The Tech Scene: Security, Directed by Customers

Wachovia Corp. plans to give customers more control over their online security preferences.

In a continuing upgrade to comply with regulators' security guidelines, the Charlotte banking company has teamed with a vendor to evaluate customer transactions for signs of fraud. In the project's next phase, Wachovia will ask customers to tell it what to look for.

"We are the ones, through our risk scoring, that identify what is normal behavior," said John Watkins, Wachovia's online services director. "But we also want to give our customers the option, going forward, to say 'I would like greater security on access to my account.' "

Observers said that enlisting customers' help would make it far easier for banks to tell which transactions had a strong likelihood of being fraudulent. Instead of having to make an educated guess drawing from customers' and criminals' past behavior, banks could block transactions that customers told them in advance would be abnormal.

Wachovia has been monitoring transaction data for several years, using in-house tools to spot activities that are inconsistent with customers' habits. Last month it began using software from EMC Corp.'s RSA Security Inc. for this type of work.

It also joined RSA's eFraudNetwork, an information-sharing system for banking companies.

Wachovia, which had long used its own security tools, turned to a vendor because it recognized it would be easier to buy than build something along the lines of the eFraudNetwork, Mr. Watkins said. "We strive to bring in vendors who specialize in this area, because it's changing so fast."

He said the next phase will get under way sometime this year. "We would like to have it happen sooner than later, and we started working on it in parallel with our Phase 1 rollout" of RSA's tools, he said.

Wachovia currently assigns a risk score when it evaluates transactions and red-flags suspicious transactions.

Mr. Watkins said the software that will bring customers into the process is still in development, but the basic idea is behavior identification. For example, a customer could indicate he would be very unlikely to initiate a large transfer, so if anyone tried to do so from that customer's account, the transaction probably would not be legitimate.

That does not mean Wachovia would block all large transfers on the customer's accounts. It would assign extra weight to such transactions in the risk scoring.

Customers will be able to ask for tighter controls on various types of transactions but will not be able to ask Wachovia to be looser with other banking activities, even those that are not unusual for a given customer.

Wachovia plans to improve its risk-scoring system overall, Mr. Watkins said. "As we get smarter with our forensics and can more quickly identify threats, we will probably introduce different challenges as a customer falls outside of a risk score that has been created," he said.

That risk score might vary for the same transaction according to "the customer's behavior, location, time of day, and so forth," he said.

Some of these features, such as altering the risk score by time of day, can be implemented with RSA's technology, but Wachovia is also using its own software in this project. "Online security is an ongoing effort," Mr. Watkins said.

George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., unit of MasterCard International, said that letting customers set stricter limits on online transactions is a good idea. "Banks find typically it's the customer who identifies fraud before the bank does," he said.

Wachovia's decision to modify the software it purchased from RSA is appropriate for an outfit of its size, Mr. Tubin said. "The top banks will likely work with multiple vendors in this space for different things," as well as develop software on their own, he said.

A smaller bank may be satisfied with a vendor's standard offering, but large ones should not be, he said.

"As fraud migrates and changes from simple phishing to more devious types of attacks, it will be the big banks' customers that are likely to get hit with it first," he said.

Avivah Litan, a vice president and research director at Gartner Inc., a market research firm in Stamford, Conn., said banks increasingly allow customers to set up personalized early-warning systems for fraud. Many let customers configure their online banking systems to send them alerts whenever specific events occur, though it is generally up to the customer to notify the bank when an alert could signal a fraudulent transaction.

But these alerts are not well used, Ms. Litan said. She estimated that less than 5% of the people eligible to use alerts sign up for the service, and she said alternative approaches to using customers in the fight against fraud might get more participation.

"You'll see, in 2007, more banks trying to put consumers in charge of their accounts," she said.

