By Fernanda Sottil, Senior Director of Strategy at Incode
Money20/20 Europe returned to Amsterdam this June, bringing together banks, fintechs, regulators and technology providers to discuss the trends shaping the future of financial services. Across the three-day event, conversations centred on the rise of AI, the growing threat of increasingly sophisticated fraud, digital identity, payments innovation and the evolving regulatory landscape. As financial institutions look to balance stronger security with seamless customer experiences, trust emerged as one of the industry’s defining challenges.
Following the event, we spoke with Fernanda Sottil, Senior Director of Strategy at Incode, to discuss her key takeaways from Money20/20 Europe. From the growing scale of deepfake attacks and the need for layered fraud prevention to the emergence of agentic AI and the future of digital identity, Sottil shares her perspective on how financial institutions can prepare for the next generation of fraud while maintaining customer trust.
In June, the industry’s leading Financial Services innovators came together to connect and create the future of money in Amsterdam at Money20/20 Europe. What was the biggest takeaway for you?
The biggest takeaway for me was that trust in financial systems breaks in two directions at once. Organisations lose money to fraud and, at the same time, when protections against fraud cause too much friction, they also lose good customers.
Today, most institutions only measure the first. However, they’re missing out on the larger conversation, which is: how can we protect our customers, while also prioritising their experience? The conversion losses from over-blocking are harder to measure, but if I had to guess, I imagine they’re probably larger than the fraud losses in many cases. Without quantifying both sides, they’re adjusting thresholds without the full picture.
You spoke at Money20/20 about how banks need to be at the forefront of fighting deepfakes. What makes this type of fraud more challenging?
During my session, we talked about how HSBC was seeing between 300 and 500 deepfake attempts per day. This scale is unlike anything we’ve really seen before, and it’s the technology that makes it possible. With this in mind, the conversation needs to be reshaped. We’re no longer talking about just the problems or the technology of today; we’re also talking about future risk and how we can manage it.
What is your advice for banks trying to tackle deepfakes and complex fraud?
My advice would be a layered defense. We know this approach works because each layer fails independently. Device integrity, session behavior, document authenticity, biometric liveness, deepfake detection, network signals, cross-customer intelligence. It buys your system more time to respond because an attacker who defeats one layer hasn’t necessarily cracked the next layer, let alone all of them. That structural independence is what makes it hard for best-in-class fraudsters to beat at scale.
I’d also say, keep an eye on digital IDs. They are gaining popularity, particularly in Europe. And while they reduce the document attack surface, they don’t close the problem. The biometric binding step, where individuals match a live selfie to the eID at enrollment, still requires liveness and deepfake detection. While the document verification side gets stronger, the biometric verification stays exposed if organisations don’t address it.
What role does AI play in all of this?
At Money20/20 Europe, the moment agentic AI was brought up, the energy in the room shifted. Everyone was engaged and eager to learn more. Agentic AI has completely changed the game. The entire verification stack was built assuming a human on the other end. Agents don’t have faces or government IDs. The question shifts to who owns the agent, what they’re authorised to do, and whether the session is still within that scope.
We also know that regulators are behind. Governing bodies and governments are just now getting up to speed on electronic signatures and eIDs, but are very far away from agentic interactions and agentic fraud. The regulatory frameworks being built today are already a generation behind the threat. The institutions waiting for regulatory pressure to act will be in a difficult position.
What’s your prediction for this industry in the next 5 years?
In five years, I believe that the gap between attack sophistication and institutional readiness will get worse before it gets better. Attackers move in days, banks move in quarters, regulators move in years. The organisations building the right infrastructure now will be in a fundamentally different position from the ones that wait.

