TL;DR: Fifty-four percent of consumers say they feel guilt yet still commit policy abuse, underscoring that behavioural friction alone does not stop abuse and that merchants need better policy design and detection, according to Riskified. The real control problem is not customer remorse but the gap between policy intent and enforcement.
At a glance
What this is: This survey examines why consumers commit policy abuse and finds that guilt does not reliably deter harmful behaviour.
Why it matters: It matters to IAM-adjacent fraud and trust teams because policy abuse sits at the boundary of identity, entitlement, and account misuse, where controls must distinguish legitimate customers from repeat abusers without creating avoidable friction.
By the numbers:
- 54% of consumers admitted to feeling guilt yet actively committed policy abuse anyway.
👉 Read Riskified's report on consumer attitudes toward policy abuse
Context
Policy abuse is the misuse of customer-facing entitlements such as returns, refunds, discounts, or promotional rules. In retail and ecommerce, the challenge is not only whether a customer can complete a transaction, but whether the business can enforce the policy conditions that are meant to protect margin and fairness. The primary keyword here is consumer policy abuse, and the survey argues that emotion alone does not explain or stop it.
For identity, fraud, and trust-and-safety teams, the governance question is how to recognise repeat abuse patterns without treating every customer as suspicious. That creates an intersection with identity verification, account reputation, and access to consumer benefits, even though this is not a classic IAM or NHI control problem. The starting position described in the report is typical of retail environments facing policy pressure, not an outlier.
Key questions
Q: How should merchants detect consumer policy abuse without blocking normal customers?
A: Use layered signals rather than a single denial rule. Combine account age, device history, refund frequency, return timing, and linked identity signals to score risk. That lets merchants step up scrutiny only when behaviour matches repeat abuse patterns, rather than treating every return or discount request as suspicious.
Q: Why does guilt fail to stop policy abuse in retail environments?
A: Guilt is a weak control because abuse is often rationalised as low consequence or justified by price, convenience, or perceived unfairness. Merchants need enforcement that is based on observable behaviour and policy exceptions, not on customer intention or self-reported remorse.
Q: What do security and fraud teams get wrong about policy abuse?
A: They often treat it as a customer service nuisance instead of a governed risk pattern. When fraud, ecommerce, and identity teams do not share the same abuse definitions, repeat offenders exploit gaps between policy design, account controls, and manual review.
Q: How should organisations decide when to tighten return and refund controls?
A: Tighten controls when exception rates rise, abuse patterns repeat across linked accounts, or operational losses outpace legitimate customer needs. The best trigger is not a single complaint but evidence that policy rules are being systematically gamed.
Technical breakdown
How policy abuse is operationalised across retail and ecommerce
Policy abuse is not one behaviour but a set of actions that exploit customer policy gaps. Typical examples include return abuse, coupon misuse, chargeback manipulation, and account-level gaming of reward rules. These behaviours often succeed because the merchant system authenticates the customer for purchase, but does not continuously assess behaviour against policy intent across the customer lifecycle. That creates a governance gap between identity recognition and entitlement enforcement, especially where different teams own fraud, payments, and customer experience.
Practical implication: merchants need shared policy controls that tie customer identity signals to entitlement decisions, not isolated rule sets.
Why guilt does not function as an effective control
The survey’s key behavioural finding is that moral discomfort does not reliably prevent abuse. In practice, policy abusers often rationalise behaviour as harmless, low-risk, or justified by price, convenience, or perceived unfairness. That means policy enforcement cannot depend on self-regulation or customer intent. Security and fraud programmes should treat abusive behaviour as a repeatable risk pattern that emerges from incentives, not a one-off lapse in judgement.
Practical implication: build detection and enforcement around observable behaviour, because sentiment is not a dependable control boundary.
Identity signals and consumer reputation are the missing layer
Consumer policy abuse becomes harder to stop when merchants lack persistent identity and reputation signals across sessions, devices, and accounts. A single account can look legitimate in isolation while the behaviour over time reveals abuse. That is where identity verification, account linking, device intelligence, and historical policy outcomes become more useful than static rules. In broader trust and safety terms, this is a form of entitlement misuse that benefits from longitudinal identity context.
Practical implication: connect account reputation, device history, and policy outcomes before approving high-risk refunds or returns.
Threat narrative
Attacker objective: The objective is to extract value from merchant policies while remaining inside the appearance of legitimate customer behaviour.
- Entry occurs when a consumer creates or uses a legitimate account that can access merchant policy benefits, such as returns, refunds, or promotions.
- Escalation happens when the consumer repeats edge-case behaviour, rotates accounts, or exploits lenient policy thresholds to obtain benefits beyond intended use.
- Impact is margin erosion, operational cost, and distorted fraud signals that make genuine abuse harder to separate from normal customer activity.
NHI Mgmt Group analysis
Consumer policy abuse is an identity problem disguised as a commerce problem. Merchants often treat returns and promotions as back-office policy issues, but the real weakness is the absence of durable customer reputation across the policy lifecycle. Once a customer account can repeatedly re-enter the same entitlement path, the policy itself becomes the attack surface. Practitioners should treat consumer abuse as entitlement governance, not just customer service friction.
Guilt is not a reliable control, so enforcement must move from intent to evidence. The survey result that 54% of consumers felt guilt yet still abused policy shows that psychological deterrence is weak in the face of low-perceived consequences. That aligns with a broader fraud pattern: when the environment makes abuse easy, sentiment rarely matters. The practical conclusion is that organisations need behavioural scoring, limits, and exception handling that operate independently of customer self-reporting.
Consumer reputation needs to be treated as a governed security signal. Fraud teams already use devices, accounts, and history to identify repeat abuse, but the governance challenge is making those signals consistent across channels and business units. Without that consistency, abusers simply move between accounts, channels, or policy types. Practitioners should formalise reputation as part of the entitlement decision, not as an after-the-fact review tool.
Policy abuse creates blind spots when commerce, fraud, and identity teams operate separately. The report points to a familiar operational failure: one team owns customer experience, another owns fraud, and neither owns the combined policy risk. That split encourages loopholes because every control only sees part of the pattern. Organisations should align fraud, identity, and customer policy governance around shared abuse definitions and escalation thresholds.
What this signals
Consumer abuse programmes need a reputation layer, not just a rules engine. When abusive behaviour spans sessions and channels, the programme signal is whether identity-linked history is actually feeding decisioning. Teams that only inspect individual transactions will continue to miss clustered abuse patterns that are obvious in aggregate. The practical shift is to treat customer history as a governed security input, not a CRM afterthought.
The more fragmented the control ownership, the easier it becomes for abuse to move between policy types. Organisations should expect fraud, identity, and ecommerce policy to converge operationally, especially where account creation, returns, and rewards all touch the same customer identity data. For governance teams, this is a cue to tighten definitions and review thresholds before losses become normalised.
Policy drift is the real risk signal. Once merchants accept that abuse is part of the operating environment, thresholds quietly loosen and manual review loses consistency. That is the moment to re-baseline exception rates, link customer reputation to decisioning, and align policy enforcement with a control framework such as the NIST Cybersecurity Framework 2.0 for governance discipline.
For practitioners
- Map policy abuse to identity and entitlement signals Correlate returns, refunds, promotion use, device history, and account age so repeated abuse patterns are visible across sessions and channels.
- Set tiered policy thresholds for high-risk customers Apply stricter review or step-up checks when a customer repeatedly triggers exceptions, especially for high-value returns or refund requests.
- Unify fraud and customer policy rules Create one abuse taxonomy so fraud analysts, ecommerce teams, and customer service use the same definitions for suspicious entitlement behaviour.
- Track abuse by account clusters, not only individual orders Use linked identifiers to spot rotating accounts, reused payment instruments, and repeated claims that look legitimate when viewed one order at a time.
Key takeaways
- Consumer policy abuse is driven by repeatable behaviour, not moral hesitation, so merchants need governed controls rather than appeals to intent.
- The survey shows that guilt does not reliably stop abuse, which means policy design and identity-linked detection matter more than customer self-reporting.
- Organisations should connect fraud, identity, and customer policy governance so repeat offenders cannot move between channels unnoticed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Customer entitlement abuse is an access and governance problem across retail systems. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege principles help limit repeated misuse of customer benefits. |
| GDPR | Art.5 | Consumer identity and behavioral data used for abuse detection can trigger data-minimisation duties. |
Review collection and retention of customer reputation data against Art.5 minimisation requirements.
Key terms
- Policy Abuse: Policy abuse is the repeated or intentional misuse of a merchant’s customer-facing rules, such as returns, refunds, coupons, or loyalty benefits. It is a governance problem because the customer appears legitimate while the behaviour violates the policy’s intended boundaries.
- Consumer Reputation: Consumer reputation is the history of behavioural signals associated with an account, device, or linked identity that helps assess whether the customer is acting within expected norms. In fraud and trust programmes, it turns past behaviour into a controlled decision input.
- Entitlement Governance: Entitlement governance is the discipline of deciding who or what can use a benefit, under what conditions, and with what limits. In retail, it applies to refunds, returns, rewards, and promotions, where access is commercial rather than technical but still needs control.
What's in the full report
Riskified's full report covers the operational detail this post intentionally leaves for the source:
- Behavioral breakdowns of five policy abuse patterns across consumer journeys.
- US versus UK differences in policy abuse attitudes and tactics.
- Four suggested steps for reducing policy abuse in merchant environments.
- Survey framing and the report's broader set of consumer attitude findings.
👉 Riskified's full report covers the behavioural drivers and suggested responses in more detail.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It is designed for practitioners who need a stronger foundation in access control and governance across complex environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org