How to enhance access to digital banking with risk management

Last updated: 23 November 2020

In my previous blog, I discussed why risk management services should be combined with document verification and facial recognition to enhance the digital onboarding process. But that is just the start of the customer journey.

Once your new customer has signed up, they will be able to access their accounts online at their convenience and make transactions quickly and securely. Having a good multi-factor authentication solution in place is vital, which is something we have advocated for decades. Nowadays customers have come to expect that a second factor is added when accessing their online bank account, be it a fingerprint or face recognition authentication on a mobile app, an OTP token or another solution.

Customers trust their financial institution to keep their account secure, but at the same time they want a frictionless experience. While new stricter regulations, such as PSD2 in the EU, are putting high pressure on financial institutions to introduce Strong Customer Authentication (SCA), they also focus on user experience and thus allow exemptions when the risk level is low.

And this is where risk management comes into play to enhance user access. By adding smart risk management services to the access phase, the risk level of every single customer transaction is analysed and a recommendation on the most appropriate authentication method is given. This can help mitigate account takeover (ATO) fraud and with risk-based authentication (RBA) you can define continuously adaptive policies based on customer segmentation, customer preferences and use cases. These RBA authentication techniques are running silently in the background to provide the best end user experience.

Risk based authentication

Let’s have a look at the risk management techniques that can be used to detect fraud attempts when a user accesses and uses their bank account.

  1. IP Intelligence. Parameters such as geo-localisation, device trustworthiness, IP addresses, VPN usage, or the use of a TOR browser (The Onion Router) are some attributes that can be analysed. For example, if the user connects from an unusual country or if an abnormal travel distance between two transactions is detected, the risk score will increase.

 

  1. Device profiling. There are many pieces of information and signals that can be collected, both on PC and on mobile devices, to determine if the device which is used to perform a transaction looks healthy and if the context around the transaction is normal. Device fingerprinting will let you know if the user has a new device, which makes it riskier. And if you detect multiple connections from the same device, this could mean that it has been compromised.

 

  1. Customer profiling. Knowing how a customer usually interacts with digital channels allows financial institutions to counter even the most sophisticated social engineering attacks. Behavioural biometrics make it possible to evaluate if the person executing a transaction is who they claim to be by silently analysing in real-time the way they’re typing on the laptop keyboard or the way they are using their mobile device. With transactional behaviour you look at the user’s spending pattern to identify when a fraudster makes an unusual transaction.

 

  1. Cyber threat detection. This tracks malware trojans, RAT (Remote Access Trojan), overlay and bots’ access. If the device used is infected with malware it is a clear indicator that the risk is high.

 

  1. Consortium intelligence. Fraudsters replicate their attacks with different entities. Relying on the knowledge acquired by other financial institutions makes your fraud detection stronger. If the same device was already spotted pursuing fraudulent operations with another bank or a merchant, a warning flag should be raised.

Collecting all this information from several different sources and integrating them into your authentication process can be difficult. For this purpose, a Policy Manager is needed that can combine all incoming data into one global risk score and decide the next course of action; allow the transaction if the risk is low, challenge with an additional layer of authentication when a risk has been identified, or block if the risk is deemed too high. This way the authentication flow can be orchestrated in a flexible and dynamic way, making it harder for fraudsters to predict and plan an attack. The step-up challenge can vary depending on which multi-factor authentication options the financial institution has implemented, be it FaceID or fingerprint on mobile, or a dedicated hardware device to generate one-time passwords (OTP).

Preventing fraud is of course top priority, but equally important is the user convenience you provide by adding risk management. The objective is to differentiate between users who pose a risk, and the vast majority that do not. The customers who do not pose a risk should have a frictionless experience when accessing their account and not be bothered with unnecessary cumbersome authentication steps.

Detecting account takeover from phishing/vishing/SIM Swap

We strongly recommend that you take a holistic view, a risk management solution should be used both for onboarding new customers as well as to protect them while they access and use your services online. Click here to learn how we can help you secure and enhance onboarding and access to your digital banking services, or contact us directly with your questions.

Leave a Reply

Your email address will not be published. Required fields are marked *