Core digital banking security in 2026
The firms in our database's digital security features fall into two broad categories:
- Authentication during login
- Additional authentication for specific in-app tasks
For the first category, that is controlling account access and verifying user identity, most banks on FinTech Insights' database use some form of device and biometrics-based authentication.
96.82% of the firms on our database implement biometrics. 92.93% also require users to pair their device to their account for added security.
The vast majority rely on a device's built-in biometrics. Verification workflows requiring additional steps, such as a short selfie video, are uncommon. The latter is implemented by only 1.41% of the sample.
Additional authentication for specific in-app tasks is applied less consistently.
Only 40.99% of the firms in FinTech Insights' database implement biometric authentication for in-app actions like approving payments, and just 13.43% use two-factor authentication for approving transactions.
Here again, where biometric authentication is supported, it mainly relies on a device's built-in capabilities. At 6.36%, authentication via banks' native face recognition technology is an edge case.
Levelling up digital banking fraud prevention
What advanced capabilities have firms put in place?
While securing users' identities and controlling account access through some combination of always-on anti-fraud banking features is table stakes, advanced capabilities are relatively rare.
Looking at FinTech Insights' data, there are seven specific functionalities which we'd consider "advanced": in other words, contextual, value-added protections that enhance security beyond basic authentication.
These are:
-
Incoming call verification
This flags suspicious calls in real time while users are logged into their accounts and performing specific actions, helping users distinguish genuine bank contacts from impersonation attempts.
- Merchant scam-detection
Here, the user can upload screenshots of products or online marketplace listings. The tool analyzes pricing, listing details, and known scam patterns to evaluate the likelihood of the listings being scams.
- Account security status
The banking app rates the user's current security settings and makes recommendations, nudging users to address common security vulnerabilities like weak passwords or not having two-factor authentication set up.
- Street mode
Custom transaction limits for when the user isn't connected to a predetermined WiFi network or outside a "safe" geographic area, which reduces the risk of evil twin attacks, where criminals spoof public WiFi hotspots to take over victims' accounts.
-
User verification
The app remains in view-only mode even after the user pairs their device, which makes it harder to log in or gain full access with stolen credentials. The user must take a selfie or record a short video while presenting a valid ID document to unlock full access.
- Cross-check recipient details (Verifying a payee)
The bank confirms whether a recipient's details match the account details provided while executing a transaction. This helps prevent misdirected funds and authorized push payment scams, where fraudsters trick victims into transferring money.
- Disposable virtual cards
Virtual cards with details that are automatically refreshed after each transaction. Because they're different for every use, fraudsters won't be able to use them should a merchant suffer a breach.
Out of these seven advanced security features, cross-checking recipient details is the most widely adopted. But, at 15.9% of the firms in our database, it's still relatively rare.
The feature is most widely implemented in the UK and the EU, where it became mandatory for all SEPA-area transfers in 2025. Only one bank in Latin America offers it, while it doesn't feature in North America at all.
The other six features have all been implemented by less than 10% of the firms in FinTech Insights' database.
Account security status is offered by 6.01%, while disposable virtual cards are offered by 2.83%. At 1.77%, 0.71%, and 0.35% respectively, incoming call verification, street mode, and merchant scam-detection are outliers.
Here again, EU and UK banks lead the way with incoming call verification, scam detection, and disposable virtual cards.
The latter feature is also offered by a handful of Latin American banks. Firms in this region also offer street mode, user verification, and account security status.
US banks, on the other hand, lag considerably behind. Out of the seven advanced features we've listed, just one bank — Bank of America — offers disposable virtual cards, and 13 banks supporting account security status.
The road ahead
One of the key reasons fraud is on the rise despite record investment in anti-fraud banking features is adaptability.
When one security loophole closes, bad actors excel at quickly finding and exploiting the next weak link in the chain.
Fraudsters are also adopting ever more sophisticated techniques, including using AI to construct fake identities — what is known as synthetic identity fraud. These are becoming harder and harder to spot as AI technology improves.
For banks, this means it's time to take a more holistic approach to digital banking security.
Securing a user's access point by verifying their identity and pairing a specific device is an important first step. But advanced fraud-prevention features improve fraud prevention and digital banking security by adding an extra layer of protection.
With banking customers worried about fraud in growing numbers, implementing such features is just good business. A powerful differentiator that gives customers more reasons to stick around.
Want to dive deeper into the current state of digital banking fraud prevention?
Build a digital banking strategy that can't be challenged
Let's show you how FinTech Insights can help you wow your customers, on every login.