For example, every time a mortgage customer forgets his or her password for online access to account information, it can cost the lender up to $50 to go through the process of issuing another one. Additionally, ten percent of customers need their passwords reset every six months.
It is inconvenient for customers who already feel that they have to jump through hoops to gain access to basic information or perform simple transactions. Customers often resent having to remember yet more personal information in order to authenticate themselves when their password or PIN has to be changed.
The problem is compounded by the many different ways of interacting with a financial services organization. Different procedures and authentication information may be required depending on whether a customer is using Internet banking, telephoning a call center, using a WAP phone, withdrawing cash at an ATM or even visiting their branch. A typical retail bank might require a permutation of PIN, password, memorable data, sort code and account number depending on the channel; and often there are different-length passwords for access to different services.
It is difficult to imagine how revolutionary ATMs would have seemed to customers in the late 1960s. Yet they were an immediate hit with the public who, for the first time, had round the clock access to ready cash.
Financial services providers know that this state of affairs is not acceptable, and know all too well that customers show little loyalty when service is poor and cumbersome. The problem is that they have to balance ease of use with high levels of security. Automation, however, is a difficult proposition, as many of these channels have been built piecemeal and often there is little or no integration between them.
As this business model has evolved, financial service providers have built ad hoc identity and entitlement management systems to control customer access to their accounts. Often this security infrastructure involves using various proprietary products that require manual administration procedures and often duplicate information between the various channels.
Managing a customer's identity is therefore a headache. A customer may have more than one account, or may hold joint accounts with a spouse or partner. Additionally, a lender may wish to offer different levels of authority across the different channels and back-end systems. You may also want to require a transaction to be authorized by more than one account holder, thus spreading the risk on high-value transactions.
Additionally, financial institutions have to ensure that an effective audit trail is generated, to guarantee that information is never changed without proper authority, whether deliberately or through human error. In most circumstances this is a regulatory requirement. In the UK, the Data Protection Act 1998, the DTI Code of Practice for Information Security Management, the Computer Misuse Act 1990 and ISO TR 13569 all contain guidance for financial service providers on how to ensure security is maintained.
Regardless, companies should undertake a risk analysis and formulate a security plan that provides effective and appropriate security controls to which all staff must adhere. In practice this means employees should only be able to access account data on a 'need to know' basis, a basic banking principle. Additionally, passwords must be protected at every point in the system: never transmitted or held in the clear, and stored only as salted hashes rather than in any recoverable form.
Authentication and Authorization
Authentication is essentially a two-step process to confirm that a person is who they say they are. First, the individual claims an identity. This is typically done with a unique identifier such as a user name, ID card or token.
Second, you have to verify that claim. This usually involves a second piece of information known only to the individual, such as a password or other secret. With the growth of digital identity fraud, the importance of this verification step cannot be overstated.
Authorization is the control, tracking and management of a customer's access to particular services. It should not be seen merely as a way of locking lower-tier customers out of premium facilities. It gives all your customers a secure method of doing business on their terms, while considerably reducing your administration burden.
Most technologies have some form of built-in authorization. Often, it is dictated by the legacy system or service being accessed. Each channel interface, for example Internet, must be designed to fit this fixed method of authorization. But these authorization systems are rigid and difficult to set up or modify and are therefore cumbersome and frustrating for customers.
This rigidity only serves to exacerbate customer churn. Today's consumers will not tolerate high levels of complexity and may well move to a provider who better meets their needs. Your system must therefore be flexible enough to accommodate them, and consistent across every distribution channel.
A caveat: access control is often considered synonymous with authorization, but in reality access control is a type of identity management that simply lets users in or locks them out. It is not flexible enough to enable the detailed allocation of privileges which modern consumers demand. Put simply, access control divides your customers into crudely defined groups and prohibits the development of customizable and richly tailored products and services.
Additionally, access control policies are typically implemented at the channel level. For example, on the Internet channel the policy will list the URLs that the user is allowed to access. This approach results in channel-specific policies, which often produce inconsistencies. In contrast, a multi-channel authorization policy is a centrally defined policy that specifies the business transactions a customer is allowed to complete. It may stipulate variations across channels, but it is managed centrally for all of them.
In a modern banking environment, security has to be delivered seamlessly across the various distribution channels. This invariably entails multiple systems, each with its own set of controls to keep data secure. You need to integrate these systems into a single solution with centralized control, thereby halving the time it takes to set up, change or delete an account.
Principally, this means operating a unified customer log-in process, irrespective of the system or channel. That requires a single integrated solution which allows authentication and authorization levels to be managed whatever channel or back-end system is used. It should also be interoperable and flexible enough to allow new distribution channels to be incorporated as they become available, a prerequisite in an unpredictable business future.
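The following is an added illustration, not code from the article or from ASPACE Solutions, of what a centrally defined multi-channel authorization policy looks like when written down: one table of business transactions, with per-channel variations (lower limits on the call centre, no transfers at the ATM) and the dual-authorization requirement for high-value transactions on joint accounts mentioned earlier. The rule schema, channel names, limits and the sample joint account are all constructed for the example; every channel interface would call the same authorize() rather than carrying its own URL- or menu-level policy.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Channel(str, Enum):
    INTERNET = "internet"
    CALL_CENTRE = "call_centre"
    ATM = "atm"
    BRANCH = "branch"


@dataclass(frozen=True)
class Rule:
    """Hypothetical schema for one centrally defined business-transaction rule.

    Amounts are in minor units (pence). A channel absent from channel_limits
    inherits default_limit; a channel in blocked_channels can never complete
    the transaction. Transactions with no amount use limit 0 and amount 0.
    """
    default_limit: int
    channel_limits: Dict[Channel, int] = field(default_factory=dict)
    blocked_channels: FrozenSet[Channel] = frozenset()
    dual_auth_above: Optional[int] = None  # co-holder approval needed above this amount


# The single central policy every channel evaluates (constructed sample data).
POLICY: Dict[str, Rule] = {
    "view_balance": Rule(default_limit=0),
    "pay_bill": Rule(default_limit=5_000_00,
                     channel_limits={Channel.CALL_CENTRE: 1_000_00}),
    "transfer": Rule(default_limit=25_000_00,
                     channel_limits={Channel.CALL_CENTRE: 2_000_00},
                     blocked_channels=frozenset({Channel.ATM}),
                     dual_auth_above=10_000_00),
}


@dataclass(frozen=True)
class Account:
    number: str
    holders: FrozenSet[str]             # more than one holder for a joint account
    entitlements: Dict[str, Set[str]]   # holder id -> transactions that holder may perform


@dataclass(frozen=True)
class Request:
    customer_id: str
    account: Account
    transaction: str
    channel: Channel
    amount: int = 0
    approvals: FrozenSet[str] = frozenset()  # co-holders who separately approved


def authorize(req: Request, policy: Dict[str, Rule] = POLICY) -> Tuple[bool, str]:
    """Evaluate one request against the central policy; each denial names the rule that fired."""
    rule = policy.get(req.transaction)
    if rule is None:
        return False, "unknown transaction"
    if req.customer_id not in req.account.holders:
        return False, "requester is not a holder of this account"
    if req.transaction not in req.account.entitlements.get(req.customer_id, set()):
        return False, "holder is not entitled to this transaction"
    if req.channel in rule.blocked_channels:
        return False, f"{req.transaction} is not available via {req.channel.value}"
    limit = rule.channel_limits.get(req.channel, rule.default_limit)
    if req.amount > limit:
        return False, f"amount exceeds the {req.channel.value} limit of {limit}"
    if rule.dual_auth_above is not None and req.amount > rule.dual_auth_above:
        # Self-approval does not count: only another holder of the account spreads the risk.
        co_holders = req.account.holders - {req.customer_id}
        if not (req.approvals & co_holders):
            return False, "dual authorisation required: no co-holder approval"
    return True, "allowed"


# Constructed sample: a joint account on which only Alice may make transfers.
JOINT = Account(
    number="12345678",
    holders=frozenset({"alice", "bob"}),
    entitlements={"alice": {"view_balance", "pay_bill", "transfer"},
                  "bob": {"view_balance", "pay_bill"}},
)

if __name__ == "__main__":
    for req in (
        Request("alice", JOINT, "transfer", Channel.INTERNET, 5_000_00),
        Request("alice", JOINT, "transfer", Channel.CALL_CENTRE, 5_000_00),
        Request("alice", JOINT, "transfer", Channel.INTERNET, 15_000_00),
        Request("alice", JOINT, "transfer", Channel.INTERNET, 15_000_00, frozenset({"bob"})),
        Request("bob", JOINT, "transfer", Channel.BRANCH, 100_00),
    ):
        print(req.customer_id, req.transaction, req.channel.value, req.amount, authorize(req))
```

The point of the structure is that the channel is an input to the decision, not the owner of the policy: adding a digital TV or mobile channel means adding a Channel value and, where the business wants one, a channel_limits entry, not a fresh set of rules.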
Thus banks and building societies will be able to minimize the complex and costly processes involved in administering accounts – such as setting up new users, changing access rights and resetting passwords. A unified approach will ensure that costs do not rise exponentially when new channels come on stream. As your company grows, your security is able to grow with it.
An audit trail is essential for ensuring privacy, integrity of data and non-repudiation. This also means ensuring sensitive account data is not leaked, either to competitors or into the public domain.
Financial enterprises can achieve this by controlling who can access information, and by tracking when and how it is accessed and what effect that access has on the quality of the information. The merger and acquisition frenzy of the last thirty years has inevitably left institutions with multiple customer databases that must be reconciled.
Financial institutions make critical business decisions based on their customer data. They therefore need to be sure that the information they hold has not been changed and that all access to the data is fully tracked. Traditionally, audit systems log all transactions. However, this is only part of the story. You must be able to prove who made the transaction, through which system and whether or not the transaction records have been subsequently altered.
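As an added example (not the article's or ASPACE's code) of the three requirements just stated, the audit log below records who acted, through which channel, and what they did, and chains each record to the previous one with an HMAC so that later alteration, deletion or reordering of records is detectable. The key, record schema and sample entries are constructed for the illustration; the assumption that matters is that the key is held by the audit service and not in the database that stores the log, so that someone with write access to the log store cannot simply recompute the tags.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Any, Dict, List, Optional

# Hypothetical key held by the audit service itself, never stored alongside the log.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class AuditRecord:
    seq: int                 # position in the chain
    actor: str               # who made the transaction (customer or staff id)
    channel: str             # through which system it arrived
    action: str
    details: Dict[str, Any]
    prev_tag: str            # tag of the preceding record, "" for the first
    tag: str                 # HMAC over this record's content and prev_tag


def _tag(key: bytes, seq: int, actor: str, channel: str, action: str,
         details: Dict[str, Any], prev_tag: str) -> str:
    # Canonical JSON so the tag does not depend on dict key order or whitespace.
    payload = json.dumps([seq, actor, channel, action, details, prev_tag],
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes = AUDIT_KEY) -> None:
        self._key = key
        self.records: List[AuditRecord] = []

    def append(self, actor: str, channel: str, action: str,
               details: Dict[str, Any]) -> AuditRecord:
        seq = len(self.records)
        prev_tag = self.records[-1].tag if self.records else ""
        rec = AuditRecord(seq, actor, channel, action, details, prev_tag,
                          _tag(self._key, seq, actor, channel, action, details, prev_tag))
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the seq of the first record that fails, or None if the chain is intact.

        Catches edited content, deleted or reordered records, and records re-tagged
        without the key. It cannot see truncation of the tail; for that the latest
        tag and record count must be anchored somewhere outside the log.
        """
        prev_tag = ""
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_tag != prev_tag:
                return i
            expected = _tag(self._key, rec.seq, rec.actor, rec.channel,
                            rec.action, rec.details, rec.prev_tag)
            if not hmac.compare_digest(expected, rec.tag):
                return i
            prev_tag = rec.tag
        return None


def edit_in_place(log: AuditLog, seq: int, **changes: Any) -> None:
    """Simulate someone with write access to the log store editing a row directly."""
    log.records[seq] = replace(log.records[seq], **changes)


def build_sample_log() -> AuditLog:
    # Constructed sample trail spanning three channels.
    log = AuditLog()
    log.append("alice", "internet", "transfer", {"to": "98765432", "amount": 250_00})
    log.append("staff:jsmith", "branch", "address_change", {"postcode": "SW1A 1AA"})
    log.append("bob", "call_centre", "pay_bill", {"payee": "Gas Co", "amount": 80_00})
    return log


def tamper_scenarios() -> Dict[str, Optional[int]]:
    """Run verify() over an intact log and three tampered copies."""
    results = {"intact": build_sample_log().verify()}

    log = build_sample_log()            # change a field, leave the tag alone
    edit_in_place(log, 1, details={"postcode": "EC1A 1BB"})
    results["edited"] = log.verify()

    log = build_sample_log()            # delete the middle record
    del log.records[1]
    results["deleted"] = log.verify()

    log = build_sample_log()            # inflate a payment and re-tag with a guessed key
    r = log.records[2]
    inflated = {"payee": "Gas Co", "amount": 8_000_00}
    forged = _tag(b"wrong-key", r.seq, r.actor, r.channel, r.action, inflated, r.prev_tag)
    edit_in_place(log, 2, details=inflated, tag=forged)
    results["forged"] = log.verify()
    return results


if __name__ == "__main__":
    print(tamper_scenarios())
```

Each record answers the three questions in the paragraph above (who, through which system, and whether anything has since changed); verify() reports the first record at which the chain breaks, which is also where an investigation would start.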
Although many of these data requirements are enshrined in data protection and consumer protection regulation, if you are to stand out from the crowd and prosper you will need to implement a model that allows you to meet the requirements of increasingly demanding customers.
With new channels such as mobile, interactive voice response and digital TV emerging, it is inevitable that customers will interact a lot more with their banks, building societies, insurance companies and other financial services providers. Those that can deliver a streamlined and integrated solution will not only keep their customers satisfied but save money as well.
The question, then, is what you should do to increase customer satisfaction and reduce administration costs without compromising security. That is the business goal. It is a complex puzzle, but one that needs to be solved.
Steve Keohane is CEO at ASPACE Solutions