Accountability depends on the jurisdiction, but the article shows a clear trend toward shifting more responsibility to the institution when OTP-based fraud succeeds. That means policy, control design, customer communication and evidence retention all become part of the accountability chain, not just the authentication method itself.
Why This Matters for Security Teams
SMS OTP fraud is no longer just a fraud operations issue. Under newer rules, accountability increasingly follows the institution that designed the authentication flow, set customer expectations, and retained the evidence needed to prove what happened. That matters because OTP failure is often a compound control failure: weak channel security, poor step-up design, delayed detection, and inconsistent dispute handling all interact.
Security, risk, and compliance teams now have to treat OTP as part of the broader identity control stack, not as a standalone safeguard. Guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls reinforces that authentication must be paired with monitoring, logging, and incident response. NHIMG research on the Ultimate Guide to Non-Human Identities shows how often identity controls fail when governance is fragmented, and the same pattern appears in OTP fraud: the control is not enough if the surrounding process is weak.
In practice, many teams discover the accountability gap only after a customer dispute, regulator inquiry, or loss event has already forced a post-incident reconstruction of the authentication trail.
How It Works in Practice
Accountability usually turns on whether the institution took reasonable steps to prevent predictable abuse and whether it can prove those steps were operating at the time of the fraud. That includes the choice of authentication method, the delivery channel, fraud detection thresholds, customer notification language, and the quality of event logging. In many cases, the question is not whether the OTP was technically valid, but whether the design made interception, SIM swap abuse, or social engineering too easy.
Practical controls should focus on evidence and decision quality:
- Record the authentication path, timestamps, device or session signals, and any step-up decisions.
- Retain logs long enough to support dispute resolution and regulatory review.
- Use channel risk scoring so SMS OTP is not treated as equally trustworthy in every context.
- Document when stronger methods were offered, failed, or bypassed.
- Define escalation rules for high-risk transactions and repeat fraud patterns.
Current guidance suggests that institutions should also align fraud operations with security engineering, because control ownership is often split across teams that do not share a common evidence standard. The Schneider Electric credentials breach illustrates how identity compromise can cascade when monitoring and response do not keep pace with attacker behaviour. For control design, NIST SP 800-53 Rev 5 Security and Privacy Controls is the clearest reference point for logging, access control, and incident handling expectations.
These controls tend to break down when SMS is the only viable second factor in high-risk jurisdictions because the institution cannot meaningfully reduce interception risk without changing the authentication architecture.
Common Variations and Edge Cases
Tighter OTP control often increases user friction and operational cost, so organisations have to balance fraud reduction against conversion, accessibility, and support burden. Best practice is evolving, and there is no universal standard for when SMS OTP becomes unacceptably weak; the answer depends on transaction value, customer profile, and local regulatory expectations.
Some edge cases shift accountability further toward the institution: repeated fraud after a known SIM-swap pattern, failure to warn customers about SMS risk, or insufficient evidence to show that the OTP was tied to the real user session. Other cases are less clear, especially where the customer ignored explicit warnings or used an untrusted device, but even then the institution usually still needs to demonstrate proportional controls and clear communication.
For governance teams, the key question is whether policy, control design, and retention can survive scrutiny. NHIMG’s research base on identity weakness shows how often organisations underestimate that burden, and the same lesson applies here: when identity assurance fails, accountability usually follows the party that controlled the system design, not the fraudster who exploited it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Covers authentication and access decision quality for fraud-prone channels. |
| NIST SP 800-63 | AAL2 | SMS OTP is relevant to assurance level debates and weak-factor limitations. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity governance lessons apply when credentials or factors are abused in the flow. |
| NIST AI RMF | Accountability depends on governance, transparency, and ongoing risk management. |
Treat OTP-related authentication assets as governed identities with rotation, logging, and revocation controls.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org