Bank Leaders on AI, Fraud & Trust—Money 20/20 Part 1 | “What The Fraud?” Podcast

THOMAS TARANIUK: Hello, dear audience, and welcome to “What The Fraud?”—a podcast by Sumsub, where digital fraudsters meet their match.

I’m Thomas Taraniuk, Head of Partnerships at Sumsub, the global verification platform helping to verify users, businesses, and transactions.

Today’s episode is a special one. We’re bringing you highlights from Money20/20 Europe in Amsterdam—the heartbeat of the fintech world this week—where the big topics are fast-moving innovation, rising risk, and what it really takes to build trust in modern finance. And this time, we’ve partnered with “the c-suite podcast”—bringing you inside the room with the people shaping the future of money and stopping fraud before it starts.

Our first guest is Mitch Trehan, Chief Compliance Officer at Allica Bank. Let’s get into it.

Mitch Trehan, Chief Compliance Officer at Allica Bank

THOMAS TARANIUK: Everyone’s talking about innovation moving faster than regulation within this industry. Where do you think the tension is greatest as a compliance lead? And how do you keep things moving without slowing growth within your industry — and specifically your business use case?

How can compliance keep up with innovation without slowing growth?

MITCH TREHAN: Let me talk first about how we hear these buzzwords a lot—innovation, everyone’s innovating, and regulation—and what that means. I look at it as having three distinct ways or channels that you can approach this.

1. Is regulation stifling innovation? And we’ll come to that.
2. Is regulation keeping up with innovation? look at what’s happening with the crypto space and AI—are people being protected? Because that’s one of the duties of regulation: to balance competition but also to protect people.
3. And then, is regulation actually creating innovation?

So, let’s go back to PSD2. Open banking only really happened—and all of those advances in fintech and all of that starting and taking stuff from the banks—was all because of PSD2. So regulation actually creates innovation.

Taking that to what you were saying next—about what the tension has been and what has happened—I think in the fraud space, have we really seen a lot of new regulation? I would say probably not. The biggest one in the UK, though, that we have seen is APP fraud.

Suggested read: Combating APP Fraud in Fintech

The PSR, a few years back, led by Chris Hemsley, came up with a concept of shifting where the risk is owned—to the institutions—to prevent authorized push payment fraud.

Now, for me, that was a huge shift, and the industry really had to stand up and react to it. The very interesting dynamic was that, all of a sudden, the financial institutions were on the hook. They were the ones that were going to lose the money, which really created a lot of innovation. We actually managed to achieve something as an industry to reduce fraud. For me, that was a great outcome.

But then you start talking about tension—where I think it’s really interesting, and people forget, is when you overlay fraud and consumer duty. Fraud creates friction. You want to stop the bad actors, but you also have an obligation under consumer duty not to impact people’s payments, the flow of funds, etc.

So you could be doing everything right morally—“I want to stop these payments to protect you from fraud or to protect others from fraud, the victims that might be there” —but if you get that wrong, then there’s a consumer duty claim that comes through. I think that tension is super interesting, particularly as there isn’t regulatory specificity for fraud like there is for AML.

So, what does it mean when things go wrong? The question I ask is: are we now relying on ombudsmen to really unpick and figure out what’s right and what’s wrong? And is that where we want to be as an industry? I would really question that and challenge that.

THOMAS TARANIUK: Mitch, from your experience, what types of fraud do small and medium-sized businesses face most? And how would you design a strategy to protect them without actually adding unnecessary friction within their lives and day-to-day payment practices?

What types of fraud are most common for SMEs, and how do we stop them without adding friction?

MITCH TREHAN: Again, I’m going to split this into two parts because friction is sometimes there to protect the customer directly. And sometimes friction is there not to protect that customer, but to protect the industry at large or to prevent bad actors. So you’re not actually causing friction to protect that company—you’re causing friction to make sure that you’re not getting a fraudster company coming through.

So let me come back to the first part of your question: what are the typologies that we would say SMEs see the most or are victim to the most? Two come to mind immediately. One would be invoice redirection. The SME hears from who they believe is their supplier, saying, “Oh, we’ve changed our bank account details. Let me give you the new details.” The SME then makes a payment to the wrong third party. They believe they’re paying their supplier, and unfortunately, it goes awry to the wrong person.

The friction on that reminds me of my time with my daughter. We used to watch ‘Dora the Explorer’ when she was much, much younger. And in Dora the Explorer, there was always that “Stop and Think.” That’s where you create friction in the payment journey. You’re like, stop, think—has there been an invoice redirection, potentially? Is this really your CEO that’s called you asking you to make this payment? Have you validated it?

Because that’s another type of fraud SMEs get hit with. Someone calls up the treasury department—with AI and the advent of generative AI, you can sound like anyone you want, right?—sounding like the CEO saying, “I need you to make a payment to this beneficiary, do it urgently.” And people follow that. So you can create friction in the journey there.

I think the other part, though, is where we want to protect society and the industry at large—and the friction that comes with that. That’s where SMEs really, really get impacted, because the good actors just want to continue their business. They just want to open a bank account. They just want to have a loan. But there’s friction in that journey to ensure they really are who they say they are and we’re not dealing with fraudsters. I think that’s where sometimes there are two sides to friction:

• protecting that individual or that company, and
• protecting society at large. That’s a very different type of friction.

You just need to keep running the stats. Keep seeing what’s coming through the cracks, what’s slipping, really being on top of suspicious activity and identifying ways—with that new data point—to go back and see how did that slip through, and how do we prevent that.

So there’s a right amount of friction. And again, I bring it back to what I said in the first part—consumer duty overlays that. If you’re taking too long for anything and they’re being impacted, the consumer duty aspect comes in. And then, are we leaving it up to the ombudsman to decide what was right and wrong? Really interesting.

Are AI tools in fraud prevention still fit for purpose?

THOMAS TARANIUK: When we’re talking about SMEs at large as well, it’s really important to make sure that they are supported in making these decisions, both from a regulatory framework point of view, but also in backend technologies. When we’re looking at complex AI frameworks and the AI transformation we’re seeing across the industry, it’s affecting fraud both as a tool used by fraudsters to go after businesses, and take advantage of these businesses, but also the users. But more importantly, do you think these tools and frameworks that businesses currently rely on are still fit for purpose when we take into account artificial intelligence designs that are aiming to take advantage of gaps in businesses or SMEs?

MITCH TREHAN: AI is changing everything for everyone rapidly. Do I think people are keeping up? I would probably say no. Let’s really get into the detail here. What are the risks that are coming through with this new generative AI?

People can pretend, with deepfake, to really convince systems within financial institutions that someone is somebody else. So you’ve got that impersonation fraud. And yes, there are more and more tools coming in on the defense side within financial institutions to protect SMEs.

Suggested read: The Dark Side of Deepfakes: A Halloween Horror Story

But we hear a lot about “AI to protect AI.” Now, I’ve been walking around the floor, and I’ve been speaking to a few AI firms here. What I find really interesting is: I would really start challenging them on the floor. And unfortunately, sometimes I don’t think they’re bringing the right people to these stands.

So what I’m asking is: you have, on your stand, “mule fraud,” “account detection.” And I get really excited by that, right? The geek in me comes out and says, “Tell me about what you’re talking about here. How are you using AI to find and detect mule accounts? What typologies are you looking for? What does that look like?” And unfortunately, no one’s giving me that right answer yet. No one’s really talking me through how they’ve solved that problem.

So there are a lot of buzzwords out there. A lot of people are saying “AI is doing this, AI is doing that.” But I really want to hear what the answer is. How is it doing that? What are the actual specifics and the rules that you’re looking for?

So taking that all into consideration—I think AI is actually supporting criminals, because people are using it to innovate rapidly. And we’re about to see how that’s going to change the whole industry. That will also create more defense. But from what I’m seeing and hearing across the floor—people aren’t keeping up with these threats yet. Or at least, they’re not telling me how they’re keeping up with them yet.

THOMAS TARANIUK: When we’re looking at businesses eventually taking AI as a shield, what would happen if these frameworks failed? Who would bear the risk at the end of the day?

Who bears the risk when AI-based fraud prevention fails?

MITCH TREHAN: It’s going to come down to what the individual characteristics of that situation were. How much did the victims actually take on board that they have some form of responsibility—their own standard of caution?

With APP fraud coming in, and the way the industry is moving at large, people are expecting someone else to protect them. They’re saying, “Oh, I will make these payments, I will do this, I will do that — because my bank will protect me. My financial institution will give me my money back.” And sometimes, if the financial institution has really messed up and not done what’s proportionate and correct—I think that’s 100% right.

But the concept where some people say, “Well, we are just the institution. What you do is up to you, and that’s the end of it,” isn’t right. There is an obligation on institutions to help protect, defend, and stop fraud. But I also think the customers themselves have to take some risk, some understanding, and some accountability and responsibility.

Look at SMEs, for example. You’ve got the directors of that SME. They have a fiduciary duty to that business to do the right thing. And if they’re not, and they’re failing in those fiduciary duties, I think the risk should also sit there.

So who owns the risk? Very, very dependent on the situation—who’s the one that did something objectively incorrect. But we come back to what I was saying before—are we relying on solving these problems with the ombudsman?

THOMAS TARANIUK: That’s the thing. And it’s a very manual and difficult task to think of—but absolutely right. I think it is broken down into: there’s a fiduciary business duty, the owner, etc., to actually look after their community, their shareholders, and the community as part of the wider ecosystem.

But at the end of the day, individuals need to be educated on the risks at hand—the types of fraud out there—to make sure that they understand that friction is there to protect them, not to make their lives more difficult.

But we’re at Money20/20, Mitch, so I would love to ask you the question of the day. What’s one piece of advice you would give to fintechs and payment companies here who want to scale quickly, but remain compliant at the same time?

Compliance advice for fintechs and payment companies: How to scale quickly while staying regulatory-ready

MITCH TREHAN: Scale quickly, fintechs—but be compliant. So, there are a few angles to this.

Make sure you’ve got the right people in the room when making decisions. Make sure the compliance person that you’re working with has a seat at the table upfront. Make sure it’s the right compliance person. So:

A) a person that can make decisions

B) a person that’s proportionate.

Anyone that wants to scale fast needs to have that proportionality. What is good today—and what’s appropriate for your business today—is only going to be appropriate for that size of your business. And as you’re scaling—you’re going to be smaller to start with—you need to have proportionate, acceptable controls there. But as you scale, you have to revisit. And I think that’s a key part.

Compliance people—I know, I’m one—have a tendency to want to really stop everything and do things perfectly. That’s not the right way to innovate and grow, because you’re trying to solve for edge cases that may not happen when you’re so small. So my advice would be: focus on that bulk. Figure out what your 80% is. Have tolerance for the edge cases. Have budgets set aside for the edge cases. But really solve the big problems—which are the quick problems—and then revisit. Look at it again in a few months and check: is this still right for the size of our business as we’re scaling?

It’s like cleaning your teeth, is what I always say. You don’t clean your teeth once and then say, “That’s it, my teeth are clean, I’m done.” Compliance is like that as well. You have to revisit, come back, recheck—how do I advance it? What were the cases I’ve seen that can allow this business to grow and still protect everyone that’s involved?

THOMAS TARANIUK: Mitch, I love that analogy as well—continual, evolving business hygiene. And at the end of the day, you need to do that within whatever sector you’re in to make sure that you’re compliant with evolving threats. And today, those threats are disproportionately growing in terms of scale—and also accessibility to fraudsters as well. But Mitch, really appreciate your time today on “What The Fraud?” Thank you for joining us.

MITCH TREHAN: Thomas, it’s been an absolute pleasure. Thank you for having me.

Daniele Tonella, Chief Technology Officer at ING

THOMAS TARANIUK: Now I’m joined by Daniele Tonella, Chief Technical Officer at ING. Daniele, thank you very much for joining us on “What The Fraud?” here at Money20/20 Europe. I’d love to kick off with a quick question. How should banks balance rapid innovation with long-term system stability from your experience, especially as pressure builds to modernize everyday banks? And this is growing from 2025 into 2026 as well.

How should banks balance innovation with long-term stability?

DANIELLE TONELLA: Look, multiple dimensions. The first one: rapid innovation is not everything that a bank should do. Rapid innovation requires a vision of what the purpose is for the client so that you can tune the decisions that you’re making. And then, to enable rapid innovation, you need to allocate your available resources in a mature way. So, you need to find the strength not to devote everything to what seems like innovation, but also devote things to what I call the “feng shui of tech,” which is essentially cleaning up what you’re sitting on and continuing to create that space in your resources to explore and innovate rapidly.

Then there is a big element of culture. ING has a phenomenal agile culture that is very conductive to innovation. It requires a framework of invisible controls around it, because if you just let 20,000 people run around, it’s very difficult to converge on focused, rapid innovation. So that framework is, on one side, vision and purpose, and on the other, the whole mechanism of how to make agile work.

THOMAS TARANIUK: How much of the hiring strategy is focused on making sure that employees at ING are great—that they have experience around compliance, but also experience in future-proofing organizations such as banks?

Hiring for compliance and innovation: What’s ING’s talent strategy?

DANIELLE TONELLA: We have about 20,000 engineers. So, we keep hiring because people go, people move, people change. That’s one element. We hire specialists in various areas, and we cannot hire people that know everything. So, the challenge here is more about orchestrating that human complexity, where everyone is bringing a spike in knowledge but has to be able to function in the system. This is where the ability of the company lies—not in delegating everything to everybody, but in orchestrating the complexity and having specialists intervene where it makes sense.

THOMAS TARANIUK: And there are so many different types of fraud, especially within cybersecurity and other areas these days. You need specialists who are very focused, right? From your experience at ING, what are the biggest threats that you see within cybersecurity, and from a cybersecurity perspective?

Top cybersecurity threats in banking: ING’s perspective

DANIELLE TONELLA: Of course, AI is emerging. AI is emerging as a threat vector because it accelerates the type of attacks. It can make them more sophisticated—both in the exploratory phase, when attackers are scanning your systems, but also in attacks that are directed at our clients. Everything around phishing and scamming—they can become so realistic that the level of protections has to evolve correspondingly.

Suggested read: Fraud Trends for 2025: From AI-Driven Scams to Identity Theft and Fraud Democratization

THOMAS TARANIUK: Completely agree. And when we have new regulations such as DORA—the Digital Operational Resilience Act—this regulation is designed to enhance the resilience of financial entities across the European Union or the pan-European area. And this is specifically against cyber threats as well. What impact do you think it will have, as it is still a very topical question and area that we’re looking at?

What impact will DORA have on financial cyber resilience?

DANIELLE TONELLA: Look, it will have a phenomenally positive impact for at least two reasons. The first one is: every bank and every large institution has always run DORA-like types of activities inside. They were just very deep in the organization. DORA brought them to the surface and gave the organizations complete attention to the necessity of working on incident management, working on reliability, working on these nitty-gritty elements. That’s one side.

The other one: DORA has shed a very important spotlight on the third-party risk management side. Because banks like ours have a very fragmented supply chain of technologies, products, providers, and all of them play a role in the risk chain. So, if one of my key providers goes down or gets an issue, I have an issue serving clients. Risk management along the chain is something that DORA has really brought to the surface, and it is a profound addition to the systemic reliability of banks.

Suggested read: How to Check if a Company is Legit

THOMAS TARANIUK: How challenging is it to manage internal risk versus external third-party or procurement risks that you find at ING?

Managing internal vs. external risk in banking IT systems

DANIELLE TONELLA: Internal risk has the advantage that everything is under your control. So, it’s a matter of execution. External risk—there is a legal boundary between you and the supplier, and then it’s a part of negotiation. Some suppliers have used the DORA argument to try to raise prices. And there is not really a correlation between the two things. But that’s negotiation.

And the other challenge is that banks are regulated, and not all of the third parties are under the same regulation. Now, the ECB is starting to raise the pressure on critical third parties. But historically, if you are a smaller third party—you can pick one at Money20/20—you are not necessarily under the same regulation that we are. So, we are carrying that risk in front of clients, in front of regulators. That is a challenging part.

THOMAS TARANIUK: And you want to decrease that risk profile for yourselves moving forward. And yeah, especially as different businesses will rely on different software vendors for their everyday activities—for breaking into new markets, for launching digital services—it makes it ever more cumbersome. But from your perspective, Daniele, at ING, how would you future-proof your systems to ensure prevention on the fraud side is keeping pace with this innovation and your strategy for growth?

How ING future-proofs its systems against evolving fraud threats

DANIELLE TONELLA: It’s multiple axes, and some axes are simply clean-up, if I may say. Because knowing everything about your systems—the data layer that you need to have—is a precondition for everything else. So that’s one action that the bank has been working on for years.

The second actions are new technologies. We keep exploring emerging technologies that help us cope with these types of attacks and threats.

And the third thing is work on the client side. So, we have deployed features on our mobile app. For example, there is one that says: if you are getting called by somebody pretending to be ING, you can open the app, click a button, and it tells you, yes, it’s us calling, or no, it’s somebody else.

THOMAS TARANIUK: That’s an amazing feature.

DANIELLE TONELLA: It’s a very simple feature, but it has reduced that type of fraud by 50% in one of our countries. And this is about intervening, helping the user and the client cope with the risk that they are exposed to.

THOMAS TARANIUK: Amazing types of anti-fraud procedures. Add a tiny bit of friction, but they do protect both the user and the business at large. And the community is what we care about, especially from our side as well. From your perspective at ING, what do you see as the biggest growth in fraud in the future? Is there a specific type or vector of fraud that you’re particularly worried about, or do you think it’s going to be smooth sailing from here on out?

Biggest fraud trends to watch: What’s next for cybercriminals?

DANIELLE TONELLA: I mean, cybersecurity has never been smooth sailing, right? Because it’s a marketplace too, right? So, attackers—we need to raise the cost for attackers to the point where their business case is no longer flying.

THOMAS TARANIUK: If it’s still profitable for them, they’re still going to be targeting, right?

DANIELLE TONELLA: Right. Exactly. So, it’s a matter of raising the cost of success. The emerging vectors that we see are everything AI-driven—and essentially two dimensions.

One is everything around deepfakes, be it in interactions with clients, but also in the forging of documents. Because a lot of our decisions are based on official documents. Forging is a risk that AI has increased massively.

The other one is AI is giving analytical capabilities to attackers to fingerprint us better than what was possible before. And that means that we need to be even stricter on the levels of protection that we have inside.

THOMAS TARANIUK: It’s scary stuff, but I think there’s a light at the end of the tunnel.

DANIELLE TONELLA: Has always been.

THOMAS TARANIUK: Yes, completely agree. Daniele, thank you so much for your time today. Really a pleasure to meet you and learn more.

Katherine Yeung, Chief Risk & Compliance Officer at 10x Banking

THOMAS TARANIUK: So we’re joined today by Katherine Yeung, of course, the Chief Risk and Compliance Officer at 10x Banking. Katherine, thank you for joining us today.

Embedding a proactive risk culture in banking

Very glad to have you here. You’ve worked across high-risk industries and led enterprise-level transformations across the board, Katherine. What’s the key to embedding a risk culture that’s proactive, not reactive, at the end of the day?

KATHERINE YEUNG: Tom, that’s such a good question. And I can see that you’ve already done your homework about my industry background. So, for everyone’s benefit, I’ve been around the block a bit—starting as a consultant, then working in aviation, and most recently in tech and payments.

THOMAS TARANIUK: A bit of everything.

KATHERINE YEUNG: Absolutely. And I think everything draws back to the point about culture. Culture can be seen as a nebulous word, because what is culture? Culture is what you do when no one is looking, right? For me, culture comes back to one key thing—and I know it sounds cliché—but really, it’s about winning hearts and minds. What I mean by that is, first of all, it needs to come from the top: what is important for the company? Why are we really doing all this risk management? At 10x Banking, we know banks are all about managing risk, and therefore we cascade that across the company—awareness, understanding, and, really, continuous learning. But the second bit I really want to emphasize is data—how are we truly leveraging data insights to make risk management proactive, rather than reactive?

Can compliance be a growth engine, not just a checkbox?

THOMAS TARANIUK: Very good points, Katherine. But from your perspective at 10x Banking, do you believe compliance, onboarding, or treating identity verification as a checkbox is the right approach? At the end of the day, do you think it can actually help businesses grow faster—especially when working with 10x Banking?

KATHERINE YEUNG: Specifically for compliance, I know there are folks who continue to see it as a checkbox exercise—just doing the right thing to make sure we onboard the right customers and avoid fraudulent activity. But the key, in my view, is three things that can really drive profit engines for banks and FIs. I call them the three Ds:

• data
• decision, and
• dynamic interoperability

First thing is data. The challenge for existing banks is that they have a lot of legacy systems that have been around for decades. For example, I’ve had the frustration—and maybe you have too, Tom—where you’re speaking to your bank about one account, and they say, “Oh, I didn’t realize you also have a mortgage with us.” That shows how siloed things are. So, we need to leverage data better.
Second is decision. Going back to the point of this podcast—fraud—how do we make sense of all these data points to truly understand who the person is, what their biometrics are, and how they bank? Having all the data is important, but ultimately it’s about enacting that decision quickly and seamlessly. At 10x Banking, we’ve achieved world-class transaction speed—100K per second. That means we can process huge volumes in real time, enabling AI-driven fraud checks that stop fraud at the right moment. For example, we can freeze accounts linked to suspicious activity while continuing to open legitimate ones—thanks to cutting-edge APIs. That’s really exciting.

Core tools banks need to future-proof their fraud defenses

THOMAS TARANIUK: It makes a lot of sense, Katherine. So, if I took off my shoes and stepped into the shoes of a bank, and asked you: what are the key characteristics or tools my business should use as core infrastructure to future-proof fraud detection, what would you stress—and why?

KATHERINE YEUNG: What I would stress—let me share a stat. We conducted a survey with 300 senior IT decision-makers in banks worldwide. They said they know they need to move from siloed banking systems to cloud-native systems to truly unlock data insights and dynamic decision-making. They recognize the need and urgency to move to cloud-native systems like 10x.

But why haven’t they made the decision yet? Because it’s tough. We get that. That’s why we’ve launched world-class, AI-driven tools earlier this year to make it much easier and more seamless.

Now, going back to your earlier point, Tom—why is this a growth engine? Because once you have data insights, you unlock new opportunities. Let me give two exciting examples. One is B2B. When banks have this data, they can sell “click-as-a-service” capabilities. That’s really exciting.

The other is product personalization. Knowing how a customer banks and spends enables gentle nudges—like saying, “Hey Tom, I see you love traveling. Would you like a savings product to help you hit your travel goals by year-end?” These hyper-personalized products increase both uptake and retention.

Fraud trends to watch: AI-driven threats in 2025

THOMAS TARANIUK: Stickiness is always key, of course. Customers need protection—whether they’re merchants or retail users. And when it comes to fraud, it’s an ever-evolving game, right? Fraudsters always find new ways to challenge businesses like yours. So when you look ahead, what do you see as the main challenge in the market—especially with emerging fraud types in 2025?

KATHERINE YEUNG: Yes—and I’m sure you’ve heard this—AI-driven fraud. AI technology is evolving at a rapid pace. As Chief Risk and Compliance Officer, and for banks generally, it’s critical to have the scale to implement countermeasures instantly. That’s why I go back to our 100K-per-second transaction speed—because it allows us to process insights and block fraudsters in real time.

THOMAS TARANIUK: At the same time, that’s super important—you’re matching the scale, which is perfect. Thank you, Katherine, for joining us today on “What The Fraud?” and “the c-suite podcast”. It’s been great to meet you.
KATHERINE YEUNG: Thank you so much for having me, Tom.

David McHenry, Managing Director, Head of Global Treasury & Payments Advisory in the UK, HSBC Innovation Banking

Reflecting on the first two years of HSBC innovation banking

THOMAS TARANIUK: So today we have David McHenry joining us from HSBC Innovation Banking. He is the Managing Director and Head of Global Treasury and Payments Advisory in the UK for the business. David, great to have you on here and great to see you at Money20/20.

HSBC is a big name, and the innovation banking division launched with the aim of enabling businesses focused on innovation to compete globally. And you’re two years in now, right? What milestones or shifts stand out the most for you during that time?

DAVID McHENRY: It’s been an amazing two years. We started with a focused transition in the UK, moving from our old tech stack into HSBC’s, which took about five or six months. It was a great experience—tons of connectivity and a global team effort. After that, we focused on enabling new solutions for clients: opening gateways, supporting global expansion, and scaling products. Now we’re starting to pilot new capabilities, where innovation banking becomes the first to leverage them—hopefully to be adopted across HSBC. It’s been a wild ride, but our clients are really benefiting from what we’ve built.

Serving high-growth fintechs and global innovators

THOMAS TARANIUK: Excellent. It sounds like a wild two years indeed. What does HSBC Innovation Banking look like from the perspective of a bank designed to serve fast-growing customers like the payments companies, fintechs, and SMEs we see at Money20/20?

DAVID McHENRY: Innovation Banking is built for hypergrowth companies—often with complex ownership structures. We’re often their first real banking partner, helping them scale from product development through global expansion. We support them through all stages, from early banking to IPO, while also serving their investors—venture capital and private equity. It’s a continuum of support across their full journey.

Emerging fraud threats across growing client bases

THOMAS TARANIUK: It’s a multi-pronged approach, especially when dealing with different business units. From your perspective, what are the biggest growing vectors of fraud across your client base, especially in areas like life sciences or tech?

DAVID McHENRY: Honestly, it’s similar to what everyone faces—phishing, spoofing, and malware. But early-stage companies are especially vulnerable. Their teams are small, their focus is on product, and often the business acumen or controls are still developing. For example, an email that appears to come from a CEO requesting urgent payment may be legitimate—or not. Bigger firms have more experience spotting these. So, we help startups build the right processes, approvals, and banking safeguards to slow down and interrogate suspicious activity—like speed bumps to prevent unintended payments.

Managing friction and customer experience in fraud prevention

THOMAS TARANIUK: That’s super interesting. When we talk about these “speed bumps,” they aren’t frictionless. How difficult is it to communicate their importance, and to roll them out across different business units while facing evolving fraud tactics?

DAVID McHENRY: When it comes to fraud, compliance, and regulation—you just have to explain it. Some friction is unavoidable, like two-factor authentication or dual approvals. The key is inserting it at the right times, so it’s useful rather than annoying. We’ve all had to click through cookie banners, for example—it’s a speed bump, and while annoying, it’s necessary. For high-growth companies that value seamless UX, we try to implement protective friction in smart ways—thoughtful, contextual, and at the right moments. And they’re vocal about the experience they want, which helps us build better solutions.

How HSBC Innovation Banking uses AI to fight fraud

THOMAS TARANIUK: I completely agree. And speaking of technology—you’ve heard of this AI thing, right? Everyone’s talking about it at Money20/20. How is HSBC Innovation Banking using artificial intelligence or machine learning to prevent fraud or improve compliance for SMEs and users?

DAVID McHENRY: Definitely. AI isn’t new in banking—we’ve used it for years under the banner of machine learning. Transaction monitoring, for instance, has long relied on these tools. What’s changed is the scale and sophistication. Now we’re using AI not just in fraud detection, but also in onboarding—digitizing more of the journey with ID verification and intelligent automation. On the client side, we’re starting to explore ways to enhance digital channels, like smarter chatbots or AI-assisted cash forecasting. It’s about enabling faster, more accurate decisions throughout the journey.

Advice for fintech leaders scaling through risk and growth

THOMAS TARANIUK: Absolutely. You’ve mentioned a lot of ways AI can help—from onboarding to behaviour analysis. And being here at Money20/20, I’m sure you’ve spoken to a lot of fintechs. What’s one piece of advice you’d give to fintech and payments leaders who are scaling and trying to manage fraud risk at the same time?

DAVID McHENRY: The biggest thing is to remember: you’re not just building a product—you’re building a company. That means developing internal processes, documentation, and financial controls alongside your tech. Set up policies early. Establish separation of duties. Engage your board on oversight. And choose partners who can grow with you—not just today, but when you expand globally. You don’t want to outgrow your platform or bank at a critical stage. Find partners who can unlock new markets when you’re ready.

THOMAS TARANIUK: I couldn’t agree more. Some great points there, especially about internal frameworks and vision. Hopefully that’s something you’re carrying across HSBC’s broader operations too. Thanks so much for joining us on “What The Fraud?” here at Money20/20 Europe in Amsterdam.

DAVID McHENRY: Terrific. Thanks for having me.

Lee McNabb, Head of Group Payment Strategy, NatWest

THOMAS TARANIUK: So we have Lee McNabb joining us now. Of course, working at NatWest as the Head of Group Strategy within the payments division—or should I say payment strategy?

LEE McNABB: Payment strategy is probably better, but then we can add in partnerships and innovation at the same time. So, there’s lots going on.

THOMAS TARANIUK: So you do a little bit of everything.

LEE McNABB: A little bit of everything—yeah, a lot of none.

THOMAS TARANIUK: Excellent. Well, thank you for joining us here today at Money20/20. I’m excited for this conversation. Let’s start off with a bit of insight. From your perspective, what’s the hardest part of modernizing the payments stack inside big traditional banks—especially internationally? And how do you keep up with evolving customer expectations while also managing fraud risk?

Keeping up with evolving customer expectations while managing fraud risks

LEE McNABB: A bit of context—NatWest is a UK bank with around 20 million retail customers and over a million corporate customers. We’re the largest corporate bank in the UK. Why’s that important? Because when you’re that big, you’re moving systemic volumes and values of payments—about £70 trillion in value. So, modernization isn’t just about replacing systems; it’s about managing that scale responsibly.

There isn’t one challenge—but if I had to pick one, I’d say patience. Sounds odd, but changing payment infrastructure requires time and conviction. Payments touch everything—from mobile apps to branches, through countless systems before returning to the scheme or customer. You can’t just throw money at it and expect it to be fixed in a month. To succeed, we align compliance mandates with customer improvements and architecture upgrades. We’re moving to cloud and API-first architecture to be future-ready. But again—patience and ongoing commitment are key.

Balancing real-time payments and fraud prevention

THOMAS TARANIUK: Definitely. And payments are essential across the organization and especially critical for customers, particularly now that instant gratification is the norm. Real-time payments are growing, but so is APP fraud. What do banks still need to figure out to make faster payments more secure and keep customer expectations in check?

LEE McNABB: Two things: first, our fraud numbers actually went down last year, though the overall trend is upward. Second, this is an industry-wide challenge. A lot of APP fraud starts on marketplaces. By the time the payment happens, it can already be too late.

We need better customer education—because often, the weakest link is human. Criminals are getting more sophisticated, especially with AI, and we’ve spent billions to protect customers. But protection isn’t about frictionless experiences anymore—it’s about appropriate friction. If I’m sending £1 million, I want an extra layer of confirmation. If it’s £5, I probably don’t.

THOMAS TARANIUK: So, is it also about communicating friction better—setting expectations?

LEE McNABB: Absolutely. Transparency and education are key. But there’s a challenge—most people now use phones or wearables, not branches. The interaction is digital and sometimes passive. You can flag risks, but many will still proceed. We’ve even sent police to stop fraud, and the customer insisted on going ahead. At the end of the day, it’s their money—but it’s a tricky balance.

Ethical AI and personalization in banking

THOMAS TARANIUK: And it’s their choice, ultimately. You mentioned AI earlier—and there’s huge excitement around how it can modernize and personalize banking. But how do you ensure personalization stays helpful, without pressuring users into poor decisions?

LEE McNABB: Great question. The ethical side of AI is critically important—for us and the industry. The growth in AI is incredible, but potentially overwhelming. We’ve used AI for years—our chatbot, Cora, helps millions of customers. It’s not new tech, but its capabilities are growing fast.

That said, we follow an AI code of conduct with strict principles around transparency, fairness, and customer control. It’s about using customer data to benefit them, not manipulate them. The goal is always to provide a better experience—but with clear boundaries and accountability.

Stablecoins and the evolving role of traditional banks

THOMAS TARANIUK: At Money20/20, stablecoins and tokenized money are major topics. How should traditional banks think about their role in this evolving ecosystem—and the compliance frameworks that come with it?

LEE McNABB: It’s a hot topic internally. I lead a lot of our innovation efforts at NatWest. We’re involved in initiatives like the UK Regulated Liability Network and Project Agorá—exploring how distributed ledger tech (DLT) can improve existing money movement.

Stablecoins aren’t new—they’ve been around for a decade—but their growth is explosive. Something like $240 billion moves through stablecoins now. Big—but compared to RTGS systems doing $850 billion a day, still small.

THOMAS TARANIUK: But the real-world application is growing?

LEE McNABB: Absolutely. The blend of agentic AI and stablecoins could fundamentally change commerce. Think AI doing real-time, intelligent shopping for you. And stablecoins are solving real problems—especially in cross-border payments. Today, most stablecoin use is in USD, essentially digitizing the dollar’s global dominance.

Will we buy our coffee with stablecoins? Probably not soon. But the infrastructure needs to be ready—banks will still be needed to get money in and out of that system. That’s the piece we’re working through.

Innovation blockers in banking

THOMAS TARANIUK: We don’t have a crystal ball, but we’ll revisit next year. Let’s shift to innovation. What tends to kill promising ideas in banking before they reach the customer?

LEE McNABB: Good question. I recently said this on stage: you need to be comfortable being uncomfortable. That’s key. Traditionally, we define a business case, then build the tech. But in this space, everything moves so fast—sometimes you’re doing everything at once.

As a heavily regulated bank, that’s tough. But we need to work within the boundaries while still pushing forward. Otherwise, we’ll never deliver meaningful innovation. You always have to hold onto the end goals: customer outcomes and commercial viability.

Predicting the next wave of global banking innovation

THOMAS TARANIUK: The market is always changing—expectations shift, and fraudsters get smarter. So, sounds like you’ll be busy for more than just the next year?

LEE McNABB: Definitely more than a year. I was here last year and AI and cross-border were the big topics. This year it’s stablecoins. Hopefully, by next year we’ll have regulatory clarity—especially in the UK. Always something new.

THOMAS TARANIUK: What do you think will be the most innovative global development over the next year?

LEE McNABB: I believe we’ll start to see real credibility emerge in the DLT programmability space—it’s no longer just about stablecoins. There’s growing momentum around how central banks are positioning themselves with central bank digital currencies (CBDCs). The key challenge will be addressing fragmentation in this digitised ecosystem and ensuring full interoperability.

That said, I don’t think there will be a single defining moment or solution. Rather, it will be a convergence of several elements. As I mentioned earlier, the fusion of agentic AI with existing technologies—like open banking—or digital payment innovations such as stablecoins, which in many ways represent the kind of ‘internet-native money’ we never built, is incredibly powerful.

Who will ultimately lead in this space? It’s hard to say definitively, but some clear frontrunners are starting to emerge.

Central bank digital currencies and future roles

THOMAS TARANIUK: CBDCs are an interesting part of that conversation too.

LEE McNABB: Definitely. We work closely with the UK Central Bank, which is focused on retail CBDC. We’re a couple of years from sandbox testing, but we have a few use cases in mind.

Suggested read: Regulatory Sandboxes—a Bridge Between Regulators and Business Innovation

The real challenge lies between public policy and regulatory priorities. Central banks want monetary control and stability. Governments want innovation and growth. Sometimes they pull in different directions, even though they’re on the same team.

As a commercial bank, we’re trying to position ourselves to serve customers regardless of where that balance lands. Regulation, utility, and customer benefit all need to align.

Building for adaptability and AI-first thinking

THOMAS TARANIUK: So future-proofing is the key—being flexible, but with a framework for growth?

LEE McNABB: Exactly. It’s about building tech that’s adaptable to whatever comes next. That’s why APIs are so important.

THOMAS TARANIUK: And will NatWest be moving toward AI-first?

LEE McNABB: We’ve just partnered with OpenAI—first UK bank to do that. So yes, I’d say we’re leading there. We’ve used AI for years—it’s just more visible now. It’s like protein in the food industry. It was always there, now it’s just labelled.

There’s a lot of hype—but underneath that, we’re focused on practical, ethical AI applications that are genuinely helpful for customers.

THOMAS TARANIUK: I completely agree with you. Lee, thank you so much for joining us here at Money20/20. Fantastic insights—great to meet you.

Thank you for joining us on this special episode of “What The Fraud?” We hope you enjoyed these conversations from Money20/20 Europe in Amsterdam.