Consumer-bank monogamy is a thing of the past. With the proliferation of third-party mobile apps, eWallets and proprietary “Pays,” this is hardly news.
While very few customers are managing their finances exclusively on a mobile device, more and more of them are taking a mobile-first approach and using whatever tools enable them to do so, whether they obtain them from their trusted financial institution or, more often, a third-party provider.
That’s also not news. Really, despite its complexity, the state of the payments and finance industry is well understood among participants, and most players have a general sense of the direction they must move in order to keep pace. However, they could be doing a better job of it – and experts say they must.
Karen Webster recently conducted a webinar with Carol Alexander, senior director of product marketing for CA Technologies, and Al Pascual, SVP of research and head of fraud and security at Javelin Strategy & Research.
CA Technologies and Javelin jointly conducted a study to help them better understand the industry needs, challenges and disconnects that must be addressed to best serve customers by giving them both what they want (in terms of convenience) and what they need (in terms of security).
Consumers, said Pascual, have options when it comes to mobile payments and banking. That can lead banks to compromise on risk management in order to deliver the user experience that will encourage customers to choose their platform over a third-party competitor like Venmo.
Pascual believes it’s no longer enough to just provide the best security. Consumers want the whole package. Even the biggest financial institutions in the country know they need to do more, he said.
“They’re saying they don’t have the balance right; they need better tools,” Pascual noted. “You can only imagine what smaller institutions and issuers are contending with.”
So, what’s missing? Alexander said that the industry has been talking about guaranteeing transaction safety, ensuring that consumers can do business without friction, and fighting fraud in conjunction with individual entities.
However, she believes there needs to be more communication between merchants, issuers, FinTechs and the financial services industry at large.
“We work in pockets,” Alexander said, “but customers want to think about cross-channel fraud protection and leverage the data they’re collecting from online commerce in the real world. We’re better as a group.”
It’s Complicated
Merchants can be a bit of a grab bag for issuers, said Alexander. Issuers don’t know how those merchants will be managing fraud and risk. Will they leverage the latest and greatest machine learning technology, or will they rely heavily on manual review? This dramatically changes the level of risk that an issuer takes on by choosing to do business with that merchant.
The ecosystem contains millions of merchants, which can create a lack of visibility and inconsistent controls, Alexander said. That leaves financial institutions to solve for the lowest common denominator and puts a heavy burden on the issuers.
Some are rising to the occasion, but many are still using antiquated controls for identity verification – relying on static username and password combinations, the last four digits of customers’ Social Security numbers, their last purchase or the answers to questions like “What is your mother’s maiden name?”
Any of those challenges could be answered with information that criminals can easily access online, said Alexander. It’s a gaping vulnerability in the mobile payments world, and it has been neglected for too long as mobile commerce fraud took the spotlight.
“Adoption and use of mobile payment tech has been in fits and starts,” said Alexander. “Even if they were taking a high percentage of hits on this, the numbers were still small. But at some point, they’re going to have to come back to this.”
The rate of technology innovation isn’t slowing down – so, as Webster noted, the challenge of blending a seamless experience with a secure one will only grow more complex as time goes on.
The Top Of The Wallet
As Pascual said, it takes more than good security to become the top-of-wallet card (and stay there), but consumers do say that security is their number one priority when choosing a bank or credit card issuer.
Eighty percent choose their cards based on fraud fears, the study found, with factors like rewards programs and no overdraft fees playing a smaller role than expected (though they certainly do pull some weight).
Interestingly, debit cards seem to be stickier than credit cards. The study showed that 40 percent of customers who experienced fraud closed their credit card account after the incident, while only 30 percent of debit card holders did the same.
Customers do want security, but too much can be a deal breaker, said Pascual. False positives can prevent customers from using their card when they need it, which can lead them to abandon it, or simply to use it less often – relinquishing its top-of-wallet slot to another.
“Customers will say, ‘I trusted you to mind my money and now I can’t access it; you’re not doing a good job because you can’t even tell if it’s me,’” said Pascual. “It’s a relationship killer and a top-of-wallet killer. You’re not just losing an interchange, but a relationship, which is worth so much more.”
It’s bad for everyone when good transactions get declined. The customer can’t pay his bill; the merchant isn’t making money. In short, said Alexander, it doesn’t support the economic environment. Financial institutions must find ways to enable transactions and thus support the economy, while also making good on the trust customers have in them by protecting consumers from fraud.
Mitigating Mobile Payments Fraud
Everyone knows the static username and password are about as secure as scotch-taping your front door shut. Not everyone, however, is willing to say so out loud. It can be hard to do away with the old ways because people are comfortable with them – and comfort can create a sense of security, well-deserved or otherwise, said Pascual.
Consumers see fingerprint readers as the most secure form of authentication. The technology is indeed good, but Pascual said part of the reason for that trust is familiarity: Thanks to smartphones and other products that are already leveraging this biometric identifier, consumers have an inflated sense of its security.
Conversely, according to the study, people take a lower opinion of facial recognition, voice recognition and eye scans, which are less familiar. In fact, static passwords still ranked higher in consumers’ minds, despite all evidence to the contrary.
Whatever banks choose to replace passwords, it doesn’t have to be exotic, said Pascual. Simply layering the technology that’s available today can be very effective while keeping friction to a minimum.
A one-time code sent to the consumer’s device for validation is a fairly simple, low-friction way to authenticate his identity, and as long as steps are taken to ensure that no forwarding is going on, this strategy can outperform static identifiers like mother’s maiden name.
The impact of such a strategy on the consumer’s journey is minimal, while the appearance of a challenge lets him know the bank is working to keep him safe. That is exactly the balance that financial institutions should be looking to strike.
Bottom line, said Alexander: “You’ve got to make security invisible, or the risk will actually increase.”