Who is responsible? Closing the accountability gap in financial fraud prevention

• by Bhavya Mitra and Priyal Advani
• May 5, 2026
• 6 min

Financial fraud persists because accountability is fragmented across banks, telecom providers, digital platforms, and regulators. This blog, last in a three-part series, argues for shared liability, victim-centered grievance management systems, real-time intelligence sharing, and behaviorally informed safeguards. Together, these can embed protection directly into digital transactions, rather than relying solely on consumer vigilance.

Financial fraud is a systemic problem being addressed by individual solutions. Across most markets, the response to a scam victim is to report it to the bank, file a police complaint, submit evidence to a regulator, and hope. Meanwhile, the fraud operation that targeted that victim is already processing the next call, the next transfer, and the next cash-out.  

Fraud ecosystems have been deliberately engineered to move faster than the institutions designed to stop them. Banks and regulators need to move beyond better awareness campaigns or faster forms of grievance management to close this gap. It requires a fundamental redesign of accountability and understanding of who is responsible for what and when in the transaction chain.  

The blind spots across the ecosystem  

The accountability gap is not located in a single institution. Rather, it runs across the entire ecosystem, where each actor’s blind spot enables the next fraud.  

Banks are positioned closest to the transaction, which should make them the most effective line of defense. Yet most fraud detection systems are calibrated to identify unauthorized transactions, such as credential theft, account takeover, and card skimming. Authorized push payment (APP) fraud is another type of fraud in a completely different category, where the victim is manipulated into initiating a payment themselves. APP bypasses most conventional controls.  MSC’s Mind the Gap report found that more than 60% of fraud victims across India, Bangladesh, and Kenya did not know what grievance mechanisms existed. 48% of victims who attempted to report were dismissed for their inability to furnish evidence. 

Existing grievance resolution systems are largely designed around what the institution needs and not what the victim can provide. MSC’s consumer protection research in India has consistently documented this gap across the financial services lifecycle. We have traced the cycle from transparency of product terms at onboarding, to the accessibility of recourse channels post-harm. Our customer protection in the Indian digital financial services series mapped specific failure points related to recourse and transparency that leave customers without an effective remedy when things go wrong.  

In India specifically, the Prevention of Money Laundering Act (PMLA) creates a structural paralysis, as banks cannot freeze suspected mule accounts without authorization from the court or law enforcement. This creates a legally mandated delay that fraudsters systematically exploit. The IBA Working Group has proposed that banks be granted enhanced authority to place temporary holds on suspected mule accounts before formal orders arrive, which is a necessary regulatory design reform that remains pending.  

Fraud is also rampant in the telecom sector. Caller ID spoofing, SIM swaps, and the leasing of backend numbers to route fraudulent calls are all examples of vulnerabilities at the telecom layer. The UK’s Ofcom interventions show that these are solvable. Regulators can impose mandatory blocking of international calls that fake domestic numbers, block invalid caller IDs, and ban leasing backend numbers used to hijack calls. Although these are technical controls with measurable impact, most jurisdictions have not implemented them.  

Digital platforms, such as social media, messaging apps, and digital marketplaces, are another source of most scams. Yet, platform accountability for fraud from their infrastructure remains largely voluntary. Recorded Future’s 2024 Payment Fraud Report identified nearly 1,200 scam domains linked to fraudulent merchant accounts and nearly 11,000 e-commerce domains infected by Magecart skimmers. This is a threefold increase from 2023. Takedown times for fraudulent pages are measured in days, while scam operations are measured in hours.  

MSC’s Building trust through design report adds another perspective. Deceptive interface design, which comprises manipulative consent flows, hidden fees, and guilt-tripping prompts, erodes user agency and creates conditions for external fraud to thrive. Regulatory accountability must extend to the design layer, not only to obviously illegal content.  

Even where consumers know how to report, the system often fails them. MSC’s TRUST framework identifies the precise dimensions in which most grievance systems fail. Transparency suffers when consumers do not understand the terms they agreed to. Consumers lose recourse when complaint channels close, require multiple steps, or operate in a language they do not speak. They face information asymmetry at every point, which undermines their ability to understand what happened. Security investments fall behind. And once fraud occurs, timeliness matters most, yet procedural compliance systematically sacrifices it. 

What effective accountability looks like  

Three jurisdictions have moved furthest towards a systemic accountability model. Their approaches converge on the common principle that fraud prevention is a shared responsibility across the transaction chain, not a consumer obligation.  

Since October 2024, payment service providers in the UK must reimburse APP fraud victims more than USD 100,000, with costs split between sending and receiving banks. The one-year assessment showed that reimbursement alone is insufficient, as it simply compensates victims but fails to break the criminal business model. The more impactful interventions have been at the telecom layer, such as caller ID blocks, filters for invalid numbers, and requirements for operators to verify business customers. 

In Australia, the Scams Prevention Framework was passed in early 2025. It requires banks, telcos, and digital platforms to implement defined controls or bear liability for losses, with penalties of more than USD 35 million or 30% of turnover during the breach period. It includes digital platforms as designated entities and becomes the first framework to formally extend accountability to the channels where scams originate.  

Singapore’s Shared Responsibility Framework, effective December 2024, allocates liability in a defined sequence. In it, liability falls first on the financial institution, then on the telecom operator, and finally on the consumer. This can occur only if both institutions have fulfilled their obligations. This waterfall model establishes clear, predictable accountability for each actor and upholds the principle that consumers should not bear losses when institutions have failed in their duties.  

What behaviorally informed prevention actually requires  

Accountability frameworks set the incentive structure. But institutions and regulators must make different design decisions to build the actual prevention architecture. 

• Contextual friction, not generic warnings: Transaction-level interventions, such as cooling-off periods for high-risk payments, purpose prompts, and real-time behavioral flags, are demonstrably more effective than warning messages delivered at onboarding. India’s NPCI removed P2P UPI collect requests, a concrete example of friction designed into the system.  

• Cross-institutional intelligence sharing: Mule account registries, cross-bank fraud signals, and real-time data sharing between banks, telcos, and platforms turn individual detection into network-level prevention. India’s MuleHunter.AI at the RBI Innovation Hub is an early example of this direction.  

• SupTech and RegTech investment: MSC’s SupTech data maturity framework finds that one-third of regulators still rely on manual submissions, and fewer than 10% of smaller jurisdictions have full data standardization. The limiting factor is data quality. Many authorities validate data manually. Regulators cannot supervise what they cannot measure. Fraud cannot be detected if reporting systems lag transactions by weeks.  

• Capability-building as a regulatory obligation: Financial literacy must shift from a CSR activity to a mandatory, measurable output. To address this, MSC’s PTE Framework offers a practical model for how phygital capability delivery driven by teachable moments can be designed, contextualized, and evaluated across diverse user segments. 

• Victim-centered grievance design: Regulators can use the MSC TRUST framework to redesign grievance resolution systems to build solutions from the victim’s perspective. These should be accessible in local languages, multi-channel, credible, and be able to initiate protective holds without a court order.  

The way forward 

Fraud today is institutionally tolerated due to design fragmentation: Banks are responsible for transactions, telcos are responsible for calls, platforms are responsible for content, and regulators are responsible for their own sectors. In the space between those silos, fraud operations run freely.  

The evidence from the UK, Australia, and Singapore, and from MSC’s field research across Asia, Africa, and the Pacific, proves that institutions must design protection into the transaction rather than just bolt it on. It also requires a grievance management system built for the person who has just been deceived, not for the institution that manages its liability. 

The fraud supply chain is end-to-end, and the protection system that counters it must reflect this reality. 

This is Blog 3 of a three-part MSC series on fraud supply chains. Blog 1 examined why ordinary people fall for fraud. Blog 2 examined how fraud operations are industrialized and monetized.