Subscribe to the Non-Human & AI Identity Journal
Home FAQ Identity Beyond IAM Who is accountable when scam proceeds are frozen…
Identity Beyond IAM

Who is accountable when scam proceeds are frozen or seized?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 12, 2026 Domain: Identity Beyond IAM

Accountability is shared across the exchange, the issuer, the investigators, and law enforcement, but each party has a different role. Financial institutions need preserved evidence, clear escalation criteria, and legal review paths. Regulatory expectations often focus on timely reporting, cooperation, and controls that support recovery.

Why This Matters for Security Teams

When scam proceeds are frozen or seized, accountability is not just a legal question. It affects evidence handling, customer communications, fraud operations, and whether a financial institution can support recovery without compromising investigations. Security teams often assume the act of freezing funds transfers ownership of responsibility, but the reality is more layered: the exchange or institution may control the account, investigators may direct preservation, and law enforcement may require chain-of-custody discipline. NIST guidance on access, auditability, and incident response in NIST SP 800-53 Rev 5 Security and Privacy Controls is a useful reference point for the control expectations behind that process.

What practitioners get wrong is treating freeze or seizure as a purely back-office outcome. In practice, it is a control event that depends on accurate identity records, timely escalation, and defensible decision-making. If those controls are weak, funds may be held or released incorrectly, evidence can become inadmissible, and the organisation may struggle to explain who approved what, when, and under which authority. In practice, many security teams encounter gaps in accountability only after customer disputes or investigative delays have already exposed weak preservation and escalation paths.

How It Works in Practice

Accountability typically follows the operational control of the asset and the authority under which it is restrained. The institution that freezes the account is usually responsible for executing the hold correctly, preserving relevant records, and preventing unauthorised access or release. Law enforcement or a court may direct seizure or restraint, but they generally do not run the institution’s internal controls. Investigators and fraud teams support the case by correlating transaction data, device signals, beneficiary details, and communications, while legal teams confirm the basis for action.

That means the organisation needs a documented workflow that assigns responsibility at each stage:

  • Trigger detection, such as suspicious transfer patterns, mule-account indicators, or victim reports.
  • Escalation to fraud, legal, and compliance for authority review.
  • Preservation of logs, account history, and relevant communications.
  • Approval and execution of the freeze or restraint.
  • Tracking of external instructions from investigators or courts.
  • Release, continued hold, or handover based on documented decision criteria.

This is where CISA scam prevention guidance and FATF risk-based supervision guidance are useful as supporting references, because they reinforce the need for timely reporting, cooperation, and proportionate controls. For institutions handling digital payment rails, identity evidence also matters: the person named on the account may not be the person exercising control, so KYC records, device intelligence, and beneficiary analysis can become part of the accountability trail. These controls tend to break down when multiple jurisdictions are involved because legal authority, retention rules, and release conditions do not align cleanly across borders.

Common Variations and Edge Cases

Tighter freeze controls often increase operational friction, requiring organisations to balance recovery speed against false positives, customer impact, and legal exposure. There is no universal standard for this yet, especially when the funds move across banks, payment platforms, crypto venues, or overseas entities.

One common edge case is where an institution receives an informal request to freeze funds before a formal order exists. Best practice is evolving, but the organisation still needs a clear legal review path and a record of who authorised the temporary hold. Another variation is partial seizure, where only a portion of the balance is restrained; that creates extra accounting and communications work, and missteps can lead to accidental release.

In cross-border cases, the account holder, the intermediary, and the receiving institution may each have different obligations, so accountability can be shared without being symmetrical. If the question involves identity fraud, synthetic identities, or mule accounts, then NIST digital identity guidance such as NIST SP 800-63B Digital Identity Guidelines helps explain why verification strength affects downstream recovery decisions. The practical test is simple: can the organisation prove who initiated the freeze, on what basis, and with what evidence retained?

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while PCI DSS v4.0, NIS2 and DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0RS.RP-1Incident response needs clear roles when funds are frozen or seized.
NIST SP 800-63IAL2Identity evidence affects who can be linked to an account or payment action.
PCI DSS v4.010.2Audit trails matter when financial actions must be traced and justified.
NIS2Operational resilience and reporting duties apply when fraud events disrupt services.
DORAFinancial entities need controlled response and recovery processes for fraud events.

Document who acts, who approves, and how evidence is preserved during scam recovery events.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org