How can banks strike a balance between user experience and security demands?

Financial institutions pay close attention to how they can improve their customer experience to gain a competitive advantage. However, operating in one of the most heavily regulated industries, these institutions face a complex web of security pressures and obligations that can affect their efforts to streamline and digitise the customer experience.

This friction between delivering great customer experiences and meeting the evolving challenges      of securing customer data and preventing fraud is exacerbated by the disruptive and rapidly changing landscape of digital challengers within the financial world and beyond.

Meeting security requirements may impact incumbent banks' ability to deliver a smooth customer experience.     

In this piece, Finextra interviewed experts from WSO2, Barclays, ING, and TSB Bank to gain insights into the challenges faced by financial institutions as they strive to balance meeting consumers’ digital expectations with the obligation to protect and maintain security.

Why is security impacting banks’ efforts to provide a seamless customer experience?

Beyond operating in a heavily regulated industry, banks are increasingly transforming their operations toward multi-channel, digital-platform based models. As they move towards using cloud computing systems in their architectures, there is a risk that the moat built by banks around their data stores could become more vulnerable to attack.

Many perceive this as a rapidly evolving problem that banks and their tech teams must manage. Seshika Fernando, vice president of banking and financial services at WSO2, explains that this is particularly so in the context of digital banking.

Banks face the challenge of ensuring the identity of individuals engaging with their digital banking channel (such as carrying out transactions or requesting services) is in fact that of the customer. This requires frequent and secure verification of both identity and intent.

“Unfortunately, those who conduct their finances through their bank’s digital portal have their identity checked at multiple points during their banking session. As a result, the bank interrupts customers to ensure the verification remains authentic and secure. If you've ever banked with a traditional or incumbent bank, you know what I'm talking about,” Fernando states.

The problem for banks is that verification has largely been a user-driven process, and the customer must provide specific inputs for banks to verify whether they are genuine users of its services.  This is explored during an in-depth FinextraTV discussion with Fernando and Constantin Mareș, EMBA, who serves as the chief digital officer at OTP Bank Romania.

Fernando believes this impedes an outstanding customer experience. “Data platforms like Netflix, eBay, and Amazon all have great customer experiences because the customer is not interrupted frequently. We just keep consuming without interruption. Sadly, this isn’t the same for digital banking, and it’s frustrating for users and banks alike.”

TSB's head of fraud, Steve Cornwell, explains that banks have a range of available technology and controls to establish strong and reliable channels of communication and interaction with customers.

He observes that digital apps, with strong authentication controls and layers of detection technology, are a great example and have delivered good results. However, as Fernando noted, these rely on the customer providing input to maintain that level of security.

“Across the board, we are seeing a growing use of ‘social engineering’ by fraudsters to circumvent these controls through authorised push payment (APP) fraud – they are targeting customers as the ‘weak link’ in the chain,” states Cornwell.

“The scale of APP fraud amounts to losses of nearly £1.5 million every day across the banking sector. Almost every fraud case starts from weaknesses and vulnerabilities on other platforms – such as social media and telcos. This is a challenge that banks are actively facing, but a number of these cases could be prevented at the source if social media companies provided safe platforms for their users. For instance, UK Finance figures show that 78% of all fraud starts online.”

Impersonation scams are a prevalent modus operandi in fraud, as explained by the global head of fraud at ING, Jaco Struik.

“The tactic is not easily scalable, and fraudsters have a relatively high failure rate,” but Struik questions – what if they could improve their success rate “not only by making persuasive phone calls, but also by leveraging real-time deepfake technology during video calls to look and sound like a customer’s long-term account manager? They could use generative AI to automate these calls, drastically increasing the scale of their operations.

In what ways does security impede banks’ efforts to offer a smooth customer experience?

Fernando argues that consumers experience varying levels of frustration as some banks attempt to minimise customer interruptions by implementing tools like biometrics.. Biometrics doesn’t entirely solve the issue, but they enhance the customer experience when engaging in banking transactions.

Fernando explains that most banks are trying to find the balance between security and customer experience. “If banks reduce the number of verifications, the customer experience improves, but there is a higher exposure to the risk of fraud. Conversely, if banks tighten their security and increase the number of verifications, this results in a negative customer experience. Banks are always trying to balance this see-saw between security and customer experience.”

Cornwell concurs, stating, “Meeting customer experience expectations and managing the security of customer interactions will always be a balancing act. Banks cannot simply clamp down with rigid or inflexible controls that prevent all fraud, as this would greatly slow down the payment journey that consumers are used to and rely on. A balance between robust checks and consumer experience is key.”

He adds that due to fraudsters’ continued adaptation to banks’ control measures, the constant evolution of controls, checks, and balances is vital.

The organisational structure of banks also lends itself to reinforcing a to-and-fro between product-focused teams and operational or security-focused teams. In most cases, requests from security teams are more likely to be implemented, as banks tend to prioritise caution in these circumstances.

Matt Valentine, director of Next Generation Platforms at Barclays, takes a slightly different view. He explains that while safeguarding customers’ funds and data is a top priority, the bank also strives for seamless and user-friendly experiences to meet customer expectations.

“However, this doesn’t have to be at the compromise of security,” Valentine emphasises. “Security can actually be a massive enhancer to experience if done in the right way. Take FaceID on the iPhone, for example (which can be enabled in the Barclays app), what’s more unique to you than your face? What’s more seamless than not having to press anything to access your app, but knowing it is 100% secure?”

Valentine further emphasises the dramatic shift in consumer behaviour toward digital banking, with over 10 million customers banking with Barclays digitally and conducting over 90% of their transactions digitally. Because of this shift, he argues that a crucial element of creating a truly consumer-centric journey is ensuring that every customer is aware and in control of what they are doing, and the boundaries they set. An example of this is in-app card control features where users can set their own contactless, ATM, or spending limits and amend them any time, in real-time

How are incumbent banks approaching this challenge today?

Cornwell states that prior to APP and social engineering fraud, the development of anti-fraud controls had all been about implementing layered controls, or, “the ‘Swiss Cheese model’.” 

This is where banks use a combination of controls including authentication, malware detection, behavioural biometrics, device intelligence, and transaction monitoring to create a “very strong defence against fraud,” making it expensive (albeit not impossible) for fraudsters to circumvent. However, APP fraud bypasses most of these by persuading customers to make transactions themselves by relying on emotional blackmail and persuasive, complex, and sophisticated tricks. What many banks are doing is a combination of repurposing existing controls and building new intelligence layers. 

Cornwell also points to repurposing existing controls, specifically mentioning the potential of behavioural biometrics. He stated that it was originally designed to analyse a customer’s behaviour on their device and notify the bank if there was a deviation from their recognised profile. “This use case can be turned on its head so that instead of looking for the customer, behavioural biometrics can be used to profile what a typical fraudster looks like and be on the lookout for them.”

As technology continues to rapidly evolve the customer experience, will this be a challenge that banks always face?

Fernando does not view evolving technology as a challenge that banks will always face, especially since a handful of progressive banks are finding ways to “circumvent the need to balance.” Instead, it’s about identifying the appropriate technologies and technical methods for conducting verifications, rather than sticking to the status quo.

Cornwell asserts that banks will always need to be at the cutting edge of technology because their customers will demand it. “However, while this does present challenges, these evolutions also present opportunities. Just imagine if you’d asked that question in the 1990s, when internet banking was invented!”

When discussing whether banks are satisfied with meeting customer experience expectations while improving and strengthening their security, Valentine explains that customer desires are always changing and they will continue to expect more from banks. “This is a challenge we welcome, as we never want to get comfortable or satisfied with the status quo and will always be striving and improving to find new opportunities to make things easier for customers or to offer helpful and intuitive ways for them to get more from us as a bank.”

Struik believes that constant evolution is the nature of the game. As technologies evolve, so too will customer expectations, leading to new and greater opportunities for financial institutions. “And at the same time, new technologies and processes allow for new attack vectors on the side of fraudsters. Our role is to meet those expectations, leverage on the potential, anticipate the threats, and mitigate accordingly.”

He points to generative AI and its reportedly limitless potential to enhance banks’ customer experiences. However, he also observes the darker side of this technology, as fraudsters are leveraging the technology to deploy phishing messages. “We need to identify these threats, understand their application, and find ways to mitigate them constantly. When it comes to identifying these threats and understanding their applications, the time to act on them is yesterday. In-house, and with technology partners. Alone, and as an industry,” Struik states.

It will also be interesting to see what can be achieved by collaboration with other parties whose platforms and products are (ab)used in the executions of fraud attacks, Struik continues. Taking the impersonation scam again as an example, almost every step of this scam happens outside of the banking environment. “It is only at the very last step, the execution of the transaction, that the fraud moves to the banking environment. This means that in order to effectively mitigate these attacks, all parties in the chain need to step up and take responsibility. Luckily we see this happening more and more, as we believe that such an integral approach offers a lot of value.”

Valentine also raised this point on collaboration, observing that intelligence, or the bank’s ability to share data on fraud typologies is very powerful. If both the sending and receiving banks can share data about their accounts, they can achieve a more holistic assessment of the fraud risk associated with a given transaction. This makes payment journeys far less dangerous to participate in.

What are the technologies available to deliver new customer experiences without sacrificing security?

Fernando states that fewer interruptions to the customer remove the tug-of-war between innovation and security. In fact, she adds, “it becomes a virtuous circle where the fewer interruptions the customer experiences, the more they interact with the platform, which generates more data for the bank, which in turn improves verification. If banks can move towards data-driven authentication, it removes the need to approach this issue of striking a balance between friction and security.”

Banks and their customers do not have to endure the friction caused by user-verification indefinitely. As discussed in Fernando’s white paper, Behavioural Authentication: Improving Security and CX Without Compromise, by recognising and leveraging technology that enables data-driven or behavioural verification, it becomes possible to monitor activity after the initial login without disrupting the user experience. Users may be prompted to verify their details biometrically only if any suspicious or unusual activity is detected.

Struik feels there is a misconception that customers of financial institutions experience many types of security-related friction when accessing their accounts, onboarding, or enrolling in their banking apps. “Clearly there are worse and better experiences, but the solution does not lie in removing friction altogether. In fact from experience we see that if we only rely on invisible and frictionless security measures, customers’ overall experience of the process and feeling of trust and security are negatively impacted. As a financial institution our customers entrust us with some of their most valuable assets, and our customers want to see and feel that we take that responsibility seriously.”

Taking a different perspective, Cornwell thinks that instead of prioritising ‘new technologies’, the focus should be on using existing technologies intelligently. “Where and how you use them in the journey is important.”

He explains that the safest point to register and enrol a customer for secure direct channels is during onboarding, as there is little risk at that stage of an imposter trying to access and steal funds. Thinking about future customer needs is also important in designing controls that enable them to enrol those new devices securely. “Of course, there will always be new technologies that will evolve, and banks must keep pace with these and exploit them.”

Conclusion

Financial institutions face a significant challenge in balancing user experience and security demands. While they strive to enhance customer experiences and stay competitive in the digital era, they are required to adhere to strict security standards and protect customer data from ever-evolving threats. This is further amplified by the rapid disruption and innovation introduced by digital challengers in the industry.

Efficiently securing and verifying identities while ensuring robust security measures are  major  obstacles to delivering a seamless customer experience. Traditional verification methods often disrupt customer journeys, leading to frustration and a subpar banking experience. Balancing security measures with customer expectations is crucial. While decreasing verifications can enhance the experience, it also increases the risk of fraud. On the other hand, tightening security can result in a negative customer experience.

Banks must continually adapt their strategies to meet customer expectations, leverage new opportunities, and anticipate emerging threats against the backdrop of evolving technology. They can create a customer-centric journey that combines seamless experiences with robust security measures by utilising existing technologies, designing secure onboarding processes, and incorporating customer feedback.

Ultimately, if banks position themselves to welcome innovative technology, such as data-driven authentication, they will no longer be forced to find a balance between heightened security and improving the customer experience. In fact, they will be able to enhance both pressures simultaneously.