Your Biggest Fraud Risk Is Not Onboarding. It Is the Moment Money Leaves.
Investment platforms verify identity at onboarding but not at the point of payment. That gap is where payment redirection fraud happens, and regulators are starting to notice.
The onboarding illusion
Every investment platform in Australia verifies identity at onboarding. KYC checks. Document Verification Service (DVS). Biometric matching. The box is ticked. The compliance team is satisfied.
Then an investor holds a term deposit for 12 months. A managed fund for three years. A super balance for a decade.
When that money matures or gets redeemed, the platform sends it to the bank account on file. The same account that was verified once, years ago. With no check that the account details are still correct. No check that the person requesting the redemption is the person who opened the account. No check that the bank account still belongs to the same entity.
That gap, between onboarding verification and payment execution, is where fraud happens.
How the attack works
Payment redirection fraud against investment platforms follows a consistent pattern.
Compromise
An attacker gains access to an investor's account, an adviser's email, or a platform's communication channel. Business email compromise (BEC) is the most common entry point, with $84 million in self-reported BEC losses to the ACSC in 2024 alone.
Change the bank details
The attacker submits a change-of-account request. On most platforms, this requires documentation: a signed form, a certified ID copy, maybe all account holders to sign off. But these are paper-based controls. A forged signature on a scanned form passes most manual checks.
Wait for the payment event
A term deposit matures. A managed fund pays a distribution. A super member requests a rollover. The platform processes the payment to the "updated" bank account. The money is gone.
Discover it too late
The real investor notices weeks or months later. By then, 96% of redirected funds are irrecoverable.
The scale of the problem
ASIC wrote to all superannuation trustees in January 2025 calling out weak anti-scam practices. The letter was not a suggestion. It was a warning.
In May 2024, ASIC issued a formal scam alert about sophisticated criminals impersonating legitimate financial services firms, copying ABNs, AFSL details, and disclosure documents to create convincing fake investment applications. The target: term deposit and bond investors.
The ATO's Counter Fraud Program received $187 million in new funding for FY25-28, specifically because identity-enabled fraud against SMSF holders and individual investors has spiked. Identity fraud reported to the ATO has increased significantly in recent years.
This is not a hypothetical risk for platforms managing investor funds. It is an active, escalating threat that regulators are publicly flagging.
Why existing controls fall short
Two common assumptions leave investment platforms exposed: that DVS is sufficient and that adviser instructions can be trusted at face value.
DVS is not enough
DVS answers one question: "Is this document real?" It does not answer: "Is the person presenting this document the rightful owner?" It does not answer: "Does this person still own this bank account?" And it does not answer: "Have the bank details on file been tampered with since we last checked?" DVS is an onboarding tool. Fraud does not happen at onboarding.
The adviser blind spot
Platforms that operate under a Limited Power of Attorney (LPOA) model trust adviser instructions because the LPOA authorises them to act. But if the adviser's email or credentials are compromised, every instruction looks legitimate. BEC attacks specifically target financial advisers because a single compromised account provides access to multiple client accounts.
What the new AML/CTF rules require
The amended AML/CTF Rules (tabled August 2025, compliance deadline 31 March 2026) do not just strengthen onboarding KYC. They require ongoing due diligence.
That means platforms can no longer verify once and forget. They need to demonstrate that payment details are re-verified, not just at onboarding, but at the point money moves. The regulatory shift mirrors the fraud reality: the risk is not at the front door. It is at the back door, when funds leave.
The Scams Prevention Framework (effective July 2026) adds another layer. Banks, including the settlement banks that investment platforms use for Cash Management Accounts, are directly captured. Platforms have indirect exposure through their banking partners' obligations.
The verification gap
Consider the typical flow when a term deposit matures. Every step after onboarding is a paper-based control with no digital verification.
Maturity notice sent
Platform sends a maturity notice to the investor.
Investor decides
Investor chooses to redeem or reinvest.
Funds transfer
If redeeming, funds transfer to the linked bank account on file.
No re-verification
The bank account was verified at onboarding, possibly years ago. Any changes were processed via signed paperwork. No real-time verification occurs at the point of payment.
Every payment event is a discrete fraud opportunity
For platforms processing thousands of maturities, distributions, and redemptions, each payment event is a discrete fraud opportunity. At scale, even a low fraud rate produces material losses and material liability.
What "good" looks like
The platforms that are closing this gap share three characteristics. Together, they create an audit trail that demonstrates due diligence, exactly what the new AML/CTF rules and the Scams Prevention Framework require.
Verify at the point of payment
Every maturity, redemption, or distribution triggers a re-check of the destination bank account. If the account details have changed since the last verification, the payment is held until the change is confirmed.
Authenticated digital flows
Instead of accepting scanned forms with wet signatures, require the account holder to confirm changes through a biometric-authenticated channel. A forged signature cannot pass a facial recognition check.
Verification fingerprinting
Every verified payment detail is cryptographically fingerprinted. Before each payment event, the current details are compared against the fingerprint. Any discrepancy triggers automatic re-verification.
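The two controls above (verify at the point of payment, and compare the details on file against a stored fingerprint before each payment event) can be shown together in a small pre-payment check. The following is an added illustration, not ezyshield's or the page's own code. It assumes a keyed HMAC-SHA256 fingerprint over the BSB, account number and account name, a demo key that in production would sit in an HSM or KMS, a separate append-only store for verification records, and a 365-day maximum age for a verification; the payee details are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed demo key (assumption). In production this lives in an HSM/KMS so that
# someone who can edit payee records cannot also recompute a matching fingerprint.
FINGERPRINT_KEY = b"constructed-demo-key-do-not-use"


def canonical_payee(bsb: str, account_number: str, account_name: str) -> str:
    """Normalise the fields so cosmetic differences (hyphens, spacing, case)
    do not raise false alarms, while any substantive change does."""
    return json.dumps(
        {
            "bsb": bsb.replace("-", "").replace(" ", ""),
            "account_number": account_number.replace(" ", ""),
            "account_name": " ".join(account_name.upper().split()),
        },
        sort_keys=True,
        separators=(",", ":"),
    )


def fingerprint(bsb: str, account_number: str, account_name: str) -> str:
    """Keyed fingerprint (HMAC-SHA256) over the canonical payee details."""
    msg = canonical_payee(bsb, account_number, account_name).encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class VerificationRecord:
    """Stored when the account holder has confirmed the payee details.
    Kept in an append-only store separate from the editable payee record."""
    fingerprint: str
    verified_at: datetime


def record_verification(bsb: str, account_number: str, account_name: str,
                        verified_at: datetime) -> VerificationRecord:
    return VerificationRecord(fingerprint(bsb, account_number, account_name), verified_at)


def prepayment_check(record: VerificationRecord, bsb: str, account_number: str,
                     account_name: str, now: datetime,
                     max_age: timedelta = timedelta(days=365)) -> tuple:
    """Decide whether a maturity/redemption/distribution may be paid to the
    details currently on file. Returns ("RELEASE", reason) or ("HOLD", reason)."""
    current = fingerprint(bsb, account_number, account_name)
    if not hmac.compare_digest(current, record.fingerprint):
        return ("HOLD", "payee details differ from the last verified fingerprint; "
                        "re-verify with the account holder")
    if now - record.verified_at > max_age:
        return ("HOLD", "last verification is older than the allowed window; re-verify")
    return ("RELEASE", "payee details match a current verification")


def demo() -> dict:
    """Constructed scenario: one payee verified at onboarding, then several
    payment events with different states of the record on file."""
    onboarding = datetime(2023, 2, 1, tzinfo=timezone.utc)
    record = record_verification("062-000", "12345678", "Jane Citizen", onboarding)
    maturity = datetime(2023, 11, 15, tzinfo=timezone.utc)        # within 365 days
    late_redemption = datetime(2025, 3, 1, tzinfo=timezone.utc)   # beyond 365 days
    return {
        # details untouched since onboarding
        "unchanged": prepayment_check(record, "062-000", "12345678", "Jane Citizen", maturity)[0],
        # formatting-only differences must not trigger a hold
        "cosmetic": prepayment_check(record, "062000", "1234 5678", "jane  citizen", maturity)[0],
        # account number altered on file without a fresh verification
        "tampered": prepayment_check(record, "062-000", "87654321", "Jane Citizen", maturity)[0],
        # details intact but the verification has aged out
        "stale": prepayment_check(record, "062-000", "12345678", "Jane Citizen", late_redemption)[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

Two design points matter for the audit trail the text describes. The fingerprint is keyed, so an attacker who can edit the payee record but not reach the key cannot also update the fingerprint to match; and the check records a reason with every decision, which is the evidence of ongoing due diligence a reviewer would ask for.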
Frequently asked questions
What is maturity and redemption fraud on investment platforms?
Why does onboarding KYC not prevent this type of fraud?
What did ASIC say about superannuation scams?
How does the new AML/CTF regime affect investment platforms?
How can investment platforms close the verification gap?
Verify before money moves
See how investment platforms are closing the gap between onboarding and payment. Protect maturities, redemptions, and distributions with real-time verification.