With "man-in-the-middle" and other types of fraudulent account hijacking attempts on commercial customers escalating, Columbus, Ga.-based Synovus Bank needed a solution it could implement quickly. "By mid-2010 ACH and wire fraud attempts seemed to occur every few days," recalls Kevin Gibson, director of product development at Synovus. "None breached our systems. But it was a problem for our customers, particularly for larger businesses where the attacks were becoming relentless."
Because best practices and FFIEC regulations called for a layered authentication approach, Gibson says, Synovus ($28 billion in total assets) settled on a two-pronged strategy. First, the bank decided to adopt a front-end solution that could immediately authenticate customers. In addition, the bank wanted to deploy a back-end system that would analyze traffic behaviors and IP addresses to alert the bank to potentially fraudulent activities.
For the front end, Synovus evaluated five vendors during summer 2010, narrowing the field to two. Of those, according to Gibson, the least intrusive and most user-friendly solution was Rapport by Boston-based Trusteer.
Upon inking a deal with Trusteer in November 2010, Gibson says, Synovus began developing strategies to promote customer adoption. Otherwise, he relates, the implementation required virtually no Synovus IT resources.
A lightweight application, Rapport is installed on clients' computers. The process starts when a customer logs in to a Rapport-protected account, Gibson explains. The customer immediately is presented with a customized splash page explaining the solution and is directed to click on a link that automatically downloads and installs the software.
Promoting Client Adoption
According to Gibson, it came as no surprise that the "click on a link" directive presented an adoption hurdle. "We'd always told our customers, 'We'll never ask you to click on a link,'" he admits. "However, with Rapport, the 'ask' comes after customers have authenticated."
To reduce end user resistance, Trusteer worked with Synovus on internal and external messaging as well as on customizing the splash page. For corporate customers that prohibited downloading applications, Synovus offered to implement the solution at the enterprise level.
In addition, Gibson's team elected to limit the presentment's duration and make customer participation optional. "We decided to present the splash page for four months and then reevaluate," Gibson affirms. "Customers could respond to the instructions or ignore them."
Ultimately, however, when the splash presentment began in February 2011, it met with strong adoption and negligible resistance, Gibson relates. "About 42 percent of our customers adopted during the presentment period, which ran through May," he says. "And we took very few calls."
For the customers that adopted the anti-fraud solution, no incidents of fraud have occurred since the implementation, Gibson reports. "There have been 3,000 attempts, all of them stopped by Trusteer," he says.
Based on adoption data, the non-adopters, Gibson says, proved to be predominantly small businesses, as expected. "Since hackers have targeted larger businesses, those customers understood the need," he comments. "So we've now honed the message and redesigned the splash page."
In the meantime, Synovus added token layers and additional transaction completion verifications to its existing online payments environment. It also is in the process of migrating to a new payments platform from New York-based ACI Worldwide that includes a back-end fraud-monitoring component.
Regardless, Gibson foresees an ongoing relationship with Trusteer. "We'd like to expand Rapport into the retail side. Also, we've invited Trusteer to show us what other layers they offer and what's on their road map for the future," he says. "The ease of moving to Rapport helped us get to market very quickly. Now it's just a matter of adding to the layers."