Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.

We outline this vision in more detail in the report published yesterday by Celent, "Security, Convenience or Both? Setting Out a Vision for Authentication". In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as the FIDO Alliance and the W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess amongst the US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

There are *exactly* 608 US firms offering banking fingerprint authentication

Biometrics are hot. Fingerprint authentication (Apple’s version is Touch ID) is one of the most common forms of biometric verification. So, quick – how many American banks let customers log on to their accounts using this method? Based on the press, you might optimistically think a few thousand, right? And, in fact, Apple Pay just activated its 1000th bank (adoption is another story, and the subject of another post). Well, as of January 31, the actual number (not an estimate, not an extrapolation, and not a piece of data from Apple) was 608. That’s 9.52% of the 6,388 FIs offering a mobile banking application.

How does that compare to three months ago, at the end of October 2015? At that point just 252 FIs were offering it. That’s an increase of 241% in a quarter, certainly a sign of robust growth. Some of the increase comes from clients implementing from their hosted solution provider. Others (generally bigger banks) are developing it in-house. And yet, it’s not as popular with the large banks as one might think (of the 21 with more than $100bn in assets, only 8 offer fingerprint authentication; 3 of the top 4 have it).

[Figure: Bucketed Adoption]

Does fingerprint authentication pay off? By one measure, something we call “feature lift,” it does indeed make a difference for customers. Banks whose customers have installed fingerprint authentication have an uplift of 53% in enrolled customers per deposit account relative to banks who don’t offer it. While this is correlation, not causality, it shows that the banks who offer this feature have more customers enrolled in mobile banking than those who don’t. We’re looking forward to analyzing many more mobile banking features to see which ones offer the biggest impact on customer enrollment.

[Figure: Uplift]

How did we access this information? I’m very excited to say that Celent is collaborating with FI Navigator to analyze the mobile banking market in an unprecedented depth of detail. FI Navigator has assembled a database of every US bank and credit union offering retail mobile banking, together with the vendors who host them. We’re feverishly analyzing this trove of data to bring you a report at the end of April. It’s different from, and additive to, work made available to our existing clients; you can find the particulars here.

To let you in on how the sausage is made, we originally tried to find out how many banks offered fingerprint ID by doing a standard search (which turned up press releases and the like) and by contacting a few vendors. We were able to arrive at roughly 250 banks in total, including several dozen from one vendor (from whom it was difficult to get precise answers in terms of commitments, scheduled go-lives, and actual implementations). It turns out that we undercounted by more than half.

The beauty of the FI Navigator data is that it’s derived from a variety of sources – on a monthly basis – that let us deduce and infer a huge amount of actual information about the entire US retail mobile banking population, not just a subset. By integrating unstructured website data and conventional financial institution data, FI Navigator expands the depth of peer analytics and the breadth of market research to create vertical analytics on financial institutions and their technology providers.

So, in addition to my excitement at this new and powerful data source, I have three takeaways about fingerprint authentication:
  1. The gap between hype and reality for fingerprint authentication is big, but shrinking;
  2. Banks don’t have to be large to do this; and
  3. More banks should be offering fingerprint authentication.
Why is your bank or credit union not offering your customers the chance to authenticate with their fingerprint?

Mobile in the time of digital

Bank of America recently announced that it would triple spending on its mobile app. While no exact dollar amount was given, it made me wonder: what exactly does that entail? In the past, Celent has praised the Bank of America mobile banking apps as some of the best out there. The bank has been going strong with its digital strategy for years, even closing branches and reducing overhead to drive adoption. Bank of America recently added features like Touch ID, debit card toggling, two-way fraud alerts, and more to its app, and has been outspoken about the desire to personalize the digital experience. Its commitment to new features and functionality is reflected in the comments and ratings on iTunes and Google Play. Shown in the graph below, the bank's mobile banking adoption has been steadily growing, with a growing share of deposits.

[Figure: mobile banking adoption. Source: BofA Annual Reports/Investor Presentations]

So again: what does “tripling” mean when talking about an app that has obviously been well-funded for quite some time? As digital assumes a larger role with the business, the funding required to build a digital customer experience will extend beyond the reaches of mobile. The capabilities many consumers demand can be difficult if not impossible without significant effort on the backend to align technology. Banks are starting to realize this, building out unified digital platforms that streamline the architecture and better position institutions to offer truly modern, data-driven, and value-added consumer experiences.

These kinds of initiatives can often run in tandem with larger cultural and multi-channel efforts. In the press release for the announcement, Bank of America said it was launching a digital ambassador initiative which, similar to the Barclays Digital Eagles program, will see front-line branch staff reskilled to be able to assist with digital channels. The bank is also launching cardless ATMs later this year. I'm assuming the coincidence of these announcements is anything but, and that the funds for “mobile” will largely be dispersed over (or fit into) a wider array of strategic digital initiatives. Institutions need to create a solid digital base within the institution, bringing in culture, personnel, and technology across all channels and lines of business to start transforming digitally.

Banks are being challenged by the notion of “becoming digital.” Many have reached the point of recognizing the inevitable digitization of the business model, and are in the throes of decision making that will determine how equipped they are to appeal to the new digital consumer. Most institutions are experiencing these growing pains, and very few have committed to digital at the level demanded by customers.

If Bank of America is indeed tripling its budget just for mobile, then I'll be very interested to see the kind of features the bank develops over the next few years. Yet there's a lot that goes on to make the front end look good, and spending more on the front will mean more spending on the back. Mobile banking is a significant part of digital banking, but remember that it’s only ONE part. While new functionality gets the headlines, it’s what’s under the hood – culture and backend – that truly matters.

It’s not us, it’s you – why breaking (it) up is so hard

UK retail banking is undergoing yet another review of competition, with the initial conclusions released a few weeks ago. The full report is in excess of 400 pages – I must confess that I’ve not yet had chance to read it, but one has to assume that the press release is indicative of the tone and content. Which is worrying. At first glance… it’s frankly shocking, and shockingly poor at that.

Before I start a war with the CMA (Competition and Markets Authority), who are conducting the review, let me make sure we’re clear on the lens that I am using. I cover payments, not banking per se, so I’m looking at this through the eyes of a consumer. Remember, this is the very group that CMA is trying to help.

As predicted, the new and improved switching service provided a brief, temporary lift, but has pretty much reverted to the same level of switching that has existed for the last 10 years. My thinking has always been that the switching wasn’t the issue, but the fact that few consumers perceive there is little benefit to be gained. In short, most consumers believe that most banks offer pretty much the same thing, and at the same price.

Imagine my shock then reading the official press release: “Despite [some] encouraging developments, because too few customers are switching, banks do not have strong enough incentives to work hard to compete for customers through better products or cheaper prices, and smaller or better banks find it hard to gain a foothold.” Sooooo, basically you’re not getting better products because you’re not switching. Surely that can’t be right?! It continues: “The CMA says: “The problems in the market are unlikely to be resolved by creating more, smaller banks; it is the underlying issue of lack of switching which has to be addressed.”

Now, I’ve taken the quotes somewhat out of context – please read the full release – but the remedies proposed focus heavily on the switching, and not the underlying issue. The CMA seems to think that there is both differentiation and ways of finding the accounts. Both these points I believe to be deeply flawed.

Differentiation

The release suggests that “heavy overdraft users, in particular, could save up to £260 a year if they switched, and on average, current account users could save £70 a year by switching”. I suspect the key word is average. Do they mean mean, median or mode? UK bank accounts operate generally on a fee free basis, but with heavy penalty and overdraft fees. To save £70 on average implies the average person is overdrawn most of the year (i.e. they’re still overdrawn, but paying £70 less). £70 is £70 – but equally, it’s only 2 Starbucks a month.

However, the bigger issue is the assumption that the alternate bank would actually offer them an account with the overdraft they seek. Lending criteria has tightened up significantly over the last few years – most UK consumers have had the overdrafts and credit card limits reduced, and remortgaging is now frankly very hard work. I recently had to supply more than 15 additional documents to remortgage a house which 3 years ago took no more than 10 mins for a decision to be made, and where the value has risen by 20%.

The reality then is that the heavy overdraft users simply won’t ever get a better deal as their existing bank, if they’re accepted as customers at all. The “average” UK consumer won’t see any benefit at all – if they don’t go overdrawn, it’s very difficult to see where the savings will come from. Which just leaves a very small set of people who will benefit. The switching service needs to be measured against this set of people, not against all those who won’t switch!

Comparison

But perhaps I’m wrong? How can we find out? This element really surprised me. One suggestion was: “Making it easier for consumers and businesses to compare bank products by upgrading Midata, an industry online tool, launched with the support of Government, that gives consumers access to their banking history at the touch of a button. Midata allows consumers to easily access their banking data from their bank and input it directly into a price comparison website which can then analyse their transactions, and alert them to available bank accounts which best suit their needs. An improved Midata could have a radical impact on consumer choice in retail banking markets”

What?? Midata? What is Midata? Considering that the switching service has been heavily promoted, by the banks and on TV, the fact that I’m both a consumer and in the industry and have never heard of it, nor could I readily find details on it, speaks volumes. As a family, we have accounts at 4 of the 6 banks signed up. Not one, to my knowledge, has ever told me about it. My main bank has one single mention of it, as the last item in an obscure FAQ page.

I’m also uneasy that a well-known comparison website is hosting the service. Whilst the data is anonymized, I assume the site knows a fair bit – cookies will show I used the service, and so the ads will be served up to me based on my searches. Given that comparison sites get paid from ad revenue and lead generation, it feels a little too cozy. Not implying everything isn’t above board, but it undoubtedly put me off using the service.

So, enough ranting, where does this lead us? As a consumer, I suspect probably worse off. Further change will cost more money – and it’s the customers who will foot the bill. There is also the danger that the more affluent, who already play the system, will be the ones who benefit, whilst those at the opposite end will just find things harder. It would seem then at first glance (i.e. without having read the report in full yet) that CMA has potentially not only got it wrong, but is set to make things worse.

Proposed new cyber security regulations will be a huge undertaking for financial institutions

The New York State Department of Financial Services (NYDFS) is one step closer to releasing cyber security regulations, aided by the largest security hacking breach in history, against JPMorgan Chase. The attack on JPMorgan Chase is revealed to have generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts. Yesterday (Tuesday, November 10), the authorities charged three men with what they call “pump and dump” manipulation of publicly traded stock, mining of nonpublic corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and crossed 17 different countries.

On the same day as the arrests, the NYDFS sent a letter to other states and federal regulators proposing requirements around the prevention of cyber-attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation. Under the proposed rules, banks will have to hire a Chief Information Security Officer with accountability for cyber security policies and controls. Mandatory security training will be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision making authority
This will be a huge undertaking for financial institutions. Costs have yet to be evaluated but will be in the millions of dollars. It will be very difficult to police third-party security because, under the proposal, vendors will be required to provide warranties to the institution that security is in place. The requirements are in the review stage and financial institutions should join in the debate by responding to the NYDFS letter.

Why banks should pay attention to “Assistant as an App”

Last week I had the pleasure of going to Finovate, a biannual event (at least in NA) where startups and established vendors show off their newest creations. My colleague Dan Latimore wrote an in-depth piece about it last week. It’s usually a good temperature read of where the market is and what banks are thinking about. PFM used to be hot, now it barely makes an appearance. Mobile account opening and on-boarding was massive. Each year you can count on a few presentations tackling customer communication, whether it's customer service applications or advisory tools. While this year was no different, I didn't see any presentations representing an emerging trend in mobile: assistant as an app.

What is assistant as an app? Basically, it puts a thin UI between two humans: the customer and the service provider (e.g. retailer or bank). The UI layer enhances the interaction by allowing each party to push information back and forth, whether it's text, pictures, data visualization, etc. There is a wide range of possibilities.

Apps are already starting to incorporate this idea. For a monthly fee, Pana offers a human personal travel assistant who will take care of any travel related need. The concierge books restaurants, hotels, rental cars, and flights, all via in-app communication. Vida Health allows users to push dietary information to a health coach that can then send back health plans, ideas to diagnose health issues, or create a weight loss regimen. The dating app Grouper uses a concierge to coordinate group dates. EasilyDo is a personal assistant that can manage your contacts, check traffic, schedule flights, etc. The app Fetch uses SMS to let users ask the concierge to buy just about anything. For a small fee (sometimes free, subsidized by business or premium services) these companies provide value-added premium services to customers through a mobile device.

The applicability for banks is obvious. Finances can be complicated; most people aren't good at managing money, and according to Celent research, consumers still prefer to speak to a human for important money matters. Assistant as an app would offer institutions a clear path towards monetising the mobile channel, moving interactions away from the branch, and capturing a growing base of digitally-directed consumers. I predict this will be a major trend in financial services in the future. What do you think? Feel free to comment below.

Unbundling, Fidor, and the model for approaching financial startups

I've recently had multiple conversations with financial institutions about the trend of unbundling financial services by FinTech startups. In fact, it’s hard to discuss the future of the industry without touching on it. Articles from Tanay Jaipuria, TechCrunch, and CB Insights speak openly about inexorable disruption. They all tell a fairly similar story. Unbundled products and services disintermediate financial institutions by improving on traditional offerings. Banks lose that value chain. Banks become a utility on the back end, essentially forced by the market to provide the necessary regulatory requirements and accounts for nonbank disruptors. With images like this (see below), it’s hard to argue that it isn’t happening—at least at some level.

[Figure: Unbundling of a bank]

There are plenty of reasons to be skeptical about the hype surrounding disruption by FinTech players (shallow revenue, small customer base, etc.), but even if only a few manage to become sizable competitors, that still represents a significant threat to banks' existing revenue streams. There’s also data pointing to higher adoption in the future. A study from Ipsos MediaCT and LinkedIn showed that 55% of millennials and 67% of affluent millennials are open to using non-FS offerings for financial services. This number is surprisingly high, and the largest banks in the world are paying attention. The threat of losing the customer-facing side of the business is a legitimate risk that banks face over the next 5-10 years.

But there's a possible solution that could enable banks to remain relevant even as they begin to see some of their legacy products or services fall to new entrants: be more like Fidor Bank. Fidor Bank is a privately held neobank launched in Germany. It has a banking license and wants to transform the way financial institutions interact with their customers by creating a sense of community and openness. The bank views its platform, fidorOS, as a key differentiator that allows it to offer customers services from start-ups or new financial instruments. For example, it offers its customers Currency Cloud for foreign exchange as well as the ability to view Bitcoin through its platform.

Going forward, it may make more sense for financial institutions to take this approach. Banks can't be everything to their customers, and there's a healthy stream of market entrants trying to chip away at the banking value chain. A middle way is that banks become an aggregator for popular nonbank FinTech offerings as they become popular. This would preserve the benefits of traditional bundling by aggregating offerings and re-bundling them alongside its home grown services. Some benefits include:
  • Maintain the consumer facing side of the business by letting customers access these services through your platform
  • Increase cross-selling and marketing opportunities
  • Preserve a convenient and frictionless experience by reducing the fragmentation of unbundling
These benefits would provide value to both the FI and the FinTech partner, and it's not a new concept. Netflix is effectively an aggregator of content from a variety of production companies (along with creating great content of their own). The music industry has been offering bundled services for more than a decade. Banks are loath to forfeit parts of the business, but as other industries have seen, the longer they wait the more disruptive the change will be.

Banks are asking the wrong customer engagement question

I have heard banks ask, “How do we use digital channels to bring traffic into the branch?” The rationale is straightforward. After years of promoting self-service channels, branch foot traffic is declining – along with the sales opportunities that foot traffic represents. It’s a logical question, but the wrong question. A better question would be, “How do we enable effective customer engagement on their terms regardless of the channels involved?” Rather than seeking to influence customer channel preferences, banks should be all about maximizing the effectiveness of each and every engagement opportunity, regardless of channel. They don’t seem to be.

One no-brainer example is digital appointment booking – the ability for customers to book an appointment with a banker at a time and place of their convenience – using the bank’s online or mobile platform. Doing so represents convenience for the customer, a logical indicated action as part of online product research and an opportunity to improve branch channel capacity planning (because of the added visibility the mechanism provides). But, the most compelling reason to offer digital appointment booking in my opinion is because doing so maximizes the effectiveness of branch engagement. How so? Done well, frontline staff know who is coming and for what purpose. Consequently, they’re better prepared for the conversation. Banks that have implemented digital appointment booking are seeing significant improvements in sales results.

Digital appointment booking should be commonplace – but isn’t. In an October 2014 survey of NA financial institutions, just 8% of respondents offered this capability. Most were large banks.

[Figure: OAB adoption. Source: Celent survey of North American financial institutions, October 2014, n=156]

Even better would be to extend the appointment booking option to digital channels, as a phone or telepresence conversation. Engagement doesn’t have to be limited to face-to-face interactions – but is, in all but the largest banks. In the same survey referenced earlier, just 20% offered text based chat online, 12% offered click-to-call and 2% offered video chat.

[Figure: Online Channel Engagement Capability. Source: Celent survey of North American financial institutions, October 2014, n=156]

So, while banks offer abundant digital transactional capabilities, engagement remains largely something only offered at the branch. That dog won’t hunt for long!

Is the branch the newest digital channel?

The branch is an important channel in every bank, but the rise of digital raises two questions: what’s its role within a digital engagement model, and how should banks think about its value? First, consider some of the challenges of the traditional branch for the modern, digital consumer:
  • Branches suffer from lack of talent availability. The best person for the job is not always going to be in the right location at the right time. Yet mobile is driving “right time, right place, instant” contextual interactions, and consumers are increasingly expecting this level of service.
  • Many of the frontline staff are underpaid and undertrained, yet are the face of the institution. They often aren't trained properly or paid enough to care about delivering the kind of customer service banks are trying to deliver through digital.
  • It’s difficult to distribute foot traffic across locations. Some branches suffer from massive queues, while employees at other locations are killing time on Facebook. This adds cost, lowers efficiency, and is incompatible with demand for instant service from consumers as well as modern IT delivery.
Digital has allowed industries to overcome some of the barriers facing other customer experiences. The challenges facing branches are no different. Virtualizing the workforce, aggregating talent, and allowing customers to access them remotely, either in a branch environment or from a personal device, is at least one path forward. Banks need to start thinking about the branch as a digital channel. Some institutions like Garanti Bank in Turkey, ICICI in India, and Umpqua Bank in the US are already starting to think in terms of remote delivery.

As video service becomes more mature (i.e. video advisory through tablets), user experiences across devices will begin to blur, and the branch of the future will look even more like a digital experience. In the new environment, the branch becomes another presentation layer. Vendors like Cisco are already starting to move in this direction, combining telepresence, remote signature, displays, and other infrastructure to allow banks to facilitate remote interactions using context information. Others in the market are beginning to follow suit.

The branch of the future has been a topic of discussion since the advent of online banking and mobile. While some meaningful progress has been made in branch transformation, some large institutions have launched numerous pilot ideas and concept branches that have amounted to little more than PR stunts. The role of the branch is changing, but it’s obvious that many aren’t exactly clear what that role is going to be. By talking about the branch as a digital channel, institutions may be better able to craft a true omnichannel strategy for customer experience.