Security and trust are not the same thing, although the words are often used together. Security is the set of mechanisms that keep money and data safe: cryptography, authentication, authorisation, monitoring, and rotation. Trust is the customer's belief that the bank will look after them, given those mechanisms exist. A bank can be very secure and still lose trust through a single botched dispute. It can also feel trustworthy and be insecure underneath, until it is not. Both jobs are real, and design is responsible for both.
Authentication, calmly
Authentication is the front door. The customer should pass through it as quickly as the policy allows, and no faster. Three ideas help. First, prefer device-bound signals: a registered phone with biometric unlock and a hardware-backed key store is a stronger gate than a static password and an SMS code. Second, escalate friction with the value of the action. Logging in to view a balance is one risk profile. Adding a new beneficiary and sending AED 50,000 abroad is another. Third, accept that customers will lose access. Recovery is part of authentication; design it as carefully as the happy path.
OTPs deserve their own attention. They were a useful invention in 2010 and have been stretched far beyond their fitness for purpose. They are easily phished, easily intercepted, easily socially engineered. Where they remain (regulation often requires them), they should be presented with the transaction context they authorise, in copy that prevents the customer from believing the OTP is a "verification" rather than an authorisation. Modern signing flows that use device-bound keys, like the bank's smartPASS-style mechanisms, are stronger and should expand wherever possible.
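The binding of an authorisation to its transaction context, described above, as an added sketch that is not part of the original page or any bank's own code. It assumes an HMAC key standing in for the device-bound key; the function names, payee string, and nonce scheme are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a symmetric key stands in for the device-bound key. A real
# deployment would keep an asymmetric private key in the phone's
# hardware-backed key store and register only the public key with the bank.
DEVICE_KEY = secrets.token_bytes(32)

def canonical(tx: dict) -> bytes:
    """Serialise the transaction context deterministically before signing."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def new_challenge(tx: dict) -> dict:
    """Bank side: attach a one-time nonce to the transaction being approved."""
    return {**tx, "nonce": secrets.token_hex(16)}

def approval_text(challenge: dict) -> str:
    """Device side: the copy shown to the customer names what is authorised."""
    return (f"Approve sending {challenge['currency']} {challenge['amount']} "
            f"to {challenge['payee']}?")

def sign(challenge: dict, key: bytes) -> str:
    """Device side: sign exactly the context the customer was shown."""
    return hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()

def verify(executing: dict, signature: str, key: bytes, used_nonces: set) -> bool:
    """Bank side: accept only if the signature covers the transaction about to
    execute and its nonce has not already been spent."""
    expected = hmac.new(key, canonical(executing), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature) or executing["nonce"] in used_nonces:
        return False
    used_nonces.add(executing["nonce"])
    return True

def demo() -> dict:
    """Constructed sample: one altered transfer, one approved, one replayed."""
    used = set()
    shown = new_challenge({"payee": "AE00 EXAMPLE 0001", "amount": "50000.00", "currency": "AED"})
    sig = sign(shown, DEVICE_KEY)
    altered = {**shown, "payee": "AE00 EXAMPLE 9999"}  # payee swapped after approval
    return {
        "text": approval_text(shown),
        "altered": verify(altered, sig, DEVICE_KEY, used),
        "approved": verify(shown, sig, DEVICE_KEY, used),
        "replayed": verify(shown, sig, DEVICE_KEY, used),
    }
```

Unlike a bare OTP, the approval here is useless for any payee or amount other than the one the customer saw, and it cannot be submitted twice.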
Risk signals visible to the customer
A bank knows a great deal about each customer's normal: where they log in from, what time they pay rent, which beneficiaries they have used for years, which devices they trust. Some of that knowledge can be turned outward. A "you are signing in from a new device" panel that the customer can confirm or reject is a small, useful trust-building moment. A "this beneficiary is new to your account, transactions over a certain amount will be reviewed for the next 24 hours" message reframes friction as protection. A "we paused this transfer because it matched a pattern we have seen recently in scam attempts" disclosure, calmly written, often saves a customer from a loss they were about to authorise.
The principle is consistent. Make the bank's vigilance visible at the right moments, then get out of the way. Make the customer feel watched over, never watched.
Recovery and dispute, the moments that matter
The most important screens in a banking app are the ones a customer never wants to use. The dispute initiation flow. The "I lost my card" path. The "I think someone has access to my account" emergency. These flows must be quick, dignified, and visible at three in the morning. They must not make the customer fill out a form that reads like an interrogation. They must offer a real-person path and a clear timeline. The CPR/CPS lays down the bones of dispute response timeframes; design fills in the flesh.
The vocabulary of trust
Banks use language that sounds neutral and legal but reads, to a customer in distress, as cold. Words like "transaction reversal", "fraud filter rejection", "blocked counterparty", "recovery initiated". Each has a place in compliance documentation. None should be the first thing a customer sees on their worst day. The work of writing security copy is to find the human equivalent that does not lie about what is happening: "We are returning the money", "We stopped this transfer because it matched a recent scam pattern", "Your card has been blocked, here is what we are doing next". Plain language is not a luxury; it is the difference between a customer who calls support and one who calls the regulator.
Long-term trust is institutional
Single screens cannot do all the work. Trust accumulates from consistency, from communications during quiet times, from the dignified handling of public incidents, from the tone of the bank's social channels, from the integrity of every employee a customer encounters. As a senior designer, your job is to argue for that consistency across the surfaces you do not own as much as the ones you do.