Asia's Cross-Border QR Boom Has a Fraud Problem Nobody Is Costing Yet

Asia is having one of those quiet, decade-defining moments, the kind that looks unremarkable on a Tuesday and reshapes an entire continent's financial plumbing by the time anyone gets around to noticing.

Roughly 31% of the world's retail cross-border payments now originate from Asia-Pacific. By 2033, FXC Intelligence and Money20/20's latest whitepaper, The New Era of Asia's Cross-Border Payments, projects the regional cross-border payments market will hit $24 trillion. That isn't a typo. That's the trajectory.

QR code interoperability is sitting right at the centre of it. China and Vietnam linked their retail QRs last year. China and Indonesia ran a bilateral QR pilot in September. India is reportedly in talks with Ant International to plug UPI into Alipay+, which would — in one stroke — open up roughly 150 million merchants across 100+ markets to anyone holding a PhonePe, GPay, or Paytm app.

The mood, as the whitepaper carefully documents, is overwhelmingly upbeat. 67% of Indian news coverage on QR interoperability is positive in tone. Singapore, Hong Kong, Malaysia, Thailand — all leaning the same way.

But sitting four pages into the QR section of that report is a single sentence the industry seems to have collectively decided not to dwell on:

"Much of the coverage has been positive, although warnings around fraud concerns and related challenges have driven down sentiment in some markets."

One line. The report moves on. It shouldn't.

₹300 Lakh Crore in UPI Volume vs ₹4,245 Crore in Fraud — The Two Numbers Nobody Puts on the Same Slide

UPI processed 228 billion transactions in calendar 2025. Roughly ₹300 lakh crore in total transaction value. December alone saw 21.6 billion transactions — 698 million payments a day, on average. Indians now scan QR codes to buy ₹40 chai as instinctively as they used to fish out change.

Cross-border UPI transactions, tracked separately, grew 20-fold in a single year. Then look at the fraud column.

The RBI's Annual Report for FY2024–25 recorded 13,516 digital payment fraud cases, making up 56.5% of all banking frauds, with reported losses of ₹520 crore. The previous year — FY2023–24 — UPI fraud losses alone touched ₹1,087 crore. Pull out from the official banking-fraud tally and the picture gets worse: the Ministry of Finance told Parliament that digital financial fraud crossed ₹4,245 crore in just the first 10 months of FY24–25, across roughly 24 lakh incidents.

A LocalCircles survey across 365 districts found 1 in 5 Indian families using UPI has experienced fraud in the last three years. 51% of victims never filed a complaint anywhere — not the police, not the bank, not NPCI, not RBI. So the real number is, almost by definition, worse than the reported one.

Now ask the obvious question.

If a domestic rail running inside one of the most aggressively defended payments environments on earth is leaking this much, what happens when that rail starts connecting to another country's rail — where neither side fully owns the other's identity layer?

Why National KYC Stops at the Border, and the Fraudster Doesn't

A quick reframing.

KYC, as India built it, is a national stack. Aadhaar. PAN. Penny-drop bank verification. CKYC. Device binding. SIM-to-account checks. Add in NPCI's MuleHunter.AI, RBI's Central Payment Fraud Information Registry, the new beneficiary-name display rule from June 2025, and you get a defence layer that, for all its gaps, is genuinely formidable inside India's borders.

Now extend UPI to Singapore via PayNow. Or to PromptPay in Thailand. Or, via the proposed Alipay+ link, to merchants in Bangkok, Tokyo, Manila, and Macau.

Singapore's banks do their own KYC. The MAS-licensed PSPs in Thailand do theirs. Ant International runs its own. They can share outcomes — pass, fail, flag. They cannot meaningfully share the signal layer underneath those outcomes.

That signal layer is the part that matters.

A fraudster who got kicked off PhonePe last week for running a mule racket can resurface tomorrow in a connected corridor, "fresh foreign wallet", Vietnamese merchant on the receiving end, not a single national flag travelling with them. The corridor opens the door. The flag stays home.

This is the gap the M2020 whitepaper gestures at and walks past. It's also the gap that the next ₹500 crore of cross-border fraud is going to walk straight through.

Anatomy of a Cross-Border QR Fraud Ring (Hypothetical, but Plausible)

Walk through this one concretely.

A fraud ring operating out of a Tier-3 town in eastern India — call it a Jamtara-pattern operation, since that's the documented archetype — onboards 40 mule UPI wallets. The KYC inputs are scraped Aadhaar–PAN combinations sourced from a leaked dataset, mapped to fresh SIMs bought in batches. Every wallet clears NPCI's KYC checks. On paper, 40 verified customers.

Phase one is domestic. Small phishing calls to senior citizens — ₹2,000 here, ₹5,000 there, deliberately under the transaction-trigger thresholds. Funds get aggregated across the 40 mules over a 5–6 week window. Eventually MuleHunter picks up the velocity pattern. Some accounts get frozen. The ring loses about 30% of the haul to system response.

Phase two — and this is where it gets interesting — is the cross-border exit.

Instead of trying to launder onward inside India, where mule-account closure rates have climbed sharply, the ring routes outbound via a connected corridor. A shell merchant entity in a free zone (Sharjah, Dubai South, take your pick) is set up to accept inbound UPI–NEOPAY settlements. The ring's mule UPI wallets push small-ticket "purchases" to the shell merchant. The receiving acquirer in the UAE sees a string of clean cross-border merchant settlements. Three weeks later the funds are withdrawn or routed onward.

The NPCI fraud signal that flagged the mules domestically does not propagate to the UAE acquirer. There is no protocol that requires it to.

Where this gets caught — if it gets caught — is the device layer. Forty wallets operated from seven or eight physical handsets is a device-to-account ratio no legitimate user displays. Sign3's device fingerprinting flags exactly this — across borders, in real time, regardless of which corridor the wallet activity is pointing at. The corridor doesn't issue the device a new identity.

What Crosses Borders Anyway: Device IDs, Digital Footprints, Behavioural Patterns

Here's the thing, not everything stops at the border.

Device IDs travel. Digital footprints travel. Behavioural patterns travel. The fraudster who used an (for example - OnePlus 9) to run eleven mule accounts on a domestic rail doesn't get issued a new handset when their wallet starts pointing at a Hanoi merchant. Their email signature, their typing cadence, their browser fingerprint, the rotating proxy they've been sitting on for nine months, 'none of that gets a passport stamp".

This is the part the industry hasn't priced in yet. The defence layer that travels with the payment isn't the document layer. It's the device layer. The footprint layer. The behaviour layer.

That's where Sign3 sits.

Sign3's Three Products and Six Use Cases, Mapped to Cross-Border QR Fraud

A few honest observations on where each piece plugs in.

Device Intelligence

Sign3's device fingerprinting clocks 99.9% accuracy — but the accuracy figure is the boring number. The interesting one is persistence. The fingerprint survives app reinstalls. It survives VPNs. It survives emulator masking. In a cross-border world where the same handset can be hitting UPI today and a Singapore PayNow merchant tomorrow, that persistence is the only real thread linking the two sessions in real time. Two national KYC systems see two separate users. Sign3's device intelligence sees one.

Digital Footprint

A phone number that's 14 days old, not on WhatsApp, not on any social platform, not tied to a delivery address — looks nothing like a number that's been around four years and shows up across twelve platforms. Sign3's footprint engine pulls in 100+ digital, social, and device signals to make that distinction. National KYC will see both as "verified." Footprint scoring will see them as worlds apart. In a cross-border setting, where the receiving merchant's bank cannot run local KYC on the payer, the footprint score is, frankly, the only meaningful identity signal available at decision time.

Behavioural Biometrics

Typing cadence. Scroll behaviour. The micro-tilt of the device when a real human is holding it versus when an emulator is faking touchpoints. A mule operator running multiple wallets on a single handset exhibits a different behavioural signature from the genuine account-holder. Cross-border or not, the muscle memory of a fraudster looks different from the muscle memory of the person whose wallet it actually is.

That's the product side. The use cases stack on top.

Now Six Use Cases

Identity Fraud.

Sign3's real-time identity fraud solution is built for the moment of truth — payment time, login time, onboarding time. In a domestic UPI flow, there are multiple checkpoints. In a cross-border QR flow, there's often only one. That single decision has to be right. The combination of digital footprinting and device-level risk scoring is what makes the single decision survivable.

Account Takeover.

Sign3 reports under 5 seconds to detect an ATO event and has already blocked 2 million+ stolen accounts. A serious share of cross-border QR fraud is not going to come from new fake accounts. It will come from compromised genuine ones, the Bengaluru user whose wallet gets phished, then drained against a merchant in Phnom Penh while she's asleep. The geography of the receiving merchant is exactly the kind of behavioural anomaly that should trip an ATO model. It only trips one if the model is watching the cross-border signal at all.

Bonus Abuse.

Cross-border cashback wars are coming. They always do. The minute Alipay+ opens up promotional offers across 100+ markets, the multi-accounting playbook that hit Indian fintechs between 2018 and 2022 is going to find a much larger sandbox. Sign3's bonus abuse stack — device-linked, footprint-aware — is the only thing that catches a fraud ring running 47 wallets across 4 corridors against the same set of merchant offers.

Digital Onboarding.

As more remittance corridors come online, more first-time digital wallet users will be onboarded specifically for cross-border use. These are exactly the cohort with the thinnest digital trail and the highest synthetic-identity exposure. Layered onboarding — KYC + footprint + device + behavioural — is what separates a genuine first-time UAE-bound remitter from a synthetic identity built specifically to game a new corridor.

Credit Underwriting.

Often missed in the fraud conversation. Cross-border remittance flows are increasingly being used as alternative-data signal for credit decisions in India, particularly for thin-file rural borrowers whose families remit from the Gulf. The integrity of that signal collapses if any meaningful share of the underlying flows turn out to be fraud-driven. Device and footprint hygiene on the cross-border rail directly determines whether the downstream data is usable for underwriting.

User Prospecting.

The flip side. Of the millions of new cross-border-enabled users, who are the genuinely high-intent, high-LTV ones worth acquiring? Sign3's prospecting layer answers that — and the value of getting the answer right goes up sharply when your acquisition cost is now operating across geographies, not just across Indian cities.

The Regulatory Gap: Five Central Banks, Zero Shared Fraud Framework

Step back from the technology layer and look at the regulators.

RBI runs MuleHunter.AI, the Central Payment Fraud Information Registry, the Digital Payments Intelligence Platform. MAS in Singapore runs the Shared Responsibility Framework for phishing losses. Bank of Thailand has its own fraud-reporting protocols, Bank Negara Malaysia operates the National Scam Response Centre, Bangko Sentral ng Pilipinas runs its fraud monitoring on InstaPay, and Bank Indonesia coordinates BI-FAST defences. Hong Kong's HKMA, Japan's BoJ, the State Bank of Vietnam — each one has built its own apparatus.

These apparatuses do not operationally talk to each other.

There is no Asian equivalent of a FATF-style cross-border fraud signal exchange. Project Nexus is solving for interoperability of the rail, not interoperability of the fraud framework. mBridge connects wholesale CBDCs across the BIS hub markets, but it doesn't connect retail fraud signals across them. Even when two regulators sign an MOU on payment connectivity — as RBI and MAS did for UPI–PayNow — the document covers settlement, dispute, and KYC equivalence. It doesn't cover the live signal exchange that would let one country's fraud flag reach another country's acquirer in time to matter.

This is why the cross-border defence has to sit somewhere below the regulator layer. At the rail layer. At the PSP layer. At the device-and-footprint layer that doesn't require a treaty to operate across two jurisdictions.

That's structurally where Sign3's stack lives. The signal is the device. The device travels. The treaty isn't required.

The UAE–India Corridor: Where the First Cross-Border QR Fraud Wave Will Land

If you had to bet on where the first material cross-border QR fraud quarter shows up — bet on UAE–India.

The corridor is the largest single remittance link in the world. Officially, around $20 billion in annual flow from UAE to India; with informal channels, the real figure is closer to ₹2.5 lakh crore. The Indian diaspora in UAE is roughly 3.5 million people. Indian tourist arrivals into UAE crossed 5.29 million in 2024. UPI has been live in UAE through the NIPL–Mashreq–NEOPAY partnership since 2023. Acceptance is patchy — traveller reports peg merchant-level success rates around 60% — but the infrastructure is fully in place.

This is the corridor that combines every fraud-attractive property in one place: high volume, dual-direction flow (remittance + tourist + merchant), large diaspora that provides natural laundering cover, generous cash-out options in UAE itself, and an Indian-origin payer base that fraud rings already know how to target.

Add to that the structural detail that AED–INR isn't a heavily monitored cross-border pair on the retail side. SWIFT-CSP doesn't cover retail QR. The acquirer in UAE doesn't get NPCI's mule signals. The Indian fraud monitoring doesn't see the UAE-side merchant cluster.

A device-level defence is the only layer that operates symmetrically here — it sees the Indian-issued handset, sees that the same handset has been operating from a UAE IP block for six days, sees that the wallet activity pattern doesn't match the historical baseline, and scores the transaction in real time. National KYC has nothing to say about any of that.

The Frictionless Trade-Off: Every Removed Checkpoint Is Also a Removed Defence

Here's the part that the M2020 whitepaper does get right, and that's worth sitting with.

QR interoperability is an unambiguous good. Sending money home from Dubai shouldn't cost ₹1,200 in fees. A tourist in Singapore shouldn't have to carry a forex card she'll use twice. A merchant in Hanoi should be able to accept a payment from a Chinese visitor without taking on three weeks of currency risk. The whole point of stitching Asia's payment rails together is to remove friction that has no business existing in 2026.

And both things can be true, every removal of friction is the removal of a checkpoint. The friction in the old system did some work. The new frictionless system has to find another way to replicate that work. Otherwise the only thing being made frictionless is fraud.

This is what the report hints at and doesn't develop. The same data that shows positive sentiment also shows fraud anxieties pulling that positive number down in the very markets where cross-border rails are most active. That isn't a contradiction. That's a warning.

What India Needs to Get Right Before the Alipay+ Switch Flips

A few things are about to be true simultaneously.

UPI is already live in 8 countries — UAE, Singapore, Bhutan, Nepal, Sri Lanka, France, Mauritius, Qatar — and accepted by 1.5 million+ international merchants. NIPL has indicated four to six more countries this year. The Alipay+ integration, if it goes through, will dwarf every cross-border QR link India has built so far. RBI's Payments Vision 2028 has put remittance efficiency in the top tier of priorities. Project Nexus moves from planning to live operation.

None of these initiatives currently publishes a cross-border fraud number. Domestic UPI fraud is reported. Banking fraud is reported. Cross-border QR fraud sits in a measurement gap.

By the time it stops sitting in that gap, the losses will already be material. The honest move is to assume that — and to layer in device, footprint, and behavioural defences now, on the rails as they're built, not after the first ₹500 crore quarter of cross-border QR fraud shows up in an RBI footnote two years from now.

Conclusion: The Asymmetry That Defines Asia's Next Payments Decade

The interoperability story is the right story. India's UPI is going to be one of the great financial infrastructure exports of this decade. Asia's QR fabric is going to make every other regional payments network look slow.

The fraud story is the under-told one. National KYC stops at national borders. Device intelligence, digital footprint analysis, and behavioural biometrics don't. That asymmetry is the entire opportunity — and the entire risk.

Sign3 was built around exactly that asymmetry.

The QR boom isn't slowing down. The fraud surface underneath it widens every quarter the industry treats this as a single line in a whitepaper. Somebody has to read the line.

Source: The New Era of Asia's Cross-Border Payments — Money20/20 × FXC Intelligence, 2026. Indian fraud data sourced from RBI Annual Report FY2024–25, Ministry of Finance disclosures to Parliament, Ministry of Home Affairs cyber crime data, and the LocalCircles 2025 survey across 365 districts.

[https://asia.money2020.com/resources/crossborder-payments-2026-whitepaper]