Banking Exchange Payments Panel Focuses on Risk

On Friday April 10 at the University of Connecticut in Stamford, Banking Exchange welcomed a panel of experts to discuss tackling the evolving risks in Payments. The panel included City National Bank’s Electronic Payments Lead Attila Csutak, First Central Savings Bank’s Chief Compliance Officer Tan Ansari, and Ironvest’s Global SVP of Solution Engineering Andrew Showstead.

The panel spoke in front of a full room of 100 bankers and credit union executives. CNB is a $100 billion bank that was recently acquired by RBC whereas First Central Savings Bank has about $1 billion under management so the discussion focused on banks of all sizes.

IronVest is an AI and machine vision based solution that fuses user identity with real-time actions, creating an intent-based verification that eliminates account takeovers, session hijacking, scams, first-party fraud, and emerging AI threats.

Two key observations by Showstead stood out.

The panelists were asked, “Most banks have enabled RTP receive but not send, largely due to fraud and liability concerns highlighted by scams on push-payment rails like Zelle. What path forward allows banks to offer real-time P2P payments without taking on unbounded liability?”

Showstead commented, “Our industry has been trying to solve a real-time payment problem with tools designed for a batch-processing world. The underlying rails supporting push payments (Zelle, RTP, etc.) aren't broken, the problem is that our fraud and scam controls haven't kept pace with the irrevocability of the payment itself.

The way I think about it: traditional fraud controls authenticate a customer at login, maybe send an OTP, and then treat the session as trusted. That was a defensible posture when payments had settlement delays and human review windows. In a real-time, irreversible environment, that posture creates enormous exposure.

What changes the equation is verifying identity concurrently with transaction entry — not as a step-up prompt that adds friction, but running transparently in the background while the customer is executing the payment. The question you're answering in real time is: is the legitimate account holder present right now, entering these specific values, with full awareness of what they're authorizing? If you can answer that deterministically, you've essentially closed the door on account takeover and unauthorized fraud entirely. And when you have that forensic record, it also resolves the first-party fraud problem — the "friendly fraud" claims where a legitimate customer completes a transaction and later disputes it. That record makes those claims unsustainable

Banks don't have to choose between offering Zelle and managing fraud risk. They need controls that match the speed and finality of the rail.”

The host followed up mentioning that the industry spends enormous energy on "Know Your Customer" and if that is sufficient in a real-time payments environment?

“No, and I think this is the most underappreciated gap in the current conversation”, Showstead stated. “We've built extraordinarily sophisticated processes for understanding the sender. We know their history, their device, their behavioral patterns. And then we send money to a recipient we've done almost nothing to vet.

In a world with settlement delays, that asymmetry was tolerable. You had time to catch anomalies after the fact. In real-time settlement, you don't. Once that Zelle payment clears, it's gone — it's what makes APP scams so attractive to fraudsters.

The principle I'd advocate for is what I call "Know Your Recipient" — applying meaningful identity verification to the receiving party before the transaction settles, not after. This is actually where a significant portion of social engineering scams live. The customer is real, they're present, they're authorizing the payment, but they've been manipulated about who they're sending money to. Better authentication of the sender doesn't help you there. You need to know something about the recipient.

I'm increasingly seeing forward-thinking institutions start to ask this question seriously, and I think it becomes a regulatory expectation over the next few years. The institutions that build that capability now are going to have a meaningful advantage — both in fraud losses and in the liability frameworks that are still being worked out.