AI Fraud: The Mills Review Exposes Financial Enablers
The UK Financial Conduct Authority’s Mills Review on AI and the future of retail financial services should not be read merely as a technology report. For consumer protection organisations, it is a warning about the next stage of industrialised financial fraud.
The Review recognises that artificial intelligence will transform retail financial services by 2030 and beyond. It also warns that AI will amplify fraud and cyber risks by making attacks faster, cheaper, more scalable and more persuasive. Deepfakes, synthetic identities and personalised social engineering are identified as key drivers of this new risk environment.
For EFRI, this is not a speculative future problem. It confirms EFRI’s long-standing position: mass online investment fraud is not merely a problem of fraudulent websites or fake brokers. It is enabled by a wider infrastructure of platforms, payment providers, banks, acquirers, card schemes, technology providers and weak supervision.
AI will not invent financial fraud. It will industrialise it.
The enforcement gap remains the real weakness
The Mills Review is right to suggest that enforcement and supervision must respond at the same level of sophistication as AI-enabled fraud.
But in Europe, this remains largely aspirational.
The uncomfortable reality is that online fraud is not new. It has existed for many years, and victims have seen little evidence that enforcement capacity has kept pace with cross-border financial crime. Mutual legal assistance requests still take months or even years. Prosecutors and courts remain under-resourced. Financial supervisors still often fail to recognise the scale and seriousness of the problem, relying on administrative fines after the damage has been done instead of public naming, early intervention and coordinated disruption of repeat enablers.
Criminal networks operate in real time. Enforcement still operates through files, jurisdictions, procedural delays and, too often, formalistic requests for documents rather than rapid intelligence-led intervention.
This gap is precisely why AI-enabled fraud cannot be addressed by enforcement rhetoric alone. Without enforceable duties, real-time data sharing and liability for all actors that enable, facilitate, amplify or monetise fraud — including payment providers, banks, acquirers, card schemes, digital platforms, telecom operators, hosting providers, identity-verification providers, technology vendors and other gatekeepers — the promise of fighting AI fraud with equally advanced supervisory tools will remain an illusion.
Fraud is an ecosystem, not a single scam website
Online investment fraud is not committed only by the visible scam website or the fake broker on the phone. It is enabled by an ecosystem: online platforms that generate victims, technology providers that support deception, payment service providers that process funds, banks that maintain accounts, card schemes that facilitate acceptance, and regulators that too often supervise each actor in isolation.
This is why the Mills Review matters. It recognises that AI-related fraud risks do not remain inside one regulated firm. They spread across firms, platforms, payment rails, identity systems, technology providers and jurisdictions.
Victims experience the fraud as one coordinated scheme, while regulators and courts too often divide it into separate technical relationships.
That is the central consumer protection issue.
Enablers cannot hide behind neutrality
If fraud risk spreads through payment rails, platforms, telecom networks, hosting infrastructure and identity systems, the relevant actors cannot credibly present themselves as passive infrastructure. If fraud is scaled through platforms, payment processors, acquirers, banks, technology providers and other gatekeepers, consumer protection cannot stop at warning consumers to be more careful.
The Mills Review should therefore also be read as a report about financial crime enablers. AI may accelerate fraud, but the decisive question remains who provides the infrastructure that allows fraud to be scaled, targeted and monetised.
Awareness is not redress. Guidance is not compensation. Scam education is not a substitute for enforceable duties on firms that enable the flow of victims, data, communications and money.
AI will make existing fraud more efficient
The Review does not claim that AI will create entirely new forms of crime. Its more important message is that AI will allow existing weaknesses to be exploited faster and at greater scale.
Criminals will be able to generate more convincing fake investment platforms, more personalised victim scripts, more realistic fake identities, more persuasive recovery-scam approaches and more effective impersonation of brokers, lawyers, compliance officers or regulators. Synthetic identities may also make onboarding abuse and mule-account structures harder to detect.
The result is not merely more fraud. It is more efficient fraud.
A recurring weakness in financial crime policy is the assumption that consumers can protect themselves if they are properly warned. That assumption is already unrealistic. In an AI-enabled fraud environment, it becomes indefensible.
Individual consumers cannot realistically detect whether an investment offer is supported by synthetic identities, manipulated reviews, fake regulatory references, AI-generated communication and a payment chain routed through regulated financial institutions.
Enablers see patterns victims cannot see
Banks, PSPs, acquirers, card schemes and platforms see patterns that individual victims cannot see. They see repeated transactions, merchant behaviour, complaints, chargebacks, account structures, transaction flows and suspicious correlations across customers.
If these firms have the data and the control points, they must also carry enforceable duties.
Payment infrastructure is not incidental to online investment fraud. It is central. Without banks, acquiring institutions, payment processors and card schemes, large-scale online investment fraud cannot be monetised at scale.
A payment firm may not have written the fake investment script. A platform may not have processed the final transaction. A telecom operator may not have designed the scam website. A hosting provider may not have spoken to the victim. But where actors repeatedly enable high-risk activity, ignore warning signs, fail to act on complaints or allow suspicious structures to continue, they become part of the enabling ecosystem.
Regulators must supervise the system, not only the firm
The Mills Review is also important because it recognises that supervision must become more system-wide. Traditional supervision is too fragmented. One regulator looks at the bank. Another looks at the payment institution. Another looks at the platform. Another looks at data protection. Criminal networks exploit the gaps between them.
Victims experience one fraud. Regulators see separate compliance files.
AI-enabled fraud will widen this gap unless regulators change their method. If criminals use AI to test, adapt and scale fraud across borders, regulators cannot rely on slow, complaint-driven, institution-by-institution supervision. They need shared intelligence, real-time pattern detection, cross-border data access and enforcement powers that follow the money.
The missing issue is compensation
The Mills Review recognises that AI-enabled finance will make questions of consent, accountability and redress more complex. It also notes that many consumers do not understand whether formal routes to recourse exist when something goes wrong. This is important.
But for fraud victims, redress cannot be reduced to better complaints handling, clearer audit trails or access to an ombudsman.
Redress must also mean compensation.
The Review does not answer the central question of who should compensate victims when AI-enabled fraud is facilitated by an ecosystem of social media, payment providers, telecom operators, hosting providers, identity-verification providers and technology vendors.
For victims, redress means getting money back. It means identifying who is responsible when regulated institutions enabled fraudulent payment flows. It means not being forced into years of individual litigation against fragmented entities across jurisdictions.
If AI-enabled fraud is systemic, redress must become systemic too.
Europe should not wait for the next wave
The Mills Review is a UK report. But the problem it describes is European and global.
Cross-border investment scams already exploit jurisdictional fragmentation. Victims may live in one country, the scam website may be hosted elsewhere, the payment processor may be licensed in another jurisdiction, the bank account may sit in a fourth country, and the beneficial owners may be hidden behind offshore structures.
AI will make this model more scalable.
Europe should not wait for the next wave of AI-enabled scams. The current EU debate on digital finance, payment services, anti-money laundering, platform responsibility and AI governance must be connected to the reality of mass consumer fraud. It must produce an adequate regulatory response and finally deliver on a basic promise: digitalisation must not be pursued at the expense of consumers.
AI is the accelerator. Enablers are the liability question.
AI is not the fraudster. It is the accelerator.
The real question is whether regulators, courts and lawmakers will continue to treat banks, payment service providers, acquirers, card schemes, platforms, telecom operators, hosting providers, identity-verification providers and technology vendors as neutral infrastructure — or whether they will finally recognise that large-scale financial fraud depends on an enabling ecosystem.
The next wave of AI-enabled financial fraud will not be stopped by asking victims to become better risk managers. It will be stopped only if regulators, courts and lawmakers impose real duties on the actors that see the patterns, control the infrastructure and profit from the flows. These duties have to be enforced. Those duties must be enforced in practice. Repeat enablers must be exposed publicly, sanctioned effectively and, where their conduct crosses the criminal threshold, prosecuted and convicted.
This is also the logic behind EFRI’s proposed model of Shared Liability for European payment fraud. In our paper Restoring Trust in European Payment Rails: A Framework for a Shared Liability Reform, EFRI argues that current liability rules misalign incentives along the payment chain and leave victims exposed, even where institutional gatekeeping failures are recurring and foreseeable. The proposed model links liability to functional control: the actors that are best placed to detect, stop and prevent fraud must also bear responsibility when one of the actors involved in the scam chain fails to do so.
Shared Liability is not about shifting all losses blindly to one actor. It is about aligning incentives across the full scam chain — sending and receiving PSPs, banks, acquirers, platforms, telecoms and other actors with relevant control points. A reimbursement anchor for victims, combined with calibrated recourse between responsible institutions, would force the ecosystem to internalise the cost of preventable fraud instead of externalising it onto consumers.
That is why the Mills Review matters beyond the UK AI debate. It confirms the factual premise of Shared Liability: financial fraud is no longer a series of isolated consumer mistakes. It is an infrastructure-enabled, data-visible and increasingly AI-accelerated risk.
EFRI’s message is clear: consumer protection must move upstream. The firms that enable, process and profit from fraudulent flows must be made responsible for the harm they help make possible.




