Over the past year, I’ve written extensively on the issues with using simple challenge questions or more elaborate “out of wallet” or knowledge-based authentication (KBA) questions to identify banking customers.
In the recent interview with Tracey Kitten of BankInfoSecurity, “FFIEC: How Well Do Banks Conform?”, Gartner analyst and fraud expert Avivah Litan expounds on some of these same industry challenges as they relate to the new FFIEC Guidance. She mentions that many banks are:
“Moving from simple challenge questions to follow the explicit guidance in the FFIEC update about using the more elaborate KBA or out of wallet type questions provided from public data aggregators.”
Avivah added that out of wallet questions can be expensive, and that it “remains to be seen how effective they work.”
Having had oversight of such processes during my career, I truly can appreciate the dilemma that banks and other institutions face. They are under extreme regulatory pressure to ensure they are adequately protecting their customers from identity theft, and as a result, they are authenticating every customer they interact with. But there needs to be a balance between managing fraud exposure, negative customer experience, and operational costs.
As I talk to many senior fraud and operations executives, the real struggle is not just what type of authentication products to utilize, it’s knowing when to deploy them and what customers to use them against. Every call that comes into banks today is not a credentialed call. They cannot be trusted, period. As such, the challenge is answering these critical questions:
- Which calls should be trusted?
- Which calls should require challenge questions?
- At what stage of the interaction should authentication tools be used?
- What are the costs and customer impact to using these tools?
Answering these important questions of what tool to use, and when to use it, is critical to a bank’s overall operation. It’s what will determine the operational costs, customer experience and fraud protection. Deploying technology without fully understanding the impact and effectiveness of new tools has driven up customer dissatisfaction and is, in part, what has driven the FFIEC Guidance specifically related to Authentication.
While there is certainly a place for KBA and voice biometrics, this is where the TrustID® network-based Physical Caller Authentication tool takes a unique approach to authenticating customers dialing into a bank’s call center. Rather than base the level of customer authentication on what the caller is requesting, such as adding an authorized user, TrustID allows banks to route the incoming call based on the authenticity of the actual call. By making the Caller ID and ANI a trusted resource for identifying customers over the telephone, TrustID provides a strong certainty that the incoming call is truly the customer. Doing so also eliminates the conversation criminals rely on to socially engineer bank representatives.
By automatically validating the physical location of the caller before the phone is answered, financial institutions can proactively identify fraudulent calls and address good customer inquiries faster, all without putting them through the burdensome and costly telephone interrogations that are required by KBA solutions. In turn, if the TrustID solution deems the incoming call spoofed or altered, or determines that the source of the call is not trustworthy, then regardless of the customer request the bank may want to route the call to a representative for a second level of questioning.
Now that the bank has a much smaller population of customers they need to deploy expensive KBA towards, they can reduce costs, dramatically improve the customer experience through reduced interrogation for the majority of good customers, and fulfill the FFIEC’s multi-factor authentication best practices for identifying customers.
Today it is paramount for banks to develop a mutual ongoing trust with their customers. By allowing financial institutions to invisibly identify and stop telephone fraud before it happens, TrustID improves the level of customer service that’s critical to protecting customers, reducing fraud rates, and maintaining the sacred trust between banks and their valued customers.

