Category: Security

Trust in the Future of Finance: Key insights from M2020 Asia.

Posted on by Leave a comment

Steve Pannifer, Senior Vice President of Digital Identity at Fime, summarizes the key insights and discussions from Money 20/20 Asia in Bangkok, Thailand – a prominent event that brings together the Asia-Pacific payments ecosystem to delve into the latest opportunities within the industry.

One of the main themes at Money 20/20 Asia this year was “Trust in the Future of Finance”. It is an important topic. Many of the pain points in the digital economy are related to trust, not least the rampant fraud occurring within an ever-increasing number of digital spaces such as social media. People get scammed because they trust people who they shouldn’t. The internet is over 30 years old and yet it still has no trust layer. This is essentially the problem that digital identity is trying to solve.

Alongside colleagues from Fime and Consult Hyperion, I was delighted to be able to contribute to a number of trust related sessions at the event:

  • Building Digital Trust with Modern Identity Security and Orchestration
  • Navigating Compliance and Security in Digital Identity
  • Selling to Robots: The Digital Identity Imperative in Agentic Commerce
  • Brainstorm: Building Trust with AI in Digital Identity
  • It Takes a Village – Making Digital Identity Work
  • Your Face Becomes Your Wallet of Everything: Personalization vs Security

Here are some of my key takeaways:

More friction does not necessarily mean more security

I’ve sometimes heard it said that people are lazy when it comes to online security, and it is this that results in them not taking the steps necessary to protect themselves online. I’m sure there is some truth in that, but I also believe a big part of the problem is to do with the ways systems are designed. If we put a lot of friction into the customer experience, that will also encourage poor behavior. For example, asking a customer for a memorable word is a terrible idea. They will inevitably choose something so obvious that the smallest amount of social engineering will reveal it.

Building a good customer experience is an essential part of creating a trusted service – a point that Linden Dawson, Senior Product Manager of Customer Digital Identity at National Australia Bank (NAB), made during the session “Building Digital Trust with Modern Identity Security and Orchestration”. It’s not that we need to design services with no friction. Some friction can be reassuring to customers and is an important element of building trust.

Regulation needs to address the root cause

In the same session, Natalie Reed, Director at Deloitte, described Australia as the “scam capital of the world”. I think the UK could give Australia a run for its money. Her point was that it is out of control. This report, published by the United Nations’ Office on Drugs and Crime in April 2025, highlights the level of industrialization of the scam business, which employ “multi-lingual workforces comprised of hundreds of thousands of trafficked victims and complicit individuals”. From centers in Southeast Asia and beyond, transnational organized crime is able to target victims across the world.

In some countries (like the UK) regulators are trying to address the scam issue by making the banks pick up the tab but this does little to address the root cause. It does not stop the activity of scammers. Neither does it encourage people to make sure they can trust the person to whom they are sending money. One glimmer of hope, as Natalie explained, is the new scams prevention framework in Australia which places some responsibility on the social media platforms, where many scams originate. We will have to wait to see how far the regulator can go in holding social media platforms to account.
Trust is needed across the whole lifecycle.

Too often the trust conversation has been focused on onboarding, ignoring the need for trust through the whole customer lifecycle – a point well made by Ian Sorbello, Principal Solutions Architect at Transmit Security, in the session on “Navigating Compliance and Security in Digital Identity”. Those initial checks are important but unless they are linked to strong authentication and fraud checks, weaknesses will be exploited and trust will be lost.

Anoosh Arevshatian, Chief Product Officer at Zodia Custody, took this a step further, explaining the connection between digital identity and digital assets. Ultimately digital identity boils down to the private keys under the control of the user (but likely managed by a custodian). The binding of the corresponding public keys to digital assets establishes ownership. Protecting those keys through the customer lifecycle is essential for customers to be able to trust that their assets are safe.

Trust is about to get a lot more complicated

In their session “Selling to Robots: The Digital Identity Imperative in Agentic Commerce”, Dave Birch, Global Ambassador at Consult Hyperion, Consulting by Fime and Victoria Richardson, Partner at ID Partners, highlighted how agentic AI will dramatically change the relationship between organizations and their customers. For example, AI agents will help customers find the best deals, switching as needed – meaning that businesses will no longer be able to rely on customer inertia.

Customers will of course need to trust AI agents to use them. But as Dave and Victoria explained, organizations will need to trust agents too. A key question will be whether organizations will even know that they are dealing with agents rather than actual customers?

Several emerging AI agents use screen scraping to access services through the same interface as human customers, making it difficult to distinguish between the customer and their AI agent. Frameworks such as the Model Context Protocol (MCP), which is seeking to standardize how AI agents access data sources, may help. By giving agents a different end-point to the human customer, organizations will have a better chance of working out what or who they are interacting with.

The technology and standards to deliver trusted digital identities exist. These can address the issues of fraud, friction, inclusion and privacy we see all around us today. The task of building a trusted internet may be complex, requiring the commitment of many stakeholders but it is not unachievable. Examples around the world have shown that with the right incentives, real progress can be made – the key point from my session.

Stay ahead of key market trends

Attending conferences such as Money 20/20 Asia allows us to keep our finger on the pulse of the key challenges and opportunities faced by each player in the market. It isn’t just the main conference programme that offers these insights; it’s getting the chance to speak directly with the banks, merchants, and service providers that operate within each region and finding out what matters most to them. Trust remains the cornerstone of a secure digital future. Events like Money 20/20 Asia show us that while the challenges are complex, the solutions are within reach – if we work together.

Learn more about Fime’s expertise across the digital identity ecosystem.

Slower Payments?

Posted on by 1 Comment

I’ve just received a cheery email from my credit card provider entitled, “We’re improving your fraud protection.” I assume it is from them: it arrived amongst a barrage of emails telling me not believe what I read in emails. When online scamming was in its infancy, you could spot the difference but, as fraudsters’ skills, use of AI and sophistication has developed, nobody really can any more.

It is important to remember that this is an equal opportunities form of fraud. You don’t have to be online. You don’t even need a mobile phone. If you have a UK bank account and a phone number, the scammers will delight in using their social engineering skills to extract your life’s savings.

In the communication I’ve received, beyond all the good news about the generosity of the bank, there is a brief mention of the Payment Systems Regulator (PSR) [1]. Apparently, they require all Authorised Push Payment (APP) transactions to be subject to a refund within 5 workings days if they are found to be fraudulent. This applies to payments over both Faster Payments and CHAPS. There are exceptions to this, for example where the customer is grossly negligent and not considered vulnerable [2].

There is also a ceiling set on the amount. This was initially announced as £415k but, due to strong resistance from the banks, is now set at £85k. The PSR state that this will cover 99% of APP claims. It happens to be the same amount as individuals can claim for lost savings under the Financial Services Compensation Scheme [3], should their bank become insolvent.

In the early days, Faster Payments was a rather unpredictable experience but, as it has scaled, many of the creases have been ironed out. Confirmation of Payee has helped to ensure that the payment reaches the intended beneficiary. It can take a couple of attempts to get it right. e.g. for dog walkers, they may appear as Wendy’s Walkies, under the name of the owner Wendy Walker and as a business account or a personal account. Still, if you have the correct sort code and account number, things tend to fall into place.

My bank has sent me a similar email, telling me to be wary around One Time Passwords (OTPs) and referring me to the Take Five To Stop Fraud [4] website. Again, it looks plausible and the advice is not unreasonable. It is, however, disappointing that there seems to be very little discussion of mutual authentication these days.

One aspect of the new regime is that all Payment Service Providers (PSPs) must be registered with Pay.UK. Both receiving PSPs and sending PSPs can be liable for any APP fraud. This is a significant departure from the existing regime, where the burden tends to fall on the sending PSP.

Losses due to APP scams are estimated at nearly £500m [5] annually. UK Finance [6] has identified factors which contribute to APP fraud, one of which is perceived urgency in dealing with a situation. While Faster Payments provides real convenience, the transactions are not reversible and so it has become a honey pot for thieves. Once money is transferred to a fraudulent account, it can be sent on to multiple accounts, sometimes with the assistance of money mules, either in the UK or overseas.

Frequently, by the time the fraud is investigated, the money is long gone. In response to this, PSPs are permitted to introduce a delay into the processing of payments. In principle, where a payment appears suspicious, they can put in place a pause of up to four days [7]. Clearly, this has serious implications for transactions such as conveyancing, where a housing chain requires everyone to complete on the same day. Even in simple situations, like paying a credit card bill, delays can result in the cardholder having to pay additional charges and interest.

While it is positive to see the challenges of APP fraud being addressed, it will be interesting to see how these significant changes to the payments landscape play out over the coming months. Activities such as intelligence sharing, risk-scoring and real-time screening [8] will remain central to tackling fraud.

It is interesting to note that in other countries where approaches to Open Banking are being explored, the focus tends to be on data sharing rather than payment initiation. For example, in the US, the Consumer Financial Protection Bureau [9] (CFPB) is working to open up data sharing, to promote innovation in financial services.

References

[1] https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-its-decision-on-app-scams-reimbursement/
[2] https://www.psr.org.uk/media/tbbdhkcx/sr1-consumer-standard-of-caution-exception-dec-2023.pdf
[3] https://www.fscs.org.uk/what-we-cover/banks-building-societies-credit-unions/
[4] https://www.takefive-stopfraud.org.uk/
[5] https://www.psr.org.uk/our-work/app-scams/#:~:text=Every%20year%20thousands%20of%20individuals,to%20APP%20scams%20in%202023.
[6] https://www.ukfinance.org.uk/news-and-insight/blog/how-understanding-human-behaviour-key-effective-prevention-app-fraud
[7] https://www.bbc.co.uk/news/articles/cn7yel28rx6o
[8] https://www.synectics-solutions.com/our-thinking/why-your-app-scam-strategy-must-not-be-swayed-by-the-reimbursement-limit-update
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-process-to-recognize-open-banking-standards/

CBDCs – wallets, liability and acceptance

Posted on by Leave a comment
illuminated cityscape against blue sky at night

CBDCs are everywhere – and nowhere. Everyone is discussing them, but almost no one is actually deploying them. Sure, this is in part due to the early stage thinking that is going into working out what is actually required but it’s also due to the tricky business of actually working out how they would be implemented. Developing a retail payment solution is a lot harder than creating a Central Bank backed payment instrument.

Continue reading “CBDCs – wallets, liability and acceptance”

Identity in the Metaverse

Posted on by 1 Comment
An aurora accents Earth's atmospheric glow underneath a starry sky

I had the privilege to chair a discussion about identity in the metaverse at the Identiverse conference in Denver in June 2022, and had great fun discussing the new landscape for identity with Heather Vescent, Jonathan Howle, Katryna Dow and Gopal Padinjaruveetil. In order to frame my thoughts and get the discussion about identity and privacy going, I needed a mental model.

Continue reading “Identity in the Metaverse”

Do I need to upgrade my Fare Collection system to support CBDC?

Posted on by Leave a comment
automated ticket machine

This week, a press release from China announced they had expanded acceptance of the digital Yuan onto public transport in 12 cities. China has led the way in the development of a Central Bank Digital Currency (CBDC), launching a trial in 2020 which has been expanding steadily. But what does this mean? What is a CBDC? And when will I need to consider accepting them in public transportation?

Continue reading “Do I need to upgrade my Fare Collection system to support CBDC?”

What Exactly Is A Smart Wallet?

Posted on by Leave a comment
pexels-photo-887751.jpeg

A wallet is a way of organising things. My Apple Wallet, just like my real wallet, doesn’t have any cash in it. It has credit cards, debit cards, loyalty cards, vaccination records, boarding passes, train tickets and driving licences (Apple have just gone live with their driving licence and state in Arizona). These things are all held independently in the wallet: they don’t talk to each other and they don’t share data with each other. They are also, as you will have noticed, mostly about identity, not money.

Continue reading “What Exactly Is A Smart Wallet?”

Apple Finally Enables Payment Card Acceptance on iPhone

Posted on by 2 Comments
person-woman-hand-space.jpg

Contactless Card Acceptance

Solutions to enable Android phones to be used to accept EMV contactless card payments without requiring additional hardware have been around for a while.  We’ve been advising and helping our clients architect, secure, build and certify SoftPOS solutions for the last 5 years.  However, this has not been possible on iOS devices, until now.  Speculation that Apple was looking to add contactless payment card acceptance support to iPhone grew when they bought Mobeewave for $100MM in 2020. Based on the technology acquired in this purchase, Apple has recently added contactless card acceptance capability by implementing their Proximity Reader framework to iOS 15.4, for what Apple calls Tap to Pay.

Continue reading “Apple Finally Enables Payment Card Acceptance on iPhone”

Brazilians wow the world of Open Banking

Posted on by Leave a comment
flag of brazil

At last week’s FDX Virtual Spring Global Summit, I received a glimpse into the huge strides being made by the Financial Data Exchange in the adoption of their data sharing API for the US market. In the context of minimal centralised regulation in the US, progress is driven by industry. This marks a substantial move away from screen scraping, which has historically been prominent in the US market. While the API approach provides value in terms of security and standardisation, many organisations still depend on screen scraping to support their business model.

Continue reading “Brazilians wow the world of Open Banking”

Biometrics on Cards

Posted on by Leave a comment

Improving Cardholder Authentication

On-card fingerprint readers have been in development for a few years now, with a number of products now in market from vendors such as Fingerprint Cards, Zwipe, Idemia and G+D.

Continue reading “Biometrics on Cards”

Arm’s CHERI-Based Morello Prototype Adopts New Approach to Security

Posted on by Leave a comment
security logo

Developing secure software and systems is hard.  Even if the most experienced engineers use the best tools and follow best practices, bugs and vulnerabilities can slip through.  Add to that the amount of legacy or 3rd-party code in use today, developer turnover and the use of outsourcing, and we can see that it is very difficult to eliminate all vulnerabilities from within a solution.  This is why security by design and defence in depth are important principles. By designing-in security right from the start, and having multiple independent and overlapping methods of protection, the impacts of vulnerabilities can be reduced.

Continue reading “Arm’s CHERI-Based Morello Prototype Adopts New Approach to Security”

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.