Key insights in navigating fraud in open banking

January 14 2025

by Payments Intelligence


What’s the article about?

Fraud vulnerabilities in open banking, as discussed during The Payments Association’s FC360 open banking and financial crime workshop

Why is it important?

It highlights critical challenges and solutions for safeguarding open banking, ensuring its trust, security, and growth in the financial sector.

What next?

The industry must collaborate on fraud prevention, enhance data sharing, and align regulatory frameworks with innovation.

On the 19th of November in London, The Payments Association hosted a workshop as part of its Financial Crime 360 conference, focusing on a newly emerging but pressing topic: fraud within open banking. The session convened industry leaders, fraud prevention experts, and stakeholders from diverse financial sectors. With open banking accelerating financial inclusivity and innovation, and bringing accompanying challenges, this workshop aimed to kick-start conversations on the potential vulnerabilities of open banking as well as existing solutions that encourage a safer, more transparent open banking ecosystem.

Framed against the backdrop of a rapidly evolving landscape where financial crime continuously adapts, the event underscored a stark reality: fraud, now exceeding £1 billion annually in the UK, remains an existential threat to the sector. Strong customer authentication (SCA), frictionless user experiences, and regulatory oversight were among the focal points as experts dissected the existing risks and potential remedies for open banking fraud. The discussions fostered a shared commitment to innovation while ensuring consumer safety.

Participants:

  • Jan van Vonno, Open Banking Working Group Lead, TPA, and head of industry and wallets, Tink
  • Jane Jee, Financial Crime Working Group Lead, TPA
  • Carlos Albo, CEO & co-founder, Wenalyze
  • Andrew Churchill, Ambassador, TPA
  • Nick Davey, Senior Policy and Strategy Lead, Open Banking Limited
  • Bhaswant Gandham, Customer Journey Manager – Open Banking, NatWest
  • Michael Hammond, Fraud Product Owner, Pay.UK
  • Lerato Matsio, Founder and CEO, Trudenty
  • Mark McMurtrie, Ambassador, TPA
  • Mark O’Keefe, Ambassador, TPA
  • David Rennie, Payments Expert 
  • John Erik Setsaas, Director of Innovation, Tietoevry
  • Archi Shrimpton, Senior Manager, Open Banking & Open Finance, Lloyds Banking Group

Highlights

The current fraud landscape in open banking

Fraudulent activities in open banking are rising, fuelled by sophisticated tactics such as impersonation scams, account takeovers, and authorised push payment (APP) fraud. According to Nick Davey, OBL, who shared insights from a six-month data collection exercise covering 60% of the UK market, the threat is evenly split between authorised and unauthorised fraud. “Unauthorised fraud often stems from device theft,” Davey explained, noting that once criminals gain access to interconnected apps, they exploit the ecosystem to drain accounts. On the other hand, authorised fraud, such as impersonation and investment scams, preys on the vulnerabilities of human psychology and trust.

The Payments Association’s Financial Crime Survey highlights that account takeovers, representing a rapidly growing £50 million annual loss, remain a predominant concern. Fraudsters often exploit advanced social engineering tactics to deceive consumers into granting access to their accounts. These criminals are not only technically adept but also highly organised. “Fraudsters share information as effectively as we should,” emphasised John Erik Setsaas (Tietoevry), underlining the necessity for public-private collaboration in combatting these threats.

Data breaches and ransomware attacks were also flagged as significant risks. A recurring theme during the discussion was the asymmetry between fraudsters’ innovation and industry preparedness. “The criminals are investing heavily in exploiting our vulnerabilities,” Mark McMurtrie (The Payments Association) said, referencing the surge in cybercrime that parallels technological advancements. He also lauded the UK’s robust reporting mechanisms, which provide valuable insights into fraud trends, while cautioning that open banking-specific reporting remains nascent.

Beyond the impact of accidental errors, explained Carlos Albo (Wenalyze), malicious actors exploit the lack of vigilance in validating payment information. “By manipulating transaction parameters, such as account numbers, amounts, or even timestamps, fraudsters can successfully complete illicit transfers while masking their actions from traditional security checks.”

The workshop participants reached a consensus: open banking’s fraud challenges are not inherently unique but reflect broader trends in financial crime. However, the frictionless nature of open banking payments and the sector’s rapid expansion could present new challenges. “Fraud in open banking is not yet as significant in volume compared to traditional channels, but as adoption scales, so will the risks,” remarked Jan van Vonno (Tink). This underscores the urgency for preemptive measures.

The section concluded with a call for enhanced industry initiatives, including standardised data sharing and improved fraud detection strategies. Participants highlighted the potential of open banking to transform financial services but stressed that addressing fraud vulnerabilities is critical to sustaining trust and fostering growth. As McMurtrie summarised, “We must innovate at the pace of the criminals to stay ahead.”

Balancing frictionless experiences with security

One of the most debated aspects of open banking during the workshop was the tension between delivering seamless user experiences and implementing robust security measures. The introduction of strong customer authentication (SCA) was intended to enhance safety by requiring multifactor authentication for transactions. However, it has also sparked concerns about increasing friction, which can deter user adoption. Participants explored whether open banking’s emphasis on frictionless journeys inadvertently facilitates fraud.

“The frictionless experience, while central to open banking’s appeal, creates certain challenges,” remarked Jan van Vonno. He highlighted how streamlined payment processes might enable fraudsters to exploit unsuspecting users. This is why it is important that payment service providers (PSPs) find solutions that allow for the exchange of fraud risk data concerning the sending and receiving payment accounts in a non-discriminatory manner.

Bhaswant Gandham (NatWest) added that this lack of behavioural context is a key limitation in open banking payments compared to traditional banking. “When payments are initiated in our app, we have access to a richer set of data—keystrokes, navigation habits, and other indicators. Open banking doesn’t provide the same depth, leaving us less equipped to identify anomalies,” he explained. Several participants called for a more dynamic approach to security, advocating for tailored friction rather than a one-size-fits-all model. Mark O’Keefe (TPA) suggested that allowing customers to customise their security thresholds—for example, setting transaction limits above which additional verification steps are triggered—could empower users without compromising safety. “Some neobanks already let users define personal limits, adding an extra layer of personalised protection,” he noted.

However, not everyone supported placing responsibility on users. Lerato Matsio (Trudenty) cautioned against relying on consumers to make complex security decisions. “Do we really want to offload fraud prevention onto users? Most people lack the expertise or foresight to manage these settings effectively. The onus should remain on financial institutions,” she argued. Instead, Matsio proposed leveraging shared data to create predictive fraud prevention systems that operate behind the scenes.

The group also discussed the role of education and standardised messaging in mitigating fraud risks. Many noted inconsistencies in the language used by banks to warn customers about suspicious transactions. “Confusing prompts or poorly designed alerts can lead to customer complacency,” said O’Keefe, emphasising the need for clearer, uniform communication. “The industry has taken different paths, leading to a lack of consistency,” added Nick Davey (The PSR), stressing the importance of a unified approach to fraud prevention.

Ultimately, the participants agreed that security and friction are not mutually exclusive. Properly implemented, friction can enhance trust and deter fraud without undermining usability. “The challenge is not friction itself but striking the right balance,” summarised Setsaas. The consensus was that industry collaboration, supported by technological innovation, is key to creating secure yet user-friendly open banking experiences.

The role of data sharing and collaboration in fraud prevention

A recurring theme during the workshop was the critical role of data sharing and collaboration in mitigating fraud risks within open banking. Participants emphasised that the fragmented approach to fraud detection and prevention across the financial ecosystem often creates gaps that fraudsters exploit.

“Fraudsters are incredibly effective at sharing information and strategies,” observed John Erik Setsaas. “Meanwhile, financial institutions often operate in silos, reluctant or unable to share data with each other.” Setsaas and others argued that a more unified approach is necessary, one that transcends individual organisations to create a collective defence mechanism.

Several initiatives were cited as potential models for effective data sharing. Lerato Matsio outlined her company’s work on developing a data-sharing network that enables participants across the payments ecosystem to share actionable fraud risk intelligence. By connecting behavioural and transactional signals without exposing the underlying data, the solution empowers businesses to prevent fraud while preserving consumer trust. “The idea is to eliminate the visibility gap,” she explained. “For example, by sharing fraud risk insights for payers and payees, we can generate and embed intelligence earlier in the transaction process to pre-empt fraud.” This approach could be particularly effective in combating APP scams and other authorised fraud types.

However, participants acknowledged significant barriers to data sharing, including privacy concerns, regulatory restrictions, and competitive interests. Mark McMurtrie pointed out that banks are often hesitant to collaborate, even when their mutual interests align. “There’s an inherent tension between protecting competitive advantage and fostering collective security,” he noted.

One proposed solution was the establishment of a centralised, government-backed repository for fraud data. Jane Jee (The Payments Association) strongly advocated for this approach, arguing that public-private partnerships are essential to overcoming trust issues and ensuring widespread adoption. “A central system where institutions can query fraud patterns and receive actionable intelligence in real-time would be transformative,” she stated. However, others raised concerns about the feasibility of such a system, including its potential costs and the need for legislative backing to mandate participation.

The discussion also touched on global best practices. Mark O’Keefe cited Singapore’s regulatory approach, where institutions are required to implement standardised operational features to reduce fraud risks. “In Singapore, fraud prevention isn’t optional—it’s prescribed by the government,” he explained, contrasting this with the UK’s more decentralised framework. While some participants lauded the flexibility of the UK model, others suggested that a stronger regulatory mandate might be necessary to achieve consistent fraud prevention standards.

Albo stated that a strong system of verification, involving cross-checking against multiple databases and implementing layered security protocols, serves as a “key deterrent” against fraud by ensuring the integrity of transaction data, which is “a critical component in preserving trust and confidence in digital payment systems.”

As the section concluded, a consensus emerged around the importance of interoperability in fraud prevention systems. Whether through public-private partnerships or private-sector innovation, participants agreed that sharing data across institutions and geographies is essential to keeping pace with increasingly sophisticated fraud schemes. “The comprehensive collection of fraud cases in the UK will be incredibly rich,” Michael Hammond (Pay.UK) emphasised, highlighting the potential of centralised data to enhance capabilities to detect and prevent fraud effectively. As Matsio aptly summarised, “We need to think of fraud prevention as a collective responsibility—not as a competitive edge.”

Emerging technologies in fraud prevention

The evolving regulatory landscape was a central focus during the workshop, as participants grappled with the challenge of aligning open banking innovation with robust fraud prevention. While existing frameworks such as the Payment Services Directive 2 (PSD2) and strong customer authentication (SCA) have set foundational standards, many argued that these measures are insufficient to address the rapidly changing nature of financial crime.

McMurtrie began the discussion by highlighting the uneven regulatory environment within the UK. “The current frameworks focus primarily on larger institutions, leaving smaller players and new entrants with less oversight,” he observed. This creates a fragmented ecosystem where fraudsters can exploit inconsistencies between institutions. He pointed to the absence of enforceable fraud management standards for third-party providers as a critical vulnerability.

However, others warned against overregulation, which could stifle innovation. “Regulation must strike a balance,” said David. “We need enough oversight to protect consumers, but too much bureaucracy could hinder the growth of open banking and the fintech sector.” 

“Everyone’s invading bank security, no one’s invaded digital identity,” observed Andrew Churchill (TPA), emphasising the gap in current regulatory measures. He proposed a more dynamic regulatory model that adapts to emerging risks while preserving flexibility for market participants.

Several participants emphasised the need for more prescriptive regulatory approaches. Mark O’Keefe compared the UK’s model with Singapore’s, noting how the latter mandates specific operational features for fraud prevention, such as mandatory notifications for high-risk transactions. “In Singapore, it’s not just guidance—it’s law,” he said, adding that a similar approach could provide clarity and uniformity in the UK.

Regulatory challenges and the way forward

“The open banking standards tie one arm behind the bank’s back and can, in places, restrict banks’ ability to tackle fraud as they ordinarily would,” added Archi Shrimpton (Lloyds Banking Group), highlighting how regulatory constraints limit banks’ ability to balance reducing friction with fraud prevention effectively. He explained that in their own channels, banks can strike this balance themselves, but prescribed standards in open banking journeys leave less room for flexibility.

David Rennie, payments expert, proposed a more dynamic regulatory model that incorporates identity verification standards, explaining that “The problem fundamentally is not about the methods of payment but about identity.” He suggested slowing down payments for better security checks as a novel approach that contrasts with existing practices, which often prioritise speed and convenience over security. This idea underscores the need for regulations that not only respond to but also anticipate the methods employed by fraudsters.

However, others warned against overregulation, which could stifle innovation. “Regulation must strike a balance,” said Davey. “We need enough oversight to protect consumers, but too much bureaucracy could hinder the growth of open banking and the fintech sector.” He proposed a more dynamic regulatory model that adapts to emerging risks while preserving flexibility for market participants.

A key area of focus was the recent amendment to the Payment Services Regulations, allowing payment service providers (PSPs) to delay transactions in cases of suspected fraud. Participants generally welcomed this change, with several noting its potential to reduce authorised push payment (APP) fraud. “The ability to pause payments while investigating suspicious activity is a game changer for manual bank transfers,” said van Vonno. “But its success for retail payments will depend on how consistently and effectively it’s implemented across the sector.”

Collaboration between regulators and the private sector was another recurring theme. Jane Jee argued that regulators need to work more closely with industry players to understand the on-the-ground challenges of fraud prevention. “Legislation alone isn’t enough,” she said. “We need public-private partnerships to develop practical solutions that address real-world vulnerabilities.”

One such solution discussed was the establishment of a centralised fraud intelligence hub, which could facilitate real-time data sharing across institutions. While many participants supported the idea, they also acknowledged the logistical and political challenges of implementing it. “It would require significant investment, legislative backing, and trust between institutions,” McMurtrie noted. “But if we want to stay ahead of fraudsters, it’s a necessary step.”

As the session drew to a close, the participants agreed on the need for a forward-looking regulatory approach that embraces innovation without compromising security. “Regulators must move at the pace of change, not just react to it,” said O’Keefe. The workshop ended on a hopeful note, with a collective commitment to driving industry initiatives and fostering collaboration to create a safer and more resilient open banking ecosystem.
