In August, German banks froze over €10 billion in PayPal payments due to suspected fraud, a disruption that underscored the scale of growing financial security concerns. If even long-standing, trusted names like PayPal are vulnerable to fraud detection failures, what does that mean for the overall safety of global payments?
Security breaches are, unfortunately, inevitable. Preventing 100 percent of fraud is simply not a realistic expectation. But the story doesn’t end there. The real question is: How can banks reassure customers and rebuild trust once fraud has occurred?
Fault lines that undermine fraud defenses
In over two decades of experience working with banks, two recurring errors undermine public confidence after a fraud event.
The first is silence. After a breach, internal teams often turn inward, focused on investigating the issues, patching up holes in their security and satisfying regulators. These are necessary steps, but they frequently come at the expense of customer communication. During that gap, clients are left with delayed responses and vague statements that fail to clarify what happened or what measures are being taken. This uncertainty has a way of eroding trust faster than the fraud itself. In the absence of clear updates, speculation fills the void, amplifying panic and making it harder for banks to put users’ minds at ease and regain control of the narrative.
Banks need detailed, pre-defined communication protocols for post-incident response—plans that include transparent updates, defined spokespersons and proactive support channels. When prepared in advance, these frameworks allow teams to move swiftly and restore calm before rumors can take hold.
The second mistake is overreaction. In an effort to appear decisive, some banks impose blanket freezes on all operations, halting entire payment corridors or customer segments. While an understandable reflex, these knee-jerk measures can be counterproductive. No bank wants to be seen as complacent in the face of a security issue, but such rushed measures often cause more harm than good. By blocking large payment routes or entire customer segments, banks end up punishing legitimate users and eroding confidence even further, projecting an image of panic rather than control.
A better approach is targeted containment: isolating suspicious activity based on geography, transaction patterns or counterparties involved. With the right analytics and monitoring tools, it’s possible to confine the threat without paralyzing operations. Precision restores confidence—and normal operations—faster. Regulators see a clear response plan driven by data. Partners understand which channels remain safe to make use of. Customers stay informed without getting swept into chaos or unnecessary disruption. In moments of crisis, reassurance—not overreaction—is what keeps trust alive.
Legacy systems as the weak link
Many banks compound their problems by clinging to outdated infrastructure that slows detection, containment and recovery. Consider Metro Bank, which in 2024 was fined almost £17 million by the U.K.’s Financial Conduct Authority for failing to monitor over 60 million transactions for money-laundering risks. Employees had raised alarms years before things came to a head, but the bank failed to act on those warnings due to a lack of modern monitoring tools and oversight infrastructure. It’s a cautionary tale: when systems can’t see a problem, institutions can’t fix it.
By contrast, modern microservices-based architectures give banks the agility to contain incidents, offering a better path forward. In these modular setups, different components of the payment ecosystem operate independently but remain interconnected units. If one module becomes compromised, the others can keep functioning, allowing banks to isolate and resolve issues without halting operations across the board.
Vendor diversification adds another layer of resilience. When banks rely on a single third-party provider for key services, that vendor’s weaknesses become the bank’s own. Splitting critical functions like KYC checks or payment routing across multiple trusted partners mitigates systemic risk and improves agility during crises.
What works—and what doesn’t
Some regulatory controls are proving their worth. Strong Customer Authentication (SCA), mandated under Europe’s PSD2 directive, has made two-factor authentication the standard, significantly reducing fraud exposure. Similarly, IBAN-name matching before transfers helps catch errors and scams before money moves.
Other defenses, however, have faltered. U.S. regulators have sued several major banks over Zelle, citing weak verification at account opening and poor complaint handling—failures that cost customers more than $870 million. Likewise, Bank of America’s “minimum criteria” fraud filters wrongly froze thousands of accounts, leaving legitimate customers stranded for weeks. The fallout was so severe that the bank faced a $125 million fine in 2022 from the Consumer Financial Protection Bureau.
These examples underscore a key truth: controls must be both strong and intelligent. Rigid filters and incomplete verification systems can harm the very people they’re meant to protect.
Collaboration is the future of compliance
In a world where cross-border payments are the norm, isolated solutions simply don’t cut it anymore. Each bank, country or payment network operating in its own silo is not enough. Fraud doesn’t respect national borders, and neither should the systems designed to prevent it, or they’ll always be one step behind.
The E.U.’s new Instant Payments Regulation (IPR), which came into effect earlier this year, is an important step in the right direction. It aims to make euro transfers easy to perform 24/7 with any bank in the E.U. bloc while also maintaining strong verification checks. It’s a solid nudge toward a more unified payments landscape where efficiency doesn’t come at the cost of safety or trust.
The upcoming PSD3 directive builds on this progress. It introduces tighter fraud rules and encourages stronger collaboration between banks and fintechs. Shared KYC data frameworks, standardised fraud reporting, better API connectivity—for banks, this means learning to see fintechs not as competitors, but as essential partners in securing their own systems. By extension, PSD3 can also be considered a regulatory incentive for banks to modernize and overcome legacy issues. Fintech partners can help institutions upgrade incrementally, integrating modular, compliant systems that traditional financial institutions can plug into without fully overhauling their entire core infrastructure. The result is more flexible and resilient systems while establishing regulatory alignment.
Rebuilding trust is a continuous effort
Ultimately, banks cannot rebuild trust through simple apologies. They need to demonstrate visible competence. Customers don’t expect perfection, but they expect transparency, accountability and clear signs of progress. Banks can’t eliminate fraud entirely. But they can demonstrate that they’re learning faster than the criminal—through better communication, modernized systems and collaborative defenses. Trust, once lost, is tricky to regain. But with precision, openness and foresight, it can be rebuilt stronger than before.
Want more insights? Join Working Title - our career elevating newsletter and get the future of work delivered weekly.
