The evolution of fraud intelligence sharing: from institutional silos to network effects

To stop fraud networks that exploit gaps between financial institutions, NICE Actimize’s Anurag Mohapatra advocates for shared intelligence. Since mule infrastructure crosses boundaries, effective fraud prevention must do the same.

For over a decade, digital payment fraud controls have relied on two pillars: device trust and payee familiarity. In 2025, both are eroding. New research from NICE Actimize, published as part of the 2026 Fraud Insights Report, indicates that fraud shifted execution to victims' own devices, with 52% of fraud now originating from recognised devices. A more concerning statistic is that 38% of fraud attempts targeted payees that the sending institution had previously observed, up from 28% in 2022. This means that mule accounts are being deliberately aged to appear legitimate, and the heavily relied-upon ‘previously observed’ or ‘known payee’ is no longer a reliable signal.

The pattern is even more pronounced in commercial payments. The share of attempted fraud directed at more-tenured payees increased by 23.6 percentage points year over year, from 35% in 2024 to 58.5% in 2025. Given higher transaction values, fraud networks are willing to invest months cultivating credible counterparties. A business banking relationship that appears established at one institution may have an established fraud history at another institution.

This challenge reflects a deeper structural issue. While the fraud prevention industry focused on stopping scams at the point of initiation by detecting account takeovers at login and creating friction at payment authorisation, fraud networks were building something else entirely. They were building infrastructure.

The receiving-side blind spot

Analysis of FinCEN Suspicious Activity Reports reveals where fraud growth concentrated in 2025. Depository institutions filed 4.1 million fraud-related SARs, an increase of 312,000 over 2024. But 93% of that growth, or 291,000 SARs, came from mule-related categories. Mule-related SARs grew 21.2% year over year compared to 0.9% growth for non-mule fraud. That's a 24.6x difference in growth rates.

The fastest-growing categories weren't scam typologies. They were infrastructure categories. Suspicious use of multiple transaction locations grew 37%, adding 342,000 SARs. Funnel accounts, which consolidate funds from multiple sources before dispersing them, grew 39%. Suspicious use of multiple accounts increased 29%. These categories represent organised, scalable operations designed to handle volume.

Mule-related activities now account for 41% of all fraud reported by depository institutions. That's 1.66 million SARs in a single year attributed to receiving-side infrastructure, not attack-side fraud.

Here's why this matters: given the explosion of mule accounts, fraudsters are no longer bottlenecked by their ability to create victims but by their ability to cash out. For financial institutions, this means that stopping one mule account has the same impact as preventing multiple scams. But that requires seeing mule account activity across institutions. A mule account flagged at one bank may already be active at three others. Without cross-institutional visibility, each bank sees only one piece of the infrastructure.

This is the problem single-institution fraud intelligence cannot solve. Your portfolio-level analytics can tell you whether a payee has been observed before at your institution. It cannot tell you whether that payee is a known mule elsewhere.

Why information sharing works

The UK has demonstrated what shared fraud intelligence can achieve when properly structured. Pay.UK's Confirmation of Payee achieved 99% coverage of Faster Payments initiators, processing more than 65 million checks monthly. MITS, the Mule Insights Tactical Solution, provides cross-industry mule network detection. The Payment Systems Regulator's APP reimbursement regime created strong operational incentives for shared intelligence, demonstrating how regulation can turn intelligence sharing into a necessary control rather than a nice-to-have.

The common thread: shared intelligence detects what isolated systems cannot. A mule account flagged at one institution becomes visible to others before fraud scales. Network effects compound as participation increases. The value isn't additive. It's multiplicative.

But infrastructure-led models embedded within unified payment schemes represent one approach. In markets with fragmented payment infrastructures or multiple independent rails, different models emerge. Vendor-led intelligence sharing fills gaps where centralised scheme operators don't exist or where fraud moves across payment contexts that individual schemes don't cover.

Three design principles for effective sharing

Regardless of approach, effective cross-institutional intelligence models share core design characteristics.

Privacy-preserving architecture: data hashing occurs at the source institution before any information enters the network. This is one-way cryptographic hashing that allows matching without exposing underlying account identifiers. Tenant isolation ensures that participants remain logically separated. One institution can't query another institution's raw data. This addresses privacy requirements while enabling cross-institutional matching.

Multi-bank confirmation: fraud tags surface only when two or more independent institutions have reported the same counterparty. This filters out isolated reports and false positives. A single institution flagging an account generates a signal. Multiple institutions flagging the same account generates actionable intelligence with high confidence.

Query-based access: instead of receiving a continuous stream of potential fraud alerts, banks query the network when evaluating specific transactions. This reverses traditional alert-based systems. Banks maintain control over when intelligence is accessed and how it integrates into decisioning workflows. Outputs are aggregated and anonymised. The network returns risk signals and metadata: account tenure on the network, average transaction amounts received, number of unique senders, and confirmed fraud tags when multi-bank thresholds are met.

These principles are moving from theory to practice. NICE Actimize's Insights Network, for example, operates as a vendor-led shared intelligence layer that demonstrates these design characteristics in production. Account identifiers are hashed at source, participants remain logically isolated, and fraud tags surface only when multiple institutions confirm the same counterparty. The model provides cross-institutional counterparty intelligence across payment contexts, enabling banks to query whether a receiving account has been flagged for fraud elsewhere in the network.

While not a new concept and with proven examples, the adoption of shared intelligence platforms by financial institutions has been cautious. Below are three primary reasons:  

1. Fragmented Coverage: fraudsters don’t respect the boundaries of payment rails; they thrive on and exploit these gaps. Many of the shared intelligence platforms have been siloed across payment rails, leading to limited adoption.
2. Real-Time Intelligence vs. Reporting Tools: many earlier information-sharing efforts functioned as reporting mechanisms rather than live decisioning tools. The lag between when a mule account was flagged at one institution and when that intelligence reached others often meant fraud had already succeeded.
3. Behavioural Context: much of the first-generation sharing models often returned yes/no answers, for example, ‘Is this account risky?’ without really explaining the behaviours that determine the risk. In tightly governed and compliance environments, such platforms didn’t add much value. 

The NICE Actimize Insights Network solves these problems by providing cross-rail intelligence across payment rails and an API-enabled query mechanism that integrates into payment flows, enabling decisions at payment authorisation and preventing fraud before funds move. Additionally, by providing explainable behavioural indicators rather than a single score or binary risk indicator, Actimize Insights Network enables fraud strategy teams to integrate risk signals into decision flows while meeting governance expectations.

The impact is measurable. Banks using Insights Network report a 68% improvement in fraud detection, identifying fraudulent counterparties an average of 70 days earlier than internal signals alone. These results demonstrate what cross-institutional intelligence can achieve when layered with existing fraud controls. But the broader point remains: no single institution, however sophisticated its internal models, can solve a problem that exists across institutional boundaries. Financial institutions have spent years optimising attack-side detection by integrating device intelligence, behavioural biometrics, and adding machine learning models to identify anomalies. While these are all necessary controls, these alone are not sufficient given the new fraud landscape.

Because while defences focused on stopping scams at initiation, fraud networks built receiving infrastructure. They recruited mules, established funnel accounts, and systematised cash-out processes. That infrastructure now accounts for 93% of fraud growth. It operates across institutions while detection remains institutionally siloed.

Shared fraud intelligence models address this structural mismatch. They extend fraud detection beyond institutional walls to the networks where mule infrastructure operates. Whether infrastructure-led through payment system operators, regulatory-backed through government frameworks, or vendor-led through intelligence sharing platforms, the principle remains consistent: some fraud problems cannot be solved in isolation.

Fraud networks don't choose between institutions. They exploit the gaps between them. The evolution from institutional silos to shared intelligence isn't about replacing internal fraud controls. It's about recognising that mule infrastructure crosses institutional boundaries, and effective fraud prevention must do the same.

About author

Anurag Mohapatra is the Director of Product Management and Fraud Strategy at NICE Actimize, and works with financial institutions to build fraud strategies that hold up against increasingly sophisticated, AI-enabled threats - From authorised push payment scams to synthetic identity fraud and deepfake-enabled attacks. With over 20+ years of experience in product management and consulting with domain expertise in financial crime and compliance.

 

About NICE Actimize

NICE Actimize is the largest and broadest provider of financial crime, risk, and compliance solutions for regional and global financial institutions, as well as government regulators. Consistently ranked as number one in the space, NICE Actimize experts apply innovative technology to protect institutions and safeguard consumers’ and investors’ assets by identifying financial crime, preventing fraud, and providing regulatory compliance. The company provides real-time, cross-channel fraud prevention, anti-money laundering detection, and trading surveillance solutions that address such concerns as payment fraud, cybercrime, sanctions monitoring, market abuse, customer due diligence, and insider trading. Find us at www.niceactimize.com, @NICE_Actimize, or Nasdaq: NICE.