Securing the future of fast payments: The cybersecurity conundrum

Harish Natarajan, Dorothee Delort, Holti Banka, Nilima Ramteke & Guillermo Galicia Rabadan


 

This is part two of a 2-part blog series, Securing the future of fast payments. Part one: The open-source debate.


The first blog in the series Securing the future of fast payments covered the topic of open-source technology. In this second blog of the series, we cover cybersecurity aspects related to Fast Payment Systems (FPS). With great speed comes great risk. While fast payments come with many advantages, their instant nature and increased relevance for the digital economy have also made them a prime target for cyberattacks. Addressing risks to cybersecurity is crucial to ensuring fast payments remain safe, efficient and scalable.

Denial of service attacks, ransomware, and phishing scams are no longer rare events, but growing threats that can disrupt digital financial services, including payment services, and erode trust in financial systems. According to the International Monetary Fund (IMF), the financial sector has experienced more than 20,000 cyberattacks in the last 20 years, with operational losses of approximately USD 12 billion.

Key Risks and Mitigation Strategies

The World Bank’s recently published technical note on cybersecurity under Project FASTT (Frictionless Affordable Safe Timely Transactions) highlights key risks that FPS operators and regulators must address. These include:

  • Systemic Risk. A cyberattack on one FPS participant can quickly cascade through the entire financial system.
  • Fraud & Data Breaches. Fast-moving transactions create opportunities for bad actors to exploit system vulnerabilities before detection.
  • Third-Party Risks. Many FPS rely on cloud-based or third-party service providers, which, if compromised, can introduce new attack vectors.

To counteract these risks, FPS operators need to adopt robust cybersecurity frameworks that incorporate international best practices. This means implementing secure design principles, strong authentication mechanisms, real-time fraud monitoring, and well-tested incident response plans. Regulators also have a crucial role to play in ensuring FPS participants uphold these security standards and in contributing to sector-wide resilience.

FPS operators, regulators and stakeholders may consider the following strategies.

Adopt a Robust and Holistic Cybersecurity Framework. Implement comprehensive cybersecurity policies that encompass risk assessment, incident response, and continuous monitoring. Effective governance structures with clear roles and responsibilities are essential for cyber risk management. Operators align their cybersecurity strategies with international best practices, such as the Principles for Financial Market Infrastructures (PFMI) by BIS and standards like ISO/IEC 27002:2022 and the NIST Cybersecurity Framework.

Regulatory Flexibility and Principles-Based Frameworks. Regulators prioritize the safe and continuous operation of FPS and adopt principle-based cyber regulatory frameworks, sometimes supplemented with specific security requirements. Regular updates to regulatory rulebooks address risks introduced by emerging technologies.

Strengthen Collaboration Among Stakeholders. Foster partnerships between government entities, financial institutions, technology providers, and international bodies to share threat intelligence and best practices. Collaborative efforts enhance the collective defense against cyber threats. FPS operators should maintain situational awareness by leveraging threat intelligence capabilities. Information-sharing arrangements facilitate communication of threats and incidents among financial sector participants.

Conduct Regular Security Audits and Assessments. Perform periodic evaluations of security measures to identify and rectify vulnerabilities. Continuous improvement is vital in adapting to the evolving cyber threat landscape.

Incident Response and Business Continuity. FPS operators implement robust recovery mechanisms to ensure safe and uninterrupted operations in case of a cyberattack. Regular tabletop and crisis-simulation exercises test the effectiveness of business continuity and disaster recovery plans.

Strengthen Cyber Awareness and Transparency. A well-informed workforce and educated consumers are essential to securing fast payment systems. Regular cybersecurity training ensures staff can recognize and respond to emerging threats, while public awareness campaigns equip users with the knowledge to identify and avoid fraud. Additionally, transparency in incident disclosure helps maintain trust—FPS operators must openly communicate cyber incidents and the corrective measures taken to prevent recurrence, reinforcing confidence in the system.

Moving Forward: A Secure Future for Fast Payment Systems

Cyber threats targeting FPS can lead to significant financial losses, operational disruptions, and erosion of public trust. As the global adoption of fast payments continues, policymakers and industry leaders must make strategic choices that balance security, cost, and innovation.

Cybersecurity must be a top priority—FPS should incorporate international security frameworks, frequent testing, and real-time threat monitoring and work in close cooperation with authorities on a sectorial approach to cyber resilience.