Is Mobile Account-Opening Safe?

ab052716opening.jpg

Editor at Large

The next step in the evolution of digital banking has begun: mobile onboarding, or letting consumers open accounts entirely through their smartphones.

ABN Amro and Radius Bank have been doing so for several months, and a large U.S. bank is rumored to be on the verge of taking the leap.

It is early in the process, and many security, technological and other questions remain, but the momentum is clearly building.

"We're seeing more clients trying to do either mobile-first or mobile-mostly enrollment," said Joram Borenstein, vice president of Nice Actimize, which sells risk management and compliance software.

Customers, especially millennials, will increasingly come to expect this. Banks like the idea of the lower costs of mobile sign-up as compared with more labor-intensive, hands-on work in branches.

Some banks want the technology to solve problems with "soft declines," in which people will start to fill out an application online or on mobile devices, but when it comes time to present identification, the bank asks them to go to the local branch with their identification documents.

"At which point the person says, I'm out. I don't want to do that," said Jim DeBello, CEO of Mitek. "That's why I signed up through my phone." He estimates such soft declines account for about 20% of failed enrollments.

But the technology is new and banks will need to proceed with caution.

"We live in a world where the tolerance for friction is extremely low and the indignation for failure is very high," observed Richard Parry, principal at Parry Advisory. "There's always a correlation between the market going into customer-service overdrive and an increase in fraud. The demand for speed and low friction will dominate until the threat vector becomes unpalatable."

Given the recent rise in new account fraud using stolen or synthetic IDs (more on that in a future column) and the hundreds of millions of consumer records that have been stolen already, is mobile onboarding safe?

One Bank's Experience So Far

For answers, we looked to ABN Amro, which began offering mobile onboarding in November to ease the sign-up process for prospective customers.

"In the traditional way we identify new customers, we take a lot of their time," said Frank Verkerk, its chief digital officer. "They have to visit our branch, they have to bring all kinds of documents." It generally takes about an hour. "We wanted to make it easier for people who decide to become a customer of ours," he said.

On the other hand, compliance with know-your-customer regulations remains important. "We designed a process in such a way that on our side, we still do the same checks we used to do, but we set them up in a different way," he said.

ABN Amro is using technology from Mitek through which customers scan their IDs (the Netherlands issues official identification to all residents) and take pictures of their faces using their smartphones. The Mitek software reads and compares the data in the QR code on the back with what's printed on the front. It also matches the photo on the ID document with the selfie. In the background, the bank performs its normal new customer identity and fraud checks.

The bank for now only offers mobile onboarding to a targeted group: adults who want to open a single account. Several hundred people have signed up.

They can now do so in less than 10 minutes.

Later, the plan is to offer it to more customer groups.

Verkerk is pleased with the program so far but says the process has room for improvement, on the bank's side and Mitek's side.

"There are all kinds of technological developments that could make it even more efficient, so we keep investing and improving," Verkerk said. For instance, certain manual identity checks could be automated.

The bank hasn't yet encountered fraud among mobile enrollment users. "We monitor that very thoroughly because we of course want to be sure things work out," Verkerk said.

The bank has caught people testing the system. "We come across a lot of funny and impossible pictures of people trying to find out if the process really works," Verkerk said.

Before implementing the technology, Verkerk said his team worked with Mitek to improve the quality of the ID and facial imaging.

"It sounds like an easy thing to scan your document and make a selfie, but of course the scan and selfie need to be good," he said. "If you take a selfie while in front of your window and sun is shining," quality will take a hit. "We provide a lot of feedback and help for customers to understand what they really have to do."

If a customer struggles and cannot make it work, the bank helps through another channel, such as the call center.

So Is It Safe?

In addition to Mitek, the Andera unit of Bottomline Technologies offers a similar mobile enrollment technology that Radius Bank uses. It also uses image capture to translate smartphone photos of ID documents into text.

Are such mechanisms safe, or are there security and privacy holes waiting to be exploited by fraudsters?

Technology that can compare the QR code on the back of a license with the information printed on the front "is a highly instructive indicator that the data on the front hasn't been tampered with," Parry said. "That's a critical first step." It's also something branch staff cannot easily do.

Likewise, facial recognition software that compares the head shot on the government-issued ID with the selfie potentially could do a better job than a person. "Humans rarely make good judgments on physical attributes," Parry observed. Mitek's software also checks for "liveness" by looking for movements such as blinking, other eye movements and mouth movements. This is to ensure someone does not just take a picture of a photo.

If a criminal manages to sign up for an account using a legitimate selfie along with a doctored or stolen ID document, he commits his face to that identity and thereby limits his ability to conduct fraud. If he tries to use his face to pose as multiple identities, he makes himself vulnerable to detection.

But banks' ability to use facial recognition is also limited, Parry noted, because they can only check photos against their own databases.

"Nothing exists, so far as I know, in the civilian world that allows you to look up the entire population," Parry said. "The [cybercriminal] has a good chance of thinking they're not going to look for this face anywhere else. That's a problem with [the Fast Identity Online authentication standard] in its present form, which stores biometrics on the device. That doesn't prevent me from pretending to be someone else or pretending to be multiple people, so long as I register them with different phones. You can register with 40 different phones and have the same face be in 40 different banks with 40 different accounts. These are the issues that have to be filtered out."

Eventually, the technology will be beaten by cybercriminals, he predicts ominously.

Many banks will back up these verification methods with offline background checks, such as address and Social Security lookups and U.S. Office of Foreign Assets Control checks, as they always have done.

And some will add device IDs. "People definitely are looking at ways to validate things like the device that is used in the enrollment, and there are partnerships and discussions between banks and mobile carriers about how to vet that kind of data," Borenstein said.

The catch with device recognition is that people tend to change mobile devices every two or three years. "But you could still draw inferences about the phone number associated with the device and the location of the individual, which gives you some level of comfort," he said.

In the bigger picture, biometrics are becoming an increasingly important part of identity. Banks and governments continue to experiment with face, iris, eyeball vein, and fingerprint scanning and voice recognition.

"We're going to end up with biometrics — I think they're unstoppable," Parry said.

Biometrics, of course, can be gamed. Fingerprints, for instance, can be stolen relatively easily with a gummy bear or Silly Putty and associated with a different identity. Some software programs examine whether fingerprints said to be from the same person are just slightly different; if they are identical, that suggests foul play.

So even stronger biometrics may have to be backed up with other identity checks. And to prevent hackers breaking into the databases where biometrics are stored and linking their own names to other people's biometrics, blockchain registries may be used in the future.

In the end the decision whether to go with mobile-only onboarding will come down to each bank's tolerance for risk. Some may go all in. Others may offer it only in a limited way, the way some restrict the amount consumers can deposit through a mobile app. A few may decide they want to meet their new customers, at least once, live and in person.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Data security Digital banking Mobile banking Consumer banking
MORE FROM AMERICAN BANKER