Improve the Security Experience for Financial Services Customers
Authentication and security aimed at preventing account takeover, card fraud and more are often top of mind for financial services organizations — particularly with approaching deadlines for Secure Customer Authentication (SCA) in Europe. Approaches are often the result of a trade-off between customer experience and security that may be noticeable to those who use services from multiple providers or across multiple countries. This was evident in the low uptake in markets like the US of 3D Secure for online card payments — where ecommerce merchants were willing to pay higher interchange fees to avoid customer inconvenience and cart abandonment. 3D Secure 2 (3DS2) should be a good test of the success of extra investment in security aimed at improving customer experience and may hold lessons for other forms of user security for banking services. 3DS2 leverages additional data provided from the merchant to the issuer to determine the riskiness of a transaction and the need for security verification such as multi-factor authentication.
Nevertheless, it can still feel as if customer experiences are at the mercy of the relative strengths of the risk team vs. that of the customer or digital officer in the financial services organization security decision making process. Some of the considerations for teams planning to implement or refresh security services in their banking channels are discussed below.
Complex authentication or validation steps for online banking access or transaction approval may present a hindrance to those not easily able to execute actions across multiple devices in a short window of time. Accessibility should be a key consideration and align to the nature of the bank’s customer base. Consideration should also be given to reporting metrics like false positives across segments of the customer base.
The customer experience after an anomaly is detected is often ignored but can be critical — particularly in circumstances where overall true & false detection rates are high. Sometimes these experiences get less attention as the provider’s focus is on risk management. Consider the customer journey after anomaly detection, along with how accessible touchpoints are and options for further digitizing the process.
The opportunity customers are given to be proactive in preventing potential false positives can also be important. Most banks that have implemented some form of geo-fencing for banking services sign-in or card use have started providing self-service in-app routes to notify the bank about intended travel. But more sophisticated capabilities are rarer. In the same way that advanced analytics is used to aid in detection, those analytics can potentially be wrapped into capabilities that allow customers to help improve the accuracy of these models by selectively providing well-timed inputs.
The way identities and security processes are integrated into other services — for example documents that need to be shared securely with a business or retail customer — is often sub-optimal. If some form of authentication or identity validation takes place to open a statement, proposal or other confidential communication how is this approached? Many times the experiences here seem to be mixed and support across devices is not always consistent. For business banking and insurance services handling these types of documents can be more important. Where a portal is provided for document delivery, are documents extracted from the portal sufficiently secure?
For business banking and insurance services single sign-on is being adopted by some early movers. In some cases insurers have led the way in this regard with services to intermediaries. Single sign-on may bring convenience and, depending on the implementation, potentially better security. There is also an opportunity to empower business banking security administrators within the customer with more details on the activity of their users and potential risks.
The general profiling of anomalous customer behaviour that may inform some of the points of risk detection mentioned above can also be leveraged in numerous other ways — assuming this is done so that data is handled in a way that has been communicated to the customer and is to the customer’s benefit. Uses may extend to service optimization suggestions, personal financial management recommendations, targeted offer presentation, early detection of financial distress for a borrower and more.
Managed identity and security services from cloud providers can provide a comprehensive set of advanced features:
· Highly available authentication services
· Multi-factor auth delivered in white-labelled apps, on wearables and more
· Threat protection capabilities
· Cross-platform email/document security
· Single sign-on for business banking and partnering / intermediary needs.
Such solutions are starting to attract attention from banks and insurers.
A final dimension worth considering is insurance against cyber risks. At the bank or insurer level this may demand a certain standard of operation, threat detection and reporting. These requirements are worth proactively considering during solution planning.