Third-Party Fraud: Definition and Use in Compliance
Third-party fraud is a category of financial crime in which a perpetrator uses a real person's identity, account credentials, or financial information without that person's knowledge or consent to obtain money, credit, goods, or services.
What is Third-Party Fraud?
Third-party fraud is financial crime committed by an external perpetrator using a real person's identity, credentials, or account access without that person's consent. The legitimate account holder is the victim; the criminal is the "third party" acting between the institution and the customer.
The four most common forms are:
- Identity theft: Stolen personal data (name, Social Security number, date of birth, address) used to open new credit lines or deposit accounts the victim never applied for.
- Account takeover: An existing account hijacked through credential theft, phishing, SIM swapping, or social engineering. Once inside, the criminal drains funds or routes stolen money through the account to the next destination.
- Card fraud: Payment credentials stolen through data breaches, skimming devices, or dark web markets, then used for unauthorized card-not-present purchases.
- Check fraud: Forged, counterfeit, or stolen checks drawn against a victim's account.
Distinguishing third-party fraud from first-party fraud is the first task in any investigation. First-party means the account holder is the perpetrator; third-party means they're the victim. That classification drives SAR narrative language, customer contact decisions, and whether reimbursement rules apply.
By volume, third-party fraud dominates reported financial crime. The Federal Trade Commission's Consumer Sentinel Network Data Book 2023 recorded over 1 million identity theft reports in the United States. Identity theft was the most reported fraud category that year. UK Finance's Annual Fraud Report 2024 put unauthorized fraud losses at £1.17 billion for the UK, with third-party typologies accounting for the majority of incidents by count.
Beyond direct losses, each incident generates investigation costs, SAR filing obligations, customer remediation expenses, and potential regulatory scrutiny. Banks that track end-to-end incident costs consistently put the total at 3x to 5x the face value of the fraud itself.
How is Third-Party Fraud used in practice?
Fraud and compliance teams deal with third-party fraud at three distinct points: onboarding, account management, and transaction processing. Each stage requires different controls.
At onboarding, Customer Due Diligence (CDD) is the primary gate. Identity documents go through optical character recognition and cross-checking against credit bureau records, death registers, and fraud consortium databases. Liveness detection catches photo-based impersonation. Fraudsters presenting stolen documents aim to pass all checks simultaneously, which is why layered verification, rather than any single control, is the standard approach.
Post-onboarding, behavioral change is the main signal. Transaction monitoring looks for accounts deviating from their own established patterns: dormant accounts receiving large wire transfers, multiple card-not-present purchases in rapid succession from a new device, or a new payee added moments before a large outbound transfer. These patterns don't confirm fraud on their own, but they trigger investigation queues.
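The three behavioral patterns named above, written as detection logic over an event stream. This is an added example, not code from the original page; the event fields, rule names, thresholds and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the page).
DORMANT, LARGE = timedelta(days=180), 5_000
PAYEE_GAP = timedelta(minutes=10)
CNP_WINDOW, CNP_COUNT = timedelta(minutes=5), 3

def detect(events):
    """Return sorted (account, rule) alerts for the three behavioral patterns."""
    last_seen, first_dev, payee_added, cnp, alerts = {}, {}, {}, {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        acct, t, kind = e["acct"], datetime.fromisoformat(e["ts"]), e["type"]
        amt, prev = e.get("amount", 0), last_seen.get(acct)
        # 1. Dormant account receiving a large inbound wire.
        if kind == "wire_in" and amt >= LARGE and prev and t - prev >= DORMANT:
            alerts.add((acct, "dormant_large_inbound"))
        # 2. Large outbound transfer to a payee added moments earlier.
        if kind == "payee_add":
            payee_added[(acct, e["payee"])] = t
        if kind == "transfer_out" and amt >= LARGE:
            added = payee_added.get((acct, e["payee"]))
            if added and t - added <= PAYEE_GAP:
                alerts.add((acct, "new_payee_then_large_transfer"))
        # 3. Burst of card-not-present purchases from a device that is new
        #    to an account which already had another known device.
        if kind == "cnp_purchase":
            known = first_dev.setdefault(acct, {})
            first = known.setdefault(e["device"], t)
            key = (acct, e["device"])
            cnp[key] = [x for x in cnp.get(key, []) if t - x <= CNP_WINDOW] + [t]
            if len(known) > 1 and t - first <= CNP_WINDOW and len(cnp[key]) >= CNP_COUNT:
                alerts.add((acct, "cnp_burst_new_device"))
        last_seen[acct] = t
    return sorted(alerts)

# Constructed sample events; account, payee and device IDs are made up.
EVENTS = [
    {"acct": "A1", "ts": "2023-01-10T08:00:00", "type": "login"},
    {"acct": "A1", "ts": "2023-09-01T10:00:00", "type": "wire_in", "amount": 20000},
    {"acct": "A2", "ts": "2023-08-01T10:00:00", "type": "cnp_purchase", "device": "d1", "amount": 20},
    {"acct": "A2", "ts": "2023-09-01T12:00:00", "type": "cnp_purchase", "device": "d9", "amount": 90},
    {"acct": "A2", "ts": "2023-09-01T12:01:00", "type": "cnp_purchase", "device": "d9", "amount": 95},
    {"acct": "A2", "ts": "2023-09-01T12:02:00", "type": "cnp_purchase", "device": "d9", "amount": 99},
    {"acct": "A3", "ts": "2023-09-01T09:00:00", "type": "payee_add", "payee": "P7"},
    {"acct": "A3", "ts": "2023-09-01T09:04:00", "type": "transfer_out", "payee": "P7", "amount": 9000},
    {"acct": "A4", "ts": "2023-01-01T09:00:00", "type": "payee_add", "payee": "P1"},
    {"acct": "A4", "ts": "2023-09-01T09:00:00", "type": "transfer_out", "payee": "P1", "amount": 9000},
]
```

Account A4 makes the same large transfer as A3 but to a payee added months earlier, so it raises no alert; each alert is a queue entry for investigation, not a fraud confirmation.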
When a case opens, the investigator's first question is classification: victim or perpetrator? Third-party fraud means the account holder didn't authorize the activity. First-party fraud means they did. A money mule is a third category. Getting this right shapes everything, from the SAR narrative to the decision of whether to alert the customer.
Once third-party fraud is confirmed, standard procedure is an account freeze, a Suspicious Activity Report (SAR) filing, and a same-day recall request to the receiving bank. Fund recall through domestic payment schemes works reasonably well within the first few hours. After 24 hours, recovery rates drop sharply. After 72 hours, recovery is rare. Speed of detection is the single biggest variable in net loss outcomes.
Third-Party Fraud in regulatory context
Regulators treat third-party fraud as both a consumer protection issue and an AML/CFT issue. Both frameworks apply simultaneously, and they impose different obligations.
In the United States, the Bank Secrecy Act requires financial institutions to file a SAR for transactions of $5,000 or more involving a known suspect, or $25,000 or more even without a suspect. Third-party fraud schemes consistently clear these thresholds. FinCEN's BSA compliance resources specify that SAR filings for fraud-related activity should describe the victim's relationship to the account, the fraud method, and any remediation steps taken. Filings in identity theft and elder financial exploitation categories feed directly into law enforcement investigations.
In the UK, the Financial Conduct Authority holds banks accountable under the Payment Services Regulations 2017. When a customer reports an unauthorized transaction, the bank must refund within one business day unless it can demonstrate gross negligence by the customer. The Payment Systems Regulator reinforced this distinction in its 2023 reimbursement model, formally separating "unauthorized fraud" from authorized push payment fraud, which falls under a separate set of rules.
In the EU, PSD2's Strong Customer Authentication requirements were designed specifically to reduce account takeover and card-not-present third-party fraud. Institutions with weak SCA fallback flows carry higher chargeback liability.
Across all major jurisdictions, third-party fraud is a predicate offense for money laundering under FATF Recommendation 3, which requires member jurisdictions to criminalize the laundering of proceeds from fraud. When stolen funds move through the financial system, the banks processing those flows face potential AML enforcement. That's why supervisors treat SAR timelines and fund recall procedures as regulatory obligations rather than optional operational choices.
Common challenges and how to address them
The identity verification gap is hardest to close at onboarding. Stolen credentials pass standard document checks. AI-generated synthetic videos now defeat basic liveness detection systems. The response is layering: consortium negative data as a second-pass filter after document verification, behavioral signals captured during the application session (typing cadence, device fingerprint, browser environment), and enhanced review for high-risk profiles such as high-limit credit applications from applicants with thin or recently opened bureau histories.
The behavioral baseline problem hits post-onboarding. A patient fraudster will age the account, make a few small legitimate-looking transactions, and execute the fraud weeks later. Standard velocity rules miss this entirely. Longer lookback windows and peer group comparisons, measuring an account's behavior against similar accounts opened at the same time, catch these patterns more reliably than point-in-time thresholds.
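The contrast between a point-in-time velocity rule and a peer group comparison over a longer lookback, as an added example that is not from the original page. The cohort, the transactions, the 60-day lookback and the median/MAD modified z-score with a 3.5 cutoff are assumptions chosen for this illustration.

```python
from statistics import median

def velocity_rule(txns, max_per_day=5):
    """Point-in-time rule: accounts with more than max_per_day txns on one day."""
    counts = {}
    for acct, day, _ in txns:
        counts[(acct, day)] = counts.get((acct, day), 0) + 1
    return sorted({a for (a, _), n in counts.items() if n > max_per_day})

def peer_outliers(txns, cohort, today=60, lookback_days=60, cutoff=3.5):
    """Accounts whose peak outbound amount in the lookback window is a
    robust outlier against accounts opened in the same month."""
    peak = {a: 0.0 for accts in cohort.values() for a in accts}
    for acct, day, amt in txns:
        if today - lookback_days < day <= today:
            peak[acct] = max(peak[acct], amt)
    flagged = []
    for accts in cohort.values():
        vals = [peak[a] for a in accts]
        med = median(vals)
        # Median absolute deviation; fall back to 1.0 if the cohort is flat.
        mad = median(abs(v - med) for v in vals) or 1.0
        for a in accts:
            # Modified z-score: 0.6745 scales MAD to a standard deviation.
            if 0.6745 * (peak[a] - med) / mad > cutoff:
                flagged.append(a)
    return sorted(flagged)

# Constructed data: six accounts opened in the same month, each making one
# small weekly payment (day numbers count from account opening).
COHORT = {"2023-06": ["C1", "C2", "C3", "C4", "C5", "C6"]}
TXNS = [(a, d, 20.0 + 10 * i)
        for i, a in enumerate(COHORT["2023-06"])
        for d in range(5, 60, 7)]
# C4 is the aged account: weeks of small activity, then one large transfer.
TXNS.append(("C4", 58, 4800.0))

if __name__ == "__main__":
    print("velocity rule:", velocity_rule(TXNS))
    print("peer outliers:", peer_outliers(TXNS, COHORT))
```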
Alert volumes drain investigation capacity. Traditional rule-based systems routinely produce false positive rates above 90%, meaning analysts spend most of their time clearing legitimate transactions. Recalibrating thresholds using confirmed historical fraud labels and adding pre-filter signals such as IP risk scores and device reputation typically reduces alert volume without increasing missed fraud.
The mule account gap is a systemic problem no single institution can solve independently. In most third-party fraud schemes, stolen funds move through one or more money mule accounts before exiting the banking system. Detecting fraud at the originating bank doesn't recover funds if the receiving bank doesn't freeze them in time. Inter-bank fraud intelligence sharing programs, such as the UK's Mule Insights Tactical Exchange, have enabled faster cross-institution fund freezing than institutions operating in isolation.
SCA fallback exploitation is a growing attack vector. Fraudsters target backup authentication flows specifically because those paths tend to have weaker controls than primary SCA. Regular penetration testing of all fallback flows, including SMS OTP intercepts and push notification handling, closes these gaps before attackers map them.
Related terms and concepts
Third-party fraud sits within a broader taxonomy that investigators must navigate precisely. The terms overlap but carry distinct legal and operational implications.
Synthetic identity fraud is the most common point of confusion. In synthetic fraud, the criminal constructs a fake identity from mixed real and fabricated data. Third-party fraud uses a real, existing person's identity without modification. Detection approaches differ: synthetic identities age in credit bureau systems for months before a bust-out event, while third-party fraud typically triggers victim complaints within days of the fraudulent transaction.
Authorized Push Payment (APP) fraud is legally distinct, though often conflated with third-party fraud in practice. In APP fraud, the victim is deceived into authorizing the payment. The transaction is technically authorized, which takes it outside the "unauthorized fraud" rules that govern most third-party fraud reimbursement frameworks. UK regulators treat the two as separate categories with separate reimbursement regimes.
Account takeover is a subset of third-party fraud. Every ATO is third-party fraud, since the criminal is external and acts without the account holder's consent. Third-party fraud extends further to include new account fraud opened with a stolen identity, unauthorized card usage, and check fraud. Not every third-party fraud event involves an existing account.
Money mule accounts appear in nearly every third-party fraud case. Once stolen, funds move through one or more mule accounts for layering before final extraction. Identifying and freezing the mule layer quickly is how banks limit net losses after a fraud event.
First-party fraud is the direct counterpart. Third-party fraud victims deserve reimbursement, support, and law enforcement referral on their behalf. First-party perpetrators warrant account termination, a SAR naming them as the subject, and potential referral for prosecution. Accurate classification at the investigation stage separates the two outcomes, and getting it wrong in either direction carries real cost.
Where does the term come from?
The phrase "third party" in a fraud context positions the criminal as an outsider relative to the two primary parties in a financial transaction: the institution (first party) and its customer (second party). The criminal acting against that relationship is the "third party."
The term became standard in UK regulatory guidance after the Payment Systems Regulator began formally distinguishing "unauthorized fraud" (third-party) from authorized push payment fraud in its 2016 consultation papers on APP scams. In the US, FFIEC BSA examination guidance has used "third-party perpetrator" language for decades. Today the term appears consistently in FCA supervisory statements, ECB risk reports, FinCEN advisory notices, and Wolfsberg Group typology guidance, referring specifically to external perpetrators acting without the account holder's authorization.
How FluxForce handles third-party fraud
FluxForce AI agents monitor third-party fraud-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.