Digital ID Verification
Digital identity: The key to navigating the new normal in remote banking
Identity and authentication issues are front and center in today’s remote world. Banking consumers are increasingly turning to online and mobile channels now that there is more perceived risk with in-person branch visits. Robust customer identity verification and authentication capabilities are essential for delivering a secure and trusted customer experience in our new reality – from onboarding to day-to-day banking.
Join our webinar on October 8th, 2020, as Zil Bareisis, Head of Celent’s Retail Banking practice, and OneSpan discuss how COVID-19 is creating challenges for retail banks to attract and retain customers, and how digital trust will be the glue that holds remote banking processes together. Live Q&A to follow.
- Rahim Kaba, VP Product Marketing, OneSpan
- Zil Bareisis, Head of Retail Banking, Celent
- Mike Sisk, Contributing Editor, American Banker and Credit Union Journal
Improving the digital customer experience – account opening
Research shows that 37% of all consumers, and more than 50% of millennials, prefer to open a new account online, but the vast majority of them end up abandoning an online application before they complete it. Learn about trends and best practices for reducing application abandonment.
Making Digital Account Opening Simple, Secure and Seamless
Check out this infographic and learn about the risk of fraud for financial institutions and how to secure a digital account opening process.
Digital Account Opening: How to Transform and Protect the Account Opening Journey
The process a customer goes through when opening a bank account can directly impact long-term customer loyalty, profitability, and retention.
Today’s customer expects a fully digital account opening experience – available online and on mobile. Banks, credit unions, and other financial institutions (FIs) need to offer customer-centric, mobile-first account opening and customer agreement experiences to convert customers and drive growth. Yet, remote identity verification remains one of the most challenging processes to digitize.
This white paper highlights key trends, best practices, and technologies to overcome this challenge.
Delaware bank's tech overhaul shifts into higher gear
By Ken McCarthy
WSFS Financial in Wilmington, Del., has a greater sense of urgency for upgrading its digital platform.
The $12.3 billion-asset company was one of the first banks to vow to funnel cost savings from a large acquisition into technology upgrades when it announced an agreement to buy Beneficial Bancorp in August 2018. That deal closed last March.
While it was a novel concept at the time, other merging banks have followed with similar plans. For instance, tech upgrades were a big rationale for the megamerger of BB&T and SunTrust Banks that created Truist Financial.
WSFS, as a result, has expedited the timeline for its overhaul from five years to three years. And it plans to spend nearly half of the $32.5 million it earmarked for digital upgrades this year.
“The pace of technology is moving very quickly and we want to be in a position where we can continue to respond and innovate and provide what our customers are looking for,” Chief Technology Officer Lisa Brubaker said during the company’s recent earnings call.
WSFS spent much of 2019 laying the groundwork for its tech strategy.
The company closed or sold 25 of the 30 branches it planned to shutter, freeing up funds. It hired its first chief digital officer and worked with PricewaterhouseCoopers to assess the tech landscape and how the bank might fit in.
“People want their experience with their bank to be like when they're shopping on Amazon or using Uber,” Rodger Levenson, the company’s chairman, president and CEO, said in a recent interview. “We had a great digital product offering, but things are changing rapidly.”
The assessment found several areas where WSFS needed to improve, including its platform for letting new clients open accounts online. An upgrade is planned, keeping in mind that customers want a sign-up process to take five steps or less.
“It takes a lot more than five taps for our online account opening,” Levenson said.
WSFS has also found more supporters since announcing its approach to tech.
The company’s initiative will accelerate its investments in technology and infrastructure, targeting the customer experience with peer-to-peer payments and personal financial management, said Russell Gunther, an analyst at D.A. Davidson.
“In today’s environment, banks need to try, and yes fail, at implementing many technologies to learn what their customers want and what will drive future growth,” said Jeff Marsico, an executive vice president at the bank advisory firm Kafafian Group.
Such endeavors require open-minded leadership and a long-term vision. Marsico noted that many banks make strategic investments only if they can recoup the costs quickly.
WSFS looked outside the company for leadership, hiring Corynn Ciber in August as its chief digital officer. Ciber, who is working with Brubaker, was the lead infrastructure project manager for Barclaycard US.
Community banks must avoid the temptation of taking on too many projects or being too aggressive in their efforts to keep up with fintechs and bigger banks, said Jim Adkins, managing partner at Artisan Advisors. Smaller banks must be selective and remember that branches still provide a marketing advantage, he said.
While accelerating its upfront investment, WSFS is content to sit back and let fintechs spend more money on research, Levenson said.
“We're not trying to replicate everything they're doing,” he said.
Having strong ties to local markets should help WSFS hold its own against national banks as it works on its online and mobile offerings, industry observers said.
“Banks will figure out how to keep up” with tech, Marsico said. “The advantage is knowing that most WSFS deposits will be deployed in Wilmington and Philadelphia and the surrounding area.”
The idea to revamp the tech platform originated in 2016 when Mark Turner, Levenson’s predecessor, returned from a three-month tour of visiting financial institutions, fintech firms, traditional retailers and medical device companies.
Along the way, WSFS determined that it needed to make some changes.
WSFS, for instance, realized that WSFS Everyday Pay, its own payment app, had lost favor among people who preferred Venmo or Zelle. The company signed on with Zelle last fall.
The company plans to incorporate integrated architecture into its data and workflow platforms, focusing on areas such as enterprise document imaging and back office automation. Cyber security, fraud oversight and integrated internal control monitoring also need a closer look.
Other new programs include myWSFS, a highly personalized messaging app that securely connects customers to personal bankers, and WSFS iQ, an interactive mobile platform focused on financial education.
WSFS also plans to improve its online and mobile account opening processes later this year.
“We've got customers to serve and others to attract, and we're ready to execute,” Brubaker said during the quarterly call.
Digital Account Opening
Research shows 57% of millennials prefer to open an account online. Banks that make new customers take unnecessary manual steps to open an account make it more likely an applicant will abandon the process altogether.
Watch this video and learn how secure agreement automation, digital identity verification, e-signatures, and intelligent fraud detection can be used to make mobile account openings faster and easier while reducing application fraud.
Adaptive Authentication: Superior User Experience and Growth through Intelligent Security
Fraud continues to grow while consumer patience for additional authentication layers dwindles. Intelligent Adaptive Authentication allows financial institutions a way to solve both issues.
In this white paper, you will learn:
- How to equip your bank to better combat fraud through real-time risk analytics
- Top solution requirements to look for, including open architecture, AI/machine learning, and advanced rule sets
- The importance of authentication orchestration, risk analytics and mobile app security in achieving a fully optimized digital banking experience
Case Studies: Moving to Software Authentication
These three North American banks migrated from hardware to software authentication. Learn their strategies, challenges, and successes in this mini case study document and learn how your institution can provide a safe, modern experience for your clients.
How to Drive Growth with Intelligent Adaptive Authentication
In this video, industry expert David Vergara discusses how financial institutions can use intelligent adaptive authentication to:
- Improve fraud detection and prevention
- Meet strict compliance requirements
- Drive growth goals by creating a better digital experience for customers.
PayThink: Security will pull AI laggards off the fence
By Mark Crichton
The past year has brought dramatic changes to the financial services industry. From the introduction of new regulations like PSD2 in Europe, to disruptive new technologies transforming the way consumers conduct banking and payments, the landscape is constantly changing. Facing the accelerating pace of technological change, financial institutions are left wondering what 2020 will bring.
I believe that one of the most significant technology trends that will impact the financial services industry in 2020 will be the growing adoption of artificial intelligence (AI). However, even as financial institutions, issuers and payment companies increasingly embrace AI, I anticipate they will need help learning how to use it to its full potential.
Surveys of financial institutions show that the majority (75%) of banks with more than $100 billion in assets are currently implementing AI strategies. Yet, even with growing adoption, most financial institutions are still holding back from providing enough data to use AI in its most complete form.
Often, this is due to the complexity of their own infrastructure and legacy systems. Most banks today have siloed data pools scattered across their operations, making it difficult to pull, aggregate and analyze the data at scale. But by moving to more agile processes and bringing their back-end infrastructure into the digital era, financial institutions will be able to start taking full advantage of AI and the benefits it can bring.
One of the best applications of AI in financial services lies in the area of cybersecurity, particularly in risk assessment, fraud prevention and dynamic authentication. The fight against fraud relies heavily on analyzing vast amounts of real-time data. New, risk-based technologies powered by AI and machine learning (ML) enable financial institutions to analyze transaction, device, geographical and behavioral data to make real-time security decisions, detecting and preventing fraud as it happens.
For example, we’re beginning to see financial institutions leverage AI to create intelligent adaptive authentication processes, which analyze the risk of a situation based on real-time data and then intelligently adapt the security and required authentication accordingly, whether that be biometrics, device analysis, geolocation, a PIN, or a combination of a number of methods. Intelligent adaptive authentication helps financial institutions better safeguard their data and stem the tide of cyber attacks without compromising user experience or needing to manage and maintain an infinite number of static policies.
Over the next year, as more financial institutions and payment companies update their back-end legacy infrastructures, I believe it will become rare to see banks not using AI in an efficient way. When complex fraud detection models are able to be read and understood by people, and when security measures are made intelligent and adaptive so as not to inconvenience legitimate users, then I believe we will see the power of AI shine through across the financial services industry.
Mark Crichton, senior director of product management, OneSpan
In a digital world, regulators and innovators need to team up to beat fraud
By Vanita Pandey
Innovation in payments has moved rapidly over the past decade, with companies of all sizes and industries diversifying their payment methods and incorporating network tokens.
Furthermore, the development of app-based payment models has led to a massive decrease in the use of plastic and cash, and the ubiquity of authorized push payments and mobile devices has resulted in consumers expecting to be able to make payments securely at the click of a button.
The race to satisfy the demand for frictionless, real-time payments has produced impressive technological innovation; however, it has also allowed fraudsters to slip through traditional payment fraud detection methods, leaving consumers open to abuse. Payment industry regulators have made well-intentioned efforts to better defend consumers against fraud and abuse, with recent safeguards including those that protect consumers from inadvertently signing up for costly subscription schemes (which also force merchants to provide opt-out clauses and notifications).
Still, in the quest for consumer protection regulators can be too narrow in their approach and lack a comprehensive understanding of the implications of new data protection rules. For example, current data privacy laws mandate that merchants remain unable to access information that might be used for secure and quick user authentication.
Fraudsters, on the other hand, who aren’t bound by regulation, can access this information and therefore have an advantage over merchants in targeting consumers. In fact, data protection laws have the ability to benefit fraudsters even further if they’re committed to playing the long game, as fraudsters can easily return to attack previous victims after their data has been deleted.
Balancing consumer data privacy with effective authentication and fraud prevention certainly creates challenges for both businesses and regulators. Complicating matters even further is the long-standing impact of COVID-19 on the payments landscape.
With businesses having to revamp their entire operations, pivot towards online revenue streams and integrate contactless payment methods, the volume of digital transactions stands to continue to skyrocket. This will provide an even more effective smokescreen for fraudsters, allowing them to avoid detection due to the increased volume of legitimate traffic.
To safely transition into what’s becoming an increasingly cash-free world, businesses must prioritize identity management not just when a customer onboards, but throughout the entire customer life cycle. Because money movement happens in real-time and fraudsters can easily hijack a payment before any involved parties become aware, a multi-pronged approach that leverages behavioral biometrics, device heuristics and other fraud mitigation tactics is essential.
By applying such an approach as the first line of defense earlier in the attack life cycle, businesses and their payments partners can better understand underlying intent, identify telltale signals of fraud, segment traffic based on its risk profile, and better distinguish between bots, human fraud rings and legitimate users.
While employing technical best practices like identity management and targeted authentication is crucial, overcoming the drastic rise in payments fraud also means fostering greater collaboration between all the participants in the payments ecosystem. Businesses should consider sharing their data on known bad actors so they and their peers can devise more effective fraud prevention strategies.
Furthermore, a close collaboration between leading payment innovators and regulators could help regulators better understand the direction the industry is headed. This would ultimately enable regulators to incorporate risk-based machine learning techniques and deliver more customer-friendly, fraud-focused regulation — a critical component in the fight against payments fraud and abuse.
How to fight fraud with machine learning
Greg Hancell, Manager of Global Consulting at OneSpan, talks about how financial institutions can fight fraud using machine learning. The interview also contains insights on why explainable artificial intelligence is important and how banks can get started with continuous monitoring and contextual authentication.
Defending Against Coronavirus Phishing and Malware Attacks
At OneSpan, we have been concerned and saddened by the impact of the coronavirus (Covid-19). We commend the health and service professionals working to contain the outbreak and wish a speedy recovery to those afflicted.
Beyond the immediate health threat, we have also noticed a new fraud trend. With the widespread media attention around the coronavirus, attackers are already using the topic to bait victims into opening malicious attachments. In this blog, we’ll take a closer look at these phishing attempts and explore security solutions that could identify and help prevent coronavirus-related phishing attacks.
Coronavirus Phishing Attacks
Researchers at IBM X-Force have identified several campaigns where attackers are sending out infected email attachments disguised as instructions around the coronavirus. When opened, the file will silently install an Emotet downloader in the background. Right now most of the messages found appear to be in Japanese, which is due to the outbreak being concentrated in Asia. However, with the fear of the virus being so widespread, we can expect similar tactics to be used in the rest of the world soon enough.
Similarly, Kaspersky just published a blog reporting that the company’s technologies “have found malicious pdf, mp4 and docx files disguised as documents relating to the newly discovered Coronavirus. The file names imply that they include virus protection instructions, current threat developments, and even virus detection techniques.”
While criminal hackers routinely use natural disasters and viral news topics to launch attacks, the coronavirus theme has the potential to affect businesses directly because of China’s role in the global economy. For example, many companies are being asked if their supply chains will be interrupted because of shipping issues with China. An audience hungry for information is an audience ripe for hacking attacks. As a result, we expect to see phishing emails posing as:
- Delivery companies, such as FedEx or UPS, and online sellers, such as Amazon, with messages about goods sourced from China
- Brokers and investment firms with a message about markets crashing
- Targeted attacks from suppliers saying goods cannot be delivered or will be delayed
- Urgent updates from government and global health agencies on how to avoid infection
Now is the time to be extra vigilant, as attackers will be looking to take advantage of the fear and attention around the coronavirus outbreak.
How Banks Can Protect Customers against Coronavirus-themed Attacks
Financial institutions (FIs) should deploy additional safety precautions because of the heightened risk of phishing, social engineering, and malware attacks. Attacks will affect both corporate and retail banking customers as criminals take advantage of the situation.
FIs with fraud detection and prevention systems generally rely on a rules engine to manage fraud. Not all anti-fraud systems are equal, however. Expert rules engines give FIs an advantage by providing the flexibility to activate extra fraud rules during heightened risk periods such as Christmas, Black Friday, and natural disasters when customers have an increased chance of being compromised. Such periods of increased risk demonstrate the need for banks to have dynamic fraud prevention solutions in place to allow them to respond to the fast-paced nature of fraud.
It is also important that fraud detection systems be capable of quickly toggling different controls or operating at a lower level of trust during times of increased risk. Similarly, temporarily changing thresholds for the scoring model and allowing a larger number of false positives in favor of fewer false negatives is also a good practice. When the surge in the coronavirus phishing period comes to an end, reconfiguring the detection will allow the bank to reduce the workload on the fraud team.
Fighting Malicious Attacks with Machine Learning and Risk Analytics
In addition to expert fraud rules, fraud detection systems that make use of risk analytics and machine learning will be better prepared to respond to the changing fraud landscape. With machine learning, the fraud detection system can gather and immediately analyze data from all externally facing access points (i.e., a user’s phone). Comparing each user’s behavior against their history then allows the risk engine to identify abnormal user behavior.
In fact, by continuously monitoring the entire banking session (rather than a single event such as a payment), an advanced risk engine with machine learning can also evaluate data points such as the length of the session, time of the day, and spending patterns – as well as the actual sequence of user actions, which may indicate abnormal user behavior. Should a phishing attack occur, it will be identified by the system in real time, prompting an increase in protections.
What’s more, when the influx of attacks subsides, the risk analytics technology continues to analyze the fraud risk, in real-time, for each individual transaction. Leveraging this more precise security ensures the best user experience, as friction is removed for low risk transactions, and only riskier transactions trigger additional security steps. In this way, a financial institution not only improves the user experience, but automates fraud management, which dramatically reduces the manual efforts of the fraud team.
Finally, modern risk analytics tools may also be equipped with a phishing early warning sign. The machine learning algorithm can detect the likelihood of the HTTP referrer being a phishing page. This can be supplemented by pre-defined expert rules governing how the system should respond to the phishing attack scenario.
Combatting Phishing and the Coronavirus
Sadly, attackers will play upon any fear to increase the impact of their phishing campaigns. In that way, the coronavirus attacks we have been seeing are just the next iteration in an ongoing effort. Vigilance by your fraud team, bolstered by the ability to dynamically adjust fraud rules and enhance your existing anti-fraud tools with real-time risk analytics, is key to stopping both this wave of phishing attacks and the ones to follow.
Banks grow wary of Zoom meetings
By Penny Crosman
By pushing business meetings out of conference rooms and into the virtual world, the coronavirus pandemic has given bank security teams one more thing to worry about: the threat of so-called Zoombombings and other types of online intrusions.
The videoconferencing service Zoom has surged in popularity amid the public health crisis. The company said Thursday that it has 300 million users, up from 10 million in December. And the rate of Zoom installations on Windows devices in financial services grew 92.94% over the past four weeks, according to Forescout Research Labs.
Yet Standard Chartered Bank has reportedly banned employees from using Zoom videoconferencing because of security concerns, and survey data suggests other banks are starting to scale back or stop using the service.
“When in-person meetings are virtually impossible, video calls are the only channel for meetings, interviews and companywide announcements within organizations,” said Kyum Kim, co-founder of Blind, an online community of 3.5 million technology and financial services professionals. “Security vulnerabilities in conference calls raise concerns because often, if not always, confidential and private information about the company, employees and candidates are shared through these meetings.”
In a recent poll conducted by Blind, 28% of financial employees said they were worried their information may have been compromised through a videoconferencing tool. About 12% said they have stopped using the popular Zoom tool, and 10% said they have decreased use of it over hacking concerns.
Card company employees seem to be especially worried: 56.6% of Visa employees said they have completely stopped using Zoom, as did 55.6% of American Express staff.
More than a third of Goldman Sachs employees who took the survey said they fear data compromise with the use of Zoom, as did 27.8% of JPMorgan Chase staff and 20.7% of Capital One workers.
Several banks have experienced Zoombombings in which hackers have broken into a meeting and shown porn or flashed themselves.
“That has happened quite a few times, and we're collecting lots of stories on that,” said Steve Hunt, senior analyst at Aite Group.
There is no profit motive — they do it “to get their jollies,” he said.
These kinds of Zoombombings are not necessarily targeting banks. Sometimes people just type a random string of numbers into a zoom.us URL and get into an active meeting, Hunt said.
A Google search for URLs that include "Zoom.us" can turn up the unprotected links of meetings that anyone can jump into.
“It's hit or miss, but if you stumble into a meeting, you might not have any idea of whose the meeting is, but you can still have a little fun,” Hunt said.
Another way hackers could break into meetings is by buying Zoom account credentials on the dark web. Security researchers have found about 500,000 sets of Zoom usernames and passwords. Some belong to users in financial services and are for sale, with some of those priced at less than 1 cent each.
What are the risks?
Cybercriminals who find their way into an executive or board meeting could obtain sensitive information, which could be a serious threat to banks.
“I can imagine some bad guys targeting that,” Hunt said. “But it takes some luck and skill to pull that off.”
The cybercriminals would have to obtain some knowledge of scheduled meetings, perhaps by breaking through with a spearphishing campaign first.
In late March, security researchers reported vulnerabilities in Zoom that hackers could use to take over a Mac user’s camera and microphone. However, Zoom quickly issued patches for this problem, and Macs are not commonly used in financial services.
Zoom also routes traffic through Chinese servers to maintain resilience, according to Forescout, a practice antithetical to banks' risk management policies. According to a Zoom spokesperson, mainland China datacenters no longer function as secondary backup bridges for users outside of China.
Another issue with videoconferencing tools is they tend to use weak encryption, according to David Gurle, founder of Symphony, a provider of videoconferencing software that according to the company has stronger encryption and is used by 123 banks, mostly on Wall Street. Symphony’s main technology, instant messaging, is used by more than 300 banks.
Zoom did not respond to a request for an interview. In a press release on Wednesday, the company said it is upgrading to a stronger, 256-bit encryption standard to protect meeting data in transit and provide resistance against tampering. This will be enabled on May 30.
A spokesperson said the company is issuing product updates, providing resources to educate users on how to secure their meetings and conducting a review with third-party experts and users. Zoom says it is also shifting all engineering resources to focus on trust, safety and privacy as well as launching a council of chief information security officers to discuss best practices.
“Major financial institutions around the globe are continuing to use Zoom to keep their trading operations running and to continue their important work with their clients and colleagues on a daily basis,” the spokesperson said.
Are the fears overblown?
Hunt says the concerns around videoconferencing security have been overblown.
“Companies are blacklisting Zoom, but not for the right reasons,” Hunt said. “I think it's paranoia.”
Zoom meeting security can easily be improved by using the software’s basic security settings, for instance by setting passwords for meetings and blocking people who have been kicked out of a meeting from coming back in, Hunt said.
One way to keep uninvited guests from joining Zoom (or Cisco Webex or BlueJeans) meetings is to authenticate users.
“Putting strong authentication on an online meeting is not rocket science,” Hunt said. “I imagine Zoom will soon offer an app for two-factor authentication.”
The company may have made a few missteps in the early days of the pandemic, but this is understandable, he said.
“Zoom was a niche application just a few months ago,” Hunt said. “It was something kind of cute and nice that we use to make our lives a little better. It was never designed for 200 million concurrent users. And to see a company go through a huge spike in popularity is generally a good thing. The fact that while doing so, it has a little trouble catching up from a security and privacy point of view is completely normal.”
Account Takeover Fraud Challenges and Solutions
Account takeover is one of the top concerns for financial institutions, FinTechs and e-commerce merchants. Julie Conroy, research director at Aite Group, discusses the rise in account takeover fraud and how financial institutions can detect and prevent attacks.
4 Essential Things to Look for in a Fraud Detection Solution
Finding the best fraud detection and prevention solution for your organization can be challenging. Requirements from internal stakeholders and vendor fact sheets can give an overwhelming impression that your solution needs to have it all and then some. In reality, your choice should simply tick all the boxes on your must-have list and cover your business use cases. It should contain most of the necessary features out-of-the-box, to minimize the need for time- and resource-consuming customizations.
What should a fraud monitoring tool include to be able to meet your needs? To start, an ideal solution should be able to identify and respond to a wide array of fraud scenarios, both industry-known and specific to your organization. However, it’s also essential for the tool to be able to react to unknown and perhaps surprising fraud occurrences. It should provide a versatile mix of features to collect and analyze the data, draw correct conclusions, take actions based on results, and finally produce comprehensive reports. It should be able to integrate in your existing ecosystem and, at some point, this tool should become something your fraud team cannot imagine living without.
Clearly, that’s a tall order for fraud detection software. Not every fraud detection solution on the market lives up to this standard, so it is crucial that organizations do their research and find a tool that can provide comprehensive fraud monitoring.
To help you evaluate the key requirements, our Buyer’s Guide to Evaluating Fraud Detection Tools explains the top nine capabilities that a fraud monitoring tool must provide in order to meet the needs of modern financial institutions. Here’s a preview with four of the top nine capabilities we recommend evaluating.
Key Functions of a Fraud Detection Tool
1. Detect a wider range of fraud by combining machine learning with an advanced rule engine.
An advanced rule engine with a proper set of rules will filter out the fraudulent events meeting specific criteria. For example, the rule engine will catch transactions whose time, place or amount values deviate from a normal scenario. It can also help with detecting more sophisticated cases, like phishing attacks or transactions to mule accounts. Think of it as a system of filters that blocks transfers, lets them continue down the pipeline, or alerts the system to step up authentication.
But your solution should not rely solely on rules. A rule-based system can no longer keep up with fraud attacks that evolve in complexity, speed and automation. Rule libraries keep on expanding, which puts pressure on the system, slows operations and increases the false positive rate. To combat a wide array of fraud attempts without affecting processing speed, combine rules with machine learning algorithms.
Machine learning lives up to the hype. With the capability to analyze an incredible amount and variety of data, it is an indispensable element of your fraud detection mix. It can easily extract value from data with little human input.
Choose a machine learning solution that implements different algorithms and, with support from your vendor’s experts, pick the best algorithm for your situation. Look for a machine learning implementation that will provide insights into the analysis process as well as evidence about why a transaction was declined or accepted.
2. Prevent fraud out-of-the-box.
You should expect your anti-fraud tool to be able to detect fraud right from the start. Make sure it supports your business continuity requirements and, as such, ensures a smooth transition from the existing fraud processes. You cannot afford any freeze in your anti-fraud and risk analytics efforts, so it’s important to find a solution that will provide a sufficient level of protection out-of-the-box, from day one. A turnkey package should be available for you to analyze transactions through a combination of a rule engine and machine learning. Both should work on deployment even without reference data.
Of course, while out-of-the-box is a good start, the solution should be flexible enough to customize it to your own needs and data.
3. Apply a dynamic approach to your authentication flows.
The fraud monitoring framework should be able to integrate with existing and future multi-factor authentication options. It should constantly evaluate the risk of a particular event and, based on this evaluation, orchestrate the authentication flow. It should dynamically trigger the most suitable authentication method for a given situation, according to its risk level. For example, if a certain transaction is evaluated as suspicious, due to unusual timing, location of the user, or significantly larger amount than before, your solution should be able to step up the authentication criteria instead of simply rejecting the transaction or putting it on hold for manual review.
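The rule-engine filtering from item 1 and the risk-based step-up described above can be sketched together. This is an added example, not code from the buyer's guide or from any vendor's product; the rule weights, score thresholds, field names and action names are all assumptions chosen for illustration.

```python
"""Risk-scored authentication orchestration (illustrative sketch).

Weights, thresholds and action names are assumptions, not vendor values.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Profile:
    """Per-customer baseline; the values used below are constructed."""
    active_hours: range        # hours of day the customer normally transacts
    home_country: str
    typical_max_amount: float


@dataclass(frozen=True)
class Event:
    when: datetime
    country: str
    amount: float
    payee_flagged_mule: bool = False   # hit on a hypothetical mule-account list
    device_jailbroken: bool = False    # mobile device-health signal


# Each rule returns (points, reason) when it fires, otherwise None.
def rule_unusual_time(e, p):
    if e.when.hour not in p.active_hours:
        return 20, f"hour {e.when.hour:02d} is outside the usual activity window"


def rule_unusual_location(e, p):
    if e.country != p.home_country:
        return 30, f"country {e.country} differs from usual {p.home_country}"


def rule_large_amount(e, p):
    if e.amount > 3 * p.typical_max_amount:
        return 30, f"amount {e.amount:.2f} exceeds 3x the typical maximum"


def rule_mule_payee(e, p):
    if e.payee_flagged_mule:
        return 100, "payee is on the mule-account list"


def rule_device_health(e, p):
    if e.device_jailbroken:
        return 25, "device reports jailbroken or rooted state"


RULES = [rule_unusual_time, rule_unusual_location, rule_large_amount,
         rule_mule_payee, rule_device_health]


def decide(event, profile):
    """Score an event and pick the authentication flow for its risk level."""
    fired = [hit for rule in RULES if (hit := rule(event, profile)) is not None]
    score = sum(points for points, _ in fired)
    if score >= 100:
        action = "block"
    elif score >= 50:
        action = "step_up_biometric"   # stronger challenge for higher risk
    elif score >= 20:
        action = "step_up_otp"         # lighter challenge for moderate risk
    else:
        action = "allow"
    # Reasons are returned so an analyst can see why the decision was made.
    return {"action": action, "score": score,
            "reasons": [reason for _, reason in fired]}


# Constructed sample data.
PROFILE = Profile(active_hours=range(7, 23), home_country="US",
                  typical_max_amount=500.0)
NORMAL = Event(datetime(2020, 9, 1, 14, 5), "US", 120.0)
LATE_NIGHT = Event(datetime(2020, 9, 1, 3, 10), "US", 120.0)
ANOMALOUS = Event(datetime(2020, 9, 1, 3, 10), "FR", 5000.0)
TO_MULE = Event(datetime(2020, 9, 1, 14, 5), "US", 120.0,
                payee_flagged_mule=True)

if __name__ == "__main__":
    for name, ev in [("normal", NORMAL), ("late night", LATE_NIGHT),
                     ("anomalous", ANOMALOUS), ("to mule", TO_MULE)]:
        print(name, decide(ev, PROFILE))
```

The anomalous transfer (odd hour, foreign location, large amount) is challenged with a stronger factor rather than rejected, while only the mule-account hit is blocked outright.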
4. Be prepared for the challenges specific to the mobile channel and explore the full potential of data.
The mobile channel brings additional challenges that distinguish it from the standard internet banking experience. Your fraud monitoring solution should recognize these distinctions.
Monitoring of the mobile channel needs to take into account, among other things, the diversity of devices and operating systems and the lack of control over what else is installed on these devices. Without recognizing the specifics of the mobile channel, the tool may not collect all the data points and may therefore draw incorrect conclusions. Because mobile phones in general provide much richer context and enable more advanced analysis, leveraging the broader context of the mobile channel is essential for fighting mobile fraud.
Your fraud monitoring framework must provide analysis based on a wide array of data collected from your users’ devices. This data can include, for example, device health: whether the device has been jailbroken or whether there has been any suspicious activity. Insight can also be provided for authentication and biometrics, for example face recognition score or PIN strength. General device information is another example of mobile-specific intelligence, and can include the version of the operating system, device model, etc.
But these data points are only valuable if they are valid. This means that you should make sure that both the data collection and the transfer between the mobile device and the server are safe. A secure communication channel independent from other existing communication protocols will ensure that the device security status can be trusted when it arrives at your fraud monitoring system.
Additional Key Requirements for Your Evaluation
The ultimate goal of an anti-fraud framework is to stop criminal activities while streamlining the legitimate ones. Simple tools are no longer enough. Fraud keeps evolving simply because it has a huge profit potential for criminals, therefore your anti-fraud weapons must evolve as well.
Download the Buyer’s Guide to Evaluating Fraud Detection Tools to get the top nine requirements for a modern, effective fraud solution – from machine learning to the ability to orchestrate the authentication flows.
Online lenders confront deepfake threat
By Penny Crosman
Online lenders are inviting prey for crooks who hope to score quick money by disguising themselves from afar as legitimate loan applicants.
Some online lenders — including Elevate Funding and Credibly — are saying not so fast. They are taking a number of innovative security measures, including the deployment of technology that can spot fabricated photos, so-called deepfake videos and legitimate images that have been falsely tied to an incorrect date, time or location.
It is an important step because fraudsters try to trick lenders into thinking they have property, licenses, assets, equipment and more that they do not possess.
Traditionally, online lenders have used site-inspection companies to verify the existence of a business customer or its assets. These companies charge a fee to send a person in their network to take pictures on-site at a business.
This process takes time, which is antithetical to the high-speed world of online lending, where credit is typically more expensive but quicker and easier to obtain than traditional bank loans.
“Depending on how remote the merchant's location is, it can be a long wait” for the site-inspection company to do its work, said Ryan Rosett, founder and co-CEO of Credibly, which makes data-driven loans to small businesses.
It made more than $350 million in loans in 2019. Its average loan size is around $55,000. Loan volume has been growing 30% year over year, the company says.
“For somebody in Alaska, it might take 48 hours," Rosett said. “In the rural areas we're working in, time kills deals. These merchants need the money right away.”
It can also be intrusive to have a stranger walk into a business establishment and start taking pictures. Employees may start wondering if the business is in trouble and if they need to look for new jobs.
“A lot of businesses don't want their employees to know that they’re taking out a cash advance,” said Ken Peng, director of marketing at Elevate Funding, which provides working capital to small-business owners with a history of financial hardship or poor credit. It lends about $1.5 million a month and funded 1,400 merchant advances in 2019.
The one- to two-day turnaround time of human site inspectors can also anger sales referrers who might miss out on a commission, Peng said.
“It was just a huge thorn in our side,” he said.
These lenders and others now use software to verify the authenticity of photos submitted with online loan applications.
When Elevate receives an application for a merchant advance, its underwriting team assesses the risk based on the merchant's background and cash flow. Elevate might project that a company will do $14,000 in sales over the next three months and offer to advance $10,000 of that. Once the borrower accepts an offer, there is a post-underwriting process that includes a series of verifications.
Any loan over $10,000 requires a site survey, which includes taking photos of the business and its license to prove that it is legitimate, open and operating. Elevate uses technology from Truepic to do these site surveys.
Elevate sends a text to potential borrowers with a link to the Truepic interface, which instructs them to take pictures of specific things like their credit card terminal, signage, inventory, business license, transportation license and physical surroundings.
The photos get routed to Truepic, which runs 22 fraud detection tests. These include an analysis of the phone used, to see if it has been jailbroken or rooted, processes that could allow a phone to be manipulated.
A compromised phone “doesn't necessarily mean you're a bad actor, but it certainly means that you have access to different tools on your device that could let you do bad things,” said Craig Stack, founder and co-CEO of Truepic.
Truepic forces users into a controlled-capture environment, so they cannot upload an existing photograph or video — they have to take a new one. Truepic captures the genuine location of the user’s device and the actual time.
“The millisecond they push that shutter button, we're grabbing that image and our server records the universal time and date and pings local cell towers and Wi-Fi networks for the location,” Stack said. “So if you're trying to spoof that metadata, we immediately flag it as a mismatch.”
It produces a report on which photographs or videos passed its tests, which failed and why, and sends it to Elevate within 10 minutes.
The fast turnaround “has helped our referral partners be really excited about being able to fund a deal potentially the same day, versus having to wait an extra day,” Peng said.
In Elevate applications, Truepic has flagged several photos that were taken of other photos that already existed online, such as Google images. It has found some that were not at the borrower’s stated location, but at a business down the street.
In such cases, Elevate will go back to the merchant and ask questions.
“We don't just outright say, ‘Hey, you are committing fraud,’ but a lot of times we'll approach them and ask for an explanation, and then they'll just not respond or they'll give us some excuse,” Peng said. “Then we'll let them know that, due to risk factors, we will not be moving forward with the file.”
Like Elevate, Credibly used to rely on human site inspections to verify physical locations and assets and recently began using Truepic. It typically gets a response within 10 minutes.
Physical site inspections used to cost $75 each, but Credibly pays $50 for each Truepic check.
The occasional borrower who does not know how to use smartphones struggles with Truepic, Rosett acknowledged.
“But for anyone who can navigate a phone, it's super intuitive,” he said.
A fintech for fintechs
Stack started Truepic five and a half years ago with the idea that seeing is no longer believing when it comes to the internet.
“This was a bad problem then,” he said. “It's gotten much worse over the past five years, and it's trending to get even worse as time goes on. Deepfake technology is a runaway train.”
Thousands of apps help people seamlessly manipulate an image, he said.
It's "not just Photoshop editing," but "changing the metadata of an image,” Stack said. “Think time, date, location. This is not a big deal if it’s an image of your kids playing around on Instagram. It’s a really big deal if you're a business looking at a photograph and spending dollars associated with that photograph.”
The company has nine patents and another eight pending on its technology, Stack said.
“We think the current third-party site-inspection process is broken,” he said. “It's slow, it's expensive to the enterprise, it's not customer-centric. In a world where we're all addicted to Amazon Prime, Uber and Postmates, nobody wants to hear, 'Be home next Thursday as we send a stranger with muddy boots to your home,' or 'drive your car with the cracked windshield 20 miles to our preferred auto body shop.' "
Truepic began by working with the insurance industry. Several carriers use the technology to make sure applicants are in possession of an item, and that it is in the condition they say it is in, before the company issues a policy.
“There's a certain threshold where a lot of insurance carriers will roll the dice and hope that the insured is telling the truth about a scenario,” Stack said. “Now they're able to push our technology out via text message and know for sure.”
From insurance, Truepic expanded to working with warranty companies and automotive original equipment manufacturers.
A year ago, the company began working with alternative lenders, and that has become its fastest-growing segment. It is onboarding two or three per week, according to Stack.
Adapted from an article that originally appeared on American Banker.
Embracing a mobile culture: How to satisfy customers without compromising security
Digital technology is completely revolutionizing banking interactions. While the mobile channel is already yielding tremendous success, the pandemic has given mobile banking a new spotlight. Yet one of the biggest roadblocks is concern about security. Fortunately, FIs can take simple steps to reduce the risk of fraud to better protect both their customers and themselves.
Citi has stayed ahead of the curve when it comes to innovations for mobile banking, both in the functionality of their mobile apps, and the security measures in place. Join our webinar on September 21, 2020 and learn how mobile is an opportunity for banks to differentiate by modernizing the corporate client experience as well as best practices for gaining adoption in the mobile channel.
- Samuel Bakken, Sr. Product Marketing Manager, OneSpan
- Steven Cody, Product Manager, Treasury and Trade Solutions, Citi
- Mike Sisk, Contributing Editor, American Banker
Biometric Authentication: Five Myths Busted
Biometrics are increasingly being used in mobile banking apps to secure the digital banking process while providing a convenient user experience. The technology is especially useful in the current COVID-19 era, as there has been a tremendous shift to mobile and online banking due to shelter-in-place orders. Recent surveys show that consumers are increasingly comfortable using biometric authentication to secure their digital banking transactions, with 65 percent of Americans saying they are willing to provide biometric information to their bank. Although consumers are embracing biometrics for digital banking, there are still some misconceptions about the technology, which can easily be dispelled.
Here are five common myths related to biometrics, and the truth that financial institutions and consumers alike should know:
Myth: Facial and fingerprint recognition are easily fooled by a static fingerprint or photo
Reality: Today’s sophisticated biometric authentication systems include liveness detection capabilities to fight presentation attacks, or “spoofs”, which could include 3D-printed models, masks, images, or video. Liveness detection can be active, requiring a user to blink or turn their head, or passive, running behind the scenes and using algorithms to analyze biometric samples for signs that they are not from a live person, such as detecting paper, digital screens or cutouts in a 3D-printed mask.
Active liveness detection methods are more visible and easier for an attacker to study and circumvent, whereas passive liveness detection is faster, less intrusive and includes more advanced techniques for determining live presence. For sensitive use cases such as mobile banking, a third-party solution that combines multiple anti-spoof and liveness detection methods is an ideal fit.
Myth: Biometric authentication provides a lower level of trust than login credentials
Reality: Biometric authentication can provide a higher level of trust than credential-based methods because biometrics cannot easily be shared. In contrast, traditional authenticators such as passwords, PINs and consumers’ personally identifiable information (PII) are sharable and have also been leaked or stolen in high profile data breaches and made available for sale on the dark web. Moreover, biometric authentication with active and passive liveness detection and anti-spoofing technology offers additional trust because the fingerprint, face, or other biometric is presented live and connected to the in-the-flesh individual.
Myth: Biometric authentication is an invasion of privacy
Reality: Facial comparison and recognition technologies used in mobile applications are opt-in use cases, where a consumer willingly enrolls in the system to allow easy account login or add an additional layer of security. This is different from facial recognition technologies often reported in the news, where the technology has been used in public spaces, and people have not given consent to being monitored.
More importantly, one-to-one facial recognition does not store raw photos for purposes of identification but rather creates a mathematical representation of the face. That representation, which is kept on file for comparison when the user logs in, is typically encrypted and essentially useless to an attacker.
Biometric authentication does not rely on the secrecy of biometric traits but instead on the difficulty of impersonating the living person. What’s most important is effective spoof detection, which can be lacking in many device-native biometric systems.
Myth: Biometrics aren’t practical over the long run because technologies like facial recognition or fingerprint scans won’t work as a person ages and their features change
Reality: Biometric markers like a person’s iris remain pretty stable over time, while a person’s face or voice may change slightly over time. The timespan over which significant changes to a person’s biometric markers will occur makes it a non-issue for most user authentication applications, as most consumers are authenticating more regularly and small changes in their features will be noted and updated with the application over time.
Some biometric authentication solutions are dynamic and regularly update the consumer’s stored fingerprint template so that they are mapping any changes as they happen. Often, users can also register a second fingerprint in case the first fails. A layered approach to security with multiple authentication factors is always the best approach.
Myth: Biometrics are only applicable if the user is already known
Reality: Behavioral biometrics, which analyze the way a person interacts with the mobile device, can be used to strengthen security and fight fraud even when the user is not yet known to the organization. In the case of an unknown user, like when someone applies for a new bank account, behavioral biometrics can compare the consumer’s behavior to what is typical for a wider population. In this way, behavioral biometrics can be used to evaluate the probability that a new applicant is performing the actions of a legitimate user. The greater the similarity score, the less the organization has to worry about the user’s identity or intent. Lower similarity between a consumer’s behavior and that of comparable populations justifies additional layers of risk and fraud detection.
Biometrics are a cornerstone technology enabling the future of digital banking, but they can be daunting to those unfamiliar with them. By dispelling the myths and misconceptions of biometrics, organizations such as financial institutions can help their customers feel more comfortable utilizing this technology to securely and conveniently conduct important transactions in digital channels in the COVID-19 era and beyond.
Mobile security—delivering the mobile experience customers want with the security they need
Banks and financial institutions have reached a Catch-22 when it comes to delivering great user experiences on their mobile platforms. Consumers are demanding the ability to perform more types of transactions on their mobile devices. At the same time, though, growth in mobile banking applications has unleashed an increase in both the volume and sophistication of mobile cyberattacks.
In this podcast, OneSpan’s mobile security expert, Sam Bakken, explains new tools that can help you deliver the mobile experience customers want with the security they need.
Selecting the best authentication method for a mobile transaction
The big challenge for financial institutions is that they want to provide a wonderful user experience while still demonstrating to customers that their experience is secure.
‘Screen scraping is not evil’: Bankers, fintechs, aggregators face off
By Penny Crosman
The Consumer Financial Protection Bureau held a gathering this week of bankers, fintech executives, consumer advocates and others to tackle a key data-sharing issue facing the bureau, and the event provided the parties an opportunity to have it out over a longtime bone of contention: screen scraping.
Part of the CFPB’s objective behind the event in Washington was to get input on what it should do about a clause in the Dodd-Frank Act (Section 1033) that gives consumers the right to access a portion of their bank account and transaction data in a usable electronic format. There was a broad consensus in the room that consumers should be in control of their data. But what that means, how it should be executed, who is liable if something goes awry and many other related questions led to heated debate.
The bankers at the event, unsurprisingly, had harsh words for screen scraping, the method in which a lot of customer data is collected today. Consumers share their online or mobile banking usernames and passwords with a third-party fintech, that fintech or a data aggregator logs in as them and copies the latest data on their accou
“Screen scraping has reached its peak of benefit,” said Natalie Talpas, senior vice president and product group manager for digital at PNC Financial Services Group. “The consent is not clear. Screen scraping enables financial applications to collect all the data a customer would access. And we have a lot of security concerns about that. A more secure, efficient way would be through [application programming interfaces], which is what many of us are working towards.”
Lila Fakhraie, senior vice president of digital banking APIs at Wells Fargo, compared screen scraping to “giving your house key to a house painter and saying, 'Just go in my bedroom and paint that one wall, that's all I want.' And then the house painter has your key forever and they come and go as they please and they look at things and take things if they want.”
Wells Fargo has signed agreements with several data aggregators and offers Control Tower, a dashboard where consumers can turn data access off and on for third-party apps.
Nick Thomas, co-founder and chief technology officer at the data aggregator Finicity, defended screen scraping.
“I think we all agree that that credential access to financial data is not the best approach, but it has served us really well for 20 years,” he said. “There have been issues, and we have as an industry worked through some of those issues through the years. But generally speaking, consumers have spoken, they want access to their data, and screen scraping has been the only way that that data has been made available.”
He described screen scraping as taking an HTML page and deconstructing the tables in HTML to get access to the data.
“We need to make sure that we as an industry and as regulators and lawmakers understand that screen scraping is not evil,” he said. “We want to move to tokenized access, but there is a long tail of financial institutions, and it's going to take time for these API standards to proliferate.”
Christina Tetreault, senior policy counsel at Consumer Reports, said that while screen scraping may not be evil, “it is dangerous for consumers.”
Screen scraping also leads to data inaccuracy sometimes, she said.
“The web page changes, they pull the wrong data, and it’s inaccurate,” Tetreault said. “We've seen instances where screen scraping has caused changes to an account and mistakes to happen to accounts because there's not a lot of controls over it.”
Becky Heironimus, managing vice president of customer platforms, data ethics and privacy at Capital One Financial, elaborated on others' concerns that screen scraping gives data aggregators unlimited access to customer data in all accounts.
“The problem today with credentialed screen scraping is that they have access to all elements in the account,” she said. “The consumer really doesn't have control.”
She broke account data into three buckets. One is the basic account transaction data, which can be shared. The second is sensitive data like personally identifiable information, including account numbers, which could be used by fraudsters to harm the consumer. The third is proprietary data — a bank’s specific product terms, features and functions — “that today we don't see a need in the industry to be shared.”
John Pitts, policy lead at the data aggregator Plaid, immediately countered that when banks talk about proprietary data, they are talking about their rates and fees.
“It's in fact in the CFPB principles that those are the types of things to which the consumer has the right to access,” Pitts said. “And yet we hear sometimes that that fee, because it was derived from a proprietary method, is itself proprietary and the consumer doesn't have the right to share it. I'm troubled by that as a definitional line. If you can see it when you log in to your web interface or if it's essential to the functioning of the account, that is what you should have the right to access and share with a third party of your choice.”
Heironimus responded that there is a difference between sharing data one-on-one with a customer and providing it en masse to a data aggregator.
“There's a distinction between the right for the consumer to directly have it and the right for the consumer to hand that to a party that's collecting it on a scale of millions and millions of elements of data across the U.S. or the world,” she said.
Steve Boms, executive director of FDATA N.A., a trade group for fintechs and aggregators, said that data aggregators' attempts to pull bank account data fail 40% to 48% of the time.
This is because of technical challenges, the use of multifactor authentication, and in some cases financial institutions restricting access to data aggregators, Boms said.
James Reuter, president and CEO of First Bank Holding Co. in Colorado, noted that smaller banks are dependent on their core providers to help them create data-sharing APIs.
“But screen scraping is not the way we want to do business," and multifactor authentication is strongly encouraged by the regulators, he said.
“We use it frequently when we see activity that's suspicious,” Reuter said. “One of the things we face today are credential-stuffing attacks, and they look a lot like screen scrapers coming in, because they're machine-generated logins. We need to get to the API standards, and it's going to take a while with the core providers. But we're on the journey. We'll get there.”
Pitts pointed out that consumers have already decided they want to work with fintech apps that need to consume their bank account data.
“We are not talking about a future state where consumers might do this,” Pitts said. “Consumers have already voted with their thumbs that this is something they want and these third-party services are important to their life. Our shared objective is to make sure that having made that decision, the consumer is safe and can be confident in that decision.”
He said that banks, fintechs and aggregators are working on this through the Financial Data Exchange, where they are developing a common API standard.
But he also said it is important to make sure that as banks, aggregators and fintechs move from screen scraping to the use of APIs, consumers’ choices should not be restricted.
“One of the risks is that if every player is independently deciding which app is OK for their customers to use, they may override a decision that a consumer has already made,” Pitts said. “The consumer may have already said this is something that I want to use. It helps me in my life. It benefits me. And the consumer shouldn't have a different set of apps and services that they can use based on where they bank.”
Talpas argued that there are issues today around the way consumers give consent to use their bank account data.
“Consents are not consistent, they're not transparent, and they're not clear, unfortunately,” she said. “The Clearing House conducted some research in the fall that demonstrated that consumers don't understand what they're agreeing to. They don't know that there might be an intermediary or a data aggregator that's also collecting the information. We need to improve that consent experience as quickly as possible.”
Pitts said Plaid has rolled out a consent screen it provides for every customer who wants to use one of its customers’ apps. It introduces Plaid to the consumer and identifies Plaid's role in data sharing.
“I think there are still improvements that we need to make,” Pitts said. “We all want to make sure consent is the right for the consumer.”
Whitepaper: Behavioral Biometrics–Frictionless Security in the Fight Against Fraud
Behavioral biometrics is an excellent tool supporting the fight against application fraud and account takeover fraud.
Fill out the form to download this whitepaper to learn how continuous, frictionless user analysis using behavioral biometrics can prevent fraud while improving the mobile authentication experience. You'll also learn why confirming the user’s identity in a continuous, transparent way is more effective than one-time authentication at the beginning of the banking session.
Behavioral Biometrics–Securing Digital Banking without Compromising on User Experience
By Samuel Bakken
Digital banking has grown rapidly in recent years. Juniper Research forecasts that by 2021, one out of every two adults in the world will use a smartphone, tablet, PC or smartwatch to access financial services. Unfortunately, fraudsters always follow the money, so as consumers conduct more of their financial transactions through mobile banking apps and smart devices, cybercriminals are increasingly targeting the mobile channel. Mobile malware nearly doubled in 2018 and mobile account takeovers increased 79 percent. As a result, financial losses are on the rise. Global fraud losses are estimated to have cost banks more than $31 billion at the end of last year.
Facing these growing cybersecurity threats and fraud losses, financial institutions are seeking to strengthen their user authentication methods in digital channels. The rise in application fraud and account takeover fraud means it is no longer sufficient to only authenticate users at the start of their digital banking session – financial institutions need continuous multi-factor authentication. However, at the same time, today’s consumer has high expectations for a frictionless and convenient digital banking experience and mobile users do not want to be burdened by additional, cumbersome authentication steps. Financial institutions need strong security to ensure they’re dealing with a legitimate applicant or customer, but without negatively impacting the user experience. To solve this challenge, they are increasingly turning to the emerging technology of behavioral biometrics.
What Are Behavioral Biometrics?
As explained on BiometricUpdate.com, traditional biometric authentication techniques, such as fingerprints and facial recognition technology, have been commonplace in digital banking for several years now, but behavioral biometrics are the next frontier and are poised to transform FinTech. Whereas traditional biometrics authenticate customers using static biometric markers (e.g. a fingerprint or retina pattern), behavioral biometrics analyze the way a user interacts with their mobile device. It compares the information to a previously developed user profile, or “behavior fingerprint”, to continuously authenticate the user throughout the entire digital banking session.
Behavioral biometrics can measure and analyze a variety of user behaviors, from the way they hold their mobile device, to finger pressure, swipe patterns, keystroke dynamics and more. It can look at the user’s navigation behavior both within the application and on the device, examining their typical speed of browsing and accuracy of movement. Behavioral biometric data can also be combined with server-side analytics, enabling the financial institution to draw insights from data collected from different sources, including groups of other users, events and third-party partners.
Behavioral analytics — a different concept — uses data from multiple sources to understand when and how a user normally interacts with their bank account – such as the time of day they normally log in, the typical transaction amounts and more. Any deviations from the user’s typical behavior are detected in real-time by comparing that behavior to historical data. By combining behavioral biometrics and behavioral analytics, the financial institution is able to create a multi-layered, context-aware approach to authentication and risk assessment. This, in turn, helps the organization’s risk analytics engine decide whether the user should be allowed, challenged (by requesting additional authentication measures), or blocked, when deviations from the user’s typical behavior are detected.
Because behavioral biometrics is continuously working behind the scenes and is invisible to the user, it is often described as passive. As opposed to active methods of authentication, behavioral biometrics do not require any additional actions from the user, which improves the customer’s digital banking experience. At the same time, there are no privacy concerns because a user’s behavioral data is converted to a mathematical representation within their profile, which is meaningless to criminals.
Behavioral biometrics is one of the most disruptive new technologies in identity management. Any organization that needs strong identity verification and multi-factor authentication without hindering the digital customer experience should look to add behavioral biometrics as part of a multi-layered approach. It offers financial institutions an excellent opportunity to enrich their risk analysis with user-specific data. By performing continuous, real-time analysis in the background, behavioral biometrics ensure a positive digital experience for legitimate users while detecting and stopping fraudsters.
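The allow / challenge / block decision described above can be sketched as follows. This is an added example, not code from the article or from any vendor: the session history, the three features (login hour, transaction amount, keystroke interval), the spread floors and the thresholds are all constructed assumptions.

```python
import math
from statistics import mean, pstdev

# Constructed history for one user: (login_hour, amount, keystroke_interval_ms)
HISTORY = [
    (8, 120.0, 182), (9, 80.0, 175), (8, 150.0, 190), (7, 95.0, 185),
    (9, 110.0, 178), (8, 130.0, 181), (10, 70.0, 187), (8, 105.0, 179),
]

# Assumed tuning values (not from the article).
MIN_SPREAD = {"hour": 1.0, "amount": 10.0, "keystroke_ms": 5.0}
Z_CAP = 6.0                      # one extreme feature cannot dominate alone
CHALLENGE_AT, BLOCK_AT = 2.0, 4.0


def circular_hour_distance(a, b):
    """Hours between two clock times, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def circular_mean_hour(hours):
    """Mean time of day on a 24-hour circle (handles logins around midnight)."""
    s = sum(math.sin(2 * math.pi * h / 24) for h in hours)
    c = sum(math.cos(2 * math.pi * h / 24) for h in hours)
    return (math.atan2(s, c) * 24 / (2 * math.pi)) % 24


def build_profile(history):
    """Reduce raw sessions to (centre, spread) per feature: the stored profile."""
    hours = [h for h, _, _ in history]
    amounts = [a for _, a, _ in history]
    keys = [k for _, _, k in history]
    centre = circular_mean_hour(hours)
    hour_spread = math.sqrt(
        mean([circular_hour_distance(h, centre) ** 2 for h in hours]))
    return {
        "hour": (centre, max(hour_spread, MIN_SPREAD["hour"])),
        "amount": (mean(amounts), max(pstdev(amounts), MIN_SPREAD["amount"])),
        "keystroke_ms": (mean(keys), max(pstdev(keys), MIN_SPREAD["keystroke_ms"])),
    }


def risk_score(profile, session):
    """Root-mean-square of the capped per-feature deviations (z-scores)."""
    hour, amount, key_ms = session
    z = [
        circular_hour_distance(hour, profile["hour"][0]) / profile["hour"][1],
        abs(amount - profile["amount"][0]) / profile["amount"][1],
        abs(key_ms - profile["keystroke_ms"][0]) / profile["keystroke_ms"][1],
    ]
    z = [min(v, Z_CAP) for v in z]
    return math.sqrt(sum(v * v for v in z) / len(z))


def decide(profile, session):
    """Map the deviation from the user's own history to a risk action."""
    score = risk_score(profile, session)
    if score >= BLOCK_AT:
        return "block"
    if score >= CHALLENGE_AT:
        return "challenge"   # request an additional authentication step
    return "allow"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for s in [(9, 100.0, 180), (9, 220.0, 180), (3, 2500.0, 95)]:
        print(s, decide(profile, s))
```

The spread floors keep a very regular user from being challenged over trivial variation, and the circular distance keeps a habitual midnight login from looking like a 23-hour deviation.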
How E-Signatures Are Changing the Commercial World (Q&A)
This interview with Sameer Hajarnis, OneSpan RVP of Sales in North America, was originally published on BetaNews.com, a US-based tech news website, the week of July 20, 2020.
The idea of electronic signatures has been around for a while, but their importance has been highlighted by recent changes brought about by the COVID-19 pandemic, meaning signing documents in person may be difficult.
We spoke to Sameer Hajarnis, RVP Sales for North America at OneSpan, to find out more about adopting e-signatures in the current business landscape, what businesses need to look for and how these technologies can securely enable efficiencies, improve processes, ensure legal compliance and deliver an improved customer experience.
BetaNews: Are there any particular standards for e-signatures that businesses need to adhere to?
Sameer Hajarnis: The legal and regulatory requirements for e-signatures vary globally and to a certain extent by use case as well. At one end of the spectrum some countries have implemented regulations which are extremely prescriptive and tell you what type of identity proofing you need to do, what is the level of assurance required for that, what type of authentication requirements you need and what kind of cryptography.
On the other hand we have seen common law countries like the US, Canada and the UK are quite permissive in the sense that they allow you to run it, the law basically says you've got to be able to show consent, you've been able to show intent on the signature and then capture the evidence for it.
There are also specifics that each industry has. In the US for example there's an $800 billion aid package for small businesses and this is backed by the Small Business Administration, the SBA has its own checklist and requirements for lenders if they want to comply with e-signatures.
BN: How easy is it for enterprises to tie e-signatures into their existing back office systems?
SH: From an implementation perspective, at vendors like OneSpan we've really simplified this. We've done the regulatory framework requirements, we've created products which comply with the standards, and then what we make available to our customers is a cloud based service. With a few clicks and a few simple API calls, any customer today could embed this into their applications, so they can use standard RESTful API calls used by most SaaS vendors today.
At the back end there is obviously a system of record, once a transaction is completed at the front end you push it to the system of record, whichever platforms you use to store these documents on from a compliance perspective. We've created connectors to these third-party cloud application vendors, whether it's Salesforce or Microsoft SharePoint, all of these components have connections available where a user who's using those platforms with a click of a button can send the documents for signing.
BN: So it doesn't really matter then what format the signature is in whether it's a fingerprint or squiggle on a touchpad or something else?
SH: That's right, it's something that you can ask as the sender, so that if I'm sending this to somebody and I want it to be signed in a certain way, or if I'm sending it to somebody else and I want them just to pick the signature, you can define that as the sender.
BN: What are the big advantages of e-signatures for businesses?
SH: What's really driving this is customer experience. How do I get more and more of my business to the online and mobile channels? Both from a customer acquisition perspective and in the onboarding applications that come through, or even from an ongoing maintenance perspective customer experience is the biggest driver.
The other thing is back office efficiencies, when you do a digital transaction it's going to ask you for the signature and it's not going to let you proceed if some required fields are not completed, so it really ensures that documents are in good order and that signatures are clear and legible. This means you’re automating more of the process and you’re reducing costs.
For banks, financial services companies, insurance companies, governments and so on it makes it much easier to ensure compliance with their regulatory frameworks.
BN: The big question everybody would want answered is, is it possible to forge an e-signature?
SH: That's a good question and we get asked that quite often. When you install the software you may be just clicking to sign something that perhaps doesn't really matter much -- like accepting a package. But when you're looking at a contract or financial agreement between two entities there are implications and you want to make sure of that, especially with multiple signatories involved. You want to make sure that the document that you signed hasn’t changed in between signing individuals, that the signature was not used by somebody else, and there are various ways we do this.
The first level is we use technology to tamper seal a document after every signer has signed or initialed a document. So instead of waiting for all three signatories we would have two digital signatures embedded in that audit trail and we are happy that we are sealing the document after every one. So, if it comes from me to you, you would know if the document was tampered with or changed between your and my signing signatures happening. What that does is bring trust in the signing process if you are signing off on a document, you know it is clean and is in line with what the intent was, so that's one way.
Besides that, we also capture an evidence trail or audit trail. That’s in case there's any regulatory questions or compliance questions that come up we can provide backup documentation.
We also help people meet their regulatory requirements. So if it's a simple use case in person at a branch when someone's coming in I can send them a document to just sign on their phone, I can just send it via email. If it's a remote transaction and I need a verification I can do a two factor authentication. If I want to take a photograph I could ask them for it at the time of signature, I could ask them for a document ID or government issued ID and verify against them taking a selfie. Sometimes you can do a third party bank ID check, where if I'm applying for a loan or something I could log into my bank as proof.
There are a host of options available for our customers to build these things together and provide assurance based on the requirements for a particular use case.
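The per-signer tamper seal and audit trail described in the interview can be illustrated with a hash-chained trail. This is an added example, not OneSpan's implementation: the record fields and function names are hypothetical, and an HMAC under a constructed demo key stands in for the digital signature a real service would embed.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key standing in for the service's signing key.
SEALING_KEY = b"constructed-demo-key"


def _seal(record):
    """Seal one audit record (HMAC-SHA256 stand-in for a digital signature)."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(SEALING_KEY, payload, hashlib.sha256).hexdigest()


def sign_and_seal(trail, document, signer):
    """Append a sealed record for this signer; each seal covers the previous one."""
    record = {
        "step": len(trail) + 1,
        "signer": signer,
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "prev_seal": trail[-1]["seal"] if trail else "",
    }
    return trail + [dict(record, seal=_seal(record))]


def verify(trail, document):
    """Check every seal, the chain order, and that each signer sealed this document.

    Returns (ok, reason). The next signer runs this before signing; an auditor
    runs it on the completed trail.
    """
    doc_hash = hashlib.sha256(document).hexdigest()
    prev = ""
    for entry in trail:
        record = {k: v for k, v in entry.items() if k != "seal"}
        who = f"step {record['step']} ({record['signer']})"
        if not hmac.compare_digest(_seal(record), entry["seal"]):
            return False, f"{who}: seal does not match the audit record"
        if record["prev_seal"] != prev:
            return False, f"{who}: chain broken, a record was removed or reordered"
        if record["doc_sha256"] != doc_hash:
            return False, f"{who}: sealed a different document"
        prev = entry["seal"]
    return True, "ok"


if __name__ == "__main__":
    contract = b"Loan agreement: 10,000 at 4.5% over 36 months"  # constructed
    trail = sign_and_seal([], contract, "alice")
    # Before the second signer signs, the document is checked against step 1.
    print(verify(trail, contract))
    print(verify(trail, contract.replace(b"4.5%", b"9.5%")))
    trail = sign_and_seal(trail, contract, "bob")
    print(verify(trail, contract))
```

Because each record includes the previous seal, altering the document, editing a record or dropping an earlier signer all surface at a specific step rather than only at the end of the signing process.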
Beyond Business Continuity: The New Normal in Remote Banking and Insurance
The COVID-19 pandemic accelerated trends toward remote banking, digitization, and remote work as the world embraced new technologies and processes to keep our financial institutions, businesses, and society functional. People now rely more than ever on digital solutions for interactions and transactions that have traditionally required a face-to-face meeting. The new normal is here, and electronic signatures are key to continued success.
Regions' big investment in digital is paying off
By Penny Crosman
Regions Financial is pouring a lot of money into digital banking, and it says the effort is beginning to pay off.
The Birmingham, Ala., company is spending $625 million on technology this year — 42% of that is on investments in new technology, such as digital improvements to speed up credit decisions, vet loan applicants’ identities and simplify online mortgage lending.
Regions says it had 2.7 million digital users at March 31, up 5% from a year earlier. Moreover, it claims big gains in several key metrics over the same period: checking account openings (49%), credit card sales (16%) and mortgage applications (112%). Regions declined to disclose totals in those three categories and has not reported them to investors.
Yet Emmett Higdon, director of digital banking at Javelin Strategy & Research, says the $128 billion-asset Regions seems to be making good progress. The 5% growth in users is on par with the rest of the industry as adoption of mobile banking has slowed along with growth in smartphone users — most people have all this by now, he said. But increases in account opening and credit card sales stem from hard work and creativity at the company, he said.
“They have clearly put a lot of effort and investment behind their digital account opening processes, both for online and for mobile,” Higdon said.
Regions has created a guided experience for consumers who apply for credit cards on its website, and it could appear on its mobile app eventually.
“If you're not really sure which of the 47 credit cards you want, they have a little questionnaire that helps you through the process,” Higdon said. “Unfortunately, they don't have that on the mobile side, but they're thinking carefully about that process.”
The company is launching a digital feature that lets existing customers determine in less than a minute if they qualify for a credit card; only a small amount of information has to be supplied. Customers who qualify can accept an offer in as little as 90 seconds.
Andy Hernandez, chief digital officer at Regions, credits its digital banking growth to a handful of things: agile development methods, an accelerated customer sign-up process, customer research, process re-engineering, and an online mortgage portal that keeps customers updated on the status of loan applications.
“I think as an industry we've underachieved in terms of getting customers to open accounts online,” Hernandez said. “The customer of 30 years ago wanted speed, ease of use and convenience. It's what they want today. But they've raised the bar; they've redefined, as is their right, what those terms mean.”
Regions began adopting agile methods four years ago; the term refers to an approach to software development that relies on collaborative, cross-functional teams that divide a task into small parts and are dedicated to flexibility and continuous improvement. Developers, analysts, product owners, scrum masters, compliance officers, legal experts and risk specialists can all participate.
“The hardest part of agile is, you have to be dedicated,” Hernandez said. “You can't say this is going to be someone's part-time job. You've got to pull top talent and put them on these teams, and have everybody lock arms on the objective.”
The agile teams work side by side, and they dress more casually than traditional bankers. A couple of teams were given the full-time job of picking apart the digital account opening process for checking accounts, mortgages and other loans, and making it faster and simpler.
Their goal was to open new online and mobile accounts within 10 minutes. Currently the process takes five to seven minutes.
“When we started doing this years ago, the industry just took the paper application and said, let's throw it online,” Hernandez said. “And there are a lot of steps, fields and pages that just don't make sense in a digital world and the advent of fully legal e-signatures.”
The agile teams removed steps and data fields from the sign-up process, often “asking questions of our friends in legal compliance that we didn't know were fair to ask,” Hernandez said.
The teams were also tasked with making sure all features available on the online banking site were accessible in the bank’s mobile app.
“Even though our applications have been mobile responsive or mobile optimized, we didn't have certain things accessible directly in our app,” Hernandez said. “Prior to some of these enhancements, you had to go to regions.com. You could go from your smartphone or tablet and it would look clean and nice on the screen, but it wasn't in the app. We have a growing percentage of customers, as all banks do, using the mobile app.”
Regions partnered with an authentication technology provider to automate identity verification and security. Hernandez declined to say which one.
Soon the bank plans to offer useful customer insights about things like upcoming bills that might strain a customer’s cash flow. This will replace the early generations of personal financial management software.
“Those software applications were very difficult to use and in hindsight, it's not surprising that they had low adoption,” Hernandez said. “We’ve finally reached a point where there's no heavy lifting done on the customer's part.”
Hernandez says Regions was one of the first banks in the industry to offer a true end-to-end digital mortgage. Higdon backs this up.
More recently, the bank launched an online Mortgage Status Portal, which gives customers real-time updates on the status of their applications. They can receive these updates through text messages or emails if they prefer. Through the portal, people can upload documents and complete other steps.
Regions brought its mortgage loan officers into the online loan process, too. It created personalized web pages for each mortgage loan officer that can be shared with potential borrowers, so the loan officers can direct people specifically to their site to apply online. Having unique URLs connecting to the online applications ensures the right person gets credit.
“Our mortgage loan officers are very good at what they do,” Hernandez said. “Now they have a digital presence, removing what we used to call channel conflict. They're now speaking digital.”
The ease and speed of the online mortgage application are other reasons for the increase in digital mortgage applications. Regions markets the digital mortgage throughout the regions.com website.
Regions also lets users save any kind of loan application they’ve started on its website or mobile app, so if they get interrupted, they can go back to it later.
According to Higdon, less than 25% of the top 25 banks let customers save an application in the mobile channel.
Serving Customers in Times of Crisis: 5 financial processes to digitize (Part 1 of a 2 part series)
In these unprecedented times, digital banking and other financial services have become crucial for millions sheltering at home. Around the world, people now rely more than ever on online banking portals, mobile banking apps, and other remote banking channels – even for interactions that would traditionally involve a visit to the branch or a face-to-face meeting with an advisor.
In an ideal state, this increased volume of digital interactions, applications, agreements, and transactions would flow straight through digitally. The challenge many banks and financial institutions (FIs) now face is that while some core processes have been digitized, many others are not yet automated end-to-end. From account opening to small business loans, much of what starts out through an online portal or mobile app still involves manual, paper-based processing.
These gaps in the digital chain hamper the “right here, right now” service needed in times of crisis. In response, banks and FIs are rapidly adjusting their digitization efforts to meet customers in their moment of need. To help prioritize these efforts as the world settles into a new normal, we are publishing a two-part blog series that explores the top banking processes to focus on.
1. Commercial and Small Business Lending
Governments around the world are issuing economic stimulus and relief packages for businesses affected by the outbreak. From the EU, where the European Investment Fund will guarantee loans to help “provide liquidity to at least 100,000 European SMEs and small mid-cap companies” – to Japan, where SMBs are being offered interest-free loans and large corporations have access to crisis lending programs. Many businesses need these funds as quickly as possible. FIs can support their business clients now, when they need it the most, with an expedited digital process.
At the same time, government agencies must also find ways to digitize their processes and deliver the necessary resources to businesses through their designated intermediary lenders. In the U.S., for example, the Office of Management and Budget released a memo instructing government agencies to “leverage digital forms and electronic signatures to the fullest extent practicable.”
One federal bank, the Business Development Bank of Canada, integrated e-signatures with their mobile app to enable entrepreneurs to complete a loan or financing application in 15 minutes. “E-Signatures transformed the customer experience, because now we can get the client the help they need, in the time they need,” says Jorge Oliviera, Director of IT Solutions Delivery at BDC.
Security tip: Banks are experiencing increased fraud attacks in lending and need to be on heightened alert. Fraudsters are actively trying to exploit the current situation in various ways, including via application fraud (loan origination fraud). This is where a criminal applies for a loan as a net-new customer by submitting a new application based on fraudulent identity details such as stolen or synthetic identities. To help prevent this type of fraud in your digital channels, the first line of defense is digital identity verification security – notably, ID document verification with facial comparison.
2. Consumer Lending
Large-scale lockdowns and business closures are affecting household finances significantly. As a result, some banks are offering immediate relief for loan payments. The Wall Street Journal reported on examples such as Goldman Sachs “allowing borrowers who have personal loans from its consumer bank, Marcus, to sign up to delay their payments for a month.”
Despite short-term relief and government programs, financial pressures on workers, solopreneurs, and small business owners are expected to lead to increased demand for emergency personal loans, bridge loans, and debt consolidation loans. According to American Banker, “Many banks are also working to identify emergency borrowing needs – and using digital platforms to provide advice and process loan applications.”
One area that banks, alternative lenders, and student loan providers are re-prioritizing is the mobile channel. With so many customers transacting through their personal devices from home, the speed and efficiency of mobile-first lending is gaining momentum. As developers pivot to build out and enhance lending workflows in mobile banking apps, two technologies will be important to consider: mobile e-signatures with digital audit trails to quickly capture signatures while maintaining compliance and mobile app shielding to protect the banking application from cyberattack.
Security tip: With more customers transacting through a mobile banking app, banks also need to strengthen their mobile app’s resistance to intrusion, tampering, reverse-engineering, and malware. Mobile app shielding technologies can fortify banking apps against mobile threats without hindering the customer experience.
3. Remote Bank Account Opening
In times of crisis, banks and FIs are focused on supporting their existing customers, more so right now with loan applications than deposit accounts, due to the current economic shutdown.
However, new customer acquisition remains a growth priority for many banks. Even in the current environment, prospective customers are trying to open new bank accounts, especially as well-served customers refer family and friends to FIs offering better digital services. This new growth is at risk among institutions that still rely on manual identity verification and/or signature in the branch.
According to a Litico survey from mid-March 2020, 82% of consumers are hesitant to visit bank branches during the outbreak. However, the same survey reveals that 63% are more inclined to try an app.
This is good news for banks and FIs that already offer a mobile account opening experience or that are in the process of building or enhancing it. In a recent ISMG banking industry survey, 68% of FIs surveyed had already identified digital account opening as a priority initiative for their institution this year. Nearly all (99%) confirmed level or increased budgets to invest in digital ID document verification, machine learning, and electronic signatures. These projects are being fast-tracked now, as technologies that securely service new and existing customers via remote channels are needed more than ever.
Security tip: Ensuring an applicant is who they say they are is critical in this time of low-touch/no-touch interaction. When a bank can’t have a physical meeting with the customer, this increases opportunities for fraud. Used together, facial biometrics and digital ID document verification can help the bank ensure an applicant or user is in fact the person they claim to be. Combining these with strong mobile application protection gives banks an advantage over criminal hackers.
4. Account Maintenance
Banking customers tend to go to the branch to manage changes to existing accounts. Many such changes require a signature. Some, like adding a new spouse to an existing account, also require that the bank verify the new joint account owner’s identity. But with branches limiting hours and customers unable to visit due to restrictions or health concerns, FIs need to adapt these processes quickly with e-forms, e-signatures, and digital identity verification, so they can be securely and easily executed online.
Security tip: Fraud prevention is a top consideration when automating any financial process. Industry analysts at Aite Group have reiterated that financial institutions need to be particularly aware of online fraud during this time. "Bad actors thrive in times of chaos and uncertainty, and they have been quick to capitalize on the fear that surrounds the global outbreak of COVID-19." One of the top security challenges facing banks is account takeover attacks. Account takeover attacks happen when criminals infiltrate a user’s digital account. Once this has occurred, the attackers can attempt to steal funds in multiple ways – including adding new account payees or changing the account owner’s contact information or address to facilitate the theft. Fraud detection platforms can continuously monitor account activity to block – among other things – fraudulent attempts to change the account holder’s name, address, and contact information.
5. Employee-facing Processes
For all essential services providers and businesses operating in the current environment, the top priority is maintaining operations in a way that is safe for employees. Some of the rapid actions that banks and FIs have taken to protect their front-line teams include virtual meetings and web chats for customer interactions.
Similarly, FIs are protecting back-office and work-from-home employees by removing the need to manually handle paper. There are still a number of back office processes across all lines of business, including in fraud and disputes, legal, compliance, risk, and others, that require paper. Like cash, paper documents carry bacteria and viruses. Considering all of the forms and documents printed solely for signature, banks are acting decisively to digitize the paperwork that their employees process by introducing e-signatures.
For organizations that need to move quickly, there is no need to wait for e-signatures to be integrated with internal systems or an employee portal. Employees can be up-and-running in minutes with an e-signature service that enables users to prepare and send documents for e-signature. Pre-built integrations or e-signature connectors to popular third-party back-office applications like Salesforce, nCino, and Pega also significantly reduce go-live time.
Security tip: Historically, banks have generally resisted implementing work-from-home policies due to data security risks. That has changed virtually overnight. We recommend FIs do the following:
- Educate employees on how to spot and respond to phishing and social engineering attempts (then implement random internal testing to track employee performance and identify needs for additional training)
- Develop a backup security access plan for all staff and be prepared to provide secondary forms of authentication
- Replace SMS authentication with out-of-band technologies like push notifications, Cronto, or a mobile authenticator app to help prevent phishing
- Ensure workers handling sensitive data or having customer-facing discussions have disabled devices connected to the Internet of Things in their home office space
For more information, visit OneSpan: https://www.onespan.com/blog/financial-processes-to-digitize-part-1