Accountability should sit with the teams that own authentication policy, fraud monitoring, and customer reimbursement, because those controls now influence the same outcome. If the bank allows a weak factor in a high-risk flow, governance should treat that as a shared control decision, not a narrow IAM issue.
Why This Matters for Security Teams
OTP-based flows sit at the intersection of authentication, fraud controls, and customer harm. When a fraudster successfully drives a one-time passcode challenge, the failure is rarely confined to a single team. It can reflect weak step-up policy, poor transaction-risk scoring, insufficient device binding, or reimbursement rules that reward exploitability. NIST’s NIST Cybersecurity Framework 2.0 is useful here because it frames security as an enterprise outcome, not just an IAM function.
The accountability question matters because OTP is often treated as “good enough MFA” even when the flow is used for high-value payments, account recovery, or beneficiary changes. That is exactly where fraud teams, product owners, and identity teams need shared control ownership. NHI Management Group’s Ultimate Guide to Non-Human Identities shows how weakly governed credentials and overexposed access become business risk, not merely technical debt. In practice, many security teams encounter OTP fraud only after disputed transactions have already been reimbursed, rather than through intentional control design.
How It Works in Practice
Accountability should be mapped to the control that failed, not just the channel that delivered the OTP. If the authentication policy allowed OTP alone for a high-risk action, the identity or access owner is accountable for that policy choice. If the fraud model did not flag an anomalous device, destination account, or session pattern, the fraud team owns that gap. If reimbursement decisions create weak incentives, the business owner of that policy shares accountability.
Operationally, strong programmes separate three layers:
- Authentication policy: what assurance level is required for login, reset, or transfer approval.
- Fraud decisioning: what behavioural, device, and transaction signals trigger step-up, hold, or deny.
- Loss handling: who approves refunds, chargebacks, and customer remediation.
This is consistent with the direction of current guidance in the NIST Cybersecurity Framework 2.0, which encourages clear governance and outcome ownership. It also aligns with NHI Management Group research on credential abuse, including the Ultimate Guide to Non-Human Identities, where exposed secrets and weak lifecycle controls repeatedly translate into downstream loss. The practical control pattern is to require risk-based step-up, bind the challenge to the device or session, and record which policy decision permitted the transaction so accountability is auditable later.
These controls tend to break down in high-volume consumer environments where product teams optimise conversion first and fraud ownership is separated from authentication ownership.
Common Variations and Edge Cases
Tighter OTP controls often increase friction, requiring organisations to balance fraud reduction against customer abandonment and support cost. The hard cases are usually not simple login events, but account recovery, SIM-swap exposure, call-centre overrides, and payment approval flows where the OTP is only one signal among several.
There is no universal standard for this yet, but current guidance suggests that accountability should follow the decision authority for the risky action. For example, if customer service can bypass OTP, that exception process must have its own owner and logging. If a third-party identity platform sends the code, the bank still remains accountable for the control outcome because outsourcing the channel does not outsource the risk. The same logic appears in NHI governance: ownership stays with the organisation that authorises the credential and the business process it protects, not the vendor that transmits it.
Fraud through OTP also becomes more complex when the passcode is paired with device posture, biometrics, or push approvals. In those cases, the accountable party should be the owner of the full authentication journey, not the single technology component. In practice, mature teams assign a named control owner for step-up policy, a separate owner for fraud rules, and a final owner for reimbursement decisions, because that is where disputes are resolved after the loss.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Clarifies enterprise outcomes and ownership for fraud-related control decisions. |
| OWASP Non-Human Identity Top 10 | NHI-01 | OTP flows rely on credentials and access paths that must be governed as sensitive identity assets. |
| NIST AI RMF | Risk governance is needed when authentication decisions affect fraud and customer harm. |
Assign a named owner for OTP risk outcomes and tie fraud, auth, and reimbursement into one governance model.
Related resources from NHI Mgmt Group
- Who is accountable when fraud happens through a compromised identity flow?
- Who is accountable when a retail customer account is compromised through a partner system?
- Who is accountable when an AI platform exposes data and behavioural controls through backend flaws?
- Who is accountable when agent-based identity controls miss an application?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org