Bank fraud is on the rise. In fact, according to a recent KPMG survey of 43 major banks around the world, it’s not just the number of fraud cases that is going up; so, too, is the value of fraud overall.
In large part, this increase in fraud is the result of identity theft scams. Indeed, rather than attempting some sort of high-stakes virtual bank heist for all the gold in the vault, most online thieves seem content simply stealing money from every-day customer’s accounts when they aren’t looking. To do that, they employ a wide range of social engineering scams, from phishing and spear phishing emails through to pretexting and baiting scams. In response, most banks have doubled-down on security, stepping up their controls in an effort to improve their customer authentication processes. Two-factor authentication (2FA) and multi-factor authentication technologies have been deployed. Real-time fraud prevention and detection tools are being adopted. New limits and step up authentication protocols for higher risk transactions have been implemented.
The problem is that — in an era increasingly characterized by competition around customer convenience and experience — adding more layers of security only introduces more friction into the customer journey. And experience suggests that, while bank customers want to be confident their money is being held securely, they do not seem to want to invest a lot of time or effort into jumping through hoops to authenticate themselves.
A better way
Imagine a world where users are only peripherally involved in the customer authentication process: no sign-ins; no passwords; no text verification codes — customers simply open the app or login to the website and conduct their daily banking.
Yet, in the background, complex algorithms are working away, continuously ensuring that the person using the device is who they claim to be.
The algorithms check keystroke patterns on keyboards and examine the way the user swipes their screen when using apps. It measures the pace at which the user is walking, the height at which they are holding their phone, the rate at which they speak. It looks at the last few places the user has been and where they are right now. It conjures up dozens of other data points about the device user and decides if anything is out of the ordinary.
If a number of data points seem fishy compared to ‘normal’, the algorithm steps up the authentication process. Perhaps the user is asked to take a selfie to allow the facial recognition software to verify their identity. Maybe they are asked to provide their thumbprint. And two-factor authentication could always be used at this point to add an extra layer of security.
In this world, the user experience is frictionless and fluid. Security and confidence in customer authentication is high and continuous. Incidence of fraud and theft are reduced. And resources are used more efficiently (think of how many work hours could be saved just by eliminating password resets).
Competition heats up
Our work and research suggest that some financial institutions and tech firms are already well on their way towards stitching together the technologies and tools required to make this type of intelligent authentication a reality.
Absent legacy authentication technologies or processes, many fintechs and so-called challenger banks are taking Fintechs and challenger banks recognize there is no use replicating the traditional authentication processes they are about to make obsolete the opportunity to embed intelligent authentication into their operating models from the start. It’s not just that intelligent authentication is generally cheaper, more user friendly and more secure than traditional approaches; it’s also that it is clearly the direction that technology and customer demand is going. Fintechs and challenger banks recognize there is no use replicating the traditional authentication processes they are about to make obsolete.
Not to be left behind, many traditional banks are now starting to invest. In fact, two thirds of the respondents to our survey of banking leaders reported that their organization is already investing into physical biometrics technologies such as voice, fingerprint and facial recognition. More interesting still, a third say they are already investing into more sophisticated behavioral biometrics as well.
© 2021 R.G. Manabat & Co., a Philippine partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.