A solid customer identity and access management (CIAM) strategy is a crucial ingredient in successful digital transformation. Over the last several months, many financial services organizations have been forced to recognize that they’re not ready to operate fully online. Features and capabilities that seemed like nice-to-haves in 2019 are being rushed to market in 2020 to meet consumers’ rapidly evolving needs. Delivering a seamless user experience without compromising a strong security posture is the fintech challenge of the moment.
CIAM is among the best tools for building digital resilience and strengthening online banking security. Auth0 CEO and co-founder Eugenio Pace and IMDWORKS founder and CEO Paul Bedi talked with Nick Holland of Information Security Media Group (ISMG) about the role of CIAM in helping banks adapt to our new remote reality and what this means for the future of banking.
Banks Must Change How They Interact With Customers
Life for most people has changed radically over the last several months, and we’ve reached an inflection point where we’re appraising and challenging established systems and procedures. Put plainly, banks, and fintech companies must change how they interface with their customers.
“The way that banks interact with their customers will evolve massively.” — Paul Bedi, Founder, and CEO of IMDWORKS.
For instance, telehealth has gone from an occasional use case to the new default for many types of healthcare. This shift has accelerated the pace of innovation as health systems and technology providers work to redesign their products and procedures for a new system of care.
The COVID pandemic has also created new opportunities for fraud and data theft, raising the security bar even higher. The Federal Trade Commission reports that Americans have lost more than $13.4 million to COVID-related scams since the beginning of 2020. Meanwhile, VMWare noted an alarming 148% surge in ransomware attacks between February and March 2020, along with a 38% increase in the number of cyberattacks in the same period. It’s never been more critical to leverage CIAM to seal up the cracks and ensure your identity strategy is sound.
Enable Contactless Transactions
To establish a financial relationship, people used to bring proof of their identity into a brick-and-mortar bank and show it to a bank employee. Before 2020, Millennials’ preference for online banking over in-person transactions was already driving the industry towards developing better remote capabilities, but the pandemic has accelerated this shift. Financial institutions must be able to authenticate customers remotely: not just when they are accessing an established account via ATM or mobile app, but also when they are first launching their financial relationship. The cost of face-to-face interactions, whether measured in terms of public health or time optimization, has risen.
In general, a trend toward contactless transactions has become apparent. When we ordered a takeout dinner in 2019, we met our delivery driver at the door as they handed over our eagerly-anticipated meal. Now food delivery services leave our orders outside the front door and text us because neither party wants to be exposed to unnecessary risk — and because we have the technology to enable us to neutralize that risk.
Other everyday procedures such as notarization, which traditionally involves a face-to-face interaction, analog signatures, and a physical stamp, need to evolve to match the current situation. Because of pandemic-related travel barriers, pace points out, and demand is growing for technology that facilitates international transactions and interactions. It’s no exaggeration to say that we are in the process of reimagining and rearchitecting the entire technological infrastructure upon which we’ve built our lives and livelihoods.
Earn Customer Trust With User-Centric Security
People have faith in physical banks, Holland suggests because they can see the vault and the teller; there are powerful visual clues that the bank is secure, inviolate. The structures for cultivating and reinforcing this same level of trust in online banking security need to evolve.
A data breach has a devastating impact on customer confidence. IBM reports that the average data breach costs $3.92 million — of which 36% ($1.42 million) is the direct result of lost business. A 2019 customer survey from Ping Identity found that 81% of respondents would stop engaging with a brand online if there were a data breach, while 25% would stop engaging with the brand across all channels.
Bedi advocates for fintech companies embracing public, user-centric security policies and guaranteeing the security of user data across online and mobile apps. “The onus is on you, the company, to protect them, the users,” he says. He urges banks and financial services to consider establishing a contact center staffed with knowledgeable people who can help customers troubleshoot and resolve fraud issues. Now more than ever, Bedi suggests, people want to place complete trust in their financial institutions; they want the reassurance of guaranteed security and genuine accessibility.
Balancing Security and UX Requires a Fresh Authentication Approach
Maintaining a strong security posture without creating friction that drives users away is a perennial challenge. This is especially true with fintech companies and banks: They operate under heavy regulation, and their top priority is protecting user accounts. Their user bases, meanwhile, often vary wildly in terms of technical sophistication, so the authentication function must be low-friction to avoid confusing, frustrating, and ultimately losing customers.
Lose focus on UX and lose 32% of your users
The impact of a cumbersome user experience is easy to dismiss, especially when it’s so important to protect customer data (not to mention a legal requirement across 65% of the globe). But bad experiences for users translate directly to lost revenue for you. PwC found that almost a third of customers will abandon a brand they like after just one negative experience. That’s why it’s crucial to balance high security standards and a smooth customer experience.
Bedi argues that achieving this balance means making the security paradigm completely invisible to users. In other words, making the systems and processes involved in verifying and managing identity so seamless that the user scarcely registers them. “That’s when you know you’ve succeeded [with CIAM],” he says.
Put authentication decisions in context
A primary consideration in balancing security and user experience, says pace, is a keen understanding of the context in which interactions are happening. Situations with different levels of risk demand different levels of authentication. For instance, just checking an account balance might require a lower level of authentication than making a transfer. When a user attempts a higher-risk action, they’re prompted with an additional verification step, like multi-factor authentication (MFA) or a CAPTCHA.
Authenticating based on context also involves looking at what time of day a request was made, from what location, and using which device. Historical behavior patterns also come into play. For example, if you always pay your bills on Monday evenings from your laptop at home, a smartphone login in the small hours of Saturday morning from an unexpected location might trigger an additional verification step, because there’s contextual evidence that you are not the one making the login request. On the other hand, a Monday evening request from your living room might not require that additional authentication — and demanding it might create sufficient friction to drive you, the user, to another bank.
Pace explains that the security world has tended to view authentication in binary terms: a user is either authenticated or they’re not. Fortunately for today’s use cases, modern CIAM technology is sophisticated enough to evolve systems to evaluate all of these contextual factors when making decisions. Requesting different levels of authentication depending on context allows fintech companies to maintain high security standards without pestering the user for authentication every time they turn around.
The Bank of the Future Isn’t Just a Bank
No one has a clear idea of what the future of banking will be, but what is clear is that many features will remain digital. Even once it’s possible to do more banking face-to-face, plenty of customers will still prefer to bank remotely. A hybrid structure is how fintech companies will thrive going forward.
In a post-pandemic world, real-life interactions will incur a new kind of value, and this certainly applies to financial services companies. One possibility Bedi raises is that banks will transform into offshoots of the community. Like Capital One Cafés, banks might leverage their real-estate assets by opening common spaces where people can transact business face-to-face — adding another layer of value to the banking experience. Another possibility is that banking locations could become remote call centers for customers with the kinds of questions that would once have been addressed in person.
Bedi’s predictions largely align with how pace sees banks evolving in the near future. “The emphasis will be on relationship-building,” he says. In order to keep customers coming through the doors, banks will have an opportunity to deliver value users can’t get online. A bank branch could, for instance, proactively reach out to local customers who qualify for a higher line of credit or a lower interest rate on their mortgage, instead of waiting for customers to seek out their services.
The Future Calls for CIAM
Ultimately, no matter what new revenue streams financial companies discover in the course of hybridizing their structures, both customers and vendors will be pressuring banks to digitize more fully. A sound CIAM strategy clears the way to next-generation UX without increasing the security risk to customer accounts.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.