Why Fintechs Still Pay for Failed Verifications

By Sipan Babertsyan, CEO at TopMessage
“Your code is 2026. The code will expire in 5 minutes.”
Every time this message is sent, something quietly happens in the background. The fintech company pays for that SMS whether the user verifies instantly, retries three times, or the message never arrives at all.
For companies processing tens of thousands of verifications daily, this is not a minor inconvenience. For high-volume fintechs, verification can become a visible and sometimes painful line item in operating costs.
How the Industry Arrived Here
To understand why, some context helps.
The adoption of SMS as an authentication channel was reasonable at the time. Before one-time passwords became standard, institutions relied on static passwords, while some explored paper-based code sheets as an alternative. Email authentication struggled as a second-factor option because it shared many of the same security risks as internet-based login flows and was often too slow for real-time transactions.
As mobile penetration grew in the mid-2000s, SMS offered a compelling mix of speed, reach, and separation from internet-based attack vectors. It became the natural choice for out-of-band authentication. At the time, digital transaction volumes were still modest enough that the cost model attracted little scrutiny.
Over the years, 3D Secure became mandatory, digital transactions scaled massively, and verification volumes grew into the billions. But the commercial model changed far less than the technology around it. The industry continued to price verification largely as message delivery, not as successful authentication.
Where the Money Goes
The technology to reduce failed or abusive verification traffic already exists. The most advanced CPaaS platforms offer fraud detection, bot filtering, and traffic analysis tools designed to stop bad requests before they trigger billable messages.
In practice, however, the outcome depends heavily on the size and resources of the fintech company.
For large enterprises, these tools can be highly effective. Many have the internal teams needed to monitor traffic patterns, tune fraud rules, optimize routing, and build fallback logic. Some have already built in-house optimization systems and now use CPaaS infrastructure mainly as the final mile of message delivery.
For small and mid-sized fintechs, the story is different. They may pay for sophisticated fraud tools, but often lack the specialist teams needed to manage them properly. When fraud spikes, traffic quality drops, or carrier pricing changes suddenly, they are exposed.
As an insider who monitored this for years, I remember pacing my apartment at 2:00 AM, staring at server logs and invoices. In one case I saw, verification costs had increased by more than 300% in a single quarter, driven by carrier price changes and relentless OTP spam bots.
That 2:00 AM moment is not unique to me.
The deeper issue is not only technical. It is commercial. Most players in the chain benefit from message volume, but rarely share responsibility for whether that volume creates value. A sent message is billable, even if the user never receives it, never enters the code, or was never a real user in the first place.
A Different Model
One model now being explored by some European fintechs and infrastructure providers is outcome-based pricing: companies are charged only for verifications that are successfully completed.
Undelivered messages, expired codes, repeated failed attempts, and abusive traffic fall outside the billable event.
The logic is simple, but the execution is not. It requires a provider willing to absorb delivery and conversion risk, which in turn demands stronger routing infrastructure, better fraud controls, and a different commercial relationship with carriers.
When this model is discussed by European fintech companies, the initial reaction is often scepticism. That is understandable. The expectation of paying for every sent message, regardless of outcome, has become deeply normalised across the industry.
But the question fintechs should ask is straightforward: are we paying for authentication, or just for message attempts?
For institutions that have never modelled this, the numbers are often surprising. For those that have, many are already quietly restructuring their verification infrastructure.
Fintechs do not need to abandon SMS overnight. But they should stop treating every sent code as a success.
What Fintechs Should Be Asking
Whether or not outcome-based pricing becomes the industry standard, now is a good time for fintech companies to pressure-test their assumptions.
Questions Worth Asking:
- What percentage of OTP attempts result in completed verification?
- How much spend is caused by retries, expired codes, undelivered messages, or abandoned flows?
- Which countries, routes, or carriers create the most failed attempts?
- How much traffic is likely to be bot-driven or abusive?
- Who absorbs the cost when fraud or pumping traffic spikes?
- Are we paying for message delivery, or for successful authentication?


