Data Protection – a Key Risk for Banks

By Tim Ayling, VP EMEA, buguroo

GDPR has helped make data protection a key risk for financial services companies. Leaking sensitive data can result in online banking fraud, not to mention the huge fines of up to 4% of global turnover or €20m– whichever is higher – that can be incurred as a result through non-compliance.

Now, new regulation in the form of PSD2, which again focuses heavily on consumer protection, is just around the corner, and banks must adapt again.

PSD2 aims to do three things: promote new players in an open banking landscape, reinforce the cybersecurity of payments and online fraud prevention, and empower consumer rights. In order to comply whilst retaining customers and continuing to attract new customers, financial services companies must work out how to create the right balance between a high level of security and a frictionless user experience, especially as currently most new customers are attracted digitally.

And where a company’s fraud detection methods are not sufficiently comprehensive, this new regulation will create huge friction in the user experience for their customers, as Strong Customer Authentication (SCA) will be required every time the customer attempts to pay online or access their online banking services, and when they initiate an electronic payment transaction over the value of €30.

SCA is when the payer must be authenticated by a Payment Service Provider (PSP) through at least two of these three factors: something you know (PIN number or password), something you have (a credit card or SMS One Time Passcode (OTP), and something you are (something that is inherent to you such as your fingerprint or behavioral biometrics).

To remove this extra friction for the end-user, financial services companies need to invest in a comprehensive anti-fraud solution that not only protects them from fraudsters, but actively enables compliance with financial regulation and simultaneously improves user experience.

Therefore, it is crucial to find ways to authenticate the user in the quickest and least obtrusive way possible. Most methods of authentication require some level of user interaction, for example the One Time Passcode (OTP) received in an SMS. One way to remove this extra step is through the use of behavioural biometrics, which can – in some instances – offer continuous analysis of thousands of parameters about each and every banking customer. These include, for example, the way in which they hold their phone or move the mouse.

Behavioral biometrics allow authentication to occur constantly and invisibly, having absolutely no impact on the customer. In fact, it renders their online experience more straightforward by removing the need for them to do anything except login whilst enabling the bank’s compliance with PSD2. The customer’s security is maintained and increased through continuous authentication during their session and the bank can access higher levels of customer acquisition through their offering a frictionless banking experience.

It’s not always practical to use SCA for every transaction, and there is an instance where SCA isn’t deemed necessary: low risk transactions, for example those that are under €30. If banks do not want to enforce SCA on such transactions, there is another option.

In this instance, PSD2 instead requires a Transaction Risk Analysis (TRA). This is where the risk of a transaction is measured by a solution that can provide a risk value in real time. Detecting malware in a user’s online session is required by PSD2 in building the risk score provided by this system, if they want to be exempt from enforcing SCA.

This is tricky, as banks cannot tell customers to install anti-virus software on their devices and it is not easy to find an agentless solution that has the ability to detect unknown malware. To comply with this element of PSD2, banks should seek out fraud prevention vendors providing solutions capable of detecting malware that is injecting or modifying code during a user session, as well as malicious apps or software that cybercriminals may have installed onto the user’s device.

Behavioral biometrics once again has a role to play here that can help customers to comply, enabling banks to analyze the user’s real-time behavior with parameters such as their historical behavior patterns and actions, characteristics of the device and the network they typically use, their geolocation data and many other types of information. Together, this information can generate a risk score that helps the bank to make an informed decision about the validity of the transaction being carried out.

We can see that regulators have made fraud prevention a cornerstone of PSD2, and how banks will need to turn to vendors who can help them comply with new regulation in the most comprehensive way possible.

Solutions involving behavioral biometrics and deep learning make it easier for fraud controllers to do their job, and to demonstrate that all avenues to mitigate fraud have been explored.

Criminals will always look for the path with the least resistance. Employing behavioral biometrics as part of a comprehensive security strategy means that businesses can reduce friction in the end-user experience through its invisible authentication factor. And as some anti-fraud solutions which employ behavioral biometrics do not use customers’ personally identifiable information (PII) in order to counteract banking fraud effectively, they can remain compliant with GDPR as well as PSD2.