Risk-based authentication: The secret to meeting PSD2 compliance without sacrificing convenience

by Dewald Nolte, chief strategy officer, Entersekt


It’s a great time to be a fraudster. While many banks and issuers still use one-time passcodes (OTPs) to protect customers from fraud, modern tools and attack vectors make their days at the office rather easy. 

Outdated security methods like OTPs, and siloed authentication in general, don’t provide the strong security or seamless customer experience needed to stay competitive post-PSD2. Here’s why financial institutions must rethink their authentication strategies to remain competitive.

Faster payments and faster fraud 

As new payment use cases and systems emerge, they naturally introduce new fraud risks. For instance, decreasing authorized push payment (APP) fraud is still a key priority for the UK’s Payment Systems Regulator (PSR) in 2025.  

With the increase in faster payments and the European Instant Payments Regulation (IPR) pushing for fund transfers to be processed in less than ten seconds, fraudsters can potentially access funds faster. Considering that APP fraud cost the UK economy approximately £459.7 million in 2023, the payments ecosystem still needs stronger security measures. 

Regulations like PSD2 go a long way in providing secure guardrails for payments. Still, many financial institutions (FIs) struggle to keep pace with modern attack vectors and, as a result, find it challenging to strike that essential balance between strong security and convenience.  

The balancing act: Security vs user experience under PSD2 

While the second Payment Services Directive (PSD2) and Strong Customer Authentication (SCA) continue to shape the EU regulatory landscape, banks and issuers can access multi-factor authentication solutions, even frictionless options. Yet, the debate on payment security versus user experience continues.  

In my experience, strong payment security does not automatically mean that the customer journey is tarred with friction. Modern authentication solutions possess the intelligence to invoke the appropriate authentication method to stop fraudsters — oftentimes in the background — without unnecessarily interrupting the completion of a legitimate payment. 

From static to modern, risk-based authentication 

Legacy fraud prevention technology is no longer up to the task in today’s fast-evolving payments landscape, and continuing to rely on it poses significant security risks.

Static authentication is a major vulnerability for FIs. Those who continue to rely on it risk falling behind in an increasingly sophisticated fraud landscape. Static measures carry none of the context that a risk engine needs to properly assess the risk level of each transaction.

Here’s an example. A fraudster obtains a customer’s contact and card details during a recent data breach. They initiate a transaction online using the stolen card details. At the time of the transaction, the fraudster calls the cardholder, claiming to be from the bank. The fraudster tells the customer they’ve noticed some unusual activity on their card and wants to help them prevent any potential fraud. But they first need to verify that they are the legitimate account owner. To do this, they ask the customer to read back the OTP sent to their phone. The transaction performed by the fraudster triggers an OTP to be sent to the cardholder, and since the cardholder was expecting it, coached by the fraudster on the phone, the customer reads the OTP to them. The fraudster enters the OTP, and the transaction is complete. 

The problem is that the OTP carries no context, such as location data or transaction details. Without that context, the customer cannot be alerted to anything unusual. That is why static methods such as OTP, with no context, are often the point of failure in modern attacks.

While outdated authentication doesn’t provide the context to make an informed risk decision, modern authentication solutions, in concert with RBA, do. They leverage a range of signals to apply the least intrusive authentication challenge that the risk level warrants.
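The decision described above, as an added illustration that is not Entersekt’s product code or any real 3-D Secure schema: a small risk engine scores constructed context signals (device binding, geolocation, amount, velocity) and picks the least intrusive step, and the step-up challenge it chooses is bound to the merchant and amount rather than being a bare code. The signal weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class TxContext:
    """Transaction context visible to the issuer's risk engine (constructed fields)."""
    amount: float
    currency: str
    merchant: str
    device_known: bool          # device already bound to this customer
    country_matches_home: bool  # transaction geolocation vs customer's usual country
    tx_last_hour: int           # velocity: attempts on this card in the last hour

def risk_score(ctx: TxContext) -> int:
    """Additive score from context signals; weights are illustrative assumptions."""
    score = 0
    if not ctx.device_known:
        score += 40
    if not ctx.country_matches_home:
        score += 25
    if ctx.amount >= 500:
        score += 20
    if ctx.tx_last_hour >= 3:
        score += 15
    return score

def choose_challenge(ctx: TxContext) -> str:
    """Least intrusive step that still covers the risk: no challenge, an in-app
    approval bound to the transaction details, or an outright decline."""
    score = risk_score(ctx)
    if score < 30:
        return "frictionless"
    if score < 100:
        return "app_approval"
    return "decline"

def approval_prompt(ctx: TxContext) -> str:
    """What the customer approves: merchant and amount, not a 6-digit code a caller
    can talk them into reading out. A coached victim sees a purchase they never made."""
    return f"Approve {ctx.amount:.2f} {ctx.currency} to {ctx.merchant}?"

def authenticate(ctx: TxContext) -> dict:
    decision = choose_challenge(ctx)
    prompt = approval_prompt(ctx) if decision == "app_approval" else ""
    return {"score": risk_score(ctx), "decision": decision, "prompt": prompt}

# Constructed scenarios: a regular customer, the breach-plus-phone-call scam above,
# and the same attacker hammering the card from abroad.
TRUSTED = TxContext(45.0, "EUR", "grocery-example", True, True, 1)
SCAM = TxContext(849.0, "EUR", "electronics-example", False, False, 1)
VELOCITY = TxContext(849.0, "EUR", "electronics-example", False, False, 5)
```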

For FIs, this means higher transaction success rates, increased revenue, and a reduction in fraud rates—essential components for remaining competitive. 

Embracing RBA in payments to stay one step ahead 

The real question isn’t whether RBA meets current and upcoming regulatory standards—it’s whether the technology can keep pace with the evolution of e-commerce payments and consumer expectations. FIs relying on outdated fraud prevention measures will battle to maintain top-of-wallet status and soon be left behind by data-driven competitors. 

Based on our team’s experience, RBA, in combination with modern authentication methods, can provide FIs with maximum security and an intuitive customer experience. A good example is augmenting next-generation 3-D Secure, which offers rich transaction context from the merchant to the issuer, with intelligence-driven RBA—creating a safer and more user-friendly e-commerce future for all. 

Financial institutions must now upgrade their authentication technology—before they lose valuable customers to more agile competitors offering future-proof, customer-centric fraud prevention. 

Article by Entersekt
