Well, here we go again. As Covid-19 cases continue to surge and local officials impose restrictions, brick-and-mortar companies are once again limited in their ability to deliver their services, forcing them to double down on their remote location strategies. From curbside pickup, to Uber Eats, to an “Amazon Prime” Christmas, the surge in the last 90 days has exacerbated an already difficult business environment. And banking has been no exception. In fact, the consequences have been more significant given the nature of in-person banking…just imagine the difficulties inherent in bringing that service curbside. So, what exactly has the pandemic done to banking?
With in-branch services limited, less digitally savvy, first-time digital customers have made the jump to online banking products like Klarna for real-time loans, and digital-only bank account offerings like Starling Bank, Atom Bank, and Monzo. The move has been a digital consumer bonanza for online financial institutions which, while happy with the new customers, are left with the daunting task of determining who they are and whether to trust them.
Who are these people?
Unquestionably, the transition to digital banking has brought positive benefits to first-time users such as greater convenience and transparency, but it has also resulted in a less than desirable outcome: increasing levels of fraud and sophistication in attacks. The reality is that many of these nascent digital customers have very little online transaction history and virtually no digital identities as a reference point for identity and verification. Consequently, with more and more of them moving their banking online, traditional methods of determining “who is on the other end of a transaction” have been tested, and in many cases have become less effective or completely obsolete. And here’s the rub: with little to no digital identities, limited transaction history, and never-before-seen devices, financial organisations are defaulting to more draconian verification methods…stepping up customers, challenging them with KYC questions, and generally increasing transaction friction.
Go easy on them
Yet, before we castigate the institutions in question, a degree of understanding is warranted. After all, the tsunami of new online transactions represents a significant challenge. And what’s a bank to do? If a bank falsely deems a transaction fraudulent, it ruins the customer’s online experience by creating unnecessary friction, which predictably leads to transaction abandonment. On the other hand, if the bank defaults to no friction and allows all of these new transactions to run, it could be a fraudster’s paradise…“free loans, credit cards, and other financial instruments on aisle 3!” So, determining the person on the other end of the transaction is paramount to a customer’s experience as well as the future success of a financial institution in maintaining account holders and preventing fraud losses.
Fraud fighting is a full-time, real-time business…and it isn’t cheap!
Fraudsters learn, adapt, share insights, and then repeat the cycle. Always searching for vulnerabilities, they create new and complex methods to circumvent detection. For example, during the pandemic, banks and other online businesses are seeing a significant increase in spear phishing, cross-site scripting, and man-in-the-middle attacks. Tack on impersonation scams, scary intrusions like the SolarWinds hack that has left government and commercial organizations scrambling, and incessant bot attacks, and it’s clear the velocity and diversity of attacks add a whole new level of complexity…and the dollars start adding up quickly! Not only do these attacks result in higher costs for financial organisations, but they also create significant brand blowback. Online businesses, especially banks, need to rethink their identity verification protocols, settling on digital identity solutions that balance identity, context, and behavior. Context is a key element to ensure a balanced approach and mitigate overreactions, because with fraud currently surging, there is a danger that financial institutions over-correct and prevent customers from completing legitimate transactions. Organisations need to resist the urge to implement stringent measures or checks; instead, they need to be smarter in rooting out fraudulent purchases in the first place.
Harmonizing Identity…the only real verification
Effective identity verification starts with harmonizing all of a customer’s disparate digital personas into one digital identity. Every customer has multiple digital personas with which they transact in the online world. For example, assuming email as the common credential denominator (along with an appropriate password), a customer may use Gmail to access Lloyds Bank, Yahoo for a Gumtree ad, and Hotmail to place a Tesco grocery order. While these are all different digital personas, they represent the same customer. Understanding the collective personas and associating them with one harmonized identity provides the necessary confidence as to the integrity of the identity. Next, understanding the context derived from prior transaction history, device information, location, and intent data like searches and outcome data allows organizations to add a predictive element to the analysis. Together, these factors help build confidence that the customer is legitimate and, equally importantly, help decide whether to trust the customer within the context of the transaction.
The Time Space Continuum
Context can help interpret behavior that would otherwise be immediately flagged for fraud. Consider a customer who has just purchased a jacket at John Lewis using a London IP address and then immediately purchases a package tour from an IP in Reykjavik. Relying solely on the IP signals would flag the second transaction as likely fraud. However, if the person routinely uses a VPN while making transactions and the Reykjavik IP is a known transactional attribute, then the time-distance conundrum is nonexistent because the 1173-mile journey is just a quick digital hop…it’s likely legitimate and hasn’t broken the laws of physics. If it’s also determined that the customer has been searching for Iceland trips and subsequently books a flight, the tour purchase becomes even more credible, because every transaction that uses those elements is mapped to that digital identity and strengthens the association between that specific transactional element and the identity’s behavior.
While one imaginary purchase is certainly not the whole picture, financial institutions need to make these decisions around fraud in an instant. Without the proper contextual information, banks and other organisations can easily flag a genuine purchase as fraudulent and, in so doing, aggravate the customer and, because of transaction abandonment, hand market share to their competitor. The only solution that fits the bill is to harmonize digital identities. Armed with a verified identity, deterministic facts (the customer is in London) and probabilistic measures (the customer is planning on visiting Iceland), the transaction assessment will be accurate and eliminate friction.
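The London-to-Reykjavik scenario above as an added example (not from the original article or any vendor's product): an impossible-travel rule over IP geolocation that is relaxed when the second IP is already a known attribute of the harmonized identity, with intent data as supporting context. The class and function names, the 600 mph threshold, the city coordinates, and the documentation-range IPs are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # assumed threshold, roughly airliner cruise speed

@dataclass
class Event:
    ts: float   # epoch seconds
    ip: str
    lat: float  # geolocation of the IP, in degrees
    lon: float

@dataclass
class Identity:
    known_ips: set = field(default_factory=set)       # IPs already mapped to this identity
    intent_regions: set = field(default_factory=set)  # regions seen in consented intent data

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def assess(identity, prev, cur, region=None):
    """Return (decision, reasons) for `cur`, given the identity's previous event."""
    miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
    mph = miles / (max(cur.ts - prev.ts, 1.0) / 3600.0)  # floor at 1 s, no divide-by-zero
    if mph <= MAX_PLAUSIBLE_MPH:
        return "allow", ["travel speed plausible"]
    reasons = [f"implied speed {mph:.0f} mph over {miles:.0f} miles"]
    if cur.ip in identity.known_ips:
        # Deterministic context: the IP is an established attribute (e.g. a VPN exit).
        reasons.append("IP is a known attribute of this identity")
        if region in identity.intent_regions:
            # Probabilistic context: recent intent data points at the same region.
            reasons.append(f"intent data matches {region}")
        return "allow", reasons
    return "step_up", reasons

# Constructed sample data: documentation-range IPs, city-centre coordinates.
LONDON = Event(ts=0, ip="192.0.2.10", lat=51.5074, lon=-0.1278)
REYKJAVIK = Event(ts=120, ip="203.0.113.7", lat=64.1466, lon=-21.9426)
vpn_user = Identity(known_ips={"192.0.2.10", "203.0.113.7"}, intent_regions={"IS"})
new_user = Identity(known_ips={"192.0.2.10"})

if __name__ == "__main__":
    for who in (vpn_user, new_user):
        print(assess(who, LONDON, REYKJAVIK, region="IS"))
```

The same two transactions are allowed for the identity that already carries the Reykjavik IP and stepped up for the identity that has never used it.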
Use digital identities that are:
- built on global consortiums that provide a global view of a customer
- harmonized to ensure no single digital persona is compromised or acting anomalously
- able to provide both deterministic and probabilistic insights
- and most importantly, built on consented and permissioned data
COVID-19 and the subsequent increased use of digital banking products have opened the door to fraud. While fraudsters try to take advantage of the current situation, financial institutions can ruin their schemes by ensuring that they work with the best data partners in order to provide the context needed to verify transactions and reduce friction.
About the Author
Chief Operating Officer