Security-by-Design: The Key to Solving Payments Modernization's Biggest Challenge

The payments industry continues to innovate, with new interoperable systems like Pix in Brazil and UPI in India providing blueprints for how countries can break down the silos that have traditionally stood in the way of payments. Blockchain-based payments and the rise of stablecoins have added yet another way to move money across borders. All of this means that instead of waiting days for money to transfer and settle, we are moving towards a world where money moves instantly.

Each of these innovations in payments has focused largely on speed and providing a frictionless experience, but fraud protections have not kept pace. As with most innovations, product teams focus first on functionality — can the technology do what it’s supposed to? Security and privacy come later, once the technology is already built, creating an environment where companies build fast and fix problems after the fact. This is especially true in market-driven environments like the US, where innovation is rewarded.

But in payments that order has consequences, and innovation and security do not need to be mutually exclusive. Applying security-by-design principles, supported by digital identity frameworks and behavioral verification, can get products to market quickly while ensuring that security and privacy are built in from the start rather than bolted on at the end.

**Build security into the payments foundation.**

Product teams design the perfect user experience, but the work does not stop there. Security teams arrive after the fact and say, "We need to add fraud prevention, compliance checks and privacy controls." Security is then retrofitted around the existing fast-payments functionality, making it an afterthought rather than a defense. The better approach flips that order: establish the security foundation first, then build data movement, transaction flows and business functionality on top of it. Every payment process then sits on a secure framework from the beginning.

When security is foundational, it helps payment innovations move faster: regulatory approval is quicker, customer trust builds sooner because the product was designed with their protection in mind, and fraud costs stay lower because problems are prevented rather than remediated. Engineering teams also spend less time patching vulnerabilities and more time building functionality that helps money move faster.

Regulators are moving in the same direction. Europe has the most advanced framework: digital identity wallets that adjust assurance levels to transaction risk, with low friction for low-risk interactions and stronger verification when needed. The US is following a parallel path, extending traditional banking compliance requirements such as know-your-customer (KYC) and anti-money-laundering (AML) to payment providers.

**Identity belongs to the individual, not the provider.**

When someone needs to access their bank account or a peer-to-peer payment app, they provide login credentials and, if available, two-factor authentication via a code sent to their email or phone. Every platform has its own requirements, such as an email address, username and password. For each system someone uses, their identity is therefore verified on an account basis rather than as a true representation of the person themselves.

That worked when money mostly stayed within a single institution, but it breaks down when money needs to move freely. Rather than establishing identity institution by institution, digital identity takes a different approach: a credential wallet held by the end user that can be presented to any institution. In this model the user holds their own identity, not the company or institution.

The EU Digital Identity Wallet offers an early view of what this looks like in practice: identity is held by the user and selectively presented to banks and fintechs as needed. The US is unlikely to replicate it directly, but the underlying principles are already shaping the conversation around user-held credentials and reusable KYC. With these frameworks, a user can prove "I'm over 21" or "I'm a US resident" without handing over a full ID document.

Someone carrying a physical wallet likely has everything from a driver's license to a debit card and an insurance card, each serving a different purpose depending on the situation. Digital identity works the same way: the end user presents the credentials appropriate to the context, such as a lightweight check for low-value transactions, multi-layered verification for high-value transactions and jurisdiction-specific identity for cross-border transactions.

For this to work at scale, though, it will need to interoperate with the very different digital identification schemes in use around the world. The resulting infrastructure must do all of this while keeping privacy at the center and treating KYC as a reusable credential rather than something every institution repeats from scratch.
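As an added illustration (not code from the article, and not the EU wallet's own implementation), the Python sketch below shows the selective-disclosure mechanism behind "prove I'm over 21 without handing over the ID" and the context-dependent presentation described above. The issuer salts and hashes each claim and signs only the list of digests; the holder later reveals whichever claims the context calls for (one claim for a low-value check, more for a cross-border one); the verifier checks the signature and that every revealed claim hashes into the signed list, so an undisclosed claim stays hidden and a modified one is rejected. The issuer name, the claim names and the HMAC standing in for the issuer's asymmetric signature are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a symmetric HMAC key stands in for the issuer's signing key so the
# example runs offline. A real issuer would sign with an asymmetric key and the
# verifier would hold only the public key.
ISSUER_KEY = b"demo-issuer-key"
ISSUER_ID = "demo-bank"  # hypothetical issuer name


def _claim_digest(salt: str, name: str, value) -> str:
    """Hash one claim together with its salt so the digest alone reveals nothing."""
    blob = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer side: salt and hash every claim, sign only the sorted digest list.

    Returns (credential, disclosures). The credential can be shown to anyone;
    the disclosures (salt + value per claim) stay in the holder's wallet.
    """
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_claim_digest(salt, name, value))
    digests.sort()  # sorted so the order leaks nothing about which claim is which
    payload = json.dumps({"iss": ISSUER_ID, "digests": digests}, separators=(",", ":"))
    sig = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder side: hand over the signed credential plus only the chosen claims."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify_presentation(presentation: dict, issuer_key: bytes = ISSUER_KEY):
    """Verifier side: check the issuer signature, then check that each revealed
    claim hashes into the signed digest list. Returns the verified claims or None."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    signed_digests = set(json.loads(cred["payload"])["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in signed_digests:
            return None  # tampered value, or a claim this issuer never attested
        verified[name] = value
    return verified


if __name__ == "__main__":
    # Constructed sample credential for a hypothetical customer.
    cred, disc = issue_credential(
        {"name": "A. Example", "dob": "1990-01-01", "over_21": True, "country": "US"}
    )
    low_value = present(cred, disc, ["over_21"])
    print(verify_presentation(low_value))      # {'over_21': True}
    cross_border = present(cred, disc, ["over_21", "country"])
    print(verify_presentation(cross_border))   # {'over_21': True, 'country': 'US'}
```

The verifier learns only the claims the holder chose to reveal: name and date of birth never leave the wallet for the low-value check, and a holder who edits a revealed value (say, the country) fails verification because the salted digest no longer matches the signed list. Reusable KYC falls out of the same structure: the issuing bank attests once, and every later relying party verifies the same credential instead of repeating the check.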

**Move towards dynamic identity checks with behaviors.**

Traditionally, fraud prevention has relied on static information: names, account numbers and documents. But static data can be stolen or forged, and fraudsters have learned to do both.

Digital payments also introduce a new weakness: downstream disconnection. A payments provider typically performs a KYC check when an individual signs up and then relies on login credentials to confirm that the user is who they say they are. The problem is that once the money starts moving, that visibility disappears. The provider knows it sent the payment, but it has no visibility into the receiving end.

Because of this, when fraud occurs, it becomes nearly impossible to investigate effectively or establish liability. Additionally, when customers cannot access their money and have no way to recover funds, trust erodes and adoption suffers.

This is where identity can go beyond static documents to establish whether someone is legitimate. Behavioral verification examines how someone interacts with their device and with payments: keystroke patterns, mouse movements and transaction behavior. The way each person uses a device is distinctive enough to serve as a kind of digital fingerprint, though it is a probabilistic signal rather than proof, and it is best used to decide when to step up verification rather than as the sole basis for a decision.

With behavioral identification, payment providers can detect fraud without collecting additional identity documents, although behavioral profiles are themselves personal data and must be protected accordingly. And when identity signals travel with the transaction rather than stopping at the sending account, investigators can follow the full payment trail from start to end when fraud claims arise, identifying where and how the fraud occurred.
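As an added example (not the article's code and not any vendor's product), here is a toy keystroke-dynamics check in Python. It enrolls a user from several sessions of typing a passphrase, builds per-digraph flight-time statistics (the gap between releasing one key and pressing the next), and scores a new session by mean absolute z-score against that profile, so a session typed with an out-of-profile rhythm can trigger step-up verification even when the passphrase itself is correct. The passphrase, the rhythm values, the synthetic sessions and the 3.0 threshold are constructed assumptions; production systems use many more features and tune thresholds on real data.

```python
import random
from statistics import mean, pstdev

# Constructed sample: the passphrase a user types at login. Keystroke events are
# (key, press_ms, release_ms); flight time = next press minus previous release.
PASSPHRASE = "pay2go"

# Hypothetical per-digraph typing rhythms in ms. GENUINE is the enrolled user;
# IMPOSTOR is someone typing the stolen passphrase with a different rhythm.
GENUINE_RHYTHM = {("p", "a"): 110, ("a", "y"): 95, ("y", "2"): 180,
                  ("2", "g"): 140, ("g", "o"): 85}
IMPOSTOR_RHYTHM = {dg: 250 for dg in GENUINE_RHYTHM}


def synth_session(rng, rhythm, hold_ms=90, jitter=12):
    """Generate one constructed typing session around a given rhythm (+ gaussian jitter)."""
    t, events = 0.0, []
    for i, key in enumerate(PASSPHRASE):
        if i:
            t += rhythm[(PASSPHRASE[i - 1], key)] + rng.gauss(0, jitter)
        events.append((key, t, t + hold_ms))
        t += hold_ms  # advance to the release time of this key
    return events


def flight_times(events):
    """Map each digraph (key_a, key_b) to the list of observed flight times in ms."""
    out = {}
    for (k1, _, r1), (k2, p2, _) in zip(events, events[1:]):
        out.setdefault((k1, k2), []).append(p2 - r1)
    return out


def build_profile(sessions, min_samples=3, sd_floor=5.0):
    """Enrollment: per-digraph (mean, std) pooled over known-good sessions.

    Only timing statistics are stored; the passphrase itself is not part of the profile.
    A floor on the std keeps a very consistent typist from producing huge z-scores.
    """
    pooled = {}
    for events in sessions:
        for dg, ts in flight_times(events).items():
            pooled.setdefault(dg, []).extend(ts)
    return {dg: (mean(ts), max(pstdev(ts), sd_floor))
            for dg, ts in pooled.items() if len(ts) >= min_samples}


def score_session(profile, events, min_comparable=3):
    """Mean |z| of the session's flight times over digraphs the profile knows.

    Returns None when too few digraphs are comparable to say anything useful.
    """
    zs = []
    for dg, ts in flight_times(events).items():
        if dg in profile:
            mu, sd = profile[dg]
            zs.extend(abs(t - mu) / sd for t in ts)
    return mean(zs) if len(zs) >= min_comparable else None


def demo(threshold=3.0):
    """Enroll the genuine user, then score one genuine and one impostor session."""
    rng = random.Random(7)  # fixed seed so the constructed data is reproducible
    profile = build_profile([synth_session(rng, GENUINE_RHYTHM) for _ in range(5)])
    genuine = score_session(profile, synth_session(rng, GENUINE_RHYTHM))
    impostor = score_session(profile, synth_session(rng, IMPOSTOR_RHYTHM, jitter=40))
    return {"genuine": genuine, "impostor": impostor, "step_up": impostor > threshold}


if __name__ == "__main__":
    print(demo())
```

The output is a risk score, not an identity decision: a session scoring above the threshold should route to stronger verification (the multi-layered checks described earlier), while a session with too few comparable digraphs returns None and should fall back to the default policy rather than being treated as either genuine or fraudulent.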

Much of what’s needed already exists today in traditional fraud prevention. The challenge now is adapting these frameworks to instant and borderless payments. For the companies that build the foundation right, speed follows naturally.

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.