With the COVID-19 lockdown wiping out many face-to-face interactions, it’s hardly surprising that more of what we do has naturally moved online.
For the consumer, online shopping has become the norm, but so too has opening accounts digitally; even if you look at financial accounts where many would say there is a higher risk of loss. 89 percent of UK citizens say they would open a financial account digitally - using a mobile app or on a website - of those 83 percent would open a current account, 70 percent a credit card account and 74 percent would take out a mobile phone contract.
But the move to digital channels comes with the responsibility to protect both customers and organisations from fraud. This includes application fraud – i.e. a fraudster uses a stolen or synthetic identity to open an account and account takeover fraud - where fraudsters know enough about someone to login to their accounts and take them over.
This blog post highlights six of the issues and risks in the identity management process where COVID-19 demands organizations focus their attention.
1. Customer experience
There is a fine balance to be struck between managing ID security and offering customers an acceptable experience. If you make security too difficult to fulfil then you risk losing business. If you make it too easy, then the risk is that you let fraudsters in. The question is no longer if you will offer services digitally, but how finely you can tune that balance.
This is where organizations that are ‘digitally native’ have an advantage; they are not trying to tie together multiple legacy systems. And when they have built from the ground up with a digital first mentality, they have a 360 degree view of each customer.
In contrast, established organizations where information about customers may be in silos will need to rethink how they share information across systems. For example, in banking there have been cases where an account is closed because of fraud, whilst simultaneously another part of the bank is opening an account for the same fraudster. The bank may have all the information they need to stop the criminals, but they can’t share it effectively.
2. Working from home and data security
Remote working doesn’t only impact the organisation in terms of how it authenticates employees. If the business provides services to consumers it also has an impact on customer identity verification.
COVID-19 turned call center workers into home workers and in an emergency timescale. And even though some organizations have reinstated office-based working for some employees, there are still many brands ‘promoting’ home-based call center services. In this context, organizations need to ensure the practices, policies and systems available in a call center can be replicated in a home working environment. Verifying customers’ identities by operatives working from home should not come at the expense of data security and privacy. Poor ID and access management increases the likelihood of an organization suffering a data breach and with that comes the risk of substantial fines (up to four percent of annual turnover under GDPR) and loss of reputation. These should be fundamental concerns for any business, but for those that hold substantial amounts of in-depth consumer data, the need to reassure customers, shareholders and wider society means that it should be an underlying principle of how they do business.
3. The non-digital customer
While many people are digitally savvy, those currently being forced to use websites and apps to access services (particularly banking services) may not be. To accommodate increased digital interaction without being off-putting, organizations may have needed to relax identity checking and authentication standards. The acceptability of this was signalled by the Financial Conduct Authority which, early in the pandemic, relaxed its rules to allow more widespread use of ‘selfie’ technology to open bank accounts.
It’s all very well to suggest that organizations lower security standards to serve new digital customers, but undoubtedly fraudsters and money-launderers will take advantage and those that lower defences too much will likely see increased levels of attack.
4. Appropriate friction
A completely seamless user experience is important but shouldn’t be the aim of every interaction. Sometimes, a little friction is necessary to demonstrate the importance of security, for example, if a customer could log in and carry out transfers of funds without seeing any security in place they may feel unprotected (even if the payment service provider was assessing security invisibly). And in some cases, friction is an absolute must. For example, if you are about to send money from your bank account to a new beneficiary, your bank really does need to inform you about fraudsters that use social engineering to get you to send them money and they do this by asking you to confirm that you really intend to make the payment. In other scenarios friction needs to be as limited as possible.
Username, password, OTP by SMS to make a low value card payment can cause unacceptable friction and lead to transaction abandonment. The ability to make the right decision in every case means that blanket policies about what authentication to use are unlikely to work and this has led to the development of the concept of adaptive authentication. This type of authentication means making sure that the most appropriate method(s) are used at every interaction specific to the factors present including customer preference and ability, level of risk/risk appetite, cost of authentication and regulatory requirement.
5. Retaining customer trust
Identity management facing new challenges and an increased risk of breaches in security, may result in loss of customer trust. In the long-term brands do seem to recover from the trust that they lose – perhaps, the sheer volume of breaches has made consumers feel that these incidences are inevitable. What can make all the difference is how an organization responds to a breach. Response times and reporting are now enshrined in EU law through GDPR, however, there is still scope for organizations to get it wrong.
Lack of notification, poor support for those whose data has been lost and ill-advised statements to the press can all increase the long-term loss of customer trust after a breach. Whilst friction that interrupts customer interactions can be viewed as a negative, showing that you have security in place may be seen as a positive.
6. Communication and centralisation are vital in this brave new online world
Information being in silos is the enemy of both personalization and protection – but it isn’t easy to get it right, particularly for long-established organisations struggling with multiple legacy systems that cannot communicate. Any attempt to centralise information has to be a top down approach with buy-in at the most senior level. Most organizations have changed their attitudes and are willing to share customer information, but time and investment is still needed to make it a reality.
For more information about how FICO helps organizations deliver better customer identity management visit:
