Almost half of fraudulent payments in 2023 flowed through smaller banks and fintechs.
The UK’s fight against Authorised Push Payment (APP) fraud is being weakened by vulnerabilities in smaller banks and payment providers, according to research by the Royal United Services Institute (RUSI).
Published this week, the report looks at the role of money mules in APP fraud, where victims are tricked into sending money directly to criminals.
The study finds that smaller banks, challenger banks, and Banking-as-a-Service (BaaS) firms are often the first stop for stolen money. Criminals are reportedly attracted to these companies because they onboard customers faster, have smaller compliance teams and monitor transactions less strictly.
APP fraud in the UK reached £459.7m in 2023, according to UK Finance, with mule accounts playing a key role in hiding stolen funds. RUSI says smaller banks and BaaS providers often focus on speed and customer convenience over strict checks, which creates opportunities for fraud.
The report also names organised crime groups, including Nigeria’s Black Axe and Myanmar’s KK Park, as exploiting these security gaps. It warns BaaS models, where regulated firms provide infrastructure for unregulated fintech brands, can make oversight harder and tracking stolen money more difficult.
Data from the Payment Systems Regulator (PSR) supports these findings. Non-directed PSPs, smaller firms identified as top recipients of fraudulent payments, received 53% of all fraudulent transactions in 2023, despite handling just over 8% of total Faster Payments.
The FATF’s 2023 report similarly highlights criminals’ preference for using smaller institutions to launder funds. Interviews conducted for the RUSI paper confirmed digital financial institutions often have weaker onboarding controls, with compliance programmes struggling to keep pace with rapid growth.
An FCA enforcement action against Monzo earlier this year shows the risks of rapid expansion outpacing compliance. Between 2018 and 2022, the bank onboarded tens of thousands of high-risk customers despite regulatory restrictions, leading to a £21.1m fine.
“This case illustrates how lacking Monzo’s financial crime controls were. This was compounded by its inability to properly comply with the requirement not to onboard high-risk customers,” said Therese Chambers, FCA Joint Executive Director of Enforcement and Market Oversight.
A game of whack-a-mole
Once stolen funds reach mule accounts, RUSI finds that nearly 20% exit via debit cards, with other methods including inter-account transfers (11%), cash withdrawals (10%), and other channels (4%). These payments can purchase luxury goods, withdraw cash, or be used to convert into cryptocurrency, making them harder to trace.
While most focus is on Faster Payments, which account for 57% of money mule account outflows, fraudsters are increasingly likely to divert funds to alternative channels. RUSI warns of a “displacement risk”, as cracking down on one channel simply pushes funds to another, including prepaid cards, e-money accounts, or crypto wallets.
This presents challenges for compliance teams, which must monitor multiple rails. RUSI argues that effective fraud prevention requires strong controls in individual firms and improved intelligence sharing across the sector.
“While it has been known about for many years, there are signs that the number of money mules is growing,” said Kathryn Westmore, senior research fellow at RUSI.
“It is generally like a game of whack-a-mole, where you tackle it in one area and it pops up in another.”
Industry comment

Jonathan Frost, Director of Global Advisory for EMEA at BioCatch, said: “We need to move toward an environment in which banks exchange data when customers show an intent to make a payment. This is already the case in Australia, with banks performing checks to determine the level of risk as soon as the customer has filled in the account details.
“This enables them to protect customers by deflecting them from high-risk payments, or, where appropriate, blocking their payment. The real-time exchange also empowers Australian banks to identify money mules, especially those that don’t conform to the classic profile of a young adult on the lookout for fast money.”