
Middle East banks can balance both security and personalisation with behavioural authentication

By Seshika Fernando, Vice President, Banking & Financial Services, WSO2.

Balancing customer expectations and operational imperatives is a conundrum as old as commerce itself. In a digital economy, one of the biggest imperatives is cybersecurity. It impacts everything from an enterprise’s relationship with regulators to its reputation among customers. But as customers demand slicker and more personalised service, businesses are re-evaluating the efficacy of traditional, user-driven customer identity and access management (CIAM) systems. Having to explicitly provide credentials every time they engage with a brand is irritating to most customers. They look around them and see high-end technologies such as generative AI, the Internet of Things, and the Metaverse. Based on what they see, they may well wonder why simple authentication is not more straightforward.

These sentiments are amplified for the brands with which consumers do the most business. The banking sector in the United Arab Emirates has established itself as a front-runner in digital transformation. Kuwait Finance House launched the Baitak Assistant chatbot in 2018, Emirates NBD developed a range of digital-banking products, including Liv and E20, and Mashreq achieved pioneer status for its in-branch self-service areas.

This activity reflects customer expectations that repeat around the world. A Deloitte report from last year on digital banking maturity took 304 banks from 41 countries (including Saudi Arabia, Qatar, and the UAE), measured their digital maturity and split them into four categories. Having defined the top 10% as “digital champions”, the study concluded that “digital champions achieve better financial performance indicators”. But to be a digital champion means finding the middle ground between user experience and security.

Behavioural authentication

Or does it? In the same way customers have raised their expectations, can banks not raise their own? Can they not have both superlative digital experiences and robust security? Yes, they can. Data-driven behavioural authentication (DBA) compares the behaviour of a currently authenticating user with past behaviour stored in a rich profile to discern if they are genuine. What is perhaps most powerful about DBA is that the same profile can be used to personalise the customer experience.

The idea behind DBA is simple. Even multifactor authentication has become an irritant to consumers. The more they engage with a brand, the more they will encounter requests for credentials, and the more frustrated they may become. This is counterproductive to a digital business, so when it is presented with the option to tighten its security and improve CX without any trade-off, it should jump at the chance.

DBA leverages large amounts of customer data already captured through past interactions – information such as session time, IP address, preferred device, and keystroke patterns. Verification is an organic, background process that happens during the customer’s digital engagement, falling back on historical behaviour and eliminating the interruptions associated with repetitive user-driven authentication. While authentication is invisible and ongoing, so is personalisation, because the same historical data can be used to, say, recommend the customer open a savings account. And the opening of the account, should the customer opt for it, can also occur without undue manual input as the bank will already be in possession of the requisite information.

Going further

DBA goes further. Unlike traditional CIAM, it can expose identity data as APIs that can be used by AI modules for even deeper personalisation. These algorithms are connected to an extremely rich dataset. Identification data such as username, password, and biometrics will be provided by the customer. Through transactions, the bank can gather usage data (such as transaction types and information on beneficiaries) and behavioural data (such as keystrokes, IP addresses, ATM locations, and login times). Of course, the bank will also have access to KYC (know your customer) data that is mostly demographic in nature, covering things like age, gender, and marital status. But AI-powered social listening can also allow the business to probe social pages (with a customer’s permission) for life events such as graduation, marriage, career milestones, birth of children, and even children’s life events, like the purchase of their first car.

Using complex combination scoring, which weights each data item by how likely it is to indicate fraud, DBA applies the policies of the bank to either block a transaction, ask for further verification, or block it entirely and flag it to all stakeholders, including the customer.
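A minimal sketch of the weighted scoring and policy step described above, as an added example that is not code from the article or from WSO2. The signal names follow the data items the article lists; the weights, thresholds, the silent "allow" outcome for low scores, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed weights and thresholds; a bank would derive these from fraud data and policy.
WEIGHTS = {"device": 0.35, "ip": 0.20, "keystroke": 0.30, "login_hour": 0.15}
STEP_UP_AT, BLOCK_AT = 0.25, 0.60

@dataclass
class Profile:
    devices: set        # device identifiers seen before
    ip_prefixes: set    # first three octets of past IPv4 addresses (simplification)
    keystroke_ms: list  # past mean inter-key intervals, in milliseconds
    login_hours: list   # past login hours, 0-23

def keystroke_anomaly(value, history, cap=3.0):
    """0.0 at the historic mean, 1.0 at `cap` or more standard deviations away."""
    if value is None or len(history) < 2:
        return 1.0  # fail closed: an absent signal must not lower the score
    spread = pstdev(history) or 1.0
    return min(abs(value - mean(history)) / spread, cap) / cap

def hour_anomaly(hour, history):
    """Circular distance to the nearest past login hour, scaled to 0..1."""
    if hour is None or not history:
        return 1.0
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in history) / 12

def risk_score(profile, event):
    ip = event.get("ip")
    anomalies = {
        "device": 0.0 if event.get("device") in profile.devices else 1.0,
        "ip": 0.0 if ip and ip.rsplit(".", 1)[0] in profile.ip_prefixes else 1.0,
        "keystroke": keystroke_anomaly(event.get("keystroke_ms"), profile.keystroke_ms),
        "login_hour": hour_anomaly(event.get("login_hour"), profile.login_hours),
    }
    return round(sum(WEIGHTS[k] * anomalies[k] for k in WEIGHTS), 3)

def decide(profile, event):
    score = risk_score(profile, event)
    if score >= BLOCK_AT:
        return "block_and_flag"   # block and notify stakeholders
    if score >= STEP_UP_AT:
        return "step_up"          # ask for further verification
    return "allow"                # verification stays in the background

# Constructed profile and events (documentation IP ranges, made-up device names).
PROFILE = Profile({"phone-A"}, {"203.0.113"}, [180, 190, 200, 210, 220], [8, 9, 20])
USUAL = {"device": "phone-A", "ip": "203.0.113.7", "keystroke_ms": 205, "login_hour": 9}
NEW_DEVICE = {**USUAL, "device": "laptop-X"}
NO_KEYSTROKES = {k: v for k, v in USUAL.items() if k != "keystroke_ms"}
TAKEOVER = {"device": "laptop-X", "ip": "198.51.100.4", "keystroke_ms": 120, "login_hour": 3}
```

Treating a missing signal as fully anomalous, rather than renormalising over the signals that are present, means a client that withholds keystroke data is asked for further verification instead of scoring as lower risk.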

As can be seen here, the data profile is more than sufficient to personalise banking services. If the system finds that a customer sends the same amount of funds to the same beneficiary at the same time each month, it can recommend the setup of a standing order. By discovering a consistent balance in a checking account over a significant period, the system can prompt the customer to open a higher-interest account. And what about an interest-earning account to mark the occasion of a first job? A joint account upon marriage? A children’s savings plan following the birth of a baby?

Best of both worlds

Of course, some of these proactive extras can only occur if a customer has seen fit to share their personal data. The principles of privacy and consent also feed into brand trust. But younger consumers tend to grant these permissions in exchange for better personalisation. In open banking, customers even give banks the nod to share their financial data with third parties to enhance a broad services ecosystem. Privacy and consent are built into data-driven CIAM, and DBA handles them by granularly recording which data can be shared, with whom, for how long, and for what purpose. And it allows customers to amend their preferences or withdraw consent at any time.

It is clear that to please the younger generation of banking customers, institutions must move away from user-driven CIAM systems towards the less invasive DBA. But unlike most security balancing acts, data-driven behavioural authentication offers the opportunity to enhance digital experience and security at a stroke. This is a huge leap forward in competitiveness.
