US$104bn was lost to fraud in Europe, according to Nasdaq-Verafin’s inaugural European Financial Crime Report published in Q2 2025, which regionalised its earlier pioneering Global Financial Crime Report 2024 that showed US$485bn was lost the previous year amidst a tidal wave of US$3.1trn in illicit funds flowing through the world’s financial system. These funds emanate from activities ranging from money laundering to drug or human trafficking, through to specific fraud losses. Fraud creates loss, reputational and compliance risks for corporate treasuries.
“Cyber fraud is a huge beast,” says Royston Da Costa, Assistant Treasurer at Ferguson, the largest distributor of water and air specialisation products and services in the commercial and residential North American construction sector. “However, I don’t think you tame it solely with ‘fraud by design’ initiatives, such as the sharing of federated data, or the EU’s Instant Payments Regulation (IPR) Verification of Payee (VOP) payment pre-validation rules, which have been in effect since 9th October 2025 [for outbound transactions; receiving instant transactions with VOP has been mandatory since January –Ed.].
“These initiatives can help. But corporates mustn’t think overlay services can solve the fraud problem for them. They have to make themselves unattractive to criminals by making themselves hard to target and not a ‘low hanging’ fruit.”
“Don’t rely on partners exclusively,” adds Da Costa. “It’s best to approach it by improving your own processes, as ultimately it is still down to you the corporate to mitigate any fraud, compliance and other associated risks. My other advice is to get:
- Cyber insurance: that will give you cover, but also help you identify your internal weaknesses, your ‘crown jewels’ that need protecting, plus think about how you should respond if the worst happens, train staff, run test scenarios, and so on.
Speaking at Sibos 2025 on 1st October on an instant payments conference panel in Frankfurt, Germany, Dalbir Sahota, Head of Trusted Payments Products at LSEG Risk Intelligence, said he is a strong advocate for the “fraud prevention by design” approach on push payments and indeed elsewhere because “we’ve seen an explosion of scams [among our clients] … and a 4000% increase in phishing.”
“I was also pleased to see the Financial Action Task Force make a transparency update to its FATF Recommendation 16 this year that will increase the safety and security of cross-border payments,” he added, during the wide-ranging recent Sibos 2025 debate. Measures are therefore underway to fight the rising tide of fraud, but will they be enough?
Data sharing to feed AI models in fightback
Artificial intelligence (AI) has helped criminals crunch the data and find new vulnerabilities to increase threat vectors. However, the technology can also be used in a ‘fraud prevention by design’-led fightback. Allied to Da Costa’s recommendation that a corporate’s own house is kept in order, this could be helpful. Built-in mitigation measures designed by collectivised banking partners can be created to help the battle against fraud.
This is evident in Swift’s federated data AI offering, which seeks to share anonymised data and create a joined-up, early and unified financial institution defence. So far, 13 FIs have participated in a Swift global pilot involving ten million test transactions that doubled real-time fraud detection rates. The effort is helped by the use of privacy enhancing technologies (PET) that feed a federated learning AI model that detects anomalies from a bigger, shared data lake. This is much more cost- and performance-effective than relying on a single FI dataset. The banks could help their corporate clients with this offering.
EBA Clearing’s Fraud Pattern and Anomaly Detection (FPAD) solution suite has a similar anti-fraud and data sharing aim to Swift’s offering. Its traditional pattern-spotting behavioural software is to the fore on large, collectivised payment flows. It has many FI participants in Europe because it is integrated into EBA Clearing’s pan-European RT1 (instant payments service) and STEP2 (mass payments processing engine). It helps payment service providers (PSPs) on the continent to cut fraud and meet compliance requirements, such as those outlined in the EU Instant Payments Regulation (IPR) Verification of Payee (VOP) payment pre-validation rules, where it has a specific module to deal with this.
EU IPR VOP deadline
The specific FPAD Verification of Payee (VOP) solution from EBA Clearing, which allows PSPs to check if a beneficiary’s name matches their account number before a payment is initiated, is a vital tool – one among many on offer – in an instant payments era where real-time processing of payments and data is now the norm. Having VOP functionality is a requirement for all European PSPs, including banks, that must provide it to all consumers and corporates on standard and instant SEPA Credit Transfers (SCTs) in the eurozone from 9th October onwards. It’s an instance where a partner can help protect the end user by design.
But a corporate can opt out of the IPR VOP stipulations on bulk payments – not single payments, which are mandatory. Many have avoided the stipulation on bulk files, so far, because they want to keep the alignment of their enterprise resource planning (ERP), treasury management (TMS) and other systems intact, to retain the straight-through processing (STP) efficiencies treasurers want without any undue friction.
Corporate considerations for IPR VOP bulks
“If corporates opt in they will need to adapt their internal processes to handle the different EU IPR VOP responses,” explains Erwin Kulk, Head of Service Development and Management, EBA Clearing, while pointing to the options of:
“Corporates will have to use this information accordingly in their bulk procedures,” continues Kulk. “Opting in will have fraud prevention by design benefits. But it takes a lot to digest the data, which is why many corporates are waiting. Standardised processes for handling VOP feedback aren’t in place for most corporate systems and channels yet.”
“The opt-out provides a viable alternative for many, especially if their PSPs offer the possibility to validate the beneficiary account ahead of the payment initiation and with more than just the name check [giving extra functionality –Ed.].
“The Euro Banking Association recently spoke to Citi, Deutsche Bank and BPCE Payment Services about this issue of implementing VOP for bulks and the associated pain points and challenges of instant payment VOP. I’d encourage all corporates to take a look and consider the appropriate course for them.”
An upfront pre-stage check ensuring full matching compliance before a bulk file starts a run might be helpful – and could work operationally. However, in this scenario a corporate is somewhat decoupling VOP and payments processing, which is against the spirit of the regulation to offer holistic anti-fraud protection.
The alternative of a contractual instruction to stop or run a file based on the VOP findings, without any dialogue functionality in place yet, may not appeal, as it disrupts STP. But in a real-time world – where no EU IPR VOP conversational framework yet exists – it might have to work this way for now, and it is compliant. It’s an option at least until a standardised ‘best practice’ way evolves for corporates to either opt in or out on VOP bulk processing with full clarity.
The initial focus on consumers and PSP adherence has left the corporate customer somewhat exposed and reticent about buying into the anti-fraud design properties of the EU IPR VOP rules until it can be proved it won’t disrupt existing bulk systems. Banks, such as db and BNP-P, have produced guides to try and help their corporate clients through this minefield.
Designing the future
Identity and pre-validation checks on all payments around the world will only increase in the future, so multinational corporates (MNCs) will have to grasp this anti-fraud nettle sooner or later. The EU IPR VOP is a harbinger of things to come globally in this regard, so can be useful for internal training purposes.
Digital currencies, from stablecoins through to central bank iterations (CBDCs), may also further help security and ‘pre-crime’ safeguards in an increasingly digitised world.
However, fraud prevention is an arms race, so constant review and revision is necessary in the ongoing war between the fraudster and the protector.
Federated data solutions on AI-led fightbacks, as in the case of Swift, or collectivised data sharing as on the FPAD solution that seeks to provide network insights, show what might be done collaboratively by providers fighting together against the rising tide of fraud. Regulators have a role too as the EU IPR VOP stipulations show.
It is time to co-operate to stop FI operations, including treasuries, drowning in a sea of criminality and unnecessary extra cost and risk. “I welcome this co-operation,” says Da Costa. “The best way to battle cyber criminals in an AI era is to share data, like the bad actors do, but in an anonymised, safe way.”
EBA Clearing’s Kulk agrees, commenting that: “It takes a network to beat a network [of fraudsters].”
Designing the fight back starts here. However, just remember that corporates cannot fully outsource the responsibility to overlay services. As Da Costa advises, you should use partners where it is helpful. But, ultimately, corporates must still take responsibility for themselves.