More than a quarter of all malicious cyber attacks are directed at banks and financial organisations. The industry is under constant attack, and the barrage is showing no sign of easing off.
Along with efforts to protect itself from increasingly prolific bad actors, the financial services industry is just that – a service industry. More so than most, it is starting to feel the squeeze when it comes to exceeding customer expectations for faster, simpler and more secure digital services.
Today, clients expect to arrange a car loan through their phone, download bank statements on the web and complete their daily banking transactions fuss-free. With expanding digital opportunities comes the need for greater digital precautions, and this obstacle is anticipated to become more pronounced as the industry edges closer to realising Web 3.0.
Matthew Moynahan, president and CEO of digital agreements security company OneSpan, explains: “Financial organisations need to rethink their prevention strategies to safeguard customers without burdening them with more security.” The parameters are changing and security will need to be all-encompassing in digital environments. “Security has traditionally focused on protecting the company’s laptops, networks or payload. But now we have to look at the customer as the enterprise attack surface and how we protect every step of that customer journey,” he says.
Moynahan predicts that banks will soon be dealing with millions more consumers through digital services. However, the pandemic has given rise to a new breed of customer that is reluctant to access financial services on-premise, instead opting for digital access. “We are seeing lots of trends and factors come together to drive digital service consumption – Covid-19, increased automation, a desire to cut costs, and a mass movement online. That massively increases your digital attack surface,” he says.
As expectations change, financial organisations need to be actively developing authentication and identity verification systems that provide appropriate regulatory compliance and security at every stage of the customer journey. This means assuring the identity of non-customers making contact for the first time, right through to the point of closing an account. Each user should know that their associated data and transactions are secured appropriately. “The market is moving towards continuous identity verification and authentication. It’s not good enough to prove once that the customer is who she says she is. Just because the customer is verified once doesn’t mean it’s necessarily them the next time given the prevalence of identity and credential theft.”
As digital and virtual experiences take over, validation technologies need to evolve. “We need to validate the customer, and the customer needs to validate us because there are so many spoof and fake services around, and we can all see the impact that has,” Moynahan says. He cites the example of the recruitment industry, which faces an increasing threat from false candidates applying for remote roles through a digital side door.
Similarly, if someone applies to extend their mortgage and speaks to an advisor virtually, how can both parties be sure they’re speaking with the right person?
While post-Covid consumers might prefer digital to in-person experiences, the nature of service industries dictates that when things go wrong, customers still expect a person to be available on demand. For businesses selling high-value products like mortgages or cars, the assumption is that customer satisfaction will be embedded in the process. Finding ways to add a human into the loop, securely but virtually, is essential to meeting customer demands when problems strike.
“I believe we’re going to see this notion of integrating security throughout all stages using digital ID verification and authentication, not only in the physical and digital worlds but potentially also in the metaverse,” says Moynahan. “Introducing people into virtual encounters is perhaps one of the biggest challenges around authentication when no one looks the same.”
These security checks must be carefully designed to create a seamless user experience, while also meeting regulatory and compliance requirements. “We’ve all had that experience of logging into one system to make a transaction, then when you have to log in again or provide another set of identity data, we drop off the transaction because it’s too much hassle,” says Moynahan.
Ultimately, delivering the coherent, personalised user experiences that Web 3.0 enables will take industry-wide collaboration involving financial organisations and governments. “Historically, companies have competed for profit and revenue, but I hope we will see significantly more cooperation in future between entities,” says Moynahan. With digital wallets, payments and identity, there is greater opportunity for sharing across a broad set of initiatives in financial services. In turn, user experience can be optimised. Banks are also in a position to profit from integrating customer journeys across platforms, but this will take a level of cooperation that has yet to be seen.
By adopting user-centric authentication and e-signature technologies, banks have the potential to transform the user experience. Today, when a customer makes a transaction with their bank, their identity is attached to that specific bank. If the customer then wants to make another transaction with a separate institution, there are new hurdles to overcome to prove their identity again.
Moynahan believes that, with the right cooperation, banking could become an almost invisible fabric over which multiple services run, using a single, continuously authenticated identity. “Just because my mortgage is with Bank of America and my checking account is somewhere else, why can’t I have a single great experience across financial services?” he says. “I think the banks should leverage their trust and act as a fabric for the user experience and the identity of the end user rather than existing as islands.”
This more connected banking ecosystem is poised to go beyond delivering enhanced user experiences. Banks would also benefit because this type of authentication makes compliance more achievable and has the potential to reduce operating costs.
As financial organisations turn their attention from internal threats to protecting and authenticating digital services for customers, approaches to technology are in need of appraisal. Customers have become the attack surface in this Web 3.0 world, where previously employees posed the greatest enterprise risk. Delivering truly compelling user experiences without sacrificing security is the seminal challenge in our new world.
For more information, visit onespan.com