Last week British fintech Revolut hit the headlines for all the wrong reasons, as fraudsters imitating the company’s security team withdrew hundreds of thousands of pounds from a customer’s business account. It was the centrepiece of a BBC investigation, which also revealed Revolut had been named in more fraud reports than any major UK bank over the past year.
While the BBC chose to focus on Revolut’s engineering culture – an apparent desire to launch new products without an equal focus on security – in our experience, few fintechs cut corners on safety. Rather, we think the headlines highlight the risks of what might be called an ‘innovator’s dilemma’ in financial services. In a landscape dominated by legacy banks with branch-based networks, digital challengers distinguish themselves by offering simple and speedy, mobile-based banking. Pursue so-called ‘frictionless banking’ to its logical conclusion of instantaneous transfers to any new payee, however, and you arguably risk opening back doors to fraud.
It is not just a few aggrieved Revolut customers who are concerned about this but increasingly regulators, too. Two different governors of the US Federal Reserve system have separately called for friction to be consciously maintained within cross-border payments systems, even as technology creates the possibility to remove it, to counter fraud and money laundering.
At Thoughtworks, we strive to empower our clients, particularly in the financial services sector, to build systems that can be trusted. We understand that establishing trust is essential for maintaining a solid reputation, as security lapses can have severe consequences for both customers and organizations. While we recognize the demand for speed in delivering services, we also focus on developing anti-fraud technologies that operate in real-time, ensuring that frictionless banking remains secure. Our approach includes advising clients to incorporate thoughtful friction as a fallback security measure, balancing the need for swift transactions with the imperative of safeguarding customer trust.
Multiplying challenges
The rash of recent headlines about banking fraud comes in the context of deepening security challenges for financial services companies.
While technology has revolutionized our lives, it can also be exploited by fraudsters in significant ways. First, it gives them more processing power to, for example, brute-force security codes or PINs through trial and error. Second, it makes it easier for them to “spoof” potential victims by pretending they work for the victim’s banking service provider, as happened in the case of Revolut. As we engage more with social media, we leave a wealth of information that can be analyzed by artificial intelligence or machine learning algorithms to profile us. Fraudsters then use these profiles to impersonate someone who knows us or has access to enough information about our activities to suggest they do indeed work for our banking provider.
Smart devices—ranging from mobile phones to tablets and computers—serve as vulnerable interfaces for fraudsters due to the wealth of information they store for user convenience. Even when fintech companies secure their customer-facing networks, these personal devices often present easy targets for fraud, especially as users increasingly rely on them for both personal and professional tasks. This shift highlights the need for robust security measures that protect sensitive data and maintain trust in digital banking environments.
Diversifying defence
In this context, financial services companies need to be nimble and use different resources to defend against fraud.
One fertile area for development involves working in partnership with other service providers in the mobile and banking ecosystem. In India, for instance, financial transactions are authenticated and verified using a combination of payment profile intelligence, device authentication, and mobile SIM verification. This multi-layered approach eliminates a single point of failure and poses a significant challenge to fraudsters.
Ultimately, however, if ‘frictionless’ banking is to be made secure, predictive forms of fraud detection that use artificial intelligence and machine learning to spot fraud in real time are required. Potentially fraudulent transactions must be spotted and blocked in the milliseconds customers expect app-based transfers to execute.
We assist financial services clients in developing fraud detection solutions by focusing on three key areas. First, we help them organize, govern, and democratize data within their organizations through secure consumer interfaces. This includes data anonymization, governance, quality checks, and creating accessible data interfaces for building machine learning (ML) algorithms. Second, we support clients in building secure environments where ML algorithms can be trained on real-world data, allowing them to adapt to real-world scenarios with minimal bias. Finally, we help companies deploy these solutions at scale, integrating fraud detection models into real-world transactions to ensure a seamless, frictionless user experience.
Friction as a fallback
Even with sophisticated real-time, machine learning-based methods of fraud detection, we recognize that some aspects of friction may be desirable.
One area where we encourage clients to focus is making the edge device on which their customers transact – most often a mobile phone – more secure so that more fraud attempts are stopped at the source before they even hit a fintech or bank’s servers. In addition to edge device intelligence, continuous updates with new behavioural trends, tamper-proof encryption, and device locks triggered by abnormal or incorrect usage patterns help maintain the security of edge devices for transactions.
Financial services companies might also consider tiered levels of security so that even as the vast majority of transactions proceed without any friction, transactions of a certain size or frequency to a newly added payee, for example, may trigger additional security protocols. In this way, traditional rules-based systems can supplement pattern-spotting algorithm detection in specific cases. Companies can also add fail-safes, such as the ability to pause an account so that all payments out are blocked, in the same way that many financial services companies now allow customers to freeze debit cards from within their apps.
Finally, companies might want to apply different levels of security to different accounts, depending on how engaged or active the account holder appears to be. This might be determined by algorithmic analysis of the user’s history or by a setting the customer can choose for themselves.
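The tiered friction described in the two paragraphs above can be sketched as a small decision function that sits behind the real-time model score. This is an added example, not code from Thoughtworks or any bank; the tier names, thresholds, time windows and field names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    ALLOW = "allow"      # frictionless path
    STEP_UP = "step_up"  # hold the payment until extra verification passes
    BLOCK = "block"

@dataclass
class Account:
    paused: bool = False        # customer- or bank-triggered "pause all payments out"
    tier: str = "standard"      # per-account security level (assumed names)
    payee_added_at: dict = field(default_factory=dict)  # payee -> epoch seconds
    history: list = field(default_factory=list)         # released (ts, payee, amount)

# Constructed thresholds: a stricter tier lowers every trigger point.
LIMITS = {
    "standard": {"amount": 1000.0, "count": 3, "score": 0.90},
    "cautious": {"amount": 250.0, "count": 1, "score": 0.70},
}
NEW_PAYEE_WINDOW = 24 * 3600  # a payee counts as "new" for its first day
FREQ_WINDOW = 3600            # look-back window for repeated payments

def decide(acct, payee, amount, now, model_score):
    """Return (Action, reason) for one outgoing payment."""
    if acct.paused:
        return Action.BLOCK, "account paused"
    lim = LIMITS[acct.tier]
    if model_score >= lim["score"]:
        return Action.STEP_UP, "model score above tier threshold"
    added = acct.payee_added_at.get(payee)
    # A payee the account has never registered is treated as new (fail closed).
    if added is None or now - added < NEW_PAYEE_WINDOW:
        if amount >= lim["amount"]:
            return Action.STEP_UP, "large payment to new payee"
        recent = sum(1 for ts, p, _ in acct.history
                     if p == payee and now - ts < FREQ_WINDOW)
        if recent >= lim["count"]:
            return Action.STEP_UP, "repeated payments to new payee"
    return Action.ALLOW, "no rule triggered"

def pay(acct, payee, amount, now, model_score):
    """Decide, and record the payment only if it is released without friction."""
    action, reason = decide(acct, payee, amount, now, model_score)
    if action is Action.ALLOW:
        acct.history.append((now, payee, amount))
    return action, reason
```

The frequency rule is what catches a large transfer split into several small ones to a freshly added payee, which the size rule alone would let through.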
As smartphone and app-based banking continue to evolve, the drive for trust, speed and convenience remains a priority for increasingly demanding customers. However, in an era of growing and more sophisticated fraud, financial services companies cannot afford to prioritize convenience at the expense of security. To protect both their customers and their own reputation, they must proactively embed smart friction points in payment journeys where appropriate. The future of banking will depend not only on seamless user experiences but on how well institutions can anticipate, detect, and counteract fraud in real-time, and develop generic and personalized fraud detection and management strategies, ensuring trust is maintained in a fast-paced digital world.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.