If a customer were to walk into the branch and ask to withdraw an entire account’s balance, a bank employee would probably ask why. A similar response should hold no matter which channel is being used, with remote channels triggering investigations at a much lower threshold than in-person channels.
Indeed, a bank should calibrate its response to a remote request based on the typical behavior for that customer and by expected behavior for similar customers. Typical, low-risk transactions should sail through, while atypical, high-risk transactions should be flagged for further review and confirmation with the customer through a separate channel, such as a home phone or email account.
That’s the promised benefit of risk-based authentication (RBA), the cornerstone of security for the modern multi-channel financial institution. “How do we add more security with usability? The easiest way is to silently observe the transactions,” says Eve Maler, principal analyst for security and risk at Forrester Research. “It’s becoming par for the course for financial institutions.”
The move to RBA is driven in part by FFIEC guidelines calling for a multilayered approach to security. However, the benefit goes beyond regulatory compliance in that the technique works extremely well without requiring extreme measures on the application or device side.
The RBA approach is well-established outside of financial services. For example, e-commerce vendors that also depend upon usernames and passwords mitigate their risk with a heavy dose of RBA. “Merchants need to make things easy for consumers,” says Maler. “I’ve never changed my Amazon or PayPal passwords, and they don’t make me change because they’re hardly using those passwords. Instead, they’re using the back-end observational details.”
Security experts describe multifactor authentication as comprising three elements:
— Something you know, like a password
— Something you have, like a one-time-password generator
—Something you are, via a biometric identifier such as a fingerprint or iris scan
RBA can be considered a fourth layer of multifactor authentication by capturing the essence of what you do, suggests Maler. “It’s the booster shot that we need to apply so that we can step up the level of authentication,” she says.
An important question for banks is where to apply the RBA booster shot. Edward O’Brien, director of the banking channels advisory service for Mercator Advisory Group, recommends that banks capture the business logic for risk analytics in the back-end core banking solution. “If the core banking system has the main business rules, it won’t matter if the customer’s going through the ATM, mobile or branch,” says O’Brien. “If something seems out of sync or if there’s an issue to address, anomaly detection analytics can decide whether to call the person or to put a hold on the account.”
“It makes perfect sense to include these rules in the core banking system,” adds O’Brien. “If you have multiple attacks occurring simultaneously through multiple channels, the core system should have the business rules to respond.”