accounted for roughly three-fifths of the value represented by the five reported instrument categories, while card payments accounted for almost one-third. The remaining instruments were much smaller in absolute value, although this does not mean their fraud patterns are operationally unimportant. Direct-debit fraud, for example, rose sharply from €36 million in 2023 to €112 million in 2024.
Fraud as a share of payment value
The ranking changes when fraud is measured relative to the total value processed through each instrument. Card payments show the highest rate in value terms, followed by e-money and cash withdrawals. Credit transfers generate the highest absolute fraud value, but their enormous legitimate payment base produces a much lower relative rate.
This is why a payment-risk metrics dashboard should separate total exposure, fraud rate, transaction count and average case value. One number cannot explain whether a business faces concentrated high-value attacks, large-scale low-value attacks or both.
Average value of one fraudulent transaction
The average fraudulent credit transfer was more than 28 times the average fraudulent card payment. This difference reflects both instrument design and criminal strategy. Credit-transfer fraud often requires manipulation of a particular payer and can produce a large single loss. Card fraud can be executed at scale using compromised credentials, creating many smaller attempts and a much heavier operational event load.
Strong customer authentication coverage
Strong customer authentication was applied to most electronically initiated credit transfers by both value and volume. For cards and e-money, the share authenticated by transaction count was lower than the share by value. This pattern is partly explained by permitted exemptions and the high number of contactless, transport and other low-friction transactions.
The data should not be interpreted as a target requiring every transaction to use the same authentication path. A mature control framework measures the fraud performance of each exemption, the quality of transaction-risk analysis and the behaviour of segments that bypass a full challenge.
Domestic card flow versus cross-border card fraud
Around four-fifths of card payments by volume were domestic, but approximately 70% of card-payment fraud was connected with cross-border transactions. The report also found that the cross-border card fraud rate in 2024 was more than seven times the domestic rate. Transactions involving a non-EEA counterparty were particularly exposed, partly because strong customer authentication may be inconsistent or absent.
Card-fraud cases rose faster than losses
UK card-fraud losses were £618.1 million in 2016 and £594.9 million in 2025. Over the same period, confirmed cases increased from 1.82 million to 3.78 million. The pattern is therefore not a simple rise in average financial severity. It is a shift toward far more attacks and a lower average loss per case.
Remote purchase fraud was a major contributor. In 2025 it generated £423.5 million of losses and the number of cases increased by 13%. UK Finance reports that average remote-purchase case value fell from £300 in 2016 to £132 in 2025. The burden moves toward detection throughput, customer communication, dispute processing and high-volume investigation.
Fraud reports and reported consumer losses
The FTC received approximately three million fraud reports in 2025, compared with 2.60 million in 2024. Reported losses increased from $12.54 billion to $15.9 billion. These figures are not payment-industry loss statistics: they are based on unverified reports submitted by consumers and data contributors to the Consumer Sentinel Network. They nevertheless provide important evidence about the scale of manipulation that takes place before or around a payment.
$7.9bn investment scams
Investment-related schemes generated the largest reported loss category in 2025, demonstrating the severity of payments that victims are persuaded to authorise voluntarily.
Social-media scams: $2.1bn
Nearly 30% of people who reported losing money said the scam began on social media. More than half of the reported social-media losses were linked to investment scams.
What published statistics cannot see
Published fraud statistics are indispensable, but they focus primarily on completed outcomes: fraud value, case volume, payment instrument, geography, authentication and liability. They rarely explain whether a company’s internal control system made a good decision at the moment it processed a transaction.
Two businesses can report the same fraud rate while operating at very different levels of control maturity. One may evaluate every transaction, preserve complete decision evidence and monitor false declines. The other may exclude a channel from assessment, treat missing data as safe and only discover losses through chargebacks months later. The headline rate alone cannot distinguish them.
Riskscenter practitioner framework: seven invisible measures
These hidden measures are not secondary. False declines affect revenue and customer trust. Missing data can create an unprotected population. Unresolved review queues can turn a technically approved process into a failed customer journey. Merchant drift changes the risk profile after the initial assessment. Weak outcome feedback prevents the company from understanding whether a rule, model or analyst decision was correct.
A mature organisation therefore maintains two views at the same time. The first is an external outcome view: fraud, disputes, losses and customer harm. The second is an internal decision-quality view: coverage, evidence, action, explanation, review time and later validation. The article on monitoring an anti-fraud system after launch explains why post-launch control must examine both dimensions rather than watching only headline losses.
Seven recurring payment-control gaps
The following gaps are based on Riskscenter practitioner analysis of payment-risk, fraud-control and merchant-review work. They are recurring operational patterns, not percentages from a statistical sample. Their value lies in identifying the mechanisms through which apparently reasonable controls fail.
1. Incomplete transaction coverage
A rule may protect card payments in the main checkout but exclude retries, mobile flows, direct integrations, payouts or one merchant route. Teams often discuss rule quality without first proving that the rule sees the complete population it is intended to control.
2. Unsafe treatment of missing data
When a field is absent, the system may silently substitute a neutral value. The transaction then appears safer than it is. Missing device, customer-history or merchant information should be visible and should trigger a defined fallback action.
3. Rules without measurable objectives
A rule is frequently introduced after an incident and remains active indefinitely. Without a documented target, owner and expected effect, the team cannot determine whether it reduces fraud, duplicates another control or creates excessive legitimate declines.
4. Decisions without sufficient explanation
An analyst or automated model may produce an action without preserving the evidence that caused it. The organisation can see that a payment was declined, but cannot reliably explain which signals mattered or whether the same reasoning should be used again.
5. No merchant reassessment after change
The initial merchant review may be thorough, but the business model, geography, products, marketing channels and transaction behaviour can change later. Without event-driven reassessment, the company continues applying controls designed for an outdated profile.
6. Weak feedback from disputes and fraud
Chargebacks and confirmed losses may be handled in a separate system from transaction decisions. When the link is missing, the team cannot test which rules fired, which evidence was available and why the original decision failed.
7. Changes without outcome validation
A threshold or model version is deployed and initial technical checks pass. Weeks later, no one verifies whether fraud, approval, review workload and customer complaints moved as expected. The change becomes permanent without proof of effectiveness.
These gaps interact. Incomplete coverage creates missing outcomes. Missing outcomes weaken feedback. Weak feedback allows ineffective rules to survive. Poor change governance then makes the system harder to understand with every new control. An independent review should therefore examine the full decision chain rather than testing individual rules in isolation. Riskscenter has described this approach in what an independent payment-risk audit should examine.
The Riskscenter payment-risk maturity model
Control maturity is not defined by the number of tools, rules or employees. It is defined by the organisation’s ability to understand its payment flow, make proportionate decisions, explain those decisions and improve them from reliable evidence. The Riskscenter model uses four levels across six operating dimensions.
Controls are added after incidents. Data coverage is uncertain, ownership is fragmented and success is judged mainly by whether losses stop temporarily.
Core flows are documented, mandatory controls exist and responsibilities are clearer, but measurement and feedback remain limited.
Decision quality, false declines, review outcomes and merchant changes are monitored. Controls have owners, targets and scheduled review.
Data, automated decisions, human judgement and outcome feedback form a continuous cycle. Changes are tested, segmented and rapidly corrected.
| Dimension | Reactive | Controlled | Measured | Adaptive |
|---|---|---|---|---|
| Data coverage | Important fields and channels are missing or not known. | Core transaction fields are defined and basic completeness checks exist. | Coverage and missing-data rates are measured by channel and segment. | Data quality affects decisions dynamically and failures trigger controlled fallback actions. |
| Rules and decisions | Rules accumulate after incidents and overlap. | Rules have basic documentation and approval. | Each control has an objective, owner, performance measures and review date. | Rules, scores and authentication actions are continuously tested against outcomes and customer impact. |
| Merchant oversight | Risk is assessed mainly during onboarding. | Periodic merchant review exists for higher-risk segments. | Behavioural change and agreed triggers initiate reassessment. | Merchant risk profiles update continuously and control intensity changes with evidence. |
| Manual review | Analysts work from incomplete cases and inconsistent judgement. | Queues, procedures and escalation paths are documented. | Decision quality, handling time, reversals and analyst consistency are measured. | Human decisions feed models and rules, while automation prioritises cases by expected value. |
| Reporting and feedback | Losses and chargebacks are reviewed separately from original decisions. | Regular dashboards show core fraud and approval outcomes. | Outcomes are linked to rules, scores, merchants and analyst decisions. | Feedback is timely enough to change controls before losses become a delayed pattern. |
| Change governance | Emergency changes are common and poorly recorded. | Testing, approval and rollback procedures are established. | Expected impact and post-change validation are mandatory. | Changes use controlled experiments, segment limits and automated monitoring of unintended effects. |
Progress is rarely uniform. A company may have advanced transaction technology but remain reactive in merchant oversight or manual-review governance. The purpose of the model is not to produce a single flattering score. It is to identify the weakest dimension that limits the reliability of the entire control system.
Operational benchmark questions
The following questions can be used as a first internal benchmark. A “yes” should require evidence, not confidence. The organisation should be able to show the relevant report, configuration, decision record or review result.
A negative answer does not automatically indicate a failed programme. It identifies where management lacks evidence. The next step is to determine whether the gap creates material exposure, customer harm or an inability to govern future changes.
Priorities for the next twelve months
The official data point to three simultaneous pressures: high-value manipulation, high-volume card attacks and growing fraud that begins outside the payment environment. The following priorities are designed for the second half of 2026 through the first half of 2027.
Prove complete decision coverage
Map every transaction, authentication, payout, retry and merchant route to the controls that evaluate it. Reconcile technical flow counts with risk-engine counts. Treat any unexplained difference as a control gap until proven otherwise.
Make missing data an explicit risk state
Record why information is absent, measure the affected population and define a proportionate fallback. A missing device identifier or merchant attribute should never become an invisible neutral value.
Connect payment decisions with later outcomes
Create a durable link between the original event, rule results, score, authentication, analyst action, chargeback and confirmed fraud outcome. This connection is the foundation for testing control effectiveness.
Measure legitimate customer impact
Monitor declines, challenge completion, repeated attempts, complaints and abandonment by segment. A lower fraud rate is not automatically an improvement if it is produced by indiscriminate customer rejection.
Strengthen cross-border segmentation
Review one-leg-out transactions, counterpart locations, issuer-acquirer combinations and authentication responsibility. Avoid broad geography rules that treat every international customer as equally risky.
Build event-driven merchant reassessment
Define triggers for changes in geography, ticket size, product mix, refund patterns, dispute levels, websites and marketing channels. Reassessment should begin when the risk profile changes, not only when the calendar says a review is due.
Control every system change as a risk decision
Require an expected effect, affected population, test evidence, owner, rollback method and validation period. Monitor fraud, approval, review volume and customer harm after deployment.
Prepare teams for manipulation-led fraud
Combine transaction evidence with beneficiary, device, behavioural and customer-contact signals. Train analysts to recognise cases where the payer technically authorised the transaction but did so under deception.
Methodology, sources and limitations
This report is a Riskscenter analytical publication, not a representative market survey. Its quantitative sections use official and industry data published by the EBA, ECB, UK Finance and the US Federal Trade Commission. Riskscenter selected, recalculated where clearly stated, and visualised the source values for operational interpretation.
European payment-fraud data
UK Finance fraud data
Federal Trade Commission consumer reports
Riskscenter practitioner analysis
Currency values are not converted across euros, pounds and US dollars because the underlying datasets describe different markets and purposes. Figures should not be added together. Apparent differences may result from reporting scope, fraud definitions, payment mix, reimbursement rules and data-collection methods rather than control performance alone.
Conclusion: maturity begins with evidence
The latest data do not support a simple conclusion that payment fraud is either improving or worsening. Strong authentication has reduced important unauthorised fraud risks, but manipulation-led fraud continues to grow. Card attacks are becoming more numerous and lower in average value. Cross-border activity remains disproportionately exposed. Consumer losses increasingly begin in digital environments before the payment is initiated.
For payment companies, the practical question is not whether the market headline is positive or negative. It is whether their own controls cover the complete flow, use reliable data, preserve explainable evidence and learn from outcomes quickly enough. A mature framework connects merchant risk, transaction decisions, manual judgement, disputes, customer impact and controlled system change.
Organisations that need an independent assessment of these capabilities can review the Riskscenter approach to a payment-risk and fraud-control audit. The objective is not to produce a generic compliance checklist, but to identify where real payment decisions, data flows and operating practices create avoidable exposure.