In Part 1, we looked at the mechanics of a payment: who's involved, what happens, and how security works. That's the foundation.
But knowing how payments work and knowing how to make money from them are two very different things.
This time, we're answering three questions that hit where decisions actually get made: in the boardroom, in the risk committee, and on the P&L.
Because it is. Every fraud decision you make creates a new problem somewhere else.
Here's the core tension every payments team lives with: you want to approve as many good transactions as possible and stop as many fraudulent ones as possible. Those two goals pull in opposite directions.
Loosen the controls, and revenue goes up, but so does fraud exposure. Tighten them, and fraud drops, but so does your conversion rate, because you've just declined a lot of real customers.
That last one has a name: false positives. Legitimate transactions wrongly declined. And they're not harmless. Every false positive is lost revenue today and customer churn tomorrow, because most customers don't think "great fraud controls" when their card is declined. They think "I'll use a different provider next time."
Most banks respond to rising fraud by tightening controls, which means declining more real customers and losing revenue in the process. Revolut took the opposite approach: invest in intelligence, not restriction.
In 2019, Revolut built Sherlock, a machine learning–based card fraud prevention system that evaluates every transaction in under 50 milliseconds. Rather than applying blanket rules, the system learns from user behaviour, flagging only transactions with genuine anomalies. After deployment, Revolut reported a massive reduction in card fraud levels, specifically tackling e-commerce payments, card cloning, and card theft (Best Practice AI).

They didn't stop there. In 2024, Revolut launched an AI-powered scam detection feature that intervenes at the point of payment rather than blocking outright. Since launch, Revolut observed a 30% reduction in fraud losses resulting from card scams linked to investment fraud (Finextra).
The result? By 2024, Revolut's AI-based fraud detection system had prevented scams worth over €550 million, while supporting a 30% reduction in fraud losses related to card scams (AI Expert Network).
The lesson: The winners in fraud management aren't the companies with the strictest controls. They're the ones who've figured out how to be permissive and safe at the same time. That's not a technology question. That's a strategy question.
Why this matters for your business: Fraud management isn't a technical problem you solve once. It's a strategic trade-off you manage continuously. And the cost of getting it wrong isn't just fraud losses; it's the revenue you're silently declining, every day.
The real question isn't how to eliminate fraud. It's: where is the line between acceptable fraud and unacceptable friction, and who in your company gets to draw it?
It's the most important number in payments that most executives never define.
Risk appetite is the amount of risk your company is willing to accept in exchange for growth. Every fraud rule, every approval threshold, every liability decision sits somewhere on this spectrum.
At one end: low risk appetite. Play it safe. Decline more. Keep fraud losses down. But live with more false positives, more lost customers, and thinner top-line growth.
At the other end: high risk appetite. Capture as much revenue as possible. Approve more, create less friction. But absorb more fraud, more chargebacks, and the risk of crossing scheme thresholds or triggering regulatory attention.
Most companies operate somewhere in the middle, but very few have actually defined where.
Wirecard is the textbook case of what happens when risk, compliance, and governance aren't taken seriously at the top. When it collapsed in June 2020, the first DAX 30 company ever to file for insolvency, the estimated economic damage was at least €30 billion (Quartr).
What's striking isn't just the fraud itself, but the governance gap behind it. Until early 2019, Wirecard's board did not choose to create dedicated committees for audit, risk, and compliance. The size of the compliance team was about 0.4 percent of the workforce in 2019. HSBC, by comparison, had 2.6 percent (Oxford Law Blogs).
Less than half a percent of the workforce is dedicated to compliance, at a regulated payments company. That isn't a "risk appetite." That's the absence of one.
The outcome: The share price collapsed by 98% within days. The CEO was arrested. The COO went on the run and remains at large. Investors (from pension funds to retail shareholders) lost everything. And the ripple effects went far beyond one company: Germany overhauled its financial supervision system, the EU tightened audit and oversight rules across the bloc, and every payments company operating in Europe now lives under a stricter regulatory lens because of decisions Wirecard's leadership didn't make.
The lesson: Risk appetite isn't an abstract concept. When it's left undefined, the market defines it for you, usually at the worst possible moment.

Why this matters for your business: If your risk appetite isn't explicit, it's being set accidentally, by whoever configured your fraud tool, or by the default settings of your PSP. That's a strategic decision being made by a platform, not by you.
The real question isn't how strict your controls should be. It's: does the person running your fraud strategy know what the business is willing to lose, and what it's not?
Because regulation isn't a compliance cost. It's a competitive boundary, and your competitors are already using it.
Regulation in payments exists to protect consumers, maintain financial stability, and create a level playing field across banks, fintechs, merchants, and providers. Frameworks like PSD2 and the emerging Payment Services Regulation don't just set rules, they reshape what's possible.
PSD2 is why Strong Customer Authentication became mandatory. It's why open banking exists, giving licensed third parties access to account data, with consent. It's why new business models have been able to launch on top of the banking infrastructure.
Beyond the payments industry itself, other frameworks have direct impact too: data protection, operational resilience, and financial infrastructure standards.
While most financial institutions treated PSD2 as a compliance obligation, Klarna treated it as a strategic opening. In March 2019, Klarna launched its own Open Banking Platform, enabling access to more than 4,300 European banks through a single API in line with PSD2.

Before that launch, Klarna had already been proving the model at scale: its XS2A payment initiation solution transferred over 10 billion Euros in volumes and completed over 100 million transactions in 2018 alone (Klarna).
Then, in 2022, Klarna spun that capability into a standalone product, Klarna Kosma, and opened it up to banks, merchants, and fintechs. The platform covers 15,000 banks across 24 countries (TechCrunch), directly competing with Visa-owned Tink and Plaid.
The same regulation that added compliance cost for lagging banks became a full product category for a prepared one.
Why this matters for your business: Companies treating regulation as a box to tick are playing defence. Companies treating it as a strategic signal are playing offence. The same framework that adds friction for a lagging competitor can unlock an entire product line for a prepared one.
The real question isn't "are you compliant?" It's: is your regulatory posture defensive or competitive, and do you know the difference?
Mechanics tell you how payments work. Business impact tells you what they cost, and what they can earn you.
The difference between a team that loses revenue to false declines and a team that turns regulation into a product line isn't better technology. It's better questions, asked earlier, by people who understand what they're looking at.
That's the whole point of this series. Payment expertise is your competitive advantage.
The PaymentGenes Academy Foundation Course is built for the teams who know that payments is a growth lever.