A fraud leader at a Buy Now, Pay Later (BNPL) company spent two years building a program around a well-understood risk profile: synthetic identities at onboarding and installment abuse downstream. The team settled and the metrics looked clean.
Then the product team shipped a spending wallet and cross-border payouts. The fraud stack and the coverage map stayed the same, but the company changed, and so did its fraud. Many fintech and payments companies find themselves in this position today, with fraud coverage calibrated for a business that no longer exists.
One Product Launch Away from a Coverage Gap
Fraud programs are often built around what a company does at a specific point in time. They reflect the products in the market, the customer flows in production and the transaction types being processed, shaping everything from rules to vendor choices and team structure. The status quo holds, at least for a while. But as product roadmaps accelerate, fraud programs struggle to keep pace, and what once felt stable starts to drift out of alignment.
Fintech companies rarely stand still: payment service providers (PSPs) expand into payouts and merchant float, BNPL providers introduce cards and wallet balances and digital banks support broader ecosystems. With each step, the fraud surface shifts. Risks tied to stored-value or payout rails begin to resemble account takeover and cash-out patterns, often involving mule accounts and surface at different points in the customer journey, with signals that require a different approach to detection.
The shift is already visible in the numbers. BNPL transaction values are projected to grow from $334 billion in 2024 to $687 billion by 2028. Much of the growth is driven by adjacent services rather than the original pay-in-four model, bringing new fraud dynamics with them. Yet internally, many companies still operate with the same labels, structures and coverage they started with, leaving the fraud stack focused on a product the business has already outgrown.
Fraud Follows the Money, Not the Fraud Stack
Fraudsters map where value accumulates and where controls are thinnest, and a new product creates both conditions simultaneously: the surface is live before coverage has followed.
Synthetic identity fraud is built for exactly this window. Identities seeded at onboarding go dormant, build behavioral history and wait for something worth taking, like a credit line or a payout rail that didn’t exist at signup. When a BNPL provider adds a wallet or a lender issues a card, the wait is over. The identity that passed onboarding cleanly now has an account worth taking over — and account takeover is a threat most lending and payments fraud programs were never built to catch.
Financial accounts now account for 32% of all ATO breaches globally, and they are the most commonly cited threat vector among fraud and AML leaders, reported by 26% of respondents in SEON’s 2026 Fraud & AML Leaders Report. By the time it surfaces at payout, the trail leads all the way back to onboarding. The signals were always there, each living in a separate system with no thread connecting them. The value moved, the fraud followed and the coverage never caught up.
Why the Stack Doesn’t Automatically Follow
Detection is built around events and fires at the moment, not across the journey. What happened at onboarding stays at onboarding, disconnected from what happens at login, the transaction layer and payout. Each system makes its decision with the information available to it, which is rarely the full picture. When a new product ships, the program waits for the first loss before writing a rule or evaluating a vendor. By then, the fraud has already found its pattern.
This reactivity also shapes where investment lands. In payments, 46% of AI budget goes to transaction monitoring — the stage with the most visibility, but the narrowest window into what came before it. A model trained on that data learns to recognize fraud at the point of transaction with increasing precision, but the synthetic identity that passed onboarding weeks ago and is now cashing out through a new wallet is entirely outside its field of view. The coverage gap and the AI blind spot share the same root cause: a fraud program built around the product that launched, not the one that just shipped.
What a Lifecycle-Aware Fraud Program Actually Looks Like
A lifecycle-aware fraud program is scoped around the customer relationship rather than the products that are already live, from first signal to last transaction, regardless of which product the customer is using at any given time.
In practice, this means that signals collected at onboarding remain accessible well beyond the initial decision. Identity and device data continue to inform decisions as the customer logs in, transacts and moves money, with the thread running the full length of the customer relationship in real time rather than being reconstructed after a loss.
Continuity across stages brings different patterns into focus. An identity that appeared legitimate at signup may later show subtle inconsistencies, then reappear when value is withdrawn through a product that did not exist months earlier. Viewed in isolation, each step may seem low risk. Viewed together, they form a sequence that is far more indicative.
AI delivers value when trained on this connected view. Models built on lifecycle data can identify patterns that stage-limited rules are not designed to capture. Simultaneously, fraud controls need to keep pace with product changes. When a new feature goes live, coverage for the new surface should be adjustable by the fraud team without relying on external cycles. Teams that update controls alongside product releases are better positioned to respond early, before issues scale. The fraud program evolves with the business and reflects how customers actually interact with it over time.
Fraud Coverage Is a Roadmap Decision
Digital payments is in an era of genuine growth. New products are launched faster, and the way value moves continues to evolve, each product decision shifting how money can be stored, accessed or moved, while quietly redrawing the fraud surface alongside it.
The companies that stay ahead treat fraud coverage as part of the product conversation. Every new surface is protected from day one. Every expansion planned with the risk it creates is already in scope. Those who get this right protect their growth at the same pace they create it.
