Risk-based authentication: The secret to meeting PSD2 compliance without sacrificing convenience

by Dewald Nolte, chief strategy officer, Entersekt


As fraud tactics evolve, traditional security measures struggle to keep up. Many financial institutions still rely on legacy authentication methods, leaving them vulnerable to modern attack vectors. Risk-based authentication (RBA) offers a way forward, balancing security and user experience while addressing the growing sophistication of fraud.

It’s a great time to be a fraudster. With many banks and issuers still using one-time passcodes (OTPs) to protect customers from fraud, modern tools and attack vectors make their days at the office easier. 

Outdated security methods like OTPs and siloed authentication methods don’t provide the strong security or seamless customer experience needed to stay competitive post-PSD2. Here’s why financial institutions must rethink their authentication strategies to remain competitive. 

Faster payments and faster fraud 

As new payment use cases and systems take flight, new fraud risks naturally introduce themselves. Decreasing authorised push payment (APP) fraud, for instance, is still a key priority for the UK’s Payment Systems Regulator (PSR) in 2025.  

The rise of instant payments has significantly shortened fraud detection windows, increasing the challenge for financial institutions. The European Instant Payments Regulation (IPR) mandates that transactions settle in under ten seconds, while APP fraud alone cost the UK economy £459.7 million in 2023. Without more advanced authentication measures, these faster transactions could also mean faster fraud losses.

Regulations like PSD2 go a long way in providing secure guardrails for payments. Still, many financial institutions (FIs) struggle to keep pace with modern attack vectors and, as a result, find it challenging to strike that essential balance between strong security and convenience.  

The balancing act: Security vs user experience under PSD2 

While the second Payment Services Directive (PSD2) and strong customer authentication (SCA) continue to shape the EU regulatory landscape, banks and issuers can access multi-factor authentication solutions, even frictionless options. Yet, the debate on payment security versus user experience continues.  

Strong payment security does not have to come at the expense of a seamless customer experience. Modern authentication solutions can intelligently apply the right security measures without disrupting legitimate transactions.

From static to modern, risk-based authentication 


Legacy fraud prevention technology is no longer suitable in today’s fast-evolving payments landscape. It’s not up to the task anymore and poses significant security risks.  

Static authentication is a significant vulnerability for FIs, and those who continue to rely on it risk falling behind in an increasingly sophisticated fraud landscape. The reason is that static measures carry none of the context a risk engine needs to assess each transaction's risk level properly.  

Here’s an example. A fraudster obtains a customer’s contact and card details in a recent data breach and initiates an online transaction using the stolen card details. At the time of the transaction, the fraudster calls the cardholder, claiming to be from the bank, and says the bank has noticed unusual activity on the card and wants to help prevent any potential fraud. First, though, the "bank" needs to verify that the customer is the legitimate account owner, so the fraudster asks the customer to read back the OTP sent to their phone. The fraudster’s own transaction is what triggers that OTP to be sent to the cardholder; since the cardholder is expecting it, having been coached by the fraudster on the phone, they read the OTP out. The fraudster enters the OTP, and the transaction completes. 

The key weakness of static OTP authentication is its lack of contextual awareness. Without signals such as location data, transaction history, or device recognition, financial institutions cannot differentiate between a legitimate customer and a fraudster manipulating a transaction in real-time.

Outdated authentication lacks the context for informed risk decisions, but modern solutions, combined with risk-based authentication (RBA), do. They analyse multiple signals to apply the least disruptive authentication challenge.
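To make the contrast concrete, here is an added example (not Entersekt's product logic) of a minimal risk engine that scores the signals the article names (device recognition, location, transaction history) and picks the least disruptive challenge the risk level allows. The signal names, weights, thresholds and challenge types are all assumptions constructed for this illustration; the two sample transactions are the coached-OTP scenario above and a routine purchase.

```python
from dataclasses import dataclass

# Constructed signal set: the contextual inputs the article names, plus a
# breach-exposure flag from a hypothetical leaked-card feed.
@dataclass
class TxContext:
    amount: float
    avg_amount_90d: float            # cardholder's typical spend (history)
    device_known: bool               # device recognition
    country_matches_profile: bool    # location data
    merchant_seen_before: bool       # transaction history
    card_in_known_breach: bool       # card data seen in a breach (hypothetical feed)

# Weights are illustrative; a real risk engine would learn or tune these.
def risk_score(ctx: TxContext) -> int:
    score = 0
    if not ctx.device_known:
        score += 30
    if not ctx.country_matches_profile:
        score += 25
    if not ctx.merchant_seen_before:
        score += 10
    if ctx.avg_amount_90d > 0 and ctx.amount > 3 * ctx.avg_amount_90d:
        score += 20
    if ctx.card_in_known_breach:
        score += 15
    return score

def choose_challenge(score: int) -> str:
    """Least disruptive challenge for the risk level (names are assumptions)."""
    if score < 20:
        return "frictionless"               # no customer interaction at all
    if score < 50:
        return "app_approve"                # out-of-band approval in the banking app
    # High risk: the approval screen shows payee and amount, so a coached
    # customer sees the payment they are approving instead of reading back a code.
    return "app_approve_with_biometric"

def decide(ctx: TxContext):
    score = risk_score(ctx)
    return score, choose_challenge(score)

# Constructed sample: the coached-OTP fraud scenario (unknown device, foreign
# location, new merchant, 15x the usual spend, card seen in a breach).
COACHED_FRAUD = TxContext(1200.0, 80.0, device_known=False, country_matches_profile=False,
                          merchant_seen_before=False, card_in_known_breach=True)
# Constructed sample: a routine purchase on the customer's own phone.
ROUTINE = TxContext(45.0, 80.0, device_known=True, country_matches_profile=True,
                    merchant_seen_before=True, card_in_known_breach=False)

if __name__ == "__main__":
    print(decide(COACHED_FRAUD))  # (100, 'app_approve_with_biometric')
    print(decide(ROUTINE))        # (0, 'frictionless')
```

The point is that the same stolen card details produce very different decisions once context is scored: the routine transaction passes with no friction, while the fraud scenario is stepped up to a challenge that an OTP read-back cannot satisfy.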

For FIs, this means higher transaction success rates, increased revenue, and reduced fraud rates—essential components for remaining competitive. 

Embracing RBA in payments to stay one step ahead 

The real question isn’t whether RBA meets current and upcoming regulatory standards—it’s whether the technology can keep pace with the evolution of e-commerce payments and consumer expectations. FIs relying on outdated fraud prevention measures will battle to maintain top-of-wallet status and soon be left behind by data-driven competitors. 

RBA, in combination with modern authentication methods, can provide FIs with maximum security and an intuitive customer experience. A good example is augmenting next-generation 3-D Secure, which offers rich transaction context from the merchant to the issuer, with intelligence-driven RBA—creating a safer and more user-friendly e-commerce future for all. 

With fraud tactics evolving and payment speeds accelerating, financial institutions must rethink authentication strategies. Risk-based authentication, supported by AI-driven fraud detection, provides a scalable approach to balancing security and customer experience. As regulatory expectations evolve, modern authentication will be essential for staying competitive in the financial landscape.

Article by Entersekt
