For today’s bank executives, strengthening security, ensuring compliance with mandates, and delivering optimised digital services are all vital priorities. Risk-based authentication and behavioural biometrics are emerging as critical capabilities in helping banks achieve these goals.
This article offers a detailed look at risk-based authentication in the banking sector, and describes how banks can employ risk-based authentication and behavioural biometrics in order to secure their online services and offer a better customer experience.
Strengthening security and ensuring compliance: Banks need to address urgent imperatives
Today’s banks and their consumers are under constant attack. Guarding against these attacks and mitigating their damage continues to represent an urgent imperative for security teams in the banking industry. Consider just a few statistics:
With these kinds of statistics, it’s no surprise that bank leadership teams are clear on the challenges they face. After polling banking executives across the US on their top challenges, Computer Services (CSI) found that “managing compliance” (28,7%) and “mitigating fraud/cyber security” (18%) were two of the top three, with compliance only slightly trailing “driving growth and profitability” (29,3%).
When the CSI surveyed bank executives on their top security concerns, “Fear of data breaches” received the highest response, 79,2%. “Social engineering schemes” and “mobile device security” were the next highest rated answers, with responses of 49 and 47,9% respectively.
These security threats continue to be compounded by concerns around compliance with regulatory mandates and the need to deliver services like online banking while safeguarding data privacy. As the CSI writes in its report: “The multitude of high profile data breaches over the last couple of years has brought cybersecurity front and centre with regulators, and their concern has trickled down to institutions by way of more scrutiny at exam time.”
Need to address consumers’ expectations for convenience, flexibility, and mobility
In many ways, banks have become technology companies. More than ever, the quality of their technology determines the quality of the services delivered, the efficiency of internal operations, and the degree of success realised in the market. Increasingly, consumers are choosing banks based on the quality of their technology. CSI also reported on a study of consumers and found that “Roughly 50% of the consumers surveyed said that technology was a key factor in selecting where they bank.” 
Given their increasing role as online service providers, banks need to continue to innovate to remain the preferred vendor for their customers’ payments and transfers.
Tech-savvy customers are showing an increasing willingness to use the banking services of emerging FinTech firms as well as IT and technology companies, which is already leading to customer churn for many banks. As the financial services market continues to see more entrants and grow more competitive, banks will need to continue to deliver always-on, convenient, and cost-effective online services. Further, the emergence of instant payments, which is being hastened by a revised payment services directive (PSD2) in Europe, will require banks to further accelerate their technical innovation. Within today’s markets, support for digital channels, including web and mobile services, is emerging as a critical imperative. Banks need to deliver fast, easy digital services in order to boost customer satisfaction and loyalty.
The risk-based authentication imperative
Given the heightened threats outlined above, it’s clear that banks have to continue to re-assess and innovate their ongoing approaches to security. This is especially relevant as banks expand and enhance their services through online and mobile channels and extend support for instant payments. The challenge is that these same digital channels are the primary targets for fraudsters, which raises the potential for banks and consumers to face even more significant risks of cyber-attacks.
Consequently, today’s bank executives are facing a conundrum: How can they implement strong security across all their digital channels, while providing a smooth and simple user experience to their customers?
Introduction to risk-based authentication
To establish effective defences against the threats they face, banks need to employ strong, adaptable, multi-layered security approaches, including end-point protection, authentication and transaction signing, fraud management, encryption and key management. It is only by employing defences in all these areas that banks will establish the persistent, adaptable defences needed to guard against today’s sophisticated attacks.
Risk-based authentication is a key component in the range of security mechanisms available to banks. In addition, when they institute near real-time payment systems, banks have less time available for fraud analysis. Given that these instant payments are irrevocable, it will be increasingly incumbent upon banks to establish strong customer authentication to ensure the right levels of security are adhered to.
Elements of risk-based authentication
Risk-based authentication assesses a wide range of factors and produces a risk score of any given transaction or action. At the same time, the bank determines a list of rules that is used to generate an assurance level. If a transaction generates a risk score that meets the assurance level, the user can carry out the action. If, on the other hand, a transaction or activity generates a risk score that does not meet the assurance level, additional security mechanisms may be triggered to ensure that the activity is safe.
Risk-based authentication can use a wide range of attributes and data to assess the risk score of any given transaction or activity. Following are some of the factors that can be leveraged:
These factors can be used to calculate a risk score that can shape the authentication experience and access controls that are applied to a given transaction. The risk score is assessed against the accepted assurance level determined by the bank. If the assurance level is met, the action can proceed. If the assurance level is not met, the bank can decide whether additional authentication may be required.
It is important to recognise that the bank has complete control over the parameters that comprise a risk score and the assurance level. A risk score can be calculated based on all factors or a subset of them, depending on the customer’s banking profile and the use case. In addition, a different weight can be given to different parameters, so that they contribute more significantly to a particular risk score. This granularity means that the bank can apply different scoring rules to different regions and users based on the specific circumstances, enhancing the bank’s ability to provide an optimal user experience while maximising safeguards.
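The scoring model described above, sketched as an added example (not code from the article or from any vendor product). The factor names, weights, thresholds and use-case names are assumptions chosen for illustration, and "meeting the assurance level" is modelled here as the score not exceeding a per-policy maximum.

```python
from dataclasses import dataclass

# Hypothetical factor names, weights and thresholds: a bank would set its own.
@dataclass(frozen=True)
class Policy:
    weights: dict      # factor -> weight; factors left out are not scored
    max_risk: float    # assurance level: highest score allowed without step-up

# Each use case scores its own subset of factors with its own weights.
POLICIES = {
    "retail_login": Policy(
        {"new_device": 3, "geo_mismatch": 2, "odd_hour": 1}, 0.40),
    "instant_payment": Policy(
        {"new_device": 3, "geo_mismatch": 2, "new_payee": 3,
         "amount_outlier": 2}, 0.20),
}

def risk_score(policy, signals):
    """Weighted mean of per-factor signals, each in the range 0.0 to 1.0.

    A factor the policy scores but the caller did not supply counts as
    maximum risk, so missing telemetry can never lower the score.
    """
    weighted = 0.0
    for factor, weight in policy.weights.items():
        value = signals.get(factor, 1.0)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"signal {factor!r} out of range: {value}")
        weighted += weight * value
    return weighted / sum(policy.weights.values())

def decide(use_case, signals):
    """Return ("allow" | "step_up", score) for one transaction or action."""
    policy = POLICIES[use_case]
    score = risk_score(policy, signals)
    action = "allow" if score <= policy.max_risk else "step_up"
    return action, round(score, 3)

# Constructed sample: known device, unusual location, first payment to payee.
SAMPLE = {"new_device": 0, "geo_mismatch": 1, "odd_hour": 0,
          "new_payee": 1, "amount_outlier": 0}

if __name__ == "__main__":
    for case in POLICIES:
        print(case, decide(case, SAMPLE))
```

The same signals pass the login policy but trigger additional authentication for an instant payment, because that policy scores the new payee and sets a stricter threshold.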
In addition to the above criteria, which can be leveraged without any knowledge or actions on the part of the customer, there are additional security mechanisms that a bank can require the user to perform if the transaction does not meet the accepted assurance level. This can include requiring a user to conduct authentication via a number of methods:
Risk-based authentication: platform requirements
To realise maximum security and value from their risk-based authentication initiatives, banks should look to employ authentication platforms that offer the following attributes:
Advantages of risk-based authentication
By instituting effective risk-based authentication, banks can offer simple, efficient, and tailored user experiences to their customers, while establishing a high level of security and meeting regulatory requirements. Instead of representing contrasting objectives, security and convenience can be addressed in a seamless fashion, with safeguards proportionately and appropriately applied to any transaction or access request.
Through risk-based authentication, banks can deliver an experience that is as convenient as possible, but when users or circumstances dictate the need for added precautions, they can be employed automatically. Risk-based authentication allows banks to mitigate fraud, address consumers’ needs and expectations, and enhance their reputation and brand.
Establishing strong, intelligent risk-based authentication represents a vital imperative for banks today. Through risk-based authentication, banks can effectively address their security and compliance objectives, while at the same time ensuring customers receive a convenient, tailored experience when they use the organisation’s digital channels. By leveraging solutions such as Gemalto’s, banks can reap the maximum benefits of risk-based authentication. These solutions enable banks to harness complete, pre-integrated solutions that deliver all the critical capabilities needed to implement and operate risk-based authentication. As a result, banks can address their security, compliance, and customer service objectives, while minimising operational costs and effort.
Contact Mark Warren, Gemalto Southern Africa, Tel 011 088-8518, email@example.com