BANK OF THE FUTURE

Open Banking (PSD2) - Fraud risk exposure and mitigation

February 26, 2019

Customers and financial institutions are in a continuous dialogue about the customers’ finances and how to manage them better. However, third parties invariably come into the picture, and when they do, the risk of fraud increases manifold. Sifting through layers of complex transactions to ferret out the harmful ones and protect their customers is an arduous task for financial institutions. Customers now conduct transactions from numerous platforms rather than being limited to a financial institution’s own online portal and/or application, which reduces the institution’s visibility into those transactions.

The implementation of Strong Customer Authentication (SCA) by the Financial Conduct Authority (FCA) has incentivized financial institutions to protect their customers; failing this, they would need to refund any losses incurred by customers through unauthorized transactions made via third-party providers. Multilayer authentication is a step in this direction, with financial institutions making use of the multiple authentication processes that already exist, such as biometrics and PINs.

What Financial Firms Must Do

In light of the increasing emphasis on digital channels, a full arsenal of fraud prevention tools is necessary, and knowing what works and what doesn’t is paramount. Several analytical techniques help detect fraud: classifying data to find patterns; validating entry times to track suspicious activity; calculating statistical parameters such as averages and standard deviations to find the outliers that reveal fraud; combining diverse, unrelated sources to find matches in personal information such as names and addresses where there should be no commonality; and, finally, graph analysis.

While considering the suitable SCA mechanism, financial institutions must consider parameters such as customer age, level of technology adoption by customers, and customers with disabilities, among others. Additionally, organizations must adopt solutions that don’t disrupt customer experience while addressing all of the aforementioned requirements.

Financial institutions must therefore look to implement adaptive/step-up multifactor authentication (MFA) in combination with current identity security solutions, and ensure re-evaluation of the same on an ongoing basis.

Adaptive MFA leverages contextual and behavioral information such as the location of the transaction, the device fingerprint (device ID, browser cache, and so on), the time of day, and the network IP address, among other factors, to decide whether or not the transaction requires step-up authentication. An automated risk engine uses its built-in intelligence to decide whether the behavior is normal for that customer, and mitigates the risk with step-up authentication only when there is a deviation from the norm.

Once the first-factor authentication (typically a password or a PIN) is cleared, the authentication procedure checks the contextual data before proceeding further. Only when there is an information mismatch vis-à-vis the current transaction is the additional authentication factor invoked. As the contextual checks are carried out with zero visibility to the customer, there is no hindrance to the customer in carrying out the transaction.
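The following is an added illustration, not code from the article or from any vendor platform it mentions, of the decision described above: after the first factor has passed, contextual signals (device, location, IP, time of day) and a standard-deviation outlier check on the amount are scored silently, and a second factor is requested only when the customer deviates from their baseline. The customer profile, signal weights and threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    """Baseline behaviour learned for one customer (constructed sample data)."""
    known_devices: set        # device fingerprints seen before
    usual_countries: set      # countries the customer normally transacts from
    usual_hours: range        # local hours at which the customer is normally active
    past_amounts: list        # historical transaction amounts, for the outlier check


@dataclass
class Transaction:
    device_id: str
    country: str      # country derived from the transaction's stated location
    ip_country: str   # country derived from the network IP address
    hour: int         # local hour of day, 0-23
    amount: float


# Assumed policy: weight of each contextual deviation, and the score at which
# the risk engine asks for a second factor. Tune to the customer base.
SIGNAL_WEIGHTS = {
    "unknown_device": 40,
    "unusual_location": 25,
    "ip_location_mismatch": 25,
    "unusual_time": 10,
    "amount_outlier": 30,
}
STEP_UP_THRESHOLD = 40


def risk_signals(profile: CustomerProfile, tx: Transaction) -> list:
    """Return the contextual deviations between this transaction and the baseline."""
    signals = []
    if tx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if tx.country not in profile.usual_countries:
        signals.append("unusual_location")
    if tx.ip_country != tx.country:
        signals.append("ip_location_mismatch")
    if tx.hour not in profile.usual_hours:
        signals.append("unusual_time")
    # Statistical outlier: amount more than 3 standard deviations above the mean.
    if len(profile.past_amounts) >= 5:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if sigma > 0 and (tx.amount - mu) / sigma > 3:
            signals.append("amount_outlier")
    return signals


def risk_score(profile: CustomerProfile, tx: Transaction) -> int:
    return sum(SIGNAL_WEIGHTS[s] for s in risk_signals(profile, tx))


def requires_step_up(profile: CustomerProfile, tx: Transaction) -> bool:
    """Called after the first factor succeeded; True means invoke the second factor."""
    return risk_score(profile, tx) >= STEP_UP_THRESHOLD
```

A transaction that matches the baseline on every signal scores zero and passes with no extra prompt; an unknown device alone is enough to step up, while an unusual hour alone is not.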

Implementing adaptive or step-up authentication minimizes the impact on the customer experience by eliminating ‘always on’ additional authentication procedures, while still addressing a financial institution’s SCA requirements. Big banks in the UK have been advised by regulators to pilot SCA before the rest of the financial institutions adopt it. Every financial institution in the UK will be planning to invest in technology to implement SCA. This is the ideal time to choose adaptive MFA instead of ‘always on’ MFA, given that the need to invest in technology is already recognized.

Adaptive MFA solutions can be either cloud-hosted or on-premise. Although both options are viable, we recommend on-premise solutions: in the longer run, with a growing number of transactions, they are more cost-effective than the pay-per-transaction cloud-hosted model. Furthermore, the success of such an implementation lies in choosing the right platform partner and the MFA methods that suit the financial institution’s customer base. For instance, millennials prefer tech-savvy MFA, whereas the older population would prefer traditional MFA. This will also reduce the number of calls to contact centers for password resets.

Chalking out the Way Forward

An open banking environment will understandably attract fraudsters. Adaptive authentication is poised to transform the approach of financial institutions in the open banking environment and drive transactional success. Above all, it will help financial firms adhere to regulatory requirements, control costs, prevent revenue loss, increase consumer confidence, and enhance the customer experience. Some of the leading cybersecurity platforms on the market can provide adaptive authentication and cross-channel protection with options including biometrics, knowledge-based authentication (KBA), transaction signing, OTPs, and emails, among others. Vendors are also available to implement the adaptive authentication platform, maintain it, and, if required, operate it under a managed service model. The need of the hour is for banks to adopt adaptive authentication to safeguard the customer experience while enforcing SCA requirements. An agile and intelligent approach rooted in new-age analytical methodologies is the key to detecting fraud in an open banking environment.


Bashyam Selvaraj is a domain consultant with the Financial Crimes Compliance CoE of TCS’ Banking, Financial Services, and Insurance business unit. He has over 14 years of experience in banking and financial services with core expertise in fraud risk, AML, and KYC. Selvaraj has led multiple consulting, process enhancement, and transition projects related to fraud risk and AML operations for TCS’ clients the world over. He has a Bachelor's degree in Computer Science, Master’s degree in Information Technology, and a Master’s degree in Business Administration from Bharathidasan University, Tamil Nadu, India.