About Me

I am former editor of The Banker, a Financial Times publication. I joined the publication in August 2015 as transaction banking and technology editor, was promoted to deputy editor in September 2016 and then to managing editor in April 2019. The crowning glory was my appointment as editor in March 2021, the first female editor in the publication's history. Previously I was features editor at Profit&Loss, editorial director of Treasury Today and editor of gtnews.com. I also worked on Banking Technology, Computer Weekly and IBM Computer Today. I have a BSc from the University of Victoria, Canada.

Friday 24 July 2009

Who are you?

Features

ID management is about more than authentication and access control: it goes to the heart of what banks are and what services they offer, writes Joy Macknight. With anti-money laundering and Know Your Customer regulations and increasing competition, it is a central issue for the future.

Imagine waking up one morning to find that your identity has been taken over by someone who has destroyed your credit rating, damaged your personal credibility and taken control of what you need to continue with your normal everyday life. And the nightmare may not end when the perpetrator is apprehended. It is now common for identity theft to persist after the criminal has been caught — there have been cases in the US where fraudsters were able to continue to use identity details while in prison. In this respect, identity theft is comparable to a serious personal or physical attack with victims saying “I thought I would never get them out of my life”.

One aspect of identity management is reducing fraud losses and protecting banks’ customers. Peter Bove, sales director of fraud products, EMEA, Fair Isaac, says that fraud is a “time bomb waiting to happen” from a customer service perspective. He added that the banks have been slow to move on prevention measures because the financial losses from fraud have been relatively low and the return on investment isn’t there.

Yet identity theft is undercutting customers’ trust in banks because of its personal nature and growing prevalence. While the introduction of technologies like Chip and PIN is reducing credit/debit card fraud (down 24% in the UK according to payments association APACS), this has pushed the fraudsters online and they are becoming more creative in developing ways to obtain personal information. Common tactics include phishing, such as sending emails claiming to be from a bank asking for personal and security information, and Trojans, which are installed on a customer’s PC and record security and log-in details.

Compounding the problem, the big banks are sending out the wrong messages to their customers regarding online fraud, according to Paul Smith, programme manager at BT. “What the banks are finding is that customers have a reluctance to do business online because of the perceived risk of fraud. Obviously linked to that, Barclays has recently announced that you can’t transfer more than £1,000 out of your account online. So the major stakeholders have come out to say that the market at the moment isn’t secure online and because of that they are not getting the take-up on the online channels,” he says.

In the last few months, banks such as HSBC, Barclays, Lloyds TSB and Alliance & Leicester have been putting in place two-factor authentication security and are rolling out password tokens in order to prove their commitment to protecting their online customers against fraud. But tokens carry a high price tag. Paul Meadowcroft, head of transaction security, Thales e-Security, comments: “Rolling out a stronger authentication to your corporate clients where you might have up to 200,000 end users is one thing, but rolling out stronger authentication to your retail customers where you might have two million or more is an order of magnitude more complex and costly.” Most banks are still grappling with finding the right technology at the right price and the right ease of use for their customers.

Identity management is also about proving to the financial services regulators that the institution is complying with regulations, such as Know Your Customer and Anti-Money Laundering. The big challenge for financial institutions is creating an identity management system that can determine that someone is who they say they are and where they say they are.

Conrad Steinmann, vice president of global payments, Citigroup Global Transaction Services, considers identity verification a critical element of a remittance service. “In order to initiate a funds transfer transaction you need to know your customer and make sure that the purpose of the payment is a legitimate purpose, that there isn’t any money laundering. So there are a variety of controls and risk mitigants that banks have put in place for any sort of funds transfers. There are regulatory screenings, such as know your customer and due diligence on account opening, and ID verification is really another form of this process,” he says. “This is no different from what banks have been doing for many years.”

Citigroup offers a wholesale outsourcing service to other banks or remittance service providers. It includes a technology solution that captures the appropriate fields of identity information of the remitter for each country and then sends that information to an independent agent or third party for verification in compliance with the KYC and anti-money laundering regulations.

A number of security vendors, such as RSA, Norkom and Fair Isaac, create profiles of end-user behaviour as part of their identity management systems to dive deeper into KYC. To create a profile, the system monitors every customer interaction, then starts to build a picture of each customer’s normal pattern and uses that to detect when that customer goes out of that pattern. Having a greater understanding of who each customer is can benefit a financial institution by creating a better, more unified customer identity regardless of the channel by which they are communicating.

Andrew Moloney, senior product manager at RSA Consumer Solutions, points to an increasing level of cross-channel phishing, where the fraudsters exploit the loopholes between two channels. The business sense of creating a unified view of the customer is clear. “To be able to unify your view of a particular person or a particular identity — given that it could be a fraudster who has hijacked that identity — you need to get a common view as to their behaviour, what they are doing, where they are doing it, did they just withdraw money from their internet bank account and then call telephone banking and try to transfer money and those types of things. So the more you can unify that experience, the more you can automate the process of tracking and detecting potentially fraudulent behaviour,” says Moloney.
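The behaviour profiling and cross-channel tracking described in the two paragraphs above can be sketched in a few lines. This is an added example, not part of the original article and not any vendor's product; the event fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (customer, channel, action, amount, minute)
HISTORY = [
    ("c1", "internet", "transfer", 120, 0),
    ("c1", "internet", "transfer", 80, 1440),
    ("c1", "atm", "withdraw", 50, 2000),
    ("c1", "internet", "transfer", 150, 2880),
]
NEW_EVENTS = [
    ("c1", "internet", "transfer", 100, 5000),  # inside the normal pattern
    ("c1", "internet", "withdraw", 900, 5300),  # unseen action, large amount
    ("c1", "phone", "transfer", 950, 5310),     # other channel, 10 minutes later
]

def build_profiles(history):
    """Baseline per customer across ALL channels: seen pairs and largest amount."""
    profiles = defaultdict(lambda: {"seen": set(), "max_amount": 0})
    for cust, channel, action, amount, _ in history:
        profile = profiles[cust]
        profile["seen"].add((channel, action))
        profile["max_amount"] = max(profile["max_amount"], amount)
    return profiles

def score_events(events, profiles, amount_factor=3, window=30):
    """Return (event, reasons) for every event that leaves the customer's pattern."""
    alerts = []
    last_seen = {}  # customer -> (channel, minute) of the previous event, any channel
    for ev in sorted(events, key=lambda e: e[4]):
        cust, channel, action, amount, minute = ev
        profile = profiles[cust]
        reasons = []
        if (channel, action) not in profile["seen"]:
            reasons.append("new channel/action")
        if amount > amount_factor * profile["max_amount"]:
            reasons.append("amount above baseline")
        prev = last_seen.get(cust)
        # Only a unified view can see activity hop between channels in a short window.
        if prev and prev[0] != channel and minute - prev[1] <= window:
            reasons.append("cross-channel sequence")
        last_seen[cust] = (channel, minute)
        if reasons:
            alerts.append((ev, reasons))
    return alerts

if __name__ == "__main__":
    for event, reasons in score_events(NEW_EVENTS, build_profiles(HISTORY)):
        print(event, reasons)
```

Scoring only the telephone events, as a siloed channel team would, still flags the unfamiliar transfer but loses the "cross-channel sequence" reason that ties it to the internet withdrawal ten minutes earlier.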

The Bank of Montreal is using Norkom’s technology to look across its systems for compliance, as well as card and walletless matching. BoM wanted an enterprise-wide vision to leverage customers’ information, not only within product silos but across products and channels. Standard Chartered Bank also chose software from Norkom as part of an international programme for regulatory compliance and money laundering risk management. Norkom’s anti-money laundering and watch list management technology is to be installed across the bank’s operations in more than 50 countries to provide transaction monitoring and real-time sanctions filtering.

But it is not just anti-money laundering and KYC regulations that are going to make the banks re-think their identity management strategy. Richard Baker, IT management consultant at BT, outlines the effect that the Single Euro Payments Area will have on identity management. “There is an industry requirement to move to real-time clearance in October 2007. The reason that strong authentication becomes important there, and particularly not just authentication of access to the website but also the authentication of transactions, is that because the transaction will happen in real-time and the money will move in real-time, the banks will actually lose that window they have got to check for fraudulent behaviour before the transaction takes place.”

“If you look at the popular press, they complain about the three day window and three days of interest that the banks are making, but what they don’t actually talk about is that the banks are using those three days to track fraudulent transactions. They are not going to have that opportunity in the future because the money will have already moved. If it moves in real-time then it can move from the recipient bank as well. The fraudsters could get the money far away quite quickly and so there isn’t much opportunity to reverse the transaction,” he says.

Banks are facing an operational issue that slows their ability to create an end-to-end unified experience on different channels and across disparate networks. Historically, financial institutions are structured around silos with expertise in those different channels. What is needed is a global architecture team that is concerned with security and will work to bring this together in a cohesive strategy across those channels. Another issue is the trend towards consolidation in the banking industry, with highly acquisitive banks such as Santander or UniCredit, which makes creating a unified identity management infrastructure incredibly tricky.

Many believe that this is leaving room for non-bank competitors that don’t have the same legacy systems. When asked, Citigroup’s Steinmann didn’t seem too worried: “Banks are suited to being a retail customer interface. There are non-banks that offer a retail interface, but ultimately it is the bank that moves the money.”

Moloney agrees in some respects but believes that the banks have some work to do to keep their business. “Fundamentally, banking at this level is just like being a retailer. At our conference, a gentleman from HSBC said ‘What is the difference between retailing and selling if you are a merchant of whatever type?’ He believed that retailing is about the ability to really understand your customer and place in front of the customer the goods and services that they want. The banks in the past haven’t been very good at this,” he says.
