← Essays
Fraud · AMLFraud & Risk

Adyen's 3% Refund Signal: Fraud Controls Need a Lifecycle

Refund and policy abuse can come from verified customers. Payment teams need controls across account, order, fulfilment, refund, and dispute events.

July 4, 2026·7 min read·By Rizwan Zafar
Briefing note

Adyen says 3% of identities drove half of refund value on its platform. The operator response is lifecycle controls, not more checkout friction.

Operator-written7 min read9 sectionsRecruiter-readable

Adyen's 2026 fraud report contains a number that should change how merchants design risk controls: on Adyen's platform, 3% of identities accounted for 50% of refund value.

That is not evidence that 3% of every merchant's customers are abusive. It is a platform-level concentration signal from Adyen's 2025 transaction data. The report covers US$1.6 trillion of processed volume and separately surveys 1,000 US enterprise decision makers.

The operational conclusion is narrower. Loss can accumulate after a valid customer, account, and payment pass checkout controls.

The Short Answer

First-party fraud and policy abuse cannot be managed as a checkout-only decision. Merchants need a lifecycle risk model that links identity, account creation, promotions, orders, fulfilment, refunds, disputes, and support actions over time. The goal is not to block more customers. It is to apply precise friction where repeated behaviour creates disproportionate loss.

Adyen also reports that 50% of surveyed businesses saw rising false declines. That makes a blanket tightening of authorization rules the wrong response. It would add friction at the point where legitimate customers are trying to pay while leaving many refund and policy-abuse paths untouched.

Verification Does Not Establish Future Intent

Payment risk teams have spent years improving identity checks, device recognition, authentication, and card verification. Those controls still matter for stolen credentials and account takeover.

They answer a different question, however: is this person or device likely to be genuine at this moment?

Refund abuse asks whether a genuine customer is using a legitimate policy in a way that creates repeated, disproportionate loss. First-party misuse asks whether a cardholder is disputing a transaction they authorized. Promotion abuse may involve several real accounts connected by one device, address, card, or behavioural pattern.

Adyen's full report describes first-party fraud as the most common fraud type reported in its survey, at 44.3%. Fake-account and identity abuse followed at 42.2%, with policy and promotion abuse at 39.8%. These are survey responses, not shares of transaction volume, and should not be presented as universal market incidence.

The distinction matters. A verified identity can still produce an abusive refund. A successfully authenticated payment can still become a false dispute. More verification at checkout will not resolve every problem created later in the journey.

Build One Risk Timeline

The merchant needs a durable identity layer that can connect events without assuming identity alone proves good intent.

The timeline should include:

  • account creation, login, device, and address changes;
  • promotion eligibility and redemption;
  • authorization, authentication, capture, and payment method;
  • fulfilment, delivery evidence, and service consumption;
  • cancellation, return, refund, and support contacts;
  • chargeback reason, evidence, outcome, and recovery.

Stripe's customer-abuse documentation makes the same practical point: merchants should measure refund concentration by customer history, and distinguish refund, resale, and trial abuse. A refund policy is a product rule. Risk teams need its event history just as much as they need payment data.

Separate Four Decisions

A mature control model does not force one fraud score to make every decision.

1. Access

Decide whether an account can claim a promotion, start a trial, buy limited inventory, or use a high-risk fulfilment option. These controls may run before a payment exists.

2. Payment

Decide whether to accept, authenticate, review, or decline the transaction. This remains the right layer for stolen-card and account-takeover signals.

3. Fulfilment

Decide whether to release goods or value immediately, delay fulfilment, require stronger delivery proof, or cap exposure. Digital goods, gift cards, travel, and physical retail need different controls.

4. Refund And Dispute

Decide whether a refund can be automatic, needs approval, must reference the original payment, or should return only to the original instrument. Then preserve the evidence needed if the transaction is disputed.

Adyen's report describes a late-2025 pattern in which US retailers suffered losses through unreferenced digital-wallet refunds at the point of sale. That is an authorization and staff-permission problem around the refund workflow, not a failed card-fraud score at checkout.

Use Concentration To Choose Friction

The 3% figure is useful as a prompt for merchant-specific analysis, not as a threshold to copy.

Start with a concentration curve. What share of refund value, promotion cost, disputes, and support credits comes from the top 1%, 3%, 5%, and 10% of customer identities? Then split the result by product, channel, store, policy, tenure, and fulfilment method.

Add five guardrails:

  1. legitimate approval and checkout conversion;
  2. false-positive and manual-review rates;
  3. fulfilled gross margin after refunds and disputes;
  4. support cost and time to resolve genuine customer problems;
  5. repeat-abuse loss prevented against a stable control group.

This connects risk precision to the authorization-rate P&L. A control that prevents £10,000 of policy loss but creates £30,000 of lost good orders has failed.

Dispute Evidence Is A Recovery Layer

Merchants still need clean descriptors, delivery evidence, login history, prior undisputed transactions, and customer communications. Mastercard's first-party fraud guidance explains why merchants need evidence to show that a challenged transaction was legitimate.

That process is important, but it begins after the dispute. It should not be mistaken for prevention.

The better operating model joins three layers: upstream policy design, real-time lifecycle controls, and downstream dispute recovery. Chargebacks are a product problem because the evidence and customer expectations are created long before a representment team opens the case.

A 30-Day Operator Plan

First, join refund, dispute, promotion, fulfilment, and payment records around a stable customer reference. Produce concentration curves and identify the two behaviours with the highest net loss.

Third, add one targeted control for each behaviour: a referenced-refund requirement, approval threshold, promotion-eligibility rule, delayed fulfilment, or additional evidence capture.

Fourth, run a holdout. Measure prevented loss, false positives, customer contacts, approval rate, and fulfilled margin together.

Finally, create a weekly review across product, risk, finance, operations, and support. Cross-channel abuse will survive if each team sees only its own queue.

If you are rebuilding merchant fraud, refund, or dispute controls, work with Rizwan to connect policy, payment data, fulfilment, and financial outcomes into one measurable operating model.

Actionable Takeaway

Do not respond to first-party fraud by making every checkout harder.

Measure where loss concentrates across the customer lifecycle. Preserve a low-friction path for trusted behaviour. Add targeted controls at the event where abuse becomes observable, and judge them on net merchant value rather than blocked transactions.

The debate for risk leaders is no longer whether an identity is verified. It is how long that verification should remain sufficient when the customer's behaviour changes.

FAQ

What does Adyen's 3% figure mean?

Adyen says 3% of identities accounted for 50% of refund value in its 2025 platform data. It is a platform-level concentration measure, not a universal customer-abuse rate.

Why are checkout fraud controls insufficient for first-party fraud?

The customer, account, device, and payment may all be legitimate. Abuse can appear later through promotions, fulfilment, returns, refunds, or disputes.

Which metric should a merchant add first?

Measure refund and dispute value by stable customer identity and history, then compare any new control against false positives, approval rate, support cost, and fulfilled margin.

Tags
first-party fraudrefund abuseAdyenpayment riskfalse declinesdisputes
Rizwan Zafar
Written by
Rizwan Zafar

Chief Product Officer · Payments, Fintech & AI

Payments product & program leader — scaled a regulated multi-rail platform from $0 to $1B+ GTV across five frontier markets. These essays are the public version of how I think through the work.

Continue the conversation

This writing is the public version of how I think through product, programme and payment-infrastructure decisions in regulated markets.

Contact Rizwan
Hiring for a senior payments product role?

Rizwan ZafarChief Product Officer · Payments, Fintech & AI.

Payments Infrastructure Notes

One operator email a week. No filler.

Payment acceptance, settlement and product delivery notes from running $1B+ annual GTV across frontier markets — written for founders and payment leaders.

Weekly at most. Unsubscribe with one reply.