Instant Payments, Irreversible Fraud: Why Traditional Banking Security Can’t Keep Up

Last year, the European Union enacted new regulations that allow customers to transfer euro-denominated money within 10 seconds, at any time. The reform is aimed at accelerating Europe’s digital economy and challenging card network dominance. It has succeeded, but with consequences that most financial institutions are still absorbing.

The short version? Money is moving too fast for traditional fraud prevention systems to catch it. In the United States, Zelle’s instant payment network has seen more than $870 million disappear to fraud since 2017—an average of $125 million in losses annually. Once a fraudulent transfer is completed, the funds are often irretrievable by the time investigators can even begin tracing the transaction.

To adequately adapt to these regulations, banks face three critical challenges: stopping fraud that completes in real time, upgrading authentication infrastructure designed for slower payment rails, and addressing a dangerous over-reliance on device-based security that authenticates hardware rather than individuals.

Transaction Speed Has Outpaced Fraud Prevention

Traditional fraud prevention systems operate on a simple premise: analyze the transaction, assess risk indicators, and intervene before funds transfer. That model assumes time exists between authorization and settlement, a buffer that instant payments have eliminated entirely. The 10-second settlement mandate has created what security experts are calling a “fraud detection impossibility.”

Unlike card transactions, which can be disputed and reversed through chargeback mechanisms, instant payments are final the moment they complete. When a fraudulent transfer leaves an account, the money is genuinely gone, often dispersed through layered accounts or converted to cryptocurrency before the victim even realizes what happened. The Federal Reserve Bank of Atlanta acknowledged this fundamental challenge: “The real-time nature of these transactions leaves little time to detect or reverse fraudulent transfers.”

This irreversibility has triggered a significant liability shift. Banks historically absorbed fraud losses as a cost of doing business, but the volume and velocity of instant payment fraud are forcing institutions to reconsider. Many are quietly pushing more risk onto customers through revised terms of service, arguing that instant payment fraud often involves customer authorization, even when that authorization was obtained through social engineering, impersonation, or coercion.

The core problem is that the security infrastructure for most banks was built during an era when payments moved slowly enough to allow intervention. Batch processing systems, delayed settlement windows, and post-authorization reviews all become useless when transactions finalize before analysis completes. Speed has exposed a foundational mismatch between how banks detect fraud and how money now moves.

How Fraudsters Weaponize Speed

The disparity between fraud detection timing and settlement speed has created a structural vulnerability that fraudsters actively exploit. Security teams accustomed to analyzing patterns over hours or days now have seconds to identify and stop suspicious activity. By the time anomaly detection systems flag unusual behavior (such as multiple rapid transfers, payments to new recipients, or transactions from unfamiliar locations), the money has already settled and dispersed.

This detection lag exposes significant coverage gaps in institutional liability frameworks. When fraud completes faster than security protocols can respond, determining responsibility becomes contentious. Banks argue that customers authorized the transfers. Customers counter that they were deceived through impersonation or coercion. Regulators are struggling to establish clear standards for an environment where traditional verification windows no longer exist.

Fraudsters understand this timing advantage and engineer attacks specifically designed to exploit it. The US Faster Payments Council observed that criminals “are drawn to faster payments because they get quick and irrevocable access to funds.” Social engineering schemes now weaponize urgency: fake emergencies, time-sensitive investment opportunities, impersonated authority figures. Speed prevents the reflective pause that might expose the deception.

Siloed Security: The Disconnected Identity Problem

The most critical vulnerability in modern banking security is organizational fragmentation. Financial institutions typically treat onboarding, authentication, and step-up authorization as separate initiatives managed by different departments. A customer rigorously verified during account opening may face only a basic password when initiating a €50,000 instant transfer weeks later.

Forrester Research diagnosed the underlying problem: “These challenges are compounded by historically siloed IAM functionalities, resulting in fragmented visibility into identity security posture and threats.” When identity verification exists independently from transaction authentication, institutions lose the contextual thread connecting who a customer is with what they’re attempting to do.

Many banks have constructed hard-coded authentication systems where each channel implements security independently. Modifying these rigid frameworks becomes enormously expensive and time-consuming. Daon’s identity continuity approach addresses this by linking an individual’s identity across every channel, session, and interaction. This maintains unified identity assurance from onboarding through every subsequent transaction.

The Capability Gap: Missing Infrastructure and FinTech Misconceptions

Most banks lack the capability for dynamic step-up authentication. Security checks should scale proportionally to transaction risk, but many institutions apply uniform authentication regardless of whether customers are paying a utility bill or initiating a large international transfer.

Real-time payments demand authentication that operates at matching velocity. Banks need security that delivers certainty within moments without sacrificing accuracy—a requirement legacy systems struggle to meet. Unified identity platforms like TrustX connect onboarding, authentication, and authorization within a single orchestrated framework, enabling risk-based authentication that adjusts dynamically.

Many newer financial institutions operate under a critical misconception that stronger security inherently damages user conversion rates. This belief leads FinTechs to implement minimal authentication, assuming customers will abandon transactions if security feels cumbersome.

The reality contradicts this assumption. Properly implemented security actually improves customer trust and retention. Customers who experience fraud tend to blame the institution that failed to protect them, not themselves.

Beyond conversion concerns, many FinTechs demonstrate significant awareness deficits about available authentication capabilities. Technologies like NFC-based document authentication or passive liveness detection remain unfamiliar to security teams at newer institutions, leading them to default to inadequate solutions like SMS codes that fraudsters routinely circumvent.

Lazy Biometrics and False Security

The widespread adoption of Face ID and device-based biometrics has created an industry-wide comfort trap. Financial institutions have grown dangerously complacent, treating the convenience of unlocking a smartphone as equivalent to verifying identity for high-value transactions. This represents a fundamental security flaw, because device-side authentication confirms that someone has access to an authenticated device, not that they are the actual account holder.

For routine device unlocking, this distinction is of little concern, but for banking transactions that transfer thousands of euros in seconds, it matters enormously. A stolen phone with biometric authentication bypassed, a borrowed device, or a compromised device all create scenarios where device access doesn’t equal identity verification. Unfortunately, many institutions still architect their security as if these situations don’t exist.

At Daon, we call this “lazy biometrics,” the dangerous assumption that device convenience delivers bank-grade security. When financial institutions outsource identity assurance to Apple, Google, or Samsung, they cede control over authentication thresholds, enrollment standards, and security calibration. Device manufacturers optimize user experience across millions of use cases; banks need security optimized specifically for financial transactions where false positives carry severe consequences.

Server-Side Authentication: Bridging the Knowledge-to-Implementation Gap

Banks understand that server-side biometrics provide superior security. Moving biometric matching from devices to institutional infrastructure allows banks to control authentication thresholds, maintain device-agnostic verification, and calibrate security based on transaction risk rather than manufacturer defaults. Despite this knowledge, most institutions continue relying on device-side approaches.

The implementation gap reflects multiple barriers: legacy system integration complexity, unfamiliarity with deployment requirements, and organizational inertia favoring familiar solutions. AIB and NatWest demonstrated clear advantages through their server-side implementations, dramatically increasing transaction limits without corresponding fraud increases. Server-side authentication is becoming more mainstream as instant payment pressures expose device-side limitations. However, many banks are still waiting for competitive pressure or regulatory requirements rather than proactively upgrading their infrastructure.
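
The following is an added sketch, not Daon's or TrustX's code, of the risk-scaled step-up described under "The Capability Gap" combined with the server-side threshold calibration described above. The signal weights, tier names, match-score thresholds and sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Transfer:
    amount_eur: float
    new_payee: bool            # first payment to this recipient
    recent_transfers: int      # transfers from this account in the last 10 minutes
    unfamiliar_location: bool

@dataclass
class Evidence:
    device_unlock_ok: bool                       # device-side result: pass/fail only
    server_match_score: Optional[float] = None   # 0..1, set only when matched server-side

def risk_tier(t: Transfer) -> str:
    """Combine the risk signals into low / medium / high (illustrative weights)."""
    score = 3 if t.amount_eur >= 10_000 else 1 if t.amount_eur >= 1_000 else 0
    score += 2 if t.new_payee else 0
    score += 2 if t.recent_transfers >= 3 else 0
    score += 1 if t.unfamiliar_location else 0
    return "high" if score >= 5 else "medium" if score >= 2 else "low"

# Minimum server-side match score per tier (assumed values, not vendor defaults).
# None means a device-side unlock is accepted on its own.
SERVER_THRESHOLD = {"low": None, "medium": 0.90, "high": 0.98}

def decide(t: Transfer, ev: Evidence) -> str:
    """Return 'allow', 'step_up' (request a server-side match) or 'deny'."""
    threshold = SERVER_THRESHOLD[risk_tier(t)]
    if threshold is None:
        return "allow" if ev.device_unlock_ok else "deny"
    if ev.server_match_score is None:
        return "step_up"   # a device unlock alone never clears this tier
    return "allow" if ev.server_match_score >= threshold else "deny"

# Constructed sample transfers
UTILITY_BILL = Transfer(80.0, new_payee=False, recent_transfers=0,
                        unfamiliar_location=False)
LARGE_NEW_PAYEE = Transfer(50_000.0, new_payee=True, recent_transfers=1,
                           unfamiliar_location=False)
```

Because the bank holds the match score rather than a device's pass/fail result, the same biometric sample can clear a medium-risk payment and still be refused for a high-risk one.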

Rethinking Security for the Speed Era

Real-time payments have permanently altered banking security requirements. The 10-second settlement window eliminates the luxury of delayed fraud detection, while new liability frameworks make inadequate security financially unsustainable. Banks must address authentication infrastructure gaps immediately, move beyond device-side biometrics that verify hardware rather than identity, and prepare systems for converging regulatory changes.

The strategic imperative is clear: institutions treating security as disconnected initiatives rather than integrated identity continuity will fall behind competitors who understand that authentication infrastructure has become a competitive advantage. In an era where fraud completes in seconds and liability is increasingly shared, security can no longer be relegated to technical implementation details.

The institutions that will define the next generation of financial services are those learning from mobile-native approaches while implementing server-side biometrics that provide true identity assurance. Transaction speed isn’t slowing down and neither can the security infrastructure protecting it.