With the advancement of online and mobile channels, there is concern that private banks may fail to keep pace
Private Banks have a responsibility to protect the financial assets and information of customers who demand privacy and security, but they must also deliver a simple and easy user experience. User authentication lies at the core of this challenge.
A balancing act
Private banking clients tend to be reluctant to adopt digital banking channels, especially for high-risk transactions. A younger cohort, however, expects social, payments and banking platforms to be integrated, for speed and convenience. Banks are therefore under increasing pressure to streamline digital interactions while ensuring that their security measures do not expose customers to fraud.
In addition to maintaining the delicate balance between customer expectations and strong security measures, banks are grappling with the latest regulatory challenge in the form of PSD2. In Europe, the revised Payment Services Directive (PSD2) heralds an era of open banking which aims to promote competition and customer-centric innovation. Banks will be mandated to share the information they have become accustomed to hoarding; a new era of transparency and innovation is envisioned. Of course, with these changes come new hurdles, especially regarding security.
Open banking will require stronger user and transaction authentication. But the perceived friction inherent in two-factor authentication is a concern to private banking security groups, which are reluctant to institute additional steps to their user authentication process at risk of sacrificing usability.
Is technology the answer?
Biometrics is a leap forward in usability, but the approach is not, on its own, much more secure than the old-fashioned password. A biometrics-protected mobile app does not transmit the biometric record for server-side matching; it simply attests that the fingerprint or voice pattern has been matched on the device. The concern is that fraudsters can very easily attest the same thing – without matching anything at all.
Machine learning has advanced significantly and can now derive risk signals from user behaviour and the state of the devices used. This approach is attractive to banks because the data it requires for a risk assessment is collected without the user's direct involvement, which could allow customers to access at least some digital services with little or no friction.
There are, however, associated risks. A false positive could result in an account breach; a false negative in a declined transaction. Card issuers are suffering major losses as frustrated consumers turn to competing institutions' cards because of clumsy risk-based authentication.
Biometrics and transactional risk analysis can play valuable roles in a layered security approach, but step-up authentication must be in place to secure high-risk transactions. Not only is 2FA required; regulators are also endorsing methods that rely on fully out-of-band authentication.
The cryptographic capabilities and rich user interfaces of the mobile phone offer so much more in terms of both security and ease of use. Many financial institutions are now embracing the potential of this device as they respond to changes in consumer preferences, fraud vectors and regulations.
The United Kingdom's private banks are heading the global pack in adopting this approach to secure their mobile and online banking channels, having recognised that consumers demand hassle-free, on-the-go access. Coutts and Investec have led the charge by embracing the change required by PSD2, and have stayed ahead by harnessing the power of mobile and adapting their security approach. Entersekt has been crucial in helping these banks translate stringent regulations into a highly secure, seamless authentication experience.
For institutions contemplating the changes that lie ahead, selecting an authentication solution that combines the best security with low user friction will allow for the smoothest possible navigation. The answer lies in deploying digital certificate technology to the mobile phone for out-of-band, multi-factor authentication, encrypted communication and advanced app security. In short: a highly sophisticated solution that appears deceptively simple to the end-user.
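The contrast drawn above, between an app that merely reports "biometric matched" and an out-of-band approval signed with a key held on the phone, is sketched below as an added Go example; it is not Entersekt's code or protocol. The server stores the customer's enrolled public key directly where a certificate-based deployment would carry it in a certificate; the transaction, nonce and names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Transaction struct{ ID, Payee, Amount string } // what the customer approves out of band

// Weak model from the article: the app only asserts a match; any client can send the same boolean.
func weakServerAccepts(biometricMatched bool) bool { return biometricMatched }

// Server side of the hardened model: a fresh random nonce per transaction.
func issueChallenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // since Go 1.24 this never returns an error; older versions should check it
	return nonce
}

// digest binds the server's challenge to the exact transaction details.
func digest(nonce []byte, tx Transaction) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write([]byte(tx.ID + "|" + tx.Payee + "|" + tx.Amount))
	return h.Sum(nil)
}

// Device side: the biometric unlock only gates a private key that never leaves the phone.
func deviceApprove(key *ecdsa.PrivateKey, unlocked bool, nonce []byte, tx Transaction) ([]byte, error) {
	if !unlocked {
		return nil, fmt.Errorf("biometric unlock failed; signing key unavailable")
	}
	return ecdsa.SignASN1(rand.Reader, key, digest(nonce, tx))
}

// Server side: accept only a signature by the enrolled key over our nonce and the displayed transaction.
func serverVerify(enrolled *ecdsa.PublicKey, nonce []byte, tx Transaction, sig []byte) bool {
	return ecdsa.VerifyASN1(enrolled, digest(nonce, tx), sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: public key kept server-side
	tx := Transaction{"tx-1001", "ACME Ltd", "250.00"}
	nonce := issueChallenge()
	sig, _ := deviceApprove(key, true, nonce, tx)
	fmt.Println("genuine approval verifies:", serverVerify(&key.PublicKey, nonce, tx, sig))
}
```

A signature over one nonce and transaction verifies for nothing else, so an altered amount, a replay under a new nonce, or a signature from a key the bank never enrolled is rejected, whereas the weak server accepts the bare flag from anyone.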
By: Frans Labuschagne, country manager United Kingdom and Ireland, Entersekt