AI readiness in financial crime: Deployment, understanding and operational capability

17th March 2026
by Payments Intelligence

Insight summary

  • Finding: AI adoption in financial crime has accelerated, but only 19% of firms operate autonomously and just 23% consider their programmes effective.
  • Why it matters: Deployment without governance is now a liability. With EU AI Act enforcement from August 2026, firms must demonstrate control, explainability, and accountability or face regulatory, financial, and reputational risk.
  • Who’s affected: Board members, compliance leaders, and CFOs responsible for oversight, risk, and investment decisions.

Introduction

Artificial intelligence is already embedded in the infrastructure that payments leaders depend on. It screens transactions, triages alerts, flags anomalies, and makes decisions at a speed and scale no human compliance team can match. AI adoption in fraud and anti-money laundering functions jumped from 49% in 2024 to 73% in 2025—a rate of implementation that, in any other context, would constitute transformation.

The problem is not that the payments sector failed to act. The problem is what the deployment figures concealed. Sixty-eight percent of organisations describe their AI as advanced and real-time adaptive. Only 19% operate at full autonomy. Thirty-one percent manually review every AI-generated decision. Against real-time transaction volumes, that model is not sustainable—and it becomes less so as criminal methods grow more sophisticated. The threat these systems face is not static. Sophisticated fraud attacks combining synthetic identities, deepfakes, and social engineering rose 180% year-on-year, according to Sumsub’s identity verification data. Generative AI-enabled fraud losses are projected to reach US$40 billion in the US alone by 2027. The adversary is scaling faster than many defensive postures across the sector.

Record investment has not resolved this. Only 23% of organisations believe their compliance programme is very effective. Seventy percent anticipate that financial crime risk will increase through 2025. Despite committing to AI at scale, that expectation has been borne out. The industry has succeeded in deployment. It is now confronted with the harder questions that deployment did not answer.

That tension is precisely what UK and European regulators have begun to formalise. In January 2026, the Treasury Select Committee concluded that the Bank of England, the FCA, and HM Treasury are exposing consumers and the wider financial system to potentially serious harm through a regulatory approach that has not kept pace with adoption. Evidence to the Committee indicated that management in financial institutions struggled to assess AI risk. The Committee argued that the lack of model explainability directly conflicted with SM&CR’s requirement for senior managers to demonstrate they understood and controlled risks within their organisations. The EU AI Act, which brings AI systems across financial services under high-risk governance obligations from August 2026, places accountability on the deployer — not the vendor. A payments firm using a third-party fraud model is the responsible party under that regulation. Procurement does not transfer the obligation.

A pressing topic emerges concerning the gap between what the payments sector has deployed and what it can demonstrably operate, govern, and account for. Not whether AI belongs in financial crime prevention. But whether payments organisations can demonstrate, to a board, a regulator, or a customer, that they understand what they have deployed, how it performs, and who is responsible when it does not.

TPA member insights

Industry impact at a glance

Fintechs

Move faster in deploying AI, but weaker governance and oversight increase exposure to regulatory intervention and operational risk.

Card Networks

Set the performance benchmark, using AI at scale to detect cross-network fraud patterns and define the standard others must meet.

Banks

Face the greatest regulatory pressure to prove AI explainability and accountability while scaling fraud detection across legacy systems.

Payment Service Providers (PSPs)

Must manage real-time decisioning at scale, where the trade-off between fraud prevention and false positives directly impacts revenue.

Global illicit flows: Scale and trajectory

The scale of the problem sets the context. The 2026 Global Financial Crime Report published by Nasdaq Verafin estimates US$4.4 trillion (£3.5 trillion) in illicit funds flowed through the global financial system in 2025—a US$1.3 trillion increase from 2023, growing at a 19.2% compound annual rate and far outpacing global GDP growth of 3.6%. That figure encompasses money laundering, drug and human trafficking, fraud, terrorism financing, and proceeds from organised crime, distributed across three major regions: the Americas (US$1.6 trillion), EMEA (US$1.4 trillion), and Asia-Pacific (US$1.4 trillion). Fraud losses alone surged past half a trillion dollars, reaching US$579.4 billion globally.

The trajectory is more troubling than the current figure. Secretariat International’s Global Financial and Economic Crime Outlook 2025 projected illicit flows could reach between US$4.5 and US$6 trillion by 2030. The Nasdaq Verafin data suggests the lower bound of that projection has been reached five years early. That growth is not passive—it is being actively enabled by the same technologies the financial sector deploys in its own defence.

Financial crime risk and the payments exposure

The chart below plots 177 countries on two axes: a composite financial crime risk score—drawing on money laundering, corruption, and organised crime data—against the World Bank’s Government Effectiveness Index. Bubble size represents GDP—the weight each economy carries in global financial flows. The inverse correlation is consistent and steep. Countries with strong institutions cluster in the top left. Fragile states dominate the bottom right.

For payments firms, the implication is direct. Cross-border transaction exposure is not uniform—it is structurally concentrated in jurisdictions where oversight is weakest and illicit flows most entrenched. High-volume remittance corridors running through Reactive Reformer and Regulatory Laggard jurisdictions pose governance risks that transaction-monitoring rules alone cannot resolve. The governance weakness is in the infrastructure, not just the transaction—and it is that deeper structural gap that determines how far AI-driven detection can reach.

The UK fraud landscape: Recent data and emerging trends

The United Kingdom illustrates the domestic dimension of that global trajectory. UK Finance’s Annual Fraud Report 2025 recorded over £1.17 billion stolen across 3.13 million confirmed fraud incidents in 2024 — a 12% increase in case volume year-on-year.

Authorised push payment (APP) fraud fell marginally to £450.7 million, but unauthorised fraud rose 2% to £722 million as criminals shifted attack vectors. The first half of 2025 showed accelerating losses: £629.3 million was stolen between January and June alone, a 3% increase on the equivalent period in 2024, with confirmed case volumes rising 17%.

Remote purchase fraud cases rose 22%, investment scams increased 55%, and romance scams grew 35%. These figures do not describe a stable threat environment — they describe one in active transition, with criminal methods adapting faster than many defensive postures across the sector.

 

AI-enabled fraud: An escalating threat

The nature of the fraud threat has materially changed. According to Sumsub’s Identity Fraud Report 2025–2026, sophisticated fraud — defined as multi-step attacks combining synthetic identities, deepfakes, social engineering, and telemetry manipulation — rose 180% year-on-year, from 10% of all identity fraud in 2024 to 28% in 2025. Deepfake fraud surged 1,100% in North America in Q1 2025 alone; synthetic identity document fraud rose 311% in the same period, as generative AI tools made high-quality forgeries widely accessible.

The frontier continues to shift. Agentic AI — systems capable of autonomously orchestrating an entire attack chain from document generation to human-like interaction — has moved from theoretical to operational. Deloitte’s Center for Financial Services projects generative AI-enabled fraud losses will reach US$40 billion (£31.4 billion) in the US alone by 2027, up from US$12.3 billion in 2023. Seventy-five percent of fraud and risk professionals now believe fraud is becoming increasingly AI-driven.

 

Deployment gap

Investment priorities and strategic alignment in fraud prevention

The ACI Worldwide / Finextra Global Survey on Fraud and Financial Crime (January 2026, n=154) found that 98% of organisations are pursuing at least one advanced AI initiative. Generative AI leads, prioritised by 76% of firms — 19 percentage points ahead of any other approach. Agentic AI is already on the roadmap for 51%. The distance between ambition and outcome, however, is already visible at the frontier. Visa’s Scam Disruption practice — applying AI to map emerging fraud patterns across its network — identified over $1 billion in attempted fraud across 25,000 scam merchants within a year of launch. When Mastercard incorporated generative AI into its Decision Intelligence solution, fraud detection rates improved by an average of 20%, and by as much as 300% in some instances. Stripe’s foundation model for payments increased card testing attack detection on large businesses from 59% to 97% overnight. These are not proof-of-concept results. They are production-scale outcomes from firms that have been investing in AI enablers for years. For the majority of the sector still in earlier stages of deployment, that performance gap is the benchmark they are working towards. The human capital to close that gap exists within the sector. Evident’s AI Index for Payments found that 6.5% of the payments workforce are AI-specific roles — more than three times the equivalent density in banking at 1.8%. The constraint is not capability. It is the governance and accountability structures being built around it.

The strategic priorities beneath that headline, however, tell a different story. Securing the existing payment environment is the top priority for 42% of organisations globally. Expanding shared intelligence, which could compound sector-wide defensive capability, is the stated priority for just 13%. The threat assessment picture reflects a similar disconnect: 28% of respondents cite data privacy risks in AI training as the greatest emerging threat — ranking it above AI-enhanced fraud attacks (24%), deepfake-enabled scams (16%), and unpredictable agentic AI behaviour (10%).

The gap between claimed AI capability and operational autonomy

The gap between what firms report and what they operate in practice reveals a structural contradiction — and understanding its origins matters. AI in payments was not adopted opportunistically. It was adopted out of operational necessity: the industry operates at enormous scale, in real time, under constant fraud pressure, where split-second decisions directly influence losses, approval rates, and customer trust. That necessity drove sustained investment in machine learning and anomaly detection well before AI governance became a board-level priority. The result is a sector that is technically advanced but in many cases still building the oversight structures around systems that have been running for years, according to Evident’s inaugural AI Index for Payments (February 2026).

The regional picture makes clear that this is not a uniform problem. MEASA leads on deployment at 72% already live; Europe leads on autonomy at 32%; and North America, despite high deployment rates, sees 46% of organisations manually reviewing all AI decisions. Three materially different operational realities sit beneath a single global number. Treating deployment volume and operational autonomy as equivalent measures of capability is a category error the sector has not yet fully addressed.

 

Comprehension, explainability, and regulatory accountability

The gap between deployment and understanding operates at three distinct depths. The first is comprehension: ComplyAdvantage’s State of Financial Crime 2025, surveying 600 C-suite and senior compliance decision-makers across financial services and fintech, found that 91% of compliance professionals are willing to trade AI explainability for greater operational efficiency—yet 70% simultaneously claim to understand the regulatory oversight requirements for those same systems. A firm cannot credibly oversee a system it has chosen to make opaque. Payments are not immune to this pattern—and in some respects mirror it closely despite stronger internal structures. Evident’s AI Index for Payments (February 2026) found that only a third of payments companies publish their Responsible AI principles at all — and only two of the twelve assessed, Mastercard and PayPal, demonstrate any operational implementation beyond the published statements. The willingness to accept black-box AI and the absence of published RAI frameworks are not separate problems. They are the same problem viewed from different angles.

The second layer is accountability. The EU AI Act places legal responsibility for high-risk AI systems on the deployer, not the developer. Vendor procurement does not transfer that obligation. The ECB’s 2025 supervisory newsletter, drawing on workshops conducted with 13 significant institutions selected for their reported use of AI in credit scoring and fraud detection, found that second and third lines of defence — compliance, risk, and audit functions — carry the most significant accountability gaps. The ECB notes explicitly that these findings are based on a small sample and should not be generalised across the sector, but the governance pattern they identify is consistent with broader supervisory observations. The third layer is demonstrability: whether a firm can show a regulator, under examination, not only that it deployed AI responsibly but that it understands how the system reaches its decisions and who is accountable when it does not.

AI investment returns and programme effectiveness

The cumulative effect of these gaps is visible in programme outcomes. Kroll’s 2025 Financial Crime Report found that 70% of organisations anticipated financial crime risk would increase through 2025 despite record AI investment — and that expectation has been borne out. Only 23% believe their compliance programme is “very effective.” The operational picture reinforces the paradox. Ninety-eight percent of firms say real-time data is critical to their compliance workflows, according to LSEG Risk Intelligence’s Operating at the Speed of Crime (2025), yet 80% report frequent delays caused by slow or outdated screening, and 75% say persistent false positives remain an unresolved operational constraint.

Cost of the gap

AI governance and board-level financial performance

AI governance is a direct input to financial performance, not a secondary compliance concern. Until recently, no payments-specific benchmark existed to quantify that relationship directly. MIT CISR’s Digitally Savvy Boards: AI Update (March 2025), analysing nearly 2,800 publicly traded US companies, offers the closest available proxy — and the performance differential it identifies is difficult to dismiss. Organisations with AI-literate boards outperform industry peers by 10.9 percentage points in return on equity. Those without AI-savvy boards trail their industry average by 3.8 percentage points. The performance differential is not marginal. No payments-specific equivalent exists yet, but the directional evidence is clear: board-level AI literacy correlates directly with financial performance, and the payments sector is not exempt from that relationship. For a sector operating under sustained cost and margin pressure, the governance posture of the board has a measurable bearing on financial outcomes. Board literacy determines whether leadership can meaningfully interrogate AI investment decisions, challenge performance assumptions, and identify when a system is underdelivering. Without that capability, boards approve expenditure they cannot assess and accept risk they cannot quantify. That is not a governance nicety. It is a performance liability. Evident’s inaugural AI Index for Payments (February 2026) now provides the first payments-specific baseline — and its findings suggest the sector has stronger internal governance structures than external disclosure rates imply. Closing that gap is both a regulatory imperative and a commercial one.

Governance controls and C-suite oversight of AI systems

The payments sector sits at the frontier of agentic AI deployment. Visa has already developed a Trusted Agent Protocol — a cryptographic framework designed to authenticate the signatures and intent signals of legitimate AI agents and distinguish them from malicious bots. Mastercard has moved further still: its Verifiable Intent framework, open-sourced in March 2026, creates a cryptographic audit trail linking consumer identity, agent instructions, and transaction outcome into a single tamper-resistant record — and on 2 March, Mastercard and Santander completed Europe’s first live end-to-end payment executed by an AI agent within a regulated banking framework.

These frontier capabilities, however, are not representative of the sector as a whole. Cross-industry evidence suggests governance structures have not kept pace with the deployment ambition that payments shares with the wider financial services landscape. EY Global’s Responsible AI Pulse Survey Wave 1 (March–April 2025, surveying 975 C-suite leaders across all major sectors) found that only a third of companies have responsible AI controls in place, despite three-quarters reporting AI is integrated across the organisation. Only 15% of boards currently receive AI-related performance metrics. If the board cannot see how models are performing, its oversight function is nominal rather than substantive. On agentic AI specifically — the model category most directly relevant to the fraud threat established in section 1.4 — EY found that 76% of organisations are either using or planning to adopt agentic AI within 12 months, yet only 56% report familiarity with the associated risks. That gap between adoption intent and risk awareness is where governance failures are most likely to originate, and where regulatory scrutiny is increasingly focused.

 

The transparency deficit: Payments governance in a comparative context

The financial and regulatory exposure described above is compounded by a transparency gap specific to payments. Evident’s inaugural AI Index for Payments (February 2026, n=12 major payment companies) offers the first sector-specific benchmark — and its findings tell a more nuanced story than the cross-industry data alone suggests. Payments have built stronger internal governance structures than most financial services. The problem is that ‘stronger than banking’ is not the same as ‘sufficient’.

Sixty-seven percent of payments firms have established AI governance committees—ahead of both banking (48%) and insurance (47%). But the internal picture diverges sharply from the external one. Only 33% of payments companies publish their Responsible AI principles, compared to 48% in banking. Not one payments company has disclosed enterprise-wide AI return on investment—realised or projected—against 22% of banks that already do so. Only 8% of payments CEOs have remuneration linked to AI targets.

The governance infrastructure is being built behind closed doors—partly by design. Detailed public disclosure of AI controls creates competitive and security exposure in a sector where adversaries actively probe for weaknesses. But the gap between internal structures and external transparency is one that regulators are increasingly unlikely to accept as justification. For boards still treating AI governance as an internal matter, that gap is becoming harder to sustain.

Financial and regulatory exposure from inadequate AI governance

The financial consequences of inadequate AI governance are no longer theoretical. EY Global’s Responsible AI Pulse Survey Wave 2 (July–August 2025, n=975, surveying C-suite leaders across all major sectors) found that 99% of organisations surveyed reported financial losses from AI-related risks, with 64% suffering losses exceeding US$1 million and an average estimated loss of US$4.4 million. The regulatory dimension compounds the financial exposure. The EU AI Act classifies fraud detection as a high-risk AI system, with full compliance obligations taking effect from August 2026. Fines for non-compliance reach €35 million or 7% of global annual turnover — whichever is higher. Fifty-seven percent of C-suite respondents in EY’s Wave 2 survey reported negative impacts related to AI regulatory non-compliance, making it the most commonly cited risk category. The operational costs of poor AI performance — screening delays and persistent false positive volumes — amplify that exposure further at scale.

Closing the gap

Board AI literacy as a commercial and governance priority

The evidence indicates AI literacy at the board level remains the exception. McKinsey’s The AI Reckoning: How Boards Can Evolve (December 2025) found that 66% of directors globally report limited to no AI knowledge, and nearly one in three say AI does not appear on board agendas. Thirty-nine percent of Fortune 100 companies disclose any form of board AI oversight. Fewer than 25% have board-approved structured AI policies in place.

The payments sector performs better than those cross-industry figures suggest — as the evidence in this report’s governance benchmarking demonstrates, internal structures are more developed than in banking or insurance. But performing better than a low baseline is not the same as being ready. The priority now is translating that internal capability into demonstrable accountability — before regulators draw their own conclusions from the silence.

The same index found that only 50% of payments companies explicitly identify AI as a critical strategic enabler in formal documents such as annual reports and investor materials — compared to 74% of banks. The governance infrastructure may exist internally. The strategic commitment is not yet fully visible externally.

The General Data Protection Regulation (GDPR) precedent is instructive: organisations that invested in governance capability early built durable, proportionate frameworks; late movers faced accelerated compliance timelines and higher implementation costs. The same dynamic applies to AI Act readiness. Boards do not need to understand model architecture. They need to know what questions to ask, what metrics to request, and what accountability they carry. That is a manageable investment with a documented return.

Regulatory readiness and the EU AI Act compliance timeline

The EU AI Act is the most consequential AI governance framework currently in force. For payments and financial crime functions, fraud detection and credit scoring are classified as high-risk AI systems, with full compliance obligations active from August 2026. The Act places accountability on the deployer — not the vendor. A payments firm using a third-party fraud detection model is the responsible party under the regulation. The European Banking Authority’s (EBA) guidance on AI Act implications for the EU banking and payments sector confirms that deployers must monitor operations, maintain logs, and report incidents — obligations that sit with the institution, not the model provider. ECB supervisory workshops with significant institutions found that only half have dedicated AI policies in place, with oversight functions identified as carrying the most significant accountability gaps. The IAPP AI Governance Profession Report 2025 found that 77% of organisations report they are working on AI governance. The gap between working on it and demonstrating readiness to a regulator is where enforcement risk now sits.

Industry numbers at a glance

  • US$4.4 trillion: Estimated illicit funds flowing through the global financial system in 2025 — up US$1.3 trillion from 2023, reaching the lower bound of 2030 projections five years early.
  • 19%: Share of organisations operating AI at full autonomy in fraud and financial crime — despite 68% describing their systems as advanced and real-time adaptive.
  • US$4.4 million: Average financial loss from AI-related risks reported by organisations surveyed — with 99% confirming they had suffered losses.
  • 23%: Share of organisations that believe their compliance programme is very effective — despite record AI investment across the sector.

Human oversight and cross-institutional intelligence sharing

The operational implications of the deployment gap converge on two fronts: the quality of human review inside institutions, and the extent of intelligence sharing between them.

On internal oversight, Feedzai’s 2025 AI Trends in Fraud and Financial Crime Prevention report (n=562, March–April 2025) found that 89% of banks prioritise explainability and transparency in their AI systems. That figure reflects growing recognition that human review only adds value where the reviewer understands what the model is doing and why. The current review-heavy operating model — visible in the 31% of firms that manually review every AI decision — compensates for the comprehension gap identified in section 2.3. It does not close it. A compliance analyst who cannot interpret a model’s output is not providing governance; they are introducing delay. Effective oversight requires explainability tooling and model literacy training delivered alongside deployment — not retrospectively. Organisations that defer that investment accumulate operational and regulatory exposure that compounds over time.

On cross-institutional collaboration, the intent exists at near-universal scale — 89% of fraud professionals say combatting money laundering effectively requires greater regulatory intervention, according to BioCatch’s Dark Economy Survey (June 2025, n=800). Yet operational practice falls substantially short. Only 58% of financial institutions share suspicious-account data with peers even weekly. Just 33% refer the majority of suspected cases to law enforcement. In the UK specifically, only 19% of respondents contact law enforcement in the majority of cases — despite 61% acknowledging that a single laundering case typically surfaces related activity across multiple accounts. The Economic Crime and Corporate Transparency Act (ECCTA) legal gateways and the NCA’s Data Fusion programme — a partnership with Barclays, HSBC, and Lloyds that has already demonstrated earlier mule account interception through joint analytical capability — now make structured real-time sharing operationally viable for the first time. The infrastructure for collaboration exists. The constraint is institutional practice, and the window in which voluntary adoption precedes regulatory mandate is narrowing.

Strategic recommendations for payments leaders

The payments sector did not arrive at this moment through inaction. It arrived with urgency—deploying AI at speed, under real operational pressure, against a threat already scaling. The result is an industry that is technically sophisticated and governance-immature in the same breath. That is not a failure of intent. It is the predictable consequence of moving fast without building the accountability structures to match.

The data in this report describes a single coherent picture. Financial crime losses are rising. AI investment is at record levels. Programme effectiveness sits at 23%. Autonomous operation is achieved by 19% of firms. The leaders — Visa, Mastercard, Stripe — are operating at a higher performance level, with fraud detection outcomes that the majority of the sector has not yet reached. The gap between them and the rest is not a technology gap. It is a governance, capability, and accountability gap. The payments sector has built stronger foundations than much of financial services, but in absolute terms, those foundations are not yet sufficient for the regulatory and operational standards now being applied.

The next wave of regulatory, reputational, and operational risk will not originate from firms that failed to deploy AI. It will come from firms that deployed it without understanding it—and that are now exposed as enforcement timelines arrive, fraud losses persist, and regulators begin asking questions that headline adoption figures cannot answer. The EU AI Act compliance deadline of August 2026 is not a future planning horizon — it signals that EU regulators are already moving, and the UK is likely to follow suit.

The question for every senior leader in payments is not whether AI is in use. It is whether the organisation can demonstrate—to a board, a regulator, or a customer—that it understands what it has built, how that system performs, and who is responsible when it does not.

For TPA members, that means acting on five priorities now:

  1. Audit the gap between deployment and operational autonomy. Establish where AI decisions are genuinely autonomous, where they depend on manual review, and whether that review adds governance value or only delay.

  2. Build board-level AI literacy as a standing governance investment. Boards do not need to understand model architecture. They need to know what questions to ask, what metrics to request, and what accountability they carry — particularly under the EU AI Act’s deployer obligations.

  3. Publish or prepare Responsible AI principles for external scrutiny. The transparency deficit identified in this report is a regulatory liability. Internal governance structures that remain invisible to supervisors will not satisfy the accountability expectations now being formalised.

  4. Define measurable AI performance thresholds tied to business outcomes. Without agreed success metrics — fraud loss reduction, false positive rates, alert-to-SAR conversion — AI investment cannot be benchmarked and underperformance remains invisible until it becomes undeniable.

  5. Engage with cross-institutional intelligence sharing mechanisms. The ECCTA legal gateways and the NCA’s Data Fusion programme have made structured real-time collaboration operationally viable. The infrastructure exists. The constraint is now institutional willingness.

Deployment established the foundation. Operational readiness is what comes next—and the organisations that treat it as a strategic priority, not a compliance exercise, will be the ones best positioned when the next wave of regulatory and criminal pressure arrives.

The Payments Association will continue to support members on AI governance readiness through its Financial Crime Working Groups. For further engagement on the themes in this report, contact  [email protected]
