Deputizing the Customer

By James Van Dyke

Research suggests that combating identity theft will require nothing short of a reorganization around customer security, including proactive communications and an embrace of how the online channel can protect customer interests.

It's been a while since bank customers in the United States were heavily preoccupied with the security of their deposits. One has to go back to the Wild West, where armed guards rode atop stagecoaches to watch out for bandits or, more recently, to the Great Depression, when bank failures wiped out customer savings. Since the 1940s, at least, depositors have been able to focus on other issues such as service quality and interest rates.

But the bad old days may be returning to some degree, with the recent wave of identity theft-related fraud, which has been called the nation's fastest growing crime by many law enforcement agencies. An update to the Federal Trade Commission's 2003 Identity Theft Survey Report, scheduled for a January 2005 release by Javelin Research, will show that there were over 9 million victims of identity fraud in the last twelve months. Many of these fraud attempts involve bank accounts. Meanwhile, record numbers of bank consumers receive new forms of fraud attempts, through e-mail, bogus Web sites and more.

As a consequence of the recent outbreak, banks must once again position their offerings around security. Are they up to the challenge? Unfortunately, many are not. Misunderstanding the threat posed by identity fraud, banks still mainly assign its prevention and detection exclusively to risk and fraud managers. Much more is required in this era of multi-channel delivery systems and the widening proliferation of personal information. A modern security approach requires that safety priorities be shared across multiple disciplines such as customer education, channel interface (teller training, ATM or online banking) and chiefly, the customer.

Bank security must now become a top-level priority across all departments that interact with customers. As with previous perilous periods in which banks had to devote disproportionate resources to protecting customer assets, today's banking system must reorganize around customer security.

The Customer's Role

The scope of the challenge can be seen in our recent research demonstrating how security factors increasingly determine customers' choice of bank and service.

In 2003, we asked 2,900 online consumers the following question: "If you were to select a new financial services provider, which of the following criteria would be important to you?" Twenty-seven percent selected "Improved financial stability or security" among their responses. By 2004, the number had jumped to 36% of all respondents. We believe that future years will see an even greater increase. Another pertinent finding of this survey involved a response to a question of why respondents did not access their bank accounts online. In 2004, fully 21% cited fear of unauthorized access to their information, up from 17% the year before.

To meet these customer concerns, banks must elevate messages of security and reorganize their fraud-fighting efforts to involve not only bank security, education and product design but also, perhaps for the first time in history, the customer. Organizations need to be realigned around fraud prevention and detection.

Security specialists can no longer be kept behind closed doors, charged with detecting fraud on the customers' behalf. Rather, these knowledgeable specialists must be organized in triad teams, integrating security knowledge with individuals who determine the communications that have the potential to change consumer behavior, and the customer interface specialists who design products and even training programs used in online banking, ATMs, and even branch systems and employee training programs.

Security, education and product design specialists each play a valuable role in deputizing the customer. And as they increasingly work together in this role, customers can be invited to prevent and detect fraud on their own behalf.

This customer role is critical because customers have unsurpassed motivation and knowledge of their personal transaction patterns. And never before have banks been in a position to deputize customers to protect their own accounts. This can be done by providing customers with more current information on account activity through a variety of channels and notification methods and profiling systems.

In fact, customers are involved today. Javelin's 2005 Identity Fraud Survey will show that three out of four fraud victims detected fraud on their own, primarily through account activity monitoring. Only 20% are notified by their bank or other trusted provider. Customers are increasingly monitoring accounts and other personal information via electronic channels, with unprecedented ability to detect fraud that could be potentially committed in their own names. Surprisingly, the bulk of such self-detected fraud still occurs with the paper statement, which was never explicitly designed as a protection method, and is limited to 30-day cycles and a single stationary destination address.

But few banks have adopted the deliberate strategy of "deputizing customers." We believe that banks can implement strategies that result in account-holders blocking even more cases of identity fraud through early detection. This should result in limited losses for all, with increased loyalty between the accountholder and institution.

According to our new research, new-account fraud comprises the majority of the cost of all identity fraud cases. It can be detected in its early stages through just one method: credit bureau alerts. Yet at most banks, these reports are overpriced, non-existent or both. Because the opening of most new accounts necessarily requires a credit inquiry, the credit reporting industry can offer subscription-based services that notify legitimate account-holders of activity or changes relative to their personal identity. However, at price levels such as $40 to $80 for an annual subscription, it's unlikely that many individuals will ever subscribe to such an essential service.

Banks and credit bureaus must work together to lower the cost of this essential capability, while fully integrating availability and reporting through the customer's existing financial providers. Alert messages for existing accounts (such as checking, savings or payment card) can also enable customers to become deputized, by giving them the information and authority to monitor their own activity through real-time notifications of such activities as high or low balances, unusual transactions and more.

When a problem is suspected today, financial institutions primarily alert only risk and fraud experts to activity that could indicate the existence of fraud. This is despite the fact that account-holders possess unsurpassed motivation and self-knowledge. It's time to change this model, and the change will pay added dividends in the form of customers who are more loyal and frequent users of a bank's interactive services.

Leveraging New Channels

In order to increase customer security, banks must also fully embrace (rather than blame) new channels such as the Internet. It is na•ve and wholly ineffective to respond to the inherent risks of electronic banking and payments while not also taking advantage of the exclusive new strengths that these new channels bring. Banks that operate or communicate as if new channels represent only heightened risk are most likely to suffer the greatest loss, not only in malicious activity but also in reduced growth and profitability.

New data from Javelin's 2005 Identity Fraud study shows that (from victims who know the origin of the crime) identity fraud originates from the following major sources, listed in order of prevalence: a lost or stolen wallet, checkbook or credit card; transactions such as card skimming or a dishonest clerk; from a perpetrator previously known to the victim; from corrupt employees with access to private data; from stolen paper mail; and through computer spyware.

Criminals have the advantage of being free of the inefficiencies that currently hinder bank fraud-fighters — organizational limitations or outdated policies and procedures. Simply put, fraudsters can often out-sprint and outmaneuver banks, inventing new forms of fraud faster than institutions can develop a response. However, institutions can win in the long run by embracing the inherent advantages of Internet channels, including the elimination of paper and frequent detection.

Customers must be educated about the risks of the Internet and any other new channel in the same way as new automobile drivers are expected to be thoroughly prepared for their added responsibility. (Regrettably, those who use new channels and devices are not required to pass certification. We fully expect leading financial institution executives to eventually and respectfully pilot such concepts.)

In addition to detection, banks must also harness the inherent potential of new channels for their use in fraud prevention. For example, online banking excels in the ability to prevent many cases of identity theft while deputizing customers to detect fraud with greater efficacy. Identity fraud begins with identity theft, which is the illicit access to personal information for the express purposes of committing a crime in another's name. With electronic channels, paper delivery of statements and other private documents can be eliminated, moving many potential victims out of harm's way.

However, many customers will not be persuaded to eliminate paper statements until their bank is willing to actually state potential security advantages while adding important capabilities that make electronic delivery as convenient to use as paper and mail methods.

Educational Messages

A balanced approach begins with education, yet today's educational messages often scare customers away from the remedy or simply leave them in the dark. In a September 2004 Javelin mystery shopping survey of banks' online customer service representatives, 15% of 40 large banks' Web sites lacked educational messages regarding significant types of new fraud. And while 85% of sites did provide warnings related to identity fraud that could result from electronic channels, just 54% warned their customers about the cases of fraud that could result from traditional channels.

Such imbalance and omission in the critical area of education not only deprives customers of essential information, but it also gives the impression that new channels are for those who are willing to endure significant risk. Certainly, "Web-phobic" messages will also result in customers who will remain ignorant of how to use new channels to more effectively prevent and detect fraud.

And yet, if new channels bring both risk and safety (primarily dependent on the degree to which customers have been properly educated), one-sided educational approaches will serve to scare away some customers from the very protection offered by new electronic channels. As an example of balanced education and cautionary messages, banks should educate their customers on the protection of passwords, PINs and paper statements. They should also show customers how to avoid criminals who might pose as bank agents through Internet, phone or even in-person channels; eliminate access to their private data by turning off paper statements; understand the virtues of frequent account-monitoring; learn how to reject bogus requests for personal data and install firewalls and anti-virus software.

Any bank that focuses on warning messages endemic to just one channel is subliminally communicating: "We offer online banking, but you're really placing yourself at great personal risk if you use it."

In summary, account security is a heightened customer requirement, and banks must elevate and reorganize their security efforts to meet the new threats and concerns. The concept of self-service made possible by electronic channels must now be extended to a new realm, that of self-security. Multi-channel relationships, sophisticated customers and even more sophisticated criminals are now an essential part of modern banking relationships. To preserve their customers' trust, banks must engage their security, product and communications teams around the customer, and communicate to account-holders with balanced messages.

NEW REPORT SCHEDULED FOR EARLY 2005 RELEASE
Data cited in this article is based on consumer and financial institution research completed in 2004 and 2003 and presented at BAI's Retail Delivery & Expo 2004 in November 2004. Javelin's 2005 Identity Fraud Survey, a longitudinal study updating some of the data, will be released through Javelin's Web site (www.javelinstrategy.com) in late January.

Questions or comments about this article? Post them at the Banking Strategies blog.

Mr. Van Dyke is founder and principal analyst of Javelin Strategy & Research, a research and strategic consulting company based in Pleasanton, Calif. He will be the keynote speaker at the 24th Annual BAI Float Management Conference February 23-24 in New Orleans. For more information, see www.bai.org/float2005/.

Copyright © 2005 by Banking Strategies, published by BAI.

back to top