
Observations from EBADay Lisbon and a Reflection from the Past

Lessons from the Past Prove Why Instant Payments Must Prioritize Security by Design

Having just returned from an incredible week in Lisbon at EBADay 2024, I am eager to share insights from this year’s theme, “Orchestrating the Dialogue on Payments - The Collaborative Advantage.” The event encouraged collaboration and featured provocative conversations about the importance of decentralized finance in banking evolution, how tokens will be what the next generation uses for transactions, the ongoing challenges with cross-border payments, and regulatory mandates around instant payments and DORA regulation, all through discussions with leading payments and transaction banking professionals.

As we reflect on the rapid adoption of instant payments, it is imperative that we learn from the past to avoid repeating the same mistakes. That adoption mirrors the early days of the Internet—a revolutionary technology built for speed and reliability, but not with security in mind. This oversight led to a host of security challenges that we are still grappling with today. The financial services industry must heed this lesson: security cannot be an afterthought.

What Can Payments Security Learn from Both Lisbon's and the Internet's History?

Reflecting on the rich history of Lisbon provides valuable lessons if you are willing to be taught. Lisbon's history stretches back thousands of years. Walking through its ancient streets, it is easy to see the layers of history built upon each other, each era learning from the successes and failures of the past.

Lisbon's beauty is immediately apparent. The light is intense, with gorgeous sunny days and abundant white limestone. The majestic Tagus River flows gracefully through the city, offering stunning views and a sense of tranquility. The iconic 25 de Abril Bridge spans the river with a striking presence. The city’s charm is further enhanced by its warm and friendly people. And the food! From the iconic Pastéis de Nata to the rich and flavorful Porco Preto, and the decadent Pudim Abade de Priscos, Lisbon showcases its ability to blend tradition with innovation in the culinary arts.

Spending time in this beautiful city gave me ample opportunity to reflect on the lessons that history can provide. The foundations we lay today must be robust to support future growth and innovation.

In the early days of the Internet, the primary focus was on creating a network that could move information quickly and reliably. Security considerations were secondary, as the initial users were few and trusted. Protocols like BGP, DNS, and HTTP were designed for cost-efficiency and speed, not for defending against cyber threats. As the Internet grew to encompass billions of users, the lack of built-in security became a glaring issue. Online crime and aggression flourished, exploiting vulnerabilities that were never anticipated by the network's founders.

The Trouble with Retrofitting Security

Retrofitting security into a system not originally designed for it is a complex and often insufficient solution. Early efforts to add encryption and other security measures were hampered by the significant computing power they required. Today, the Internet's foundational lack of security is a reminder that building robust security frameworks from the start is far more effective than trying to add them later.

Instant Payments: A Parallel Challenge

Real-time payment systems continue to see strong usage worldwide. One of the most significant developments is the European Council’s new rule to enable instant payments across the European Union and European Economic Area. Under this regulation, instant credit transfers must arrive in recipients’ accounts within 10 seconds, regardless of the date or time of day. Additionally, all payments must arrive in euros irrespective of the currency posted by the sender, although the permitted transfer time will be extended to allow for currency conversion. The date for the rule to take effect is still to be determined.

The financial services industry now faces a similar situation with instant payments. These transactions promise unprecedented speed and efficiency, optimizing cash flows and enabling real-time financial transactions. However, the very attributes that make instant payments appealing also introduce new vulnerabilities. Once a transaction is initiated, it is final and irreversible, leaving no grace period to block suspicious activities. The rapid increase in cross-border payments further complicates the security landscape, necessitating standardized technical processes and data formats across jurisdictions.

The Indispensable Role of API Security

APIs (Application Programming Interfaces) are the linchpin of instant payments, enabling seamless integration between banks, merchants, and payment service providers. This interconnectedness, while fostering innovation, also creates potential points of vulnerability. Unauthorized access, data breaches, and cyber-attacks are substantial risks that could compromise the integrity of financial transactions.

To mitigate these risks, API security must be prioritized from the outset. Robust API security measures—including strong authentication, encryption, compliance with standards like PCI DSS and GDPR, and proactive threat mitigation—are essential. Financial services institutions must embed these security practices deeply into their systems, ensuring that the trust users place in their services is well-founded.

Navigating the Regulatory Landscape

As regulatory frameworks evolve to address the rise in payment fraud, compliance becomes not just a legal requirement but a strategic advantage. Initiatives like the Verification of Payee (VoP), with a European compliance deadline set for October 2025, highlight the critical need for enhanced payment security and fraud prevention. Payment Service Providers (PSPs) must embrace these changes, integrating security by design into their operations to meet regulatory expectations and safeguard customer data.

Proactive Security Measures Must Define the Path Forward

Staying ahead of potential threats requires integrating threat intelligence and leveraging advanced technologies such as Zero Trust Network Access (ZTNA), microsegmentation, API security, and machine learning. Predictive analytics and anomaly detection can adapt dynamically to new threats, identifying and blocking suspicious transactions before they execute. By adopting these proactive measures, the financial services industry can create a resilient defense against cyber-attacks.
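The two points above, that an instant transfer is irreversible once released and that anomaly detection therefore has to act before execution, combine into a concrete design constraint: every risk check must complete inside the transfer's time budget, and a check that cannot finish must hold the payment rather than let it through. The following is an added example written for this article, not code from the author, from EBA, or from any payment scheme. It screens each transfer against the debtor's own history (velocity, amount outlier, first high-value payment to a new creditor) and fails closed on a time budget. The thresholds, account identifiers, and the sample transfers are all constructed for the demo.

```python
"""Pre-execution screening for instant credit transfers.

Added illustrative example; not code from the article or from any
payment scheme. It demonstrates the article's point that, because an
instant transfer is final the moment it executes, every risk check must
finish before release, inside a fixed time budget, and an unfinished
check holds the payment instead of releasing it unchecked.
Thresholds and sample transfers are constructed (assumed) values.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    debtor: str          # paying account id (constructed)
    creditor_iban: str   # receiving account (constructed)
    amount_eur: float
    ts: float            # submission time, epoch seconds


@dataclass
class Decision:
    action: str          # "release", "hold" or "reject"
    reasons: list


class PreExecutionScreen:
    """Stateful screen applied to each transfer before it is released."""

    def __init__(self, max_per_window=5, window_s=60.0, zscore_limit=3.0,
                 new_payee_hold_eur=1000.0, budget_s=2.0):
        self.max_per_window = max_per_window        # velocity cap per debtor
        self.window_s = window_s
        self.zscore_limit = zscore_limit            # amount outlier threshold
        self.new_payee_hold_eur = new_payee_hold_eur
        self.budget_s = budget_s                    # assumed share of the 10 s window
        self.amounts = defaultdict(list)            # debtor -> released amounts
        self.recent = defaultdict(deque)            # debtor -> released timestamps
        self.payees = defaultdict(set)              # debtor -> creditors paid before

    def screen(self, t: Transfer) -> Decision:
        start = time.monotonic()
        reasons = []

        # 1. Velocity: too many released transfers from this debtor in the window.
        q = self.recent[t.debtor]
        while q and t.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_per_window:
            reasons.append("velocity")

        # 2. Amount outlier versus the debtor's own released history.
        hist = self.amounts[t.debtor]
        if len(hist) >= 5:
            mu = mean(hist)
            sd = max(pstdev(hist), 1.0)   # floor at 1 EUR: identical history is not a zero divisor
            if (t.amount_eur - mu) / sd > self.zscore_limit:
                reasons.append("amount_outlier")

        # 3. First payment to a never-seen creditor above a hold threshold.
        if (t.creditor_iban not in self.payees[t.debtor]
                and t.amount_eur >= self.new_payee_hold_eur):
            reasons.append("new_payee_high_value")

        # 4. Time budget: fail closed. Irreversibility means an unfinished
        #    check must hold the payment, never release it unchecked.
        if time.monotonic() - start > self.budget_s:
            reasons.append("budget_exceeded")

        if "budget_exceeded" in reasons or len(reasons) == 1:
            action = "hold"          # manual review before release
        elif reasons:
            action = "reject"        # two independent signals: do not execute
        else:
            action = "release"
            self._record(t)          # only released transfers shape the baseline
        return Decision(action, reasons)

    def _record(self, t: Transfer) -> None:
        self.amounts[t.debtor].append(t.amount_eur)
        self.recent[t.debtor].append(t.ts)
        self.payees[t.debtor].add(t.creditor_iban)


def run_demo():
    """Constructed sequence: routine payments, then an outlier, then a burst."""
    screen = PreExecutionScreen()
    known, unknown = "PT50-KNOWN-0001", "PT50-NEW-0099"   # constructed ids
    routine = [Transfer("acct-A", known, float(a), 100.0 * i)
               for i, a in enumerate([50, 52, 48, 51, 49, 50])]
    outlier = Transfer("acct-A", unknown, 5000.0, 700.0)
    burst = [Transfer("acct-A", known, 50.0, 1000.0 + i) for i in range(6)]
    return [screen.screen(t).action for t in routine + [outlier] + burst]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

In the demo the six routine payments are released and build the baseline, the 5000 EUR transfer to a never-seen creditor trips two independent signals and is rejected, and the sixth payment of a burst inside one minute is held for review. The decision is taken before anything is submitted to the scheme, which is the only place a check can still matter once settlement is irreversible.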

The EBADay conference in Lisbon provided a crucial platform to discuss these pressing issues. By learning from the lessons of the past and prioritizing security in the design of instant payment systems, we can ensure a safer, more reliable financial ecosystem for the future.
