The Identity Layer

The payments industry has poured resources into faster, more granular risk models—500+ attributes evaluated in milliseconds, machine‑learning‑driven scoring, and advanced authentication like 3DS 2.x. Yet the most critical decision—who the customer actually is—remains isolated in four parallel identity checks: issuer onboarding, issuer authorization, acquirer merchant underwriting, and acquirer checkout. Because ISO 8583 messages lack fields for device fingerprints, behavioral cues, and merchant‑specific context, each party operates on a partial view, creating a structural seam that fraudsters exploit. This disconnect explains why global card fraud, already $33.4 billion in 2024, is projected to climb to $41 billion by 2030.

A stark illustration is the surge in mule accounts. In the UK, the new PSR rule forces banks that host mule accounts to share financial liability, prompting $173 million (≈$216 million) in reimbursements for 269,000 claims in its first year. Mule accounts typically pass KYC because they are opened with genuine documents, only to be repurposed for illicit transfers. The problem is not the lack of data—Cifas holds millions of flagged accounts—but the optional, fragmented reporting that leaves each institution blind to others’ findings. Real‑time cross‑institution checks could dramatically reduce these losses.

The same identity‑layer fracture underpins synthetic‑identity fraud, transaction laundering, and the recent BaaS enforcement wave. Synthetic identities, built from real SSNs paired with fabricated names, generate $20‑30 billion in annual losses despite official filings showing only $182 million. Transaction laundering lets merchants masquerade under approved MCC codes while shifting to high‑risk goods, slipping through acquirer underwriting. BaaS providers and sponsor banks each own a slice of the onboarding telemetry but lack visibility into the other’s decisions, creating accountability gaps. To stem the tide, the industry must adopt a shared identity ledger, standardize data fields in authorization messages, and enforce real‑time reporting across issuers, acquirers, and networks.