Zero Trust and consumer rights: Redefining banks’ accountability in the digital age - By Hamza Alakalik, The Jordan Times
The surge in organised online crime, now industrialised under the banner of Fraud-as-a-Service (FaaS), is exposing deep cracks in the security methods long relied upon by banks. This escalation in digital threats demands more than a technical patch or a stronger firewall. It calls for a fundamental rethink of how financial institutions protect their customers, and how the law holds those institutions to account. The most effective response lies in adopting the Zero Trust security framework, not merely as an internal IT strategy but as a public, regulatory standard for assigning responsibility and safeguarding consumers, much as has been achieved in Canada.
At the heart of Zero Trust is a simple rule: never trust, always verify. In the context of banking cybersecurity, every access attempt or transaction, whether initiated by an employee, a connected system or a customer, must undergo continuous verification and multi-level authentication. This approach abandons the outdated perimeter-based security model, focusing instead on protecting the data and resources themselves. In practice, all users are treated as potential threats until they are proven otherwise, at every stage of access.
For Jordanian banks, implementing this shift requires a structural overhaul. Mandatory multi-level authentication, real-time behavioural analytics and micro-segmentation must become standard measures rather than optional enhancements.
A Zero Trust environment dramatically reduces the success of social-engineering attacks. When every step demands renewed verification, the theft of a single one-time password is no longer enough to execute a fraudulent transaction. The burden of safeguarding customer assets therefore shifts towards the institution, reducing the long-standing tendency to fault customers for falling victim to deception.
Yet, in many jurisdictions, Jordan included, customers are often expected to shoulder part of the loss, supposedly due to negligence in protecting their data. The Canadian model offers a compelling counterpoint. There, consumer-protection laws oblige financial institutions to assume far greater responsibility for fraud losses, unless clear evidence of gross negligence on the consumer’s part is established. This framework recognises that banks, not individuals, have the resources and expertise to deploy state-of-the-art protection. Consequently, the institution bears the greater portion of the risk associated with digital transformation.
Such legislation creates a powerful incentive for banks to invest in Zero Trust systems rather than retreating behind claims of customer error. Two central principles emerge from the Canadian experience and could significantly strengthen digital consumer protection in Jordan: first, that the burden of proof rests squarely with the institution, and second, that customers must receive prompt and guaranteed compensation, through clear procedures and strict timelines.
Translating these principles into practice requires banks to deploy self-defending security systems, systems capable of identifying and halting suspicious activity even when the customer has been misled. It also demands a regulatory shift: the establishment of a national compensation mechanism, the mandatory adoption of Zero Trust across all banks as a regulatory requirement (with liability for compensation linked to compliance), and deeper, real-time cooperation with the Cybercrime Unit.
The fight against digital fraud is undoubtedly a shared responsibility, but accountability must not be diluted. Financial institutions cannot continue to shelter behind allegations of customer negligence while criminal networks exploit vulnerabilities that modern security frameworks could have prevented. Digital security should be recognised as a consumer right, one that institutions are obliged to guarantee. Without this, the trust underpinning Jordan’s digital financial services will erode.
Investing in Zero Trust and enacting the legislation to support it is not merely a technological upgrade. It is an investment in the future of the national economy, and a shield that protects citizens’ savings from the mounting dangers of organised digital crime.