The fraud tax that's quietly killing fintech margins — and what no one reports
Fraud rates in fintech grew 156% year-over-year in 2024. In Mexico, identity theft fraud jumped 77% in a single year — and financial institutions reimbursed just 1.4% of affected users. The great fintech opportunity is real. So is the great fintech liability. And the two are connected in ways most platforms would rather not discuss publicly.
There is a number that does not appear in any fintech pitch deck, any Series B memo, or any investor relations call. It does not appear in the beautifully designed annual report showing user growth, NPS improvement, and revenue per active customer. The number is the real cost of fraud — not the fraud that is detected and blocked, which gets reported as evidence of the platform's effectiveness. The fraud that gets through. The fraud that is absorbed as a cost of doing business, averaged into the unit economics, and quietly subsidized by the capital that was raised to grow the company. In Mexico alone, financial fraud losses reached approximately MX$14.5 billion in 2024 — roughly US$760 million — according to CONDUSEF. Identity theft and banking data theft were the primary causes in nearly 40% of cases. And financial institutions reimbursed just 1.4% of affected users. That's not a statistic about fraud. It's a statistic about who pays for it — and it isn't the platform.
The fintech that does not have a real-time fraud detection architecture is not just accepting risk — it is actively transferring that risk to its customers, its investors, and eventually its regulators. The moment regulators start asking specific questions about reimbursement rates and detection gaps, the platform discovers that "we have a fraud team" is not the same answer as "we have a fraud architecture."
The four angles of the same problem
Fintech fraud is not one problem with one solution. It is four interconnected problems that look different from the outside but share the same root: platforms that grew faster than their operational and security infrastructure, financed by capital that had no patience for the "boring" work of risk architecture. Understanding each angle is how you understand why the aggregate numbers are so large — and why the opportunity to fix it is equally large.
Angle 1: The opacity problem — what doesn't get reported
CONDUSEF data represents what gets formally reported. Industry experts in Mexico consistently estimate that only 10% to 20% of actual digital financial fraud reaches formal complaint channels. The rest is absorbed silently: the user who doesn't know they can complain, the small transaction that isn't worth the friction of reporting, the business that writes off the loss rather than document the incident. Mexico experienced a 324% increase in account takeover attacks between the end of 2024 and early 2026, according to BioCatch — making it the highest-growth fraud target in all of Latin America, significantly ahead of Colombia's 188% increase. That escalation also came with a 234% increase in fraud involving remote-access tools and a 150% rise in social engineering attacks. The published loss numbers are the floor, not the ceiling.
The opacity extends to the fintechs themselves. NuBank does not publish Mexico-specific fraud loss data. Clip, Kueski, and Konfío do not disclose their fraud rates. Three Mexican financial institutions were sanctioned by the U.S. Treasury in June 2025 for facilitating money laundering — a risk that emerges precisely from the absence of real-time monitoring at the operational level. CONDUSEF reported a 155% year-over-year jump in mobile banking fraud complaints in one quarter alone. When the reported data jumps that fast, the unreported data is moving faster.
Angle 2: The consumer trap — who really pays
Here is the part that users rarely understand: when a fintech gives you a credit card with minimal verification, a wallet with instant activation, or a buy-now-pay-later product with no underwriting friction — that generosity is not philanthropy. It is a calculated bet on your behavior at scale, partially subsidized by venture capital. The fraud losses that result from that approach are built into the unit economics as a cost of acquisition. When the fraud exceeds the model's assumptions, it becomes a solvency question disguised as a risk management one.
NuBank — the largest neobank in Latin America with over 100 million customers — reported a credit loss provision of US$1.4 billion in 2023, driven in part by aggressive expansion into riskier credit segments. Its cost of risk reached 6.1% of its portfolio. Nu Mexico does not break out local fraud and credit loss data. The 1.4% reimbursement rate CONDUSEF documented for all Mexican financial institutions means that when something goes wrong — when the account is taken over, when the transaction is fraudulent — the customer absorbs 98.6% of the cost. That is not a fraud prevention strategy. It is a cost transfer strategy. The platforms that will win long-term are the ones that invert that ratio — not because regulators force them to, but because trust is the only asset in financial services that cannot be rebuilt quickly once it's gone.
The user who gets defrauded and isn't reimbursed does not become a churned customer in the platform's analytics. They become an active detractor, a regulatory complaint, and eventually a data point in the investigation that the fintech's compliance team will wish they had addressed operationally, not reactively.
Angle 3: The technical debt trap — AI as experiment, not architecture
The financial sector now represents 27% of all data breaches globally — the highest of any industry, up from 19% in 2022. Fintech breaches average US$5.9 million per incident. Crypto platforms lost over $7 billion to hacks between 2022 and 2024 alone. And 41.8% of fintech breaches originate from third-party vendors — the APIs, the payment processors, the KYC providers — not from the fintech's core system directly.
The response most platforms have is to add an AI fraud detection tool. Sometimes several. Each one trained on different data, monitoring different signals, producing alerts that no one has a process to act on systematically. That is not a fraud architecture. That is a fraud archaeology project — discovering what happened after the fact, at cost. Real fraud detection runs in real time, on clean data, with a model that is continuously updated on new fraud patterns, with a decision engine that can act — block, flag, escalate — in the time between transaction initiation and settlement. Deloitte's Center for Financial Services estimated that by 2027, advances in generative AI will cost banks an estimated $40 billion in AI-driven fraud. That number reflects what happens when attackers have access to the same tools as defenders, but defenders haven't built the architecture to use those tools operationally.
The platform that added a fraud AI model on top of fragmented identity data, inconsistent transaction schemas, and an operations team that doesn't have a defined process for acting on model outputs is not more protected. It has more expensive dashboards and the same gaps.
Angle 4: The capital trap — what happens when the subsidy ends
Mexico's fintech sector attracted US$865 million in venture capital in 2024 — representing 74% of all VC deployed in Mexico that year. That concentration is both a signal of confidence and a structural risk. When the capital that subsidizes customer acquisition, absorbs fraud losses, and funds the "path to profitability" deck at slide 18 becomes more selective — as it already has globally, with total fintech investment hitting a seven-year low of $95.6 billion in 2024 — the math of fintech economics becomes merciless.
Global Authorized Push Payment (APP) fraud — where users are manipulated into approving fraudulent transactions — is projected to surge from US$150 billion in 2017 to US$250 trillion by 2027 according to LSEG. APP fraud is particularly dangerous for fintechs because it targets the user, not the platform's systems. The user approves the transaction. The platform has no technical obligation to reimburse. The loss appears in the user's account, not the platform's fraud ledger. That is the fraud that will most efficiently extract value from fintechs that built acquisition machines but not operational defense systems — because when it scales, it scales silently, through user behavior, not system breach.
The fintech that treats fraud prevention as a compliance checkbox and AI as a marketing feature is not building a financial institution. It is building a growing liability with a beautiful interface. The ones that will still be operating at scale in 2030 are building the operational and technical infrastructure now — while they still have the capital to do it deliberately rather than the urgency to do it reactively.
The opportunity that the fraud conversation obscures
Here is what gets lost in the fraud narrative: the opportunity side of these numbers is enormous. Visa's data shows that adaptive technology can reduce phishing losses by up to 90%. The WEF survey found that fintechs using AI effectively reported 74% higher profitability and 75% reduced costs. The 86% of banks investing in new fraud prevention technology are not doing so reluctantly — they're doing it because the ROI on well-implemented fraud architecture is among the highest in the entire technology investment portfolio.
Fintechs currently hold just 3% of the global banking and insurance revenue pool in a $13 trillion market. Mexico's payments and remittances segment is projected to grow 76% by 2027. Digital payments grew from 29% to 46% of Mexican adults in five years. The unbanked population — 23% of Mexican adults — represents an addressable market that no traditional bank has served effectively. That opportunity is real, accessible, and not going away.
But capturing it requires something the first era of fintech consistently underinvested in: the operational trust that comes from protecting customers at the level the product promises. A fintech that tells users their money is safe, processes their transactions instantly, and reimburses 1.4% of fraud losses has a trust gap that compounds over time. The users who stay despite that experience are the ones with no better option. The users who leave are the ones with choice. And the market that the fintech is trying to expand into — lower-income adults, the informally employed, small businesses — is made up of precisely the users most likely to never return after one bad experience.
"Most fintechs today are user acquisition machines financed by capital, trying to become profitable financial institutions afterward. That 'afterward' is where most of them fail — especially when they are just burning money and calling fraud losses 'cost of growth.'" — Jorge Mercado · #JMCoach · CNBV-regulated fintech executive
What the architecture of a trustworthy fintech actually looks like
This is where the conversation has to become concrete. Saying "invest in fraud prevention" or "use AI responsibly" is not advice — it's a caption. The specific things that separate a fintech with a fraud architecture from a fintech with fraud awareness are operational decisions, not technology purchases.
Real-time decision intelligence — not retrospective dashboards
Fraud happens in milliseconds. The transaction is initiated, the authorization is requested, the settlement occurs — and if the fraud detection ran a batch job overnight, the money is already gone. A real fraud architecture makes decisions in the authorization gap: between transaction initiation and settlement, the model evaluates the transaction against behavioral signals, device fingerprints, velocity patterns, geographic anomalies and account history, and it acts — approves, blocks, or flags for step-up authentication — before the transaction completes. That requires clean data flowing from every touchpoint in real time, a model that is continuously retrained on the platform's actual fraud patterns (not generic benchmarks), and a decision engine with defined escalation paths that the operations team actually follows. It is not a product. It is a process that a product enables.
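A small decision engine for the authorization gap described above, written as an added example (not code from this article or from any vendor it names). The signal names, weights, thresholds and the `Txn`/`Profile` types are assumptions chosen for illustration; the point is that every transaction gets an action plus the reasons for it before it completes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

APPROVE, STEP_UP, BLOCK = "approve", "step_up", "block"
# Assumed weights and thresholds; a production model would learn these
# from the platform's own labelled fraud, as the article argues.
WEIGHTS = {"new_device": 2, "geo_anomaly": 2, "velocity": 3, "amount_spike": 2}
STEP_UP_AT, BLOCK_AT = 2, 5

@dataclass
class Txn:
    account: str
    amount: float
    device_id: str
    country: str
    ts: float  # seconds since epoch

@dataclass
class Profile:  # account history the engine compares each transaction against
    known_devices: set = field(default_factory=set)
    home_country: str = ""
    avg_amount: float = 0.0

class AuthGapEngine:
    def __init__(self, profiles, window_s=60, max_in_window=3):
        self.profiles = profiles
        self.window_s = window_s
        self.max_in_window = max_in_window
        self.recent = defaultdict(deque)  # account -> timestamps of recent attempts

    def signals(self, t):
        q = self.recent[t.account]
        while q and t.ts - q[0] > self.window_s:  # drop attempts outside the window
            q.popleft()
        q.append(t.ts)
        p = self.profiles.get(t.account)
        if p is None:
            return {"no_history": True}
        return {
            "new_device": t.device_id not in p.known_devices,
            "geo_anomaly": t.country != p.home_country,
            "velocity": len(q) > self.max_in_window,
            "amount_spike": p.avg_amount > 0 and t.amount > 5 * p.avg_amount,
        }

    def decide(self, t):
        """Return (action, fired_signals) so operations can see why it acted."""
        fired = sorted(name for name, hit in self.signals(t).items() if hit)
        if "no_history" in fired:
            return STEP_UP, fired  # nothing to compare against: never approve silently
        score = sum(WEIGHTS[name] for name in fired)
        if score >= BLOCK_AT:
            return BLOCK, fired
        return (STEP_UP if score >= STEP_UP_AT else APPROVE), fired
```

Returning the fired signals alongside the action is what lets an escalation path be defined per reason rather than per alert.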
Predictive risk — not reactive rules
Rules-based fraud detection fails against novel attack patterns by definition: it can only block what it has seen before. The 156% year-over-year growth in fintech fraud rates and the 324% increase in account takeovers in Mexico are evidence that attackers are operating faster than rules can be written. Predictive models that learn from behavioral signals — how a user typically navigates the app, how long they spend on each screen, what devices they use, from where, at what times — can detect account takeovers and social engineering attacks before a transaction is even initiated. BioCatch, which documented Mexico's ATO explosion, builds exactly this type of behavioral biometrics. The architecture principle is simple: model the normal so precisely that the abnormal is immediately visible, even when the abnormal is technically within the user's own account credentials.
AI with a defined role — not AI as a silo experiment
The WEF survey of 240 fintech firms found that among those using AI effectively, 83% reported improved customer experience and 74% reported higher profitability. The key word is "effectively." In practice, the fintechs that got those results deployed AI on top of defined processes, clean data, and clear ownership of the model's outputs. The ones that got the opposite results deployed AI as a standalone capability — a model that generates alerts no one acts on, a scoring system that isn't connected to the authorization decision, a recommendation engine that runs on stale data and produces personalization that's six months behind the customer's actual behavior. AI in fintech is not a product category. It is a force multiplier for the operational quality that already exists. If the operations are fragmented, AI fragments them faster. If the operations are coherent, AI scales them exponentially.
Security from the first line of code — not the last layer of defense
With 41.8% of fintech breaches originating from third-party vendors, the security perimeter of a fintech is not its own systems — it is every API it calls, every SDK it embeds, every data processor it contracts. A security architecture that is designed from the start — with vendor risk assessment, API governance, data classification, access control by role and by data sensitivity, and continuous monitoring of all integration points — costs dramatically less than a security response after a breach. The IBM Cost of a Data Breach Report 2025 documented that organizations with extensive AI in security operations shortened breach times by 80 days and reduced average breach costs by $1.9 million. That number is available to fintechs that build the architecture. It is unavailable to fintechs that add security tools on top of an architecture that was never designed with security as a principle.
The fintech built securely from the start does not look different from the outside. The difference is entirely internal: in how decisions are made, how data flows, how models are governed, and how the team responds when something goes wrong. That internal difference is what separates a €460 million fraud loss (UK, 2023) from a 90% reduction in phishing losses (Visa, adaptive technology). Same threat. Different architecture.
Can you tell me, in real time, what your current fraud rate is by product, channel and customer segment? Not last month's number from the analytics team — the number right now, as transactions are being processed. If retrieving that requires a data pull, the fraud architecture is not operational.
When a fraud event occurs, what is the defined process from detection to resolution — including who contacts the customer, within what timeframe, and what the reimbursement criteria are? If the answer varies by which team member is on shift, it is a culture, not a process.
How does your fraud model learn from new attack patterns? Not "we update it periodically" — specifically, who owns model retraining, on what schedule, triggered by what criteria, reviewed by whom. If no one has a complete answer, the model is drifting.
What percentage of your fraud detection triggers are acted on within the authorization window — before settlement? For most fintechs, the honest answer to this question reveals that most of their fraud detection is retrospective, not preventive. That's where the $760 million in Mexico goes.
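The first and last of these questions can be answered from the transaction stream itself. The added example below (not from the article) computes a windowed fraud rate by product, channel and segment, and classifies each detection trigger as preventive, retrospective or unactioned; the event fields and the sample events are constructed, and `confirmed_fraud` is assumed to come from case management.

```python
from collections import defaultdict

def ev(product, channel, segment, init_ts, settle_ts, fraud,
       trigger_ts=None, action_ts=None):
    """Build one constructed transaction event (times in seconds)."""
    return dict(product=product, channel=channel, segment=segment,
                init_ts=init_ts, settle_ts=settle_ts, confirmed_fraud=fraud,
                trigger_ts=trigger_ts, action_ts=action_ts)

# Constructed sample stream, not real data.
EVENTS = [
    ev("card", "app", "retail", 10, 12, True),                  # outside the window
    ev("card", "app", "retail", 100, 102, False),
    ev("card", "app", "retail", 110, 112, True, 110.2, 110.5),  # acted on before settlement
    ev("wallet", "web", "sme", 120, 121, True, 120.4, 3720.0),  # acted on an hour later
    ev("wallet", "web", "sme", 130, 131, True, 130.3),          # alert nobody acted on
    ev("wallet", "web", "sme", 140, 141, False),
]

def fraud_rate_by(events, now, window_s,
                  keys=("product", "channel", "segment")):
    """Fraud rate per key tuple for transactions initiated in the last window_s."""
    counts = defaultdict(lambda: [0, 0])  # key -> [fraud, total]
    for e in events:
        if 0 <= now - e["init_ts"] <= window_s:
            k = tuple(e[f] for f in keys)
            counts[k][0] += int(e["confirmed_fraud"])
            counts[k][1] += 1
    return {k: fraud / total for k, (fraud, total) in counts.items()}

def trigger_outcomes(events):
    """Classify every detection trigger by when, if ever, it was acted on."""
    out = {"preventive": 0, "retrospective": 0, "unactioned": 0}
    for e in events:
        if e["trigger_ts"] is None:
            continue
        if e["action_ts"] is None:
            out["unactioned"] += 1
        elif e["action_ts"] < e["settle_ts"]:
            out["preventive"] += 1   # inside the authorization window
        else:
            out["retrospective"] += 1
    return out

def preventive_share(events):
    """Share of triggers acted on before settlement; None when there were no triggers."""
    outcomes = trigger_outcomes(events)
    total = sum(outcomes.values())
    return outcomes["preventive"] / total if total else None
```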
The fintech fraud problem is not a technology problem. The technology to solve it exists, is commercially available, and is documented to work. Visa's 90% phishing loss reduction is real. AI-driven behavioral biometrics that detect account takeovers before the first unauthorized transaction are real. Real-time decision engines that run in the authorization gap are real. They are not being used at scale in Mexico's fintech market because building them requires something that does not appear in a growth deck: operational discipline, process clarity, and the willingness to invest in the infrastructure before it is urgently needed.
The fintechs that build that infrastructure now — while they have capital, while the regulatory pressure is building but not yet acute, while the trust gap is recoverable — will be the ones that capture the actual fintech opportunity. The $13 trillion banking and insurance market. The 23% of unbanked Mexican adults. The $66 billion annual remittance corridor. The 76% growth in payments and remittances projected through 2027.
That opportunity does not go to the fastest grower. It goes to the platform that users trust with their money when something goes wrong — and that gets them their money back.
Sources: CONDUSEF Mexico 2024–2025 · BioCatch / Mexico Business News April 2026 · Sumsub Fraud Intelligence Report 2024 · Fintechmagazine.com July 2025 (ComplyAdvantage, NVIDIA, UK Finance, Visa, Mastercard, LSEG data) · Alloy State of Fraud Benchmark Report 2024–2025 · SecurityScorecard 2025 · Deloitte Center for Financial Services 2024 · IBM Cost of a Data Breach Report 2025 · WEF "Future of Global Fintech" 2025 (Cambridge Centre for Alternative Finance) · BCG / QED Investors 2025 · Finnovista Fintech Radar Mexico 2024 · Mobile Time Latinoamérica 2026 (Jumio / Samer Atassi) · FTC Consumer Fraud Report 2024 · Kroll 2024 Financial Sector Breach Report · NuBank Annual Report 2023 · CNBV · BNamericas CONDUSEF data.
Certified Professional Coach · CTO · Enterprise Architecture · C-Level
CNBV-regulated fintech · PCI-DSS · KYC · Face-ID · AWS Bedrock + Anthropic + MCP in production
Fraud architecture · Real-time risk · AI in financial services · Regulated sectors Mexico & LATAM
twitter.com/JormerMx · linkedin.com/in/mxjormer · jmcoach-mx.blogspot.com