Anti-fraud for SEPA is a different game from card fraud. The signals are different, the tooling is different, the windows are different. Here is what mature operators actually do.
The three fraud archetypes
- Mandate fraud: a bad actor uses an IBAN they don’t own. Detected via Confirmation of Payee, behavioural mismatch, and first-debit caps.
- Friendly fraud: the legitimate account holder pays, receives what they paid for, then files a refund under the 8-week refund right. Detected via velocity of refunds per IBAN, descriptor clarity, and dispute pattern.
- Account takeover: someone hijacks the customer’s account and changes the IBAN to siphon outgoing payments. Detected via change-velocity alerts and step-up authentication on payout-method changes.
Signal layers worth investing in
- IBAN reputation. Black/grey/white-list scoring of the IBAN itself, fed by industry data and your own dispute history.
- IBAN-name match. CoP where the SEPA country supports it; soft signals where it doesn’t.
- Behavioural signals. Typing cadence, copy-paste detection on IBAN fields, time-on-form. Bots fail these hard.
- Device fingerprint. Same device, multiple IBANs in a short window is a strong negative signal.
- Velocity controls. N attempts per IBAN per day, N IBANs per device per week. Tune per use case.
Policy patterns that work
- The first-debit cap. Never collect the largest amount first. New mandates pay a small amount, age 7–14 days, then unlock larger collections.
- The cool-down on changes. A change of payout IBAN triggers a 24-hour hold and a verified email re-confirmation.
- The dispute-velocity circuit-breaker. If the same IBAN appears in three refund events across the network within 90 days, it becomes ineligible automatically.
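The three policies above can be expressed as small decision functions. This is an added example, not Nexinity's code: the function names, the 25 EUR cap, the choice of 14 days from the 7–14 range, and counting the aging period from the settled first debit are all assumptions.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed parameters (hypothetical; the page gives ranges, not exact values).
FIRST_DEBIT_CAP = Decimal("25.00")   # EUR, constructed value
AGING_PERIOD = timedelta(days=14)    # page: 7-14 days
REFUND_LIMIT = 3                     # page: three refund events
REFUND_WINDOW = timedelta(days=90)   # page: within 90 days
PAYOUT_HOLD = timedelta(hours=24)    # page: 24-hour hold


def iban_ineligible(refund_times, now):
    """Circuit-breaker: True once REFUND_LIMIT network-wide refund events
    for this IBAN fall inside REFUND_WINDOW. Persisting the resulting
    ineligible flag is left to the caller."""
    recent = [t for t in refund_times if timedelta(0) <= now - t <= REFUND_WINDOW]
    return len(recent) >= REFUND_LIMIT


def collection_decision(amount, first_debit_settled_at, refund_times, now):
    """Return (allowed, reason) for one SDD collection on a mandate.

    first_debit_settled_at is None until the small first debit has settled.
    """
    if iban_ineligible(refund_times, now):
        return False, "iban_ineligible_refund_velocity"
    if first_debit_settled_at is None:
        # New mandate: only an amount within the cap may be collected first.
        if amount > FIRST_DEBIT_CAP:
            return False, "first_debit_cap"
        return True, "first_debit"
    if now - first_debit_settled_at < AGING_PERIOD and amount > FIRST_DEBIT_CAP:
        return False, "mandate_still_aging"
    return True, "ok"


def payout_release_time(iban_changed_at, email_confirmed_at):
    """Cool-down: earliest time payouts to a changed IBAN may resume.

    Needs both the 24-hour hold and a verified email re-confirmation;
    returns None while the confirmation is still missing.
    """
    if email_confirmed_at is None:
        return None
    return max(iban_changed_at + PAYOUT_HOLD, email_confirmed_at)
```

The reason strings double as labels for the manual review queue and for tuning the thresholds per use case.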
What "good" looks like
- Net SDD refund rate < 0.3%.
- Mandate-fraud rate (R-codes MD01/MD07) < 0.1%.
- Account-takeover detection rate (caught before payout) > 95%.
- Manual review queue < 0.5% of inbound mandates.
Want to use SEPA in your own product? Nexinity is a licensed Polish payment institution that does this for a living.