The FBI IC3 2024 report reveals record $16.6B in cybercrime losses. Learn how KYC prefill, KYB, and KYP help financial institutions cut fraud, protect payments, and meet rising regulatory expectations.
If you work in financial crime, you probably felt the tremor when the FBI published its latest Internet Crime Complaint Center (IC3) numbers. Reported losses hit a record $16.6 billion for 2024, with more than 859,000 complaints and older adults suffering the heaviest damage. The letter opening the report doesn’t mince words: fraud is driving the bulk of the losses, ransomware continues to dog critical infrastructure, and those over 60 both submitted the most complaints and lost the most money.
Pull on any one thread and the picture gets even sharper. “Cryptocurrency” isn’t a crime type, but as a descriptor across crimes it’s mentioned in 149,686 complaints and tied to $9.32 billion in losses. Business email compromise (BEC) alone accounts for $2.77 billion in losses. And the Bureau’s Recovery Asset Team (RAT) is now freezing fraudulent funds in both domestic and international rails—66% of attempted recoveries succeeded in 2024, with $469.1 million frozen domestically and $92.5 million internationally.
This isn’t just an American story. The top destinations for fraudulent wires include Hong Kong, Vietnam, Mexico, the Philippines, India, and China—an atlas of cross-border money movements that complicate every recovery.
Now layer in the regulatory drumbeat. In July 2025 the UK FCA fined Barclays £42 million for failings in financial crime risk management, highlighting a lack of robust controls in key relationships. Days earlier, Monzo was hit with a £21,091,300 penalty for inadequate anti-financial-crime systems and controls—findings that included opening accounts for high-risk customers despite a prohibition. Lithuania’s central bank levied a €3.5 million fine on Revolut after a routine inspection found deficiencies in monitoring relationships and operations. Dutch prosecutors, meanwhile, are taking Rabobank to court over longstanding AML failings tied to poor customer vetting.
And while law enforcement strains to hold the line—LockBit disrupted, thousands of ransomware decryption keys shared since 2022, and an estimated $800 million in payments avoided—attackers keep testing the gates. FinCEN’s analysis of fentanyl-linked illicit finance found $1.4 billion in suspicious transactions reported across 1,246 BSA filings in 2024 alone.
The through-line is simple: identity is the new perimeter, and it’s leaking. KYC, KYB, and KYP aren’t box-ticking extras; they’re the scaffolding that keeps the whole structure from listing to one side. The question for leaders isn’t whether to strengthen identity assurance—it’s how to design it so it flexes with real-world risk without strangling customer experience.
Mini-summary: The FBI’s 2024 numbers confirm rising losses and sophisticated tactics, regulators are moving from guidance to penalties, and geopolitical payment corridors complicate recoveries. The stakes now sit squarely at the intersection of identity, onboarding, and payments.
If you search the 2024 IC3 report for patterns you can act on, four stand out.
1) The losses are concentrated in a handful of high-impact categories
· Investment fraud: $6.57B in losses. Many schemes now use crypto rails and polished social engineering to pull victims into “pig-butchering” setups that look legitimate until the exit.
· BEC: $2.77B in losses. The dollar-for-dollar damage leader inside the payments stack, because it weaponizes trust between real businesses.
· Personal data breach & tech support scams: Each above $1.45B, often overlapping with identity theft, remote takeover, and mule recruitment.
· “Cryptocurrency” as a cross-cutting descriptor: $9.32B—pointing to the medium many fraudsters choose to move or mask value.
2) Age is a major risk signal
People 60+ filed 147,127 complaints and reported $4.885B in losses in 2024, with 7,500 individuals losing over $100,000 and an $83,000 average loss for those high-loss complainants. Crypto is not just for the young; the largest reporting age cohort for crypto-linked complaints is over 60, with more than 33,000 complaints and $2.84B in losses.
3) The fraud factory is professionalized
· Call centers continue to drive mass-victim scams, with Tech/Customer Support and Government Impersonation as two major categories; FBI-CBI collaboration led to 215+ arrests in 2024 across 11 joint operations.
· RAT’s Financial Fraud Kill Chain is now a normalized playbooks for freezing wires rapidly, and the team’s remit expanded to international flows in April 2024.
4) Recovery is never guaranteed, so prevention has to carry more weight
Even with a high success rate, the RAT stats underline a hard truth: by the time funds move across borders or into crypto ecosystems, the friction to pull them back increases steeply.
Now, translate those patterns into the KYC/KYB/KYP world:
KYC (Know Your Customer)
The spike in investment-style scams and tech support fraud suggests that identity proofing at onboarding isn’t enough. You need an evolving picture of who the customer is, what devices and phone numbers they use, and how those signals change over time. Persistent identifiers (e.g., subscriber data elements) and prefill can reduce keying errors and spot inconsistencies early—say, a phone number that can’t be tied to the asserted identity or a device with a thin history trying to open high-limit accounts.
KYB (Know Your Business)
BEC and mule networks thrive on businesses that are real on paper but risky in behavior. A business that exists in a registry may still be a poor match for the pays, gets paid, and who-controls-what patterns you expect. KYB should resolve the legal name/registration number to authoritative sources, validate directors/PSCs, and correlate operating footprint with stated activity. That expectation aligns with the UK’s tightening of identity verification for company directors and PSCs: Companies House begins a phased rollout of mandatory identity verification from 18 November 2025, with a 12-month transition.
KYP (Know Your Payer/Payee)
Payment origination and receipt are where confidence becomes cash. BEC almost always includes a “just-in-time” account change or payee detail swap; ongoing payee verification with independent account ownership checks can blunt the impact.
1. Onboarding truth: Can we prefill a customer’s identity data from trusted sources (e.g., telco or government) to reduce manual input and catch mismatches in near real time?
2. Behavioral coherence: Do we maintain an ongoing, risk-sensitive profile of customer behavior—logins, device changes, phone SIM swaps, and unusual payment patterns—so that authentication can tighten when signals drift?
3. Document reality check: Are documents treated as one signal among many, with fraud-resistant capture and liveness that defends against face swaps and screen replays?
4. KYB depth: Do we resolve to a legal entity identifier or registration, confirm directorships/PSCs, and monitor for changes that might elevate risk (e.g., frequent officer turnover, dormant trading activity with large inbound payments)?
5. KYP at the edge: Before a first-time payment, do we verify account ownership and run the payee against watchlists, known mule patterns, and velocity rules across our network?
6. Crypto context: For flows touching crypto, do we screen counterparties (exchanges, wallets) and apply travel-rule-aligned data sharing, while paying attention to on/off-ramp risks highlighted by IC3’s $9.32B crypto-linked loss descriptor?
7. Elder-sensitive controls: Are we flagging patterns that often hurt older users—high-pressure support calls, remote access, repeated ATM/crypto kiosk transactions—and routing those sessions to higher friction or human review? The $4.885B in losses among those 60+ isn’t a statistic; it’s a design requirement.
8. BEC muscle memory: Is our operations team trained to trigger the Financial Fraud Kill Chain immediately when a BEC is suspected—collecting the exact data banks and the FBI need to freeze funds?
9. Threat-informed roadmaps: Are we feeding intel like ransomware variant trends (e.g., Akira, LockBit, RansomHub, FOG, PLAY) into tabletop exercises, third-party reviews, and continuity planning?
Regulators are saying out loud what many boards already suspect: if you scale fast without scalable controls, you inherit risk. The FCA’s July actions against Barclays and Monzo underline that message. The Bank of Lithuania fine against Revolut shows what a “routine inspection” can surface when monitoring and relationship oversight lag. And the scheduled Companies House identity checks will tighten the data supply for KYB across the UK, making it easier to tell a real trading business from a shell.
At the same time, FinCEN’s fentanyl trend analysis reminds us that illicit finance is adaptive. The $1.4B flagged in 2024 BSA filings isn’t only a law-enforcement number—it’s a pointer to where bank and fintech controls should stand tighter watch over specific counterparties and trade corridors.
Mini-summary: The FBI data identifies where losses concentrate, who is most vulnerable, and which operational levers work. Map those insights directly to KYC/KYB/KYP—designing for ongoing verification, not just onboarding—and you’ll cut materially into the loss curve while staying aligned with the regulatory climate.
Let’s turn the dials from strategy to execution. The principle is perpetual vigilance. The operating model is layered controls that adapt based on risk, with smart automation to absorb scale.
Start with prefill. When you prefill identity fields from trusted data—think telco subscriber records, government data services where available, or robust credit bureau files—you remove fat-finger risk and surface inconsistencies early. A user who claims a certain name, address, and date of birth, but who presents a phone number never tied to that identity, is signaling caution. Prefill is not a silver bullet; it’s a first alignment check that makes the rest of identity proofing more reliable.
Blend signals. Documents still matter, but only as one signal. Liveness should detect replayed faces and screen-to-camera spoofs. Device and network telemetry should spot anomalies like freshly virtualized devices, high-risk ASNs, or VPNs that hop per session. Where SIM swaps are a vector for account takeover or two-factor bypass, ask whether you can detect recent SIM change events and apply step-up authentication accordingly. (IC3 tracks SIM swap complaints—982 in 2024—but the tactic’s downstream impact is broader than complaint counts alone.)
Keep it alive. The FBI report’s five-year view shows more than 4.2 million complaints totaling $50.5 billion in losses since 2020. That backdrop argues for dynamic KYC refresh keyed to risk triggers—name/address changes, abnormal device churn, or a shift in the user’s payment network graph.
Resolve to the ground truth. Start from the legal name and registration number, resolve against the authoritative registry (Companies House in the UK, state registries in the US, national registries in the EU), and then enrich: directors, PSCs, trading names, known addresses, sanctions/adverse media. The UK’s staged rollout of mandatory identity verification for directors and PSCs beginning 18 November 2025 will lift the overall data quality. That’s good for everyone—fewer “ghost” companies and cleaner matching during screening.
Look beyond the registry. Real businesses leave operational footprints: websites with real staff, tax records, payments consistent with industry norms, suppliers and customers that make sense in the network graph. If a supposed “logistics” firm takes in many micro-credits and quickly forwards them to unrelated personal accounts, it looks more like a mule hub than a carrier. Cases like Rabobank’s court proceedings over years-long AML failings show how customer vetting can become a systemic issue if KYB and ongoing monitoring aren’t in sync.
Track changes. A seemingly ordinary company that suddenly adds high-risk directors, changes control, or shifts to unusual trade corridors deserves a re-risk. That’s the living heart of KYB—treat corporate identity as a moving target, not a static record.
Before the first payment. Payee verification reduces BEC exposure by confirming that the destination account truly belongs to the intended counterparty. Combine account name/number checks, sanction screening, and known-mule heuristics (e.g., newly opened accounts receiving a flurry of large credits, then fanning out).
When the alarm rings. If something slips through and a wire goes out, your operations team needs a bias for action—kick off the Financial Fraud Kill Chain immediately, capture all payment metadata, and coordinate with the receiving bank. The FBI’s RAT metrics and case examples—like a $955,060 real-estate wire recovered in Denver—show that minutes matter.
Crypto edges. With $9.3B in crypto-linked losses referenced across crimes in 2024, on- and off-ramp monitoring is table stakes. Screen VASPs, understand chain analysis outputs in context, and put brakes on patterns like repeated small card buys of crypto followed by high-risk transfers.
Proof of principle in the wild
· Operation Level Up demonstrates the value of timely victim outreach and proactive flags. The FBI notified 4,323 victims of crypto investment fraud; 76% didn’t know they were being scammed, and the estimated savings hit $285.6 million. That’s what prevention and early-warning look like at scale.
· On the ransomware front, IC3 tracked 67 new variants in 2024, and takedowns like Warzone RAT show the upstream pressure being applied. But resilient operations come from assuming compromise, segmenting crown jewels, and validating backups—because variant names may change faster than your change-control board can meet.
Designing the operating model
People: Train frontline teams on red-flag patterns for elder exploitation, BEC scripts, and crypto cash-out behaviors. Build a “call 911” playbook for funds-at-risk moments.
Process: Embed risk-based refresh into KYC and KYB. Calibrate transaction monitoring to emphasize first-time payments, beneficiary changes, and corridor shifts. Give operations easy rails to escalate to law enforcement with complete metadata.
Technology:
· KYC Prefill: Pull authoritative data to populate forms and highlight mismatches; bind device and phone identity to the profile as early as possible.
· KYB Resolution: Verify legal entities via name/number; reconcile directors/PSCs; continuously monitor registry changes and adverse signals.
· KYP Guardrails: Verify payees in real time; block or pause anomalies; trigger kill-chain workflows when needed.
These aren’t product pitches. They’re patterns that line up with what the FBI data and recent enforcement actions are telling us.
Mini-summary: Treat identity as living data and payments as the moment of truth. Prefill shrinks attack surface, KYB ties you to authoritative records, and KYP protects money in motion. Design your playbooks so prevention, detection, and recovery reinforce each other.
[a nice format for this].
Scenario 1: A retail bank with rising first-party fraud and mule activity
· Pain: New accounts look fine at onboarding but quickly route funds to a spread of personal accounts. BEC-style beneficiary changes show up right before month-end.
· Move: Use KYC prefill to confirm the asserted identity against telco data; link device fingerprints and subscriber tenure. Assign a higher starting risk to short-tenure devices and recent SIM changes. Lock payouts until a payee verification passes for first-time beneficiaries.
· Outcome: Lower false positives because good customers sail through prefilled flows; fewer mule accounts because the identity-to-device-to-behavior chain has to line up before withdrawals.
Scenario 2: A payments fintech expanding to SMB acquiring
· Pain: KYB is viewed as a sign-off step; the backlog grows, analysts rubber-stamp. The first chargebacks arrive, then card-present fraud.
· Move: Resolve every merchant to a legal entity with a verified registration number. Map directors and PSCs; screen them; watch for changes. Build a rule that boosts risk when trading activity and MCC don’t match known peer patterns.
· Outcome: Risk drops at the portfolio level; onboarding SLAs hold because automation handles the easy cases while analysts focus on the ambiguous ones.
Scenario 3: A digital bank with elder-customer growth
· Pain: Tech support scams are driving remote-access takeovers. Crypto kiosk withdrawals spike after “toll” or “grandparent” scam calls.
· Move: Detect remote-access tool signatures and match with age-sensitive customer cohorts. When present, step up to a human confirmation or a branch visit before large-value cash or ATM-to-crypto flows. Use transaction education nudges and scripted questions proven to break scam scripts.
· Why: In 2024, those 60+ reported $982M in tech support losses and $1.83B in investment losses—patterns worth designing specific guardrails around.
Scenario 4: Corporate banking and BEC
· Pain: A legitimate vendor emails a changed account; AP pays, the vendor never sees the funds.
· Move: Introduce a “trust but verify” rule: first-time or changed vendor accounts require an out-of-band confirmation to a pre-registered number, not to the email in the change request. Automate account-name match checks for inbound invoices. When a suspected BEC hits after payment, trigger the Financial Fraud Kill Chain with all wire metadata in a ready-to-send packet.
· Why it works: RAT data shows freezes are often possible if you move fast—2,651 domestic cases with $469.1M frozen in 2024.
Scenario 5: Cross-border risk management under regulatory scrutiny
· Pain: Regulators point to gaps in transaction monitoring and business-relationship oversight—exactly what triggered the fines at Revolut and the FCA actions on Barclays/Monzo.
· Move: Calibrate cross-border rules using Trade+Risk pairs: corridor risk (e.g., wire destinations the IC3 flags frequently) plus business model risk (e.g., high-risk MSB, thin-file directors). Tune alerting so high-risk flows get more context and lower latency.
· Outcome: You walk into exams with evidence: live KYB data, payee-verification hit rates, and a clear narrative linking your controls to real-world threats.
Mini-summary: Your blueprint is clear—map the FBI’s threat picture to concrete control choices. Right-size friction, instrument the edges, and write down your playbooks so operations can act in minutes, not hours.
Where leadership goes from here
The data and the headlines won’t let identity slip back to the sidelines. Directors and PSCs in the UK will soon face mandatory identity verification through Companies House. FinCEN points to $1.4B in fentanyl-linked suspicious transactions as a reminder that this isn’t just about fraud losses; it’s about how illicit economies move money. The FBI shows recoveries are possible and takedowns are real, but prevention is still cheaper—for your customers and your balance sheet.
If you lead KYC/KYB/KYP, here’s a short leadership checklist you can use in your next steering meeting:
· Decide on your identity data backbone. What sources will you trust for KYC prefill? Where are the legal constraints, and how will you explain the value to customers?
· Set your refresh triggers. Which signals (device, SIM, address, director changes, corridor shifts) will upgrade friction dynamically?
· Tighten KYB resolution. Are directors and PSCs verified? Are you set to ingest Companies House identity-verified data as it becomes available?
· Move KYP closer to the payment. Is account ownership checked for first-time and changed beneficiaries? Can ops trigger the kill chain without hunting for a playbook?
· Measure what matters. Loss per account, mule-account attrition time, first-time payee block rate, kill-chain initiation time, elder-customer scam intercepts.
You can run a safer, smoother program without turning every journey into a gauntlet. The trick is to let risk decide the friction. Good customers appreciate a system that gets them through faster and guards their money harder when it counts.