In my role at Entersekt, I frequently get asked which financial authentication competitors concern me the most. The reality is, no competitor concerns me as much as a financial institution (FI) deciding “not now”. In other words, FIs that believe their current approach is "good enough" and offers an acceptable level of risk mitigation. They don’t recognise the potentially devastating impact and sophistication of emerging fraud threats and just how vulnerable they are.
That “not now” or “good enough” sentiment may have worked in the past. But with the rapid rise of AI-fuelled fraud, regulators holding FIs accountable for not protecting customers, and the availability of more customer-friendly authentication methods, that approach is no longer viable.
FIs that don’t prioritise modernising and centralising their authentication strategies will become soft targets for fraudsters, find themselves under attack, and lose the trust of their customers. They could potentially become the next big headline — for all the wrong reasons.
That “not now” or “good enough” sentiment may have worked in the past. But with the rapid rise of AI-fuelled fraud, regulators holding FIs accountable for not protecting customers, and the availability of more customer-friendly authentication methods, that approach is no longer viable.
FIs that don’t prioritise modernising and centralising their authentication strategies will become soft targets for fraudsters, find themselves under attack, and lose the trust of their customers. They could potentially become the next big headline — for all the wrong reasons.
Online banking fraud: The current threat landscape
The current threat vectors, such as social engineering, account takeover (ATO), and instant payments fraud are taking their toll on banking customers. Fraudsters leverage the latest technology, including AI, to rapidly scale their tactics and create convincing scams that trick consumers into making hasty, and often catastrophic, decisions.
Instant payments, for instance, have been around in the UK since 2008 already. And, in 2024, the UK government proposed extending the approval time on ‘instant’ by up to four days for suspicious transactions to better protect consumers. According to a recent PYMNTS report, instant payment fraud has increased by 68% in UK over the past three years.
While many practitioners may think this type of fraud is not in the U.S., think again. The inevitable migration of new types of fraud to the U.S., like attacks on real-time payment (RTP) and peer-to-peer payment (P2P) fraud, pushes up the risks and liabilities for North American FIs too.
Findings in a recent Liminal report are particularly interesting: 83% of FIs are concerned about the security of OTPs, yet 75% say they will continue to use the outdated technology irrespective of these concerns.
What’s stopping FIs upgrading their customer authentication?
At Entersekt, we’ve uncovered a couple of common themes relating to why FIs are not ready to update their authentication strategy.
The first one I want to highlight is prioritisation. Many FIs have prioritised and committed resources to digital transformation and AI-driven initiatives that allow them to make big changes to customer experience and roll out new services. However, these broad, customer-focused initiatives run the risk of not attaining their overall goal, if the bank’s essential digital banking services are not on par.
"Outdated, weak authentication measures create a non-optimum customer experience that likely discourages customers and dissuades them from considering any new services the FI is offering."
What’s more, we still find that the authentication approach can be siloed, and investment in one area of the business does not necessarily involve another even though they both touch the authentication journey for the same customer.
The second commonality is that they have not yet been hit by substantial fraud. Many organisations are absorbing the cost of customer losses and have not exceeded their budgeted allocations. Without feeling the impact of major fraud losses, FIs have less impetus to change. Hand in hand with that, they have the challenge of convincing their organisation of the value of investing in a more effective authentication strategy (and the impact of inaction).
The problem with putting authentication modernisation on the back-burner is that overnight, the effects of AI-driven fraud could put a severe strain on an FI’s budget — and sabotage all the well-intended priorities to drive enhanced customer experience and expanded services. It’s imperative that the level of protection matches the sophistication of the fraud attacks gaining traction now. The impact of this vulnerability, both the cost of fraud as well as the return on investment, crosses all departments.
Financial fraud losses reached nearly £1.2 billion in the U.K. in 2023 — UK Finance: Annual Fraud Report 2024
The dangers of not modernising banking authentication
FIs that have not included authentication upgrades on their roadmap may not be able to deliver the user experience their customers expect. Inconsistent, outdated authentication can add unnecessary friction that frustrates customers. As customers become more security conscious and adopt more advanced methods in other aspects of their digital lives, they become more familiar with new technology, like verifying their identity with a fingerprint scan. This changes their expectations of their financial services provider.
Another factor that FIs may not recognise is the impact antiquated authentication has on increasing operational costs. Introducing modern, integrated fraud prevention tools can improve operational efficiencies while also enhancing customer experience. If we look at contact centres as an example, some FIs require calls to their contact centre to reset passwords or authorise Automated Clearing House (ACH) or wire transfers. For many of those institutions, an authentication solution that utilises an advanced risk engine combined with biometrics, can enable a self-serve password reset process that is far more appealing to customers. It also gives the FI confidence in the security of those high-risk transactions.
"From a security perspective, outdated technology is not sustainable for protecting consumers from modern fraud vectors. Social engineering and SIM-swap attacks will be supercharged by AI making account takeover (ATO) and authorised push payments (APP) easier — and likely to escalate exponentially without warning."
The availability of AI in the hands of fraudsters will not have a gentle ramp-up period. An attack will happen suddenly, and the FI’s response options will be limited. Recovering the confidence of customers will be a pricey challenge.
Per Liminal: “Many organisations operate under the misconception that heightened security must inevitably lead to increased user friction; however, the current market is abundant with solutions that can optimise for both.”
How to bridge the digital banking fraud gap
Organisations need to take near-term action with a long-term solution to close the authentication gap. The good news is that the problem is surmountable. Next-gen fraud prevention that harnesses AI and ML can gather risk intelligence in real-time and protect consumers from today’s fraud threats, and more importantly, emerging fraud that is certain to be even more devastating.
And that takes me back to the question of which competitors concern me. Our solutions and support teams can match — even surpass — any of our typical competitors. My concern is around FIs that are not prioritising the investment and resources to modernise because they remain convinced that their antiquated methods are "good enough."
"In reality, the consequences of inaction couldn’t be more serious: Financial losses, customer attrition, regulatory and legal accountability, reputational damage, and ultimately failing to protect the livelihoods of their customers."
As final food for thought, I noted a comment I heard in a recent presentation by Mastercard: "It’s not whether you’ve been compromised, it’s when and how the fraudsters will use it." The time for kicking authentication modernisation down the road has passed. It must be a priority now, and considered a major contributing factor to the success of all other high-priority initiatives.
