European Payments: Breathing a Sigh of Relief (For Now)

In our recently published report on Top Trends in Retail Payments we quoted a European payments professional:

“If the publication of PSD2 gave the industry a headache, then the publication of draft RTS gave it a heart attack.”

Of course, he was talking about the draft regulatory technical standards (RTS) that the European Banking Authority (EBA) has been tasked to develop for how the industry should implement the Payment Services Directive's (PSD2) requirements for strong customer authentication and secure communication. The draft RTS published in a consultation paper last August was indeed rather draconian. One of the key proposals was "not to propose exemptions based on a transaction risk analysis performed by the PSP” and to keep “the authentication procedure […] fully in the sphere of competence of the ASPSP [Account Servicing Payment Service Providers, i.e. banks].” The draft RTS has united the industry to an extent rarely seen before – representatives from payments, cards, e-commerce, small merchants, digital technology, telecoms, travel and other industries have expressed concerns that the EBA’s standards implemented in their current form would “make online shopping much more onerous than it is today and have a wider and chilling effect on the Digital Single Market.”

Thankfully, it appears that the EBA has been listening. The final standards have not yet been published, but yesterday Andrea Enria, Chairperson of the EBA, gave a speech at the Westminster Forum that offered the clearest indication yet that the EBA is open to changing the RTS. Specifically, according to the speech, the RTS when published will:

  • Introduce two new exemptions, one based on "transaction risk analysis" and the other for payments at so-called "unattended terminals" for transport or parking fares. The transaction risk analysis exemption will be linked to maintaining predefined fraud levels and will be reviewed after 18 months.
  • Contain some changes to the existing exemptions, such as increasing from EUR 10 to EUR 30 the threshold for remote payment transactions. However, there will be no further exemptions for e.g. corporate payments.
  • Outlaw the current practice of third party access without identification (e.g. ‘screen scraping’) once the transition period under the PSD2 has elapsed and the RTS applies.
  • Maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. A requirement has been added that banks provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as the same level of contingency measures in case of unplanned unavailability.
  • Remove references to ISO 27001 and other specific, technological characteristics, to ensure technology-neutrality and allow for future innovations.

It will be important to review the details when the final RTS is published, and of course, much work will still have to be done by the industry to ensure compliance. Yet, it seems that the payments professionals in Europe may breathe a sigh of relief – the heart attack may have just been averted, at least for now.

Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.
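
As an added illustration of the risk- and context-aware step-up described above (example code, not Celent's or any bank's), the following Python policy engine refuses to trust any context signal from a device that has not been bound to the customer, scores the remaining signals, and either allows access, requests one or two further factors, or declines. All weights, thresholds and factor names are assumptions; the EUR 30 figure is the remote low-value threshold mentioned in the RTS post above, reused here as an assumed cut-off.

```python
from dataclasses import dataclass
from enum import Enum

# Added illustration of risk- and context-aware step-up authentication.
# Weights, thresholds and factor names are assumptions for this example.


class Decision(Enum):
    ALLOW = "allow"        # signals consistent with the customer: no extra challenge
    STEP_UP = "step_up"    # ask for one or more additional factors
    DENY = "deny"          # risk too high to continue without manual review


@dataclass
class Context:
    customer_id: str
    device_id: str
    action: str                     # "view_balance", "payment" or "add_payee"
    amount_eur: float = 0.0
    new_payee: bool = False
    geo_mismatch: bool = False      # location disagrees with the customer's usual ones
    behaviour_anomaly: float = 0.0  # 0.0 (typical) .. 1.0 (very unusual), assumed model output


@dataclass
class AuthDecision:
    decision: Decision
    score: int
    factors: list   # factors to request on step-up, strongest first


# Assumed weights; a real engine would tune these against observed fraud.
ACTION_RISK = {"view_balance": 0, "payment": 20, "add_payee": 30}
LOW_VALUE_EUR = 30.0   # assumed low-value cut-off, taken from the RTS post


class RiskEngine:
    def __init__(self, bound_devices, factors_by_strength):
        # customer_id -> set of device ids enrolled through a trusted binding step
        self.bound_devices = bound_devices
        # factors the platform can challenge with, strongest first
        self.factors = factors_by_strength

    def is_bound(self, ctx):
        return ctx.device_id in self.bound_devices.get(ctx.customer_id, set())

    def score(self, ctx):
        s = ACTION_RISK.get(ctx.action, 40)   # unknown actions are treated as risky
        if ctx.action == "payment":
            if ctx.amount_eur > 500:
                s += 40
            elif ctx.amount_eur > LOW_VALUE_EUR:
                s += 20
        if ctx.new_payee:
            s += 20
        if ctx.geo_mismatch:
            s += 15
        s += int(round(40 * max(0.0, min(1.0, ctx.behaviour_anomaly))))
        return s

    def evaluate(self, ctx):
        # Binding first: behaviour and location baselines belong to a bound device,
        # so signals from an unknown device are ignored and the two strongest
        # factors are demanded before anything else is considered.
        if not self.is_bound(ctx):
            return AuthDecision(Decision.STEP_UP, 100, self.factors[:2])
        s = self.score(ctx)
        if s < 30:
            return AuthDecision(Decision.ALLOW, s, [])
        if s < 90:
            n = 1 if s < 60 else 2   # moderate risk: one extra factor; high: two
            return AuthDecision(Decision.STEP_UP, s, self.factors[:n])
        return AuthDecision(Decision.DENY, s, [])
```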

We outline this vision in more detail in the report published yesterday by Celent, Security, Convenience or Both? Setting Out a Vision for Authentication. In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as the FIDO Alliance and the W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess amongst the US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

Passwords Suck – Bring on Biometrics!

Now that I have your attention, let me be clear: I hate passwords, particularly when they are increasingly required to be longer, more complex and frequently changed. Apparently, I am not alone in this sentiment.

At a conference in 2015, a small start-up, @Pay, a low-friction mobile giving platform, offered attendees a free t-shirt in return for seeing a brief demo. I must confess that I was more interested in the t-shirt than @Pay’s product demo. The line went out the door! Here is the t-shirt.

@Pay's Sought After T-shirt

Working from a home office means t-shirts are a staple part of my daily wardrobe. I have tons of them. None of them, however, engenders such predictable responses from complete strangers as the one above. Responses range from a simple thumbs up or high-five to an occasional, “You got that right!” Passwords do suck. I have so many to manage that I use Trend Micro’s Password Manager to ease the pain.

That’s why I am excited to see more institutions migrate to biometric forms of authentication. Dan Latimore blogged about the rapid increase in the number of US financial institutions employing biometrics within their mobile apps here.

Banks shouldn’t stop there, however. In a June 21 New York Times article, Tom Shaw, vice president for enterprise financial crimes management at USAA was quoted as saying, “We believe the password is dying. We realized we have to get away from personal identification information because of the growing number of data breaches.”

I agree with Tom’s sentiment, but if passwords are dying, it appears to be a very slow and painful death. Here’s one example of why I say this. The chart below shows surveyed likelihood of technology usage in future branch designs as measured by Celent’s Branch Transformation Research Panel in late 2015. More than two-thirds of surveyed institutions thought the use of biometrics in future branch designs was “unlikely”.

Branch Tech Usage Likelihood

Authentication and identity management may always involve a trade-off between security and convenience, but the industry’s overreliance on personal identification information is failing on both counts.

  • At ATMs – it contributes to skimming fraud
  • In digital customer acquisition – it contributes to unacceptably high abandonment rates
  • In the mobile channel – it contributes to its slowing rate of utilization growth
  • In the branch – banks deny themselves the ability to delight customers with improved engagement options made available by skillful digital/physical integration

We’ll be looking into the topic of authentication and identity management in our next Digital Banking Research Panel survey in the coming weeks. If you’re a banker and would like to participate in this or future Digital Panels, please click here to fill out a short application.

Top trends in corporate banking webinar

Please join me on Thursday, April 21st at noon EST for an overview of the 2016 edition of our Top Trends in Corporate Banking report, which was published in March.

Corporate banks continue to place an enormous focus on investing in digital channels to meet the ever-increasing demands of clients for enhanced tools while boosting security and fraud prevention. Despite this investment, corporate banking has lagged in the adoption of innovative technologies. To improve that performance, corporate banking lines of business are undertaking a broad set of initiatives to overcome the inertia that has left clients behind in terms of innovation. Among the top trends, we will examine the opportunities in trade finance and customer onboarding for improving efficiency and enhancing client satisfaction. Other top trends include fintech partnerships, distributed ledger technology, open APIs and adapting liquidity management strategies. I look forward to having you join us on Thursday!

Click here to register

Reconciling TouchID with Bank T&Cs

Apple’s TouchID is brilliant – I now use it not only to unlock my phone, but also to log into my Amazon account. I can also use it to log into my Amex app and my bank’s mobile banking app. And of course, it is the way to initiate Apple Pay transactions. The only trouble is that none of those providers can be assured that it is really me doing all of this. TouchID allows registering up to 10 different fingerprints, and authenticates the user locally by matching his or her fingerprint to the registered templates. However, authentication is not the same as identity – banks and other apps know it is someone authorised to use that phone, but they don’t know it’s me, Zil Bareisis. It is likely to be me, but it could also be my wife or my kids. It could even be a total stranger if in some bizarre bout of insanity, I allowed them to register their fingerprint with my phone. The Telegraph reported last week that the UK banks are very much aware of this issue and have decided to take a hard stance:
“Banks have warned customers that if they store other people’s fingerprints on their iPhones they will be treated as if they have failed to keep their personal details safe.
This means the bank can decline to refund disputed transactions or refuse to help where customers claim they have been victims of fraud.”
According to the paper, “the banks’ position is typically buried in the detail of bank account Ts & Cs”, something that, as we all know, most people accept without reading in detail. I can appreciate the banks’ concerns, but I wonder if they are somewhat overblown. Although this will change in time, most Apple Pay transactions in the UK are still capped at the contactless limit (£30). Any of my family members today can take my contactless card and use it for contactless payments without any PIN. I haven’t heard too many suggestions that I should keep my card locked away from my family members. However, if this were to happen, I should be prepared to accept my family’s transactions and not report them as fraud. I am no legal expert, but it doesn’t feel like inserting protective statements within T&Cs is the way forward. First, it’s not very transparent. Second, if the issue were to arise, it is something that would not be easy for banks to prove. Could consumers just delete all the other fingerprints in case of a dispute? Finally, it’s just poor customer service. Instead, banks should invest in educating consumers about digital technologies and how to use them safely and responsibly. Even if it’s as basic as, “don’t allow strangers to register their fingerprints on your phone” and “be prepared to accept your family’s transactions and not dispute them as fraud.” As the value of Apple Pay transactions grows, banks ought to consider deploying additional techniques, such as behavioural analysis, to authenticate the users and minimise fraud. As with most security, a multi-layered approach is likely to work best.

Biometrics: the next generation of corporate digital banking authentication

Corporate treasury departments initiate and approve millions of dollars in high-value payments on a daily basis. As an example, in May 2015 the average amount of a US Fedwire transfer was $5.7 million. Because of the dollar value of these transactions, banks were early adopters of enhanced authentication for corporate online banking applications. Many banks continue to offer one-time-password authentication (on top of traditional username and password) using RSA SecurID or Vasco DIGIPASS hardware tokens at both login and payment initiation. When Celent published its report “Corporate Mobile Banking Update: Adoption Conundrums and Security Realities” in September 2014, it highlighted alternatives to traditional two-factor authentication for corporate online and mobile banking applications, including voice, pattern and biometric authentication methods. As discussed in the Celent Banking Blog “Logging Into Your Bank in a Heartbeat”, several banks have rolled out Apple’s Touch ID fingerprint authentication technology for consumer online banking login. However, as clever hackers quickly demonstrated, Touch ID is vulnerable to various hacking methods. For this reason, banks are turning to more sophisticated biometric authentication methods for their corporate online and mobile banking applications. The focus remains on layered, multi-factor authentication, but combines authentication technologies in unusual and unique ways. Barclays Bank combines biometric and digital signature technology in an offering called “Barclays Biometric Reader.” To overcome limitations of traditional fingerprint scanners, Barclays is implementing Hitachi Europe’s Finger Vein Authentication Technology (VeinID), which reads and verifies the user’s unique finger vein patterns. The latest authentication announcement comes from Wells Fargo, which is combining facial recognition with voice biometrics.
Wells Fargo is working with SpeechPro to pilot the new bi-modal security solution (VoiceKey.OnePass) and fine-tune the biometric authentication features. The solution uses a standard smartphone microphone and camera to capture a facial image and voiceprint. Wells Fargo is also working on authentication using eye vein scanning (as opposed to typical retina scans).

Biometrics

New authentication technologies, from a slew of relative newcomers to the financial services space, could eventually replace traditional hardware tokens and eliminate multiple authentication hoops throughout the digital corporate banking experience. Watch this space.

Logging Into Your Bank in a Heartbeat

Apple may not always come up with the idea in the first place, but by throwing their weight behind it they can take the idea mainstream. Biometric authentication has existed for years, but it was Apple that really brought it to everyone’s attention when it first launched TouchID, and subsequently demonstrated with Apple Pay how biometrics can be used to authenticate a payments transaction. Now financial institutions are looking for ways to use biometrics to authenticate customers for other things, such as logging into online and mobile banking. Everyone agrees that the situation where we all have to remember a plethora of passwords and PINs has become unmanageable and is now a serious security concern. In the UK, RBS and Natwest announced in February that their customers can now log into their mobile banking app with Apple’s TouchID available on the iPhone 5s, 6 and 6 Plus. The critics of biometric authentication point to a number of shortcomings – for example, TouchID was hacked soon after launch by using a fake finger made from a photograph of a fingerprint left on a glass surface. If your password gets stolen, you can change it; it is a lot worse if the record of your fingerprint is compromised. And the extreme scenarios bring up the Hollywood-style scenes of cut-off fingers and loose eyeballs. True, no security is perfect, so layering and balancing is important. For example, even after the log-in, RBS and Natwest require further authentication for some payment transactions. You also might want more assurances if you are getting access to a private banking account with high balances. Some banks are also experimenting with more sophisticated biometrics technologies. Last year, Barclays trialled a special fingerprint scanner which uses infrared light to scan blood flow in the veins of a person’s finger, and was planning to roll out the scanner to commercial customers. Incidentally, using the “vein profile” solves the “cut-off finger” challenge.
Halifax, another UK bank, is trialling the technology from a Canadian firm Bionym. The bracelet called “Nymi” measures the intricate “cardiac rhythms” unique to every person, which can be used not only to log into a mobile banking app, but also potentially for many other applications, such as gaining access to the office, unlocking a car, or even boarding the plane and crossing borders. As always with new technologies, there is lots to learn and work out. But it seems that the future of logging into your bank account with a heartbeat (quite literally!) is not that far away.

Wearable devices and the future of authentication

There is a lot of hype around wearables (smartwatches, fitness bands, etc.) and they may have all kinds of interesting potential. This potential, particularly for banking, is still to be determined. However, I believe that there is a great opportunity for certain wearable devices to provide strong authentication and enhance the user experience (see this blog entry). Examples are starting to trickle out:
  • RBC recently announced that it has partnered up with a firm called Bionym. Bionym offers a wearable device, the Nymi Band, that can be used for authenticating you to all kinds of products, devices and services (see this video for potential use cases). The device will take the user’s electrocardiogram and use it for authentication purposes. RBC and Bionym are going to test ECG authenticated payments at the point of sale. Sounds pretty cool to me! The Nymi band is a $79 product that can be ordered on Kickstarter.
  • Last week, at the AFP Conference, Online Banking Solutions (OBS) showed me a demo of how they are using a smartwatch to authenticate corporate online banking transactions. When the user performs a certain function, an alert is sent to the smartwatch (the demo was shown to me on a Moto360). The user then has to interact with the watch in order to confirm or reject the transaction.
Much of this is obviously still experimental. It is, however, highly innovative, and a step in the right direction towards killing the password.

Wearables – banking hype or opportunity?

Lately there has been much fanfare around wearables. From Google Glass to smartwatches, there has been no shortage of press releases, articles and hype surrounding these devices. I must say that I personally find all of this stuff amazingly cool, and love trying out new things. I am also super excited about the Moto 360 smartwatch and will likely pick one up when it launches. My interest in these devices however has absolutely nothing to do with banking. Don’t get me wrong, I think it’s critical for banks to try out new technology in order to understand how devices are evolving and how consumers will use them. In other words, banks should proactively throw stuff against the wall in order to see what sticks! Will wearables be the next big “channel” or consumer touchpoint? I have a hard time believing that consumers are going to want to “bank” using these devices – there is a lot of hype here that needs to be filtered. Wearables, specifically smartwatches, will act as more of a companion to a smartphone. There are however a couple of specific areas where wearables can have an impact on banking:
  • Alerts and notifications. The alerts that pop up on a watch should in theory be the same ones that appear on your smartphone. Most day-to-day banking alerts may not be that critical; however, there are some that the user may want to have access to at a glance. Security at the point of sale is also a possible use case. If a credit card is swiped, an alert can be sent – it’s simpler and faster to have this appear on your wrist than in your pocket.
  • Authentication. These devices, particularly the smartwatch, represent an interesting authentication alternative. The Android platform can be configured to allow for a “trusted device” to unlock the phone or an app. In other words, the phone or app can be unlocked if the device detects the presence of a smartwatch. If the device is lost or not in the hands of the user, the smartwatch won’t be detected and the user will be prompted for a password. The Moto X smartphone currently has this software feature incorporated into its build of Android, and it can be used to unlock the device. Celent believes that devices like the smartwatch can act as a solid form of authentication and enhance the user experience. Additionally, banks have been challenged to come up with new methods of providing authentication for mobile banking, particularly since classic multifactor authentication involves something you know and something you have.
The mobile world is rapidly evolving and there is much to look forward to. Please weigh in with your thoughts and comments.

It’s so easy for bank marketing to take a wrong turn

Yesterday I came home to a strange voicemail from ING Direct Canada. I decided to phone back right away because I noted the following 3 things about the message:
  • The toll free number provided was nowhere to be found on the bank’s web site
  • The message left was with regards to “my profile and information”
  • The reference number left on the voicemail was my online banking user ID
I called back the main toll free number provided on the bank’s web site. After a brief hold I was transferred to an agent who looked me up in their system. I was told that I had to be transferred to another department and that yes, the message that I received was legitimate. The person I was transferred to was polite and friendly and wanted to sell me an investment. WHAT??? The good news for the bank is that they got me to call back right away. The bad news is that I don’t even know or care about what she offered because I was so thrown off by the voicemail. I had questions. Why was I being directed to a toll free number that I can’t find on the bank’s web site or through a Google search? Why were the details of the voicemail so mysterious? Why was my user ID being divulged over the phone as a reference number? All of my comments were noted and the rep apologized. Granted I’m not a typical customer, but it’s customers like me that can help make a difference when it comes to these issues (or so I would hope!). There’s a lot that banks can learn here – on the security front and on the marketing front. This is particularly relevant in an age where banks are so focused on marketing and offers that are based on data:
  • You can have great data, but it’s useless if you don’t master things like privacy and security
  • Customers should always be directed to call back a primary telephone number that can be easily validated. Banks are so cautious about email communication with clients – they should be just as cautious with telephone communication
  • Under no circumstances should a user ID ever be divulged. It’s a key piece of an authenticated login. It of course takes a couple of other pieces to login but that’s not the point – why give away any pieces of the puzzle? Furthermore, if a bank or customer were to suffer a breach, a fraudster could attempt to gain access to other account credentials by leaving a convincing voicemail containing a user ID (that obviously did not happen here).
I welcome your thoughts and comments. UPDATE 4/7/2014: I was contacted by ING Direct last week. They have informed me that they will no longer use a user ID as a reference number. Kudos to them for reacting quickly and switching around the process.