Banks and payment institutions are actively combating payment fraud but could adopt a more targeted approach

News item supervision

Payment fraud has a significant impact on society. Figures from Statistics Netherlands (CBS) show that in 2025, around 10% of the population aged 15 or over had been victims of online scams and fraud, and 17% had been victims of online crime in the broader sense. The impact on victims can be significant: 21% of victims of online crime experience emotional or mental health problems, financial difficulties, or both. We therefore consider the management of external payment fraud to be an important topic, as secure and reliable payment systems are central to our public mandate, as emphasised in our Payments Strategy 2026-2028.

Published: 03 June 2026

A woman looks at her phone after discovering that she has been the victim of online fraud.

Additionally, certain types of fraud, such as bank helpdesk fraud, are often linked in the Dutch investigative and judicial context to organised crime. For example, they are associated with large-scale money laundering, cybercrime, and internationally operating criminal networks.

CBS and police data show that, viewed over a longer period, there has been an increase in online fraud and scams. The combination of persistently high victim numbers, changing fraud patterns and the further digitalisation of payments system transactions prompted us to carry out an examination into the management of the risk of external payment fraud at seven banks, payment institutions and electronic money institutions.

This examination focuses specifically on situations in which a victim themselves, either unintentionally or under false pretences, initiates a payment that later turns out to be fraudulent, often referred to as non-banking fraud. Given that these types of fraud are widespread and banks are not yet required to reimburse the losses, they have the greatest impact on society. We have examined how institutions identify, assess and manage these risks, and how they monitor the effectiveness of the measures they take. Below, we set out a number of general observations from the examination to inform the sector.

Non‑banking fraud (authorised/approved payments)

The victim themselves initiates (or approves) the payment, but does so under false pretences. Examples include romance/dating scams, where a fraudster builds trust online and then asks for money, and CEO/invoice fraud, where an organisation is tricked into making a payment itself, for example based on a fake payment order or a forged invoice.

Banking fraud (unauthorised payments)

A payment is made without the account holder’s consent (an unauthorised payment transaction): it is the perpetrator who initiates the payment, for example via phishing or using (mobile) banking malware.

Common type of fraud: investment fraud

A victim sees an advertisement or a (fake) post on social media featuring an attractive investment opportunity (e.g. in cryptocurrency). An ‘expert’ then contacts the victim and talks them into transferring a small amount, after which the victim is shown apparent profits on a (fake) platform. The victim is then pressured into transferring more and more money. When the victim wants to withdraw the ‘profits’, they are first required to pay for taxes, insurance or release fees. Ultimately, the payment is never made and the provider disappears. In some cases a second attempt can be made (‘recovery room’), in which a seemingly different party promises to recover the money in return for an upfront fee.

Common type of fraud: advance fee fraud

A victim is told via email or in a phone call that a sum of money or crypto credit is ‘waiting for them’, for example because a wallet has allegedly been found. In order to receive it, the victim must pay an amount upfront, supposedly to cover administrative or verification costs, before the balance can be released. Once the victim has paid, they are often asked to pay additional fees because ‘one more step’ is required; ultimately, no payment is made and the provider vanishes.

Findings

We carried out our examination at organisations with a variety of business models. As the participating institutions fulfil different roles in the payment chain, findings are not directly comparable. Furthermore, the examination is exploratory in nature, and we deliberately limited its scope. The observations in this news item should therefore be read as initial sector-wide insights that provide an overview of observed practices and areas for attention. They are not intended as an exhaustive or in-depth assessment of all aspects of fraud risk management.

Implementation teams are highly committed, but a greater focus on risk appetite can improve fraud risk management

The examination shows that the participating institutions are paying close attention to the issue of payment fraud. We found that all institutions had dedicated staff and teams, demonstrating a high level of commitment and a clear motivation to protect victims and identify perpetrators. At the same time, it is noticeable that fraud risk management at many institutions is largely organised and structured by the departments responsible for day-to-day operations. This means working methods typically focus on alert processing, triage and follow-up. Strategic decisions, such as prioritisation, resource allocation and acting in accordance with a risk appetite for fraud, could be further strengthened. While it is encouraging that many institutions have established key risk indicators, these are not always substantiated or adhered to in practice. By gaining insight into the extent to which additional investment can help to further reduce fraud, institutions can use a cost-benefit analysis to define their risk appetite in concrete terms. One institution stood out positively in that its management approach is based on its fraud risk appetite. As a result, mitigation measures such as improvement programmes and allocating resources to alert handling were implemented under a risk-based approach.

Banks and payment institutions try to prevent fraud by detecting and blocking fraudulent transactions. In many cases, this fraud arises earlier in the chain (for example through deception of the customer) and becomes visible in the payments system. In addition, banks protect their customers by setting standard daily limits and enforcing a four-hour waiting period in the event that a customer changes them. They also issue warnings about high-risk payments and run large-scale advertising campaigns. Banks are also taking steps to prevent providing their services to fraudsters, such as straw men.

A changing landscape and supply chain dependencies

Institutions are facing a rapidly changing fraud landscape, partly due to the rise of artificial intelligence. Among other things, institutions mention the rise of synthetic identities and their growing need for a wider range of data sources and features in fraud detection, which enable them to identify new and evolving fraud patterns more quickly. The institutions examined also highlighted the importance of, and the need for, efficient and structured cooperation within the chain, as is also aimed for in public-private initiatives such as the Integrated Approach to Online Fraud (Integrale Aanpak Online Fraude). Standardisation of information requests and interventions across institutions can lead to faster follow‑up of fraud signals. Such standardisation has already reached a greater level of maturity in the United Kingdom and could serve as an example.

Many institutions also point out that parties outside the financial sector, such as social media platforms, telecoms providers and web hosting firms, could make a significant contribution to preventing and combating fraud through information sharing and interventions. This topic is also discussed within the Integrated Approach to Online Fraud. Online scams often take place at an earlier stage, before a payment is processed by a bank or payment institution. This means institutions can typically only intervene once a victim has been targeted and the transaction is (almost) carried out. The Dutch Banking Association (NVB) has recently called on, among others, major social media platforms to take a more active role, for instance by taking swifter action against fake advertisements and misleading accounts. Although we recognise the importance of closer cooperation, in this exploratory examination we have focused exclusively on the role and working methods of banks and payment institutions subject to our supervision. The observations highlighted in this news item therefore relate primarily to these institutions.

Detection and data – different model choices, with ongoing development primarily consisting of fine-tuning

During our examination, we have identified several methods that institutions use to set up and (further) develop their fraud detection systems. They position and combine business rules and machine learning applications in various ways: some use machine learning primarily for trend detection and rely on business rules to capture new developments, while others use machine learning specifically to identify new patterns and can therefore respond more quickly to changing methods. These institutions use business rules as a safeguard against types of fraud that occur over a longer period of time.

The chosen detection model architecture also varies: some institutions use specialist niche models (multiple models for different risks/segments), while others use a single, more comprehensive model.

It is also noticeable that once institutions have chosen a particular approach, they tend to stick to it. Against the backdrop of rapid developments in the fields of data analysis and artificial intelligence, we note that, in some cases, this means that only limited attention is paid to exploring new, alternative or complementary detection methods. In addition, institutions differ in the extent to which they periodically reconsider their chosen model strategies and incorporate new applications into their detection approach. In our view, periodic validation can contribute to the further development and strengthening of detection methods.

At some institutions, we have observed more advanced professionalism in the use of data, for example by expanding and refining the feature set and utilising new data points to assess fraud risk indicators, with the aim of identifying patterns more quickly. It is also noticeable that fraud detection systems are sometimes limited, partly through informal working arrangements, by the available operational capacity to handle alerts. As a result, institutions run the risk of failing to detect potentially fraudulent transactions. Although we did not find in this exploratory examination that institutions actually missed signals, we note that, at one institution, further risk appetite development and management contributed positively to the effectiveness of fraud detection and operational capacity.

Rejecting potentially fraudulent transactions and alerting customers

Fraudsters can be very persuasive and often try to convince their victims to ignore warnings from their bank. Several banks have indicated that this makes it difficult for bank staff to prevent customers from carrying out a transaction once they have been influenced by a fraudster. Banks also stated that, in principle, they are obliged by law to process a transaction, while at the same time they have a special duty of care towards customers if there is a concrete suspicion of fraud. The examination revealed that several banks refuse potentially fraudulent transactions initiated by customers, even when the customer insists on proceeding with the transaction. Although this may initially lead to friction, customers are often very glad a few days later that the fraud was prevented. The examination thus shows that institutions take different approaches to balancing the execution of a customer’s instructions with the need to prevent customers from falling victim to fraud.

We also see that banks are trying to warn their customers in a variety of ways. For example, they send them push notifications if transactions carry a higher risk of fraud, and they frequently communicate this in updates and large-scale advertising campaigns. However, banks indicated that it is difficult to determine how effective these measures are, and we acknowledge that this is a challenge. One institution stood out for its ability to track the percentage of cases in which customers cancel transactions after receiving a push notification and a personalised warning (generated by a chatbot). Other institutions are less able to measure effectiveness.

Bank helpdesk fraud (spoofing) and leniency

Bank helpdesk fraud, also known as (bank) spoofing or impersonation, usually involves authorised payments: the victim, under false pretences, initiates the payment themselves. In principle, banks are not legally obliged to compensate for losses arising from such authorised transactions. Since 2021, however, (amongst others) the major banks in the Netherlands have been applying a leniency framework (coulancekader) specifically for bank helpdesk fraud. The detailed guidelines for this framework state that, as a general rule, financial losses resulting from bank helpdesk fraud will be reimbursed in full with retroactive effect from 1 January 2020, as an exception to the legal requirements. Clear conditions are also specified, including that the fraudster posed as a bank employee by misusing a name/brand and/or telephone number (spoofing), that a police report has been filed and that the victim is a private (non-business) customer.

At the same time, the same guidance notes that there are exceptions under which a bank may decide not to provide compensation under the leniency framework. This may be the case if the victim is complicit, has already received compensation in the same case, if at any point during the conversation the fraudster presented themselves as an employee of another bank, or if the victim does not sufficiently cooperate with the bank’s fraud investigation.

Under the new European legislation on payment services (PSR/PSD3) banks will be required, under certain conditions, to compensate consumers for losses resulting from bank helpdesk fraud.

Follow-up

The examination reveals a largely positive picture. We note that institutions take fraud seriously and are demonstrably committed to protecting customers and combating fraud. At the same time, the examination shows that institutions adopt a variety of approaches, partly depending on their role in the payment chain and the associated risk profile. They could adopt a more risk-based management approach, which could have a positive effect on further fraud reduction. With this feedback, we aim to provide institutions with guidance on how to assess their own fraud risks, considering which aspects are relevant to their role and services and what this means in terms of designing and further developing their fraud risk management framework.

In addition, we will provide the participating banks, payment institutions and electronic money institutions with individual feedback on the results of the study and their strengths and areas for improvement, and we expect them to take further steps based on this. We will continue to address this topic in our ongoing supervision and, where relevant, include it in on-site inspections.