Real Time Payments & Instant Payment Risks

Introduction: The Newest Rail and Its Unforgiving Characteristics

Real-time payments are the newest entrant in the organizational disbursement landscape, and they arrive with a risk profile that finance and treasury functions have not fully absorbed. The operational appeal is straightforward and genuine: funds move in seconds, settlement is final, and the rails operate around the clock every day of the year. For time-sensitive vendor payments, emergency disbursements, and counterparties who place high value on payment certainty, real-time payments offer capabilities that no prior payment method could match.

The risk implication is equally straightforward and considerably less discussed: everything that makes real-time payments operationally attractive makes them extraordinarily unforgiving when a payment goes wrong.

Wire transfers are irrevocable — but they process during banking hours, through a human-mediated authorization workflow that provides at least some opportunity for pause. ACH operates on a batch cycle that creates detection windows between submission and settlement. Checks travel through a physical and electronic clearing chain that takes days.

Real-time payments offer none of these natural control intervals. A payment instruction submitted at 2:00 a.m. on a Saturday settles in the recipient's account within seconds. There is no batch window, no clearing delay, no banking-hours constraint, and — in virtually all implementations — no recall mechanism once settlement has occurred.

The organizations most at risk from real-time payment fraud are not those that have deliberately adopted the rails and built control frameworks around them. They are the organizations that have adopted real-time payments for their operational benefits without conducting a corresponding risk assessment — or that have not yet adopted them, but whose vendors, banks and counterparties are increasingly assuming they will.

How Real-Time Payments Work

Real-time payments in the United States operate on two primary networks: the RTP® network operated by The Clearing House, which launched in 2017 and has steadily expanded its participating financial institution base, and FedNow®, the Federal Reserve's real-time payment service, which launched in July 2023. Both networks operate on the same fundamental principle — immediate, final settlement of payment instructions — but differ in institutional participation, transaction limits and certain operational features.

The transaction model differs from both ACH and wire in important respects. When an organization initiates a real-time payment, the instruction is transmitted through its financial institution to the relevant network, which routes it to the receiving financial institution and effects settlement in near-real time — typically within seconds. Both the sending and receiving institutions confirm the transaction simultaneously. There is no batch aggregation, no deferred settlement, no float.

Current transaction limits on the RTP network are set at $1 million per transaction, a ceiling that has been raised progressively since the network's launch and that covers a significant range of business-to-business payment use cases. FedNow's transaction limits vary by participating institution but are similarly structured for business payment volumes. Both networks are expanding institutional participation and transaction capabilities, with broad adoption across the U.S. banking system an explicit policy objective of both operators.

The message standard underlying both networks is ISO 20022, a rich financial messaging format that carries substantially more data than the ACH or wire message formats it is gradually displacing. ISO 20022's data richness supports more detailed remittance information, enhanced compliance screening, and more sophisticated fraud detection — but only if the receiving and sending systems are built to use it. Many organizations are receiving the richer data without yet having the analytics infrastructure to exploit it.

Real-time-payment use cases in organizational disbursements currently include emergency vendor payments, time-sensitive supply chain disbursements, same-day payroll for certain workforce categories, insurance claim payments and payments to counterparties in time-critical transactions. As institutional participation expands and transaction limits rise, the use case set is widening.

The Finality Problem

The characteristic that defines real-time payment risk — as it defines wire transfer risk, but more acutely — is finality. Real-time payments settle immediately and irrevocably. There is no return mechanism equivalent to ACH's return window. There is no stop-payment option once the instruction is submitted. There is no clearing delay during which a fraud detection system can flag a suspicious transaction before it settles.

This finality is not an incidental feature of the technology — it is the technology's core value proposition. Immediate finality is what gives the recipient certainty that the funds have arrived and cannot be recalled. It is what makes real-time payments useful for time-sensitive transactions. And it is precisely what makes a misdirected or fraudulent real-time payment so consequential.

• With ACH, an organization that identifies a fraudulent or erroneous payment within the return window can initiate a return entry and recover the funds — imperfectly, subject to counterparty cooperation, but through a defined mechanism.

• With checks, stop-payment orders and UCC return rights provide at least a framework for recovery.

With real-time payments, none of these mechanisms exist.

Recovery after a fraudulent real-time payment depends entirely on the same conditions that make wire fraud recovery unreliable: the willingness of the receiving institution to freeze funds, the willingness of the recipient to return them, or law enforcement action that may be too slow to prevent dissipation.

The practical consequence is that real-time payment fraud that is not prevented before execution is, in the overwhelming majority of cases, not recovered after it.

How Real-Time Payments Are Exploited

Real-time payment fraud follows patterns recognizable from other payment methods — but the compressed timeline eliminates the detection and intervention opportunities those methods provide.

Authorized Push Payment Fraud

Authorized push payment (APP) fraud is the dominant fraud threat in real-time payment environments globally, and it is the category that regulators in the United Kingdom — where faster payments have operated since 2008, and APP fraud losses are extensively documented — have identified as the defining fraud challenge of real-time payment systems.

In APP fraud, the victim is manipulated into authorizing and initiating a real-time payment to a fraudulent account. The payment is technically authorized — the victim initiated it — which distinguishes APP fraud from unauthorized payment fraud and creates significant complications for loss recovery, because the payment instruction was not fraudulent on its face.

The manipulation takes several forms in organizational contexts. Vendor impersonation — a variant of the BEC attack pattern — directs a finance employee to initiate a real-time payment to a fraudulent account under the belief that they are paying a legitimate vendor for a legitimate obligation. Executive impersonation induces an authorized payment to a controlled account under the guise of a legitimate business instruction. Invoice fraud presents a fraudulent invoice with real-time payment instructions in place of the legitimate vendor's banking details.

The critical difference from the same attacks in an ACH or wire context is the timeline. A BEC attack targeting an ACH payment operates against a process that has natural delays — batch submission, settlement windows, bank review — during which a suspicious instruction might be identified. A BEC attack targeting a real-time payment operates against a process that completes in seconds. If the fraudulent instruction reaches payment initiation, recovery is not a realistic outcome.

Account Takeover Targeting Real-Time Payment Initiation

Account takeover — the compromise of credentials used to access banking or treasury management platforms — is a high-consequence attack vector for any payment method. In the real-time payment context, its consequences are more severe because the attacker who gains platform access can initiate payments that settle before the account holder is aware of the compromise.

With ACH, an attacker who gains origination platform access initiates payments that enter the batch cycle and settle the following business day — providing a detection window, however narrow. With real-time payments, the settlement occurs within the same session. An account takeover executed at 3:00 a.m. on a weekend produces settled, irrecoverable losses before the organization's security team arrives for the Monday morning shift.

The attack vectors for real-time payment platform takeover are the same as for ACH and wire platforms — phishing, credential stuffing, session hijacking, malware — but the consequence of a successful attack is more immediate and less recoverable.

Request for Payment Fraud

Real-time payment networks support a Request for Payment (RFP) message type — a standardized electronic request from a payee to a payer, asking the payer to initiate a real-time payment. The RFP model is intended to streamline the invoicing and payment process by embedding payment initiation directly into the invoice workflow.

The fraud risk is that fraudulent RFP messages — generated by attackers impersonating legitimate vendors or creditors — can be submitted to payment platforms that process them with insufficient scrutiny. An AP function that has configured its real-time payment platform to process RFP messages with automated or minimally supervised approval is potentially exposed to fraudulent payment requests that are authorized and settled before human review occurs.

RFP fraud is an emerging rather than mature threat in the U.S. market, but the pattern is well established in markets where RFP functionality has been available longer. As RFP adoption expands with growing RTP and FedNow participation, the fraud pattern will follow.

Mule Account Networks

Real-time payment fraud is frequently designed around mule account networks — chains of accounts, often held by recruited or unwitting individuals, through which fraudulently obtained funds are moved and layered before being extracted. The speed of real-time payments is specifically advantageous to mule network operations: funds received in a real-time payment can be forwarded to the next account in the chain within seconds, making the layering process faster and the recovery window correspondingly narrower.

Organized fraud networks operating mule account infrastructure specifically target real-time payment rails because the combination of immediate settlement and rapid forwarding capability compresses the effective recovery window to near zero. By the time a fraudulent real-time payment is reported, the funds have typically moved through multiple accounts and been converted to a form — cash, cryptocurrency, foreign wire — that law enforcement cannot rapidly reach.

The Regulatory Landscape: Evolving and Uneven

Real-time payments in the United States operate in a regulatory environment that is still developing relative to the maturity of the technology. Unlike ACH, which is governed by Nacha's detailed Operating Rules with explicit originator obligations and enforcement mechanisms, real-time payment networks currently operate under frameworks that place significant responsibility on participating financial institutions without imposing the same level of codified originator obligation.

The United Kingdom's experience is instructive. The Payment Systems Regulator introduced mandatory reimbursement requirements for Authorized Push Payment (APP) fraud losses in October 2024, requiring payment service providers to reimburse victims of authorized push payment fraud up to £85,000 per claim. This regulatory development — the most significant consumer and business protection measure in real-time payment fraud globally — reflects years of documented APP fraud losses and sustained regulatory pressure on the payments industry to bear more of the cost of fraud that its infrastructure enables.

U.S. regulators have not yet moved to equivalent mandatory reimbursement requirements for real-time payment APP fraud, but the U.K. experience is closely watched and the trajectory of regulatory attention — from the CFPB, from banking regulators, and from Congress — is toward greater accountability for institutions and networks. Organizations that are building real-time payment programs now are building them in a regulatory environment that is likely to become more demanding, not less.

The Bank Secrecy Act and OFAC compliance obligations that apply to wire transfers apply equally to real-time payments — real-time settlement does not suspend AML or sanctions screening requirements, and participating financial institutions are required to conduct screening. The practical challenge is that real-time settlement timelines compress the screening window. Financial institutions have addressed this through pre-screening and rules-based filtering, but the tension between compliance thoroughness and settlement speed is an ongoing operational challenge for the banking system's real-time payment infrastructure.

The Speed-Control Tradeoff: The Core Risk Management Challenge

The fundamental risk management challenge presented by real-time payments is that the operational characteristics that make them valuable are in direct tension with the control characteristics that make payments safe.

Payment controls — dual authorization, supervisory review, anomaly detection, compliance screening — all require time. A dual authorization workflow in which a second approver must review and confirm a payment instruction before release requires that the second approver be available, that they review the instruction with sufficient care to identify problems, and that the system enforce the hold until approval is received. None of these requirements is burdensome for a wire transfer that processes during business hours against a same-day or next-day timeline. All of them become operationally complex for a payment rail that operates at all hours and settles in seconds.

Organizations that implement real-time payments without adapting their control frameworks to the rail's characteristics — that apply the same approval workflows, the same monitoring cadences, the same anomaly detection thresholds that they use for ACH — are not running a real-time payment control program. They are running an ACH control program on a real-time rail, and the gaps between what those controls were designed to catch and what real-time settlement requires will be exploited.

The adaptation required is not primarily technological. It is procedural and policy-based: defining which payment types and amounts are eligible for real-time payment, establishing pre-authorization controls that front-load the verification that other payment methods can perform during their settlement cycles, and building monitoring cadences appropriate to a payment rail that does not pause overnight or on weekends.
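A pre-authorization gate of the kind described above, which also holds the Request for Payment messages discussed earlier for human review, can be sketched as follows. This is an added example, not code from any bank, network or treasury platform; the policy limit, eligible payment types, staffed hours, vendor records and field names are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy values (assumptions, not taken from any network rulebook).
RTP_ELIGIBLE_TYPES = {"emergency_vendor", "supply_chain", "insurance_claim"}
RTP_POLICY_LIMIT = 250_000      # internal ceiling, set below the rail's own limit
STAFFED_HOURS = range(7, 19)    # hours with live monitoring coverage, Mon-Fri

# Constructed vendor master: banking details confirmed out of band.
VENDOR_MASTER = {
    "V-1001": {"routing": "000000001", "account": "1111", "verified": True},
    "V-1002": {"routing": "000000002", "account": "2222", "verified": False},
}


@dataclass
class Instruction:
    vendor_id: str
    routing: str
    account: str
    amount: float
    payment_type: str
    initiator: str
    submitted_at: datetime
    approvers: list = field(default_factory=list)
    source: str = "manual"      # "manual" or "rfp" (Request for Payment)
    rfp_reviewed: bool = False  # a person has checked the request against an invoice


def pre_authorize(p: Instruction) -> tuple[str, list[str]]:
    """Return ("release" | "hold" | "reject", reasons) before anything reaches the rail."""
    reject, hold = [], []
    vendor = VENDOR_MASTER.get(p.vendor_id)
    if vendor is None or not vendor["verified"]:
        reject.append("vendor not verified in master file")
    elif (p.routing, p.account) != (vendor["routing"], vendor["account"]):
        # Changed banking details must be re-verified out of band, never paid as-is.
        reject.append("beneficiary account differs from verified vendor record")
    if p.payment_type not in RTP_ELIGIBLE_TYPES:
        reject.append("payment type not eligible for real-time rail")
    if p.amount > RTP_POLICY_LIMIT:
        reject.append("amount exceeds real-time policy limit")
    # Dual approval: two distinct people, neither of them the initiator.
    independent = set(p.approvers) - {p.initiator}
    if len(independent) < 2:
        hold.append("needs two approvers independent of the initiator")
    # Inbound payment requests are never approved without human review.
    if p.source == "rfp" and not p.rfp_reviewed:
        hold.append("RFP not yet reviewed by a person")
    # Off-hours submissions wait until someone is watching the rail.
    staffed = p.submitted_at.weekday() < 5 and p.submitted_at.hour in STAFFED_HOURS
    if not staffed:
        hold.append("outside staffed monitoring hours")
    if reject:
        return "reject", reject
    if hold:
        return "hold", hold
    return "release", []
```

Every check runs before submission, so a "hold" or "reject" result costs time but no money; the same conditions detected after settlement would be a loss.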

Systemic and Concentration Risk

Beyond individual transaction fraud, real-time payment infrastructure introduces a systemic risk dimension that is less visible in individual incident analysis but material to enterprise risk assessment.

The 24/7/365 operating model means that real-time payment fraud can occur at any hour, including hours when organizational monitoring and response capacity is minimal. A fraud incident that occurs at 11:00 p.m. on a Sunday may not be identified until Monday morning — by which time the funds have been moved, converted, and placed beyond practical recovery. The always-on characteristic of the rail requires a monitoring posture that matches it, which most organizations have not yet built.

Concentration of real-time payment volume through a single banking relationship or platform creates a single point of failure. A platform outage, a security incident at the financial institution, or a network disruption affecting the RTP or FedNow infrastructure can simultaneously affect all of an organization's real-time payment activity, with no batch backup available if real-time payment has become the primary rail for time-sensitive disbursements.

The ISO 20022 data standard that underlies both RTP and FedNow creates interoperability across a broad institutional network — which is its purpose — but also means that vulnerabilities in message handling or data parsing could, in principle, affect multiple institutions simultaneously. This systemic dimension is managed at the network level by The Clearing House and the Federal Reserve, but it is part of the risk landscape that enterprise risk management should acknowledge.

What the International Experience Reveals

The United States is not the first major economy to operate a real-time payment infrastructure, and the experience of earlier adopters provides a preview of the fraud landscape that U.S. organizations are entering.

The United Kingdom's Faster Payments Service has operated since 2008. UK Finance's annual fraud reports have consistently documented APP fraud as the fastest-growing and most costly category of payment fraud — losses reached £459 million in 2023, with business payment fraud representing a significant share. The pattern is clear: as real-time payment adoption has grown, APP fraud losses have grown proportionally, because the fraud ecosystem adapts to the payment infrastructure.

India's Unified Payments Interface (UPI), which processes billions of real-time transactions monthly, has documented a corresponding fraud evolution — with social engineering attacks specifically designed around UPI's request and payment flows. Brazil's PIX instant payment system, launched in 2020 and now one of the world's highest-volume real-time payment networks, has generated significant fraud losses concentrated in social engineering and account takeover, prompting the Banco Central do Brasil to impose transaction limits and monitoring requirements.

The consistent international lesson is that real-time payment fraud is not a novel or unpredictable problem — it is a predictable evolution of fraud patterns already present in the payment ecosystem, accelerated and amplified by the settlement speed and finality that real-time rails provide. Organizations entering the real-time payment environment in the United States are not facing an unknown risk. They are facing a documented risk whose shape and magnitude have been established by the experience of every market that preceded them.

Conclusion: The Rail That Rewards Preparation

Real-time payments are not inherently more fraudulent than other payment methods. The same social engineering, account takeover, and authorization manipulation attacks that target ACH, wire, and check payments also target real-time payments. What is different is the consequence of a successful attack and the window available to prevent one.

The organizations that will manage real-time payment risk effectively are those that treat the rail's speed as a design constraint on their control architecture rather than an operational feature to be accommodated. Pre-authorization controls — vendor verification, payment instruction authentication, dual approval workflows that complete before submission rather than after — are not optional enhancements for real-time payment programs. They are the only controls available, because post-authorization controls operate after the money is gone.

The compressed control window is real-time payments' defining risk characteristic. Closing it before it is exploited is the defining challenge for the finance and treasury functions that govern these disbursements.
