BankMobile will soon vet new customers by checking their identities against 18 data sources, tracking the location of the applicants' phones and determining if their phones have been jailbroken.
These layers of security go beyond those we've seen from other banks. They are part of a larger revamp the $9.6 billion-asset Customers Bancorp will unveil for BankMobile, its digital-only unit for millennials and technophiles, in January.
"We decided we did not want to stay awake at night thinking about these issues as much as a lot of our competitors and colleagues have been doing," said Dan Armstrong, BankMobile's chief digital officer. "Our chairman and our management team decided they'd like to move a couple of generations ahead in security."
Many financial institutions are stepping up their mobile and online security, because account takeover and account origination fraud are on the rise. In a survey conducted this summer by the information and analytics firm Neustar, 63% of financial institutions said they've been victims of account origination fraud and 55% had experienced financial losses, productivity losses and customer attrition as a result.
In late November, Bank Leumi announced it would secure its Leumi Card app by constantly monitoring the user's finger size, finger pressure and device habits to see if they match those of the account owner. This week, American Express announced its acquisition of Inauth, a provider of security including device identity and device integrity screening. It plans to embed the security in its mobile app early next year.
BankMobile's Technology Do-Over
Since its January 2015 launch, BankMobile has run on mobile and online banking software from Malauzai that's also used by several hundred banks and credit unions. The bank wanted more flexibility, especially the ability to prove and manage customers' identities its own way and create its own customer onboarding process for BankMobile, which now has 2 million customers.
"About a year and a half ago we set up a software services division to rebuild everything in-house," explained Armstrong. "So we had the ability to rethink everything we'd like to do in-house and with third parties."
The biggest security concern was and is the threat of fraudsters taking over customer accounts and committing fraud, or creating new accounts with synthetic identities.
To vet new customers, the bank's developers built a "committee voting structure" that conducts data and identity checks against 18 different sources, including traditional ones like LexisNexis and Experian. Another data source will be the customer's geolocation data. (If the user's phone is in Ukraine, for instance, she will not be able to enroll as a customer.) A third check will determine if the phone has been jailbroken. A fourth type of check is against the four major telecom operators, to make sure the phone's SIM card matches the user's identity. Experian FraudNet conducts fraud checks against the user's Social Security number, date of birth and other identity points. If any of the user's data points are associated with a known bad actor or a fraudulent or synthetic identity, it raises a red flag. Other banks may rely on as few as two data sources.
"We've integrated a load of these data sources, more than any other bank I've heard of, and turned and tweaked that data to provide a 360-degree view of fraudulent possibilities," Armstrong said.
Getting the onboarding and digital identity logic right is important because BankMobile has been focused from the beginning on a demographic that's underrepresented in traditional credit-check sources: "thin file" people who have little or no credit history, millennials and people who are underbanked. Plus, the bank never meets these people face to face.
"As a digital-only bank, it's our duty to provide a completely secure environment because we don't have branches and can't sit down with anybody, so data is our core link to our customers," Armstrong said. "Protecting that data is a stronger priority for us than for a lot of traditional branch banks."
Prospective customers who are very young or new to this country can get in, he said. "We do a lot of other checks we think are appropriate for younger people, as well as for seasonal labor and other individuals who are not traditionally in credit systems like TransUnion or Experian," he said.
Along the way, Armstrong's team has been rethinking what defines an individual user. In some cases, it's an individual with her own account and phone. In others, it's an individual who has access to a joint account. In still other instances, a person may be an individual within a family account that's tied to multiple shared devices.
Armstrong estimates the total cost of all this identity proofing at somewhere under $10 per customer. "The account takeover fraud, ACH fraud and check fraud we've seen without doing those checks is a far more expensive proposition," he said.
After the Customer's Onboarded
In addition to the extra care in onboarding, Customers is adding security features that protect transactions. For instance, it will generate one-time passwords sent to the registered phone.
"We think this is a huge barrier to account takeover," Armstrong said.
Software from Vasco, with whom Armstrong worked when he was at Rabobank, will provide device identity and device location verification, as well as end-to-end encryption on up to 10 devices per account. It will provide ongoing device geolocation checks if the customer opts into that.
The Vasco software will detect if a customer's phone has been jailbroken or rooted. (In other words, the software restrictions imposed by the Apple or Google operating system have been removed.) Typically users will jailbreak or root a phone in order to download software Apple and Google haven't approved. In so doing, they make their phones far more vulnerable to malware and hackers.
But such phones are not a dealbreaker for BankMobile.
"Our loss prevention and risk group are the people who argued for it strongly," Armstrong said. "They said if you want to give access to people you've got to allow it, because tons of these young people do it."
However, the bank does red-flag jailbroken and rooted phones and combines that data with other fraud concerns.
"We think it's fine to jailbreak your phone," Armstrong said. "We just think if you're doing a lot of other things and you're jailbreaking your phone, then it should add to reasons why we couldn't originate your account."
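As an added illustration, not code from BankMobile or any vendor named here, the "committee voting" onboarding logic described earlier and the policy of treating a jailbroken phone as a red flag rather than a dealbreaker can be sketched as a small Python scorer. The signal names, weights and thresholds are assumptions; the article gives no such numbers.

```python
from dataclasses import dataclass


@dataclass
class Signals:
    """Constructed inputs for one applicant (hypothetical model, not the bank's data format)."""
    phone_country: str            # country code from the device's geolocation
    jailbroken: bool              # device-integrity check: jailbroken or rooted
    sim_matches_identity: bool    # telco check: SIM card matches the claimed identity
    fraudnet_hit: bool            # identity points linked to a known bad actor / synthetic identity
    corroborating_sources: int    # how many data sources could confirm the identity ("thin file" if few)


# Policy knobs are illustrative assumptions.
BLOCKED_COUNTRIES = {"UA"}   # the article's example: a phone located in Ukraine cannot enroll
REVIEW_THRESHOLD = 2         # risk points at which the application is held for manual review
DENY_THRESHOLD = 4           # risk points at which it is refused outright


def committee_vote(s: Signals):
    """Each source casts a vote. Some votes are vetoes (hard fail); the rest add risk points
    that only become decisive in combination, which is how a jailbroken phone is treated."""
    vetoes, reasons, risk = [], [], 0
    if s.phone_country in BLOCKED_COUNTRIES:
        vetoes.append("geolocation:blocked-country")
    if s.fraudnet_hit:
        vetoes.append("fraudnet:known-bad-actor")
    if not s.sim_matches_identity:
        risk += 2
        reasons.append("telco:sim-identity-mismatch")
    if s.corroborating_sources < 2:
        risk += 1                      # thin file alone should not block a young or new applicant
        reasons.append("bureau:thin-file")
    if s.jailbroken:
        risk += 1                      # red flag, not a dealbreaker
        reasons.append("device:jailbroken")
    if vetoes:
        return "deny", vetoes + reasons
    if risk >= DENY_THRESHOLD:
        return "deny", reasons
    if risk >= REVIEW_THRESHOLD:
        return "manual_review", reasons
    return "approve", reasons
```

A jailbroken phone by itself still approves; the same phone combined with a SIM mismatch and a thin file is refused, which is the stacking effect the quote above describes.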
Extra security checks will be run when what Armstrong calls "social engineering and data change moments" occur — for instance, when someone wants to get a debit card sent to another address or change the phone number on an account. The bank will do geolocation and telco checks, for instance. "Our real-time ability to create different data sources helps us be more agile and when changes occur, blocking or holding those changes for manual review," he said.
Armstrong feels the bank is giving its best security effort. "There's no perfect security, we know that," he said. "There's no business case for perfect security because it's also unusable."
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.