By NHI Mgmt Group Editorial Team
Published 2026-06-08
Domain: Announcements
Source: SumSub

TL;DR: AFASA is pushing Philippine banks toward real-time fraud detection, stronger authentication, and fund-recovery workflows, while Sumsub reports a 180% year-on-year rise in multi-step coordinated fraud globally and a 61% rise in deepfake attacks in the Philippines in 2025. The governance challenge is no longer detection alone, but whether transaction monitoring can intervene fast enough to stop suspicious activity before settlement.


At a glance

What this is: This is Sumsub’s launch of an AFASA fraud management bundle for Philippine financial institutions, built around hybrid transaction monitoring, dynamic risk scoring, and real-time intervention.

Why it matters: It matters because fraud monitoring is increasingly part of identity governance, transaction control, and recovery operations across human, NHI, and automation-heavy payment flows.



Context

AFASA fraud monitoring sits at the point where identity assurance, transaction controls, and recovery operations overlap. When scams move through digital channels in real time, traditional after-the-fact case handling is too slow to protect funds or support compliance obligations.

The practical problem is not just spotting suspicious behaviour. Banks need a decisioning model that can separate clear fraud from ambiguous activity quickly enough to hold, reject, or route transactions before settlement, while still preserving enough flexibility for internal risk policy and customer experience.


Key questions

Q: How should banks design fraud monitoring so suspicious transfers can still be stopped before settlement?

A: Banks should map fraud controls to the last reversible point in each payment flow, then use rules for clear abuse and scored review for ambiguous activity. The monitoring stack has to produce a decision while the transaction is still actionable. If the system only finds fraud after settlement, it has shifted from prevention to recovery.

Q: Why do hybrid fraud controls work better than a single detection layer?

A: Hybrid controls work because fraud signals are uneven. Some cases are obvious and should be blocked immediately, while others require contextual scoring across identity, device, and transaction behaviour. A single layer either overblocks legitimate payments or misses coordinated fraud. The best model combines deterministic action with risk-based escalation.

Q: What do security teams get wrong about real-time fraud detection?

A: Teams often treat real-time detection as a reporting problem rather than a control problem. The real issue is whether the institution can hold, reject, or route a transaction while it is still reversible. Detection without intervention is only evidence collection. Fraud programmes should be measured by the speed and consistency of their decisioning.

Q: Who is accountable when transaction monitoring decisions affect customer funds?

A: Accountability should sit with the institution that owns the payment flow, but decision rights need to be explicit across fraud, operations, and compliance. Each control path should define who can hold a transfer, who can approve release, and who can trigger recovery. Without named ownership, real-time monitoring becomes operationally ambiguous.


How it works in practice

Hybrid transaction monitoring and risk scoring

A hybrid transaction monitoring model combines deterministic rules with dynamic scoring. The rules handle clear indicators such as blacklist matches, bot-like activity, or abnormal access patterns, while the scoring layer evaluates behaviour, transaction anomalies, and contextual inconsistencies. That combination matters because fraud is no longer always binary. Many schemes begin with weak signals that only become actionable when aggregated across identity, device, and transaction context. A single-layer system tends to overblock legitimate activity or underreact to coordinated fraud. Practical implication: design monitoring so hard rules handle obvious abuse and scoring handles ambiguous cases that need review or step-up verification.

Practical implication: separate clear-stop conditions from risk-scored review paths so obvious fraud can be halted without flattening legitimate traffic.

Real-time intervention before settlement

The key technical requirement is timing. If a suspicious transaction is only discovered after settlement, the institution has lost the easiest containment point and moved into recovery mode. AFASA-oriented monitoring therefore has to act on outgoing transfers and incoming funds differently, with prevention logic for one side and recovery logic for the other. This creates a workflow problem as much as a detection problem, because decisions must be available at the moment the transaction is still reversible. Practical implication: map every monitored payment flow to its last controllable decision point and test whether the system can still intervene there.

Practical implication: verify that detection, review, and hold actions occur before the last reversible step in each transaction path.
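
The hybrid model and the pre-settlement timing check from the two sections above can be sketched as follows. This is an added illustration, not code from Sumsub or from the AFASA framework; the signal names, weights, thresholds and latency budget are assumptions.

```python
from dataclasses import dataclass

# Field names, weights and thresholds are constructed for illustration.
@dataclass
class Transfer:
    payee: str
    amount: float
    avg_amount: float        # account's historical average transfer
    bot_like: bool           # automation flagged by the session layer
    new_device: bool         # device not previously seen on this account
    geo_mismatch: bool       # session location inconsistent with KYC profile
    ms_to_settlement: int    # time left before the last reversible point

BLACKLIST = {"PAYEE-9001"}   # constructed sample entry
WEIGHTS = {"new_device": 30, "geo_mismatch": 25, "amount_anomaly": 35}
REVIEW_AT, REJECT_AT = 40, 80    # assumed risk-band thresholds
DECISION_BUDGET_MS = 200         # assumed worst-case decision latency

def hard_stop(t):
    """Deterministic layer: clear indicators, no scoring needed."""
    if t.payee in BLACKLIST:
        return "blacklist_match"
    if t.bot_like:
        return "bot_like_activity"
    return None

def risk_score(t):
    """Scoring layer: aggregate weak identity, device and transaction signals."""
    signals = {
        "new_device": t.new_device,
        "geo_mismatch": t.geo_mismatch,
        "amount_anomaly": t.avg_amount > 0 and t.amount > 5 * t.avg_amount,
    }
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)

def decide(t):
    """Return (action, reason, actionable) for one outgoing transfer."""
    actionable = t.ms_to_settlement > DECISION_BUDGET_MS
    reason = hard_stop(t)
    if reason:
        action = "reject"
    else:
        score = risk_score(t)
        reason = f"score={score}"
        action = ("reject" if score >= REJECT_AT
                  else "hold_for_review" if score >= REVIEW_AT else "approve")
    if action != "approve" and not actionable:
        action = "recovery_case"   # too late to hold: prevention became recovery
    return action, reason, actionable
```

The `recovery_case` outcome makes the timing gap measurable: every transfer that lands there is one the monitoring stack flagged but could no longer stop.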

Device intelligence and contextual authentication signals

Fraud detection becomes stronger when transaction behaviour is paired with device and identity context. Device intelligence can help expose compromised access, automation, or inconsistencies between the customer profile and the session characteristics. That matters because many scams succeed by borrowing legitimacy from a real account while changing the surrounding execution context. KYC and KYB data improve the quality of the score, but only if the decisioning model uses them consistently across monitoring and case handling. Practical implication: connect identity, device, and transaction evidence so investigators can see whether the session context matches the account history.

Practical implication: fuse identity and device signals into the same case record so investigators can judge whether the session context is credible.


NHI Mgmt Group analysis

Real-time fraud governance is becoming an identity problem, not only a payments problem. AFASA pushes institutions to decide whether a transaction is ordinary, suspicious, or recoverable while the money is still moving. That shifts fraud control into the same operational space as identity assurance, privileged access, and step-up verification. The practitioner conclusion is clear: fraud response now depends on how fast identity and transaction signals can be joined.

Hybrid decisioning is the right model for mixed-confidence fraud signals. Rule-based controls still matter for strong indicators such as blacklist hits or automated activity, but they cannot cover the full range of coordinated fraud. Dynamic scoring adds the missing middle ground, where contextual inconsistency is real but not yet decisive. The practitioner conclusion is to treat deterministic blocking and risk scoring as complementary control classes, not substitutes.

AFASA is accelerating the move from detection after the fact to intervention before finality. That is a material governance shift for banks, because recovery is only possible when hold logic is wired into the transaction lifecycle itself. Institutions that still separate fraud investigation from execution control will struggle to meet the intent of the framework. The practitioner conclusion is to test whether every suspicious flow has a reversible decision point.

Multi-step fraud now behaves like a lifecycle problem across channels, devices, and identities. The rise in coordinated attacks and deepfake abuse means the fraud path often spans enrolment, access, transaction initiation, and social engineering. This makes one-off detection weak unless the programme can correlate the whole sequence. The practitioner conclusion is to govern fraud as a chain of identity events, not as isolated alerts.

Dynamic risk scoring should be treated as a named governance pattern, not just a feature. A hybrid model only works when the institution has explicit thresholds, clear escalation logic, and accountable ownership for each decision class. Without that, scoring becomes an opaque layer that delays action rather than improving it. The practitioner conclusion is to define who can hold, approve, escalate, or recover funds under each risk band.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • That confidence gap reinforces why the NHI Lifecycle Management Guide matters when institutions need durable lifecycle controls instead of reactive cleanup.

What this signals

The direction of travel is clear. As fraud becomes faster and more coordinated, institutions will need control architectures that blend identity assurance, transaction monitoring, and recovery authority into one operational model. The old split between security monitoring and payment operations leaves too much time between detection and action.

Identity-to-transaction correlation: This is the emerging governance pattern where identity, device, and payment signals are judged together before finality. For banks, that means fraud teams will increasingly depend on access context, not just transaction content, to decide whether to let money move.

Programme leaders should expect stronger pressure to prove not only that suspicious activity is detected, but that it can be interrupted consistently across channels. The practical test will be whether policy, evidence, and authority line up quickly enough to support hold, review, and recovery decisions.


For practitioners

  • Map transaction decision points to reversibility: Identify the exact point in each payment flow where a hold, rejection, or escalation is still effective. Test whether your controls can act before settlement, not after case creation.
  • Separate hard-stop rules from scored reviews: Use deterministic rules for clear fraud indicators such as blacklist matches and automation, then route ambiguous cases into a scored review queue with explicit thresholds.
  • Join identity, device, and transaction evidence: Feed KYC, device intelligence, and behavioural context into the same case record so investigators can see whether the session matches the account profile.
  • Define escalation ownership for recovered funds: Document who can approve holds, reversals, and recovery actions under each fraud-risk band, including the handoff between operations, fraud, and compliance.

Key takeaways

  • AFASA pushes fraud management into the identity and transaction control plane, where timing matters as much as detection quality.
  • Sumsub reports a 180% global rise in multi-step coordinated fraud and a 61% rise in deepfake attacks in the Philippines in 2025.
  • Institutions should design monitoring around reversible decision points, because recovery is weakest once settlement has already occurred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central to catching suspicious transactions before settlement.
NIST SP 800-63 |  | Authentication strength and step-up decisions affect how suspicious access is challenged.
OWASP Non-Human Identity Top 10 | NHI-03 | Compromised access and over-privileged accounts are direct NHI fraud enablers.

Review privileged service and machine credentials that can trigger or conceal suspicious transaction activity.


Key terms

  • Hybrid transaction monitoring: A control model that combines fixed rules with risk scoring to evaluate a transaction in real time. The rule layer catches clear abuse quickly, while the scoring layer weighs weaker behavioural and contextual signals before a payment is approved, held, or escalated.
  • Dynamic risk scoring: A method for assigning changing risk values to a transaction based on identity, device, behaviour, and contextual evidence. It is useful when fraud cannot be identified by a single indicator and the institution needs a decision that adapts to evolving signals.
  • Reversible decision point: The last moment in a payment flow when a bank can still hold, reject, or reroute a transaction before funds become hard to recover. Governance quality depends on whether monitoring and authority are connected to that point in time.
  • Identity-to-transaction correlation: The practice of evaluating account identity, device context, and payment behaviour together before a transaction is finalised. It improves fraud decisions by showing whether the current session is consistent with the customer or account history.


This post draws on content published by Sumsub: AFASA fraud management bundle for Philippine financial institutions. Read the original.
