The Future of Finance: Identity, Instant, Intelligence

The Future of Finance – Executive summary

Finance is being rebuilt on three reinforcing rails:

  • Trusted digital identity across borders (regulatory-grade digital ID, stronger KYC/AML, and privacy-first verification).
  • Instant settlement as the default (24/7/365 credit transfers, programmable rails, wallet-native UX).
  • Intelligence everywhere (AI in onboarding, risk, fraud and ops—balanced by new rules, model governance and human-in-the-loop controls).

Add in tokenised assets, open finance, central bank digital currencies (CBDCs), and deepfake-level fraud, and you get a decade in which operating models, controls and customer journeys will change more than they did in the previous twenty years.

Goal: Time-to-first-use ≤ 3 minutes for high-assurance onboarding.

This measures how fast a new customer can complete a full, regulator-grade signup (e.g., ID + liveness + device binding) and actually use the product (e.g., make a payment, view balance, or receive funds). Three minutes is the sweet spot: short enough to prevent drop-off, long enough to run proper checks. To achieve it, pre-fill data via document/NFC reads, run sanctions/PEP checks in parallel, cache risk scores, and push heavy investigations to post-onboarding monitoring if the real-time risk is low. Track the full path median (P50) and tail (P90/P95) and fix the slowest segments (image capture, address verification, step-up flows). Don’t “cheat” by deferring mandatory checks—design a fast + compliant path instead.

Fraud: ≥ 40% year-over-year (YoY) reduction in successful APP scams with stable false positives.

Authorised Push Payment (APP) scams happen when customers are tricked into sending money. Reducing successful cases by 40% year-on-year—while keeping false positives flat—proves your controls prevent loss without blocking good customers. Drive this with dynamic pre-send warnings (contextual to the payee), Confirmation of Payee, behavioural analytics on the authorising session, mule-account detection, and rapid post-event recovery playbooks. Measure prevented vs attempted cases, loss per 1,000 active users, and customer-initiated complaints. “Stable false positives” means your decline/hold rates and customer friction don’t rise to hit the target.

Payments: ≥ 99.5% instant transfer success within 10 seconds.

This is end-to-end performance on instant rails: from user authorisation to confirmation by the beneficiary’s Payment Service Provider (PSP). 99.5% in ≤10s ensures instant really feels instant and keeps support tickets down. Achieve it with 24/7 screening caches (low-latency sanctions/AML), resilient payment orchestration (provider failover, idempotency keys), and tight SLAs with counterparties. Monitor by corridor and by PSP, alert on latency creep, and separate user-side delays (e.g., the Strong Customer Authentication (SCA) step) from network or counterparty bottlenecks so engineering fixes are targeted.

Governance: 100% in-scope models inventoried, monitored, and override-capable.

“In-scope” covers any model (including scoring tools, risk engines, and automated rules that help decide or flag things) that can affect customers, compliance, or financial outcomes (onboarding risk scores, fraud interdiction, credit, collections, marketing eligibility). A full inventory with owners, purpose, data lineage, limits, and review cadence is the foundation. “Monitored” means drift checks, stability metrics, and outcome QA are live with alerts; “override-capable” guarantees a human can pause or overrule a decision and record the rationale. This protects customers, satisfies auditors/regulators, and speeds model iteration because you can prove control. Avoid vanity governance: test overrides in drills, sample decisions weekly, and track mean-time-to-detect and mean-time-to-mitigate for issues.

Below is your field guide—what’s changing, why it matters, concrete controls to implement, and a 12-month roadmap you can start tomorrow.

1. The four tectonic shifts (and why they’re compounding)

Shift A — Digital identity becomes infrastructure.
The EU’s revamped eIDAS framework (Regulation (EU) 2024/1183) puts a European Digital Identity Wallet on a formal track, with technical specs and certification rolling out via Implementing Acts. The aim is cross-border identity, high assurance, and selective disclosure—think “prove only what’s needed.” That’s a profound shift for onboarding, payments SCA, and age/eligibility checks.

Shift B — Instant payments as baseline.
The Instant Payments Regulation (EU) 2024/886 makes euro instant credit transfers mandatory in phases beginning January 9, 2025 for receiving, and continuing through 2025 and beyond for sending—driving 24/7/365 liquidity and new fraud pressures (confirmation of payee, sanctions screening in real time).

Shift C — Intelligence (AI) regulated and required.
The EU AI Act entered into force on August 1, 2024; obligations phase in over the next 1–3 years depending on system risk. Financial-grade explainability, data governance, and model monitoring are no longer “nice to have.”

Shift D — Tokenisation, stable value and CBDCs.
MiCA is live in phases (2024–2025) for issuers and service providers, clarifying crypto-asset supervision. In parallel, the Eurosystem’s digital euro is in a preparation phase through October 2025, with an issuance decision tied to the legislative process; experiments continue on rulebooks, infrastructure and offline payments.

Why it compounds: Verified identity reduces false positives; instant rails reduce friction; governed AI reduces manual toil; tokenisation reduces reconciliation pain. Together they reshape unit economics.


2. The identity layer: from “KYC as a document” to “KYC as a protocol”

What’s changing?

“KYC as a document” is giving way to “KYC as a protocol.” Firms increasingly validate cryptographic credentials rather than stockpiling photos of documents. Two pillars drive quality: assurance and minimisation.

What changes?

  • Digital ID wallets and selective disclosure (e.g., revealing age>18 without sharing your birthdate) reduce data sprawl and speed onboarding while keeping assurance levels high.
  • FATF guidance on digital identity supports a risk-based approach to remote onboarding and authentication when assurance levels and governance are strong.

Why it matters?

Higher identity assurance at onboarding propagates throughout the lifecycle—fewer false positives, lower manual review, better SCA pass-rates, and leaner AML alert volumes.

What good looks like?

  • Assurance-tiered on-boarding: route users by risk profile and evidence strength (government credential + device binding + liveness).
  • Attribute minimisation: request only attributes required for the service; store hashes or verifiable credentials where possible.
  • Continuous KYC: monitor identity risk drift (compromised devices, leaked credentials, credential revocations) rather than re-KYCing by calendar.


3. Instant payments: speed is fabulous—until fraud is faster

The regulatory shove
By Jan 9, 2025, EU PSPs must be able to receive instant euro transfers; sending obligations follow later in 2025 and beyond. Instant rails also mandate sanction list verification and IBAN/name checks with parity pricing vs standard transfers.

The fraud reality

  • UK Finance reports show £1.17bn lost to fraud in 2023, with APP (authorised push payment) scams the stubborn category; online platforms remain the dominant origination channel. Mid-2024 updates show declines in some APP metrics, but volumes remain huge.
  • Supervisors warn about rising romance and purchase scam patterns; the FCA recently criticised firm controls as insufficient.

Controls that work for instant rails

  1. Pre-send warnings contextualised to the payee risk (dynamic, not generic banners).
  2. Confirmation of Payee + behavioural biometrics on the authorising device.
  3. 24/7 sanction screening with low-latency negative list updates.
  4. Post-event recovery playbooks with inter-PSP escrow and rapid recall APIs.

Board question: Can we evidence that our warnings change behaviour? Track message variants, abandonment rates, and prevented losses per variant.


4. Fraud goes synthetic: deepfakes, voice clones, and fabricated IDs

The new threat surface

  • Reports from supervisors, consultancies and industry bodies describe 700%+ YoY increases in deepfake incidents in some fintech segments, rising synthetic identity activity, and regulator alerts specific to deepfake media penetrating onboarding and servicing.
  • Case studies include large-ticket video-call deepfake executive scams triggering multi-million transfers—illustrating how social engineering + AI can bypass legacy controls.

What changes in your control stack

  • Multimodal liveness (face + voice + motion cues) hardened against presentation attacks.
    → This means checking that the person on camera is real and alive — not a photo, video, or AI-generated deepfake. The system looks for small natural signs such as eye movement, head turning, or voice consistency to confirm it’s a live human during verification.
  • Cross-session device intelligence (secure device binding, sensor attestations, emulator/root detection).
    → The goal is to be sure the same trusted phone or computer is being used every time. The system recognises the device through cryptographic “fingerprints,” verifies that its security settings haven’t been tampered with, and blocks access from cloned or emulated devices.
  • Content forensics (frame-level artefact analysis, voiceprint anomalies).
  • Out-of-band confirmations for high-risk events that require a fresh factor (e.g., in-app cryptographic challenge) instead of a re-used second factor.
    → For especially risky actions (like transferring a large amount of money), the user must confirm the transaction through a separate secure channel — for instance, by approving it inside their mobile app instead of just clicking a link in an email. This prevents fraudsters from reusing stolen passwords or one-time codes.
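
The out-of-band confirmation in the last bullet, as an added example (not code from this article or from any vendor): a single-use challenge bound to the payee and amount, so a captured approval cannot be replayed or moved onto a different payment. HMAC with a per-device key stands in for the device-bound signature a real app would use; the class and function names, the 120-second window and the sample IBANs are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed validity window, not a figure from the article


def canonical(tx):
    """Stable byte encoding of the payment details the user is asked to approve."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_challenge(device_key, nonce, tx):
    """Device side: computed in the app after the user reviews payee and amount.
    HMAC is a stand-in here for a signature made with a hardware-backed device key."""
    return hmac.new(device_key, nonce.encode() + b"|" + canonical(tx), hashlib.sha256).hexdigest()


class ChallengeService:
    """Server side: issues and verifies single-use, transaction-bound challenges."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key enrolled at device binding
        self.pending = {}               # challenge_id -> (device_id, nonce, tx_hash, expiry)

    def issue(self, device_id, tx, now=None):
        now = time.time() if now is None else now
        challenge_id, nonce = secrets.token_hex(8), secrets.token_hex(16)
        tx_hash = hashlib.sha256(canonical(tx)).hexdigest()
        self.pending[challenge_id] = (device_id, nonce, tx_hash, now + CHALLENGE_TTL_SECONDS)
        return {"challenge_id": challenge_id, "nonce": nonce, "tx": tx}

    def verify(self, challenge_id, tx_to_execute, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)  # pop: each challenge works once
        if entry is None:
            return "unknown_or_replayed"
        device_id, nonce, tx_hash, expiry = entry
        if now > expiry:
            return "expired"
        # The payment about to be sent must be the one the user was shown.
        if hashlib.sha256(canonical(tx_to_execute)).hexdigest() != tx_hash:
            return "transaction_changed"
        expected = sign_challenge(self.device_keys[device_id], nonce, tx_to_execute)
        if not hmac.compare_digest(expected, response):
            return "bad_response"
        return "approved"


def demo():
    """Runs the approve, replay, changed-payee, expiry and wrong-key cases."""
    key = secrets.token_bytes(32)
    service = ChallengeService({"device-1": key})
    # Constructed sample payment; the IBANs are placeholders, not real accounts.
    tx = {"payee_iban": "XX00EXAMPLE0001", "amount": "9500.00", "currency": "EUR"}
    out = {}

    ch = service.issue("device-1", tx, now=1000.0)
    sig = sign_challenge(key, ch["nonce"], ch["tx"])
    out["approve"] = service.verify(ch["challenge_id"], tx, sig, now=1010.0)
    out["replay"] = service.verify(ch["challenge_id"], tx, sig, now=1011.0)

    ch = service.issue("device-1", tx, now=1000.0)
    sig = sign_challenge(key, ch["nonce"], ch["tx"])
    changed = dict(tx, payee_iban="XX00EXAMPLE0002")
    out["changed_payee"] = service.verify(ch["challenge_id"], changed, sig, now=1010.0)

    ch = service.issue("device-1", tx, now=1000.0)
    sig = sign_challenge(key, ch["nonce"], ch["tx"])
    out["expired"] = service.verify(ch["challenge_id"], tx, sig, now=1121.0)

    ch = service.issue("device-1", tx, now=1000.0)
    sig = sign_challenge(secrets.token_bytes(32), ch["nonce"], ch["tx"])
    out["wrong_key"] = service.verify(ch["challenge_id"], tx, sig, now=1010.0)
    return out


if __name__ == "__main__":
    print(demo())
```

A failed attempt also consumes the challenge, so every retry needs a freshly issued nonce.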

Metrics that matter

  • Presentation Attack Detection (PAD) false accept rate at the scenario level.
    → This measures how often the system is tricked by a fake or manipulated image during an identity-check video or photo.
    A false accept means a spoof (like a printed photo, mask, or deepfake) was mistakenly approved as real.
    Tracking this by scenario — for example, phone selfie, webcam, or kiosk — shows where your defences are weakest and where extra liveness checks are needed.
  • Synthetic ID catch rate before first credit/limit issuance.
    → This shows how many fake, stitched-together identities (made from real and invented personal data) you detect before you give them access to credit, limits, or accounts.
    A high catch rate means your onboarding and KYC controls are stopping fraudsters early, before any financial loss occurs.
  • Average time-to-contain for suspected APP scams.
    → This measures how long it takes your fraud or customer-protection team to spot and freeze a fraudulent Authorised Push Payment (APP) case after the money is sent.
    The shorter this time, the higher the chance you can recover funds or stop additional transfers.
    It’s a practical way to test how fast your monitoring, alerts, and response playbooks really work.


5. AI in finance: from pilots to governed production

The rule of law arrives
The EU AI Act imposes risk-based obligations (data governance, documentation, transparency, human oversight) with staged applicability: prohibited systems first; general-purpose AI next; high-risk uses later. The Commission has publicly held the line against delaying enforcement.

Your operating model

  • Treat model risk like credit risk: inventory, rating, controls, monitoring, and independent validation.
  • For customer-facing automation (onboarding decisions, transaction interdiction), implement challengeable decisions and clear appeal routes.
  • Capture model cards (purpose, data, limitations), and log explanations shown to staff/customers.
  • Maintain a model inventory, with risk ratings and owners.

6. Open finance: consented data as a competitive moat

Payments has already been reshaped by open APIs; the next wave is broader data access under the payments package (PSR) and forthcoming PSD3—debates continue on fraud liability sharing, data rights, and passporting. The direction of travel is clear: richer data portability with stronger controls.

Implication: The winners will stitch identity + payments + data rights into effortless journeys: instant onboarding, precise risk pricing, and proactive financial health nudges—without hoarding data.


7. Tokenisation and regulated crypto: clarity over hype

MiCA harmonises regimes for issuers and service providers; Level-2/3 measures have been landing through 2025 (RTSs on whitepapers, complaints handling, record-keeping, etc.). Expect Europe’s regulated token markets to grow where utility and settlement advantages are real.

Practical near-term:

  • Stable value for wholesale settlement and cross-border B2B, if compliant.
    → This means using digital tokens that keep a steady value (often linked to a real currency such as the euro) to move money between companies or banks.
    When properly regulated, these “stable” digital currencies allow instant settlement across borders — reducing the delays and costs of traditional bank transfers, while staying within financial-supervision rules.
  • On-chain collateral with clear custody segregation and reconciliation.
    → “On-chain collateral” means assets such as cash or securities that are recorded on a blockchain.
    Clear custody segregation ensures each client’s assets are held separately and cannot be mixed or reused by mistake.
    Reconciliation means regularly matching the blockchain records with internal ledgers and bank balances, so the totals always agree — just like a traditional audit trail.
  • Audit-ready controls: wallet proofing, key ceremonies, travel rule, market abuse surveillance.
    → These are the safeguards that make digital-asset operations trustworthy and verifiable:
    • Wallet proofing confirms that each blockchain wallet actually holds what it claims.
    • Key ceremonies are formal, witnessed processes for creating and storing cryptographic keys securely.
    • The Travel Rule requires identifying who sends and receives crypto transfers, helping prevent money laundering.
    • Market-abuse surveillance monitors trading activity for suspicious patterns or insider dealing.

Together, these controls let auditors and regulators confirm that all digital-asset transactions are legitimate and properly governed.


8. CBDCs & programmable money: from papers to pilots

The digital euro preparation phase runs through October 2025; rulebook work, infrastructure selection and offline prototypes continue. Across the BIS network, API-first CBDC designs (e.g., Project Rosalind) show how central bank ledgers could expose safe capabilities to private-sector apps.

What to prepare now

  • CBDC-ready wallets (UX, privacy modes, offline fallbacks).
    → This means designing digital wallets that can safely hold and use a central bank digital currency if it’s introduced.
    The UX (user experience) should make payments quick and intuitive, similar to today’s banking apps.
    Privacy modes allow users to choose how much information is shared for small everyday payments versus larger, reportable ones.
    Offline fallbacks ensure that people can still make or receive payments even when their internet connection is down — important for resilience and accessibility.
  • Merchant acceptance layers with instant settlement economics.
    → Businesses will need payment systems that can accept a CBDC just as easily as cards or mobile apps today.
    The merchant acceptance layer is the technical and commercial setup that lets shops, platforms, or service providers receive digital euros (or another CBDC) instantly.
    Instant settlement economics means the payment clears right away, without waiting for intermediaries — reducing transaction costs and improving cash flow for businesses.
  • Fraud/risk engines tuned to CBDC transaction signals (a live procurement theme in Europe).
    → Once CBDCs are introduced, new types of transaction data will become available (for example, digital-euro payment identifiers or usage patterns).
    Fraud and risk engines — the systems that detect unusual or risky activity — need to be adapted to read these new signals.
    In Europe, regulators and central banks are already exploring how financial institutions can integrate such capabilities, often through pilot projects or technology-procurement programmes.

Design principles

  • Rotate credentials as lifecycle events change (PEP/sanctions, address, income).
    → People’s circumstances change over time — they might move, get promoted, or appear on a politically-exposed-person (PEP) or sanctions list.
    “Rotating credentials” means updating or re-issuing their digital identity information whenever something important changes.
    That way, your customer data always reflects current reality, and compliance checks remain accurate without re-collecting everything from scratch.
  • Ask-only-what-you-need (and prove it cryptographically).
    → Collect only the minimum personal information required for a transaction or verification.
    Instead of storing copies of passports or full data files, you can use digital proofs — for example, a system that confirms someone is over 18 or lives in the EU without revealing their exact date of birth or address.
    This reduces data storage risks and keeps customer privacy intact while still meeting regulatory requirements.
  • Privacy budgets in analytics; sensitive features only with explicit governance.
    → When analysing customer data, set clear limits (“privacy budgets”) on how much personal or sensitive information analysts can access or combine.
    This keeps insights useful but prevents accidental exposure or misuse.
    If particularly sensitive data — such as health, ethnicity, or political donations — is ever analysed, it must be approved and logged through a formal governance process.
    The idea: data science should empower decisions, not compromise privacy.
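
Selective disclosure as described under “Ask-only-what-you-need” above and in the identity-layer section (“revealing age>18 without sharing your birthdate”), as an added example rather than code from this article or from any wallet specification: the issuer signs salted hashes of each attribute, and the holder reveals only the attribute that was requested. HMAC stands in for the issuer’s public-key signature, and all function names and sample claims are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def claim_digest(salt, name, value):
    """Hash of one salted claim. The random salt stops a verifier from guessing
    low-entropy values (a birthdate, a country) by hashing candidates."""
    payload = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def sign_digests(issuer_key, digests):
    # HMAC stands in for the issuer's public-key signature (assumption of this sketch).
    body = json.dumps(digests, separators=(",", ":")).encode()
    return hmac.new(issuer_key, body, hashlib.sha256).hexdigest()


def issue_credential(issuer_key, claims):
    """Issuer: salt and hash every claim, then sign only the sorted digest list."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(claim_digest(*d) for d in disclosures.values())
    credential = {"digests": digests, "signature": sign_digests(issuer_key, digests)}
    return credential, disclosures  # both are stored in the holder's wallet


def present(credential, disclosures, reveal):
    """Holder: hand over the signed digests plus only the requested disclosures."""
    return {"credential": credential, "disclosed": [disclosures[n] for n in reveal]}


def verify_presentation(issuer_key, presentation, required):
    """Verifier: return the proven claims, or raise ValueError."""
    cred = presentation["credential"]
    expected = sign_digests(issuer_key, cred["digests"])
    if not hmac.compare_digest(expected, cred["signature"]):
        raise ValueError("issuer signature invalid")
    proven = {}
    for salt, name, value in presentation["disclosed"]:
        if claim_digest(salt, name, value) not in cred["digests"]:
            raise ValueError(f"claim {name!r} is not covered by the issuer signature")
        proven[name] = value
    missing = sorted(set(required) - set(proven))
    if missing:
        raise ValueError(f"required claims not disclosed: {missing}")
    return proven


def demo():
    """Onboarding check that needs only the over-18 attribute."""
    issuer_key = secrets.token_bytes(32)
    # Constructed sample claims for a fictional customer.
    claims = {"age_over_18": True, "birthdate": "1990-04-12", "resident_country": "NL"}
    credential, disclosures = issue_credential(issuer_key, claims)
    presentation = present(credential, disclosures, ["age_over_18"])
    proven = verify_presentation(issuer_key, presentation, ["age_over_18"])
    return presentation, proven


if __name__ == "__main__":
    print(demo()[1])
```

The relying party stores only the returned attribute and the signed digest list, so the birthdate never enters its systems.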

10. Finance operations in the age of industrialised fraud

  • Synthetic identity abuse is climbing; deepfakes are now a routine vector in account opening and customer service fraud, per FinCEN alerts and industry surveys.
  • Enterprise playbooks must fuse fraud, AML and cyber: many scams straddle all three.
  • Human factors still matter: where deepfakes trick staff (e.g., “CFO on a live call”), out-of-band policy must be cultural muscle, not a PDF. Real cases show the cost when it isn’t.

Control accelerators

  • Step-up orchestration that can insert extra checks just for suspicious contexts (new device, atypical beneficiary, language change in chat).
  • Explainable interdiction so agents can confidently deny or delay a payment and defend the action.
  • Cross-firm intelligence: shared signals and consortium models (especially for mule detection).

11. Compliance horizon: what’s on the regulator’s desk

  • AI Act timelines: banned uses (already), then GPAI, then high-risk in 24–36 months. Expect Codes of Practice and sectoral guidance to keep evolving.
  • Instant Payments phasing across 2025–2027 for different obligations and participants.
  • PSD3/PSR: Council/Parliament negotiations have stretched into 2025; fraud reimbursement and data access scope remain hotspots.
  • MiCA: secondary measures continue to go live across 2025; watch ART/EMT regimes and service-provider RTSs.

12. Twelve-month transformation roadmap (practical and sequenced)

Quarter 1 — Identity and payments readiness

  • Instant readiness: meet receive-side obligations; implement confirmation-of-payee and 24/7 sanctions sync.
  • Fraud baselines: instrument metrics (PAD FAR, synthetic catch rate, APP-prevention effectiveness).
  • Map assurance: catalogue onboarding flows; add high-assurance path (document + NFC chip + liveness + device binding).

Quarter 2 — AI governance and fraud hardening

  • Model inventory & risk ratings per AI Act expectations; create model cards and set up challengeable decisions.
  • Deepfake controls: deploy multimodal liveness + voiceprint anomaly detection; write an OOBA (out-of-band) policy that trumps hierarchy.
  • Customer-centric warnings: personalised pre-send prompts proven to reduce APP losses (A/B test content and timing).

Quarter 3 — Open data, token rails, CBDC prep

  • Consent layer: unified consent UX and audit across data sources (open finance & bank data).
  • Token pilots: on-chain collateral with compliant custody; start wallet proof-of-reserves and travel-rule integrations.
  • CBDC-ready UX: prototype in-app offline flows; build merchant acceptance spines for instant settlement.

Quarter 4 — Operating model & culture

  • Three Lines refresh: embed AI/identity/instant competencies into Line 1 processes; equip Line 2 with adversarial testing skills.
  • Resilience drills: red-team a deepfake CFO scam; time the containment and recovery. Use lessons to tune controls.
  • Disclosures & reporting: build dashboards aligned to emerging AI and payments obligations, ready for regulator queries.

13. KPIs & “north-star” outcomes

  • Time-to-first-use post-onboarding ≤ 3 minutes (high-assurance path).
  • APP scam prevention: ≥ 40% reduction in successful cases YoY with stable false positives. (Benchmark against UK Finance trends.)
  • Model governance: 100% of in-scope models with current cards, drift monitors, and human-override.
  • Data minimisation: ≥ 60% reduction in stored sensitive attributes via verifiable claims/selective disclosure.
  • Instant payment success: ≥ 99.5% success within 10 seconds; sanction screening latency < 200 ms.

14. Governance checklist (board-ready)

  • Strategy: Instant, identity, and AI are core; tokenisation and CBDC are options with clear value cases.
  • Risk: Deepfake/synthetic ID included in risk taxonomy; fraud, AML and cyber are jointly accountable.
  • Compliance: AI Act & Instant Payments mapped to control owners and milestones; internal audit has a forward plan.
  • Data: Minimisation and purpose limitation by design; verifiable credentials where possible.
  • People: Train every frontline employee to recognise social-engineering + deepfake signals; codify out-of-band escalation.
  • Metrics: Publish PAD FAR, APP-prevention rate, model override stats, instant payment latency.

Closing argument: trust will be your ultimate product

Tomorrow’s finance brands will compete less on price and more on credibly orchestrating trust: verifying identity without hoarding it, moving money instantly without inviting loss, and using AI without surrendering accountability. Do that, and the future of finance gets simpler for customers and safer for everyone else.

FAQs for boards & audit committees

Q1. Are instant payments worth the fraud headache?

Yes—provided controls are dynamic. Instant rails reduce friction, cost, and cash-flow uncertainty; the new regulation requires parity pricing and better confirmation-of-payee.

Fraud risk rises if you don’t adapt pre-send warnings, device binding, sanctions checks and mule-account controls. Build the stack before expanding limits.

Q2. How quickly do we need to comply with AI rules?

The AI Act is in force; obligations roll in by category over the next 12–36 months.

Start with a model inventory, risk-rating and governance templates. Prioritise customer-impacting models (onboarding, fraud interdiction, credit).

Q3. Do digital identity wallets replace KYC?

No—they upgrade it.

You still perform CDD within AML frameworks (FATF), but with higher assurance, less data sprawl, and faster UX via verifiable credentials and selective disclosure.

Q4. Is deepfake fraud over-hyped?

Unfortunately not.

Documented cases include multi-million-dollar deepfake executive scams, and supervisors have issued alerts on deepfake media in financial crime.

Multimodal liveness + out-of-band confirmations are must-haves.

Q5. What does MiCA change for us if we don’t touch crypto?

It still matters—partners, counterparties or customers may operate under MiCA.

If you custody, collateralise, or accept stable value, you’ll need record-keeping, complaints handling, and whitepaper clarity per the new RTSs.

Q6. When could a digital euro impact our business?

Not tomorrow, but preparation is active through October 2025.

Plan wallet UX, merchant acceptance, and fraud controls now to avoid a scramble later.
