Holding customers accountable for authentication

As banks and other financial institutions look for improved ways to authenticate transfers and transactions, can they ever shift the onus of fraud risk to customers or should the focus switch to education?


In a world where transaction fraud and online scams are more sophisticated than ever, banks and financial institutions face hefty bills for losses when customers fall prey to criminals. 

Due to a mix of legal obligations and voluntary codes, stolen money is usually refunded in full, but with such crimes on the rise, is this sustainable? 

New, more secure authentication solutions to prevent fraud and theft in the first place are now coming online, but if the human factor can’t be planned for, could we ever see customers bearing more of the risk profile?

Faced with everything from traditional passwords, two-factor authentication and one-time password codes sent by text, to the likes of voice recognition, face recognition and fingerprint scanning, it’s easy to see why people get confused or become frightened about using authentication. 

Such wide-ranging techniques are one reason why Nick Maynard, lead analyst at Juniper Research, doesn’t think a shift in onus is likely. “We believe it is unlikely banks will be able to discriminate against customers who do not use certain technologies, given regulatory constraints. 

“Banks will continue to introduce authentication technologies and encourage their use, but directly passing on risk concerns is unlikely to be something a regulator would consider permitting or the bank would want to do, given the negative reception such a move would generate.”

Andrew Shikiar, executive director at FIDO Alliance, a global consortium working on the creation of open standards for simpler, stronger user authentication, agrees. “The banking industry invests huge proportions of its IT budgets to protect its customers. Unfortunately, bank and IT solutions are largely helpless on their own against one of the biggest threats that people face: social engineering. These attacks are often successful due to the fact that the point of failure is ultimately human,” he says.

“Introducing strong authentication without frustrating customers will prove to be a competitive advantage for the banks that get it right. It is a major selling point to any customer that cares about their money or is fed up with increasingly convoluted processes getting in their way of simply accessing financial services.”

Education is crucial to the future of authentication

Many experts advocate the need for far more education among consumers on all forms of authentication by the banks and financial institutions.

This could be especially important given that proposed future authentication approaches include more biometrics, document-centric identity proofing, government-issued IDs corroborated by a live selfie, automated risk-management tools, device authentication and geolocation.

Another advance could be continuous behavioural biometrics, as explained by Gus Tomlinson, general manager at identity management, location intelligence and fraud prevention company GBG. “This is all about how we type, how we hold our phones and even our speech patterns. This is the hardest thing for fraudsters to try and do, and will be the best customer experience for users without compromising their security at all,” she says. 

“In the event of suspicious activity, real-time alerts are sent to support the customer’s authentication process, eliminating the ability for fraudsters to hijack this process.” 

Craig McClure, director of relationship management for Chargebacks911 and Fi911, also believes education is critical. “Banks have a duty to look after their customers’ money. To get customers to move to new and more secure ways of paying requires patience, education and reassurance,” he says. “We can never expect customers to be responsible for fraud unless they have acted with gross negligence.”

One area where education is now vital is the growing use of multi-factor authentication. With passwords and text-message codes seen as weak links, banks and other financial institutions now require two or three factors of authentication for making transfers or payments.

Strong customer authentication is on the way

Indeed, this year sees the UK rollout of strong customer authentication (SCA), a requirement of the European Union's revised Payment Services Directive (PSD2), the same directive that underpins open banking. It is due to go fully live from September, enforced through the UK's Financial Conduct Authority, to ensure payment service providers, gateways, e-merchants and technology providers use more robust payment processing security.

Industry body UK Finance describes it as “a new set of rules that will change how you confirm your identity when making purchases online”.

Three independent categories of factor are defined, and at least two must be used, each drawn from a different category: something the user knows (passwords and security questions), something the user possesses (phone, token or card reader) and something unique to the user (biometrics).
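To make the "two factors from different categories" rule concrete, here is an added illustration that is not part of the original article or of any UK Finance or FCA material. It verifies a knowledge factor (a PBKDF2-hashed password or security answer) and a possession factor (an RFC 6238 TOTP code from a hardware or phone token), then applies the SCA rule. The customer record, salts, password and the `authenticate` helper are constructed for the example; the TOTP key is the RFC 4226/6238 test-vector key, so the codes it produces can be checked against those RFCs.

```python
import hashlib
import hmac
import struct

# SCA factor categories. A login satisfies SCA only when verified factors
# span two DIFFERENT categories: a password plus a security question is
# still a single (knowledge) factor.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP keyed on the current time window."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current window and +/- `skew` windows of clock drift."""
    ok = False
    for w in range(-skew, skew + 1):
        # Check every window so timing does not reveal which one matched.
        ok |= hmac.compare_digest(totp(secret, at + w * step, step), code)
    return ok


def hash_secret(salt: bytes, value: str) -> bytes:
    """Knowledge factors (passwords, security answers) are stored salted and stretched."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


def verify_knowledge(salt: bytes, stored: bytes, candidate: str) -> bool:
    return hmac.compare_digest(hash_secret(salt, candidate), stored)


# Constructed customer record (hypothetical values, not real credentials).
PW_SALT, SQ_SALT = b"pw-salt-demo", b"sq-salt-demo"
TOTP_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key
CUSTOMER = {
    "pw_hash": hash_secret(PW_SALT, "correct horse battery staple"),
    "sq_hash": hash_secret(SQ_SALT, "rover"),
    "totp_secret": TOTP_SECRET,
}


def authenticate(record: dict, presented: dict, now: int):
    """Verify each presented factor, then apply the two-distinct-categories rule.

    Returns (sca_satisfied, set_of_verified_categories).
    """
    verified = set()
    if "password" in presented and verify_knowledge(PW_SALT, record["pw_hash"], presented["password"]):
        verified.add(KNOWLEDGE)
    if "security_answer" in presented and verify_knowledge(SQ_SALT, record["sq_hash"], presented["security_answer"]):
        verified.add(KNOWLEDGE)  # same category as the password: adds no independence
    if "totp" in presented and verify_totp(record["totp_secret"], presented["totp"], now):
        verified.add(POSSESSION)
    # An inherence (biometric) check would be a third branch; it is omitted here.
    return len(verified) >= 2, verified


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the TOTP for this window is "287082"
    print(authenticate(CUSTOMER, {"password": "correct horse battery staple", "totp": "287082"}, now))
    print(authenticate(CUSTOMER, {"password": "correct horse battery staple", "security_answer": "rover"}, now))
```

Run as a script, the first call succeeds (knowledge plus possession) and the second fails even though both presented secrets are correct, because a password and a security question both fall into the knowledge category. SMS codes are deliberately not modelled, since the article goes on to note that their status as a possession factor is contested.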

But Daniel Cohen, chief product officer for anti-fraud at RSA Security, believes the UK faces a clash of regulations between the General Data Protection Regulation (GDPR) and PSD2. He explains: “The European Banking Authority won’t accept commonly used SMS as a ‘strong authentication’ factor, so banks must add a second layer of behavioural biometrics, for example voice, keystroke or signature dynamics. 

“Under GDPR, behavioural biometric data requires end-user consent. But what if consent is not provided? Banks cannot then authenticate the user in line with PSD2.” 

However, Niamh Muldoon, global data protection officer at OneLogin, argues SCA could be what marks the beginning of a shift in risk profile. “I believe SCA is a foundational step made by the financial and banking industry to transfer the responsibility and accountability of protecting their payment cards on to individuals,” she says. 

“With it, the industry has enabled individuals to make informed risk-based decisions. Now individuals need to stay conscious and aware, choosing to only use service providers that protect their finances and identity with strong authentication or multi-factor authentication.”