Europe Wants Payment Sovereignty — But Can Wero Match Visa's Fraud Detection Infrastructure Built Over 50 Years?

Let’s Talk About What “Payment Sovereignty” Actually Requires From a Security Standpoint

The EPI/EuroPA agreement to cover 130 million users across 13 countries is politically impressive. But I want to zoom in on the part nobody’s discussing honestly: the security infrastructure gap between Wero and the incumbent networks.

I spent four years at Stripe building payment security systems. Before that, I worked on fraud detection at a major bank. What I learned is that payment security isn’t something you can buy off the shelf or build in a sprint. It’s a decades-long accumulation of data, models, and institutional knowledge.

Visa’s Fraud Detection: The Gold Standard Nobody Appreciates

Visa’s Advanced Authorization system processes over 500 risk factors per transaction in real-time — typically in under 300 milliseconds. It draws from:

  • 65+ billion transactions annually as training data
  • Historical behavior patterns across billions of cardholders
  • Cross-merchant intelligence (if a card is compromised at one merchant, the pattern is immediately applied globally)
  • Geolocation, device fingerprinting, behavioral biometrics
  • Consortium data sharing across thousands of financial institutions

The result? Visa’s global fraud rate is approximately 0.07% — 7 cents per $100 transacted. That’s extraordinary for a system processing $14+ trillion annually.

What Wero Is Up Against

Wero is starting with zero transaction history for its fraud models. Yes, the underlying banks have their own fraud detection for existing products, but Wero as a new payment method creates new attack vectors:

Account-to-Account Specific Risks

  • Authorized Push Payment (APP) fraud — convincing users to send money to fraudsters. This is the #1 fraud type on instant payment systems in the UK (Faster Payments) and has cost consumers over £500M annually.
  • Account takeover at scale — compromising Wero wallet credentials to initiate fraudulent transfers
  • Social engineering exploiting unfamiliarity — consumers who don’t understand how Wero works are more susceptible to scams
  • Money mule networks — instant, irrevocable payments are a gift to money launderers

The Irrevocability Problem

Card payments have chargeback mechanisms. Wero’s account-to-account transfers are instant and irrevocable. Once the money moves, it’s gone. This fundamentally changes the fraud risk profile. The UK’s experience with Faster Payments should be a cautionary tale — APP fraud exploded precisely because instant payments removed the safety net.

Can Modern ML Close the Gap?

The optimistic argument is that Wero can deploy modern machine learning models that leapfrog Visa’s legacy systems. There’s some truth here:

  • Transformer-based fraud models can learn patterns faster from less data than older statistical approaches
  • Behavioral biometrics (typing patterns, swipe dynamics) add a layer Visa’s card-based system can’t easily match
  • Graph neural networks for detecting money mule networks are cutting-edge and not widely deployed by incumbents

But here’s the reality check: ML models are only as good as their training data. Wero won’t have meaningful fraud data until it’s processing significant volume, and by then the fraudsters will have already exploited the early vulnerabilities.

My Recommended Security Architecture for Wero

If I were advising EPI’s security team, here’s what I’d prioritize:

  1. Mandatory Strong Customer Authentication (SCA) for all transactions above €50 — yes, this adds friction, but it’s necessary during the trust-building phase
  2. Transaction velocity limits — cap daily/weekly transfer amounts per user during the first 2 years
  3. Consortium fraud data sharing from day one — require participating banks to feed their existing fraud intelligence into Wero’s models
  4. Delayed settlement for high-risk transactions — introduce a 15-minute hold for flagged transfers (sacrificing “instant” for security)
  5. Dedicated APP fraud prevention — mandatory confirmation-of-payee checks and cooling-off periods for first-time recipients

The Trust Equation

Ultimately, Wero’s success depends on consumer trust. One major fraud incident — a large-scale data breach, a fraud wave that costs consumers millions — could set the entire initiative back years. Visa and Mastercard have built trust over decades through consistent, low-friction, secure experiences. Wero needs to be more secure than the incumbents from day one, not less.

The “several billion euros” EPI estimates for the full buildout? I’d argue at least 20-30% of that should go to security infrastructure. Anything less is building a house without a foundation.

What’s your take on the fraud economics and the infrastructure scaling challenge?
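The transaction-level controls from the list above (SCA threshold, velocity cap, hold on flagged transfers, confirmation of payee, cooling-off for new recipients), combined into one decision function. This is an added example, not part of the original post and not EPI or Wero code. Only the €50 threshold and the 15-minute hold come from the post; the daily cap, the 24-hour cooling-off length, the field names and the choice to reject on a payee-name mismatch are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

SCA_THRESHOLD = Decimal("50")        # EUR, from the post
FLAG_HOLD = timedelta(minutes=15)    # from the post
DAILY_CAP = Decimal("1000")          # assumed value
COOLING_OFF = timedelta(hours=24)    # assumed value

@dataclass
class Transfer:
    amount: Decimal
    at: datetime
    sent_last_24h: Decimal     # rolling total, supplied by a feature store
    payee_added_at: datetime   # when the sender first registered this recipient
    payee_name_matches: bool   # confirmation-of-payee result
    sca_completed: bool
    risk_flagged: bool         # verdict of the fraud model or rule engine

@dataclass
class Decision:
    action: str                # allow | step_up | hold | reject
    reasons: list[str]
    release_at: datetime | None = None

def decide(t: Transfer) -> Decision:
    # Hard stops first; a hold or step-up must never mask them.
    if t.sent_last_24h + t.amount > DAILY_CAP:
        return Decision("reject", ["velocity_cap"])
    if not t.payee_name_matches:   # rejecting on mismatch is this example's choice
        return Decision("reject", ["payee_name_mismatch"])
    if t.amount > SCA_THRESHOLD and not t.sca_completed:
        return Decision("step_up", ["sca_required"])
    # Holds are cumulative: release only when every hold has expired.
    reasons, release = [], t.at
    if t.risk_flagged:
        reasons.append("risk_flag_hold")
        release = max(release, t.at + FLAG_HOLD)
    if t.at - t.payee_added_at < COOLING_OFF:
        reasons.append("new_payee_cooling_off")
        release = max(release, t.payee_added_at + COOLING_OFF)
    if reasons:
        return Decision("hold", reasons, release)
    return Decision("allow", [])
```

The ordering is the point: a transfer that breaches the cap is rejected even if it is also flagged, and a flagged transfer to a freshly added payee is released only after the longer of the two holds.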

The Fraud Economics Are the Hidden Killer

Sam, this is the piece I’ve been trying to model and your numbers help enormously. Let me put the fraud cost in financial terms.

Modeling the Fraud Cost Curve

Using your 3-5x fraud rate estimate for new payment rails versus Visa’s 0.07% baseline:

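| Scenario         | Fraud Rate | Annual Volume ($B) | Annual Fraud Loss |
|------------------|------------|--------------------|-------------------|
| Visa baseline    | 0.07%      | 500                | $350M             |
| Wero Year 1 (3x) | 0.21%      | 500                | $1.05B            |
| Wero Year 1 (5x) | 0.35%      | 500                | $1.75B            |
| Wero Year 3 (2x) | 0.14%      | 1,000              | $1.4B             |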

Even in the optimistic scenario (3x fraud rate declining to 2x by year 3), Wero is looking at $3-5 billion in cumulative excess fraud losses during the ramp-up period. That’s on top of the “several billion euros” in infrastructure investment.

Who Bears the Fraud Losses?

This is the critical financial question. In the Visa/Mastercard model, fraud losses are distributed across the ecosystem — issuing banks, merchants, and consumers each bear different portions depending on the transaction type and liability shift rules.

Wero’s account-to-account model changes this distribution. Without a chargeback mechanism, the consumer bears more risk by default. That’s politically toxic in Europe, where consumer protection regulations are strong. EPI will likely need to create a fraud reimbursement fund, which is another cost center.

The Insurance Analogy

Think of Visa’s fraud infrastructure as a 50-year-old insurance company with actuarial tables refined over billions of claims. Wero is a new insurer trying to price risk without historical data. They’ll either:

  1. Underprice risk (low friction, high losses) — and blow through their capital reserves
  2. Overprice risk (high friction, aggressive SCA) — and kill user adoption

Your recommended approach of aggressive SCA plus transaction limits is the right call from a security standpoint, but it creates a user experience disadvantage versus tap-and-go Visa payments. This is the fundamental tension EPI needs to navigate.

My Updated Model

After incorporating your security cost estimates, I’m adjusting my financial model:

  • Infrastructure build: €3-5B (up from “several billion”)
  • Cumulative fraud losses years 1-3: €3-5B
  • Security infrastructure: €1-2B
  • Total investment to reach sustainability: €7-12B

That’s a staggering number, but split across 16+ major European banks and with political support, it’s feasible. The question is patience — will the consortium hold together long enough?

The Infrastructure Scaling Challenge Is Underappreciated

Sam, I want to drill into the infrastructure side of your security argument because this is where the rubber meets the road.

Real-Time Fraud Detection at Scale Is an Infrastructure Problem

When you talk about processing 500+ risk factors per transaction in under 300 milliseconds, you’re describing one of the most demanding real-time computing workloads in existence. Let me break down what this requires:

Compute: Each transaction needs to hit a fraud scoring model that incorporates:

  • Feature computation from historical transaction data (requires fast key-value stores)
  • ML model inference (typically ensemble models or deep learning)
  • Rule engine evaluation (regulatory rules, velocity checks)
  • Graph database queries (relationship analysis between accounts)

All of this in sub-300ms end-to-end latency while handling potentially thousands of transactions per second at peak.

Data Infrastructure:

  • Event streaming (Kafka-scale) for real-time transaction feeds across 13 countries
  • Feature store maintaining rolling aggregates for hundreds of millions of accounts
  • Model serving infrastructure with low-latency inference at scale
  • Graph database mapping account relationships for mule detection

Geographic Distribution:
Wero operates across 13 countries, which means the fraud detection system needs to be either:

  1. Centralized — single data center with sub-300ms latency across Europe (achievable but creates a single point of failure)
  2. Distributed — multiple regional deployments that need to synchronize fraud intelligence in near-real-time

The Cold Start Problem

Your point about training data is critical from an infrastructure perspective. The typical approach for new payment systems is:

  1. Import historical fraud patterns from participating banks (requires data normalization across 16+ banks with different data schemas)
  2. Synthetic data augmentation — generate artificial fraud scenarios for model training
  3. Transfer learning — use pre-trained models from similar payment systems and fine-tune on Wero data
  4. Conservative rule-based system as a baseline while ML models accumulate data

None of these are ideal. The realistic timeline to reach Visa-equivalent fraud detection accuracy is 3-5 years of live transaction processing, assuming the infrastructure is built correctly from day one.

My Infrastructure Recommendation

If I were designing Wero’s fraud detection infrastructure:

  • Cloud-native from day one — don’t repeat the mistakes of legacy payment systems built on mainframes
  • Multi-region active-active deployment across at least 3 European cloud regions
  • Stream processing architecture (Apache Flink or similar) for real-time feature computation
  • Federated learning across participating banks — train models on distributed data without centralizing sensitive information

The technology exists to build this. The question is execution speed and whether EPI can attract the engineering talent to do it. Sam’s right that 20-30% of the budget should go to security — I’d add that another 20-30% should go to the data infrastructure that makes security possible.
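The rolling per-account aggregates and account-relationship signals described in this post, reduced to a single-process sketch: a sliding-window feature computation that also yields a simple mule indicator (many distinct senders, nearly all inbound value forwarded). This is an added example, not code from the post or from any Wero system; the window length, both thresholds, the class and field names and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 3600      # assumed window: one hour
MIN_FAN_IN = 3       # assumed: distinct senders needed before flagging
PASS_THROUGH = 0.9   # assumed: share of inbound value forwarded onward

class RollingFeatures:
    """Per-account sliding-window aggregates, updated one event at a time."""

    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s
        self.inbound = defaultdict(deque)    # account -> (ts, sender, cents)
        self.outbound = defaultdict(deque)   # account -> (ts, cents)

    def ingest(self, ts, src, dst, cents):
        # Events must arrive in timestamp order, as from a partitioned log.
        self.outbound[src].append((ts, cents))
        self.inbound[dst].append((ts, src, cents))

    def _evict(self, queue, now):
        # Keep only events inside the half-open window (now - window_s, now].
        while queue and queue[0][0] <= now - self.window_s:
            queue.popleft()

    def features(self, account, now):
        inq, outq = self.inbound[account], self.outbound[account]
        self._evict(inq, now)
        self._evict(outq, now)
        in_sum = sum(c for _, _, c in inq)
        out_sum = sum(c for _, c in outq)
        return {"fan_in": len({s for _, s, _ in inq}),
                "in_sum": in_sum, "out_sum": out_sum,
                "pass_through": out_sum / in_sum if in_sum else 0.0}

    def mule_like(self, account, now):
        f = self.features(account, now)
        return f["fan_in"] >= MIN_FAN_IN and f["pass_through"] >= PASS_THROUGH

# Constructed sample: M collects from three senders and forwards almost all of
# it within minutes; S is a shop with wide fan-in that forwards nothing.
SAMPLE = [(0, "A", "M", 10000), (60, "B", "M", 10000), (120, "C", "M", 10000),
          (300, "M", "X", 29000), (310, "D", "S", 5000), (320, "E", "S", 5000),
          (330, "F", "S", 5000), (340, "G", "S", 5000)]

def load_sample():
    rf = RollingFeatures()
    for event in SAMPLE:
        rf.ingest(*event)
    return rf
```

Fan-in alone would flag the shop S as well; it is the combination with the pass-through ratio inside the same window that separates it from M.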

The Compliance Perspective: It’s Not Just Fraud, It’s Regulatory Survival

Sam, your security analysis is excellent but I want to add the compliance dimension because in financial services, compliance failures are existential threats in ways that fraud losses aren’t.

The Regulatory Landscape Is Staggering

Wero doesn’t just need fraud detection — it needs compliance infrastructure for:

  • AML/KYC (Anti-Money Laundering / Know Your Customer): 6th Anti-Money Laundering Directive (6AMLD) requirements across all 13 countries
  • PSD2/PSD3 compliance: Strong Customer Authentication, Open Banking requirements, and the upcoming PSD3 revisions
  • GDPR: Processing fraud data across 13 countries while maintaining data protection compliance — this is a minefield
  • DORA (Digital Operational Resilience Act): The new EU regulation requiring financial entities to manage ICT risk, including third-party providers
  • National regulations: Each country has additional requirements. Germany’s BaFin, France’s ACPR, Belgium’s NBB — each with distinct expectations

The GDPR vs. Fraud Detection Tension

Here’s a tension nobody’s talking about: effective fraud detection requires sharing and analyzing personal data across borders, but GDPR constrains exactly that. Visa and Mastercard built their fraud systems before GDPR existed and have been grandfathered in to some extent.

Wero needs to build consortium-wide fraud intelligence while:

  • Maintaining data minimization principles
  • Providing right-to-erasure compliance (how do you delete someone’s fraud history while maintaining model integrity?)
  • Conducting cross-border data transfers within the EEA (theoretically straightforward but practically complex with 13 different Data Protection Authorities)

What I’m Seeing in Our Compliance Reviews

At my company, our compliance team has been reviewing Wero integration requirements. Their preliminary assessment:

  1. Compliance cost per transaction for Wero is estimated at 2-3x higher than Visa/Mastercard due to the A2A payment model requiring different AML screening
  2. Transaction monitoring systems need to be rebuilt — our existing monitoring is designed for card transactions, not instant account-to-account transfers
  3. Suspicious Activity Report (SAR) filing procedures differ across 13 countries — we’d need country-specific compliance workflows

The Silver Lining

The one advantage Wero has is that it’s being built inside the European regulatory framework from day one. There’s no retrofitting of American-designed systems to European regulations. If EPI does this right, Wero could actually be more compliant by design than Visa/Mastercard, which would be a selling point for regulated institutions.

But “doing this right” requires compliance expertise that is expensive, scarce, and currently employed by the incumbents. The talent war isn’t just for engineers — it’s for compliance professionals, and that might be the bigger bottleneck.