The Complete Guide to Payment Transactions, Payouts & Remittances

From Initiation to Settlement

A Comprehensive Technical & Regulatory Reference for Fintech Professionals

March 2026

Executive Summary
Roles & Participants in the Payment Ecosystem
Payment Transactions — Full Lifecycle
Payouts — Full Lifecycle
Remittances — Full Lifecycle
Payment Rails Deep Dive
Payment Rails Comparison Table
Correspondent Banking & SWIFT GPI
FX & Treasury
Payment Fraud Typologies
EU Regulatory Landscape
Regulatory Landscape Overview
Scheme Rules & Compliance
Failure Modes & Exception Handling
Emerging Topics
Cross-Cutting Engineering Concerns
Key Takeaways
Glossary
Further Reading & Authoritative Sources

1. Executive Summary

Money movement is the foundational capability of the global financial system, yet its inner workings remain opaque to most participants. A card tap at a coffee shop triggers a chain of cryptographic authentications, real-time fraud scoring, regulatory checks, and interbank settlements — all within 200 milliseconds. A migrant worker sending $300 home crosses multiple correspondent banks, currency conversion desks, sanctions screening systems, and last-mile mobile money networks before the funds arrive.

This guide provides a comprehensive, technically accurate walkthrough of three primary payment flows:

Payment Transactions: card-present (CP), card-not-present (CNP), and account-to-account (A2A) payments — the dominant mode for consumer and commercial commerce.
Payouts: push payments initiated by platforms — marketplaces, gig economy apps, insurance carriers, and payroll processors — disbursing funds to recipients.
Remittances: cross-border consumer transfers, typically from diaspora workers to family in emerging markets.

Each flow is examined through every lifecycle phase: initiation, authorization, fraud screening, AML/CFT compliance, KYC/KYB, clearing, settlement, FX, rail selection, and post-settlement processing including disputes and reconciliation.

The guide also covers payment rail architectures, regulatory frameworks across jurisdictions, fraud typologies, and emerging developments including ISO 20022, FedNow, open banking, and stablecoin settlement.

Who Should Read This Guide

Audience	Relevance
Payments engineers	Building or integrating payment infrastructure
Product managers	Designing payment flows and user experiences
Compliance officers	Managing AML/CFT and regulatory obligations
Risk officers	Fraud prevention and operational risk
Fintech founders and executives	Seeking deep domain fluency

2. Roles & Participants in the Payment Ecosystem

Understanding payments requires knowing who does what. The following table maps each participant to their role, regulatory status, and typical obligations.

Participant	Role	Regulated By (US/EU)	Key Obligations
Cardholder / Consumer	Initiates payment; holds account	Consumer protection law (CFPB, FCA)	Authenticate identity; bear chargeback liability for CNP fraud in some schemes
Merchant	Accepts payment for goods/services	PCI-DSS (self-assessed or audited)	PCI compliance; chargeback liability for CNP fraud; honor-all-cards rules
Issuer (Issuing Bank)	Issues card/account to cardholder; authorizes transactions	OCC/Fed/FDIC (US), ECB/NCAs (EU)	Credit risk; fraud liability for CP chip; KYC; AML monitoring; dispute resolution
Acquirer (Acquiring Bank)	Processes merchant transactions; sponsors merchants into card networks	OCC/Fed/FDIC (US), ECB/NCAs (EU)	Merchant underwriting; chargeback risk; AML for merchant activity; PCI compliance
Card Network (Visa/MC)	Sets rules; routes transactions; facilitates clearing between issuer and acquirer	Oversight by Fed/ECB (systemically important)	Scheme rules enforcement; settlement finality; fraud monitoring programs
Payment Service Provider (PSP)	Provides payment acceptance technology and services to merchants	Money transmitter (state/FinCEN) or e-money institution (EU)	AML program; KYC on merchants; transaction monitoring; data security
Payment Facilitator (PayFac)	Aggregates sub-merchants under master merchant account	Registered with card networks; MSB if transmitting funds	Sub-merchant underwriting; aggregate chargeback monitoring; enhanced KYC
Independent Sales Organization (ISO)	Resells merchant processing services on behalf of acquirer	Registered with card networks; state MSB	Agent oversight; compliance pass-through from sponsoring acquirer
Third-Party Service Provider (TPSP)	Provides outsourced services to card network participants (e.g., gateway, tokenization vault)	Audited under PCI-DSS Level 1	PCI compliance; data security; service continuity
Payment Gateway	Routes transaction data between merchant and acquirer/PSP	Typically not separately licensed; regulated via PCI-DSS	Secure transmission; tokenization; 99.99%+ uptime SLAs
Correspondent Bank	Holds nostro/vostro accounts to facilitate cross-border settlement between banks without direct relationships	National banking regulator	De-risking decisions; AML pass-through obligations; SWIFT compliance
Money Services Business (MSB)	Non-bank entity transmitting funds (includes remittance operators, FX dealers)	FinCEN (federal) + all 50 states (US); FCA/Banque de France etc. (EU)	AML program; SAR filing; Travel Rule; state licensing
Financial Intelligence Unit (FIU)	Receives and analyzes suspicious activity reports; shares intelligence with law enforcement	Government agency (FinCEN in US; FATF network globally)	Operate SAR/STR database; respond to law enforcement; publish typologies

2.1 The PayFac Model

A Payment Facilitator (PayFac) registers with card networks as a master merchant and onboards sub-merchants under its umbrella. This allows rapid merchant onboarding (minutes vs. weeks for traditional merchant accounts) by shifting underwriting risk to the PayFac. Stripe, Square, and Adyen operate PayFac models. The PayFac bears aggregate chargeback liability and must conduct ongoing sub-merchant KYB, transaction monitoring, and reserve management.

3. Payment Transactions — Full Lifecycle

A payment transaction is a pull payment initiated by or on behalf of a merchant when a consumer makes a purchase. Three primary modes exist: card-present (CP), card-not-present (CNP), and account-to-account (A2A).

Visual Flow: Card Payment Lifecycle

INITIATION → DATA CAPTURE → ROUTING → AUTHORIZATION → FRAUD SCREENING
                                                ↓                  ↓
                                         TOKENIZATION     APPROVE / DECLINE
                                                ↓                  ↓
                                        ENCRYPTION/P2PE   CLEARING (T+0 to T+1)
                                                ↓                  ↓
                                        NETWORK SWITCH    SETTLEMENT (T+1 to T+2)
                                                                   ↓
                                               POST-SETTLEMENT: DISPUTES / RECON

3.1 Initiation & Data Capture

Card-Present (CP)

In a card-present transaction, the physical card interacts with a point-of-sale (POS) terminal. Three interface modes exist:

Magnetic stripe (magstripe): The card is swiped. The magnetic stripe encodes PAN, expiry, and service code in Track 1 and Track 2 data. This is the least secure method — static data is easily skimmed. Largely deprecated in EMV-capable markets but still prevalent in some regions.
EMV chip (contact): The card is inserted. The chip and terminal engage in a cryptographic challenge-response using Application Cryptograms (ARQC). The cryptogram is unique per transaction — even if intercepted, it cannot be replayed.
NFC/contactless (tap): The card or mobile device (Apple Pay, Google Pay) communicates via near-field communication (NFC). Uses the same EMV cryptographic protocols as contact chip, transmitted wirelessly over a 4 cm range. Mobile wallets tokenize the PAN before the tap.

Definition: P2PE (Point-to-Point Encryption)

Encryption of cardholder data from the moment of capture at the POS device until decryption in a secure environment at the payment processor. Under a validated P2PE solution, the merchant’s systems never hold plaintext card data, significantly reducing PCI-DSS scope.

Card-Not-Present (CNP)

In CNP transactions (e-commerce, MOTO), the cardholder enters card details manually or via a stored payment method. Data elements collected include:

Primary Account Number (PAN): 16-digit card number (Luhn-validated)
Expiry date (MMYY)
Cardholder Verification Value 2 (CVV2/CVC2): 3-4 digit security code on card back, stored only by issuer — not merchants
Billing address (for Address Verification Service/AVS)
Device fingerprint: IP address, browser/OS metadata, timezone, language, installed fonts/plugins
Behavioral biometrics: keystroke dynamics, mouse movement patterns, session duration

Tokenization in CNP: Payment gateways and PSPs issue a token (e.g., a network token from Visa Token Service or Mastercard Digital Enablement Service) that replaces the PAN. Tokens are scoped to a specific merchant, device, or transaction type — a token stolen from one merchant is useless to another. Network tokens also carry a cryptogram for each transaction, mirroring EMV security in a CNP context.

Account-to-Account (A2A)

A2A payments bypass card networks entirely. The payer authorizes a transfer directly from their bank account to the payee’s bank account. Initiation mechanisms vary by rail:

ACH Debit (US): Merchant obtains authorization (via signed agreement, web consent, or phone recording) and submits a debit entry to their ODFI (Originating Depository Financial Institution). The ODFI sends the file to the ACH operator (Fed or EPN).
Open Banking / PSD2 API (EU/UK): Third-Party Providers (TPPs) call bank APIs to initiate payment on behalf of the user, with strong customer authentication (SCA) completing at the bank. No card data exchanged.
Real-Time Payments (RTP/FedNow): Payer’s bank sends an instant credit push to payee’s bank. These are pull-via-request-for-payment (RFP) workflows, where the merchant sends an RFP message and the customer approves.

3.2 Authorization Mechanics

Authorization is the real-time decision by the card issuer to approve or decline a transaction. The typical message flow for a card transaction takes 100–300ms end-to-end.

Message Flow

Step 1 — Terminal to Acquirer: The POS terminal formats an ISO 8583 authorization request message (0100 MTI) containing PAN, amount, merchant category code (MCC), terminal ID, and the EMV cryptogram. The message travels via TLS over a dedicated payment gateway connection to the acquirer’s processing host.
Step 2 — Acquirer to Network: The acquirer’s host validates the message format, appends the acquirer BIN, and routes to the appropriate card network (Visa, Mastercard, Amex, UnionPay) based on the card BIN range. Network selection may involve least-cost routing (LCR) where multiple networks are available (common for debit cards in Australia, EU).
Step 3 — Network to Issuer: The network’s authorization platform applies network-level rules (velocity checks, blocked merchant categories) and routes to the issuing bank’s authorization host, identified by the card BIN. If the issuer is offline, the network may stand-in process the authorization using issuer-defined floor limits.
Step 4 — Issuer Decision: The issuer’s authorization system evaluates: account status (open, frozen, closed), available balance or credit limit, fraud score, velocity rules, geographic rules, and standing instructions (e.g., block international transactions). For CNP transactions, the issuer may invoke 3DS for additional authentication. The issuer returns a response code: 00 (approved), 05 (do not honor), 51 (insufficient funds), 54 (expired card), etc.
Step 5 — Response Return Path: The response travels back through network to acquirer to terminal in the same path as the request. The terminal receives the response and either approves the transaction (printing receipt) or declines (displaying error message).

Authorization Response Codes

Code	Meaning
00	Approved
05	Do Not Honor (generic decline)
14	Invalid Card Number
51	Insufficient Funds
54	Expired Card
57	Not Permitted to Cardholder
61	Exceeds Amount Limit
65	Exceeds Frequency Limit
78	No Account Found
91	Issuer Unavailable (stand-in processing)

AVS (Address Verification Service)

AVS compares the billing address provided by the cardholder at checkout against the address on file at the issuing bank. The issuer returns an AVS result code (e.g., Y=full match, Z=zip only, N=no match). AVS does not cause a decline — it is a risk signal that the merchant’s fraud system uses to decide whether to proceed.

CVV2 Validation

CVV2 (Visa) / CVC2 (Mastercard) is a 3-digit code derived from the card’s PAN, expiry date, and a secret key held only by the issuer. The cardholder enters it at checkout; the issuer validates it in real time. A mismatch typically results in a decline or higher fraud score. Critically, CVV2 must never be stored by merchants post-authorization — this is a PCI-DSS prohibition (Requirement 3.2.1).

3DS / SCA — 3-D Secure and Strong Customer Authentication

3-D Secure (3DS) is a protocol that adds an authentication layer to CNP transactions by involving the cardholder’s issuing bank in the checkout flow. Visa calls it Visa Secure; Mastercard calls it Identity Check.

3DS 2.x (EMV 3DS): The current version passes rich context data (device fingerprint, transaction history, behavioral data) to the issuer’s Access Control Server (ACS) in a structured data packet. The ACS can frictionlessly authenticate low-risk transactions without cardholder interaction, or challenge high-risk ones with a one-time password (OTP), biometric, or push notification.

Strong Customer Authentication (SCA): PSD2 mandates SCA for electronic payment initiation in the EEA. SCA requires two of three factors: something you know (PIN/password), something you have (phone, hardware token), something you are (biometric). 3DS 2.x is the primary implementation mechanism. Exemptions exist for low-value transactions (<€30), trusted beneficiaries, corporate payments, and transaction risk analysis (TRA) where the PSP’s fraud rate is below defined thresholds.

Exemption	Condition	Liability Shift
Low value	<€30 and cumulative <€100 or 5 transactions since last SCA	Issuer
TRA ≤€100	PSP fraud rate <0.13%	PSP
TRA ≤€250	PSP fraud rate <0.06%	PSP
TRA ≤€500	PSP fraud rate <0.01%	PSP
Trusted beneficiary	Customer whitelists a payee	Issuer
Recurring fixed	Fixed-amount recurring payments to the same payee	Issuer

3.3 Fraud & Risk Screening

Rules Engines

Every PSP and acquirer operates a rules engine — a configurable set of deterministic rules that flag or block transactions based on predefined criteria. Rules include:

Velocity rules: More than 3 transactions from same PAN in 10 minutes → flag
Amount rules: Transaction >$500 at a low-risk MCC → review
Geographic rules: Card issued in Germany, IP address from Nigeria → elevated risk
BIN rules: Prepaid card in a gambling MCC → block
Time rules: Transaction at 3 AM in merchant’s local timezone → flag

ML Fraud Scoring

Rules alone miss novel fraud patterns. Machine learning models — typically gradient boosting (XGBoost, LightGBM) or neural networks — score each transaction on a 0-100 risk scale. Features include:

Transaction features: amount, currency, MCC, time of day, day of week
Cardholder history: average spend, typical geographies, usual merchants
Device features: device fingerprint, IP reputation, VPN/proxy detection
Velocity features: transactions in past 1/6/24 hours across card, device, IP
Graph features: shared device or IP across multiple accounts

Models are trained on labeled fraud/non-fraud datasets and retrained periodically. Real-time inference latency must stay under ~50ms to fit within the authorization window.

Behavioral Analytics

Behavioral biometrics analyzes how a user interacts with a device: typing rhythm, mouse movement velocity, scroll patterns, touch pressure on mobile screens. Legitimate users exhibit consistent behavioral signatures; account takeover (ATO) attackers using automated tools or unfamiliar devices show anomalous patterns. Solutions like BioCatch and NeuroID embed as JavaScript or SDK within checkout flows.

Device Fingerprinting

Device fingerprinting creates a unique identifier from browser or device attributes: user agent string, screen resolution, installed fonts, WebGL renderer, timezone, language, canvas rendering. A returning device correlated to a trusted account reduces friction; a new device triggers heightened scrutiny.

3.4 AML & Compliance

Transaction Monitoring

Financial institutions must monitor transactions for suspicious activity indicative of money laundering, terrorist financing, or other financial crimes. Transaction monitoring systems (TMS) apply rule-based and ML-based scenarios:

Structuring (Smurfing): Multiple transactions just below the $10,000 CTR threshold (e.g., $9,800, $9,500) to avoid reporting requirements.
Rapid Movement: Funds deposited and withdrawn within hours across multiple accounts or jurisdictions.
Unusual Geographic Patterns: Transactions inconsistent with customer’s stated business or residence.
High-Risk Counterparties: Transactions with entities in FATF grey-list or black-list jurisdictions.

Sanctions Screening

Every transaction and account must be screened against sanctions lists in real time at onboarding and periodically thereafter:

OFAC (US): Office of Foreign Assets Control maintains the Specially Designated Nationals (SDN) list. US persons and entities (and non-US entities transacting in USD) must not deal with SDN-listed parties. Violations carry penalties up to $1M+ per violation.
UN Security Council: Consolidated sanctions list applies globally through member state implementing legislation.
EU: Common Foreign & Security Policy (CFSP) sanctions consolidated in the EU Consolidated List. Applies to all EU-established entities and EU currency transactions.
HMT (UK): HM Treasury Financial Sanctions Notice applies post-Brexit under SAMLA 2018.

Screening must account for fuzzy name matching (transliteration variants, AKAs, aliases), entity disambiguation, and false positive management. Leading vendors include Refinitiv World-Check, Dow Jones Risk & Compliance, LexisNexis Bridger, and Accuity (LSEG).

PEP Screening

Politically Exposed Persons (PEPs) — senior government officials, their family members, and close associates — carry elevated corruption risk. Financial institutions must identify PEPs at onboarding and apply Enhanced Due Diligence (EDD). PEP status alone does not prevent a relationship; it triggers heightened monitoring and senior management approval.

Adverse Media Screening

Adverse media (negative news) screening identifies customers mentioned in news coverage of financial crime, fraud, corruption, or regulatory sanctions. Modern systems use NLP to classify news articles and extract entity mentions, enabling automated adverse media alerts.

SAR/CTR Filing

Currency Transaction Report (CTR): US BSA requirement to report cash transactions exceeding $10,000 to FinCEN within 15 days. Applies to bank deposits, withdrawals, exchanges, and transfers.
Suspicious Activity Report (SAR): Filed when a financial institution knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity or is designed to evade BSA requirements. Must be filed within 30 days of detection (60 days if no suspect is identified). SAR filing is confidential — the subject must not be tipped off (“tipping off” prohibition).
Suspicious Transaction Report (STR): The EU/international equivalent of a SAR, filed with the relevant national FIU.

Travel Rule

The FATF Travel Rule (Recommendation 16) requires that wire transfers of $3,000 or more (US) or the equivalent of €1,000 (EU) carry originator and beneficiary information throughout the payment chain. This includes name, account number, and address. In the crypto context, the Travel Rule is being implemented by virtual asset service providers (VASPs) via protocols like TRISA and OpenVASP.

3.5 KYC / KYB

Know Your Customer (KYC) Tiers

Tier	Customer Type	Verification Required	Transaction Limits
Tier 0 / Lite	Anonymous / Guest	None (device-level only)	Very low limits (e.g., <$100/day)
Tier 1 / Basic	Low-risk individual	Name, DOB, address, SSN/TIN (last 4)	Moderate limits (e.g., <$1,000/month)
Tier 2 / Standard	Standard individual	Government ID document + selfie liveness check	Standard limits (e.g., up to $10,000/month)
Tier 3 / Enhanced	High-value or high-risk individual	Full biometric ID verification + source of funds + EDD interview	High limits; senior approval required
Business / KYB	Legal entity	Articles of incorporation + UBO identification (>25% ownership) + director verification + business purpose	Commercial limits; board resolution may be required

Document Verification & Liveness

Modern KYC platforms (Jumio, Onfido, Persona, Socure) use:

Document authenticity checks: font consistency, hologram detection, MRZ (machine-readable zone) validation, UV pattern inference from regular photos
Biometric matching: selfie matched against ID photo using face recognition with a liveness score
Liveness detection (PAD): distinguishes live person from photo replay attack using active challenges (blink, turn head) or passive detection of 3D depth/texture

Enhanced Due Diligence (EDD)

EDD is required for high-risk customers: PEPs, customers from high-risk jurisdictions, businesses in high-risk sectors (MSBs, casinos, arms dealers), and customers with unusual transaction patterns. EDD elements include: source of wealth documentation, source of funds for specific transactions, on-site visits for business customers, and senior management approval for onboarding.

3.6 Clearing & Settlement

Clearing

Clearing is the process of reconciling payment instructions between counterparties and computing net obligations. For card transactions:

After authorization, the merchant batches completed transactions and submits them for clearing, typically at end-of-day (batch clearing). The merchant’s acquirer submits clearing files to the card network. The network calculates net positions between each issuer-acquirer pair and produces settlement files.

In four-party card schemes, clearing and settlement are separated by the network. The network acts as a central counterparty between issuing and acquiring banks, eliminating bilateral credit risk.

Interchange

Interchange is the fee paid by the acquirer to the issuer for each transaction. It compensates the issuer for credit risk, fraud losses, and the cost of cardholder benefits (rewards programs). Interchange rates are set by card networks and vary by:

Card type: debit < credit < premium rewards < corporate
Transaction type: CP chip < CP swipe < CNP
Merchant category: grocery and utilities < general retail < specialty
Transaction amount: percentage-based + fixed per-transaction fee

In the EU, interchange for consumer card transactions is capped at 0.2% (debit) and 0.3% (credit) under the Interchange Fee Regulation (IFR). In the US, Durbin Amendment caps debit interchange at 21 cents + 0.05% for issuers with >$10B in assets.

Settlement

Settlement is the final transfer of funds between financial institutions. For card transactions:

Net settlement: The card network calculates the net position of each bank across all transactions. A bank with more credits than debits receives a net payment; the reverse owes a net amount. This reduces the number of payment flows from millions to one per bank per day.
Settlement accounts: Banks maintain accounts at the card network (or a designated settlement bank). Settlement is typically processed via Fedwire (US) or TARGET2 (EU) for final interbank transfer.
Settlement timing: Typically T+1 or T+2 days after the transaction. Merchants receive funds from their acquirer based on their contract terms (daily, next-day, or 2-day settlement), minus interchange and processing fees.

Nostro / Vostro Accounts

Definition: Nostro / Vostro

A nostro account is ‘our account held at your bank’ (from the Latin ‘ours’). A vostro account is ‘your account held at our bank’ (‘yours’). These are the same account described from opposite perspectives. In correspondent banking, banks hold nostro accounts in foreign currency at correspondent banks to facilitate cross-border settlement without real-time SWIFT transfers.

3.7 Post-Settlement

Chargebacks & Disputes

A chargeback is a reversal of a settled card transaction, initiated by the cardholder disputing a charge with their issuing bank. The chargeback process:

Cardholder dispute: Cardholder contacts issuer to dispute a transaction (fraud, non-receipt, quality dispute).
Issuer provisional credit: Issuer credits the cardholder’s account while investigating.
Chargeback filed: Issuer sends a chargeback to the acquirer via the card network with a reason code.
Acquirer representment: Acquirer (or merchant) can challenge the chargeback by presenting evidence (proof of delivery, signed receipt, 3DS authentication data).
Arbitration: If the dispute is not resolved, it is escalated to the card network for final ruling. Arbitration fees ($500+ per case) incentivize early resolution.

Common Chargeback Reason Codes

Code	Reason
Visa 10.4 / MC 4853	Card Absent (fraud): Cardholder denies participation in CNP transaction
Visa 10.5 / MC 4853	Visa Fraud Monitoring Program
Visa 13.1 / MC 4853	Merchandise/Services Not Received
Visa 13.3 / MC 4853	Not as Described or Defective Merchandise
Visa 12.6	Duplicate Processing
Visa 13.6	Credit Not Processed
MC 4807	Warning Bulletin / Blocked Account

Refunds

A refund (or credit) is a merchant-initiated reversal of a transaction. Unlike chargebacks, refunds are processed via the standard clearing flow and do not carry dispute fees. Refunds must typically be issued to the original payment method and within network-specified timeframes (e.g., up to 180 days for Visa/Mastercard).

Reconciliation

Reconciliation matches transaction records across systems to ensure no funds are lost or duplicated. Acquirers and PSPs reconcile: authorization records vs. clearing records vs. settlement bank statements. Discrepancies (‘breaks’) may arise from authorization-but-no-capture, partial settlements, or timing differences. Automated reconciliation engines flag breaks for manual review.

Tax Reporting

1099-K (US): PSPs and payment networks must file 1099-K forms for merchants receiving more than $600 in payment card transactions (threshold reduced from $20,000/200 transactions under the American Rescue Plan Act). Filed with the IRS and provided to the merchant by January 31.
W-8BEN / W-8BEN-E: Foreign persons receiving US-source payments provide W-8 forms to establish non-US status and claim treaty benefits, potentially reducing withholding tax.
DAC7 (EU): EU platforms (marketplaces) must report seller transaction data to tax authorities under the DAC7 directive, effective 2023.

4. Payouts — Full Lifecycle

Payouts are push payments where a platform or business initiates a transfer of funds to a recipient (payee). Common use cases include gig economy earnings disbursements, marketplace seller payouts, insurance claims, loan disbursements, and payroll.

Visual Flow: Payout Lifecycle

TRIGGER EVENT (earnings, claim, payroll)
           ↓
PAYEE ONBOARDING & KYC/KYB
           ↓
PAYEE BANK ACCOUNT OR CARD VERIFICATION (micro-deposit, IBAN validation, Visa/MC zero-dollar auth)
           ↓
PAYOUT INITIATION (batch or real-time API)
           ↓
FRAUD & SANCTIONS SCREENING
           ↓
RAIL SELECTION (ACH, RTP, Visa Direct, wire, mobile money)
           ↓
CLEARING & SETTLEMENT
           ↓
PAYEE RECEIPT & NOTIFICATION
           ↓
RECONCILIATION, 1099 TAX REPORTING

4.1 Payee Onboarding & Bank Account Verification

Before initiating a payout, the platform must verify the payee’s identity and bank account to prevent fraud (misdirected payouts, account takeover).

Bank Account Verification Methods

Micro-deposit verification: Two small random deposits (<$1) are sent to the stated account. The payee confirms the amounts, proving account ownership. Widely used but adds 1-3 business days of friction. Used by ACH-based systems (Plaid, Dwolla).
Instant account verification (IAV): The payee authenticates with their bank via OAuth (open banking API). The platform receives read-only access to confirm account ownership and check balance. Plaid, MX, Finicity, and Truelayer (EU/UK) provide this.
Pre-notification (prenote): A zero-dollar ACH test entry is sent before the first live transaction. Returns a notification of change (NOC) if account details have changed.
Visa/Mastercard zero-dollar auth: For card payouts (Visa Direct, Mastercard Send), a $0 authorization validates the card number and confirms it is eligible to receive funds.
IBAN validation: For EU cross-border payouts, IBAN structure validation (checksum algorithm) and BIC lookup confirm the account exists at the stated bank. SWIFT Bank Directory or local scheme directories provide BIC-to-IBAN mapping.

4.2 Payout Initiation

Payout initiation involves generating a payment instruction and submitting it to the appropriate rail. Key considerations:

Batch vs. Real-Time Payouts

Batch payouts (ACH, SEPA CT): Transactions are aggregated into a file and submitted to the clearing house at scheduled windows (multiple per day for ACH same-day). Lower cost but higher latency. Suitable for payroll, scheduled distributions.
Real-time payouts (Visa Direct, RTP, FedNow): Individual push transactions processed in near real-time (seconds). Higher cost per transaction. Suitable for on-demand gig payouts, insurance claims.

Payout Fraud Controls

Payout fraud vectors differ from payment fraud:

Account takeover (ATO): Attacker compromises payee account and changes bank details to their own account (‘bank account update fraud’).
First-party fraud: Payee claims earnings or benefits fraudulently (e.g., fake delivery completions in gig economy).
Money mule: Payee’s account is used to receive and forward fraudulent funds. Detection uses device and behavioral signals, graph analysis of payout networks.

Controls include: change velocity limits (no payout within 24 hours of bank account update), out-of-band confirmation of bank account changes, manual review for high-value first payouts, continuous monitoring of payee behavior patterns.

4.3 Rail Selection for Payouts

Rail selection for payouts depends on: geography, speed requirements, transaction limits, cost, and payee preferences.

Visa Direct / Mastercard Send: Card-based push payments. Funded by the platform and delivered to a debit card in 30 minutes to 30 seconds. Visa Direct supports 180+ countries. Transaction limits vary by card and country (typically $10,000-$50,000 per transaction). When Uber pays a driver in real-time via their debit card, Visa Direct is the rail.
RTP / FedNow (US): Bank account push payments in real time. RTP (The Clearing House) supports transactions up to $1M. FedNow (launched 2023) supports up to $500,000.
Same-Day ACH: Next-day or same-day bank account credits via NACHA rules. Lower cost than RTP. Limit of $1M per transaction (raised from $100,000 in 2022).
SEPA Instant Credit Transfer (SCT Inst): Real-time euro payments across SEPA zone. Max €100,000 per transaction. Available 24/7/365.
Mobile money (MPESA, MTN MoMo, Airtel Money): For payouts in Sub-Saharan Africa, Southeast Asia. Recipients receive funds to a mobile wallet tied to their phone number. Typically accessed via aggregator APIs (Flutterwave, Paystack, MFS Africa).

4.4 Marketplace Payout Specifics

Marketplace payouts involve additional complexity: splitting a single consumer payment into multiple payee disbursements, holding funds in escrow pending transaction completion, and managing platform fees.

Split Payments

A two-sided marketplace (e.g., Airbnb, Etsy) collects payment from a buyer and routes funds to a seller, retaining a platform fee. Implementation options:

PayFac model: Platform is the PayFac; seller funds pass through the platform’s omnibus account before payout to seller’s external account.
Marketplace-as-a-service (e.g., Stripe Connect, Adyen for Platforms): The PSP handles split payment logic natively, holding seller funds in virtual subaccounts and routing payouts on the platform’s instruction.

Escrow & Reserve Management

Platforms often hold a percentage of seller earnings in reserve (5-10%) to cover chargebacks. The reserve is released to the seller after a rolling window (e.g., 90 days after delivery). Platforms must ensure escrow accounts are appropriately structured to avoid co-mingling funds in violation of money transmission laws.

5. Remittances — Full Lifecycle

Remittances are person-to-person cross-border money transfers, typically from migrant workers to family in their home countries. The World Bank estimates $656 billion in global remittances in 2023. The G20 target is to reduce the average cost of remittances to 3% of the transaction value.

Visual Flow: Remittance Lifecycle

SENDER ONBOARDING & KYC (source country)
           ↓
SEND INTENT: Amount, destination country, recipient details
           ↓
FX RATE LOCK & FEE DISCLOSURE (CFPB/PSD2 required)
           ↓
AML / SANCTIONS SCREENING
           ↓
FUNDING: Card, bank account, cash, mobile wallet
           ↓
CROSS-BORDER TRANSFER: SWIFT, bilateral, crypto rail
           ↓
CORRESPONDENT BANK CHAIN (if applicable)
           ↓
RECEIVING PARTNER: Local bank / MTO / mobile money operator
           ↓
LAST-MILE DELIVERY: Bank credit, mobile wallet, cash pickup
           ↓
CONFIRMATION & TRACKING

5.1 Sender Onboarding

Remittance operators (MTOs) are regulated as Money Services Businesses (MSBs) in the US and Electronic Money Institutions (EMIs) or Payment Institutions (PIs) in the EU. KYC requirements are risk-tiered:

Occasional / low-value senders (<$1,000): Name, address, ID number may suffice (simplified due diligence). CFPB Remittance Rule requires disclosure of fees, exchange rate, and funds availability before each transfer.
Recurring or high-value senders: Full identity document verification, source of funds inquiry, EDD. US FinCEN Guidance FIN-2012-G002 addresses MSB KYC requirements.

5.2 FX Rate Lock & Fee Disclosure

Regulatory requirements mandate transparent fee disclosure before the sender commits:

CFPB Remittance Rule (US): Remittance transfer providers must disclose the exchange rate, all fees (including those charged by agents and recipient banks), and the exact amount to be received by the recipient, in writing before payment. A 30-minute cancellation window is mandatory.
PSD2 (EU): PSPs must disclose all charges and the exchange rate markup before execution of a cross-border payment in EU currency.

FX rate locking: The MTO either absorbs rate risk (offering a fixed rate for a window) or passes it to the sender. Large MTOs (Western Union, MoneyGram, Wise) hedge their FX exposure via forward contracts with banks, effectively pre-selling foreign currency at a known rate.

5.3 Cross-Border Transfer Mechanics

SWIFT MT103

For bank-to-bank remittances, the SWIFT MT103 (Single Customer Credit Transfer) is the standard message format. An MT103 carries: sender bank (BIC), receiver bank (BIC), amount, currency, value date, ordering customer details, beneficiary details, and charges instruction (SHA/OUR/BEN).

MT103 transit through a correspondent bank chain can add 1-5 business days and multiple fee deductions. SWIFT GPI (Global Payments Innovation) adds end-to-end tracking, fee transparency, and a same-day value guarantee (UETR tracking).

ISO 20022 Migration

SWIFT is migrating from MT to MX (ISO 20022) message formats, with the MT-to-MX coexistence period running through November 2025. ISO 20022 pacs.008 replaces MT103, carrying richer structured data: legal entity identifiers (LEIs), purpose codes, structured addresses. This enables straight-through processing (STP), improved sanctions screening (structured names vs. free text), and better reconciliation.

Bilateral & Aggregator Models

Large remittance corridors (US-Mexico, UK-India) support bilateral bank-to-bank connections maintained by major MTOs. The MTO holds pre-funded nostro accounts in the destination currency at a local bank in the receive country. When a transfer is initiated, the MTO debits its source-country account and instructs its destination-country correspondent to credit the recipient — no SWIFT needed for the cross-border leg. This model is faster and cheaper, driving rates below 1% in competitive corridors.

5.4 Last-Mile Delivery

Last-mile delivery is often the weakest link in remittance chains. Options include:

Bank credit: ACH or local real-time rail payment to recipient’s bank account. Requires recipient to be banked. Most prevalent in developed receive markets (Philippines, India).
Mobile money credit: Transfer to recipient’s M-PESA (Kenya), GCash (Philippines), or bKash (Bangladesh) wallet. Enables unbanked recipients to access funds via their mobile phone. Accounts for >50% of remittances to Sub-Saharan Africa.
Cash pickup: Recipient presents a confirmation code at an agent location (Western Union agent, local convenience store). Requires agent networks in the receive country. Increasingly used by elderly recipients and those without mobile money access.
Home delivery: Agent physically delivers cash to recipient’s address. Used in rural areas in some corridors.

Method	Requirement	Speed	Cost	Regions
Bank credit	Banked recipient	Minutes–D+1	Low	Global
Mobile money	Mobile phone + SIM	Seconds	Very Low	Africa, SEA
Cash pickup	ID at agent	Minutes	Medium	Global
Home delivery	Address access	Hours–D+1	High	Selective
Stablecoin off-ramp	Crypto wallet	Seconds	Very Low	Emerging

6. Payment Rails Deep Dive

6.1 ACH (Automated Clearing House) — US

ACH is the backbone of US bank-to-bank payments, processing ~31 billion transactions and $80 trillion annually. Operated by two ACH operators: the Federal Reserve (FedACH) and EPN (Electronic Payments Network, owned by The Clearing House). NACHA (National Automated Clearing House Association) sets the operating rules.

ACH Transaction Flow

Originator: A business or individual initiating the transaction, e.g., an employer running payroll.
ODFI (Originating Depository Financial Institution): The originator’s bank. Validates the ACH entry and submits it to the ACH operator. Bears warranty and return obligations.
ACH Operator: Sorts and routes entries to the appropriate RDFI. Processes in multiple batch windows throughout the day.
RDFI (Receiving Depository Financial Institution): The recipient’s bank. Receives the entry, posts to the account, and may return the entry if the account is closed, has insufficient funds, or authorization is revoked.

ACH Entry Types

Code	Type	Description
PPD	Prearranged Payment and Deposit	Consumer debits/credits with written authorization
CCD	Corporate Credit or Debit	Business-to-business transactions
WEB	Internet-Initiated/Mobile	Consumer debits initiated via web or mobile
TEL	Telephone-Initiated	Consumer debits authorized via telephone
IAT	International ACH Transaction	Cross-border ACH entries; triggers OFAC screening by the RDFI

ACH Return Codes

Code	Meaning
R01	Insufficient Funds — Account lacks funds; originator may retry
R02	Account Closed — Account no longer active; originator must obtain new authorization
R04	Invalid Account Number — Account number structure invalid
R07	Authorization Revoked by Customer — Consumer revoked debit authorization; originator must not retry
R10	Customer Advises Not Authorized — Consumer claims unauthorized debit; bank must comply or provide authorization evidence
R29	Corporate Customer Advises Not Authorized — Business version of R10

6.2 RTP (Real-Time Payments) — US

The Clearing House’s RTP network launched in 2017 as the first new US payment rail in 40 years. Key characteristics:

24/7/365 availability with final settlement in seconds
Credit push only — no debit pull
Transaction limit: $1,000,000 per transaction
Irrevocable — no returns after settlement (only refunds via new credit transfer)
Richer data: ISO 20022 messaging with up to 140 characters of remittance information
Request for Payment (RFP): payee sends a payment request; payer approves from their bank app
Coverage: ~75% of US demand deposit accounts (2024) through participating financial institutions

6.3 FedNow — US

The Federal Reserve’s FedNow service launched in July 2023, providing a second instant payment infrastructure in the US:

Operated by the Federal Reserve, giving community banks and credit unions direct access without intermediaries
24/7/365 availability; final settlement in seconds via Fed master accounts
Transaction limit: $500,000 per transaction (configurable by receiving institution)
ISO 20022 message standard
Participation growing — over 1,000 institutions enrolled by end of 2024
Like RTP: credit push only, irrevocable

6.4 SEPA (Single Euro Payments Area)

SEPA Credit Transfer (SCT)

Standard euro credit transfer within SEPA (36 countries). Uses IBAN+BIC addressing. Processing: D+1 business day. No transaction limit. Operated by national clearing houses interconnected via STEP2 (EBA Clearing) and local ACH equivalents.

SEPA Instant Credit Transfer (SCT Inst)

Real-time variant of SEPA CT, launched 2017. Max €100,000 per transaction, 10-second maximum processing time, 24/7/365. By 2024, over 95% of EU payment service providers are reachable. The EU Instant Payments Regulation (effective 2025) mandates all euro PSPs offer SCT Inst at no premium over standard SCT.

SEPA Direct Debit (SDD)

Two variants: SDD Core (consumer mandates) and SDD B2B (business mandates). The debtor provides a mandate authorizing the creditor to pull funds. Returns (chargebacks) are possible: 8 weeks for unauthorized transactions for consumers, up to 13 months. No equivalent to ACH’s unlimited return window in some dispute scenarios.

6.5 Faster Payments — UK

UK Faster Payments Service (FPS), operated by Pay.UK, processes bank transfers in seconds, 24/7/365. Key facts:

Launched 2008 — one of the world’s first real-time retail payment systems
Single transaction limit: £1,000,000 (bank-dependent; many banks cap lower)
Account number + sort code addressing (transitioning to CoP — Confirmation of Payee)
Paym: mobile-number-linked Faster Payments for peer-to-peer
New Payments Architecture (NPA): Pay.UK’s program to upgrade FPS infrastructure to ISO 20022 and support overlay services

6.6 SWIFT — Cross-Border Wires

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides the global messaging network connecting 11,000+ financial institutions in 200+ countries. SWIFT does not hold or move funds — it transmits standardized messages (MT or MX) instructing banks to move funds through correspondent banking relationships.

Message Type	Purpose
MT103	Cross-border customer credit transfer. Used for international wire transfers.
MT202/MT202 COV	Bank-to-bank transfers used to fund correspondent bank accounts (cover payments).
MX pacs.008	ISO 20022 equivalent of MT103, carrying richer structured data.

SWIFT GPI (Global Payments Innovation): Launched 2017, GPI adds a UETR (Unique End-to-End Transaction Reference) to every payment, enabling real-time tracking from sender to beneficiary. GPI members commit to same-day value (in local business hours) and full fee transparency. By 2023, over 4,000 banks are GPI members, carrying ~90% of SWIFT’s cross-border payment traffic.

6.7 Visa Direct & Mastercard Send

Card network push payment services enabling funds to be pushed to a debit or prepaid card in near real-time (typically 30 minutes, often seconds):

Visa Direct: Available in 180+ countries. Supports OCT (Original Credit Transaction) pushed to Visa debit/prepaid cards. Used for insurance payouts, gig payouts, P2P (Venmo, PayPal), gaming winnings.
Mastercard Send: Similar network push payment capability. Both networks charge issuers a per-transaction fee for incoming credits.

7. Payment Rails Comparison Table

Rail	Latency	Tx Limit	Reversible?	Availability	Primary Use Cases	Geographic Scope
ACH (Standard)	1-2 business days	$1M (NACHA)	Yes (return window: 2-60 days)	Batch windows (multiple/day)	Payroll, bill pay, B2B, direct deposit	US domestic
ACH (Same-Day)	Same business day	$1M (NACHA)	Yes (return window)	3 windows/day on business days	Urgent payroll, same-day bill pay	US domestic
RTP (The Clearing House)	Seconds (<30s)	$1,000,000	No (irrevocable)	24/7/365	Gig payouts, insurance, B2B, request for payment	US domestic
FedNow	Seconds	$500,000	No (irrevocable)	24/7/365	Community bank instant payments, government disbursements	US domestic
SEPA Credit Transfer (SCT)	D+1 business day	No limit	No (after settlement)	Business days (batch)	Business payments, consumer transfers, payroll in EU	36 SEPA countries (EUR only)
SEPA Instant (SCT Inst)	<10 seconds	€100,000	No (irrevocable)	24/7/365	E-commerce, P2P, real-time B2B	36 SEPA countries (EUR only)
Faster Payments (UK)	Seconds	£1M	No (irrevocable)	24/7/365	P2P, bill pay, e-commerce, SME payments	UK domestic (GBP)
SWIFT MT103 / MX pacs.008	1-5 business days	No limit (bank-set)	Conditional (recall/SWIFT GPI)	Business days (cut-off times)	International wires, corporate treasury, high-value cross-border	Global (190+ countries)
Visa Direct (OCT)	30 min typical (seconds possible)	~$10,000-50,000 (varies)	No (credit push)	24/7/365	Insurance, gig economy, gaming, P2P	180+ countries
Mastercard Send	Seconds to minutes	Varies by market	No	24/7/365	Disbursements, P2P, insurance payouts	100+ countries

8. Correspondent Banking & SWIFT GPI

8.1 Correspondent Banking

Correspondent banking is the mechanism by which banks in different countries provide services to each other to facilitate cross-border payments. Bank A in Singapore and Bank B in Nigeria may have no direct relationship. They transact through a chain of correspondent banks — intermediaries that maintain accounts in multiple currencies.

The Correspondent Chain

A typical international wire from a Singapore company to a Nigerian company might route:

Sender’s bank (DBS Singapore) → SWIFT MT103 → US Correspondent (Citibank New York) → SWIFT MT202 → Nigeria Correspondent (Standard Chartered Lagos) → Beneficiary’s bank (Zenith Bank Lagos) → Beneficiary account credit

Each hop adds: processing time (1 business day per hop typically), fees ($15-50 per correspondent), and a potential sanctions screening touchpoint.

Nostro/Vostro Account Management

Each correspondent bank in the chain holds a nostro account in the currency of the destination. Funds do not ‘travel’ — instead, the correspondent’s books are updated. The sending bank debits its nostro account at the correspondent; the correspondent credits the next bank in the chain or the beneficiary’s bank.

Liquidity management: Banks must maintain sufficient prefunded balances in nostro accounts to fund expected payment flows. Overnight, treasury teams reconcile nostro accounts (nostro reconciliation) and sweep excess balances back to maximize yield.

De-Risking

Since 2010, large US and European correspondent banks have systematically terminated correspondent relationships with banks in high-risk jurisdictions (Caribbean, Pacific islands, Central Asia, parts of Africa). The reason: the cost and liability of AML compliance for high-risk corridors outweighs the revenue. This ‘de-risking’ leaves some countries with restricted access to the global financial system, driving up the cost of remittances and limiting financial inclusion.

8.2 SWIFT GPI — Tracking & Transparency

SWIFT GPI (Global Payments Innovation) addresses the opacity and slowness of traditional correspondent banking:

UETR: Every GPI payment receives a Unique End-to-End Transaction Reference, a UUID that travels with the payment through every correspondent. This enables end-to-end tracking via the SWIFT Tracker API.
Same-day value rule: GPI member banks commit to crediting the beneficiary on the same day they receive funds (within local business hours), or to provide the reason for any delay.
Fee transparency: GPI banks disclose fees deducted at each stage, so the sender and receiver know exactly what was charged.
Payment pre-validation: SWIFT’s pre-validation service checks beneficiary account details (name, IBAN/account number, BIC) against the beneficiary bank’s records before the payment is sent, reducing reject rates.
Stop and recall: GPI enables rapid recall of mistaken or fraudulent payments, reducing the time to recall from weeks to hours in many cases.

8.3 Herstatt Risk

Definition: Herstatt Risk (Settlement Risk)

Named after the 1974 collapse of Bankhaus Herstatt, which received Deutsche Marks from counterparties in Germany but failed before making corresponding USD payments in New York, leaving counterparties with irrecoverable losses. Herstatt risk (also called FX settlement risk) arises when one leg of a currency exchange is settled but the other is not — due to time zone differences, system failures, or counterparty default. CLS (Continuous Linked Settlement) was established in 2002 to eliminate Herstatt risk by settling both legs of an FX trade simultaneously via a payment-versus-payment (PVP) mechanism across 18 currencies.

9. FX & Treasury

9.1 FX Execution

Whenever a cross-currency payment is required — a US-dollar purchase on a euro-denominated card, or a remittance from the US to Mexico — foreign exchange conversion must occur. FX execution in payments context:

Spot rate: The current interbank FX rate for immediate settlement (T+2 conventionally, though many digital platforms settle faster). Published by Reuters/Refinitiv and Bloomberg 24/5 during market hours.
Spread: The difference between the bid and ask rate. This is the primary FX revenue mechanism for MTOs and card issuers. A spread of 2-3% on a $200 remittance earns $4-6 in FX revenue.
Mark-up: A fixed or percentage markup applied to the mid-market rate. Wise (formerly TransferWise) disrupted the market by publishing the mid-market rate and charging a transparent fee, rather than embedding costs in an opaque spread.

9.2 Rate Locking

When a customer initiates a payment, they expect to know exactly how much the recipient will receive. Rate locking provides certainty:

Short-term lock (minutes): Sufficient for a typical online payment flow. The MTO assumes short-term rate movement risk.
Extended lock (hours): May be required for batch payouts. The MTO hedges using FX forwards.

9.3 FX Hedging Strategies

MTOs that lock rates for customers must hedge their resulting FX exposure:

Forward contracts: Agreement to buy or sell a specified amount of currency at a fixed rate on a future date. Matches the MTO’s payment obligation with a corresponding FX commitment.
FX options: The right (not obligation) to exchange at a fixed rate. More expensive than forwards but provides upside if rates move favorably.
Natural hedging: Matching incoming flows (customer funds) against outgoing flows (payouts) in the same currency pair, reducing the net position to be hedged.

FX treasury desks at major MTOs (Western Union, Wise, Remitly) run sophisticated hedging books, managing hundreds of currency pairs simultaneously. For illiquid pairs (e.g., USD/XOF — West African CFA franc), pre-funding is required — the MTO holds local currency on balance sheet, accepting FX risk on that balance.

9.4 FX Settlement Cut-Off Times

FX markets operate 24/5 but interbank settlement has cut-off times by time zone:

Time Zone	Cut-Off
Tokyo	15:00 JST
London	16:30 GMT
New York	16:00 EST

Correspondent bank cut-off times determine same-day value. A payment initiated after cut-off receives next-business-day value.

10. Payment Fraud Typologies

10.1 Card Testing

Card testing (also called card cracking or card validation fraud) is the process by which fraudsters validate stolen card credentials at scale before monetizing them. The attack pattern:

Step 1 — Data acquisition: Card details (PAN, expiry, CVV) are obtained from data breaches, dark web markets, or phishing. Prices range from $5 (basic card data) to $150 (full info with billing address and SSN for high-limit cards).
Step 2 — Automated testing: Bots submit hundreds or thousands of small-value authorizations ($0.01, $1.00) or zero-dollar authentications to test card validity. Targets: merchants with weak bot detection, charity donation forms, gift card purchase flows.
Step 3 — Monetization: Valid cards are used for large purchases, gift card purchases (most liquid), or resold on dark web markets at a premium.

Detection signals: Spike in low-value transactions or declines, many authorizations from the same IP/device, high decline rate on new merchant accounts, 3DS bypass patterns.

Prevention: CAPTCHA, device fingerprinting, velocity limits on micro-transactions, bot detection (Cloudflare, PerimeterX/HUMAN), CVV validation requirements, 3DS friction for anomalous transactions.

10.2 Account Takeover (ATO)

ATO occurs when an attacker gains unauthorized access to a legitimate customer account and uses it to initiate fraudulent transactions, change account details, or drain funds.

ATO Attack Vectors

Credential stuffing: Attackers use automated tools to test username/password combinations leaked from other breaches. Effective because ~65% of users reuse passwords. Defense: MFA, anomalous login detection, HIBP (Have I Been Pwned) credential monitoring.
Phishing: Victims are lured to a fake website that harvests credentials and OTPs. Increasingly sophisticated phishing kits relay credentials to real sites in real time, bypassing OTP MFA.
SIM swapping: Attacker convinces a mobile carrier to transfer the victim’s phone number to an attacker-controlled SIM, intercepting SMS OTPs. Defense: Use authenticator apps or hardware security keys (FIDO2/WebAuthn) instead of SMS OTP.
Malware / banking trojans: Malware installed on victim’s device captures credentials and session tokens. Mobile banking trojans overlay legitimate bank apps to harvest input.

Detection signals: Login from new device/location, rapid post-login password or contact change, unusual transaction patterns immediately after login, session from high-risk IP or VPN exit node.

10.3 Synthetic Identity Fraud

Synthetic identity fraud is the fastest-growing financial crime type in the US. It involves fabricating a new identity by combining real and fake personally identifiable information (PII), typically:

Real Social Security Number (often from a child, deceased person, or recent immigrant with no credit history)
Fabricated name, date of birth, and address
Constructed credit history: the synthetic identity is used to apply for secured credit cards, become an authorized user on someone else’s account, or open multiple accounts to build credit

The long game: Fraudsters ‘bust out’ — maxing out all available credit lines simultaneously and disappearing before the fraud is detected. Detection is difficult because the identity has a genuine credit history; there is no real victim to file a police report.

Detection: Machine learning models trained on identity graph features — email age, device consistency, SSN issuance state vs. stated residence, phone number type (VoIP flags synthetic), address clustering across multiple accounts.

10.4 First-Party Fraud

First-party fraud is committed by the actual account holder against the financial institution or payment ecosystem. Common patterns:

Friendly fraud: A cardholder makes a legitimate purchase, receives the goods or services, then disputes the charge as unauthorized to obtain a refund while keeping the merchandise. Online merchants bear the full chargeback loss including the chargeback fee. Estimated to account for 40-80% of all chargebacks, depending on sector.
Application fraud: Providing false information (inflated income, incorrect address) when applying for a financial product. Distinct from synthetic identity fraud in that a real person is the applicant.
Bust-out fraud: A legitimate account is established, credit is built over time, and then maximized before defaulting. Can look identical to financial distress.

Defense against friendly fraud: Robust delivery confirmation, signature requirement for high-value orders, 3DS authentication data (shifts liability to issuer for authenticated CNP transactions), compelling evidence programs under Visa Compelling Evidence 3.0 (CE3.0) allowing merchants to counter disputes with proof of prior legitimate use.

10.5 Money Mule Networks

Money mules are individuals who receive stolen funds in their bank accounts and transfer them to the criminals, taking a commission. They are often recruited via romance scams, work-from-home job scams, or social media.

Mule Typologies

Unwitting mule: Victim believes they have a legitimate job (e.g., ‘payment processor’). They receive and forward funds without understanding they are laundering money.
Knowing mule: Participant knowingly enables the scheme for financial gain.
Professional money launderer: Sophisticated operator structuring funds through multiple accounts, shell companies, and currencies.

Detection: Graph analysis identifying clusters of accounts with similar transaction patterns (receive large credit, immediately wire out), new account opening with rapid high-value activity, accounts receiving payments from known fraud typologies, device sharing across multiple accounts.

10.6 Friendly Fraud in Detail

With the rise of CNP e-commerce, friendly fraud has become a systemic problem for merchants. The dispute process is asymmetric: the issuer has an obligation to investigate on behalf of the cardholder, but the burden of proof falls on the merchant to provide compelling evidence. Key evidence types include: order confirmation emails, delivery tracking with GPS coordinates, IP address and device matching prior legitimate transactions, product usage logs (for digital goods), and 3DS authentication records.

Visa CE3.0 (effective April 2023) allows merchants to dispute fraud chargebacks by demonstrating two prior non-disputed transactions from the same cardholder at the same merchant, sharing device or IP data, to prove the cardholder was indeed the purchaser.

11. EU Regulatory Landscape

11.1 PSD2 & Strong Customer Authentication (SCA)

The revised Payment Services Directive (PSD2), effective January 2018 with SCA requirements phased in through 2021, fundamentally transformed EU payments:

Open Banking (Third-Party Provider Access)

PSD2 mandates that account-servicing payment service providers (ASPSPs — typically banks) provide API access to licensed Third-Party Providers (TPPs):

AISP (Account Information Service Provider): Licensed to access account balance and transaction data with customer consent. Used by personal finance management apps, credit assessment platforms.
PISP (Payment Initiation Service Provider): Licensed to initiate payments from customer accounts. Used by e-commerce checkout providers that bypass card networks.
CBPII (Card-Based Payment Instrument Issuer): Can check whether funds are available without initiating a transaction — used by card issuers.

SCA Technical Standards (RTS on SCA)

SCA requires two of three factors: knowledge (PIN/password), possession (phone, hardware token), inherence (biometric). The RTS specifies implementation details:

Dynamic linking: The authentication must be linked to the specific transaction amount and payee — the one-time code must be bound to these values so interception cannot redirect the payment.
Independence: The two authentication factors must be from independent channels/devices — SMS OTP on the same phone as the banking app does not fully satisfy independence requirements.
Session token: 90-day re-authentication required for AISP access even with active consent.

SCA Exemptions

Low-value payments: <€30 and cumulative <€100 or 5 transactions since last SCA.
Trusted beneficiaries: Customer whitelists a payee; subsequent payments to that payee exempt.
Recurring transactions: Fixed-amount recurring payments to the same payee — SCA only on first.
Corporate payments: Payments initiated via dedicated corporate processes with legal entity authentication.
Transaction Risk Analysis (TRA): PSPs with fraud rates below specified thresholds may apply TRA exemptions — 0.13% fraud rate allows exemption for transactions up to €100; 0.06% for €250; 0.01% for €500.

11.2 SEPA Scheme Rules

SEPA payment schemes are governed by the European Payments Council (EPC) through payment scheme rulebooks:

SCT Rulebook: Defines message formats (pacs.008 XML / ISO 20022), processing obligations, and participant responsibilities for standard credit transfers.
SCT Inst Rulebook: Same, plus 10-second processing requirement, 24/7 availability obligation, and €100,000 transaction limit.
SDD Core Rulebook: Consumer direct debit mandates, 8-week no-questions-asked reversal right, 5-day pre-notification of debits.
SDD B2B Rulebook: Business direct debit with shorter return windows and no unconditional refund right.

11.3 EBA Guidelines on Operational & Security Risk

The European Banking Authority (EBA) issues guidelines under PSD2 that all EU payment service providers must comply with:

EBA/GL/2017/17 — Security Measures: PSPs must implement logical access controls, network security, cryptographic controls, and incident management. Annual security risk assessment required.
EBA/GL/2021/03 — Major Incident Reporting: PSPs must report major operational or security incidents to their national competent authority within 4 hours of classification, with intermediate and final reports.
DORA (Digital Operational Resilience Act): Effective January 2025, DORA imposes unified ICT risk management, incident reporting, and third-party risk management requirements across all EU financial entities, including payment institutions.

The General Data Protection Regulation (GDPR) applies to all processing of EU residents’ personal data, including payment transaction data. Key implications for payment providers:

Lawful basis: Processing payment data requires a lawful basis — typically contract (necessary to execute the payment) or legal obligation (AML/CFT compliance, tax reporting).
Data minimization: PSPs must not collect more personal data than necessary for the payment purpose.
Retention limits: AML regulations may require transaction data retention for 5-10 years; GDPR requires deletion once the retention purpose expires.
Cross-border transfers: Transferring EU payment data to non-EEA countries requires adequate safeguards (Standard Contractual Clauses, adequacy decisions).
Right of erasure: Cardholders may request deletion of their data; this must be balanced against AML retention obligations (legal obligation overrides erasure right).
PSD2 explicit consent for AISP/PISP: Strong data protection requirements apply — consent must be specific, informed, and freely given; data may only be used for the specific purpose authorized.

11.5 PSD3 / PSR — The Next Generation

The European Commission published proposals for PSD3 and the Payment Services Regulation (PSR) in June 2023. Key changes relative to PSD2:

Open finance: Expanding data sharing beyond payments to include savings, investments, pensions, and insurance products.
Liability framework for APP fraud: Mandatory liability sharing between sending and receiving PSPs for authorized push payment (APP) fraud losses — aligning with the UK’s mandatory reimbursement regime.
PSR as directly applicable regulation: Unlike PSD2 (a Directive requiring national implementation), PSR will apply directly in all member states, reducing fragmentation.
Strengthened SCA: IBAN-name verification (equivalent to UK’s Confirmation of Payee) mandatory before first payment to a new beneficiary.
Non-bank PSP access to payment systems: Non-bank PSPs to have a right to access EU payment systems directly (not only through bank sponsors).

11.6 EU vs. US Regulatory Approach

Dimension	EU Approach	US Approach
Primary framework	PSD2/PSD3 (Directive/Regulation) — harmonized EU-wide rules	Fragmented: FinCEN (federal AML), state money transmitter licenses (50 states), CFPB (consumer protection), OCC (national banks)
Open banking	Mandated API access (PSD2 TPP framework)	Market-led; CFPB Section 1033 rulemaking (finalized 2024) introduces rights, but implementation voluntary
SCA / Authentication	Mandatory SCA for electronic payments (RTS)	3DS not mandated; fraud liability rules incentivize but do not require
Interchange caps	Consumer debit: 0.2%, credit: 0.3% (IFR)	Durbin Amendment caps debit for large issuers; credit interchange unregulated
Instant payments	EU Instant Payments Regulation mandates SCT Inst at no premium	FedNow/RTP voluntary; no mandate
Data protection	GDPR — comprehensive, extraterritorial	Sectoral (GLBA for finance, HIPAA for health); no federal equivalent to GDPR
AML	AMLD6 + national transposition; EBA AML guidelines	BSA/AML (FinCEN); Patriot Act; NDAA 2021 enhanced UBO requirements (CTA)
Licensing	Passportable PI/EMI license (one EU state covers all)	State-by-state MTL required; Money Transmitter Bonds; no federal license for non-banks

12. Regulatory Landscape Overview

12.1 US Regulatory Framework

Bank Secrecy Act (BSA) / AML: The primary US AML legislation, requiring financial institutions to establish AML programs, file SARs and CTRs, maintain records, and comply with FinCEN rules. FinCEN administers BSA.
USA PATRIOT Act (2001): Strengthened KYC requirements, mandated Customer Identification Programs (CIP) for banks, and expanded information-sharing between financial institutions and law enforcement (Section 314(b) voluntary sharing).
Dodd-Frank Act (2010): Established CFPB; created Durbin Amendment capping debit interchange; Section 1073 established the Remittance Transfer Rule.
CFPB Remittance Rule (Regulation E, Subpart B): Requires fee and rate disclosure before each transfer, 30-minute cancellation right, error resolution procedures, and receipts in Spanish and other languages for covered transfers.
PCI-DSS: Payment Card Industry Data Security Standard — technically a contractual requirement (not law) imposed by card networks, but effectively mandatory for any entity storing, processing, or transmitting card data. Version 4.0 effective March 2024 with enhanced requirements for customized approach and targeted risk analysis.
Corporate Transparency Act (CTA, 2024): Requires US companies to report beneficial ownership information (BOI) to FinCEN, addressing shell company opacity used in money laundering.

12.2 International Frameworks

FATF (Financial Action Task Force): Inter-governmental body setting global AML/CFT standards. 40 Recommendations and 11 Immediate Outcomes. FATF grey-listing (enhanced monitoring) and black-listing (call for action) create significant de-risking pressure on affected jurisdictions.
Basel Committee AML guidelines: The Basel Committee provides guidance to banking supervisors on managing ML/TF risks in correspondent banking and de-risking.
MiCA (Markets in Crypto-Assets Regulation, EU 2024): Regulates issuers of crypto-assets and crypto-asset service providers (CASPs) in the EU. Imposes AML, KYC, and operational requirements on stablecoin issuers and exchanges relevant to payment use cases.

13. Scheme Rules & Compliance

13.1 Visa & Mastercard Operating Rules

Card network operating regulations are binding contracts between network participants (issuers, acquirers, PSPs). Key rule areas:

Honor All Cards: Merchants accepting Visa/Mastercard must accept all Visa/Mastercard cards — they cannot selectively accept only debit or only certain product types (with some exceptions for high-value cards).
Surcharging: Card networks restrict surcharging of card transactions. Visa/Mastercard permit surcharges in markets where legally allowed (US — up to the merchant’s actual cost of acceptance, capped at 3%; prohibited in EU under IFR). Surcharge disclosure requirements must be followed.
Chargeback monitoring: Networks monitor acquirers and merchants for excessive chargeback rates. Merchants exceeding thresholds (Visa: >1% chargeback-to-transaction ratio for 2 consecutive months and >100 chargebacks; Mastercard: >1.5% or >100 chargebacks) are placed in monitoring programs subject to fines and termination.
PCI-DSS compliance: Networks require all participants to comply with PCI-DSS. Non-compliance can result in fines ($5,000-$200,000/month) and ultimately suspension from the network.
Data use restrictions: Cardholder data may only be used for the purpose for which it was collected. Selling transaction data to third parties without cardholder consent violates scheme rules.

13.2 NACHA Rules

NACHA’s operating rules govern ACH payments in the US. Key provisions:

Authorization requirements: Written, oral, or internet authorization required before originating a debit entry. Authorization must be retained for 2 years after revocation.
Unauthorized return rate: ODFIs must maintain unauthorized debit return rates below 0.5%. Exceeding this triggers NACHA investigation and potential suspension.
Account validation: Since 2022, WEB debit entries require account validation (IAV or prenote) for new or modified account numbers.
Same-Day ACH: NACHA rules governing timing, eligibility, and network fee ($0.052 per transaction) for same-day ACH.
WEB Debit Rule: Requires commercially reasonable fraud detection for internet-initiated debits; annual review required.

13.3 SWIFT Compliance Requirements

Know Your Customer (KYC): SWIFT’s KYC Registry allows banks to share standardized KYC documents with correspondent banks through a centralized platform, reducing bilateral KYC duplication.
The Wolfsberg Group: An association of 13 global banks that publishes anti-money laundering principles and guidance for correspondent banking, trade finance, and SWIFT compliance.
SWIFT Customer Security Programme (CSP): Mandatory controls that SWIFT member institutions must implement to protect their SWIFT infrastructure from cyberattack, following the 2016 Bangladesh Bank heist ($81M stolen via compromised SWIFT credentials).

14. Failure Modes & Exception Handling

14.1 Card Payment Failures

Failure Type	Cause	Resolution
Soft decline (05 Do Not Honor)	Issuer policy, temporary block, or risk score too high	Cardholder contacts issuer; merchant may retry once
Hard decline (14 Invalid Card No.)	Invalid PAN (Luhn check fail or wrong number)	Do not retry; cardholder must use different card
Expired authorization	Capture submitted more than 7-30 days after auth (varies by network)	Re-authorize before capturing
Duplicate submission	Same transaction submitted twice (system error)	De-duplicate via idempotency key; reverse duplicate
Timeout (no response)	Issuer or network unavailable within response window	Reverse the authorization; log for retry or stand-in
Stand-in processing	Issuer offline; network approves up to floor limit	Network assumes liability up to floor; reconcile when issuer reconnects
Partial authorization	Insufficient funds for full amount; issuer approves partial	Merchant accepts partial; applies split-tender for remainder or declines

14.2 ACH Returns & NOCs

ACH returns must be processed within 2 business days (administrative returns) or up to 60 calendar days (consumer unauthorized). The RDFI returns the entry with a standard R-code. The ODFI must pass the return through to the originator.

A Notification of Change (NOC) is different from a return — the payment completes but the RDFI notifies the ODFI that account details have changed (e.g., account number or routing number). The originator must update records and correct future entries within 6 banking days.

14.3 SWIFT Repair Queues

Incoming SWIFT messages that cannot be processed automatically enter a repair queue for manual intervention. Common repair reasons:

Incomplete or missing BIC/IBAN for beneficiary
Sanction screening hit requiring compliance review
Formatting errors in structured field data
Insufficient correspondent account balance
Missing mandatory ISO 20022 fields (for MX messages)

Messages in repair queues add 1+ business days to settlement. SWIFT GPI’s pre-validation service reduces repair rates by catching data issues before the payment is sent.

14.4 Reconciliation Breaks

Reconciliation breaks occur when transaction records across systems don’t match. Common causes:

Timing differences: Authorization recorded today; capture batch sent tomorrow. Records span two settlement dates.
Partial settlements: Multi-leg transactions partially settled; one leg missing from settlement file.
Fee calculation differences: Different systems apply different interchange rules or fee rounding.
Currency conversion rounding: Rounding differences in FX conversion at different decimal precisions.
Duplicate entries: Same transaction entered twice due to system retry without idempotency.

Resolution requires automated break detection with threshold rules (breaks below $0.01 may be auto-cleared), escalation workflows for large breaks, and root cause analysis to prevent recurrence.

15. Emerging Topics

15.1 ISO 20022 Global Migration

ISO 20022 is a universal financial messaging standard using XML-based message schemas with rich structured data. It is replacing legacy message formats across all major payment systems:

SWIFT: MT-to-MX coexistence period ended November 2025; all cross-border payments now use MX (pacs.008, pacs.009, etc.)
SEPA: All SEPA schemes native ISO 20022
FedNow and RTP: Native ISO 20022 from launch
UK CHAPS: Migrated to ISO 20022 in 2024
Fedwire Funds Service: Migration planned for 2025-2027

Benefits: Richer data enabling straight-through processing, improved sanctions screening (structured names rather than free text), enhanced fraud detection, better reconciliation, and interoperability across systems. Data fields include: Legal Entity Identifiers (LEIs), purpose codes, structured remittance information, and extended character sets for non-Latin scripts.

15.2 FedNow Adoption

FedNow’s July 2023 launch marked a significant expansion of US instant payment infrastructure. Key developments:

Over 1,000 financial institutions enrolled by end 2024 (out of ~10,000 US banks and credit unions)
Federal Reserve’s direct operation gives community banks and credit unions access without requiring a bank sponsor intermediary
Interoperability with RTP through a bridge arrangement allows FedNow banks to send to RTP banks and vice versa
Use cases expanding from payroll to government benefits, insurance, and B2B payments
Adoption accelerating as software providers (Jack Henry, FIS, Fiserv) integrate FedNow into core banking platforms

15.3 Central Bank Digital Currencies (CBDCs)

Over 130 countries are exploring or developing CBDCs — digital forms of central bank money. In the payments context:

Retail CBDC: Digital currency held directly by consumers and businesses at the central bank or via intermediaries. Could enable instant, final settlement without correspondent banks. Policy concerns: bank disintermediation, financial stability risk.
Wholesale CBDC: Restricted to financial institutions. Enables faster interbank settlement and could replace nostro/vostro arrangements for cross-border payments. Project mBridge (BIS Innovation Hub, 2024) demonstrated multi-CBDC cross-border payments.
US status: Fed has conducted research (Project Hamilton, MIT CBDC research) but no political consensus on issuance. The CBDC Anti-Surveillance State Act (introduced 2023) reflects Congressional resistance.
EU Digital Euro: ECB investigation phase completed 2023; preparation phase launched. Expected to complement — not replace — cash and private payment methods.

15.4 Open Banking & API Payments

Open banking, enabled by PSD2 in the EU and market-led developments in the US, is creating new payment flows that bypass card networks:

A2A (Account-to-Account) payments: PISP-initiated instant bank payments at checkout. Lower cost than cards (no interchange), irrevocable, instant settlement. Growing in the UK (Open Banking payments exceeded 14 million monthly in 2023) and Netherlands, Poland, and Germany.
Variable Recurring Payments (VRP): A PSD2/open banking overlay service allowing consumers to give sweeping mandates to trusted third parties to make recurring A2A payments on their behalf — more flexible than direct debit mandates.
Request to Pay (RTP overlay): A payer requests a payment from a payee via a messaging layer built on instant payment rails. UK’s Pay.UK Request to Pay service launched 2021.

15.5 Stablecoin Settlement Rails

Stablecoins — crypto-assets pegged to fiat currencies — are increasingly explored as cross-border settlement infrastructure:

USDC / USDT: USD-pegged stablecoins used for cross-border B2B settlements, particularly in corridors where correspondent banking is expensive or restricted. Settlement in seconds on blockchain rails (Ethereum, Solana, Stellar).
Use case: A US company pays a supplier in Nigeria: USD → USDC → transfer on-chain in seconds → USDC → NGN via local off-ramp. Eliminates multi-day SWIFT chain and correspondent fees.
Regulatory status: EU MiCA regulates stablecoin issuers. US: GENIUS Act (Stablecoin Bill, 2024) advancing through Congress. Regulatory clarity remains the key adoption hurdle for institutional use.
Risks: Smart contract vulnerabilities, custody risk, liquidity risk during depegging events (UST/LUNA collapse 2022), regulatory uncertainty.

16. Cross-Cutting Engineering Concerns

16.1 Idempotency

In distributed payment systems, network failures may cause a request to be delivered once, twice, or not at all. Without idempotency controls, a retry can result in duplicate charges or double payouts. Idempotency key pattern:

Client generates a unique idempotency key (UUID) for each logical operation
The key is included in the API request header
Server stores the key and its result; subsequent requests with the same key return the stored result without re-executing
Keys expire after a defined period (24-48 hours)

All major payment APIs (Stripe, Braintree, Adyen) require idempotency keys for payment operations. This is non-negotiable for production payment systems.

16.2 Double-Entry Ledger Design

Every financial system must implement double-entry bookkeeping: every debit has a corresponding credit. Violating this principle creates unexplained ledger imbalances (‘breaks’).

Ledger entries: Each transaction produces at minimum two ledger entries: a debit to one account and a credit to another. Total debits must always equal total credits across all accounts.
Immutable append-only ledger: Correction of errors is done via reversal entries (a new entry offsetting the original), never by modifying existing records. This ensures an unambiguous audit trail.
Account types: Asset accounts (bank accounts, receivables), liability accounts (customer deposits, merchant reserves), revenue accounts (fees, interest), and equity accounts. The accounting equation (Assets = Liabilities + Equity) must hold at all times.

16.3 Audit Trails

Payment systems must maintain complete, tamper-evident audit trails for regulatory compliance (AML data retention: typically 5-10 years) and dispute resolution. Requirements:

Every state change to a transaction must be logged with timestamp, actor (user, system), action, before and after state
Logs must be write-once / append-only; no deletion or modification permitted
Logs must be replicated across multiple data centers for availability
Access to logs must be restricted (IAM controls) and itself logged
Audit log integrity should be verified (cryptographic hashing of log chains)

16.4 Operational Resilience

Payment systems are critical infrastructure. Operational resilience requirements:

RTO/RPO: Recovery Time Objective (how quickly after failure) and Recovery Point Objective (maximum data loss) must be defined and tested. For real-time payment rails, RTO < 1 hour is typically required.
Circuit breakers: When downstream services (issuer host, card network) are degraded, circuit breakers prevent cascading failures by failing fast and returning graceful errors.
Graceful degradation: If a non-critical component fails (e.g., real-time fraud scoring), the system should fall back to static rules rather than rejecting all transactions.
Chaos engineering: Proactively inject failures in non-production environments to test resilience. Netflix’s Chaos Monkey approach applied to payment systems.
DORA (EU, 2025) mandates operational resilience testing including threat-led penetration testing (TLPT) and ICT third-party risk management for financial entities.

16.5 Data Residency & Sovereignty

Many jurisdictions impose data residency requirements on payment transaction data:

India: RBI Storage of Payment System Data circular (2018) mandates all payment data related to Indian customers be stored only in India. Affects global PSPs (Visa, Mastercard, Stripe) operating in India.
Russia: Federal Law 242-FZ requires personal data of Russian citizens stored in Russia.
EU (GDPR): Not a residency mandate per se, but cross-border transfers to non-adequate countries require safeguards.
China: Cybersecurity Law and PIPL mandate data localization for certain categories of data.

Implementation implications: Multi-region architecture with data partitioning by geography, separate encryption key management per region, compliance with access restrictions (e.g., EU data not accessible to US-based personnel without legal basis).

17. Key Takeaways

#	Core Principle
1	Every payment touches multiple regulated entities — understanding each participant’s role is foundational to designing compliant systems.
2	Authorization and settlement are different events — authorized funds may never be captured; unsettled funds create risk.
3	Rail selection is not arbitrary — speed, cost, reversibility, geography, and use case requirements all constrain the optimal choice.
4	AML/CFT is a continuous obligation — not a one-time check at onboarding. Transaction monitoring must be ongoing.
5	Fraud and compliance are not the same discipline — fraud is about financial loss to the institution; AML is about criminal activity in the financial system. Both require dedicated programs.
6	SCA/3DS shifts liability — successful 3DS authentication shifts chargeback liability from the acquirer/merchant to the issuer in CNP transactions.
7	ISO 20022 is the future — all major payment rails are migrating. New systems should be built natively on ISO 20022.
8	Idempotency is mandatory — any payment API must implement idempotency keys to prevent duplicate transactions.
9	Audit trails must be immutable — logging is not enough; logs must be write-once, replicated, and access-controlled.
10	De-risking is a structural problem — correspondent banking access is not guaranteed; payment providers must maintain diversified correspondent relationships.

18. Glossary

Term	Definition
ACH	Automated Clearing House — the US interbank electronic payment network governed by NACHA.
AISP	Account Information Service Provider — a PSD2-licensed entity that accesses bank account data with customer consent.
AML	Anti-Money Laundering — regulations and processes to detect and prevent the laundering of criminal proceeds through the financial system.
ARQC	Authorization Request Cryptogram — a transaction-unique cryptogram generated by an EMV chip card proving card presence.
ATO	Account Takeover — unauthorized access to a customer’s account by an attacker.
AVS	Address Verification Service — a fraud tool comparing billing address elements against issuer records for CNP transactions.
BIC	Bank Identifier Code — an 8 or 11-character code identifying a financial institution in SWIFT messages (also called SWIFT code).
BSA	Bank Secrecy Act — the primary US AML legislation administered by FinCEN.
CBDC	Central Bank Digital Currency — digital money issued directly by a central bank.
CFT	Countering the Financing of Terrorism — measures to prevent terrorist organizations from accessing financial resources.
CNP	Card-Not-Present — a transaction where the physical card is not used at a terminal (e.g., e-commerce, phone orders).
CTA	Corporate Transparency Act — US law requiring beneficial ownership reporting to FinCEN.
CTR	Currency Transaction Report — a BSA-required report for cash transactions exceeding $10,000.
CVV2/CVC2	Card Verification Value / Code — a 3-4 digit security code on a card, known only to the issuer.
DORA	Digital Operational Resilience Act — EU regulation mandating ICT risk management for financial entities, effective January 2025.
EDD	Enhanced Due Diligence — heightened KYC procedures applied to high-risk customers (PEPs, high-risk jurisdictions).
EMV	Europay, Mastercard, Visa — the global standard for chip-based payment cards and terminals.
FATF	Financial Action Task Force — the inter-governmental body setting global AML/CFT standards.
FinCEN	Financial Crimes Enforcement Network — the US Treasury bureau administering BSA and collecting SARs.
FPS	Faster Payments Service — the UK’s real-time bank payment infrastructure.
GPI	Global Payments Innovation — SWIFT’s enhanced service for cross-border payments with tracking and same-day value guarantee.
IBAN	International Bank Account Number — a standardized account number format used in SEPA and many international transfers.
IAT	International ACH Transaction — an ACH entry involving a cross-border component, triggering OFAC screening at the RDFI.
ISO 20022	The international standard for financial messaging, using XML schemas with rich structured data fields.
KYB	Know Your Business — due diligence processes for onboarding business customers, including UBO identification.
KYC	Know Your Customer — identity verification and due diligence for individual customers.
MCC	Merchant Category Code — a 4-digit code classifying a merchant’s business type, used in interchange rate determination and fraud rules.
MNPI	Material Non-Public Information — information about a publicly traded company that is not yet public and would affect its stock price.
MSB	Money Services Business — a non-bank entity engaged in currency exchange, money transmission, or check cashing, regulated by FinCEN and states.
MT103	SWIFT message type for a single customer credit transfer (cross-border wire).
MTO	Money Transfer Operator — a non-bank entity providing international money transfer services.
NFC	Near-Field Communication — the wireless technology enabling contactless card and mobile payments.
NOC	Notification of Change — an ACH message from the RDFI notifying the ODFI that account details have changed.
OCT	Original Credit Transaction — a Visa Direct push payment crediting funds to a debit or prepaid card.
ODFI	Originating Depository Financial Institution — the bank that initiates an ACH entry on behalf of an originator.
OFAC	Office of Foreign Assets Control — the US Treasury bureau administering sanctions against foreign countries and individuals.
P2PE	Point-to-Point Encryption — encryption of card data from terminal to secure decryption environment, reducing PCI-DSS scope.
PAN	Primary Account Number — the 16-digit card number.
PayFac	Payment Facilitator — an entity that aggregates sub-merchants under a master merchant account.
PCI-DSS	Payment Card Industry Data Security Standard — the security standard for entities storing, processing, or transmitting card data.
PEP	Politically Exposed Person — a senior government official or their close associate, subject to enhanced due diligence.
PISP	Payment Initiation Service Provider — a PSD2-licensed entity that initiates payments from a customer’s bank account.
PSP	Payment Service Provider — a broad term for entities providing payment acceptance and processing services to merchants.
PSD2	Payment Services Directive 2 — the EU directive mandating open banking API access and strong customer authentication.
RDFI	Receiving Depository Financial Institution — the bank receiving an ACH entry on behalf of the recipient.
RTP	Real-Time Payments — The Clearing House’s instant payment network in the US.
SAR	Suspicious Activity Report — a confidential report filed with FinCEN when a financial institution suspects money laundering or other financial crime.
SCA	Strong Customer Authentication — PSD2-mandated two-factor authentication for electronic payments in the EU.
SCT	SEPA Credit Transfer — the standard euro credit transfer scheme.
SCT Inst	SEPA Instant Credit Transfer — the real-time variant of SEPA CT, settling in under 10 seconds.
SEPA	Single Euro Payments Area — a 36-country zone for harmonized euro payments.
SWIFT	Society for Worldwide Interbank Financial Telecommunication — the global messaging network for financial institutions.
TMS	Transaction Monitoring System — software that monitors payment transactions for suspicious activity patterns.
Travel Rule	FATF Recommendation 16 requiring originator and beneficiary information to travel with wire transfers above threshold.
UBO	Ultimate Beneficial Owner — the natural person who ultimately owns or controls a legal entity.
UETR	Unique End-to-End Transaction Reference — a UUID assigned to each SWIFT GPI payment for tracking.
VRP	Variable Recurring Payments — open banking mandate type allowing flexible recurring A2A payments.

19. Further Reading & Authoritative Sources

International Organizations

BIS (Bank for International Settlements): bis.org — CPMI publications on payment systems, fast payment systems, CBDC research, and FX settlement risk.
FSB (Financial Stability Board): fsb.org — Cross-border payments roadmap, stablecoin regulation, and NBFI oversight.
FATF (Financial Action Task Force): fatf-gafi.org — 40 Recommendations, guidance on virtual assets, Travel Rule implementation, and mutual evaluation reports.
World Bank Remittances: worldbank.org/remittances — Remittance Prices Worldwide database and remittance cost statistics.

US Regulatory Agencies

FinCEN: fincen.gov — BSA requirements, SAR filing guidance, advisories, and NSBA/AML guidance.
Federal Reserve: federalreserve.gov — FedNow documentation, Fedwire rules, payment system reports.
CFPB: consumerfinance.gov — Remittance Transfer Rule (Regulation E Subpart B), open banking Section 1033 rules.
OCC: occ.gov — Bank technology guidance, fintech licensing, BSA/AML supervisory guidance.

EU Regulatory Bodies

EBA (European Banking Authority): eba.europa.eu — PSD2 technical standards, AML/CFT guidelines, DORA implementation standards.
ECB (European Central Bank): ecb.europa.eu — Digital euro research, SEPA statistics, payment system oversight.
European Payments Council: europeanpaymentscouncil.eu — SEPA scheme rulebooks, implementation guidelines.

Industry Standards Bodies

SWIFT: swift.com — MT/MX message standards, GPI documentation, KYC Registry.
NACHA: nacha.org — ACH operating rules, same-day ACH rules, WEB debit rule.
PCI SSC (Payment Card Industry Security Standards Council): pcisecuritystandards.org — PCI-DSS, PA-DSS, P2PE, tokenization standards.
EMVCo: emvco.com — EMV chip specifications, 3-D Secure (EMV 3DS) specifications, tokenization.

Key Publications

BIS CPMI: ‘Fast Payments — Enhancing the Speed and Availability of Retail Payments’ (2016)
BIS CPMI: ‘Enhancing Cross-Border Payments’ — G20 Roadmap (2020-ongoing)
Federal Reserve: ‘Strategies for Improving the U.S. Payment System’ (FedPayments Improvement)
FATF: ‘Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers’ (2021)
World Bank: ‘Remittances Prices Worldwide’ — Quarterly database of remittance costs by corridor
EBA: ‘Guidelines on the Security of Internet Payments’ and ‘Guidelines on Fraud Reporting under PSD2’