Most cyberattacks succeed because of weaknesses in people, processes, controls and operations. This is the definition of operational risk. Therefore, it makes sense to tackle cyber risk with the same tools you use to manage operational risk.
We continue to prove that the approach of the IT department managing cybersecurity is not working. Cyber risk is typically treated in parallel with other technology risks; the IT department is motivated to focus on securing the vulnerabilities of individual system components and proffers a micro view of security concerns.
My new Celent report, “Treating Cyber Risk as an Operational Risk: Governance, Framework, Processes and Technologies”, discusses how financial institutions are advancing their cybersecurity practices by leveraging their existing operational risk frameworks to centralize, automate and streamline management, technologies, processes, and controls for sounder and more resilient cybersecurity.
The report identifies and examines the steps required to achieve a risk-based approach to a sustainable and, ultimately, a measurable cyber risk management strategy:
1. Establish a long-term commitment to drive a top-down, risk-based approach to cybersecurity.
2. Recognize that the traditional approach of the IT department managing cybersecurity is limited and that most cyber risks are weaknesses in people, processes, controls, and operations.
3. If you have not already, consider deploying the NIST cybersecurity framework and tailor the framework to fit your individual cybersecurity requirements. The framework lets you take advantage of your current cybersecurity and operational risk language, processes and programs, industry standards and industry best practices. Both cyber and operational risk should be informed by and aligned with the institution’s enterprise-wide risk management framework.
4. Move your organization along the cybersecurity maturity curve by building dynamic risk models, based on shared industry data and assumptions, to measure and monitor cyber threats and pre-empt those attacks.
5. Stop throwing money at the problem. Educate decision-makers on why and how breaches happen. Do not purchase in silos or under pressure; select the right expertise to identify the issues and carry out due diligence on products.
6. Use the NIST’s five functions to navigate and manage cybersecurity technology requirements and purchases.
7. Know what technology you want from your vendors; know what advice to seek from your consultants.
8. Acknowledge that cybersecurity is the responsibility of every employee and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties and customers.
Now that I have your attention, let me be clear: I hate passwords, particularly when they are increasingly required to be longer, more complex and frequently changed. Apparently, I am not alone in this sentiment.
At a conference in 2015, a small start-up, @Pay, a low-friction mobile giving platform, offered attendees a free t-shirt in return for seeing a brief demo. I must confess that I was more interested in the t-shirt than @Pay’s product demo. The line went out the door! Here is the t-shirt.
Working from a home office means t-shirts are a staple part of my daily wardrobe. I have tons of them. None of them, however, engender such predictable responses from complete strangers as the one above. Responses range from a simple thumbs up or high-five, to an occasional, “You got that right!” Passwords do suck. I have so many to manage, I use Trend Micro’s Password Manager to ease the pain.
That’s why I am excited to see more institutions migrate to biometric forms of authentication. Dan Latimore blogged about the rapid increase in the number of US financial institutions employing biometrics within their mobile apps here.
Banks shouldn’t stop there, however. In a June 21 New York Times article, Tom Shaw, vice president for enterprise financial crimes management at USAA was quoted as saying, “We believe the password is dying. We realized we have to get away from personal identification information because of the growing number of data breaches.”
I agree with Tom’s sentiment, but if passwords are dying, it appears to be a very slow and painful death. Here’s one example of why I say this. The chart below shows surveyed likelihood of technology usage in future branch designs as measured by Celent’s Branch Transformation Research Panel in late 2015. More than two-thirds of surveyed institutions thought the use of biometrics in future branch designs was “unlikely”.
Authentication and identity management may always involve a trade-off between security and convenience, but the industry’s overreliance on personal identification information is failing on both counts.
- At ATMs – it contributes to skimming fraud
- In digital customer acquisition – it contributes to unacceptably high abandonment rates
- In the mobile channel – it contributes to its slowing rate of utilization growth
- In the branch – banks deny themselves the ability to delight customers with improved engagement options made available by skillful digital/physical integration
We’ll be looking into the topic of authentication and identity management in our next Digital Banking Research Panel survey in the coming weeks. If you’re a banker and would like to participate in this or future Digital Panels, please click here to fill out a short application.
Earlier this year, I had the pleasure of moderating a panel discussion on the topic of omnichannel customer onboarding sponsored by Kofax. It was a heavyweight panel, including:
- Jim Marous, Co-Publisher/Author, The Financial Brand
- JP Nicols, Director, Next Bank
- Brant Clark, Sr. Director, Mobile Solutions, Kofax, Inc.
Kofax is making a recording of this informative panel available here.
It’s worth a listen. Why?
Customer acquisition is obviously important because it is a prerequisite to top line sales growth. Offering a low-friction digital capability is increasingly important because customers are becoming increasingly digitally-driven. Omnichannel customer acquisition matters because multiple channels – digital channels in particular – are influencing consumers’ choice of banking relationship. Banks therefore need to close the deal whenever and wherever customers make the decision to onboard. To do otherwise is inconvenient for potentially profitable prospects, and disadvantageous for institutions wanting them as customers.
The problem is, omnichannel customer acquisition remains largely aspirational for most North American financial institutions.
I’m looking forward to sharing two forthcoming research reports devoted to this important topic in the coming weeks.
Banks have worked hard to manage the different risks across their institutions. It has been and will remain costly, time consuming and a top priority. Celent profiles two award-winning banks who have modelled excellence in their use of risk management technologies across their banks.
- Degree of innovation
- Degree of difficulty
- Measurable, quantitative business results achieved
ALFA-BANK: SETS THE STANDARDS FOR BASEL COMPLIANCE IN RUSSIA
Alfa-Bank built a centralized and robust credit risk platform to implement Basel II and III standards, simultaneously, under very tight local regulatory deadlines. The bank decided to centralize all corporate credit-risk information onto a single platform that connected to front office systems and processes. Using Misys FusionRisk, Alfa-Bank was able to implement a central default system with a risk rating and risk-weighted asset calculations engine. The initiative is seen as one of the most important initiatives in the bank’s history. The successful completion of the project has placed Alfa-Bank at the forefront for setting standards and best practice methodologies for capital management regulations for the Russian banking industry and Central Bank.
USAA: SECURITY SELFIE, NATIVE FINGERPRINT, AND VOICE SIGNATURE
The game-changer for USAA is to deliver flawless, contextual customer application services that are secured through less intrusive authentication options. The use of biometrics (fingerprint, facial and vocal) to access its mobile banking application positions USAA to be able to compete with Fintechs across the digital banking ecosystem and offer exceptional service to its military and family members.
USAA worked with Daon Inc. to provide biometric solutions paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App for trusted mobile devices. Biometric and token validation focus on who the user is and who the verifiers are, and they address increasing concerns around the high level of compromise of static user names, passwords, and predictable security questions from sophisticated phishing attacks, external data breaches, and off-the-shelf credential-stealing malware.
For more information on these initiatives, please see the case study abstract on our website.
Credit unions are almost twice as likely to change vendors as banks, with competitive churn rates of 7.6% compared to 2.7% for banks. Churn Rate measures the number of institutions in a given time period that either change or drop a vendor contract. Churn is broken down into two components: competitive churn, which measures the rate at which institutions are opting to change vendors, and consolidation churn, which measures uncontrollable factors like acquisitions or liquidations. The figure below (powered using data from FI Navigator) references total churn for the year ending March 31st, 2016.
The figure reveals significant differences in churn between banks and credit unions. But why is this difference so large? There are two possible drivers:
- Customer centricity: A focus on the customer could be a driver for higher churn. Banks and credit unions operate differently, and Celent has explored the variations in blogs and publications. The mission statement of the credit union market has historically revolved around extreme customer centricity. Over the last decade, mobile has become a critical component in quality customer service. Emphasizing the needs of the customer could be driving credit unions to take more concerted efforts to maximize mobile/digital, exploring competitive options more frequently than banks. Credit unions are low margin businesses that often give higher interest rates for products like auto-loans or deposit accounts through non-profit tax breaks. Being member-owned, most of the smaller profits also go back into the business. This creates a natural incentive to streamline the back-office, and credit unions have adopted cost effective technologies at higher rates. Thin margins combined with a focus on customer service could mean credit unions are more likely to evaluate provider options more frequently.
- Solution providers: Another perspective is that it’s the vendor market, not the CUs, that is driving the churn. The vendor spectrum for credit unions in the US is much more diverse, with 43 vendors compared to 22 selling to banks. This would reinforce the argument that competitive dynamics are more intense, and it would be reflected in sales cycles. With cost pressures that originate from their smaller size and lower margins, credit unions are more likely to look for alternative ways to provide products and services, leveraging mechanisms like Credit Union Service Organizations (CUSOs) to enhance the business. Other similar joint ventures leverage cooperative arrangements to develop homegrown software products. Consortiums not present in the banking market would introduce more competitors into the market, and as a result impact competitive dynamics.
Credit unions skew much smaller than banks (the mean credit union asset size is $200 million vs. banks with around $2.5 billion), leading to a noticeably higher consolidation churn. Celent examined the pressures on credit unions here. As minimum viable institution size continues to get bigger, smaller institutions will be challenged to stay afloat. Vendors will face the risk that their customers are becoming targets for M&A activity, resulting in more vendors competing for a shrinking demographic.
Credit unions need to think about how to best streamline their operations to remain viable. This includes a mix of cost-effective customer service technologies like mobile banking. Vendors need to have a better understanding of the competitive landscape into which they sell, as competition is intense. Better data and detailed benchmarks can help vendors plan their strategy.
Celent is collaborating with FI Navigator to analyze the mobile banking market in financial services (in fact, FI Navigator wrote a great piece about credit unions and banks last year). FI Navigator assembled a platform that leverages a proprietary algorithm to track every financial institution offering mobile in the US, as well as nearly 50 vendors. Beginning with the first report at the end of April, Celent will be releasing a biannual examination of the mobile market. FI Navigator will also be making the platform available for further custom reporting and data analysis. For more information on the nature of the collaboration and availability of data, go here.
Digital banking is so hot right now – for good reason. The recently published research sponsored by the Federal Reserve, Consumers and Mobile Financial Services 2016, reported that 87% of the U.S. adult population has a mobile phone and 77% of them are smartphones, up from 71% in 2014 and 61% in 2013. Admittedly, it is getting hard to find a phone that’s not internet-enabled. But consumers are acquiring them for a reason – and it’s not telephony. The same report documented the rise of mobile banking: 43% of all mobile phone owners with a bank account had used mobile banking in the past 12 months, up from 39% in 2014 and 33% in 2013.
Digital Banking
Not surprisingly then, the significant majority of US financial institutions now offer digital banking capabilities to their customers. But most were designed to migrate transactions away from the more expensive branch channel to lower-cost self-service mechanisms. A worthy objective, but it misses the point (more on that later).
Celent has research in the field now designed to understand just how far US banks and credit unions have come in achieving digital channel adoption targets. The short (however preliminary) answer: not very far. It’s not for lack of trying, however. Two-thirds of responding institutions said they have specific, measurable digital channel adoption goals.
Beyond Transactions
More recently, a growing number of banks and credit unions are thinking beyond transactions toward digital sales and service. Another worthy objective, particularly among the large number of institutions that are, frankly, desperate for revenue growth. A minority have specific, measurable goals to increase digital customer acquisition. We expect that to change as more banks embrace the imperative for omnichannel delivery. Institutions thinking beyond transactions are paying close attention to the state of digital customer acquisition – for good reason. About three-quarters of banks in Celent’s survey track completion rates, but far fewer systematically follow up on incomplete applications. This is a problem! The apparent disconnect seems to reflect a bias towards digital delivery. If cost reduction is the primary objective (it rarely is) then good. But if revenue growth and customer engagement are what banks are after (I believe that to be the case) then many are missing the point.
In my opinion, the objective of omnichannel banking shouldn’t be tied to migrating an arbitrary percentage of customer interactions to the digital realm – whether transactions or sales. Consumers are becoming increasingly digitally-driven without banks’ involvement! The point of omnichannel delivery is to offer customers consistent and convenient ways to engage with your bank whenever and wherever they so choose, not to achieve some arbitrary channel mix.
The fact is, most consumers don’t want to open accounts on their mobile devices, even though they are very likely to be researching banking products and services online. That’s why banks need to offer a variety of low-friction ways to engage with customers and prospects. Click-to-call and digital appointment booking are two examples. Digital appointment booking (DAB), in particular, has emerged as “low-hanging fruit” among banks seeking to better integrate digital and in-person engagement. Although impressive results can be obtained from relatively modest effort, few institutions have taken this step.
Digital Appointment Booking
First and foremost, DAB is not about driving branch traffic or somehow prolonging its relevance as some have suggested. Rather, DAB is about improving omnichannel customer engagement. Best practices suggest it is not a silver bullet either, but one of many customer engagement mechanisms that leading financial institutions are learning how to orchestrate to better serve customers. DAB is also not simply about booking appointments. When integrated with lobby management systems, DAB solutions help customers efficiently and effectively accomplish what they want and when they want it. Done well, DAB is very much a win-win. This is the point, isn’t it?
I’ll be presenting on best practices in digital appointment booking at American Banker’s Retail Banking 2016 in Las Vegas on Wednesday afternoon April 6th. The presentation is part of Innovations for Credit Unions from 1:00 – 4:00 in the afternoon. If you’re planning to attend, feel free to stop by and say “hello”!