Safety by Design in Payment Systems - Completing the Design Trinity

1 August 2025

By David O'Mahony, Business Analyst, AusPayNet and
Toby Evans, Head of Economic Crime, AusPayNet
 



The digital highway paradox

The digital revolution has affected every aspect of 21st century life, transforming how we communicate, socialise, purchase goods and services, and make payments. It has also created efficient marketplaces to support the global 24-hour economy.

But while bringing efficiency and speed benefits, increasing digitisation has also created a perfect climate for criminal exploitation that risks eroding digital trust, undermining consumer confidence and threatening the foundation of our digital economy. With criminals now identifying and socially engineering their victims via digital and telecommunications platforms, the payments industry has effectively become a gatekeeper and the last line of defence against fraud and scams.

Fast Payment Systems (FPS), digital onboarding and ecommerce have revolutionised transaction speed, but these innovations have also been weaponised by organised crime. While scams represent less than 1 per cent of all transactions — roughly 1 in every 25,000 payments, according to Westpac (1) — their impact is devastating.

The lack of a consistent response to, and timely solutions for, scams across the digital economy has prompted regulatory intervention. In Australia in 2025, the Scams Prevention Framework (SPF) was introduced, and will establish enforceable obligations on relevant business sectors requiring them to take proactive steps to prevent, identify and stop scams. 

This blog examines how our approach to combatting scams must evolve in the digital age to address this growing threat.
 

The missing principle

Modern payments infrastructure has long embraced two foundational principles: 

  • Privacy by Design, which protects customer data and transaction information.
  • Security by Design, which defends against cyber-attacks and technical vulnerabilities such as account takeover.

The recent explosion in the volume of scams has revealed a critical gap. We need Safety by Design (SbD) to complete a trinity of protective principles.

SbD offers a paradigm shift. Just as Privacy by Design and Security by Design transformed data protection and cybersecurity, SbD embeds user safety considerations into payments system architecture from conception to deployment.

Australia’s eSafety Commissioner has developed an SbD framework of principles and guidance that provides a robust foundation for the digital economy (2).
 

Three pillars of SbD in payments

1. Service provider responsibility

Central to the principle of SbD is that the burden of safety should not rest solely with the end-user. Service providers must take preventative steps to minimise the risks of harm to end-users (including fraud, scams and other illegal or inappropriate behaviours) while using their services.

Examples that have been successfully retrofitted over the years include:

  • in-application security: banks are moving away from vulnerable SMS text messaging systems and implementing in-application verification backed by biometric device technologies. This creates secure communication channels that criminals cannot easily infiltrate while enhancing both bank and customer verification to mitigate account takeover and bank impersonation scams.
     
  • risk scoring and machine learning: advanced systems analyse transaction patterns, device biometrics and behavioural indicators to generate real-time risk scores. These scores can be shared between institutions, strengthening fraud detection across the ecosystem.
     
  • strategic transaction limits: risk-based transaction limits and first-time payment holds are essential safeguards. Prevention is always better than cure, especially when recovering funds from offshore jurisdictions. 
 
2. User empowerment and autonomy

This principle promotes the inclusion of tools and technical features that enable users to take steps themselves to mitigate risk and harms. It also promotes service providers adopting a design process that ensures risk factors are mitigated before products or services are publicly released. 

Account name verification services have proven transformative in mitigating payment misdirection scams and mistaken payments. According to the Commonwealth Bank of Australia, its ‘NameCheck’ solution has prevented over A$370 million in mistaken payments and A$40 million in scam losses in the year to June 2024 (3).

The effectiveness of general warnings about scams or high-risk transactions has been questioned for some time, a problem referred to as warning fatigue. Some banks and Payment Service Providers (PSPs) are leveraging behavioural science to further improve user empowerment and thereby improve user outcomes. The ability to identify at-risk transactions and reduce false positives by requiring users to answer questions when initiating high-risk transactions has benefitted both users and PSPs. While historical industry consensus assumed customers would resist friction in their transactions, consumers have come to accept and adapt to appropriate risk-based frictions that keep them and their money safe. 

Effective transaction questioning serves a dual purpose:

  • It helps potential victims pause and reconsider whether to proceed with a payment.
  • It enhances fraud risk scoring systems that enable risk-based payment holds and targeted interventions by trained staff.
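
As an added illustration (not from the original article, nor the logic of any bank or product named in it), the sketch below shows how a name-verification result, a first-time-payee flag and the payer's answers to transaction questions could feed one risk score that drives an allow, question or hold decision. All thresholds, weights, question keys and sample payments are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Every threshold, weight and question key here is an assumption made for
# this example; none comes from the article, a bank or the SPF.
QUESTION_AT = 30     # score at which the payer is asked questions
HOLD_AT = 60         # score at which the payment is held for staff review
HIGH_VALUE = 5_000   # AUD

NAME_CHECK_RISK = {"match": 0, "close": 15, "mismatch": 40}
RISKY_ANSWERS = {    # hypothetical question set
    "asked_to_pay_by_caller": 35,
    "told_to_keep_secret": 35,
    "payee_met_online_only": 20,
}

@dataclass
class Payment:
    amount: float
    first_time_payee: bool
    name_check: str                               # result of account name verification
    answers: dict = field(default_factory=dict)   # empty until the payer is questioned

def risk_score(p: Payment) -> int:
    score = NAME_CHECK_RISK[p.name_check]
    score += 20 if p.first_time_payee else 0
    score += 15 if p.amount >= HIGH_VALUE else 0
    # Answers given during questioning feed back into the score.
    score += sum(w for q, w in RISKY_ANSWERS.items() if p.answers.get(q))
    return score

def decide(p: Payment) -> str:
    score = risk_score(p)
    if score >= HOLD_AT:
        return "hold"        # risk-based hold, referred to trained staff
    if score >= QUESTION_AT and not p.answers:
        return "question"    # add friction: ask before releasing
    return "allow"

# Constructed sample payments.
SAMPLES = {
    "regular bill": Payment(50, False, "match"),
    "new payee, unanswered": Payment(2_500, True, "close"),
    "new payee, risky answer": Payment(2_500, True, "close", {"asked_to_pay_by_caller": True}),
    "new payee, benign answers": Payment(2_500, True, "close", {"asked_to_pay_by_caller": False}),
    "large mismatch": Payment(8_000, True, "mismatch"),
}

if __name__ == "__main__":
    for label, payment in SAMPLES.items():
        print(f"{label}: {decide(payment)} (score {risk_score(payment)})")
```

The same new-payee payment ends in three different outcomes depending on whether, and how, the payer has answered: questioning both escalates the risky case to a hold and releases the benign one without staff involvement.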

Westpac's ‘Verify’ system exemplifies intelligent questioning that leverages behavioural science. As of August 2024, this system had challenged 200,000 payments, resulting in A$194 million in abandoned (likely fraudulent) transactions. Westpac’s ‘Verify’ was also preventing 300 mistaken payments daily (4).


3. Transparency and accountability

This principle promotes embedding end-user safety into organisational culture through appropriate staff training and practices. It requires PSPs and/or payment system operators to be transparent by publishing metrics that demonstrate product performance against safety objectives, and to foster continuous improvement.

Australia has cultivated a culture of developing and sharing risk mitigants across industry. The National Anti-Scam Centre, the Australian Financial Crimes Exchange and other forums, such as the Economic Crime Forum, are prime examples. But the next phase is global coordination. There is work underway and a drive to make scams a G20 priority to overcome global data sharing and coordination challenges.
 

Strengthening the foundations

The digital payments landscape continues to evolve, with agentic AI-driven ecommerce and cross-border interlinking of fast payment systems. Each development presents both opportunities and risks. Products within the digital economy must be designed to encompass the three foundational principles of privacy, security and safety, forming the trinity of design.

Importantly, SbD offers a framework for navigating this complex environment. By embedding safety considerations into the development process, payments systems will retain their utility while continuing to be innovative, secure and safe. 

The choice for the digital economy is clear. Continue playing catch-up with criminals who exploit system vulnerabilities, and face an increasingly onerous regulatory burden, or proactively design systems that make exploitation significantly harder and that are safe for consumers. Given the risk of lost funds, damaged trust, lost productivity and reduced innovation, the cost of inaction is simply too high.

In an increasingly connected global payments ecosystem, SbD isn't just a nice-to-have feature; together with privacy and security, it must become the foundation upon which the future of digital finance is built and maintained.

For more on Safety by Design, read the following paper



(1) Westpac (2024), ‘Stopping scammers before they scam you’. Available at <https://www.westpac.com.au/news/money-matters/2024/08/scams-the-view-from-the-frontline/>.

(2) eSafety Commissioner, ‘Safety by Design’. Available at <https://www.esafety.gov.au/industry/safety-by-design>. 

(3) Commonwealth Bank of Australia (2024), ‘Anti-scam measures cut scam losses for CommBank customers in half’. Available at <https://www.commbank.com.au/articles/newsroom/2024/08/cba-cuts-scam-losses-for-customers.html>.

(4) See Westpac (2024).