With fraudsters rapidly growing in sophistication, the Financial Ombudsman has announced “it’s not fair” to automatically blame customers for falling victim to banking fraud. With more and more stories surfacing where scammers have been able to bypass simple security checks and move a victim’s money around freely, what can banks do to better protect their customers from the risk of fraud?
Regulations like Open Banking and PSD2 have been put forward as an innovative way to deliver an improved service and better deals to banking customers. Part of the legislation calls for a strong authentication process whenever a payment is initiated, or remote account access is requested. This process, known as SCA (strong customer authentication), is intended to reduce online payment fraud and try to help banks converge on the authentication and fraud controls.
However, whenever new regulations are introduced, the whole industry is placed under considerable pressure to comply, which drives some organisations to push-back on the regulator. This discourse often leads to exceptions for organisations that can show they are managing the risks within certain constraints; allowing them to avoid the initial risks around non-compliance, without having to make large investments and risk impacting their customers. This means that for every change to these regulations going forward, the organisation will have to react accordingly, forever being one step behind regulatory changes.
And yet, a reactive approach isn’t necessarily the cheapest. It’s been proven time and time again that taking a reactive approach to regulation means that resources and technologies have to continually be stretched to meet requirements. Not to mention if there’s ever a non-compliance issue, there’s a risk of fines and loss of customer confidence, and you end up having to implement the maximum standards anyway. There is a risk that over time banks will begin to suffer from regulation fatigue, seeing more and more regulation coming into place without the benefits being recognised, they may start to look for the cheapest implementation to combat this.
By taking a short-term view, organisations can often end up taking a costlier route over time, than if an initial investment has been made at the beginning. Often the impact this has on customer experience can be considerable, as they encounter more friction due to a standardised catch-all approach taken to security. Whilst the compliance team might be happy, the CISO and the operations teams are paying the price with continued fraud risks and lowering customer satisfaction.
It’s certainly a paradox – how do you comply with regulations without increasing the risk of fraud whilst simultaneously maintaining a positive customer experience – and prove it? When it comes to banking, we understand there is a conflict of interest; consumers want to get on with their digital lives without unnecessary layers of security every time they click through a payment journey, however, they also want to know their money is safe and secure and are willing to take the necessary steps to ensure this. A simple code sent to the consumer to verify their identity just isn’t enough in today’s world, as demonstrated by banking lobbyists UK Finance who reported £731.8m lost in unauthorised financial fraud last year.
Banks need to be able to intelligently decide when to add additional layers of security, by combining the benefits of both hard and soft biometrics with machine learning, they can be truly confident the person moving money is who they say they are. Technology that learns the unique behaviours of customers, such as typing or swiping techniques, online habits and facial recognition will help determine whether someone’s behaviour is within their normal pattern. Where these identifiers throw up anomalies the bank then knows to introduce further tests. Also, consumers need the freedom to choose their identification method, eliminating the risk of isolating an entire demographic due to technology or restrictions on ability. Combined, this approach avoids a static rules-based method that we have seen can be easily replicated by the bad guys.
Financial services firms must also take advantage of better intelligence. This way, banks can protect their customers while still providing the seamless, friction-free service they expect from their digital experiences. Advances in Artificial Intelligence and Machine Learning means tools have been developed which can remove the need for additional authentication methods by utilising Secure User Authentication methods. Rather than asking the user for information, this system relies on learning the customer’s patterns and behaviour, including location – where is the access request being made; device – is the access request being made from an authorised device; and behaviour – assessing the user’s interaction through the log-in process, from key strokes to the ‘style’ of their swipe.
With each individual interacting with their device in a different way, this forms a second-layer of unbreakable authentication. Although we’re not quite ready to say goodbye to passwords completely, we are well on our way to a world where we can more intelligently and securely identify each individual – facilitating the move towards a solution that finally reduces fraud. By investing in the right tools, the identity paradox is solved, placing banks and their customers in a much better position. It’s clear there’s a third option when it comes to compliance around regulations, one that helps grow a business rather than just defend it.