
Zero Trust and Consumer Rights: Redefining Banks’ Accountability in the Digital Age

18-11-2025 10:05 AM


Dr. Hamza Alakaleek
The rise of organized online crime, known as Fraud-as-a-Service (FaaS), is exposing serious weaknesses in the security methods banks have traditionally relied upon. This major escalation in digital threats requires us to fundamentally rethink how financial institutions interact with their customers. We are no longer facing a simple technical problem that can be fixed with a better firewall; instead, we need a complete overhaul of both legal and security rules. The most effective way to fight these international criminal groups is by adopting the Zero Trust security framework. This approach should not just be used internally by banks, but must become a robust, public system for assigning responsibility and ensuring maximum protection for consumers, much like the successful models seen in countries like Canada.

The foundational principle of Zero Trust is "Never trust, always verify." In banking cybersecurity, this means every access attempt or transaction—whether by an employee, a connected system, or the customer—must undergo comprehensive, continuous verification and multi-level authentication. This methodology abandons the outdated perimeter-based security model, focusing instead on the direct protection of valuable resources and data. The core idea is to treat all users as potential threats until proven otherwise at every step of access or transaction execution. Implementing this profound methodology requires Jordanian banks to overhaul their systems to include Mandatory Multi-Level Authentication, Real-Time Behavioral Analytics, and Micro-segmentation.

Adopting Zero Trust with this depth not only enhances security but also significantly reduces vulnerability to social engineering. Because continuous control and additional authentication are demanded at every step, stealing a single OTP becomes insufficient for executing a fraudulent transaction. This shift raises the bank’s responsibility for protecting customer assets to the maximum extent technically possible, moving the focus from blaming the customer to hardening the systems.
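The following is an added illustration, not part of the original article and not any bank's actual system: a per-transaction decision function showing why a valid OTP is necessary but never sufficient under the approach described above. The signal names, weights and thresholds are illustrative assumptions, and the sample transactions are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TxContext:
    # All fields are hypothetical signals a bank might collect per transaction.
    otp_valid: bool        # the one-time password matched
    device_bound: bool     # request came from a device enrolled for this customer
    behavior_score: float  # 0.0 = typical for this customer, 1.0 = highly unusual
    new_payee: bool        # beneficiary never paid before
    amount: float
    typical_max: float     # largest amount this customer normally sends

def decide(tx: TxContext) -> str:
    """Return 'allow', 'step_up' (extra verification) or 'deny'."""
    if not tx.otp_valid:
        return "deny"
    # A valid OTP only gets the request evaluated; every other signal
    # is re-checked on each transaction (weights are assumptions).
    risk = 0
    if not tx.device_bound:
        risk += 2
    if tx.behavior_score >= 0.7:
        risk += 2
    elif tx.behavior_score >= 0.4:
        risk += 1
    if tx.new_payee:
        risk += 1
    if tx.amount > tx.typical_max:
        risk += 1
    if risk >= 4:
        return "deny"
    if risk >= 2:
        return "step_up"
    return "allow"

# Constructed sample transactions.
SCENARIOS = {
    "routine payment": TxContext(True, True, 0.1, False, 50, 500),
    "stolen OTP, attacker device": TxContext(True, False, 0.8, True, 4000, 500),
    "customer on a new phone": TxContext(True, False, 0.2, False, 50, 500),
    "deceived customer, own device": TxContext(True, True, 0.5, True, 4000, 500),
}

if __name__ == "__main__":
    for name, tx in SCENARIOS.items():
        print(f"{name}: {decide(tx)}")
```

In the last scenario every credential is genuine, yet the unusual payee and amount still trigger extra verification, which is the behavior the article expects from systems that protect a customer who has been tricked.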

In many jurisdictions, including Jordan, customers are often held partly responsible for fraud losses under the pretense of negligence in protecting their data. However, the advanced Canadian experience offers a model that heavily favors consumer protection. In Canada, consumer protection laws require financial institutions to bear significantly greater responsibility for fraud losses, particularly when there is no conclusive evidence of gross error or negligence on the customer's part. This legal framework ensures that the financial institution, which possesses the resources and expertise for applying state-of-the-art security, assumes the greater share of the risks associated with digital transformation.

This legislative framework creates a powerful incentive for banks to invest heavily in Zero Trust systems, rather than resorting to customer blame. The Canadian model reinforces two key principles for elevating digital consumer protection in the Jordanian market: The Burden of Proof is on the Institution—meaning the bank must prove the customer’s sole, significant negligence—and Instant Compensation and Guaranteed Recovery via clear and swift compensation protocols, guaranteeing the customer’s recovery of defrauded funds within a tight timeframe.

Implementing Zero Trust and reinforcing the legal framework translates into banks being obligated to deploy self-defending measures capable of identifying and stopping suspicious activity, even if the customer has been deceived or tricked. This regulatory shift elevates banks' security expectations and mandates consumer protection as an investment priority. The necessary response must be proactive and comprehensive, resting on effective digital governance. This necessitates Establishing a National Compensation Mechanism, Mandating the Application of Zero Trust Principles across all banks as a compulsory regulatory requirement (linking compliance directly to liability for compensation), and strengthening effective and continuous cooperation with the Cybercrime Unit to exchange real-time threat intelligence.

The fight against digital fraud is a shared responsibility, but accountability must be non-negotiable. Financial institutions cannot remain shielded behind customer negligence while criminal organizations exploit vulnerabilities that Zero Trust systems could have detected and stopped. It is time for digital security to become a digital right for the consumer, a right that institutions are obliged to guarantee, lest the bridge of trust linking citizens to advanced digital financial services in Jordan collapse. Investing in Zero Trust and enabling legislation is an investment in the national economy's future and an unbreakable shield protecting savings from escalating organized crime risks.



