Zia Hayat, CEO Callsign
Earlier this year, the Financial Ombudsman proclaimed that “it’s not fair” to automatically blame customers who find themselves as a casualty of banking fraud. The organisation came out with this statement as reports of scammers were soaring through the roof, as fraudulent techniques and tactics became ever more complex. In fact, scammers have reportedly been able to side-step standard security measures and use a victim’s money as they please on multiple occasions. So, how can banks respond to the Financial Ombudsman with new strategies and technology to keep their customers safe?
Fortunately, there have been efforts made to improve services and increase the range of deals available to banking customers in the form of regulation like Open Banking and PSD2. A subsection of the legislation requires banks to offer a new, stronger authentication process when their customers initiate a payment or request remote account access. Strong customer authentication, or SCA as it has come to be known, is designed to diminish online payment fraud as well as encourage banks to share their learnings and technology regarding fraud controls and authentication methods.
Unfortunately, SCA has fallen into a similar trap to that witnessed whenever a new piece of financial regulation is introduced – organisations are pushing back on the regulator because they are under too much pressure to comply and don’t have the capability and/or resources to do so in the given timeframe. The outcome of this is that exceptions are often made for organisations who can illustrate how they are handling the risks within certain guidelines. Consequently, these companies have the ability to bypass the early risks associated with non-compliance, without having to invest a considerable amount of time and money or affecting the service being delivered to their customer base. The knock-on effect of this is that banks will always be on the back foot in terms of regulatory changes, because each incremental change to regulations going forward will require a corresponding internal reaction.
Taking a reactive methodology can also be costly. There have been multiple cases when banks have chosen this approach only to find that when the time comes to comply, they do not have sufficient resources or technological capabilities to meet the new conditions. These organisations also put themselves at huge risk of fines and reduced customer confidence in the face of a non-compliance issue. In these scenarios, the company in question will need to then fulfill the required standards regardless.
It’s common for businesses to end up going down the costlier route by taking a short-term view and not accepting that a reasonable investment at the outset would be more fruitful over time. Customer experience can also suffer a detrimental impact through this approach because companies are forced to take a standardised catch-all approach to security which, in turn, increases friction during the transaction process. Yes, it is important to keep the compliance team content; however, this shouldn’t be to the detriment of operations teams and the CISO, who are left picking up the pieces of ongoing fraud cases and customer complaints.
Are we seeing banks caught in a Catch-22? On one hand, they must comply with the latest legislation without leaving their customers vulnerable to new types of fraud, while on the other, prove that they can maintain a positive customer experience. Furthermore, consumers’ prerogatives are also at loggerheads – they want to continue their digital lives by having a streamlined, user-friendly banking experience without multiple security questions every time they want to conduct a transaction. Yet, at the same time they want to rest assured that their money is protected and are keen to take the necessary steps to guarantee this is the case. With a reported £731.8m lost in unauthorised financial fraud last year, it is clear that existing layers of security are not enough to protect consumers in this day and age.
So, what other layers need to be incorporated into the identification process? By uniting the benefits of both hard and soft biometrics with machine learning, banks are empowered to decide what methods are most suitable on a case-by-case basis. There is technology at hand which can analyse data about people’s behaviour, including facial recognition, typing or swiping techniques, and online habits, which, when combined, has the ability to determine if someone’s behaviour is normal. If irregularities in the data are identified, then the bank is alerted so they can implement additional security measures. This form of identification has the added benefit that consumers can pick their preferred method of identification, removing the possibility of excluding a whole demographic as a result of restrictions on ability or technology. As a result, the static rules-based method that is regularly exploited by fraudsters can be circumvented.
Improved intelligence must also be utilised by financial services firms because banks will have a greater ability to protect their customers while concurrently offering the frictionless service they expect from a digital experience. As developments in Artificial Intelligence and Machine Learning technologies skyrocket, there are more tools than ever which can eliminate the requirement for additional means of authentication by utilising Secure User Authentication. Normally, users are asked to enter their personal details when conducting a transaction, but with this system, the customer’s patterns and behaviour, such as their device (is the access request being made from an authorised device?), their location (where is the access request being made?), and behaviour (evaluating the user’s interaction via the log-in process, from the ‘style’ of their swipe to keystrokes) are relied upon instead.
Banks have one thing on their side which offers a second layer of unbreakable authentication – every individual interacts with their mobile device completely differently. That’s not to say that passwords are completely redundant; they will always have a place in the authentication process. However, we are now able to draw on more reliable and intelligent data points in order to identify people. Overall, we are making great steps towards a solution that decreases the amount of fraud, but it is the responsibility of banks to invest time and money to make sure they can break their Catch-22, leaving them more compliant without negatively impacting the overall user experience.