4 Scenarios to enhance your BFSI Customer Experience + gain Security!


What ticked me off enough to write this article is our recent engagement with an EMEA bank that was bragging about its digital channel capabilities. But when we evaluated its overall capabilities and maturity, we uncovered huge pitfalls in its security measures!

We have all recently witnessed a massive push by banks towards digitization in general, and towards providing customers with seamless, immersive journeys, known today as customer experience (CX). But most technical and business professionals have assumed that they can compromise security to gain customer experience and smooth the customer journey.

 


It’s critical to understand that while we talk about the customer journey, the bank’s compliance and security form another journey that runs in parallel with the CX journey. Therefore, the compliance and security teams should architect a list of scenarios covering the potential risk of each and every possible transaction.

For example, banks can ease some of their main transactions so that customers can perform basic operations with almost no friction, as long as these do not carry a massive financial risk to the bank. On the other hand, such banks should increase their security by architecting a complete, smooth, auditable trail for their customers’ transactions. Such transactions should have the full capability to validate both known customers and potential customers. Here are some scenarios that most bankers need to consider when architecting their customers’ journey:

Scenario 1: Customer onboarding should have two journeys: the customer journey, and the security and compliance journey. Those two journeys should run in parallel, never one without the other. This is a great opportunity to meet and get to know your customers, so why would you want to short-change such an opportunity?


I believe this is a great opportunity to capture the identity of your unknown customers, and re-validate the identity of your known customers as well.

So, in this scenario the bank can collect the customer’s ID, biometrics, device information and signature. Ultimately, this information should be saved in a CRM such as MS Dynamics or Salesforce, or a CMS such as Laserfiche or MS SharePoint.

Scenario 2: When customers opt to send large amounts via wire transfer, this is another great opportunity for the bank to protect itself again from many possible vulnerabilities, especially for customers whose system or mobile device has been compromised. In this case the bank can ask the user to re-validate their biometrics, such as a 3D facial recognition scan or live scan, and compare the resulting facial features against the client’s saved ID photo.

 


 

Some might argue that SMS messaging is safe enough. Well, it all depends on whether or not the mobile device was compromised or injected with malware. Additionally, in some cases, if the client is connected to an open WiFi network, they can be vulnerable to a man-in-the-middle (MitM) attack. So, when you add such biometrics and compare them against your client’s ID photo, you are protecting both the client and the bank at the same time. This way, you are not compromising the customer’s overall journey, but protecting their belongings. Moreover, some clients might be travelling, and their SMS is not available due to their roaming data packages.

Scenario 3: Account takeover is a known term for when a hacker takes over an account and breaches its information. In this case, your system should be able to freeze the account and hold it in that state until the client reinstates themselves. But to make this journey seamless for your clients, you will need a state-of-the-art system (you can contact us for advice). In this case, you can send your customer a link to re-validate their identity.

 


Such a system will need to be capable of getting the following information about the customer: who, when, where, and what he or she is doing. For example, it’s essential to have the ability to geolocate the customer, to identify user behavior via machine learning and predictive analytics, and to establish what they are trying to do and the full identity of the customer. In such a case, the system should be able to take control of the account and prevent the hacker from taking it over.

Scenario 4: It’s critical to have a smooth customer journey when it comes to reinstating or reactivating the customer’s account. This scenario applies to both dormant and hacked accounts. Therefore, such a scenario should include biometric validation, such as facial recognition, comparing those features with the client’s ID, along with their behavior and location, coupled with an SMS or a push notification, such as Firebase messaging.
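The decision flow that Scenarios 2 to 4 describe can be written as a small policy function, shown here as an added example that is not part of the original article or of any vendor product. The thresholds, the signal names and the behaviour score are assumptions; the face match and push confirmation results are taken as inputs from whatever verification service the bank uses.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

LARGE_WIRE = 10_000     # assumed step-up threshold, in account currency
TAKEOVER_SCORE = 0.8    # assumed behaviour-anomaly cut-off (0 normal .. 1 anomalous)

class Action(Enum):
    ALLOW = "allow"        # low-risk transaction, no added friction
    STEP_UP = "step_up"    # live face scan compared with the stored ID photo
    FREEZE = "freeze"      # hold the account until identity is re-validated

@dataclass
class Signals:
    known_device: bool     # device recorded at onboarding (Scenario 1)
    usual_location: bool   # geolocation consistent with the customer's history
    behavior_score: float  # output of a behavioural model, assumed to exist

@dataclass
class Account:
    frozen: bool = False
    audit: list = field(default_factory=list)  # append-only decision trail

def _log(account, event, outcome):
    stamp = datetime.now(timezone.utc).isoformat()
    account.audit.append((stamp, event, outcome))

def decide(account, kind, amount, s):
    """Return the Action for one transaction and record it in the audit trail."""
    if account.frozen:
        action = Action.FREEZE                        # stays frozen until reinstated
    elif s.behavior_score >= TAKEOVER_SCORE and not s.known_device:
        account.frozen, action = True, Action.FREEZE  # Scenario 3: suspected takeover
    elif (kind == "wire" and amount >= LARGE_WIRE) or not s.usual_location:
        action = Action.STEP_UP                       # Scenario 2: re-validate biometrics
    else:
        action = Action.ALLOW
    _log(account, f"{kind}:{amount}", action.value)
    return action

def reinstate(account, face_match, push_confirmed, s):
    """Scenario 4: unfreeze only when every re-validation signal agrees."""
    ok = (face_match and push_confirmed and s.usual_location
          and s.behavior_score < TAKEOVER_SCORE)
    if ok:
        account.frozen = False
    _log(account, "reinstate", "ok" if ok else "denied")
    return ok
```

Every decision, including denied reinstatement attempts, lands in the same audit list, which is the auditable trail the article asks for alongside the customer journey.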

 


 

 

Conclusion:

I believe it’s critical to have a full, cohesive solution to validate the customer’s identity, yet such a solution shouldn’t compromise the client’s overall journey and experience. For example, this solution should be fast to market, future-proof for upgrades, intelligent, secure, yet flexible, simple and easy to integrate with the firm’s solution.

 


 

Digital Analytica Inc. is a business partner with OneSpan Inc.

By: Nasser Zagha
