Enabling secure customer transactions in banking

Trust us, we’re a bank

In a world where the bad guys get way more publicity than the good guys do, it’s easy to keep looking over your shoulder expecting the worst. Cybercrime has generated nervousness among ordinary people about how exposed they may be whenever they connect to the internet.

When they’re connecting to do anything with money, they feel that they might be in the sniper’s cross-hairs with every click they make. Can you blame them? It has been reported that financial fraud costs the UK £2 million a day. Banks, therefore, are faced with a two-fold challenge. Firstly, they have a responsibility towards customers and the data they hold on their customers’ behalf. That’s plain and simple. By regulation they must protect data. By GDPR standards, they must raise their game, but so must everybody.

The second challenge is trickier. Banks have to keep their customers calm. This is a new essential ingredient in delivering improved customer experiences. Trust is in the foreground of bank-customer relationships. Any discussion of anything to do with customer security and data protection is now essentially contextualised by GDPR. Some organisations see it as a little onerous. Others understand the opportunities it can bring. A recent DXC blog discusses the duality of data, and GDPR pressures: “GDPR: Not just compliance”.

“Hi, it’s me”

Between these two challenges there can be a gap between how customers perceive a security issue and how the bank does. Where customers see an issue as huge but the bank regards it as not too disturbing, the bank needs to handle its response with sensitivity.

Regardless of the precautionary measures that online or telephone banking may require (FCA regulations require that access be secure), banks can only win the customer trust vote if they at least match the best solutions that any other bank employs. That these measures need to be robust and reliable to combat the possibility of fraudulent account access is a given. That customers understand where such measures sit on the fraud spectrum is less clear, and it would benefit any bank to be explicit about where it can help, and where it can’t. If customers drop their guard, despite a bank’s best efforts to ensure authentication when accessing accounts, it doesn’t always fall to the bank to rectify losses.

Again, that’s a tricky one when a bank is judged and valued by the trust it engenders. Customer education, however, is important. People are always looking over their shoulders. There is often an ill-founded perception that it’s the role of the bank to do so as well, or even to look over people’s shoulders for them. Sometimes there’s little a bank can do to block a fraudulent transaction if the fraudster has gained access to the bona fide account holder’s name and details, account number and even password (you’d be surprised…no you wouldn’t). In cases like this, the fraudster becomes the bona fide account holder. This is where levels of authentication come in. It’s also where biometrics will eventually play an important role, although it’s early days yet.

Is it really you?

Essentially, authentication measures are designed to enable the bank to know that it is talking to the right person. They involve one of three methods: single-factor authentication (SFA), two-factor authentication (2FA) and multi-factor authentication (MFA). It can be assumed that the more factors that are involved, the more reliable the authentication; SFA is a check, 2FA is a double-check. MFA, well, you get it.

Any authentication procedure is designed to give access only to the right person once it has been confirmed that the bank is talking to the right person (there’s a subtle distinction); to verify that they are who they say they are. The introduction of sophisticated processes in the online channel is facilitated by both bank and customer sharing the digital environment for the interaction. Both parties are in communication through the same medium, so codes can be sent and acted on between devices; everyone’s tooled up.

Not all customers come in this way, armed with their devices and dexterity; the majority do, perhaps, but not all. All customers must be catered for. This is a strategic imperative for banks serving older customers, or where the predominant demographics do not align closely with digital lifestyles. This may apply to the heart of a traditional bank’s customer base, or to traditional retail operators’ banking arms.

Call centres, for example, ask for the first line of a customer’s address. This is not as robust as sending a one-time code to verify a log-in request. Banks need to address this area and ensure that consistent authentication processes are used across channels; one cannot be a poor cousin to any other. If call centre transactions for the non-digital customer cannot be elevated to the multi-factor perimeter protection of the digital world, perhaps authentication requirements should be modulated in accordance with the nature of the transaction.

Have you ever called your bank wanting to ask a simple question only to have them embark on the security questioning process? You need to be forceful but if you can derail the operative from their script you can get your message in: “I only want my branch’s post code!”. I say this to illustrate that not all access by an account holder of their account is high level stuff. Sometimes it’s just to check balances, or transfer money between identically named accounts, or to order statements.

Know your customer

Perhaps a pre-stage could assess the level of authentication required? Then, as the requirement enters serious territory, so too can the identity validation measures. Customers cannot conceivably find this an imposition since they understand the exposure risk. If a bank feels that they may not have this understanding then, once again, educate them.
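The pre-stage described here, and the call-centre contrast above between an address line and a one-time code, can be made concrete. The following is an added example, not code from the original post or from DXC: a hypothetical policy table maps transaction types to the number of distinct factor categories they require, a step-up check works out what a caller still owes, and a one-time code is verified as a possession factor using TOTP (RFC 6238). The transaction names, the tier numbers and the secret are constructed for the example; only the TOTP arithmetic and its published test vector are standard.

```python
"""Risk-tiered step-up authentication (added example).

A caller's verified factors are compared with the assurance tier of the
transaction they are attempting; the gap is what the operative must still
collect. Counting factor *categories* rather than checks is deliberate: a
password plus an address line is two knowledge checks and still single-factor.
"""
import hashlib
import hmac
import struct
import time
from enum import Enum
from typing import Optional, Set


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, memorable word, address line
    POSSESSION = "something you have"   # registered device receiving a one-time code
    INHERENCE = "something you are"     # biometric


# Hypothetical policy, constructed for this example: transaction type -> number
# of distinct factor categories required before it may proceed.
POLICY = {
    "branch_postcode": 0,           # public information, no authentication needed
    "balance_enquiry": 1,
    "statement_order": 1,
    "transfer_own_accounts": 1,     # identically named accounts, low exposure
    "payment_existing_payee": 2,
    "payment_new_payee": 2,
    "change_contact_details": 2,    # changing where codes are sent is high risk
}
HIGHEST_TIER = max(POLICY.values())


def factors_required(transaction: str) -> int:
    """Tier for a transaction; unknown types fail closed to the highest tier."""
    return POLICY.get(transaction, HIGHEST_TIER)


def step_up_needed(verified: Set[Factor], transaction: str) -> int:
    """How many additional distinct factor categories the caller must present."""
    return max(0, factors_required(transaction) - len(set(verified)))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.

    Candidate codes are compared in constant time so that a mismatch does not
    leak how many leading digits were right.
    """
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c, len(submitted)), submitted)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    # Constructed scenario: a caller has answered the address-line question only.
    caller_has = {Factor.KNOWLEDGE}
    for tx in ("branch_postcode", "transfer_own_accounts", "payment_new_payee"):
        print(f"{tx}: {step_up_needed(caller_has, tx)} more factor(s) needed")
    # Possession step-up: code sent to the registered device, checked with TOTP.
    DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    print("code accepted:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, time.time())))
```

The table lookup is the least interesting part; the point a practitioner would take from the block is that the step-up decision is made once, centrally, from the transaction's tier and the factor categories already held, so the same answer comes back whether the request arrives through the app or a call centre operative's screen.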

Frictionless security

The goal of all these considerations, the varying levels of authentication, the driving of consistency across all channels, and the potential calibration of required authentication by risk level of transaction type, is frictionless security. It makes life easier for the customer. It makes banking convenient. It reinforces trust.

Frictionless security removes any challenge from the customer interaction and thus makes the customer experience better. Open Banking and PSD2 will bring authentication further to the fore. See one of my colleagues’ blogs on Open Banking Standards: Forcing the gates of the walled garden open.

There remains the issue of consistency across channels. There is a limit to what customers can do over the phone. The optimum approach is to evaluate the true nature of call centre services and how they fit within a customer’s lifestyle. Ultimately a single mechanism for authentication is the ideal; a single central source for authentication. The balance is to reassure customers over the phone, even though they cannot undertake significant transactions. The key, once again, is education. The goal, everywhere and for every bank and every customer, is trust.