Forty percent of consumers have pulled their business from a company after learning it failed to protect customer data, according to McKinsey research on digital trust. In financial services, where customer acquisition costs are substantial, these losses represent a potential commercial crisis.
The United Kingdom saw mobile contactless payment adoption reach half of all adults in 2024, according to UK Finance, with cash now accounting for less than 10 percent of transactions, down from 34 percent in 2017. This acceleration has created an immense commercial opportunity. It has also opened attack vectors that many payment providers are not fully equipped to defend. The companies that recognize this gap as existential will survive, leaving those who treat cybersecurity as another cost to struggle.
The fraud economy operates at machine speed
The days of random, small-scale fraud are over. Financial crime has industrialized. Organized groups of bad actors use generative AI to automate phishing at scale, producing communications indistinguishable from legitimate bank correspondence. Credential stuffing attacks test millions of stolen username and password combinations across platforms in hours, while synthetic identity fraud uses AI-generated profiles that pass traditional verification checks with worrying consistency.
Deepfake voice technology has reached the point where attackers can impersonate executives by authorizing wire transfers or resetting account credentials. Take the example of the engineering firm, Arup. In early 2024, an employee at the multi-national engineering firmwas tricked into transferring approximately $25 million after participating in what looked like a legitimate video conference with senior executives. In reality, all participants were AI-generated deepfakes.
We’re also seeing bots navigate payment flows with human-like behavior patterns, skirtingvelocity checks and CAPTCHA challenges that were designed for a legacy threat environment. The volume is becoming overwhelming, and the sophistication is accelerating.
Manual fraud detection is now increasingly obsolete. Almost every bank has responded by deploying AI-powered fraud detection systems that analyze transaction patterns in real-time. These systems evaluate device biometrics, geographic anomalies, spending velocity and behavioral markers to assign risk scores. High-risk transactions trigger additional verification while legitimate customers proceed uninterrupted.
This approach is practical for known fraud patterns. However, it fails when criminals adapt faster than the models can be retrained. The limitation lies in how these systems learn.
Many rely on retrieval-augmented generation (RAG), which pulls context from internal databases to inform decision-making. RAG introduces two failure modes. Firstly, it omits context that matters, such as recent travel notifications, legitimate account changes or unusual but verified customer behavior. This creates false negatives where fraud passes undetected.
Secondly, it can introduce conflicting information when external training data contradicts the proprietary intelligence stored behind the institution’s firewall. Public datasets cannot capture fraud patterns specific to a bank’s customer base.
Domain-specific AI models trained on internal data close the gap
Financial institutions with extensive internal documentation, including transaction histories, compliance records and fraud case investigations, hold data that general-purpose AI models will never see. Training domain-specific models on this first-party data produces fraud detection systems that recognize patterns unique to that institution’s risk profile. Retrieval-augmented fine-tuning (RAFT) enables this by combining retrieval-based context with selective model retraining. This allows systems to learn continuously without exposing sensitive customer information to external AI providers. It is essential that this data is masked and anonymized, and it is worth noting the increase in the number of software players within the market that provide this solution.
The good news is that the commercial advantage is measurable. Banks using domain-specific models to detect fraud earlier, reduce the false positives that frustrate customers and maintain detection accuracy as criminal tactics evolve. More significantly, there is explainability to regulators and auditors on exactly how a fraud decision was made, which data points contributed, which thresholds were crossed and why a transaction was flagged.
This explainability is no longer optional. Regulators across Europe are continuing to tighten requirements around automated decision-making in financial services. AI systems that operate without the required transparency will no longer pass compliance reviews.
CFOs and CIOs require this transparency before approving enterprise-wide AI deployment. If leadership cannot assess the risk of false positives or defend fraud detection logic during regulatory scrutiny, the system represents a liability. Explainability is now a critical governance requirement, which our clients are consistently flagging to us. It determines whether AI becomes a competitive advantage or a compliance failure.
Encryption and zero-trust architecture are table stakes, not differentiators
Payment security begins with foundations that cannot be negotiated. Encryption protects data in transit and at rest. Tokenization ensures card details never exist in their original form within merchant systems. Multi-factor authentication makes account takeover exponentially harder.
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 entered mandatory enforcement in March 2025. The second Payment Services Directive (PSD2) mandated robust customer authentication across Europe. PSD3 will further tighten fraud liability and authentication requirements. The Financial Conduct Authority (FCA) continues to issue enforcement actions against institutions with inadequate controls.
Compliance is a constant operational requirement. Zero-trust architecture assumes no user or system is trusted by default. Every access request is verified, and every transaction is authenticated.
Secure payment gateways limit where cardholder data can be accessed, reducing the falloutwhen breaches occur. Companies that deploy these controls see faster incident response, lower breach exposure and reduced fraud losses. The greatest benefit is maintaining customer confidence when competitors are losing it.
Customer education remains the weakest link and the first defense
No fraud prevention system functions effectively without better-informed customers. Social engineering succeeds when users trust what they should question. Phishing emails, fraudulent SMS messages and fake payment portals exploit human psychology, not technical vulnerabilities.
Financial institutions that invest in sustained customer education programs measurably reduce authorized push payment (APP) fraud. Teaching customers to verify unexpected payment requests, scrutinize URLs thoroughly and challenge unsolicited messages creates a defensive layer that complements technical controls.
Only improved transparency can accelerate this. When customers understand how their data is protected and what verification steps the bank takes, they report suspicious activity earlier. Early reporting will ensure that any potential fraud is identified and contained, before it escalates, while providing data and insight that continuously improves detection models.
In short, the most secure payment systems combine sophisticated AI with a customer base trained to recognize evolving threats.
Operational resilience determines who survives the next attack
Fraud tactics evolve with every wave. Detection models trained six months ago miss techniques criminals deployed last week. Financial institutions that treat AI as a static processwill fall behind competitors who build continuous monitoring, regular model retraining and human oversight into their fraud prevention architecture.
Operational resilience is the key to maintaining a market position and avoiding loss. Thosethat move decisively to implement architectures combining domain-specific AI, explainable decision-making, robust encryption and informed customers will protect their market share. Those who continue to treat cybersecurity as a cost will lose four in ten customers when, not if, their defenses fail.