BNPL: Safeguard Your Transactions and Prevent BNPL Fraud
16 min read Jul 2024

Buy Now Pay Later (BNPL) crossed USD 560 billion in global GMV in 2025, growing 13.7% year over year (fintech industry data, 2025). Fraud is scaling faster than the rails. Synthetic identity fraud cases jumped 60% in 2024 per Experian's 2024 Global Identity and Fraud Report, BNPL disputes rose 17% in the same year, and 80% of Q1 2025 new account fraud cases were linked to synthetic identities. The BNPL fraud prevention market itself grew from USD 3.99 billion to USD 4.95 billion in a single year, a measure of how much capital merchants and providers are now committing to defense.

This guide explains why BNPL is structurally more fraud-prone than card payments, the four attack patterns that drive most losses, the regulatory shifts in the UK and US, and how Juspay Hyperswitch reduces fraud exposure through multi-stage checks and unified rule configuration.

Why BNPL Is Structurally More Fraud-Prone Than Cards

BNPL fraud differs from card fraud in three important ways, and each one widens the attack surface.

Soft credit checks at onboarding. Most BNPL providers run thin-file checks that approve users in under 30 seconds. Compared to a traditional credit card application, the verification bar is dramatically lower. This is by design (BNPL's value proposition is friction-free credit), but it lets fraudsters with stolen or synthesized identities open accounts at scale.

Provider holds the loss. BNPL providers function simultaneously as lender and payment guarantor. When fraud succeeds, the provider is on the hook for the merchandise (paid to the merchant) and the unrecoverable loan. Card networks split fraud liability between issuer, acquirer, and merchant; BNPL providers carry it alone.

Account-takeover blast radius. Once a fraudster takes over a legitimate BNPL account, they can spend up to the user's pre-approved credit line across hundreds of merchants, immediately. Unlike a card, where each issuer enforces transaction-level limits, BNPL accounts often have a single pooled credit line that drains in minutes.

The combined effect: synthetic identity fraud is now the fastest-growing attack vector against BNPL, with estimated losses exceeding USD 35 billion globally per industry research. Juniper Research projects BNPL transaction volume will reach USD 334 billion in 2024 alone, multiplying the absolute dollar exposure each year.

The Four BNPL Fraud Patterns Merchants See Most

| Fraud Type | What It Is | Detection Difficulty | Typical Loss Profile |
| --- | --- | --- | --- |
| Synthetic identity | Combines real + fabricated PII (real SSN, fake name) to open accounts | High (passes most KYC) | Large, slow burn over 6 to 18 months before first default |
| Account takeover (ATO) | Fraudster gains access to legitimate BNPL account via credential stuffing or phishing | Medium (sudden behavior shift) | Fast, high value, can drain entire credit line in hours |
| First-party (friendly) fraud | Real customer disputes a legitimate purchase to keep merchandise without paying | Low to medium (post-fact) | Steady, dispute-driven, hard to recover even when proven |
| Stolen identity / new account fraud | Fraudster uses entirely real but stolen PII to open a new BNPL account | Medium (depends on KYC depth) | Single-burst, large transactions, abandons account |

Synthetic identity attacks are the hardest to stop because the synthesized identity has no prior bad history to flag. Fraudsters often "season" an identity for months, paying small purchases on time to build a positive record, before triggering a large bust-out where they max out the credit line and disappear. In Q1 2025, more than 365,000 identity theft cases were reported, and 80% were linked to synthetic identities used in new account fraud.

What's at Stake: The Real Cost of BNPL Fraud

Direct fraud losses are only the visible cost. The full economic impact across the BNPL ecosystem looks like this:

| Cost Layer | Who Bears It | Magnitude |
| --- | --- | --- |
| Direct fraud loss | BNPL provider primarily; merchants on first-party fraud | Industry-wide losses in tens of billions annually |
| Chargeback fees | Merchant | USD 15 to USD 50 per dispute, plus operational time |
| Increased KYC and underwriting cost | BNPL provider, passed to merchant via fees | 0.2 to 0.5% of GMV in expanded controls |
| False positive declines | Merchant (lost revenue) | Roughly 1 to 5% of legitimate transactions blocked |
| Reputation and customer trust | Merchant | Hard to quantify, hard to recover |
| Regulatory fines (UK from 2026) | BNPL provider | Up to 4% of global revenue under FCA rules |

For a merchant doing USD 100M in BNPL volume, a 3% chargeback rate is USD 3M in disputed transactions, of which typically 60 to 80% go against the merchant after representment.

The Regulatory Reset: UK and US Diverging in 2025-2026

Two of the largest BNPL markets are taking opposite regulatory paths.

United Kingdom: The UK announced a comprehensive BNPL regulatory regime on 19 May 2025, with rules taking effect mid-2026. Third-party BNPL lenders (Klarna, Clearpay, and others operating in the UK) will require full FCA authorization, must comply with the Consumer Duty, perform creditworthiness assessments, and adhere to strengthened rules on arrears and forbearance. The new regime is expected to deliver additional protections to more than 10 million UK BNPL users (UK government announcement, May 2025).

United States: The CFPB withdrew its 2024 BNPL interpretive rule on 12 May 2025 and confirmed on 20 June 2025 that no replacement federal rule will be issued, citing procedural defects and misalignment with BNPL's structure. The US therefore has no unified federal BNPL regime; consumer protection varies state-by-state, with California, New York, and Massachusetts leading on disclosure requirements.

The practical effect: merchants operating BNPL in both regions must build dual compliance pathways. UK flows now require richer KYC, affordability checks, and forbearance procedures; US flows operate under a patchwork that continues to favor BNPL providers.

The Six-Layer Fraud Defense Stack for BNPL

Effective BNPL fraud defense is layered. No single signal stops the full range of attacks, but combining six layers in a single decision pipeline reduces fraud loss by 60 to 80% versus single-layer defenses, per industry benchmarks.

Layer 1: Identity Verification and KYC

The first line of defense: document verification (passport, driver's license), liveness checks (selfie matching against ID), and database lookups against synthetic identity indicators (newly issued SSN, mismatched name and address history, thin credit file with anomalous patterns).

Layer 2: Device and Behavioral Fingerprinting

Device fingerprinting captures over 100 signals (IP, user-agent, fonts, canvas, language, time zone) to identify whether the device has been seen before, including for known fraudulent accounts. Behavioral biometrics adds keystroke cadence, mouse movement, and form-fill timing, all of which differ measurably between humans and bots and between legitimate users and account takeovers.

Layer 3: Velocity and Network Rules

Hard rules on the rate of activity: the number of accounts created from a single device or IP per hour, the frequency of high-value purchases on a young account, and repeated shipping-address changes. Velocity rules catch most bust-out attempts because the attacker rushes to extract value before the seasoning effect wears off.
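
Two of the velocity rules named above (account creations per device or IP per hour, high-value purchases on a young account), as an added example that is not code from Hyperswitch or any FRM vendor. The thresholds, field names and event stream are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
# All thresholds are assumptions for illustration; tune them on your own data.
WINDOW = 3600        # sliding window in seconds (one hour)
MAX_SIGNUPS = 3      # account creations allowed per device or IP per window
YOUNG_DAYS = 30      # accounts younger than this count as "young"
HIGH_VALUE = 500     # purchase amount treated as high value
MAX_HIGH_VALUE = 2   # high-value purchases allowed per young account per window

class VelocityRules:
    def __init__(self):
        self.seen = defaultdict(deque)   # (rule, entity) -> timestamps in window

    def _count(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while q[0] <= ts - WINDOW:       # expire events older than the window
            q.popleft()
        return len(q)

    def check(self, ev):
        """Return the names of the rules this event trips (empty list = pass)."""
        tripped = []
        if ev["type"] == "signup":
            for field in ("device_id", "ip"):
                if self._count(("signup", field, ev[field]), ev["ts"]) > MAX_SIGNUPS:
                    tripped.append("signup_velocity_" + field)
        elif ev["type"] == "purchase":
            risky = ev["account_age_days"] < YOUNG_DAYS and ev["amount"] > HIGH_VALUE
            if risky and self._count(("hv", ev["account_id"]), ev["ts"]) > MAX_HIGH_VALUE:
                tripped.append("high_value_young_account")
        return tripped

def signup(ts, device, ip):
    return {"type": "signup", "ts": ts, "device_id": device, "ip": ip}
def purchase(ts, account, age, amount):
    return {"type": "purchase", "ts": ts, "account_id": account,
            "account_age_days": age, "amount": amount}

# Constructed sample stream (not real data); ts is seconds from an arbitrary start.
EVENTS = [signup(0, "dev-A", "198.51.100.1"), signup(600, "dev-A", "198.51.100.2"),
          signup(1200, "dev-A", "198.51.100.3"), signup(1800, "dev-A", "198.51.100.4"),
          signup(5500, "dev-A", "198.51.100.5"), purchase(6000, "acct-9", 5, 600),
          purchase(6100, "acct-9", 5, 700), purchase(6200, "acct-9", 5, 900),
          purchase(6300, "acct-1", 400, 900)]

def evaluate(events):
    rules = VelocityRules()
    return [rules.check(ev) for ev in sorted(events, key=lambda e: e["ts"])]
```

The fourth signup from the same device inside the hour trips the device rule even though each signup uses a different IP, and the fifth passes because the earlier ones have aged out of the window.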

Layer 4: 3D Secure and Strong Customer Authentication

For BNPL transactions that involve a card-funded leg (e.g., the deposit on a "Pay-in-4" plan), EMV 3DS 2.2 authentication shifts liability to the issuer in most cases and adds an issuer-side fraud check. The EU PSD2 SCA framework requires 3DS for most online card transactions; merchants outside the EU should still enable it because the auth-rate uplift typically exceeds the friction cost.

Layer 5: Machine Learning Risk Scoring

Real-time ML models combine the prior layers (identity, device, behavior, velocity, transaction features) into a single risk score. Modern fraud platforms generate scores in under 100ms and update continuously as new fraud patterns emerge. This is the layer that catches synthetic identity bust-outs because it can detect the subtle pattern shifts that rules miss.

Layer 6: Post-Transaction Monitoring

Even an approved transaction is not closed. Continuous monitoring of repayment behavior, address changes, and transaction patterns can flag a fraud attempt mid-cycle and freeze further authorization before the full credit line is drained.

How Juspay Hyperswitch Helps Merchants Operationalize BNPL Fraud Defense

Juspay Hyperswitch is an open-source payment orchestrator that exposes one unified API for 300+ processors and payment methods, including BNPL providers and fraud risk management (FRM) systems. For a merchant defending against BNPL fraud, the value is consolidating six defense layers and multiple BNPL providers into a single configuration plane.

Multi-Stage Fraud Checks Built Into the Payment Flow

Juspay Hyperswitch's FRM module supports five distinct fraud check stages, each invoked at a different point in the transaction lifecycle:

| Stage | When It Runs | Typical Use |
| --- | --- | --- |
| Sale | Pre-authorization | High-level account and device risk scoring before reserving credit |
| Checkout | At checkout submission | Velocity rules, device fingerprint, address verification |
| Transaction | During authorization | ML risk score, 3DS decision, BIN-level rules |
| Fulfillment | Pre-shipment | Final review for high-risk orders flagged for manual decision |
| RecordReturn | Post-return | Track return abuse patterns to feed back into risk scoring |

Each stage can call a different FRM provider or combine providers. A merchant can run a quick velocity check at Checkout and a full ML risk score from Signifyd at Transaction, all within one orchestrated flow.

Native Connectors for Major FRM and BNPL Providers

Juspay Hyperswitch ships with built-in connectors for the leading FRM platforms used in BNPL fraud defense:

| FRM Connector | Specialization |
| --- | --- |
| Signifyd | Decisioning engine with full chargeback guarantee on covered orders |
| Riskified | E-commerce-focused ML platform with chargeback protection |
| Cybersource Decision Manager | Visa-owned platform with deep card network signal access |

On the BNPL side, Juspay Hyperswitch supports Klarna, Affirm, Afterpay/Clearpay, Alma, Flexiti, PayBright, Walley, Atome, Breadpay, and Payjustnow as direct connectors, with additional BNPL access via Adyen and Stripe. Configuration is per-country and per-currency, declared in the deployment configuration. Adding a new BNPL provider in a new market is a Control Center change rather than an engineering project.

Unified Rule Configuration

Fraud rules in Juspay Hyperswitch are written once in the Control Center and applied across every payment method, including BNPL. A merchant can write a rule like:

IF payment_method == "pay_later"
   AND amount > 500
   AND customer_account_age_days < 30
   AND device_fingerprint_seen_before == false
THEN fraud_check = "strict"
   AND require_3ds = true

This rule fires across Klarna, Affirm, Afterpay, and any other BNPL connector without per-provider duplication.

Implementation Checklist: Hardening BNPL Fraud Defense in 2026

For a merchant building or upgrading BNPL fraud defense, the practical sequence:

  1. Layer device fingerprinting and behavioral biometrics into checkout. Done before any other change, this gives you a 30-50% lift in attack visibility with no merchant-side rule logic.
  2. Configure velocity rules for the top 5 fraud patterns. Account creation rate per device, BNPL transactions per IP per hour, address change frequency, repeated declines, and bust-out signals.
  3. Add 3DS 2.2 to the card-funded leg of every BNPL transaction. PSD2-compliant where required; opt-in elsewhere for the auth-rate uplift.
  4. Integrate at least one ML-based FRM provider. Signifyd, Riskified, or Cybersource Decision Manager. Run it in shadow mode for 4 weeks to tune thresholds before going live.
  5. Add multi-stage fraud checks via orchestrator. Use Sale, Checkout, Transaction, Fulfillment hooks to layer the cost of fraud checking against transaction value.
  6. Build the post-transaction monitoring loop. Feed dispute outcomes back into the ML model. The single biggest improvement in fraud loss rate comes from closing this feedback loop.
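
Step 4's shadow-mode tuning as an added example (not Hyperswitch or FRM-vendor code): replay the scores logged in shadow mode against later-confirmed outcomes, then pick the decline threshold that catches the most fraud while keeping false-positive declines under a cap. The 0-100 score scale, the log entries and the caps used are assumptions constructed for illustration.

```python
# Constructed shadow-mode log (not real data): the FRM's risk score (0-100) for each
# order, and whether the order was later confirmed as fraud (e.g. via a dispute).
LEGIT = [3, 5, 8, 10, 12, 15, 18, 20, 22, 25, 28, 30, 33, 35, 40, 45, 52, 58, 66, 81]
FRAUD = [48, 72, 77, 88, 95]
SHADOW_LOG = [(s, False) for s in LEGIT] + [(s, True) for s in FRAUD]


def sweep(log, thresholds):
    """For each candidate decline threshold, count what live mode would have done."""
    n_fraud = sum(1 for _, is_fraud in log if is_fraud)
    n_legit = len(log) - n_fraud
    rows = []
    for t in sorted(thresholds):
        caught = sum(1 for s, is_fraud in log if is_fraud and s >= t)
        blocked = sum(1 for s, is_fraud in log if not is_fraud and s >= t)
        rows.append({
            "threshold": t,
            "fraud_caught": caught,
            "legit_blocked": blocked,
            "recall": caught / n_fraud if n_fraud else 0.0,
            "false_positive_rate": blocked / n_legit if n_legit else 0.0,
        })
    return rows


def pick_threshold(log, thresholds, max_fpr):
    """Highest-recall threshold whose false-positive rate stays within max_fpr.

    Ties go to the higher threshold (fewer declines). Returns None when no
    candidate meets the cap, meaning the model should stay in shadow mode.
    """
    ok = [r for r in sweep(log, thresholds) if r["false_positive_rate"] <= max_fpr]
    if not ok:
        return None
    return max(ok, key=lambda r: (r["recall"], r["threshold"]))


if __name__ == "__main__":
    for row in sweep(SHADOW_LOG, range(50, 100, 10)):
        print(row)
    print("go-live threshold:", pick_threshold(SHADOW_LOG, range(50, 100, 10), 0.05))
```

On this constructed log a 5% cap selects threshold 70 (4 of 5 frauds caught, 1 of 20 legitimate orders blocked); tightening the cap to 1% pushes the threshold to 90 and recall drops to 1 of 5.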

For UK operations, plan FCA authorization and Consumer Duty compliance for the mid-2026 deadline. For US operations, monitor state-level developments (California's BNPL disclosure rules in particular) and align with the relevant state-level consumer protection statutes.

Frequently Asked Questions

What is BNPL fraud? BNPL fraud is any illegal exploitation of Buy Now Pay Later services to obtain goods, money, or personal data without intent to repay. The most common patterns are synthetic identity fraud (fabricated identities passing soft credit checks), account takeover, first-party (friendly) fraud where legitimate customers dispute valid purchases, and stolen identity new-account fraud. BNPL providers typically bear most of the direct loss because they function as both lender and payment guarantor.

Why is BNPL more fraud-prone than card payments? Three structural reasons. First, BNPL providers run soft credit checks at onboarding for fast approval, lowering the barrier for fraudsters. Second, the BNPL provider holds the full fraud loss rather than splitting it across an issuer-acquirer-merchant chain. Third, account takeover on BNPL drains a single pooled credit line across hundreds of merchants instantly, unlike a card where each issuer enforces transaction-level limits.

What is synthetic identity fraud and why is it growing 60% per year? Synthetic identity fraud combines real personal information (often a child's or deceased person's SSN) with fabricated names and addresses to create an identity with no prior credit history. Soft credit checks pass these identities easily. Fraudsters then "season" the identity with small on-time BNPL purchases for months before executing a bust-out where they max out the credit line. Experian's 2024 data shows a 60% year-over-year increase in cases, and 80% of Q1 2025 new account fraud was linked to synthetic identities.

Who pays for BNPL fraud losses? The BNPL provider absorbs most direct fraud loss because they function as both lender and payment guarantor. Merchants typically pay for first-party (friendly) fraud chargebacks plus increased provider fees passed through to cover rising fraud costs. Industry-wide, the BNPL fraud prevention market itself grew from USD 3.99B to USD 4.95B between 2024 and 2025.

Are BNPL transactions subject to 3D Secure? Yes, when a card is used to fund the BNPL plan (e.g., the down payment on a "Pay-in-4" plan or any card-on-file repayment). The card leg follows the same 3DS 2.2 rules as a regular card transaction. The BNPL credit decision itself is a separate underwriting flow run by the BNPL provider, not a 3DS check. Merchants should enable 3DS on every card-funded BNPL leg to shift fraud liability to the issuer.

How is the UK regulating BNPL in 2026? The UK FCA will bring BNPL into full regulation by mid-2026 under rules announced 19 May 2025. Third-party BNPL lenders will need FCA authorization, must perform creditworthiness assessments, comply with the Consumer Duty, and follow strengthened arrears and forbearance rules. The regime is expected to apply to over 10 million UK BNPL users.

What BNPL providers can a merchant integrate through Juspay Hyperswitch? Juspay Hyperswitch supports Klarna, Affirm, Afterpay/Clearpay, Alma, Flexiti, PayBright, Walley, Atome, Breadpay, and Payjustnow as native BNPL connectors, with additional access through Adyen and Stripe. All integrate via a single unified Payments API. Merchants can also configure FRM providers Signifyd, Riskified, and Cybersource Decision Manager for fraud checks at five different transaction stages.

The Bottom Line

BNPL is no longer a fast-growth experiment in the margins of payments. With USD 560 billion in 2025 GMV and 380+ million users globally, it is mainstream consumer credit, and fraud organizations are scaling defenses to match. Synthetic identity attacks have grown 60% in a year, dispute volumes are up 17%, and the UK is bringing the entire category under FCA oversight in 2026. Merchants who treat BNPL fraud as an afterthought will lose a disproportionate share of revenue to chargebacks and false positives.

The defense playbook is clear: layered controls, multi-stage fraud checks, ML-driven scoring, and a unified configuration surface across BNPL providers. Juspay Hyperswitch makes the orchestration of those layers a configuration concern rather than a multi-quarter engineering program, with 10+ BNPL connectors, 3 FRM providers, and centralized 3DS handling behind one API.

Get started at app.hyperswitch.io or read the API reference. For self-hosting, the GitHub repository is Apache 2.0 licensed.
