The Fourth Generation of Account Verification Has Arrived
By Daniel Haisley, EVP Innovation | Apiture
I have a bad habit, and I suspect I’m not alone.
You know that brief period each morning when you’ve only partly opened one eye, because with anything more than that, even the dimmest light seems brighter than a magnesium fire? It’s in that moment each day that I reach over and check my phone for the first of many, many times. It’s the absolute first action I take, every day of my life.
Normally, this is much ado about nothing … but today from a hotel bed while out on the conference circuit, I saw a missed text message. The message from my wife said simply, “We’ve been hacked.” She had my attention.
It turns out, it was just some fellow of questionable scruples in Chile who managed to get access to my Netflix credentials so that he could binge watch a bunch of Spanish-language Japanese anime cartoons. (Who knew such a thing existed?) A simple password reset, and it was almost like it never happened. Nevertheless, it got me thinking about how much worse it could have been. Inevitably this fine, upstanding chap purchased a list of credentials from who knows which system breach and began credential stuffing across major platforms until he found one that would work. Netflix is one thing — but what happens when it’s my banking credentials that are compromised? It’s much easier to clean up from Netflix’s next movie recommendation algorithm, not understanding why I had an apparent spike in Catalonian cartoons, than from my savings account being liquidated.
In banking, our habits have been just as bad. We’ve built up an infrastructure that relies upon undue risk acceptance from accountholders related to the handling of some of their most sensitive data — the usernames and passwords to online banking systems.
According to PYMNTS (2021), 80% of U.S. consumers have provided their banking credentials to a third-party service as part of managing their financial lives in one way or another. This often happens when using popular tools like personal finance managers, P2P payment providers, or investment applications.
The banking industry is currently in the third generation of processes for validating and connecting bank accounts with third parties. The first generation was the classic notarized printout on bank letterhead. We couldn’t get away from this fast enough, though mortgage originators still leverage this relic from time to time. Second came microdeposits, where accountholders would wait to verify two small deposits after giving the ACH network two days to run its course. The last 10 years have brought the third generation: today, to move money or share transaction history from your bank with a third-party application like Mint or Cash App, you’re asked to select your bank, then provide your username and password to verify access. Likely, you’ll need to confirm a one-time passcode delivered via SMS or email, and possibly even select which of the nine boxes contain images of something to confirm you’re not a robot. While this process may be an experiential improvement over the days of microdeposits, it relies upon end users willingly exposing their credentials to what can often be multiple third-party systems.
It doesn’t need to be this way. Just as the industry shifted away from microdeposits in favor of APIs for verifying external accounts, the next revolution is upon us.
Enter OAuth, stage left.
For the massively improved fourth generation of account verification, financial institutions are actively moving to “Open Authorization,” or OAuth, to let end users grant third-party applications access to their data without handing over their credentials. In this scenario, as the bank customer attempts to link their bank account from within the third-party application (like Mint or Cash App), instead of providing their credentials to an aggregator for handling, they are sent to the login page of their bank and provide their online banking credentials directly to their bank, so the credentials never pass through a third party. Additionally, when the customer subsequently logs into their digital banking solution, they’re able to see and manage the third parties with whom they’ve chosen to share their data. In a world where straddling the lines between customer experience, data security, and system performance is paramount, OAuth checks each of these boxes.
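To make the difference between the third and fourth generations concrete, here is an added example (not code from the original article, nor from Apiture or MX) that simulates the linking flow described above in Python. A hypothetical bank authorization server, a hypothetical fintech client, and an accountholder all run in one process so it works offline; the bank name, client id, redirect URI, account, password and transaction data are all constructed. It uses the standard OAuth 2.0 authorization-code grant with a PKCE challenge and a state parameter (both standard protections, not something the article specifies), and finishes with the accountholder revoking the app’s consent from the bank’s side, which is the “see and manage the third parties” capability mentioned above.

```python
"""Hypothetical in-process simulation of fourth-generation (OAuth 2.0) account linking; all names and data are constructed."""
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class BankAuthServer:
    """The bank: the only party that sees the password; it records consent and issues scoped tokens."""
    SCOPES = {"transactions", "balances"}
    DATA = {"transactions": [("2024-01-02", -42.10), ("2024-01-03", 1500.00)], "balances": {"checking": 1457.90}}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def __init__(self):
        salt = secrets.token_bytes(16)
        self._users = {"alice": (salt, self._hash("correct horse", salt))}  # constructed demo account
        self._clients = {"fintech-demo": "https://app.example/callback"}  # registered redirect URI
        self._codes = {}    # authorization code -> pending grant (single use)
        self._tokens = {}   # access token -> consent id
        self.consents = {}  # consent id -> record the accountholder can view and revoke

    def authorize(self, url: str, username: str, password: str) -> str:
        """The bank's login page: validate client, scope and credentials, then redirect back with a code."""
        q = _query(url)
        scope = set(q.get("scope", "").split())
        if self._clients.get(q.get("client_id")) != q.get("redirect_uri") or not scope <= self.SCOPES:
            raise PermissionError("unknown client, redirect_uri mismatch or unsupported scope")
        stored = self._users.get(username)
        if not stored or not hmac.compare_digest(self._hash(password, stored[0]), stored[1]):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(24)
        self._codes[code] = dict(user=username, client=q["client_id"], scope=scope,
                                 challenge=q["code_challenge"], redirect_uri=q["redirect_uri"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
        """Token endpoint: consume the code once, verify PKCE, issue a bearer token tied to a consent."""
        grant = self._codes.pop(code, None)
        if grant is None or (grant["client"], grant["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("invalid code or client mismatch")
        if _b64url(hashlib.sha256(verifier.encode()).digest()) != grant["challenge"]:
            raise PermissionError("PKCE verification failed")
        consent_id = secrets.token_hex(4)
        self.consents[consent_id] = dict(user=grant["user"], client=client_id, scope=grant["scope"])
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = consent_id
        return {"access_token": tok, "token_type": "Bearer", "scope": " ".join(sorted(grant["scope"]))}

    def resource(self, token: str, endpoint: str):
        """Data API: a token works only while its consent exists and only within its scope."""
        rec = self.consents.get(self._tokens.get(token))
        if rec is None or endpoint not in rec["scope"]:
            raise PermissionError("token invalid, revoked or out of scope")
        return self.DATA[endpoint]

    def linked_apps(self, username: str) -> dict:  # the "manage third parties" view in online banking
        return {cid: r for cid, r in self.consents.items() if r["user"] == username}

    def revoke(self, username: str, consent_id: str) -> None:  # unlinking kills every token under it
        if self.consents.get(consent_id, {}).get("user") == username:
            del self.consents[consent_id]

class ThirdPartyApp:
    """The fintech app: it handles a redirect, a code and a token, never a password."""
    CLIENT_ID, REDIRECT_URI = "fintech-demo", "https://app.example/callback"

    def __init__(self, bank: BankAuthServer):
        self.bank = bank
        self.verifier = secrets.token_urlsafe(32)  # PKCE secret, never leaves the app
        self.state = secrets.token_urlsafe(16)     # binds the callback to this session
        self.token = None

    def start_link(self, scope: str = "transactions") -> str:
        """Build the URL that sends the accountholder to the bank's own login page."""
        challenge = _b64url(hashlib.sha256(self.verifier.encode()).digest())
        return "https://bank.example/authorize?" + urlencode(dict(
            response_type="code", client_id=self.CLIENT_ID, redirect_uri=self.REDIRECT_URI,
            scope=scope, state=self.state, code_challenge=challenge, code_challenge_method="S256"))

    def finish_link(self, redirect_url: str) -> str:
        """Handle the callback: check state, then swap the code for a token."""
        q = _query(redirect_url)
        if q.get("state") != self.state:
            raise PermissionError("state mismatch: callback does not belong to this session")
        self.token = self.bank.token(q["code"], self.verifier, self.CLIENT_ID, self.REDIRECT_URI)["access_token"]
        return self.token

def demo() -> dict:
    """Run the flow end to end and report what each party ended up with."""
    bank = BankAuthServer(); app = ThirdPartyApp(bank)
    app.finish_link(bank.authorize(app.start_link("transactions"), "alice", "correct horse"))  # typed on the bank's page
    txns = bank.resource(app.token, "transactions")
    (consent_id,) = bank.linked_apps("alice")
    bank.revoke("alice", consent_id)  # the accountholder unlinks the app from online banking
    try:
        bank.resource(app.token, "transactions")
        revoked = False
    except PermissionError:
        revoked = True
    return {"transactions": len(txns), "app_saw_password": "correct horse" in repr(vars(app)), "revoked_blocks_access": revoked}
```

Running `demo()` shows the three properties the paragraph is about: the fintech app never holds the password (only a redirect, a one-time code and a scoped token), the token can read only what the accountholder agreed to share, and the accountholder can cut off access from inside the bank without touching the third-party app. Contrast this with the third-generation model, where the aggregator stores the username and password and nothing the bank does short of a password reset can end that access.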
So, What’s Next?
Before this customer-led utopia of fourth generation account linking can really take shape, financial institutions have a few actions to take.
First, they must enable their systems to be accessed via OAuth. The largest institutions may opt to build these endpoints and data management services themselves, but for most financial institutions, this will be best accomplished by engaging with a partner like Apiture or MX. Partners can empower financial institutions to bring massive value to clients in a short span for relatively little effort.
Second, financial institutions must engage with their end users to educate them about these changes. Customers need to be active participants in the management and security of their financial data, and their bank or credit union is the trusted advisor to guide them along this path.
In a world where Open Banking is blurring the lines of banks, fintechs, and non-financial-oriented service providers, banks and credit unions are best positioned to lead these discussions. Consumers ultimately trust their bank when it comes to security and therefore are open to leveraging this resource for financial wellness and security education. Hold webinars, arm branch and support personnel with talking points, create purpose-driven collateral to set client expectations, and in so doing, further deepen the bank or credit union’s stance as a sage financial steward.
The largest financial institutions have a head start and are steadily making their OAuth services available to the various system integrators, directing traffic that way to avoid the historic screen scraping of yesteryear. It is time for the remaining institutions to act quickly to dramatically improve data security processes, system performance, and customer-led data control.
If they’re anything like me, bank customers may still perpetuate the bad habit of groggily checking their phones with the first alarmed tones of morning — but the banks themselves can rest assured they’ve put their clients in a better position to avoid the dreaded “we’ve been hacked” notification.
Works cited
PYMNTS. (2021, November 10). 80% of Consumers Have a Third-Party Financial App Connected to Their Bank Account. Retrieved from PYMNTS.com: https://www.pymnts.com/digital-first-banking/2021/80-pct-of-consumers-have-a-third-party-financial-app-connected-to-their-bank-account