Digital banking today is not merely a matter of convenience but an ongoing battle against sophisticated cyber threats. OTP Bank reveals how it protects and educates its clients in the world of digital risks.
In conversation with Rosanda Milatović Skorić, we learn how this institution approaches security in the digital environment. The focus is on current cyber security challenges, user education, and cooperation with regulatory bodies to ensure client protection and financial system stability.
Digital banking today involves a continuous struggle against complex cyber threats. How does OTP Bank respond to these challenges, and what measures does it take to protect its clients?
— We face increasingly complex cyber threats, ranging from phishing and malware to attacks on mobile applications and cloud infrastructure. Banks are frequent targets of cybercriminals, with potential consequences including financial losses, erosion of trust, and reputational damage.
For this reason, OTP Bank invests in cutting-edge technologies and multi-layered protection. We implement a Zero Trust architecture, where no access is trusted by default; every access attempt is verified and limited. We use multi-factor authentication (MFA), which requires, in addition to a password, an extra code or biometric verification, making unauthorised access much harder. Data is protected by encryption both in transit and at rest.
We also employ artificial intelligence and machine learning to detect threats in real time, allowing automatic responses to suspicious activities.
In accordance with DORA, OTP Bank is enhancing processes for monitoring, reporting, and exchanging information on cyber incidents with competent authorities and other institutions, thereby further strengthening the resilience and stability of the financial system.
Employees undergo regular training to recognise phishing attacks and other frauds. We conduct security audits and simulate attacks (cyber drill exercises) to improve crisis response. Although incidents do occur, we have a detailed plan for swift threat isolation, user notification, and system recovery.
User education is often the weakest link in the digital security chain. How does OTP Bank inform and empower clients to recognise and avoid potential online scams?
— User education is key, as even the best systems cannot prevent misuse if users carelessly share their data. Therefore, OTP Bank runs the ongoing ‘Safe ONLINE’ campaign through social media, the website, emails, and SMS messages.
We provide clients with practical advice on recognising phishing, fake surveys, social media scams, and safe use of cards and ATMs. Video clips, infographics, and guides tailored to everyday situations are available. The bank clearly warns it will never request confidential information via email, SMS, or phone. When new scams emerge, we promptly inform clients and the public, as was recently the case with fake investment ads on social media, alongside taking legal action against fraudsters.
OTP Bank is also part of sector initiatives such as FIN-CSIRT, which facilitate threat information sharing and joint actions to strengthen the financial sector’s resilience, including user education.
Enhancing cyber security requires collaboration between banks, regulators, and other financial system actors. What joint initiatives does OTP Bank participate in, and what is their tangible impact on the market?
— Cyber security demands cooperation with regulators, banks, fintech companies, and other stakeholders. OTP Bank actively participates in working groups with the National Bank of Serbia, other banks, and IT experts, exchanging experiences and developing standards for risk management, resilience testing, and incident reporting.
Over the past year, we have placed particular focus on implementing the DORA regulation (Digital Operational Resilience Act), which from 2025 sets strict requirements for financial institutions in the EU and their subsidiaries.