By Hannah Ibberson
Fraud risk management has entered a new phase. As fraud and scams grow more sophisticated, banks have invested heavily in technology to strengthen controls and detect suspicious activity. While these investments remain essential, technology alone is no longer sufficient.
The central challenge is no longer simply building stronger controls. It is building a fraud risk management structure that can adapt at the same speed as evolving criminal tactics. To do so, banks must move beyond a model in which employees merely monitor technology and toward one in which human judgment and technology operate in deliberate partnership.
This paper proposes a shift toward a human‑centered fraud policy framework — one that recognizes that fraud prevention and detection depend on understanding human behavior, emotional vulnerability and decision‑making under pressure. This human-centered approach recognizes the nature and behavioral realities of both employees and customers when developing controls.
The limits of system‑centric fraud programs
Most fraud programs are designed around systems, controls, thresholds and loss metrics. These elements are measurable, auditable and scalable, providing banks with a sense of security that they can prevent, detect and mitigate fraud losses. However, fraudsters rarely defeat banks by outsmarting algorithms alone. Instead, they exploit human factors such as fear, urgency, trust, authority bias and social manipulation, leveraging scams to defraud consumers.
Scams succeed because they are fundamentally psychological. Fraudsters befriend victims, manufacture crises and create cognitive overload that suppresses rational thinking. In these moments, customers often believe they are acting independently, when in reality they are being carefully guided. Scams allow criminals the opportunity to bypass controls and thresholds by placing the actual transaction in the hands of the consumer. They also expose consumer security, allowing criminals to attack the account directly. In this environment, policies that focus exclusively on transaction risk — without accounting for human vulnerability — leave a critical gap in fraud defense.
Reframing the core policy question
Traditional fraud policy often asks: “Is this transaction risky?”
A more effective and protective question is: “Is this customer in a psychologically vulnerable situation?”
Certain circumstances consistently correlate with elevated scam risk, including:
- First‑time or unusual payment behavior
- Urgent or time‑pressured requests
- Sudden changes to beneficiaries or payment instructions
- High‑value transfers tied to emotionally charged narratives (investment opportunities, romance, family emergencies or authority‑based demands)
Frontline employees may observe subtle behavioral cues that systems cannot detect, such as whispering, signs of coaching, reluctance to answer basic questions, refusal of assistance or remaining on the phone with a third party during the interaction. These signals often indicate that a customer is being manipulated.
Translating behavioral signals into policy action
A human‑centered fraud policy must clearly define what happens when behavioral risk indicators appear. When a customer seems distressed, coached or emotionally compromised, the policy should both authorize and require specific interventions[1].
Examples include:
- Risk‑based friction and cooling‑off periods to interrupt scam momentum and restore reflective thinking.
- Delays of 24 to 72 hours for first‑time wires, new payees, crypto transactions, or high‑risk investment transfers, calibrated to transaction value and risk level.
- Mandatory escalation pathways when employees observe coaching indicators or refusal to provide transaction context.
These controls are only effective if employees feel empowered to use them. Many existing policies unintentionally discourage intervention by prioritizing speed, throughput, or penalizing false positives. When frontline staff believe that slowing a transaction may harm their performance metrics, they are more likely to proceed even when something feels wrong.
A well‑designed policy explicitly grants employees permission — and responsibility — to pause, question and escalate suspicious transactions without fear of reprisal.
Aligning incentives with fraud prevention outcomes
An honest review of employee performance metrics often reveals why human‑technology synergy breaks down. In many call centers and branches, success is defined by speed and efficiency: average handle time, after‑call work, first call resolution ), average speed of answer, customer satisfaction, net promoter Score, utilization and cost per contact.
These metrics are designed to optimize throughput, not fraud prevention. Customers experiencing scams frequently require longer interactions and repeated engagement — outcomes that negatively impact traditional KPIs. As a result, employees are implicitly conditioned to prioritize quick completion over deeper inquiry.
Human‑centered fraud policy requires a recalibration of incentives, such as:
- Recognizing and rewarding identified and prevented fraud.
- Tracking successful scam disengagements and customer safety outcomes.
- Classifying fraud‑related calls differently from routine service interactions.
- Valuing high‑quality referrals and escalations to fraud teams.
Leadership should view missed scams as more damaging than delayed legitimate transactions. False positives are recoverable. False negatives often are not.
Equipping employees with clear guidance
Policy must provide practical guidance on how to engage customers when fraud risk is behavioral rather than transactional. This includes:
- When to ask probing questions and how to do so without blame or confrontation
- How to recognize common coaching indicators and scam narratives
- Clear scripts for sensitive engagement when customers resist assistance
- Defined documentation and escalation requirements
For example, a policy may require an employee to initiate a specific engagement protocol if a customer appears to be under instruction or refuses to explain the purpose of a payment.
Designing customer education that works
Generic warnings such as “This transaction may be risky” rarely change behavior. Effective fraud prevention relies on contextual, psychologically relevant messaging that mirrors real scam tactics. In practice, a discussion with the customer is far more effective than warnings and statements.
Understanding human factors requires us to allow time for recognition of a scam or fraud in the customer’s eyes. Therefore, procedures need to recognize the value of listening to the customer and asking questions. These techniques allow banks to lead customers to their conclusions on the event, their security and the bank’s actions.
Examples of topics to help direct the consumer’s conversation include:
- Explaining that scammers often instruct victims not to tell anyone
- Highlighting claims of law enforcement involvement or urgent secrecy
- Normalizing hesitation and verification as smart and responsible actions
Policies should define when these prompts appear, which transaction types trigger enhanced warnings, when transfers should be slowed versus blocked and how customer acknowledgment is recorded across digital and human channels.
Strengthening regulatory and consumer protection alignment
Regulators increasingly expect banks to demonstrate proactive scam prevention, risk‑based friction and a clear duty‑of‑care orientation. Policies that incorporate behavioral indicators, intervention justification, documentation standards and override rationale improve both consumer outcomes and regulatory defensibility.
Fraudsters exploit psychology more effectively than technology. Banks that continue to design fraud policy around systems alone will remain vulnerable at the human edge of the transaction. By aligning technology, employee judgment, incentives and customer education around real human behavior, banks can move from a system‑centric model to a human‑centric fraud policy — one that prevents harm, protects customers, and builds lasting trust.
Hannah Ibberson is program manager, fraud risk management, American Bankers Association.
[1] Actions that are taken to mitigate reasonable fraud risks will still require compliance with regulation. It is recommended that your compliance group approve of any steps taken, that your account holder agreement reflect the actions, that the actions are based on risk-based triggers, that the actions are applied consistently, that the actions are documented and that the actions are communicated to customers, unless otherwise restricted.
