Wise investigation highlights overlapping fraud risks for PSPs

Fraud, such as push payment fraud, presents multifaceted risks for payment service providers (“PSPs”).

One manifestation of this risk was recently illustrated by the announcement on 1 June 2026 that Belgian prosecutors have opened an investigation into Wise, the UK e-money institution (“EMI”) over potential money laundering offences and whether its accounts were used by international criminal groups. The Brussels public prosecutor’s office launched the investigation in 2025 after noticing that Wise was mentioned in hundreds of criminal files, raising concerns that its accounts may have been used to launder the proceeds of crime.

The prevalence of payment fraud cannot be understated. In the first half of 2025 alone, in the UK £629 million was stolen through fraud across over 2.1 million reported cases.¹ The impact on victims of authorised push payment (“APP”) fraud is particularly significant. In the same period, although only comprising 5% of reported cases, this fraud typology was responsible for over 40% of the value lost through fraud.² These cases can come in a variety of forms, such as:

• Impersonation scams where fraudsters pretend to be from trusted organisations in order to convince victims to make payments.
• Romance scams leading to APP fraud. For example, in December 2025, Nigel Baker was jailed for 17 years for misleading five victims and convincing them to transfer more than £900,000 in total.³ The FCA has also conducted a multi-firm review to confirm whether firms and their staff are equipped to combat these sorts of scams.⁴
• Fraudsters may also seek to extract payments through offering lucrative fake investment opportunities.

For PSPs, while many of the controls which mitigate fraud risk are common, the risks themselves are diverse and can manifest in a number of ways. For example, a push payment fraud could trigger:

• Civil claims by victims;
• Financial ombudsman complaints;
• Mandatory reimbursement claims;
• Regulatory enquiries and investigations; and
• Criminal law obligations.

In each case, the risk applies to both the sending and receiving PSP. We examine each of these below.

Civil claims

The absence of a statutory right to compensation (at least until more recently) has spurred a large number of civil claims and judgments concerning the liability of PSPs in connection with APP fraud. The likelihood of such claims succeeding is usually low:

• For claims against sending PSPs by their own customers, the Supreme Court’s judgment in Philipp v Barclays⁵ has established that it will be difficult for claimants to succeed where the claimant is an individual who has themselves instructed the payments in question.
• In the case of claims against receiving PSPs by the sending party, Santander UK PLC v CCP Graduate School⁶ illustrates that it will be difficult for a claimant to establish that any duty was owed by the receiving PSP.

In some cases, a PSP may find itself facing allegations connected to fraud allegedly perpetrated by the customer of its intermediary business customer. Such claims are also difficult for claimants since the PSP has no direct relationship with either the alleged fraudster or the victim and so establishing duty of care and causation is likely to be an uphill battle.

Despite this, fraud victims continue to pursue claims against PSPs and their representatives to seek to hold the PSPs liable for losses. This can generate significant legal costs, management distraction and operational disruption for PSPs.

Financial ombudsman complaints

Since 2019, the FOS has had jurisdiction to hear complaints against both sending and receiving PSPs concerning push payment fraud. These decisions pose heightened risks of liability for PSPs.

Unlike the courts, the FOS is not bound by the authorities such as Philipp and CCP Graduate School. Instead, the FOS makes its decision based on what it considers “fair and reasonable”.⁷ In doing so, the FOS will commonly review the PSP’s behaviour, such as whether it gave warnings or asked questions (in the case of sending PSPs) or failed to monitor account activity or freeze funds following receipt of a fraud notification (in the case of receiving PSPs).

As the FOS’ published decisions illustrate, it will in some cases uphold complaints against PSPs, meaning that PSPs cannot assume that the development of case law in this area protects them from the risk of liability.

Mandatory reimbursement

For UK domestic payments over faster payments or CHAPS, there is also the possibility of mandatory reimbursement under the Payment Systems Regulator (“PSR”)’s Specific Direction 20 (“SD20”). The SD20 regime has been designed to result in reimbursement being paid in the vast majority of cases, with only limited exceptions.

The sending and receiving PSP share 50/50 in the cost of reimbursement, and both PSPs must cooperate with one another in order to determine cases. Claim and reimbursement data is reported to the PSR, meaning that the regulator has oversight of which PSPs are outliers to their peers when it comes to preventing fraud.

Once the PSR is merged into the FCA (as is expected in the near future) this oversight may expose outlier PSPs to heightened risk of supervisory scrutiny by the FCA using its broader supervisory jurisdiction.

Regulatory enquiries and investigations

More generally, the Wise investigation is a reminder of the risk of regulatory investigations arising from the AML obligations of PSPs. Under both UK and EU anti-money laundering frameworks and the FCA’s financial crime regulatory regime, firms are expected to maintain systems and controls capable of identifying, assessing and mitigating money laundering and financial crime risk.

Where a PSP has received the alleged proceeds of a crime such as fraud, authorities will focus on whether the PSP’s controls were appropriately designed, implemented and operated, and whether governance arrangements and transaction monitoring enabled effective oversight of money laundering and financial crime risks posed by their customers.

Those money laundering and financial crime risks become more complex in the scenario set out above when a firm’s customer is itself another business that onboards and services its own customers. In these situations, the original PSP has no direct relationship with the ultimate end users generating payment activity. As a result, visibility into customer behaviour, source of funds and transaction purpose may be more limited than in a traditional direct-customer relationship. Where it elects to rely on assessments of customer risk carried out by a regulated intermediary, the original PSP must first satisfy itself that the intermediary’s processes are sufficient to mitigate its regulatory risk.

Criminal law obligations

Last – but certainly not least – since fraud is a crime, a PSP that receives funds linked to a fraud is exposed to money laundering risks. These include the risks that the PSP itself commits a money laundering offence if it does not obtain a defence against money laundering from the National Crime Agency (“NCA”), or that the PSP might breach the obligation to report suspicious activity (via SARs) to the NCA.

Much of the UK criminal AML regime is based upon knowledge, suspicion or reasonable grounds for suspicion that money laundering is taking place. What this means in practice is that PSPs should take a holistic approach to dealing with crimes, such as a fraud, which could manifest in a number of ways. For example, ensuring that the PSP’s controls for managing complaints and notifications about fraud are also informing its approach to money laundering risk and regulatory compliance:

• Due diligence on business customers should assess their business model, customer base, geographic exposure, governance arrangements and financial crime control framework. Firms should consider whether the customer's policies and procedures are commensurate with the risks presented by its products, services and customer population.
• Contractual arrangements also play an important role. Agreements should address compliance with applicable AML, sanctions and other financial crime requirements, provide appropriate audit and information rights, establish escalation and notification obligations for material compliance issues, and include suspension or termination rights where significant concerns arise.

Conclusion

Recent scrutiny of the payments sector, such as the Wise investigation, reinforces the need for PSPs to adopt a holistic approach to the multifaceted risks arising from fraud and financial crime. In increasingly layered payment ecosystems, effective control frameworks across the entire chain of activity are as important for mitigating regulatory and criminal law risk as they are for mitigating litigation risk. These risks should therefore be managed in the round by PSPs – with effective controls having the overlapping benefits of reducing both civil, criminal and regulatory risk.

^{1 UK Finance, ‘2025 Half Year Report’. Available at: https://www.ukfinance.org.uk/system/files/2025-10/Half%20Year%20Fraud%20Report%202025_0.pdf.
2 Ibid, 110,747 reported cases of APP fraud against a total of 2,092,744, responsible for £257.5m of losses against a total of £629.3m.
3 The Times, ‘Romance fraudster who stole £900,000 to fund gambling is jailed’. Available at: https://www.thetimes.com/uk/crime/article/romance-fraudster-jail-gambling-jailed-xl9rrr5gm.
4 FCA, ‘Combating romance fraud – prevention, detection and supporting victims’. Available at: https://www.fca.org.uk/publications/multi-firm-reviews/combating-romance-fraud-prevention-detection-and-supporting-victims#lf-chapter-id-next-steps.
5 [2023] UKSC 25.
6 [2025] EWHC 667 (KB).
7 FCA Handbook, DISP 3.6.1R.}