Key insights in navigating fraud in open banking | The Payments Association (2025)

What’s the article about?

Fraud vulnerabilities in open banking, as discussed during The Payments Association’s FC360 open banking and financial crime workshop

Why is it important?

It highlights critical challenges and solutions for safeguarding open banking, ensuring its trust, security, and growth in the financial sector.

What next?

The industry must collaborate on fraud prevention, enhance data sharing, and align regulatory frameworks with innovation.

On the 19th of November in London, The Payments Association hosted a workshop as part of its Financial Crime 360 conference, focusing on a newly-emerging but pressing topic of fraud within open banking. The session convened industry leaders, fraud prevention experts, and stakeholders from diverse financial sectors. With open banking accelerating financial inclusivity and innovation, the accompanying challenges, this workshop aimed to kick-start conversations on the potential vulnerabilities of open banking as well as existing solutions, that encourage a safer, more transparent open banking ecosystem.

Framed against the backdrop of a rapidly evolving landscape where financial crime continuously adapts, the event underscored a stark reality: fraud, now exceeding £1 billion annually in the UK, remains an existential threat to the sector. Strong customer authentication (SCA), frictionless user experiences, and regulatory oversight were among the focal points as experts dissected the existing risks and potential remedies for open banking fraud. The discussions fostered a shared commitment to innovation while ensuring consumer safety.

Participants:

• Jan van Vonno, Open Banking Working Group Lead, TPA, and head of industry and wallets, Tink
• Jane Jee, Financial Crime Working Group Lead, TPA
• Carlos Albo, CEO & co-founder, Wenalyze
• Andrew Churchill, Ambassador, TPA
• Nick Davey, Senior Policy and Strategy Lead, Open Banking Limited
• Bhaswant Gandham, Customer Journey Manager – Open Banking, Natwest
• Michael Hammond, Fraud Product Owner, Pay.UK
• Lerato Matsio, Founder and CEO, Trudenty
• Mark McMurtrie, Ambassador, TPA
• Mark O’Keefe, Ambassador, TPA
• David Rennie, Payments Expert
• John Erik Setsaas, Director of Innovation, Tietovery
• Archi Shrimpton, Senior Manager, Open Banking & Open Finance, Lloyds Banking Group

Fraudulent activities in open banking are rising, fuelled by sophisticated tactics such as impersonation scams, account takeovers, and authorised push payment (APP) fraud. According to Nick Davey, OBL, who shared insights from a six-month data collection exercise covering 60% of the UK market, the threat is evenly split between authorised and unauthorised fraud. “Unauthorised fraud often stems from device theft,” Davey explained, noting that once criminals gain access to interconnected apps, they exploit the ecosystem to drain accounts. On the other hand, authorised fraud, such as impersonation and investment scams, preys on the vulnerabilities of human psychology and trust.

The Payments Association’s Financial Crime Survey highlights that account takeovers, representing a rapidly growing £50 million annual loss, remain a predominant concern. Fraudsters often exploit advanced social engineering tactics to deceive consumers into granting access to their accounts. These criminals are not only technically adept but also highly organised. “Fraudsters share information as effectively as we should,” emphasised John Erik Setsaas (Tietovery), underlining the necessity for public-private collaboration in combatting these threats.

Data breaches and ransomware attacks were also flagged as significant risks. A recurring theme during the discussion was the asymmetry between fraudsters’ innovation and industry preparedness. “The criminals are investing heavily in exploiting our vulnerabilities,” Mark McMurtrie (The Payments Association) said, referencing the surge in cybercrime that parallels technological advancements. He also lauded the UK’s robust reporting mechanisms, which provide valuable insights into fraud trends, while cautioning that open banking-specific reporting remains nascent.

Beyond the impact of accidental errors, explained Carlos Albo (WeAnalyze), malicious actors exploit the lack of vigilance in validating payment information. “By manipulating transaction parameters, such as account numbers, amounts, or even timestamps, fraudsters can successfully complete illicit transfers while masking their actions from traditional security checks.”

The workshop participants reached a consensus: open banking’s fraud challenges are not inherently unique but reflect broader trends in financial crime. However, the frictionless nature of open banking payments and the sector’s rapid expansion could present new challenges. “Fraud in open banking is not yet as significant in volume compared to traditional channels, but as adoption scales, so will the risks,” remarked Jan van Vonno (Tink). This underscores the urgency for preemptive measures.

The section concluded with a call for enhanced industry initiatives, including standardised data sharing and improved fraud detection strategies. Participants highlighted the potential of open banking to transform financial services but stressed that addressing fraud vulnerabilities is critical to sustaining trust and fostering growth. As McMurtrie summarised, “We must innovate at the pace of the criminals to stay ahead.”

However, not everyone supported placing responsibility on users. Lerato Matsio (Trudenty) cautioned against relying on consumers to make complex security decisions. “Do we really want to offload fraud prevention onto users? Most people lack the expertise or foresight to manage these settings effectively. The onus should remain on financial institutions,” she argued. Instead, Matsio proposed leveraging shared data to create predictive fraud prevention systems that operate behind the scenes.

The group also discussed the role of education and standardised messaging in mitigating fraud risks. “Many noted inconsistencies in the language used by banks to warn customers about suspicious transactions. ‘Confusing prompts or poorly designed alerts can lead to customer complacency,’ said O’Keefe, emphasising the need for clearer, uniform communication. “The industry has taken different paths, leading to a lack of consistency,” added Nick Davey (The PSR), stressing the importance of a unified approach to fraud prevention.”

Ultimately, the participants agreed that security and friction are not mutually exclusive. Properly implemented, friction can enhance trust and deter fraud without undermining usability. “The challenge is not friction itself but striking the right balance,” summarised Setsaas. The consensus was that industry collaboration, supported by technological innovation, is key to creating secure yet user-friendly open banking experiences.

A recurring theme during the workshop was the critical role of data sharing and collaboration in mitigating fraud risks within open banking. Participants emphasised that the fragmented approach to fraud detection and prevention across the financial ecosystem often creates gaps that fraudsters exploit.

“Fraudsters are incredibly effective at sharing information and strategies,” observed John Erik Setsaas. “Meanwhile, financial institutions often operate in silos, reluctant or unable to share data with each other.” Setsaas and others argued that a more unified approach is necessary, one that transcends individual organisations to create a collective defence mechanism.

The discussion also touched on global best practices. Mark O’Keefe cited Singapore’s regulatory approach, where institutions are required to implement standardised operational features to reduce fraud risks. “In Singapore, fraud prevention isn’t optional—it’s prescribed by the government,” he explained, contrasting this with the UK’s more decentralised framework. While some participants lauded the flexibility of the UK model, others suggested that a stronger regulatory mandate might be necessary to achieve consistent fraud prevention standards.

Albo stated that a strong system of verification, involving cross-checking against multiple databases and implementing layered security protocols, serves as a “key deterrent” against fraud by ensuring the integrity of transaction data, which is “a critical component in preserving trust and confidence in digital payment systems.”

As the section concluded, a consensus emerged around the importance of interoperability in fraud prevention systems. Whether through public-private partnerships or private-sector innovation, participants agreed that sharing data across institutions and geographies is essential to keeping pace with increasingly sophisticated fraud schemes. “The comprehensive collection of fraud cases in the UK will be incredibly rich,” Michael Hammond (Pay.UK) emphasised, highlighting the potential of centralised data to enhance our capabilities to detect and prevent fraud effectively.” As Matsio aptly summarised, “We need to think of fraud prevention as a collective responsibility—not as a competitive edge.”

The evolving regulatory landscape was a central focus during the workshop, as participants grappled with the challenge of aligning open banking innovation with robust fraud prevention. While existing frameworks such as the Payment Services Directive 2 (PSD2) and strong customer authentication (SCA) have set foundational standards, many argued that these measures are insufficient to address the rapidly changing nature of financial crime.

McMurtrie began the discussion by highlighting the uneven regulatory environment within the UK. “The current frameworks focus primarily on larger institutions, leaving smaller players and new entrants with less oversight,” he observed. This creates a fragmented ecosystem where fraudsters can exploit inconsistencies between institutions. He pointed to the absence of enforceable fraud management standards for third-party providers as a critical vulnerability.

However, others warned against overregulation, which could stifle innovation. “Regulation must strike a balance,” said David. “We need enough oversight to protect consumers, but too much bureaucracy could hinder the growth of open banking and the fintech sector.”

“Everyone’s invading bank security, no one’s invaded digital identity,” observed Andrew Churchill (TPA), emphasising the gap in current regulatory measures. He proposed a more dynamic regulatory model that adapts to emerging risks while preserving flexibility for market participants.

Several participants emphasised the need for more prescriptive regulatory approaches. Mark O’Keefe compared the UK’s model with Singapore’s, noting how the latter mandates specific operational features for fraud prevention, such as mandatory notifications for high-risk transactions. “In Singapore, it’s not just guidance—it’s law,” he said, adding that a similar approach could provide clarity and uniformity in the UK.

“The open banking standards tie one arm behind the bank’s back can, in places, restrict banks’ ability to tackle fraud as they ordinarily would,” added Archi Shrimpton (Lloyds Banking Group), highlighting how regulatory constraints limit banks’ ability to balance reducing friction with fraud prevention effectively. He explained that in their own channels, banks can strike this balance themselves, but prescribed standards in open banking journeys leave less room for flexibility.”

David Rennie, payments expert, proposed a more dynamic regulatory model that incorporates identity verification standards, explaining that “The problem fundamentally is not about the methods of payment but about identity.” He suggested slowing down payments for better security checks as a novel approach that contrasts with existing practices, which often prioritise speed and convenience over security. This idea underscores the need for regulations that not only respond to but also anticipate the methods employed by fraudsters.

However, others warned against overregulation, which could stifle innovation. “Regulation must strike a balance,” said Davey. “We need enough oversight to protect consumers, but too much bureaucracy could hinder the growth of open banking and the fintech sector.” He proposed a more dynamic regulatory model that adapts to emerging risks while preserving flexibility for market participants.

A key area of focus was the recent amendment to the Payment Services Regulations, allowing payment service providers (PSPs) to delay transactions in cases of suspected fraud. Participants generally welcomed this change, with several noting its potential to reduce authorised push payment (APP) fraud. “The ability to pause payments while investigating suspicious activity is a game changer for manual bank transfers,” said van Vonno. “But its success for retail payments will depend on how consistently and effectively it’s implemented across the sector.”

Collaboration between regulators and the private sector was another recurring theme. Jane Jee argued that regulators need to work more closely with industry players to understand the on-the-ground challenges of fraud prevention. “Legislation alone isn’t enough,” she said. “We need public-private partnerships to develop practical solutions that address real-world vulnerabilities.”

One such solution discussed was the establishment of a centralised fraud intelligence hub, which could facilitate real-time data sharing across institutions. While many participants supported the idea, they also acknowledged the logistical and political challenges of implementing it. “It would require significant investment, legislative backing, and trust between institutions,” McMurtrie noted. “But if we want to stay ahead of fraudsters, it’s a necessary step.”

As the session drew to a close, the participants agreed on the need for a forward-looking regulatory approach that embraces innovation without compromising security. “Regulators must move at the pace of change, not just react to it,” said O’Keefe. The workshop ended on a hopeful note, with a collective commitment to driving industry initiatives and fostering collaboration to create a safer and more resilient open banking ecosystem.