building the future of mobile banking...report, alongside analysis of more than 30 digital banks,...
TRANSCRIPT
In collaboration with:
Building the future of mobile banking Part III: Security and regulatory issues
REPORT
2 Building the future of mobile banking
CONTENTS
05 | Onboarding as the cornerstone of mobile compliance
05 | Validate the identity of future mobile bank customers06 | Digitalise scoring and respect the MiFID 2 directive08 | Respect customers’ rights and protect their data to reinforce trust
09 | End-to-end digitalisation of banking relations to secure access at every connection
09 | Adapt security measures to smartphones14 | Digitalise fraud management to enhance security and reactivity14 | Use bank-customer interactions to secure operations17 | Modulate security policy depending on the content of each operation
18 | Conclusion
PART ONE
INTRODUCTION
PART TWO
PART THREE
3
IntroductionFor several years now, the growing use of mobile devices to surf the web and make online payments has caused a steady rise in the number of targeted attacks. Every year, fraud-related incidents are generating increasingly heavy costs for banking establishments and the techniques employed are becoming more sophisticated.
In addition, while users are becoming more vigilant when carrying out digital operations, they seek reassurance when it comes to their personal data. According to a recent report published by HSBC1, key consumer concerns include ‘personal data leaks’ (56% of respondents), ‘bank account hacking’ (55%) and ‘bank card cloning’ (54%). Furthermore, 87% of respondents consider the security of their personal data as important as the security of their money.
In a bid to contain these trends, legislation has been tightened in recent years and is posing several major operational challenges. Rather than being a constraint, these new regulatory requirements offer mobile banks the opportunity to optimise customer knowledge, personalise customer experience and services, reinforce operational security and, as such, boost trust in mobile banking services.
In addition to respecting regulatory requirements, mobile banks must obviously provide the necessary guarantees to win and retain client trust in digital services: ensuring authentication and personal-data confidentiality and implementing measures to combat fraud.
This level of security must be maintained at all times, notably for:
• Customer onboarding, in order to validate their identity• Accessing banking services even if not authenticated• Payments services, to identify and block any doubtful transactions.
In this, the third and final part of our Building the future of mobile banking study, realised in collaboration with Efma, we take another look at these key moments of exchange between the bank and its clients from the point of view of introducing the security and compliance principles to be implemented.
Our report, which covers the individual and professional markets worldwide, is based on numerous inputs such as our security and compliance materials, our digital banking services benchmark, our digital banks and fintech observatory, our benchmark of process performance within the retail banking industry, banking case studies and a selection of interviews. These resources are shared throughout the report, alongside analysis of more than 30 digital banks, including new challenger banks, digital banks, traditional banks, and approximately 180 fintechs.
This will be followed in due course by a global report that summarises all our findings into the future of mobile banking by looking at the pillars that address the bank’s key areas of operation:
• Part I: Customer targets, acquisition strategy and customer experience• Part II: Organisation and processes• Part III: Security and regulatory issues.
1 HSBC, Trust in Technology, November 2017: https://iatranshumanisme.com/wp-content/uploads/2017/06/170524-hsbc-trust-in-technology.pdf
4 Building the future of mobile banking
PART ONE
Onboarding, designed with a view to winning new clients, is decisive in fostering lasting and profitable customer relationships in the banking sector. For mobile banks, this is the first stage in the customer journey which determines whether or not they will be able to achieve their ambitious customer acquisition objectives, which systematically target portfolios of over one million clients.
As such, this is a key moment which enables banks to establish contact with clients, determine their identity accurately (and by doing so respect legislation in force) and identify those who could be at risk. This traditionally long and complex process must now be fully digitalised to enhance fluidity and appeal.
Onboarding as the cornerstone of mobile compliance
Figure 1: Onboarding end-to-end digitalisation around four pillars: dematerialisation, selfcare, automation and client-data value extraction
Attraction
Advisory
Servicedelivery
Onboarding
Dematerialisation Selfcare Automation
Orchestration
Data/CRM
Documentupload
Informationand contact
space
Commercial leadsidentificationwith Big Data andMachine Learning
Needsand productpropositionanticipation
Offercustomisation:solution andpricing
Use casesand incidentsanticipation
Virtualassistant/RPA
Decisionautomation
Operationsautomation
Simulationarea
Onlineproduct
subscription
Events and alertsmanagement
E-signature
Automateddocument
recognition
5
Validate the identity of future mobile bank customers
The identification and verification processes enable banks to forge customer relationships on the basis of correct information and constitute the bedrock of security. The revision of the fourth European Union Anti-Money Laundering (AML) directive stipulates that the means used to identify clients electronically must be equivalent to those used in a one-on-one context, in accordance with European eIDAS2 legislation requiring the digital read-out of passport and ID card data.
For example, N26, a German mobile bank which operates in all countries throughout the Eurozone, has developed a 100% mobile account-opening process that can be completed in eight minutes.
After completing the first automatic email address verification stage and inputting the standard subscription information (surname, first name, address, password, etc.), new clients are required to make a video call to a bank agent. During this conversation they will be asked to answer several questions and present the two forms of ID needed to open an account in an online bank.
This video authentication stage is ensured by IDNow, which partners with several European banks and whose Automatic Identification and Data Capture (AIDC) technologies notably make it possible to:
• Identify the type of ID document presented (ID card, passport, etc.) by comparing it with a set of models• Verify document integrity: validation of image quality, verification of control keys and the Machine-
Readable Zone (MRZ)3• Extract data: once extracted by means of Optical Character Recognition (OCR)4, data is compared to
the information entered by the user.
AIDC technologies can also be used in conjunction with a document uploading module to automate the verification of all types of document (pay slips, income tax returns, proof of address, etc.). This stage is also proposed by companies such as ResoCom5 in France, which delivers a certificate of compliance upon document verification and, in the event of any anomaly, contacts the administrative body that issued the document in question.
Furthermore, in the not too distant future it may be possible to delegate prospective-client identification to an entrusted third party such as the State. In 2002, Estonia6 implemented, and has since been developing, a digital identity system for its citizens which can be accessed by private companies via an Application Programming Interface (API). Similarly, in France, FranceConnect is a service that enables all administrative authorities and certain private players that contribute to public action to validate an individual’s identity by giving them access to data of trusted third-party bodies such as the French Tax Authority or French Health Insurance. In India, Digibank, a 100% mobile bank launched in 2016 by DBS, offers a 90-second account-opening service based on the state biometric authentication repository.
2 eIDAS: Electronic Identification and Trust Services – an EU ruling implemented in 2014 to harmonise the minimum standards to ensure trust and digital identification, such as the electronic signature.
3 The MRZ is a zone reserved for document identification and validation purposes that can be read automatically.4 OCR covers IT processes that make it possible to transform images and printed text into digital text files.5 http://www.resocom.com/solutions/6 http://www.gemalto.com/france/gouv/inspiration/digital-estonia
19
A global non-profit organisation, established in 1971 by banks and insurance companies, Efma facilitates networking between decision-makers. It provides quality insights to help banks and insurance companies make the right decisions to foster innovation and drive their transformation. Over 3,300 brands in 130 countries are Efma members.
Headquarters in Paris. Offices in London, Brussels, Barcelona, Stockholm, Bratislava, Dubai, Mumbai and Singapore.
www.efma.com
Wavestone is a consulting firm, created out of the merger of Solucom and Kurt Salmon’s European activities (excluding retail and consumer goods consulting outside of France). Wavestone’s mission is to enlighten and guide its clients in their most critical decisions, by drawing on its functional, sectoral and technological expertise. With 2,500 employees across four continents, the firm ranks amongst the leading players in European independent consulting, and number one in France.
Wavestone’s key financial-services contacts:
Joël Nadjar, Practice [email protected]
Pierre de Brabois, [email protected]
Pierre-Louis Durel, [email protected]
Maxime Meneboo, Senior [email protected]
Quentin Pallotta, [email protected]
For more information: www.wavestone.com
About us
www.efma.com
In collaboration with:
Building the future of mobile banking Part III: Security and regulatory issues
January 2018
www.efma.com
In collaboration with: