GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Payments - Introduction / Learning brief

Security and fraud controls in payment operations

Your notes

What this means in plain language

Explains where access control, segregation of duties, dual authorization, and screening and fraud checkpoints sit inside payment operations, and how these layered controls protect payments by detecting, reviewing, and escalating what looks wrong.

Payment operations protects money in layers, on the working assumption that any single control will sometimes fail. Some layers check who is acting: access control and strong authentication confirm that a user is who they claim and may act at all. Some check whether a specific instruction is allowed: entitlements bound what a user can initiate, and dual authorization requires a second person to approve before a payment is released. Some watch the flow itself: monitoring looks for amounts or patterns that do not fit, and reconciliation afterward is where an altered or injected payment shows up as a break. Sanctions screening sits alongside these as a separate legal obligation rather than a fraud control. The design principle is that the layers should fail independently, so that getting past one tells an attacker nothing about the next. No single control is the security; the layering is, and each layer is built to detect and escalate rather than to be invisible.

Understand the full idea, step by step

At most companies, you cannot both raise an expense and approve your own reimbursement — a second person has to sign it off. A payments shop runs on the same instinct, only scaled up and made into system rules. Let us see what that security posture actually looks like inside a bank.

Three different questions about who may act

It helps to separate three things people often blur together. Authentication proves who is acting — a password, a token, a device check. Authorization approves this specific payment. Entitlements bound what a person may ever do: which payment types, which accounts, up to which limits. A user can be perfectly authenticated and still have no entitlement to release a six-figure wire. Each question is answered by a different control, so a gap in one does not open all the others.

Segregation of duties (SoD)no single person controls every step of a sensitive process

Segregation of duties is the principle that a sensitive job is split so no one person can carry it end to end. In payments its most visible form is separating the act of recording an instruction from the act of releasing it. Split that way, one individual can neither create a payment and send it to settlement unseen, nor quietly alter one they alone control.

Dual authorization (maker-checker, four-eyes)one person captures, a different person approves before release

Dual authorization is segregation of duties made concrete. The maker captures the instruction; a separate checker, holding release entitlement, reviews and approves it. Because recording and sending are never the same act by the same person, a single mistake cannot reach settlement on its own, and there is no single point that one compromised account can push a payment through. The everyday name is the four-eyes principle: two people look before value moves.

The four-eyes flow, step by step

  1. INSTRUCTION

    The maker captures the payment: payer account, beneficiary, amount, reference. Nothing has left Bank Alfa yet.

  2. VALIDATION

    The system checks the maker's entitlements — is this user allowed to raise this type and size of payment at all? Only then does it become a pending item.

  3. VALIDATION

    The checker, a different user with release rights, opens the pending item and reviews it against the supporting document and the customer's normal pattern.

  4. MESSAGE

    Only after the checker approves does Bank Alfa release the instruction toward the clearing and settlement chain. The release is logged against that second identity.

  5. LEDGER

    Reconciliation afterwards is the detective backstop: an injected or altered payment surfaces as a break that matches no expected entry, so nothing slips through unseen even if a control upstream failed.

You may be wondering: these controls sound aimed at outsiders — what about someone inside the bank?

That is exactly why the roles are held by different people who do not report the outcome to each other. External fraud tries to inject or alter an instruction from outside; internal fraud misuses legitimate access from inside. Segregation of duties answers both at once, because it removes any single individual's ability to complete a sensitive act alone. Entitlements keep each person's reach small, dual authorization forces a second independent pair of eyes, and reconciliation makes the finished payments checkable against what was expected. No layer trusts a single actor completely.

Where each control sits in the payment's life
StageControlWhat it answers
InitiationStrong authentication, entitlementsIs this really the user, and may they raise this at all?
Capture to releaseDual authorization (four-eyes)Has a second, separate person approved it?
ProcessingLimits, velocity, anomaly monitoringDoes this instruction fit the customer's normal behaviour?
After the factReconciliationDoes every settled payment match an expected entry?

COMMON CONFUSION

Dual control and entitlements are bureaucratic drag that just slow good payments down.

The friction is the security. The design assumes any single layer will sometimes fail — a mistake, a stolen credential, a dishonest insider — so several independent layers are stacked with the goal that they fail independently. That is defence in depth: the strength is not one clever check but the fact that a payment must pass several separate hands and tests before value moves.

WHAT IF — A new or amended beneficiary appears on a payment, or the amount is far above the customer's usual size

What happens: The payment is held for review rather than released straight through. A change-of-payee control forces re-verification, and an anomaly on amount or velocity routes the item to an analyst like Maya.

How it is handled: Maya confirms the instruction is genuine before it moves — she treats the hold as the system working, not failing. If it checks out, she releases it and records why; if it does not, it is escalated. The point of the pause is that a person confirms it is safe before value leaves the bank.

STRICTLY SPEAKING

Strictly speaking, real control frameworks are institution-specific and partly confidential — the exact entitlement structures, thresholds, and monitoring rules vary by bank and are not published. What travels between banks is the shared pattern: separate the actor from the act, force independent approval, and reconcile afterwards. Treat the specifics here as an illustrative teaching model, not any one bank's live configuration.

FOR NOW, REMEMBER

  • Authentication proves who is acting, authorization approves this payment, and entitlements bound what a user may ever do — three different questions, three different controls.
  • Segregation of duties splits a sensitive act so no one person can complete it; dual authorization (four-eyes) is its concrete form in payments.
  • The same controls contain both external and internal fraud, because none of them trusts a single actor to finish alone.
  • Defence in depth stacks independent layers — initiation, release, monitoring, reconciliation — assuming each will sometimes fail.

TRY IT YOURSELF

A trusted senior operator at Bank Alfa, fully authenticated, tries to push through a large payment to a brand-new beneficiary by themselves. What should the security posture do?

Let it proceed — a senior, correctly authenticated user has proven who they are, which is enough.

Not this one — Authentication only answers who is acting. It says nothing about whether one person alone may release the payment. Segregation of duties exists precisely so seniority and a valid login are not enough to complete a sensitive act unaccompanied.

Require a separate person with release rights to approve it, and route the new beneficiary and large amount for review.

Correct — Correct. Four-eyes means capture and release are different acts by different people, and a new payee plus an unusual amount is exactly what change-of-payee and anomaly controls hold for review — the safeguards apply to insiders too.

Decline it outright as fraud, since only a criminal would send money to a new beneficiary.

Not this one — New beneficiaries are ordinary business. The posture is to hold and verify, not to assume guilt — a held payment is the system working, giving a second person the chance to confirm it is safe before value moves.

You have seen the controls a payments shop stacks. The next question is what they are stacked against: the recognised patterns of payment fraud, and the red flags each one leaves for those controls to watch.

KEEP GOING

Three things to remember

  1. 01

    Payment security is layered so that no single control is the whole defense, and the layers are designed to fail independently.

  2. 02

    Segregation of duties and dual authorization keep recording a payment and releasing it as separate acts by different people.

  3. 03

    Sanctions screening is a legal obligation with its own queues and release authority, distinct from fraud controls even when one system hosts both.

Where you would use this

USE CASE 01

An operations lead configures maker-checker so the user who captures a high-value payment cannot also release it.

USE CASE 02

A fraud analyst reviews a monitoring alert and adds a verification step before a payment to a newly added beneficiary is released.

USE CASE 03

An access administrator reviews user entitlements so each role can initiate only the payment types and limits it needs.

Put the idea into a real situation

Illustrative example: at a fictional bank, Meridian Trust, an operations clerk captures a EUR 480,000.00 payment to a beneficiary added earlier that day. Three controls engage in sequence. Entitlements confirm the clerk may capture, but not release, a payment of that size. Dual authorization then routes it to a second officer for approval. Because the beneficiary is new, a monitoring rule flags it for a verification step before release. Each control is a separate checkpoint owned by a different person or system, so a single mistaken or compromised action cannot move the funds alone — the payment proceeds only when every layer is satisfied.

Evidence & review

REVIEWED 2026-07-13

General payment-operations control patterns; specific entitlement structures, thresholds, and monitoring rules are institution-specific and not published. Strong customer authentication framing reflects EU/EEA PSD2.

What this brief simplifies: Presents a generic maker-checker and defence-in-depth model rather than any one bank's live configuration; entitlement, threshold, and reconciliation detail is described at pattern level only.

Sources for this brief3
  1. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Maya scenario, illustrative control framework and thresholds

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

  2. Official requirement

    PSD2 and the RTS on strong customer authentication and secure communicationEuropean Banking Authority · Strong customer authentication expectations at payment initiation

    Governs open banking access in the European Union, including payment initiation and account information services offered by third-party providers, and the requirement for strong customer authentication. · Checked 2026-07-13

    Referenced from the European Banking Authority's public summaries, guidelines, and technical standards on payment services.

  3. Market practice

    Wolfsberg Group Payment Transparency StandardsThe Wolfsberg Group · Layered payment-operations controls and defence-in-depth principles

    Industry standards on preserving complete and accurate party information through payment chains, expressed in ISO 20022 terminology. · Checked 2026-07-12

    The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.

Learn this properly

Related briefs

View Payments - Introduction archive

Misc Payment Concepts

Provides a compact glossary of foundational terms such as SWIFT, SEPA, ISO 20022, payment infrastructures, and related standards.

READ BRIEF

Payment Engines

Introduces the bank software that validates, routes, enriches, and processes incoming and outgoing credit transfers at scale.

READ BRIEF

Payment Messages

Explains how customer and interbank messages carry payment instructions and status information across an end-to-end transfer.

READ BRIEF