Eight seconds. That's all it took for Sarah to transfer RM5,000 to what she thought was her bank's fraud department. The caller sounded official–knew her account details, referenced "suspicious activity," created just enough panic to bypass her better judgment.
By the time she realized the "urgent security alert" was a scam, the money was gone–vanished into a mule account she'd never be able to trace. Her bank's seamless, one-tap transfer feature had worked exactly as designed. And that was precisely the problem.
For Sarah's bank, this isn't just one customer's loss–it's a reputation risk that compounds exponentially. Malaysia just recorded its worst year for financial scams on record: RM2.77 billion lost in 2025 alone, nearly double the RM1.28 billion lost just two years earlier. Recovery rates remain dismal–around 2% in most cases.
The speed that makes legitimate banking convenient is the same speed bleeding users dry, and once money moves through real-time payment rails, it's gone for good. In Southeast Asia's fintech race, speed has become the ultimate selling point. One-tap checkouts, instant transfers, minimal verification–these are the features plastered across app store descriptions and marketing campaigns.
But here's the uncomfortable truth: the industry's obsession with "frictionless" experiences is quietly fueling a security crisis. As scams surge across Malaysia and the wider region, a counter-intuitive strategy is gaining ground among savvy product teams–introducing intentional "positive friction" into digital finance journeys. Not to frustrate users, but to protect them.
When "Seamless" Becomes Risky
The fintech industry has spent years stripping away every possible barrier between users and their money. It makes sense on paper: fewer steps mean faster transactions, happier users, better conversion rates. Except we're now seeing the other side of that equation play out in real time. When a payment journey has zero friction, a scammer doesn't need to hack your system; they just need to socially engineer your user for a few seconds. The seamless design does the rest of the work for them.
A 2025 survey of 1,000 Malaysian adults found that 85% had encountered a scam, and 73% actually fell victim–losing an average of RM4,844.70 each. Even more troubling: 82% of those scammed were highly educated, and 78% were millennials, groups that presumably know better. Three-quarters of respondents said they face scams monthly, primarily through phone calls, messaging apps, and social media.
Yet despite 75% claiming confidence in spotting scams, the losses kept piling up. When a user can authorize a major transfer in seconds–often while distracted, rushed, or under pressure from a convincing caller–there's no time for second thoughts. Speed bypasses critical thinking, and conversion optimization starts looking like a security liability.
This isn't just a Malaysian problem. It's a regional pattern emerging wherever real-time payments take off. The trade-off is stark: maximize speed and watch fraud losses climb, or introduce safeguards and risk being labeled "clunky" by users conditioned to expect instant everything. But here's where the conversation gets interesting–not all friction is created equal.
Bad Friction vs. Good Friction: What's The Difference?
Let's be clear about what we mean by friction–the word carries baggage. Bad friction is the stuff that drives users (and product teams) up the wall: apps that crash mid-transaction, forms that force manual formatting or block paste functionality. These are technical failures masquerading as user experience–obstacles that serve no purpose except to waste time and erode trust.
Then there's good friction–the intentional, strategic kind. This is friction by design, not by accident. It shows up as:
- Cognitive pauses: Confirmation screens that create a beat of reflection. Research shows that a brief pause of around one second helps users make better decisions without feeling intrusive, while longer delays (around 2.5 seconds) start to increase cognitive conflict and irritation. That sweet spot matters.
- Biometric challenges: Requiring a fingerprint or Face ID for high-value transactions adds a layer of verification that feels secure, not obstructive.
- Cooling-off periods: Delay mechanisms that kick in when something looks off—a first-time payee, an unusually large amount, a login from a new device.
- Contextual verification: Security questions that only pop up when behavior deviates from the norm, not every single time.
The difference? Good friction feels purposeful. It creates a moment for users to pause and ask themselves: "Is this transaction actually legitimate?" It's not about making things harder–it's about making them safer in ways that users can understand and appreciate.
Positive Friction in Action: SEA Examples
So what does this look like in practice? Several Malaysian and regional players are already weaving positive friction into their products–and the results speak for themselves.
Bank Negara's "Kill Switch" policy is one of the most visible examples. By introducing a cooling-off period for new device and payee registrations, it gives users a critical window to spot unauthorized changes before money moves. It's not instant, but that's the point. The delay acts as a safety net.
The shift away from SMS OTPs is another telling move. SMS interception has become trivially easy for scammers, so major Malaysian banks are pivoting toward app-based authentication and biometric verification. Instead of a code that can be phished or intercepted, users now approve transactions directly within secure apps–adding friction that actually strengthens security rather than weakening it.
Then there are the super apps–Grab, Touch 'n Go, Maybank–all quietly layering in friction points that most users barely notice until they need them. Transaction limits that require additional verification for large amounts. Geo-location checks that flag unusual activity. Mandatory delays for first-time large transfers.
These aren't bugs; they're features. Slight inconveniences that significantly reduce fraud, deployed in ways that don't disrupt the majority of legitimate transactions. The pattern is clear: these aren't obstacles. They're safety nets that rebuild user confidence in systems that were moving too fast for their own good.
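As an added illustration (not code from any bank, app or regulator named here), the sketch below shows how the friction types listed earlier and the limits and delays described in this section can be combined into one risk-based policy, so that routine transfers stay one-tap and only risky ones are slowed down. The thresholds, field names and step names are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds for illustration; not figures from any bank or regulator.
HIGH_VALUE_RM = 1_000               # biometric step-up at or above this amount
UNUSUAL_FACTOR = 2                  # "unusually large" = over 2x the user's usual maximum
COOLING_OFF = timedelta(hours=12)   # window after a payee or device is registered

@dataclass
class Transfer:
    amount_rm: float
    usual_max_rm: float             # largest amount this user normally sends
    payee_added_at: datetime
    device_added_at: datetime
    requested_at: datetime

@dataclass
class Decision:
    steps: list                     # ordered friction steps; empty means one-tap
    release_at: Optional[datetime]  # earliest time funds may move, if held

def decide_friction(t: Transfer) -> Decision:
    new_payee = t.requested_at - t.payee_added_at < COOLING_OFF
    new_device = t.requested_at - t.device_added_at < COOLING_OFF
    unusual = t.amount_rm > UNUSUAL_FACTOR * t.usual_max_rm
    high_value = t.amount_rm >= HIGH_VALUE_RM

    steps, release_at = [], None
    if new_payee or new_device or unusual or high_value:
        steps.append("confirm_pause")         # roughly one-second confirmation screen
    if high_value:
        steps.append("biometric")             # fingerprint / Face ID step-up
    if unusual or new_device:
        steps.append("contextual_question")   # only when behaviour deviates
    if (new_payee or new_device) and (high_value or unusual):
        # Hold until the newest registration has aged past the cooling-off window.
        newest = max(t.payee_added_at, t.device_added_at)
        release_at = newest + COOLING_OFF
        steps.append("cooling_off_hold")
    return Decision(steps, release_at)

# Constructed sample inputs.
NOW = datetime(2025, 6, 1, 14, 0)
OLD = NOW - timedelta(days=90)
ROUTINE = Transfer(50, 800, OLD, OLD, NOW)                           # known payee, small amount
RUSHED = Transfer(5_000, 800, NOW - timedelta(minutes=3), OLD, NOW)  # payee added minutes ago

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE), ("rushed", RUSHED)):
        print(name, decide_friction(tx))
```

The routine transfer returns no steps at all, while the rushed RM5,000 transfer to a minutes-old payee collects every step and is held until the payee registration is 12 hours old.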
The Business Case: Trust as ROI
Here's where the conversation shifts from security to strategy. Positive friction isn't a conversion killer–it's a retention strategy.
Think about Customer Lifetime Value (LTV). Users who trust your platform stick around. They transact more, refer friends, upgrade to premium features. But one major security breach–one viral story about someone losing their savings through your "seamless" app–can erase years of UX optimization and marketing spend.
With recovery rates this dismal and losses this heavy, users who experience that kind of loss, or even hear about it happening to someone they know, don't just delete your app. Word spreads fast in a market as connected as Southeast Asia, and one bad story can torch your app's reputation overnight. Meanwhile, competitors who've invested in positive friction can position themselves as the "safe and fast" option, not just the fast one.
There's also the regulatory angle. Proactive friction may prevent mandatory interventions down the line. If banks and fintechs don't self-regulate with smart safeguards, regulators will step in with blunt instruments that might be far more disruptive than a well-designed one-second pause.
And finally, competitive differentiation. In a market flooded with apps competing on speed alone, being genuinely secure becomes a differentiator. Users are getting smarter. They're asking harder questions. The product that can say "we're fast and we've got your back" is the one that wins long-term loyalty–especially when 74% of Malaysians are encountering scams every single month and are actively looking for platforms they can actually trust.
The Path Forward
Speed without safety is a false optimization in SEA's high-risk fintech environment. We've learned this the hard way, with users left wondering how their "secure" apps failed them.
The future of fintech UX isn't about removing all friction–it's about designing intentional friction that protects users while maintaining the efficiency they expect.
For product leads and CTOs navigating this shift, the question isn't "How fast can we make this?" It's "How can we make this fast and trustworthy?"
In a region where scams evolve daily and users are growing warier by the month, positive friction isn't a feature you bolt on later. It's a foundation you build from the start.

