The hidden risks of buy now, pay later
Buy now, pay later offers consumers speed and flexibility, but its operational and regulatory demands are exposing weaknesses across modern retail tech stacks.
Buy now, pay later (BNPL) is a form of embedded finance that provides lending services to individuals through non-financial organizations.
BNPL was initially popularized by companies such as Klarna and Affirm, and in recent years, it has become a standard part of checkout infrastructure. The appeal to customers is direct: split purchases into interest-free installments with instant approval and minimal credit checks. For businesses, the pressure to offer it intensifies as competitors add the option, and customers expect it at checkout.
The appeal of BNPL is evident in the growing market value. The BNPL market is estimated to reach $560 billion, growing to $912 billion by 2030, according to The Paypers’ Buy Now, Pay Later Report 2025.
As organizations build out the infrastructure and services to enable BNPL, challenges are becoming apparent, including the risk of fraud, compliance implications and third-party dependencies.
Fragmented data flows and poor visibility
Among the hidden risks of BNPL are fragmented data flows and poor visibility.
BNPL requires real-time credit decisioning, repayment tracking and risk scoring. Much of this data lives with the BNPL provider rather than in a merchant's core systems, creating visibility challenges for fraud monitoring and analytics.
"The breakdown occurs in the data orchestration layer, where real time fintech APIs collide with legacy core systems," Rafael Mercado, vice president and U.S. consumer and travel market leader at Kyndryl, explained. "Most retail infrastructure operates on batch processing, while BNPL requires instantaneous reconciliation."
This creates visibility gaps across the organization. Fraud monitoring tools lack access to the necessary data. Analytics teams work with incomplete transaction information. Customer systems and BNPL provider systems show different payment statuses, making it difficult to maintain a single source of truth.
Mercado noted that misaligned data between retailers, payment systems and BNPL providers can lead to costly failures.
"This can lead to major financial discrepancies, customer dissatisfaction and weeks of manual fixes," Mercado said. "Not only does it delay revenue recognition, but it also damages customer trust, often costing far more than just the technical fix itself."
Increased fraud and identity risk
BNPL, for multiple reasons, also tends to attract increased fraud and identity risk.
Diana Rothfuss, global industry consultant for retail and consumer goods at SAS, notes the structural vulnerability that leads to the increased risks.
"BNPL is fast and digital, two factors that attract fraud," she said. "The industry has seen more activity tied to synthetic identities, account takeovers and misuse of multiple BNPL lines across different providers. The signals are often subtle and evolve quickly, so rules-based systems can't keep up."
Melanie Quandt, senior director of trust and safety at Highspring, said the approval process may be a vulnerability.
"Soft checks and rapid decisioning allow high-value purchases, sometimes over $4,000, to be approved before traditional fraud controls engage," Quandt commented. She recounted a case involving a client who incurred an $8,000 loss from an instant-approval transaction with limited identity verification.
The identity verification gaps stem from inconsistent practices across providers. According to Quandt, the inconsistent know your customer (KYC) depth across BNPL providers reduces a merchant's ability to validate customer legitimacy. Some providers share minimal identity signals with merchants, limiting fraud prevention capabilities.
Adding further risk is the fact that the threat environment itself is evolving to abuse BNPL.
"We're seeing AI-generated synthetic identities, coordinated refund abuse rings and cross-platform identity hopping that exploits inconsistent KYC thresholds," Quandt said.
Addressing these risks requires multi-layered identity verification, behavioral analytics and shared fraud intelligence between merchants and BNPL vendors.
Infrastructure dependencies and integration complexity
BNPL integrations can create failure points that surface at checkout. Mercado described common infrastructure failures, including:
- Phantom inventory. Enterprise resource planning systems lag behind real-time transactions, causing overselling of reserved inventory.
- Broken return loops. Legacy point of sale (PoS) systems fail to trigger partial-refund logic required by lenders, forcing manual workarounds.
Peak traffic exposes operational brittleness through API timeouts that lead to abandoned carts and provider outages that result in lost sales.
"Successful organizations modernize their commerce and payment stacks to handle high-volume, low-latency API traffic," Mercado said. "Struggling retailers experience API timeouts during peak events, resulting in abandoned carts and customer complaints."
Compliance and regulatory pressure
As governments increase oversight of BNPL, merchants are discovering that compliance obligations once handled by providers are now their responsibility.
"BNPL providers are shifting compliance responsibilities onto merchants as regulators begin treating BNPL like traditional credit products," Patricia Partelow, managing director of financial services consulting at EY Financial Services Consulting, said. "Merchants must now manage areas that were previously handled by providers, including creditworthiness checks, clear disclosures and dispute resolution."
The compliance burden breaks down into several operational areas.
Disclosure and transparency requirements. Merchants must ensure repayment terms, fees and interest are displayed clearly at checkout, in line with Truth in Lending Act-style requirements.
"Merchants are increasingly responsible for presenting accurate BNPL terms at checkout," Mercado said. "One client had to quickly update their POS and digital flows after regulators flagged missing fee and repayment disclosures that the BNPL partner previously owned."
Audit trails and documentation. Auditable decisioning records are a growing burden, with providers pushing merchants to maintain logs that document how BNPL offers were presented, accepted or declined. More BNPL partners also require merchants to share additional transactions and customer data to meet regulatory oversight requirements.
Dispute resolution and liability. Mercado noted that merchants now own more of the work, including documenting disputes, resolving billing errors and responding to regulatory inquiries.
It's not just about compliance; there are also potential liability concerns.
"Merchants can face liability, particularly when fraud occurs at the point of sale or when contractual terms shift risk for issues like non-receipt of goods," Partelow said.
Customer experience degradation
BNPL failures don't just create technical problems; they hurt conversions, generate support tickets and damage customer relationships in ways that are difficult to repair. Partelow noted that, in her experience, the most costly failures result in lost sales due to poor integration.
Looking at the specific causes of customer experience degradation, Mercado sees three recurring patterns that drive customer complaints and cart abandonment:
- Inconsistent eligibility decisions. Data integration problems create confusion at the worst possible moment. "When data feeds are misaligned across OMS (order management systems), checkout and BNPL APIs, customers receive conflicting approvals or denials, which erodes trust," Mercado said.
- Failed or delayed settlements. Reconciliation gaps between the merchant and BNPL provider lead to unexpected holds, duplicate charges or missing refunds. "This is one of the top drivers of complaints," Mercado commented.
- Breaks across channels. Omnichannel consistency remains a significant challenge. "Many retailers offer strong BNPL options online but have inconsistent or unavailable choices in stores," says Mercado. "Customers expect a unified experience, and the inconsistencies create friction and lost sales."
These failures create operational burdens that extend beyond technology teams. Customer support departments handle disputes over repayment errors and data mismatches. Quandt notes that limited provider visibility makes it harder for merchants to prevent fraud or win chargeback disputes. When customers experience financial harm, they attribute responsibility to the merchant offering BNPL.
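The settlement failures Mercado lists above (unexpected holds, duplicate charges, missing refunds) can be caught by reconciling the merchant's order records against the provider's event feed. The following is an added example, not code from the article or from any BNPL provider; the field names, event types and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. Field names and event types are assumptions for
# illustration, not any BNPL provider's schema. Amounts are in cents.
MERCHANT_ORDERS = [
    {"order_id": "A100", "amount": 12000, "status": "captured", "refunded": 0},
    {"order_id": "A101", "amount": 45000, "status": "captured", "refunded": 15000},
    {"order_id": "A102", "amount": 8000, "status": "captured", "refunded": 0},
    {"order_id": "A103", "amount": 30000, "status": "captured", "refunded": 0},
]
PROVIDER_EVENTS = [
    {"order_id": "A100", "type": "charge", "amount": 12000},
    {"order_id": "A101", "type": "charge", "amount": 45000},  # refund never posted
    {"order_id": "A102", "type": "charge", "amount": 8000},
    {"order_id": "A102", "type": "charge", "amount": 8000},   # charged twice
    {"order_id": "A103", "type": "hold", "amount": 30000},    # hold never settled
]

def reconcile(orders, events):
    """Return (order_id, finding) pairs where merchant and provider disagree."""
    charges, refunds, holds = defaultdict(list), defaultdict(int), set()
    for ev in events:
        if ev["type"] == "charge":
            charges[ev["order_id"]].append(ev["amount"])
        elif ev["type"] == "refund":
            refunds[ev["order_id"]] += ev["amount"]
        elif ev["type"] == "hold":
            holds.add(ev["order_id"])
    provider_ids = set(charges) | set(refunds) | holds
    findings, known = [], set()
    for order in orders:
        oid = order["order_id"]
        known.add(oid)
        charged = charges.get(oid, [])
        if len(charged) > 1:
            findings.append((oid, "duplicate_charge"))
        if order["refunded"] > refunds.get(oid, 0):
            findings.append((oid, "missing_refund"))
        if order["status"] == "captured" and not charged:
            # Merchant believes it was paid; provider shows a hold or nothing.
            findings.append((oid, "unexpected_hold" if oid in holds else "missing_charge"))
        elif charged and charged[0] != order["amount"]:
            findings.append((oid, "amount_mismatch"))
    # Provider activity for orders the merchant system has never seen.
    findings += [(oid, "orphan_provider_event") for oid in sorted(provider_ids - known)]
    return findings

if __name__ == "__main__":
    for finding in reconcile(MERCHANT_ORDERS, PROVIDER_EVENTS):
        print(finding)
```

Run on every provider feed delivery rather than in a nightly batch, the same check narrows the window in which the two systems show different payment statuses.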
What CIOs must prepare for
IT leaders need to develop capabilities across five areas to manage BNPL risk effectively.
1. Strengthen identity and fraud controls
Organizations need multi-layered identity verification beyond basic checks, behavioral analytics to detect anomalous patterns, and shared fraud intelligence with BNPL vendors.
Quandt recommends three priorities:
- Push for stronger identity transparency from BNPL partners. Even incremental metadata sharing dramatically improves risk modeling.
- Invest in independent anomaly detection and identity enrichment. Vetting alone is insufficient.
- Build trust and safety in the architecture, not just operations. Integrate supervised flags, risk scoring and exception routing directly into the BNPL workflow so issues are caught upstream.
2. Improve integration resilience
Organizations need API monitoring to track performance and failures, redundant routing or multi-provider strategies to avoid single points of failure, and performance SLAs that account for peak traffic scenarios.
There is often a clear infrastructure gap between successful and struggling retailers.
"Successful organizations modernize their commerce and payment stacks to handle high-volume, low-latency API traffic," Mercado said. "Struggling retailers experience API timeouts during peak events, resulting in abandoned carts and customer complaints."
3. Establish BNPL-specific data governance
BNPL introduces data flows that require clear ownership of BNPL datasets across teams, full lifecycle lineage tracking, and data quality thresholds to prevent bad data from feeding decisioning models.
Partelow emphasizes that payments expertise is foundational. In her experience, organizations that succeed with BNPL make payments expertise a priority. She added that for new implementations, "issues arise from gaps in payments expertise within IT teams. Technical skills don't always translate into understanding data flows."
4. Build a compliance-ready architecture
Organizations need centralized reporting to meet regulatory requirements, real-time audit trails that document every decision and action, and model governance for BNPL scoring and decision processes.
"We're seeing clearer signals that BNPL will face the same requirements as traditional installment loans or credit cards," Rothfuss commented. "That means explainable models and complete audit trails for every decision. Organizations that prepare now will avoid disruption later."
5. Prepare incident and outage playbooks
Organizations need joint response runbooks with vendors that define roles and escalation paths, clear communication between merchant and provider teams, and simulated outage testing to identify weaknesses before they cause damage.
Overall, managing BNPL safely requires specific investments and a fundamental shift in approach. According to Mercado, for CIOs, the priority is straightforward.
"Invest in modern data architecture, scalable APIs, and automated risk and compliance controls," he said. "These capabilities not only reduce BNPL exposure but also strengthen the entire retail tech stack."
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.