Consider a scenario where I am an existing customer of the bank for the last 6 years. I have been using a salary savings account with the bank for past 4 years. I have been paying rent to my house owner every month in the first week without fail for the past 15 months. I have been using the same laptop for accessing my internet banking for the last 24 months. Now when I do the online funds transfer for the rent payment this month, does the bank need to challenge this transaction through the additional authentication (e.g. one time password they have sent to mobile)? Probably not!
The bank in this case has got all the information and positive indicators to come to a conclusion that this is genuine routine transaction. Then why does the bank need to challenge this obvious low risk transaction leading to degraded customer experience and additional costs for the bank itself? The bank in this case lacked a knowledge based software system which can provide this right intelligence at the time of transaction processing.
On the other hand, consider the scenario where a fraudster had stolen the bank account credentials of a customer and guiled the bank and customer to steal the passwords. He then changes the mobile number registered for that bank account; adds new payee and performs funds transfer immediately to one of his bank accounts leading to a sweep of balance in the customer’s account. Fraudster could do this despite additional authentication challenges given by the bank’s internet banking system during the transaction processing despite each of these financial and non-financial transactions performed by the fraudster being risky.
The reason for such frauds could be the predictability of the fraud monitoring systems in place. Many banks around the world have implemented 2-factor authentication software that triggers additional second factor authentication for financial transactions performed by the customer through direct channels. After a careful study of the systems, the fraudster could understand the authentication measures taken for a particular transaction irrespective of the fact that who is doing the transaction. What the bank lacks in such scenarios is the intelligence that can deduce account/customer behavior patterns and forecast the risk associated with a transaction and can take the right action (challenge/decline/allow) at the right time. How handy would a system that can balance the three crucial aspects of cost, customer experience and risk when processing financial and non-financial transactions. This where the advanced risk based authentication systems gain favor. Advanced risk based authentication software can provide the real-time fraud risk intelligence for every transaction considering the customer/account behavior patterns and advice whether to allow, decline or challenge the transaction.
Enterprise wide implementation of advanced risk based authentication software for all direct channel transactions is critical for banks to fight rampant menace of identity fraud and account takeover fraud across the world. This is all the more vital for banks in countries and environments where customer’s knowledge of fraud and fraud schemes is lower.
Figure 1 is an illustrative diagram that depicts the functional framework for a typical Risk Based Authentication solution
Such an enterprise wide advanced risk based authentication software would be able to monitor the transaction real-time, assess and detect the risky transactions and decide the course of action the bank should take for that particular transaction. The system will consider customer/account transaction history, behavioral patterns, access patterns and the bank specific knowledge of the fraud scenarios for the fraud risk assessment and decide the transaction’s course of action. Based on the decision policy of the bank, the bank can decide what kind of additional verification method should be used at various risk levels.
In the payment cards industry, card network associations have introduced 3D secure based additional payer authentication for combating cards not present fraud. This has been widely adopted by card issuers across the world. Adoption of this technology has been mandated for adoption by RBI for online payment gateway transactions in India. Even in such a context, there is scope for enhanced fraud risk protection by considering account, device and wallet level information and trigger additional cardholder authentication only when required rather than triggering for each online payment transaction.
Hence this migration from a ‘”one size fits all” authentication methods to a dynamic risk based approach, which uses all available customer, account, payment and device data to manage fraud and risk across the enterprise, is going to a vital cog in the wheel for fraud risk management.
How do you envision the authentication measures to combat enterprise fraud at your bank? Do let us know your views-we’d love to know.
- By Jayaprakash Kavala
Jayaprakash Kavala is Product Manager at CustomerXPs.
He can be reached at firstname.lastname@example.org
CustomerXPs offers real-time, intelligent products that empower banks with instant insights enabling influenced outcomes of deeper customer engagement and fraud-free transactions.