Emily McCormick is Vice President of Editorial & Research for Bank Director. Emily oversees research projects, from in-depth reports to Bank Director’s annual surveys on M&A, risk, compensation, governance and technology. She also manages content for the Bank Services Program, including Bank Director’s Online Training Series. In addition to speaking and moderating discussions at Bank Director’s in-person and virtual events, Emily writes and edits for Bank Director magazine, BankDirector.com and Bank Director’s weekly newsletter, The Slant. She started her career in the circulation department at the Knoxville News-Sentinel and graduated summa cum laude from The University of Tennessee with a bachelor’s degree in Spanish and International Business.
The Power of (Some) Friction
While banks have been making processes like account opening and payments nearly instantaneous for customers, forward-thinking banks are taking a data-informed approach to mitigating fraud.
For Austin Capital Bank’s high-yield savings account, adding friction and slowing things down is by design.
The account, announced in July, is called Fort Knox, named for the U.S. Gold Bullion Depository in Kentucky. “What we built with Fort Knox is a bank at the end of a one-way street with a vault,” says Erik Beguin, CEO and founder of Austin Capital Bank, the $485 million digital banking subsidiary of Austin, Texas-based Greenback Fincorp. “And the only place that money in that account can go is back to you.”
It’s not intended to be the customer’s primary transaction account. Instead, it’s an attractive product for those looking to keep a significant amount of money safe. Fort Knox requires the account holder to have a checking account with another bank; money from the Fort Knox account can only be transferred to that external account. That prevents the customer from transferring funds directly to a fraudster and can be the difference, Beguin says, between losing roughly 60 days of money in a primary checking account versus the life savings held in Fort Knox.
It’s a level of friction not commonly seen in financial services today. An increasingly digital environment means accounts can be opened in mere minutes, and payments are almost instantaneous. But that also means it’s harder for banks to slow down processes to ensure customers or transactions are legitimate.
In response, banks must weigh competitive concerns against their risk appetites. A zero-tolerance approach to this risk could keep a bank from offering instant payments capabilities to its customers or limit online account opening; that institution could lose out on customers who are seeking those capabilities. “If you can’t make a fraud decision in milliseconds, that’s going to be disrupting the customer experience,” says Andy Lapp, senior director of fraud and managed services at CSI.
Chris Mastrangelo, chief risk officer at New York-based Grasshopper Bank, doesn’t believe the $1.4 billion subsidiary of Grasshopper Bancorp has to sacrifice fraud prevention for customer experience. “I think we can achieve our goals for both,” he says. That means being realistic about risk and understanding that some fraud will get through, and that the bank will get complaints when an account or loan has been denied due to the bank’s risk criteria.
Some friction can be good, and banks and credit unions could do a better job of explaining how slowing the process makes customers safe. Financial institutions “should be positioning themselves as the experts on security … by saying, ‘We’re going to ask you some questions that are going to slow the process down a little bit, but we are doing this because we care about your security, we care about your money, we care about your identity,’” says Steve Sanders, chief risk officer and chief information security officer at CSI. “Friction slows adoption, but it also protects your customers and decreases fraud. If you aren’t hearing any complaints, you don’t have enough friction.”
Mastrangelo says it’s not uncommon for fraudsters to have the audacity to call into Grasshopper’s call center to complain, which makes it important for the bank to stick to its fraud decisioning. “You don’t want to be closing good accounts, but you have to go off of your fraud prevention,” he says. “We quickly know why that account was closed.”
That means following the data. Grasshopper sets risk tolerances for approval rates, fraud rates and dollars lost to fraud, and tracks those key performance indicators. “If you don’t know your fraud exposure … it makes it very hard to continue to improve your prevention tactics,” he says. Mastrangelo adds that board members understand that a certain level of fraud losses should be expected.
“Most banks have a risk tolerance that I would call moderate to moderately low. They don’t want a lot of fraud,” says Sanders. “What’s concerning is that their investments and controls don’t always match that low risk tolerance.”
Offering digital account opening is a good example of a service that can provide ease of use to the customer but can also open the bank up to potential fraud. “A majority do not open accounts digitally out of their footprint, including very large banks,” says Tommy Nicholas, CEO at Alloy, an identity and fraud prevention platform. Opening an account or moving money requires an institution to confirm the legitimacy of that customer or transaction; increasingly, automation and data analysis are helping organizations do that in near real time. Still, three-quarters of banks and fintechs reported in Alloy’s 2025 State of Fraud Report that more than 25% of new account applications triggered a manual fraud review.
Executives at Grasshopper want to keep that number low, which requires examining which steps in the verification process are triggering further review, and testing and tweaking the rules in that waterfall. “Being able to use retroactive data to test rules to say, ‘OK, this would improve our pull-through rate by x percent, and yet it would only impact our fraud rate by this much,’” says Mastrangelo. “You’re running those tests on fraud results to get an idea of how many customers would likely be flagged as fraudulent versus not” based on changes to those steps.
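The kind of retroactive rule test described above can be sketched in a few lines of Python. This is an added example, not code from Grasshopper or from this article. The record fields, rule thresholds and sample applications are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:        # one historical application; outcome known in hindsight
    app_id: str
    id_score: int         # hypothetical identity-verification score, 0-100
    email_age_days: int   # hypothetical signal: age of the applicant's email
    consortium_hit: bool  # reported for fraud at another institution
    was_fraud: bool       # confirmed outcome used to grade the rules

# Constructed sample history (illustrative values only).
HISTORY = [Application(*row) for row in [
    ("a1", 92, 2400, False, False), ("a2", 88, 30, False, False),
    ("a3", 75, 900, False, False),  ("a4", 71, 12, False, True),
    ("a5", 64, 1500, False, False), ("a6", 95, 3000, True, True),
    ("a7", 83, 45, False, False),   ("a8", 58, 5, False, True),
    ("a9", 79, 400, False, False),  ("a10", 90, 20, False, True),
]]

def make_waterfall(min_score, min_email_age):
    """Ordered rules; the first rule that returns a decision wins."""
    return [
        lambda a: "decline" if a.consortium_hit else None,
        lambda a: "review" if a.id_score < min_score else None,
        lambda a: "review" if a.email_age_days < min_email_age else None,
        lambda a: "approve",
    ]

def decide(app, waterfall):
    for rule in waterfall:
        decision = rule(app)
        if decision is not None:
            return decision

def backtest(history, waterfall):
    """Replay past applications through a waterfall and report the KPIs."""
    decisions = [(a, decide(a, waterfall)) for a in history]
    approved = [a for a, d in decisions if d == "approve"]
    reviewed = [a for a, d in decisions if d == "review"]
    fraud_in = [a.app_id for a in approved if a.was_fraud]
    return {
        "pull_through": len(approved) / len(history),
        "manual_review": len(reviewed) / len(history),
        "fraud_rate_approved": len(fraud_in) / len(approved) if approved else 0.0,
        "fraud_approved_ids": fraud_in,
    }

BASELINE = backtest(HISTORY, make_waterfall(min_score=80, min_email_age=60))
CANDIDATE = backtest(HISTORY, make_waterfall(min_score=70, min_email_age=15))
```

On this constructed data, loosening both thresholds raises the auto-approval rate sharply but lets one fraudulent application through, which is the trade-off the test is meant to put a number on before a rule change goes live.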
Further, customers are grouped for further action — manual review, longer holds or higher limits, for example — based on certain characteristics, such as the length of their relationship with the bank, says Mastrangelo. Grasshopper also leverages technology partners and consortiums to create layers of security for identity verification, business verification, behavioral biometrics, and investigations and suspicious activity reporting. “If a customer has committed fraud at another bank,” he says, “you’d have that consortium data to auto blacklist those customers.”
Many of Fort Knox’s security features are “proprietary,” Beguin says, but safety measures include a lockdown mode that freezes the account, two-day delays to withdraw money and various biometrics that replace the traditional username and password. There are no real-time transfers of money at Fort Knox; no simple logins. “If your bank is using a username, password and one-time passcode delivered via text or even app, it’s just not secure,” says Beguin. He’s referencing two-factor authentication; many banks rely on that tactic to control fraud, according to Alloy’s fraud report.
Spoofing a bank’s website can be an easy way for fraudsters to trick customers into giving up their account credentials. In 2024, the FBI reported 193,407 complaints tied to phishing or spoofing, in which a fraudster uses email, texts or phone calls to pretend to be a legitimate organization — such as a bank — to gain login credentials or other personal information.
To combat this, both Grasshopper and Austin Capital’s Fort Knox brand use a .bank web address, which is a verified domain dedicated to banks. “That helps prevent spoofing,” says Beguin. Austin Capital also generally avoids sending links or one-time passcodes to verify a customer’s identity. That’s because criminals can use these same tools to trick customers into entering information into a spoofed website.
“And then [the fraudster] can take all the money. It is that easy,” Beguin adds.