This article was originally published by The Payments Association.
As fraud tactics evolve, traditional security measures struggle to keep up. Many financial institutions still rely on legacy authentication methods, leaving them vulnerable to modern attack vectors. Risk-based authentication (RBA) offers a way forward, balancing security and user experience while addressing the growing sophistication of fraud.
It’s a great time to be a fraudster. With many banks and issuers still using one-time passcodes (OTPs) to protect customers from fraud, modern tools and attack vectors make their days at the office easier.
Outdated security methods like OTPs and siloed authentication methods don’t provide the strong security or seamless customer experience needed to stay competitive post-PSD2. Here’s why financial institutions must rethink their authentication strategies to remain competitive.
Faster payments and faster fraud
As new payment use cases and systems take flight, new fraud risks naturally introduce themselves. Decreasing authorised push payment (APP) fraud, for instance, is still a key priority for the UK’s Payment Systems Regulator (PSR) in 2025.
The rise of instant payments has significantly shortened fraud detection windows, increasing the challenge for financial institutions. The European Instant Payments Regulation (IPR) mandates that transactions settle in under ten seconds, while APP fraud alone cost the UK economy £459.7 million in 2023. Without more advanced authentication measures, these faster transactions could also mean faster fraud losses.
Regulations like PSD2 go a long way in providing secure guardrails for payments. Still, many financial institutions (FIs) struggle to keep pace with modern attack vectors and, as a result, find it challenging to strike that essential balance between strong security and convenience.
The balancing act: Security vs user experience under PSD2
While the second Payment Services Directive (PSD2) and strong customer authentication (SCA) continue to shape the EU regulatory landscape, banks and issuers can access multi-factor authentication solutions, even frictionless options. Yet, the debate on payment security versus user experience continues.
Strong payment security does not have to come at the expense of a seamless customer experience. Modern authentication solutions can intelligently apply the right security measures without disrupting legitimate transactions.
From static to modern, risk-based authentication
Legacy fraud prevention technology is no longer suited to today’s fast-evolving payments landscape: it is not up to the task and poses significant security risks.
Static authentication is a significant vulnerability for FIs, and those who continue to rely on it risk falling behind in an increasingly sophisticated fraud landscape. I say this because static measures carry none of the context a risk engine needs to properly assess each transaction’s risk level.
Here’s an example. A fraudster obtains a customer’s contact and card details in a recent data breach and initiates an online transaction using the stolen card details. At the time of the transaction, the fraudster calls the cardholder, claiming to be from the bank. The fraudster tells the customer they’ve noticed some unusual activity on the card and want to help prevent any potential fraud, but first need to verify that they are speaking to the legitimate account owner. To do this, they ask the customer to read back the OTP sent to their phone. The fraudster’s transaction triggers an OTP to the cardholder, and because the cardholder has been coached on the phone to expect it, they read the OTP out to the caller. The fraudster enters the OTP, and the transaction is complete.
The key weakness of static OTP authentication is its lack of contextual awareness. Without signals such as location data, transaction history, or device recognition, financial institutions cannot differentiate between a legitimate customer and a fraudster manipulating a transaction in real-time.
Outdated authentication lacks the context for informed risk decisions, but modern solutions, combined with risk-based authentication (RBA), do. They analyse multiple signals to apply the least disruptive authentication challenge.
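As an added illustration (not code from the original article or any vendor’s product), the following sketch scores the scenario above the way a risk engine might: a static OTP policy approves the fraudster’s purchase because the correct code came back, while a risk-based policy sees the unrecognised device, foreign country and unusual amount and refuses to rely on the OTP at all. The signals, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Profile:
    """What the issuer already knows about the cardholder (constructed sample)."""
    home_country: str
    typical_max_amount: float          # largest amount seen in recent history
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    country: str                       # country inferred from the session
    device_id: str                     # device fingerprint presented at checkout
    otp_entered_correctly: bool


def static_otp_decision(txn: Transaction) -> str:
    """Legacy policy: the only signal is whether the right OTP came back."""
    return "approve" if txn.otp_entered_correctly else "decline"


def risk_score(txn: Transaction, profile: Profile) -> Tuple[int, List[str]]:
    """Sum illustrative weights for each contextual signal that looks off.
    A correct OTP deliberately adds nothing: it can be coached out of the victim."""
    score, reasons = 0, []
    if txn.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if txn.country != profile.home_country:
        score += 30
        reasons.append("country differs from home country")
    if txn.amount > 2 * profile.typical_max_amount:
        score += 30
        reasons.append("amount far above recent history")
    return score, reasons


def rba_decision(txn: Transaction, profile: Profile) -> Tuple[str, List[str]]:
    """Pick the least disruptive challenge the risk level allows (assumed thresholds)."""
    score, reasons = risk_score(txn, profile)
    if score < 30:
        return "frictionless", reasons   # low risk: no challenge at all
    if score < 70:
        return "step-up", reasons        # e.g. in-app biometric, not a code read over the phone
    return "decline", reasons            # too risky for any challenge to rescue
```

Run against the scenario, the fraudster’s transaction (unknown device, different country, several times the usual spend) scores 100 and is declined even though the OTP was correct, while the cardholder’s own routine purchase passes frictionlessly.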
For FIs, this means higher transaction success rates, increased revenue, and reduced fraud rates—essential components for remaining competitive.
Embracing RBA in payments to stay one step ahead
The real question isn’t whether RBA meets current and upcoming regulatory standards—it’s whether the technology can keep pace with the evolution of e-commerce payments and consumer expectations. FIs relying on outdated fraud prevention measures will battle to maintain top-of-wallet status and soon be left behind by data-driven competitors.
RBA, in combination with modern authentication methods, can provide FIs with maximum security and an intuitive customer experience. A good example is augmenting next-generation 3-D Secure, which offers rich transaction context from the merchant to the issuer, with intelligence-driven RBA—creating a safer and more user-friendly e-commerce future for all.
With fraud tactics evolving and payment speeds accelerating, financial institutions must rethink authentication strategies. Risk-based authentication, supported by AI-driven fraud detection, provides a scalable approach to balancing security and customer experience. As regulatory expectations evolve, modern authentication will be essential for staying competitive in the financial landscape.
Further reading
- Explore risk-based authentication in our comprehensive encyclopedia.
- Visit our blog to understand the various aspects of RBA that make it a success.