As more businesses digitally transform, cybersecurity has become more important than ever. For banks, this threat is particularly imposing, as breached data creates opportunity for immediate and future theft. Rapid adoption of the cloud, the increasing connectivity of IoT devices and the exponential growth of data collection mean a bigger threat to companies and people. By 2015, the number of cyber attacks per week had tripled since 2010.
As this number and danger are expected to rise, financial institutions face a paradoxical challenge: How can companies in the middle of digital transformation keep information secure, while keeping the customer experience as friendly and simple as possible?
According to Intel, the average person has 27 passwords, and more than a third of people forget at least one password per week. More complex passwords are not the answer. Instead, today’s institutions are adopting different strategies in multi-factor authentication, biometrics and behavioral analytics to stay ahead of cyber-fraud. Understanding new developments in authentication and cybersecurity, as well as new expectations for customer experience, is necessary for your digital transformation.
The Changing Notion of Security
Even when companies aren’t liable for negligence or wrongdoing, the costs are real. In June of 2017, Anthem, Inc. agreed to a $115 million settlement to resolve its 2015 cyberattack that affected 78.8 million people. The almost routine occurrence of cyber attacks exposes the problem of collecting data and keeping that data safe. As the stakes rise for security, the expectations of customer experience are changing too. Inspired by frictionless companies like Netflix and Amazon, digital customers expect excellent user experience in every journey.
One of the fundamental problems with passwords is the challenge of keeping a password database secure. In 2004, the FDIC concluded that passwords alone were no longer adequate for authenticating a secure environment. Banks complied by adopting multi-factor authentication, which requires two or more identifiers for account access.
The most common example of two-step authentication is a bank card and a bank PIN: something you have, and something you know. Now, with new technology, banks are adopting biometrics into their multi-factor authentication portfolio—that is, something you are, such as a fingerprint or a retina scan. Many banks select a combination of solutions that work together for appropriate security. The FDIC lists a variety of authentication examples, including:
- Shared Information — Secret information or images shared between the customer and the bank
- Device Identification — A profile of the connecting device that can be used to authenticate the user in future transactions
- Geolocation — Establishing the geographic location from which the customer is connecting
- Internet Protocol (IP) Intelligence — Using the customer’s unique IP address
- Encrypted Cookies — Bits of data placed on the customer’s computer to assist in authenticating the customer
- Out-of-Band Communication — A call or text to a cell phone or an e-mail sent to an account for further verification
As the rigor of security and authentication has evolved, so has the notion of identity. The problem is no longer as simple as identifying real people; financial institutions have the added challenge of identifying devices, services, applications and systems. Account fraud and synthetic fraud (a blend of real and fake information) continue to grow. The larger discipline of identity access management (IAM) sees this as a shift from personally identifiable information to concept-driven identification. As processes around security and identity become increasingly complex, the nature of customer experience matters more than ever.
Security and Customer Experience
The role of customer experience has changed significantly as digital banking has grown. According to Equifax, the typical customer banks through a digital channel four times as often as they do with a physical representative. What’s more, when customers visit a branch, the physical channel itself is supported with digital tools. Customer experience in banking means striking a balance between usability and security. The more a bank knows about your devices, your accounts and you, the better a bank can create quality digital experiences and keep your investments secure.
By collecting data to understand the norms, financial institutions can recognize anomalies. To do this, banks must connect back-end systems to collect and share data that enables accurate decisions. Ken Allen, the SVP of Identity and Fraud Strategy at Equifax, explains how a layered approach can balance the responsibility of regulations, expectations, environments and fraud while remaining a good experience for the customer. Answering the following three questions can help you decide how to implement multi-factor authentication that isn’t overbearing, off-putting or too expensive.
1. Identity — Who is the user? Even though the majority of account access requests are legitimate, the first line of defense is to establish a relationship with the user. By creating a profile of who and where the user is, what the user wants to do and what device the user typically logs in from, the database has a lot of information that can be used to establish predictive analytics. Typical multi-factor authentication techniques like passwords, PINs and secret questions, together with studying geolocation and IP addresses, can help secure this first level of access.
2. Fraud — Should I do business with this user? A quality customer experience is created when a system is enabled with the tools to keep asking questions when necessary. If a user has deviated from their norm, then additional caution may be necessary. The system must be able to decide if doing business with the user is a good idea, especially if the user is engaging in suspicious activity. Some additional tools for this may be knowledge-based authentication, one-time use passcodes or certificate log-in, device recognition and biometrics. Again, these steps do not demand more of the customer at first; they are prompts that guide the system's decision-making process.
3. Compliance — Can I do business with this user? Another significant part of the authentication process is compliance. A system that can verify its user must also be able to determine if what the user wants to do is legal. Based on personal and behavioral data, a system that can determine the nature of the transaction adds another line of defense to security. This may require an analyst’s review, portfolio monitoring or case management. Success is possible when systems and humans can work together, which is only possible when an integrated system is designed to escalate cautiously, requesting extra identifiable information when necessary.
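The three questions above, sketched as a layered decision function that escalates only when a signal calls for it. This is an added example, not code from Equifax or from this article; the profile fields, signal names and the `REVIEW_AMOUNT` threshold are assumptions, and all sample values are constructed.

```python
from dataclasses import dataclass

REVIEW_AMOUNT = 10_000.0  # constructed threshold for analyst review, not a regulatory figure

@dataclass
class Profile:                 # what the bank has learned about the user's norm
    devices: set
    countries: set
    typical_max_amount: float

@dataclass
class Request:
    password_ok: bool            # primary credential result
    device_id: str
    country: str                 # from geolocation / IP intelligence
    amount: float
    payee_flagged: bool = False  # hypothetical watch-list hit
    step_up_passed: bool = False # out-of-band code or biometric already verified

def deviations(profile, req):
    """Signals that differ from the user's established norm."""
    found = []
    if req.device_id not in profile.devices:
        found.append("unrecognized device")
    if req.country not in profile.countries:
        found.append("unusual location")
    if req.amount > profile.typical_max_amount:
        found.append("amount above norm")
    return found

def decide(profile, req):
    """Return (decision, reasons), escalating one layer at a time."""
    # 1. Identity: who is the user?
    if not req.password_ok:
        return "deny", ["primary credential failed"]
    # 2. Fraud: should I do business with this user?
    reasons = deviations(profile, req)
    if reasons and not req.step_up_passed:
        return "step_up", reasons  # extra factor requested only on deviation
    # 3. Compliance: can I do business with this user?
    if req.payee_flagged:
        return "analyst_review", reasons + ["payee flagged"]
    if req.amount >= REVIEW_AMOUNT:
        return "analyst_review", reasons + ["amount needs review"]
    return "allow", reasons
```

A request that matches the profile passes with no extra prompt; the same user on a new device is asked for one more factor, and only flagged or large transactions reach a human analyst.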
Allen points out that collaborative decision-making is the key. Historically, as systems have evolved, decision making has evolved into silos. Certainly, fraud has become more complicated and affects organizations of different sizes differently. While debit and credit card fraud remains the largest loss line, application fraud and synthetic fraud are projected to increase steadily in the coming years. By connecting the dots, complementing behavioral data, internal data and third-party incremental data, financial institutions' analysts can make a decision when a systemic decision can’t happen.
Striking the Right Balance
Not only is the attention to a digital customer experience new for most financial institutions, but customer experience teams are also beginning to select and fund new fraud prevention programs. The Aite Group suggests that nearly 70% of financial institutions have cross-functional teams working to improve customer experience, and over 10% of these teams have decision-making and buying power.
Because of the importance of digital onboarding, the stakes of customer service have reached an all-time high. Inspired by services with easy and inviting onboarding processes, consumers expect an effortless sign-up everywhere. And with the large volume of choice available, banks can’t afford to have a difficult or confusing onboarding process. The Aite Group study reports that 70% of financial institutions agree that every new business feature is examined for its potential impact on the customer experience. Additionally, as more banks open self-service tools across more channels, more opportunity emerges for organized cybercrime. Fintechs like Acorns and Simple, and new products from big banks, like Zelle, are evidence of a shift toward excellent customer experience with easy onboarding.