Fraud Fight Shifts Focus to Customers

Banks are focusing on customers, not criminals, as they seek to improve security outside of traditional branch banking.

Security experts say it's logical — and technologically possible — to make customers the first line of defense.

"The reality is that no one cares more about banking transaction security than the customer," said Madhavi Mantha, head of banking research at Novarica, a division of the bank consultancy Novantas LLC in New York.

Arming consumers with tools such as alerts, which they set for things such as balance thresholds and transaction amounts, loops customers in continuously and makes them aware of fraud much earlier, she said.

Mantha said banks should also continuously analyze consumer behavior behind the scenes and look for fraudulent behavior across channels and silos before fraud occurs. "Customers may not even be aware of this activity before you contact them," she said.

Bob Shiflet, a fraud prevention executive at Bank of America Corp., concurs: "The industry has spent 15 to 20 years evolving models that look for transactions that look like fraud. … Where we are moving now is to model customer behavior, and understanding our individual customer behavior to see if the transaction is typical for them."

Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc. in Stamford, Conn., has broken out best practices for online banking into five technical priorities, most of which revolve around the consumer as opposed to the perpetrator.

The first phase starts with stronger front-end verification of the customer. That might include standard password authentication, but it might also involve client device authentication, coupled with out-of-band transaction verification.

She said banks should also use client session protection, applying predictive analytics and forensics. On the back end, systems must be engineered to look for account takeover fraud, and to search across silos for multiple forms of fraud and criminal behavior.

Litan advocates banks engaging the customer directly in security measures, which would at least make security seem less of a heavy-handed annoyance. "This is not a one-size-fits-all approach; this can be tailored by the customer," Litan said. She said one way banks could make consumer security more effective would be by giving consumers tools to individualize their security.

An example of this is the creation of "white lists" of companies and individuals that the consumer has told the bank are acceptable for the customer to transact with.

"The customer could tell the bank, 'These are the only ones you can pay on my behalf. Anything beyond this threshold, ask my permission,' " Litan said.

Getting to this level of interactivity, however, requires significant upgrades to current systems.

"All the technologies exist and are out there today to facilitate this level of customization," said Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC in Boston.

However, McNelley said few banks have gotten past the experimentation phase working with such technology. "One question mark is what level of control will be placed in the hands of the consumer, versus what level the financial institutions will retain for themselves," McNelley said.

The burgeoning mobile banking channel, with its always-on connection, arguably poses the biggest security challenge for banks. But it is also one where some of the most useful consumer innovation is taking place.

For example, Deepak Jain, the president and chief executive of DeviceFidelity Inc., a Richardson, Texas, contactless payment technology company, is working with MasterCard Inc. and Visa Inc. to secure mobile payments.

DeviceFidelity has designed a memory card for smartphones, equipped with a security chip, that lets consumers set controls not only for commercial transactions but also for mobile banking.

The cards can be loaded with pertinent customer log-in information but, based on the levels the banks can set, can also allow customers to customize their security settings.

Bank of America is testing the technology with Research In Motion Ltd.'s BlackBerry, which lets customers decide if they want to password-protect an electronic wallet stored on the phone.

"The bank controls the superset, but the user can choose among the different options of what he wants to turn on or does not want to use," Jain said.

Customization in the mobile banking environment might also include turning on extra levels of security when the mobile phone user is traveling, which the user could then turn off when home. "Consumers can configure the service to their liking," Jain said. "They can turn on the preferences and the alerts they need."

Because high technology is impersonal, banks still have to reach customers on an emotional level, the experts say. "There is a reputational risk to the bank for catastrophic loss, but there is also the question of what my customer's experience will be based on our management," Shiflet said. "Can I do this in a way that will delight my customers?"

This story has been reprinted with permission from American Banker.