The Federal Reserve launched FedNow in July 2023, creating the second instant payment rail in the United States alongside The Clearing House's Real Time Payments network, which has operated since 2017. The two networks have different technical specifications, settlement finality rules, and participation models, but they share a defining characteristic that creates new compliance obligations for every participating financial institution: irrevocable settlement in seconds. Once a FedNow or RTP payment settles, it cannot be recalled. The fraud and money laundering risk this creates is not hypothetical — authorised push payment fraud is now the fastest-growing payment fraud typology in markets with mature instant payment infrastructure, and US institutions are learning from the UK's bitter experience.
The Sub-Second Compliance Window
FedNow requires that a receiving institution provide a response to a payment message within a defined time window — the network specifies a maximum response time of 20 seconds, but in practice most transactions must be processed in well under 10 seconds to maintain a reasonable customer experience. Within that window, the receiving institution must: validate the message format, verify the beneficiary account exists and is eligible to receive instant payments, screen both the originator and beneficiary against OFAC sanctions lists, apply fraud detection rules, and return an affirmative response or a rejection with a reason code. This is not a sequential checklist — it must be a parallel, low-latency pipeline.
The specific compliance obligation that catches institutions unprepared is sanctions screening. OFAC's 50% rule requires screening not just against the SDN list but against entities that are at least 50% owned by blocked parties — which requires a beneficial ownership graph that must be traversed during the screening process. Fuzzy matching against the SDN list and its aliases must run against both the originator and beneficiary names within the response window. Implementations that cannot complete this process within the time window will either delay payments beyond acceptable thresholds or, worse, skip screening to meet timing requirements.
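The ownership-graph traversal described above can be sketched as follows. This is an added example, not code from the article: the entity names, stakes, and the `blocked_by_ownership` helper are constructed for illustration. It aggregates the stakes held by blocked owners and propagates blocked status down the graph, including through ownership cycles.

```python
from collections import defaultdict

# Constructed sample data: (owner, owned_entity, percent of equity held).
OWNERSHIP = [
    ("SDN_PERSON_A", "HOLDCO_1", 30),
    ("SDN_PERSON_B", "HOLDCO_1", 25),    # 30 + 25 = 55% held by blocked parties
    ("HOLDCO_1", "TRADING_CO", 60),      # blocked status cascades to subsidiaries
    ("SDN_PERSON_A", "MINORITY_CO", 40),
    ("CLEAN_FUND", "MINORITY_CO", 60),   # blocked stake stays under the threshold
    ("TRADING_CO", "LOOP_CO", 50),
    ("LOOP_CO", "TRADING_CO", 10),       # cycle: the traversal must still terminate
]
SDN = {"SDN_PERSON_A", "SDN_PERSON_B"}   # constructed stand-ins for listed parties


def blocked_by_ownership(sdn, edges, threshold=50):
    """Return every party blocked by listing or by aggregate blocked ownership."""
    owners_of = defaultdict(list)   # entity -> [(owner, percent)]
    owned_by = defaultdict(list)    # owner  -> [entity]
    for owner, entity, percent in edges:
        owners_of[entity].append((owner, percent))
        owned_by[owner].append(entity)

    blocked = set(sdn)
    worklist = list(sdn)
    while worklist:
        owner = worklist.pop()
        # Only entities this owner holds a stake in can change status.
        for entity in owned_by[owner]:
            if entity in blocked:
                continue
            total = sum(p for o, p in owners_of[entity] if o in blocked)
            if total >= threshold:
                blocked.add(entity)
                worklist.append(entity)   # its own holdings must be re-evaluated
    return blocked
```

Each entity enters the worklist at most once, so the traversal terminates on cyclic ownership structures.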
OFAC does not offer a real-time payments exemption. The obligation to screen every payment transaction against the SDN list applies regardless of the settlement speed of the payment rail. Institutions that configure their FedNow or RTP implementation to bypass or truncate sanctions screening to meet timing requirements are creating a sanctions compliance programme gap that examination will find.
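The parallel pipeline described in this section, as an added example that is not code from the article: the checks run concurrently under one time budget, and a check that has not answered when the budget expires causes a rejection instead of being skipped. The check names, latencies, and the `run_checks`, `make_check`, and `decide` helpers are assumptions; the stub checks only sleep to simulate service latency.

```python
import asyncio


async def run_checks(payment, checks, budget_s):
    """Run every check concurrently; any failure, error or timeout rejects."""
    tasks = {name: asyncio.create_task(fn(payment)) for name, fn in checks.items()}
    done, pending = await asyncio.wait(list(tasks.values()), timeout=budget_s)
    for task in pending:
        task.cancel()
    # Let cancellations finish so no task is left running after the decision.
    await asyncio.gather(*pending, return_exceptions=True)

    results = {}
    for name, task in tasks.items():
        if task in pending:
            results[name] = "TIMEOUT"      # never treated as a pass
        elif task.exception() is not None:
            results[name] = "ERROR"
        else:
            results[name] = "PASS" if task.result() else "FAIL"
    verdict = "ACCEPT" if all(v == "PASS" for v in results.values()) else "REJECT"
    return verdict, results


def make_check(latency_s, outcome=True):
    """Constructed stub: sleeps to stand in for a screening or lookup service."""
    async def check(payment):
        await asyncio.sleep(latency_s)
        return outcome
    return check


def decide(sanctions_latency_s, budget_s=0.2):
    """Decide one constructed payment with a configurable sanctions latency."""
    checks = {
        "format": make_check(0.01),
        "account": make_check(0.02),
        "sanctions": make_check(sanctions_latency_s),
        "fraud": make_check(0.03),
    }
    payment = {"originator": "A. Sender", "beneficiary": "B. Receiver", "amount": 100}
    return asyncio.run(run_checks(payment, checks, budget_s))
```

The per-check result map identifies which control caused a rejection, which the integration layer can translate into the rail's own reason code.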
Fraud Detection Architecture for Instant Payments
Authorised push payment fraud — where the legitimate account holder is manipulated into authorising a payment to a fraudster — does not look different from a legitimate payment in the transaction data. The customer authenticated successfully and authorised the payment; the bank's fraud system has no technical signal to distinguish it from a genuine transaction. The UK's Payment Systems Regulator introduced mandatory reimbursement for APP fraud in October 2023, creating a financial incentive for UK banks to invest in behavioural fraud detection. US regulators have not yet mandated reimbursement, but the pattern suggests the direction of travel.
Effective fraud detection for instant payments relies on behavioural analytics operating on real-time account data: has this account sent large payments to new payees before? Is this payment amount consistent with the account's historical behaviour? Is the beneficiary account newly opened and receiving payments from many different senders — a pattern associated with money mule activity? Answering these questions within the sub-second window requires pre-computed risk scores and feature vectors that are updated continuously from transaction history, not computed from scratch at decision time.
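A sketch of the pre-computed feature approach described above, added here as an example and not taken from the article. Features are updated as transactions are recorded, so decision-time scoring is a handful of lookups. The thresholds (5x the mean sent amount, 30 days, 3 distinct senders), the flag names, and the single store holding both parties' accounts are illustrative assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AccountFeatures:
    opened_day: int
    known_payees: set = field(default_factory=set)
    distinct_senders: set = field(default_factory=set)
    sent_count: int = 0
    sent_mean: float = 0.0


class FeatureStore:
    def __init__(self):
        self.accounts = {}

    def open_account(self, acct, day):
        self.accounts[acct] = AccountFeatures(opened_day=day)

    def record(self, sender, beneficiary, amount):
        """Update features after settlement, off the decision path."""
        s, b = self.accounts[sender], self.accounts[beneficiary]
        s.known_payees.add(beneficiary)
        s.sent_count += 1
        s.sent_mean += (amount - s.sent_mean) / s.sent_count   # running mean
        b.distinct_senders.add(sender)

    def score(self, sender, beneficiary, amount, today):
        """Decision-time scoring: lookups only, no scan of transaction history."""
        s, b = self.accounts[sender], self.accounts[beneficiary]
        flags = []
        new_payee = beneficiary not in s.known_payees
        if new_payee and s.sent_count and amount > 5 * s.sent_mean:
            flags.append("large_payment_to_new_payee")
        if today - b.opened_day <= 30 and len(b.distinct_senders) >= 3:
            flags.append("new_account_many_senders")   # money mule pattern
        return flags


def demo():
    """Constructed history: one routine payer, one recently opened account."""
    fs = FeatureStore()
    for acct, day in [("alice", 0), ("shop", 0), ("mule", 395),
                      ("s1", 0), ("s2", 0), ("s3", 0)]:
        fs.open_account(acct, day)
    for _ in range(10):
        fs.record("alice", "shop", 40.0)
    for s in ("s1", "s2", "s3"):
        fs.record(s, "mule", 900.0)
    return (fs.score("alice", "shop", 45.0, today=400),
            fs.score("alice", "mule", 2500.0, today=400))
```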
AML Monitoring for Instant Payments
Traditional batch AML monitoring — which aggregates transactions over a 24-hour period and runs scenario detection overnight — does not work for instant payments at the operational level. By the time a suspicious pattern is detected, the funds have settled irrevocably and have likely been forwarded onward. This does not mean instant payment institutions have no AML obligation — BSA still requires a reasonable programme — but it does mean the programme needs to be adapted for the settlement characteristics of the rail. Pre-payment risk scoring, real-time network analysis to identify payment chains associated with layering, and rapid SAR filing protocols for cases where settlement cannot be prevented are all components of an adapted AML programme.
Dual-Rail Participation Complexity
Financial institutions that participate in both FedNow and RTP face the additional complexity of operating two sets of technical integrations, compliance controls, and settlement processes simultaneously. The compliance architecture should be designed around a payment-agnostic compliance service that receives payment instructions from both rails and applies sanctions screening, fraud scoring, and AML rules consistently regardless of which network originated the instruction. Rail-specific compliance logic — different reason codes, different message formats, different timeout windows — should be handled at the integration layer, not embedded in the compliance service itself. This design allows compliance controls to be updated centrally and ensures equivalent treatment across rails.