Bank fraud is on the rise. In fact, according to a recent KPMG survey of 43 major banks around the world,1 it’s not just the number of fraud cases that is going up; so, too, is the value of fraud overall.
In large part, this increase in fraud is the result of identity theft scams. Indeed, rather than attempting some sort of high-stakes virtual bank heist for all the gold in the vault, most online thieves seem content simply stealing money from every-day customer’s accounts when they aren’t looking. And, to do that, they employ a wide range of social engineering scams, from phishing and spear phishing emails through to pretexting and baiting scams.
In response, most banks have doubled-down on security, stepping up their controls in an effort to improve their customer authentication processes. Two-factor authentication (2FA) and multi-factor authentication technologies have been deployed.
Real-time fraud prevention and detection tools are being adopted. New limits and step up authentication protocols for higher risk transactions have been implemented.
The problem is that — in an era increasingly characterised by competition around customer convenience and experience — adding more layers of security only introduces more friction into the customer journey. And experience suggests that, while bank customers want to be confident their money is being held securely, they do not seem to want to invest a lot of time or effort into jumping through hoops to authenticate themselves.
Imagine a world where users are only peripherally involved in the customer authentication process: no sign-ins; no passwords; no text verification codes — customers simply open the app or login to the website and conduct their daily banking.
Yet, in the background, complex algorithms are working away, continuously ensuring that the person using the device is who they claim to be.
The algorithms check keystroke patterns on keyboards and examine the way the user swipes their screen when using apps. It measures the pace at which the user is walking, the height at which they are holding their phone, the rate at which they speak. It looks at the last few places the user has been and where they are right now. It conjures up dozens of other data points about the device user and decides if anything is out of the ordinary.
If a number of data points seem fishy compared to ‘normal’, the algorithm steps up the authentication process. Perhaps the user is asked to take a selfie to allow the facial recognition software to verify their identity. Maybe they are asked to provide their thumbprint. And two-factor authentication could always be used at this point to add an extra layer of security.
In this world, the user experience is frictionless and fluid. Security and confidence in customer authentication is high and continuous. Incidence of fraud and theft are reduced. And resources are used more efficiently (just think of how many work hours could be saved just by eliminating password resets).
Fintechs and challenger banks recognise there is no use replicating the traditional authentication processes they are about to make obsolete.
Our work and our research suggest that some financial institutions and tech firms are already well on their way towards stitching together the technologies and tools required to make this type of intelligent authentication a reality.
Absent legacy authentication technologies or processes, many fintechs and so-called challenger banks are taking the opportunity to embed intelligent authentication into their operating models from the start. It’s not just that intelligent authentication is generally cheaper, more user friendly and more secure than traditional approaches; it’s also that it is clearly the direction that technology and customer demand is going. Fintechs and challenger banks recognise there is no use replicating the traditional authentication processes they are about to make obsolete.
Not to be left behind, many traditional banks are now starting to invest. In fact, two thirds of the respondents to our survey of banking leaders reported that their organisation is already investing into physical biometrics technologies such as voice, fingerprint and facial recognition. More interesting still, a third say they are already investing into more sophisticated behavioral biometrics as well.
While cool new gadgets and tech will certainly play a role in enabling a more intelligent approach to authentication, our experience implementing leadingedge systems at fintechs and traditional banks suggests there are five key elements to developing a strong and customer-friendly approach to intelligent authentication.
Based on existing regulations and recognising that most intelligent authentication processes do not collect personally identifiable information, many suggest that privacy is of little concern here.
Given the direction technology innovation is taking towards smarter, more adaptive and more user-friendly experiences — it seems clear that customers will soon come to expect more intelligent forms of authentication from their banks. Those that move quickly will be able to turn their leadership into a security and innovation advantage. Those that wait will only be playing catchup within the next few years.