Project Nexus Connects Five National Rails. Its Fraud Defence Connects None of Them.

On 30 June 2024, in a quiet ceremony in Basel, the central bank governors of India, Malaysia, the Philippines, Singapore, and Thailand signed an agreement that, over the next eighteen months, will reorganise how money moves across Asia.

The agreement was for Project Nexus a Bank for International Settlements initiative four years in the making. Its core idea is almost embarrassingly simple. Instead of each domestic instant payment system negotiating bilateral connections one country at a time, every system plugs into a single multilateral hub. One technical integration. ISO 20022 messaging. Phone-number or QR-code addressing. Sub-60-second settlement. UN Sustainable Development Goal pricing target 3% cost on cross-border retail, down from the current global average of 6%.

The participating systems together cover 1.7 billion people. India's UPI alone processed 228 billion transactions in 2025. Thailand's PromptPay has 81 million registered accounts. Singapore's PayNow has 80% domestic adoption. Malaysia's DuitNow runs the second-highest QR adoption rate in the world after China. The Philippines' InstaPay handles 1.5 billion transactions annually, with electronic fund transfers now equal to roughly 90% of Philippine GDP.

The governing body —** the Nexus Scheme Organisation, headquartered in Singapore has been quietly building out the operational rulebook through 2025.**

Live implementation: 2026

Everything about this is a step forward. Cheaper remittances. Faster settlements. A genuine alternative to correspondent banking. Less currency-conversion friction for tourists, students, traders, gig workers, families. There is, however, one paragraph in the NSO's published phase-four documentation that hasn't been written. The paragraph that says how five different national fraud frameworks operationally talk to each other across this rail. Because they don't.

The Rail Is Unified. The Defence Is Five Separate Things.

A useful distinction to hold onto: Nexus standardises messaging, not risk.

ISO 20022 lets a payment instruction generated in Manila be parsed cleanly by an acquirer in Mumbai. The messaging is interoperable. The settlement is interoperable. The dispute-resolution choreography is interoperable. None of that is in question.

But each member country's fraud apparatus continues to operate as a national silo. The Reserve Bank of India runs the Central Payment Fraud Information Registry, the Digital Payments Intelligence Platform, and MuleHunter.AI. The Monetary Authority of Singapore operates the Shared Responsibility Framework. Bank Negara Malaysia runs the National Scam Response Centre. Bangko Sentral ng Pilipinas has just signed information-sharing MoUs with the NBI, CICC, and SEC. The Bank of Thailand has its own fraud-monitoring protocols stacked under the National Anti-Scam Operations Centre.

These five frameworks were built for closed-loop domestic environments. Each has its own definition of what counts as a mule account, what triggers a freeze, what gets escalated, what gets shared with law enforcement. The blacklists don't sync. The risk scores don't translate. The behavioural signatures stay national.

NSO governs the rail. NSO does not, at least, not in any document published so far, govern a shared fraud intelligence layer. There are reasons for this: data-residency rules, PII definitions that differ across jurisdictions, consent frameworks that aren't harmonised, multi-year regulatory negotiations that would slow the launch by years.

The pragmatic decision was to ship the rail first and figure out the rest later. The "later" is where the problem lives.

The Same Transaction, Seen Five Different Ways

Here's a thought experiment that maps the problem more cleanly than a linear walkthrough ever could. Picture a single coordinated fraud operation running across Nexus on day 47 after launch. The same operation. One ring. One set of operators. Money moving in real time through five rails.

The Reserve Bank of India sees a series of small-ticket outbound remittances from a cluster of UPI wallets, averaging ₹4,800 per transaction, well below MuleHunter. AI's velocity-trigger thresholds, distributed across 80 different sender accounts. The pattern looks like diaspora remittance behaviour. Indian-side flags: none. Bangko Sentral ng Pilipinas sees inbound activity into 60 InstaPay accounts that were KYC-cleared 38 days ago. The accounts are receiving funds at amounts consistent with family-support transfers. No single account shows accumulation velocity that would flag domestic monitoring. Philippine-side flags: none.

Bank Negara Malaysia sees onward DuitNow transfers from the same 60 InstaPay accounts to a smaller cluster of Malaysian accounts at retail merchants. The amounts have been broken up further. The merchants are real. Some have been operating for years. Malaysian-side flags: none.

The Bank of Thailand sees PromptPay payouts to small-merchant cash-out networks at retail locations across Bangkok and Chiang Mai. Each individual payout is within normal merchant settlement range. Thai-side flags: none. The Monetary Authority of Singapore sees almost nothing — Singapore is a transit jurisdiction for some of the flow, with funds passing through PayNow corporate accounts under MAS-licensed PSPs. The activity is consistent with normal corporate cash management. Singapore-side flags: none.

Five regulators. Five compliance teams. Five independent monitoring stacks. Each one looking at its own slice. Each one seeing nothing actionable.

The ring exists. The ring is laundering, conservatively, ₹40 crore a week through this exact pattern. The ring is visible only at the signal level, at the layer where you can see that 14 of the Indian handsets share a Bluetooth proximity history with 9 of the Philippine handsets, that four of the Malaysian merchant accounts share registration IP blocks with the InstaPay onboarding cluster, that the typing cadence on three of the Thai cash-out wallets matches the Indian sender wallets to within milliseconds.

Five fraud teams cannot, by the architecture of how they're built, see that picture. A graph can.

What India Has Already Built And Where It Stops

The most useful Indian case study here isn't a fraud incident. It's a tool. And not a tool that failed — a tool that succeeded.

MuleHunter.AI was launched by the Reserve Bank Innovation Hub in late 2024. The architecture is genuinely sophisticated: 19 distinct behavioural patterns of mule-account activity, machine learning models trained on real Indian banking data, transaction-graph analysis that replaces the static rule-based systems most Indian banks were running. The initial pilot, with two large public sector banks, returned what the RBI carefully described as "encouraging" results. Specific numbers weren't disclosed — the RBI cited fiduciary obligations to participating banks but the adoption signal told the story for them.

By 10 December 2025, an RTI response revealed that 23 banks had implemented MuleHunter.AI. That curve is steep by Indian banking standards. It tells you the tool is doing what it was built to do.

For context: The National Crime Records Bureau puts online financial fraud at 67.8% of all cybercrime complaints in India. MuleHunter.AI is the most advanced AI response India has built to that problem. And the data it operates on — every transaction record, every account behaviour pattern, every velocity signal — lives inside the Indian banking perimeter.

Which is exactly the design.

MuleHunter.AI is country-bounded. The 19 behavioural patterns were drawn from Indian fraud archetypes. The training data is Indian. The blacklist it produces is consumed by Indian banks. None of this is a flaw — it's a deliberate choice for a domestic tool. The flaw enters only when the perimeter itself starts leaking, which is what Nexus does.

A Nexus-routed mule operation can have its Indian leg detected by MuleHunter.AI while its Philippine, Malaysian, Thai, or Singaporean legs remain entirely invisible to the equivalent monitoring stacks in those countries. The Indian-side detection won't propagate. The Philippine-side acquirer won't know what RBIH already knows. The ring continues operating across the parts of the rail where the defence isn't watching.

India built the best country-bounded mule detection in Asia. Nexus is about to make country-bounded the wrong frame.

Singapore Has Already Paid the Price for Reactive Defence

The international case study is harder to look at, because of how much it cost.

In December 2021, an SMS phishing campaign impersonating OCBC Bank, Singapore's second-largest lender, moved through 790 customers over a four-week window and stole S$13.7 million. The mechanics were almost unremarkable: spoofed SMS messages landing inside OCBC's own legitimate SMS thread (Singapore's sender-ID system at the time permitted it), embedded links to cloned login pages, credentials harvested, OTPs harvested, outbound transfers executed in seconds. Several victims lost their entire life savings. At least two lost over S$100,000 each. One transfer routed to a UK account was beyond Singapore's domestic recovery reach within minutes of execution.

OCBC's defence stack at the time was largely rule-based and post-transaction. The bank's hotline couldn't handle call volume. Customer service couldn't action freezes fast enough. Real-time stopping was effectively impossible. The supervisory response when it eventually came in May 2022 was the harshest action the Monetary Authority of Singapore had taken against a domestic bank in years. MAS imposed a S$330 million additional capital requirement on OCBC, applied as a 1.3x multiplier to operational-risk-weighted assets. OCBC was forced to implement an entire generation of new controls: removal of clickable links in all customer SMS, a 24-hour cooling-off period for digital token provisioning, a "kill switch" feature for emergency account freezes, dedicated onsite staff at the Singapore Police Anti-Scam Centre, and eventually the phased removal of OTPs as a primary authentication factor. The MAS-ABS Shared Responsibility Framework, which now governs how scam losses are split between banks and customers, was a direct consequence.

That entire response — penalty, structural changes, framework redesign, took fourteen months from the original scam.

Now consider what that timeline looks like inside a Nexus context.

OCBC was contained by Singapore's banking system, Singapore's regulator, and Singapore's recovery jurisdiction. Even with every domestic advantage in the bank's favour, the response took months. Now imagine the same scam pattern executed across five interconnected jurisdictions, with stolen funds routed through Philippine, Thai, and Malaysian rails before any single monitoring stack catches up. There is no MAS to fine the originating bank because the originating bank might be in a different country. There is no national supervisory authority with jurisdiction over the entire flow. There is no equivalent of the Shared Responsibility Framework that operates across borders.

The OCBC episode is, in a real sense, the optimistic baseline. It's what failure looks like inside a single, highly resourced, tightly supervised market. Nexus extends that failure mode across five.

The defence layer for a multilateral rail has to be in place before the first transaction crosses it. Retrofitting, as OCBC demonstrated at the cost of S$330 million, is what you do when you've already lost.

What Graph Intelligence Actually Sees

Sign3's approach to this problem starts from a different premise.

A national fraud database asks: Is this account a mule? A graph asks: Is this account part of a structure that includes a mule?

The first question can be answered with the data inside one country. The second cannot. The graph is a real-time map of relationships between entities — phones, emails, devices, IP blocks, locations, wallets, and behavioural signatures. Each entity is a node. Each relationship is an edge. Fraud rings don't exist as individual accounts; they exist as dense subgraphs clusters of nodes connected by patterns that legitimate users almost never produce. A single mule wallet looks clean in isolation. The same wallet, sitting in a subgraph with 47 other accounts that share device fingerprints, recovery-email roots, and onboarding IP signatures, looks like exactly what it is.

This is what Sign3's Network & Graph Intelligence module is built to do. It operates on a continuous identity graph that updates with every signal — a new device, a new login, a new transaction, a new behavioural anomaly. The graph doesn't ask which country an entity is in. It asks what other entities it's connected to.

The graph is fed by five other intelligence modalities, each contributing edges:

• Device intelligence maintains persistent fingerprints across app reinstalls, VPN switches, factory resets, and emulator masking. In the Nexus scenario above, this is the layer that identifies that 80 wallets are running off 11 physical handsets — an anomaly invisible to wallet-level KYC.

• Behavioural biometrics captures typing cadence, scroll velocity, and the micro-tilt of how a phone is held; the cadence of a single fraud operator running multiple wallets remains constant even when the wallets sit on different national rails.

• Image intelligence detects manipulation artefacts in identity documents at the pixel level — the JPEG quantisation patterns and splice boundaries that betray AI-generated or composite Aadhaar photos, deepfake selfies, and edited passport scans.

• Location intelligence correlates IP geolocation, WiFi SSID history, and cell-tower triangulation into a longitudinal baseline that flags anomalies like a long-stable Bengaluru wallet suddenly transacting from Davao at 3 AM IST.

• Digital footprint signals pull from 100+ data points — phone vintage, social presence, platform linkages — to distinguish a six-year-old genuine number from an eleven-day-old burner that's KYC-clean on paper.

These five modalities don't replace each other. They feed the graph. The graph is what produces the cross-rail intelligence that no single national monitoring stack can produce on its own.

Critically, none of this requires inter-governmental cooperation to function. The signals travel with the user with the device, with the network, with the behavioural fingerprint. They don't need an MoU between RBI and MAS. They don't need NSO to operate a shared registry. They operate at the layer below the regulator, which is exactly the layer where multilateral defence has to live.

Why Five Markets Is Not Five Times the Problem — It's More

A piece of the Nexus mathematics that hasn't been discussed publicly: the fraud surface doesn't scale linearly with the number of connected markets. It scales combinatorially.

Two markets connected bilaterally produce one corridor, a single pair where fraud can flow. Five markets connected multilaterally produce ten corridors. Six markets produce fifteen. Seven, twenty-one. The pattern is the standard combinatorial expansion: n(n−1)/2.*

The defence work, however, is not additive. It is also combinatorial and worse, it introduces a category of fraud that doesn't exist in bilateral environments at all.

That category is transit fraud. A flow originates in country A, lands in country B, and routes onward to country C. Country C's acquirer cannot see the country A origin signal even if it exists. Country A's monitoring stack lost sight of the flow the moment it crossed into B. Country B saw what looked like a legitimate intermediate settlement and waved it through. The fraud lives in the gap between three jurisdictions, and no individual jurisdiction can see the full shape.

This is why bilateral linkage models — UPI–PayNow, UPI–NEOPAY, China–Vietnam QR — were always going to be a transitional architecture. They scale linearly. You can build defences pair by pair. It's slow, but it's tractable. Multilateral environments don't scale linearly, which means defence built pair-by-pair will always trail the fraud surface. The only defence model that scales multilaterally without requiring pairwise treaties is the model where the signals travel with the user, not with the corridor. Device fingerprint. Digital footprint. Behavioural signature. Graph linkage.

The mismatch: small number of bilateral treaties versus large number of corridors going live, is the opportunity and the risk in the same sentence.

India Carries Disproportionate Risk

Among the five Nexus members, India contributes the largest user base, the largest current transaction volume, and the deepest existing fraud base. UPI is the world's largest IPS by every operational metric. When Nexus goes live, India isn't one of five equal participants. India is one ocean connecting to four lakes.

Most early cross-border flow will be India-originating or India-terminating. Most cross-border fraud, following the same logic, will be too.

The Ministry of Finance disclosed digital financial fraud of ₹4,245 crore in just the first ten months of FY24–25 — and that's the domestic-only number, in a system designed for closed-loop operations. Layer on the fact that India's payment ecosystem includes 500 million+ active digital payment users and 100 billion+ digital transactions annually, and the absolute exposure that opens the day Nexus turns on is, frankly, a number nobody has tried to price. A conservative projection — assuming cross-border fraud rates approximate the existing domestic UPI fraud rate of roughly 0.4% by value — puts year-one cross-border fraud losses in low four-digit crore territory. That assumes nothing gets worse on the rail. Which, given the architectural points above, is almost certainly an underestimate.

What Needs to Be in Place

For Indian PSPs — banks, payment apps, NPCI-licensed acquirers, NBFC wallet providers, the window for proactive defence design is roughly nine months wide. After that, the rails are live and retrofitting starts. Five things that should already be in motion:

A persistent identity graph across all rails the user touches, maintained continuously, with edges that include device, network, location, behavioural, and footprint signals. This is the foundation. Everything else is built on top. Cross-border-aware fraud models that flag a first-ever cross-border transaction from a long-standing domestic wallet as a step-up event. The current model assumption, that cross-border is a marginal-volume edge case, stops being true on day one of Nexus.

Image intelligence as a standard onboarding gate for any wallet that will have cross-border capability. The synthetic-identity factories operating on the dark web are already adapting their document templates for the new opportunity.

Behavioural baselines that capture the longitudinal signature of every active user, with anomaly detection that doesn't reset when the destination country changes.

Real-time graph queries at the moment of transaction, not at the end of the day, not in the weekly compliance review, not in the chargeback investigation three weeks later.

Sign3 operates this stack today. Twenty-plus banks, fintechs, and marketplaces are already running the unified intelligence layer through onboarding, payment, and lifecycle monitoring. The Indian market has nine months to either build equivalent capability internally, partner for it, or accept that the first material cross-border fraud quarter will be measured in crores per week, not per month.

The Quiet Part of the BIS Vision

There's a line in the original BIS Project Nexus blueprint, published back in 2021, that has aged into a quiet warning.

The blueprint described Nexus as a standardised connection between instant payment systems a way to replace bilateral complexity with a single integration point. The framing was deliberately narrow. Nexus was always pitched as a payments-rail project, not a fraud-defence project. Standardise the messaging, the settlement, the dispute resolution; let national systems handle everything else.

In a world where domestic instant payments were largely isolated from each other, that scope was defensible. In a world where Nexus is about to enable real-time multilateral flows across 1.7 billion people, the scope leaves a gap so large that any honest fraud-operations executive in any of the five member countries should already be planning for it.

The BIS built the rail. The NSO will operate the rail. Neither will defend the rail in the sense that matters. That work is going to fall to the platforms the PSPs, the banks, the fraud-intelligence layers like Sign3 and it is going to happen either before launch or after it. The cost differential between those two timings, if the OCBC precedent is any guide, is the difference between a planned engineering project and a multi-quarter remediation programme conducted under regulatory observation.

The rail is being built. The defence has to be built alongside it. There isn't time to do it the other way around.

Sources: BIS Project Nexus Phase Four documentation (2024–2025); BIS press release on Nexus agreement signing, Basel, 30 June 2024; Reserve Bank Innovation Hub MuleHunter.AI announcements (Dec 2024); RTI response on MuleHunter.AI adoption — MediaNama (Dec 2025); RBI Annual Report FY2024–25; Monetary Authority of Singapore supervisory action on OCBC Bank (May 2022); OCBC Group media statement on MAS action (May 2022); MAS Parliamentary Replies on OCBC scam review (Aug 2022); Ministry of Finance disclosures to Lok Sabha on UPI fraud (FY24–25); Bangko Sentral ng Pilipinas press communications, 2026; National Crime Records Bureau cybercrime statistics; FXC Intelligence and Money20/20 — The New Era of Asia's Cross-Border Payments [https://asia.money2020.com/resources/crossborder-payments-2026-whitepaper]