Ask any group of digital banking leaders whether their users have ever sent an OTP to someone they thought was from their bank, clicked a phishing link, or been coached by a fraudster to approve a transaction, and almost every hand goes up. Today, these are regular operational realities.
In this same environment, customers expect their financial institutions to expand self-service options, to offer both speed and control. They don’t want to call their branch to update a phone number or make a loan payment. Similarly, institutions want the cost reduction that comes with digital efficiency. The tension between securing digital banking sessions and offering a seamless user experience during those sessions is where retail banking strategy in 2026 can get complicated.
The cost case for self-service is stark
Cost per transaction plummets when institutions offer self-servicing options. Consider these routine requests and their associated costs, based on industry cost benchmarks and internal analysis:
Updating contact information
An address, phone number, or email costs between $4 and $10 per request at the branch, $2.50 to $6 through the call center, and $1.50 to $4 via a back-office web form. Fully digital self-service brings that cost down to roughly $0.15, requires zero staff time, and completes in real time. That’s a 97% cost reduction compared to branch handling.
Making a loan payment
Costs $4 to $10 at the branch, $3 to $7 through the call center, and $2 to $5 via back-office processing, which also carries the added risk of lost payment via mail delivery and a processing window of one to three business days. Fully digital self-service costs as little as $0.05, processes in real time, and eliminates the operational risk entirely. That’s a 99% cost reduction versus the branch.
The math compounds as volume scales. Every routine request a user handles themselves is a call or branch visit that never happens, and those savings accumulate continuously.
The adoption gap
The challenge for most institutions is that many of their users remain unaware of these self-service options. Features get deployed but don’t get marketed, and users default to calling because calling is what they’ve always done.
Closing that gap requires active promotion, such as highlighting remote deposit capture on teller and ATM receipts or promoting eStatement enrollment through paper statement messaging.
Financial institutions must audit which self-service features are enabled versus which are actually being used, and target outreach toward the gap.
These are communication investments, and they drive a meaningful adoption lift without requiring any new capabilities.
The harder design question is where self-service should have guardrails. Not every action carries the same risk profile. Making a routine payment is low stakes. Adding a new wire payee or changing account ownership is not. The right answer isn’t to restrict self-service broadly, but to calibrate it. Low-risk actions get frictionless self-service. High-risk actions get stronger authentication requirements before proceeding.
Social engineering Is the dominant threat
Retail banking’s fraud landscape continues to evolve. The technological threats of the past have morphed into social threats of the present and future. Fraudsters are convincing users to click on phishing links, share one-time passcodes, install remote access tools, and surrender control of their device. They are also manipulating account holders and frontline staff into resetting credentials or removing account protections. These tactics allow fraudsters to bypass traditional authentication controls, gain access to online banking sessions, and operate as though they were the legitimate account holder.
These attacks are effective precisely because they bypass technical controls. MFA doesn’t protect against a user who’s been persuaded to share their code. Fraud alerts don’t guard against a user who’s been coached to say ‘yes, that was me.’ The attack surface is now human beings instead of platforms, which means the defensive layer has to be one that doesn’t depend on users making the right decision under pressure.
Behavioral intelligence as the defense layer
Unlike legacy fraud detection platforms, behavioral intelligence is built to defend against both technological and social threats. Lumin’s integration with BioCatch applies a behavioral risk score to distinct events within sessions based on how a user is interacting with the platform and regardless of whether they successfully authenticated. Signals such as typing cadence, navigation patterns, device handling, and session flow are continuous, invisible to a fraudster coaching someone over the phone, and independent of whether the user did what they were told.
The value of that intelligence runs in both directions. When behavioral signals are consistent with a genuine user, friction stays low. When signals diverge—a session that looks coached, a navigation pattern inconsistent with the account holder’s history, behavior consistent with remote access tool usage—the system can apply friction, escalate review, or block the activity before a loss occurs. Genuine users move through seamlessly. Suspicious sessions face intervention before damage is done.
Lumin clients using BioCatch prevented $16.57 million in fraud over a six-month window from May through October 2025.
Behavioral intelligence stops these attempts at the session level, in real time, even when fraudsters possess valid credentials or have bypassed traditional authentication controls.
Building the right balance
The institutions finding the right balance between self-service expansion and fraud control are approaching it as a deliberate calibration rather than a binary choice. Self-service gets expanded where the risk profile is manageable and the operational savings are clear. Stronger authentication and behavioral monitoring are applied where the risk is higher. And the flexibility of the platform’s rules allows institutions to adjust those thresholds as their fraud landscape evolves.
That calibration is an ongoing practice, informed by data on where fraud is concentrated, where servicing costs are highest, and where user friction is creating unnecessary drop-off. The institutions treating it as a continuous process are the ones seeing both cost reduction and fraud prevention move in the right direction at the same time.
Self-service and security aren’t competing priorities in retail digital banking. They’re the same priority, approached from different angles. The platform’s job is to make the right path easy for legitimate users and difficult for everyone else, without asking users to become their own fraud prevention layer.

David Ringler
Principal Product Manager, Lumin Digital

Jill Thomas-Aviles
Senior Product Manager, Lumin Digital

Justin Hochmuth
Manager, Threat Analytics, BioCatch
