Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.
Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.
For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.
“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.
“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”
Identity verification process issues
The study found that only up to 16 percent of U.S. and Canadian banks employ the type of fully integrated, real-time digital capture and validation tools required for consumers to securely open a financial account online.
Even when digital methods are used to verify identity, the experience still raises barriers with customers expected to use email or visit an “identity portal” to verify their identities.
Creating a frictionless process is key to meeting consumers current expectation. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process due to an inconsistent identity verification process.
Lack of automation is a problem for banks too
The lack of automation when verifying customers’ identity isn’t just a pain point for customers – 53 percent of banks reported it problematic for them too.
Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner and this is harder to achieve for institutions relying on inconsistent manual resources.
Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.
By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.
A large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online, FICO reveals.
As consumers reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.
Do you use a password manager?
The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two to five passwords they reuse across accounts; and 4 percent use a single password across all accounts.
Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager which many consider best practice; 30 percent are using high risk strategies such as writing their passwords down in a notebook. If you’re a security leader and your organization is still not using a password manager, find out how to evaluate a password management solution for business purposes.
“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO.
“Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”
A forgotten password can affect online purchases
The study shows that consumers struggle with maintaining their current passwords as 28 percent reported abandoning an online purchase because they forgot login information, and 26 percent reported being unable to check an account balance.
Forgotten usernames and passwords even affect new account openings, 13 percent said that it has stopped them from opening a new account with an existing provider.
This is a notable trend as consumers are more willing than ever to do business digitally. The study found that the majority of respondents would open a checking (52 percent) or mobile phone (64 percent) account online, while an overwhelming majority of respondents (82 percent) said they would open a credit card account online.
Consumers trusting physical and behavioral biometrics
However, while there is significant room to improve how consumers protect their login credentials, the survey also found that Americans are becoming more trusting of using physical and behavioral biometrics to secure their financial accounts.
The survey found that 78 percent of respondents said they would be happy for their bank to analyze behavioral biometrics – such as how you type – for security and 65 percent are happy to provide biometrics to their bank; while 60 percent are open to using fingerprint scans to secure their accounts.
Additionally, when logging into their mobile banking apps, respondents are now considering alternative security measures beyond the traditional username and password. The five most widely used security alternatives are:
- One-time passcode via SMS (53 percent)
- One-time passcode via email (43 percent)
- Fingerprint scan (39 percent)
- Facial Scan (24 percent)
- One-time passcode delivered and spoken to mobile phone (23 percent)
“Digital services are currently playing a critical role in daily life. It is a good time to evaluate how we protect ourselves and our information online,” said Lasher.
“Customers have been happy to adopt security such as one-time passcodes, and are now showing that they are willing to adopt additional options, such as biometrics, to protect their accounts.
“There are no magic bullets and the ability to layer and deploy multiple authentication methods appropriate to each occasion is key. Financial services organizations and consumers need to continue to keep security best practices top of mind to help combat fraudsters now and in the future.”
The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks.
FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase.
Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent saying they expect a moderate rise in fraud.
“While the convenience of real-time payments is great news for customers, increasingly, banks have zero time to clear a transaction or payment. AI can’t slow down the clock, but it can help create systems that are radically quicker to recognize a transaction that smells likely to be fraudulent,” said Dan McConaghy, president of FICO in Asia Pacific.
“Banks will need to move beyond passwords and OTPs and add biometrics, device telemetry and customer behavior analytics to keep up with the changing payments landscape.”
Authentication and identity tech
When asked which identity and authentication strategies they used, the majority of APAC banks have a strategy of multi-factor authentication (84 percent). They increasingly use a wide range of authentication methods including: biometrics (64 percent), normal passwords (62 percent) and in last place behavioral authentication (38 percent).
Interestingly, nearly half of the respondents (46 percent) are currently only using 1 or 2 of these strategies, potentially leaving them more exposed to attack vectors such as identity theft, account takeovers, cyberattacks.
“Why try to crack a safe when you can walk in the front door?” explained McConaghy.
“Criminals are trying to fool banks into thinking they are new customers or stealing account access by tricking people into making security mistakes or giving away sensitive information. When they are successful, criminals are making use of real-time payments to move funds quickly through a maze of global accounts.”
The survey bore this out with 40 percent of banks naming social engineering as the number one fraud concern when it comes to real-time payments. Account takeovers were ranked second, with false accounts and money mules also rated as problems.
New forms of biometric, multi-factor and behavioral technologies allow banks to stop payments being made, even if an account appears to be using the correct but stolen password or entering the right, but intercepted, one-time-password.
“Beyond this type of account take over, we also have authorized push payment fraud, such as when a customer is tricked into paying what they think is a legitimate invoice like a fake school bill or payment to a tradesperson,” said McConaghy.
“This type of social engineering is harder to stop but better KYC, link analysis to find money mule accounts and behavioral analytics to flag new accounts for a regular payee, are all examples of how to tackle it.”
Mitigating criminal behavior
Further to stopping fraud in real-time payment platforms, crimes such as drug trafficking, human smuggling, tax evasion and terrorism finance are also attracted to the irrevocable nature of instant payments.
The lack of visibility between jurisdictions has seen regulators encouraging banks to move quickly in this cross-border payments space to ensure payments are compliant and secure.
In terms of mitigating this criminal behavior, more than 90 percent of APAC banks surveyed thought that convergence between their fraud and compliance functions would be helpful in defending transactions on real-time payments platforms.
“We estimate that there is about an 80 percent overlap in software functionality between legacy fraud and anti-money laundering systems,” added McConaghy.
“To tackle fraud and money laundering schemes that exploit real-time money movement you need to leverage all the available technologies, automate as much as you can and introduce models that can identify outlier transactions and customer behavior so your teams can spend their time investigating the riskiest of the red flags.”