Digital banking: Balancing security & convenience – without getting creepy!
Banks are leading the way in adopting new technologies such as smartphones and analytics to deliver their services to customers in more convenient and personalised ways – but what is the impact on security? Can personalisation become creepy?
Personal banking customers conduct more than half of their banking transactions through digital channels. The good news for banks is that not only does this generate cost savings for the bank, it improves the customer experience as research by Bain - Company found that mobile channels are far more likely to delight, and less likely to annoy, than a branch or call centre experience.
The advent of Internet of Things (IoT) – particularly wearable technology such as smart watches – takes the convenience of digital channels to a whole new level. In 2013 Westpac New Zealand released the first integrated mobile banking app for a SmartWatch device (the Sony SmartWatch). And ASB was the first bank in New Zealand to release apps that let you do quick transfers on both Apple and Android smartwatches. Meanwhile, across the ditch, many Australian banks including CommBank, Westpac, St George, Bank of Melbourne and Bank of SA offer the convenience of banking strapped to your wrist.
Is the convenience of IoT safe? In C.S. Lewis' Chronicles of Narnia, one of the characters was asked if Aslan the lion was safe. The response was, “Course he isn't safe. But he's good.” So it is with IoT – it isn't safe, but it is good. In this case it provides a more personalised, simple and convenient mobile banking experience. But IoT does create a whole new set of cyber vulnerabilities. Just as viruses and other malware may be used to attack a personal computer, any device that has a microchip and is connected to the Internet is vulnerable to similar cyber-attacks.
So how can banks offer such convenient services without compromising security? In today's world of hyper connectivity and sophisticated cyber-attacks we must accept that attacks will happen and some attacks will be successful. Assume that even your internal environment is hostile territory. In fact, Unisys Security Insights research found that 50 percent of New Zealanders surveyed in 2015 said that they expected a data breach at the bank they deal with in the next year.
What is key is ensuring that the impact of such breaches are minimised. And some of the onus must be put onto individual consumers too. For example, CommBank says it will cover any loss should someone make an unauthorised withdrawal on your account using their Cardless Cash feature, provided you protect your phone, watch and passwords and immediately notify the bank of the loss, theft or misuse and any suspicious activity.
The good news is that sophisticated security measures, such as using biometrics to confirm identity, are becoming mainstream. Fingerprint biometrics on smartphones probably represent the greatest immediate growth area in biometric applications – not just for accessing the phone, but also for authentication for applications accessed via the phone.
The largest biometric systems have traditionally been the realm of the public sector for law enforcement, border control, identification systems, driver licenses and so on. But banks and other financial services organisations will be the industry driving biometrics rollout over the next few years.
Nonetheless, banks today recognise that some criminals will find ways to defeat or circumvent “front line” identity-based security measures. As a result, banks are also investing in enhanced anti-fraud systems as a “final line” to detect and minimise financial fraud. These solutions use predictive analytics to detect suspicious transactions in real time or data leakage by analysing the behaviour of customers via transactions and other data – regardless of what service channel they use.
But digital banking isn't just about customer convenience and security. With big data analytics, the move to digital banking channels also provides banks with a treasure chest of revenue-generating information about their customers. And banks can augment this data with even more information about their customers from social networking and other publicly available sources. With the right analytical tools, this data can be used to develop customised services that can be offered to specific customers.
Just as some grocery chains use “reward cards” to capture the spending details of individuals and then offer them specials based on their previous purchases, banks can analyse transaction data to offer customers appropriate products such as insurance and loans. For example, a bank may share information on new home loans with Customer Jane after she tweets that she is expecting a baby soon. Or send information on automobile loans to Customer Bob after detecting increased frequency of payments to auto repair shops. And with automation and intelligent analytics much of this can be automated to be delivered via a virtual channel or used as a prompt for bank staff dealing with customers in person or by phone.
Such personalisation initiatives must tread a fine line lest they be seen as invasive or even creepy. This may depend on where the information is obtained from as well as how it is used. For example, the Unisys Security Insights research found that the majority of New Zealanders supported the use of monitoring social media such as Twitter, Facebook and LinkedIn for the greater good such as detecting potential terrorist activity (73%), to identify issues of public concern (66%), or to do background checks to evaluate job candidates for positions of trust (65%). However there was very low support (only 30%) to monitor social media for targeted advertising or offers.
So it will be interesting to see how banks balance offering personalised and convenient services without crossing the perceived line of personal privacy. The key is likely to be via informed consent (whereby the consumer is told how the information will be used and given the right to “opt out”) and data protection (steps taken to ensure the data is not disclosed to individuals or organisations without authorisation of the consumer). This will help banks avoid being perceived to abuse their position of trust.