In a payments context, banking authentication refers to the use of various security measures to protect consumers’ bank accounts, transactions and other sensitive financial information. Banks can achieve this by validating a consumer’s identity during or prior to payment using a combination of factors.
Though these factors may vary, they almost always include:
Something the consumer knows, such as a password, passphrase or PIN; this is known as knowledge-based authentication
Something the consumer has, such as a mobile phone, wearable device, hardware token or smart card; this is known as possession-based authentication
Something the consumer is (based on biometric data), such as a fingerprint, facial recognition scan, voice pattern or DNA signature; this is known as biometric authentication
Strong customer authentication (SCA), which is a prerequisite for compliance with multiple industry regulations, requires banks to use at least two of these authentication methods to secure consumers’ accounts.
Ultimately, the goal of all bank authentication methods is to ensure that only the intended consumer has access to their accounts and banking services, thereby protecting them from unauthorized access to their personal information and preventing service interruptions.
Why is authentication essential for banks?
The list of reasons why authentication is essential for banks is long and includes:
Increasingly prevalent — and sophisticated — fraud One in every five global consumers surveyed in 2022 said they fell victim to payments fraud within the past four years. As fraudsters’ methods become more sophisticated, leveraging artificial intelligence and machine learning to circumvent traditional security measures, banks have a duty to strengthen their security and protect their consumers from risk.
Compliance with industry regulations The banking industry is subject to a wide variety of consumer protection regulations and standards, such as the Revised Payment Services Directive (PSD2), the Payment Card Industry Data Security Standard (PCI-DSS) and the Banking Secrecy Act (BSA). Banking authentication is often a prerequisite for complying with these regulations and standards, particularly any anti-money laundering (AML) requirements they may include.
Security for high-value, high-risk transactions Banking authentication ensures that any individuals attempting to make high-value and/or high-risk transactions are who they claim to be, protecting both consumers and banks themselves from potential breaches and unauthorized access.
Long-term consumer loyalty Consumers need to be able to trust their bank with their financial assets and personal information. Even a single data breach can significantly erode consumer trust — or worse, motivate consumers to take their business elsewhere. To earn consumers’ long-term loyalty — and to protect their own reputational standing — banks must demonstrate their commitment to maintaining the highest security standards by implementing authentication.
Frictionless consumer experiences In addition to robust security, consumers expect their bank to deliver a frictionless user experience. Modern bank authentication methods, such as biometric or adaptive authentication, eliminate the need for cumbersome, manual security checks without compromising on consumer protections. With the right authentication measures in place, banks can make it easy and efficient for consumers to safely access their accounts and banking services, enhancing overall satisfaction.
Lower operating costs Banking authentication dramatically reduces the risk of fraudulent activity, which lowers the overall cost of fraud investigation and resolution efforts. It can also streamline operational processes, decreasing the frequency of security-related customer support inquiries, enabling banks to more effectively allocate support resources elsewhere. Finally, banking authentication ensures compliance with PSD2, PCI-DSS and other regulations, mitigating the risk of legal fees, financial penalties and other costs associated with non-compliance.
What are some common bank authentication methods?
As noted, all bank authentication methods fall into one of three categories — knowledge-based, possession-based or biometric authentication. Let’s take a closer look at some of the authentication methods that belong to each of these categories:
Something the Consumer Knows
Password
Passphrase
Personal identification number (PIN)
Answer to a security question
Something the Consumer Has
One-time password (OTP)
One-time SMS code
Card verification value (CVV)
Security token
Smart card
USB security key
Bluetooth or near-field communication (NFC) device
Something the Consumer Is
Fingerprint recognition
Facial recognition
Voice recognition
Iris or retina scan
Behavioral biometrics
What’s the difference between authentication and authorization?
Authentication and authorization are distinct but interconnected processes which, together, ensure the security and integrity of financial transactions. To reiterate, banking authentication refers to the various security measures used to verify a consumer’s identity in order to protect their financial assets and personal information.
By comparison, authorization refers to the process by which a bank approves or denies a transaction based on a number of factors, including the authenticity of the payments request and the availability of funds within the payee’s account.
When authorizing a payment, a bank will first authenticate the consumer’s identity, then review the details of the transaction — such as the amount, the payee and the purpose — to ensure they align with the consumer’s authorization levels and the bank’s established rules. The bank then determines whether the consumer has sufficient funds in their account to cover the transaction; at this point, the bank may impose certain spending restrictions. The bank will also conduct a risk assessment to further ensure the validity of the transaction. Depending on the results of this process, the bank will either approve or deny the request and transfer funds accordingly.
Authentication and authorization are both essential to preventing fraudulent activity, particularly authorized push payment (APP) fraud. APP fraud is a form of confidence-based fraud in which a scammer poses as a consumer’s bank or another trusted institution in an attempt to convince them to authorize a payment. By implementing robust authentication and authorization, as well as other risk mitigation and fraud management measures, banks can help protect their consumers against this and other forms of fraud.
How can artificial intelligence support authentication in an internet banking environment?
Artificial intelligence and related technologies, such as machine learning, are dramatically changing how banks approach authentication, particularly in the context of internet banking.
Here are just a few examples of how banks can use AI to support authentication:
Behavioral biometrics: Banks can use AI to analyze consumers’ behavioral patterns, such as their typing speed, mouse movements, touchscreen pressure and navigational habits. They can then use these behavioral biometrics to create unique user profiles for authenticating consumer identities.
Anomaly detection: Once a bank has created distinct user profiles, it can then use AI algorithms to continuously monitor user activities and flag unusual patterns or behaviors. If the system detects anomalous behavior, it can automatically trigger additional authentication steps or temporarily restrict access until the consumer verifies their identity.
Risk-based authentication: Machine learning can assess risk factors in real time while authenticating a consumer’s identity, considering variables such as their location, which device they’re using and their transaction history. Based on this analysis, banks can adapt their authentication requirements, building in an additional layer of security for high-risk transactions.
Continuous authentication: Rather than perform a one-time authentication, AI can continuously authenticate a consumer’s identity throughout their interaction with banking services, constantly evaluating and reevaluating their risk level. If, at any point, the consumer’s risk profile should change, the system can automatically respond by imposing additional authentication requirements.
Predictive analytics: AI can use predictive analytics to identify potential security threats based on historical data. By recognizing patterns indicative of fraud or unauthorized access, the system can proactively enhance banking authentication measures.
As AI becomes more advanced, so too will bank authentication methods, integrating AI and machine learning to analyze vast data sets, predict potential risks and dynamically adapt to evolving threat, providing holistic security for both banks and consumers.
Other than authentication, how else can banks protect their consumers?
Authentication is just one way that banks can protect their consumers’ sensitive information. To bolster their security efforts, banks should:
Educate consumers about potential risks
From in-person or online fraud education sessions to social media campaigns designed to raise awareness about common risks and security best practices, banks should make a concerted effort to educate and inform their consumers.
Set up automated alerts
Payment scams pose a real risk to both banks and their consumers. To reduce this risk, banks should implement automated alert systems that send out a notification any time a consumer attempts to make a payment to a new or high-risk recipient. These systems add another step to the authentication process, ensuring that the recipient is legitimate, and the payment is genuinely authorized, which can significantly reduce APP fraud.
Confirm all payees
Banks in the U.K. can participate in Confirmation of Payee, a name-checking service designed to verify account details — including account name, sort code and account number — so that consumers can be confident they’re sending funds to the right recipient.
Use AI to their advantage
Artificial intelligence and machine learning have applications beyond just banking authentication. Banks can also leverage these innovative technologies to build predictive machine learning models that analyze large datasets to identify common patterns and anomalous behavior for proactive fraud prevention.
Share and receive fraud signals
Through the use of network intelligence, banks can share and receive industry-wide fraud signals based on global consortium data. They can feed these fraud signals into their machine learning models, enhancing their fraud detection and prevention strategy and responding to threats in real time.
How does ACI Worldwide support banking authentication?
ACI Proactive Risk Manager — part of ACI Fraud Management for Banking — combines expertly defined rules with a variety of scoring methods for fast and accurate responses to the evolving nature of fraud. Not only that, but Proactive Risk Manager has the unique ability to connect with nearly any third-party provider to support banking authentication, serving as the central platform for decisioning based on a large ecosystem of third-party authenticators.
ACI Fraud Management for Banking also features SCA capabilities, empowering banks to intelligently analyze transactions, strengthen their SCA exemption strategy without compromising on security and better manage risk and liability.
To learn more about Proactive Risk Manager, SCA or any of ACI Fraud Management for Banking’s other capabilities, schedule a free consultation with the ACI Worldwide team today.
Fight Real-Time Payments Fraud in Three Simple Steps
Discover global real-time payment fraud trends and insights on how to effectively fight banking fraud in our whitepaper.
