Balancing a customer’s online banking authentication process with a user’s channel experience is no simple equation for financial institutions. In other words, banking security that is too tight may lead a consumer to say, “Forget this,” and the resulting channel abandonment could cost banks money.
That concern was at the heart of a recent conversation Bank Innovation had with Ben Knieff, director of fraud product marketing at NICE Actimize, a provider of financial crime, risk and compliance solutions.
“Every time you push the authentication to the user, there’s some level of inconvenience,” Knieff tells Bank Innovation.
If that inconvenience is particularly high, the ensuing headache may drive a customer to abandon the channel for a more costly one, like a bank’s call center. “If the bar is set too high for legitimate users, it might keep the fraudsters out, but it might drive [legitimate] consumers to the IVR,” says Knieff. “Process and controls must be agile and adaptable.”
Ultimately, what security levels a bank puts in play should depend on the customer’s risk level. “Not all retail [or commercial] clients should be authenticated in the same way,” Knieff says.
Banks’ security fears aren’t just disturbing certain customer experiences; they are also discouraging some banks from offering customers deeper mobile banking functionality.
“Most institutions manage the risk by reducing the functionality available on the device,” he says. As an example of this functional inefficiency, he points out that most banks allow customers to pay bills from their mobile devices, but first require them to enroll in the service through an online banking session.
“Reduced [mobile] functionality is probably not something institutions will get away with for long,” Knieff says. “Customers will demand it.”
Still, in the face of ever-increasing threats, tighter — and more fluid — security practices are of utmost importance.
When addressing the recent guidance from the Federal Financial Institutions Examination Council (FFIEC), which supplements the 2005 Internet Banking Environment Guidance, Knieff recommends institutions take a stronger security stance than the document outlines. Why? The guidance loses force when it details authentication alternatives that, in his company’s experience, fail to fend off some of the sophisticated fraud the industry has seen in the past nine to 18 months. In conversations with FIs, Knieff identifies the “most insidious” attack as Trojan malware like Zeus, which allows fraudsters to capture keystrokes and user names within banking sessions and to modify the transaction the customer is entering.
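Two points in this piece lend themselves to a concrete illustration: Knieff’s view that authentication strength should follow the customer’s risk level rather than being uniform, and his observation that Trojans like Zeus alter a transaction after the customer enters it. The following is an added example, not code from Bank Innovation or NICE Actimize. It scores a transfer request from a handful of session signals, picks an authentication level from that score, and shows why the strongest level has to confirm the exact payee and amount over a second channel. The signal names, weights, thresholds and the retail/commercial split are assumptions chosen for illustration.

```python
"""Risk-based step-up authentication with out-of-band transaction confirmation.

Added illustration with constructed data. Signals, weights and thresholds are
assumptions, not a description of any vendor's product or of the FFIEC guidance.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    PASSWORD_ONLY = 0   # low risk: no extra friction for the customer
    OTP = 1             # medium risk: one-time code to the enrolled device
    OOB_CONFIRM = 2     # high risk: customer confirms payee and amount out of band


@dataclass
class CustomerProfile:
    customer_id: str
    segment: str                     # "retail" or "commercial" (assumed labels)
    known_device_ids: set
    usual_countries: set
    typical_transfer_ceiling: float  # largest routine transfer seen for this customer


@dataclass
class TransferRequest:
    device_id: str
    country: str
    amount: float
    payee_is_new: bool
    transfers_last_hour: int


def risk_score(profile, req):
    """Sum weighted signals and return (score, reasons) so the decision is explainable."""
    score = 0
    reasons = []
    if req.device_id not in profile.known_device_ids:
        score += 30
        reasons.append("unrecognised device")
    if req.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    if req.amount > profile.typical_transfer_ceiling:
        score += 30
        reasons.append("amount above customer's norm")
    if req.payee_is_new:
        score += 20
        reasons.append("new payee")
    if req.transfers_last_hour >= 3:
        score += 15
        reasons.append("high transfer velocity")
    return score, reasons


def required_auth_level(profile, req):
    """Map the score to an authentication level; commercial clients step up sooner (assumed policy)."""
    score, reasons = risk_score(profile, req)
    low, high = (20, 45) if profile.segment == "commercial" else (35, 60)
    if score >= high:
        return AuthLevel.OOB_CONFIRM, score, reasons
    if score >= low:
        return AuthLevel.OTP, score, reasons
    return AuthLevel.PASSWORD_ONLY, score, reasons


def oob_confirmation_matches(to_execute, customer_confirmed):
    """The details the customer confirmed over the second channel must equal what the
    bank is about to execute. A man-in-the-browser that rewrote payee or amount after
    entry produces a mismatch, and the transfer is held rather than released."""
    return (to_execute["payee"] == customer_confirmed["payee"]
            and to_execute["amount"] == customer_confirmed["amount"])


if __name__ == "__main__":
    # Constructed sample customer and requests.
    retail = CustomerProfile("cust-001", "retail", {"dev-A"}, {"US"}, 500.0)
    routine = TransferRequest("dev-A", "US", 120.0, False, 0)
    suspicious = TransferRequest("dev-B", "RO", 2500.0, True, 1)
    for req in (routine, suspicious):
        level, score, why = required_auth_level(retail, req)
        print(f"{level.name:14} score={score:3} reasons={why}")
    # The customer confirmed 2500.00 to "ACME Ltd", but the browser session now says otherwise.
    print(oob_confirmation_matches({"payee": "MULE", "amount": 2500.0},
                                   {"payee": "ACME Ltd", "amount": 2500.0}))
```

The score thresholds are where the trade-off Knieff describes lives: raise them and fewer legitimate customers see a second factor but more fraud slips through; lower them and abandonment to the call centre rises. The out-of-band check is the part the risk score cannot replace, because a compromised browser session can look entirely normal while the payee has been swapped.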
Why the guidance is not sufficient has a lot to do with timing.
“A lot of details that the guidance provides are out of date,” Knieff says.
The guidance is behind the times for an obvious reason: Fraudsters easily outrun the government in changing tactics, as they have no red tape hurdles. “It takes so long for regulators to put guidance together,” he says.
That’s why Knieff is encouraging FIs to embrace the spirit of the guidance and do better than it.
“The spirit is strong,” says Knieff.