Three Reasons Why Corporate Banks Must Invest in New Security Measures
The New Payments Ecosystem brings great opportunities, if banks can mitigate the new risks and threats that arise. Real-time and open payments enable a wealth of new revenue streams; however, the potential for growth must be balanced against maintaining payments security. They cannot break the bank.
New kinds of security threats must be carefully considered in order to maintain #SleepAtNightability, whilst enabling new services and an improved customer experience.
The challenge for banks is multifaceted: how to provide fraud and financial crime protection for both the bank and the customer, and maintain compliance?
Corporate payments security protocol is twofold: how to prevent financial crime, and how to prevent mistakes. A mistake can be just as costly, in financial and reputational terms, as a fraud breach.
Operators in the back office must be able to repair and verify transactions to help the straight-through process. This human touchpoint is crucial, in that it offers the chance to perform critical maintenance on transactions, which automatic processes were unable to address. But any manual maintenance on payments introduces the possibility of error, or even fraud.
Well-documented breaches of several bank back offices have highlighted the need for banks to better protect their operators - and their operations - from internal and external attacks. Typical approaches have included Two-Factor Authentication and Four-Eyes Verification to ensure that no single person can make a mistake, or send a rogue transaction unnoticed. But I also see banks moving to prevent external internet connectivity from back-office PCs, to combat man-in-the-middle or browser attacks. New applications of biometric technologies such as vein recognition authentication are also being discussed for corporate clients. These all help protect against genuine security breaches and inadvertent mistakes.
Financial crime detection has typically been performed on the origination side of the transaction, helping to ensure that the bank’s customer did not have funds taken incorrectly. But now we see an increase in detection measures, ensuring that any transaction that passes out of, into or even through the bank is checked for suspicious activity. Each transaction is now scored and monitored in the same way that card transactions have been monitored for years.
Corporate banks, with long-standing relationships and a large transaction history with their customers and intermediaries, are well equipped to build profiles that support anomaly detection. Unusual transaction features such as time, location, device and IP address can be easily flagged to review, verify and (if required) halt the payment.
The new open ecosystem and the move to irrevocable real-time payments mean that real-time risk scoring of WIRE transactions is essential to reduce financial crime. Know Your Customer (KYC) will continue to be crucial to the security of payments, but it will become more complex in an Open API-enabled ecosystem. Banks that implement real-time risk monitoring technology ahead of the market curve will be able to position it alongside the real-time payment propositions as another value-added service for their customers, as well as protecting their own business and reputation.
- Regulatory Rigour
When servicing important corporate customers and their transactions, you need to be confident that due diligence has been done on both the initiator and recipient of the payment. The regulatory requirements vary by country, but in an increasingly globalized world, banks are responsible for ensuring the compliance of a transaction throughout the payment lifecycle, especially if that crosses borders. This includes anti-money laundering (AML) and counter-terrorism financing checks, in line with regulation such as the Fourth AML Directive (AMLD4), designed to support domestic financial intelligence units.
Specially Designated Nationals and Blocked Persons Lists (SDNs) are mandatory for cross-border transactions, but not all countries insist on this at a domestic level. A bank cannot just check the payment parties against a domestic list of banned entities; it must consider the entire payments chain, including Politically Exposed Persons (PEPs), those individuals whose prominent position in public life may make them vulnerable to corruption. It is better to run as many lists as possible at the source to ensure you don’t fall foul of sanctions screening later in the payments lifecycle.
Sanctions legislation is particularly stringent in the U.S. market. Office of Foreign Assets Control (OFAC) checks are standard when transacting with U.S. banks, and are a sensible precaution on international payments to ensure your transactions are not impounded when they reach their U.S. counterparty.
The potential penalties for falling foul of OFAC regulation are high, including not just a large fine from the U.S. financial authorities, but the potential loss of a very lucrative U.S. banking license. A bank must do everything possible to verify that the parties to a transaction are not SDNs, otherwise the full wrath of the authorities will arrive rapidly. Efficient processes, fuzzy matching of data and ease of resolution are critical; for every single correctly stopped transaction, there will be at least ten that could be ‘false positives.’ It is essential to lower those false positives, or get them moving again, as quickly as possible before missing the date for value delivery.
- Customer Experience
Corporate banks hold an incredible amount of knowledge about their customers, thanks to effective relationship managers. There is no technology that can truly replace the knowledge of knowing your customer. But the right technology can apply the rules and be the guardian of your data, to enable you to better protect and support customers. And systems can help you enact what you know about customers.
Customer profiles need to extend beyond the individual and company level; you need to be able to analyze your entire customer base and look across transaction patterns to spot what is typical for your business. The application of machine learning models will improve this drastically. These models can work across large datasets to detect patterns too complex for humans, and they continually learn and adapt to stay ahead of potential threats to your business.
Anomalies are not necessarily fraud; spikes in transaction volumes or values around the end of the tax year may be normal. But outside of your usual patterns, they should be verified with the customer, to ensure the transaction details are exactly as intended. Preventing a mistake is as important as preventing a fraudulent attempt.
The pace at which regulatory developments and new security threats reach the market is not going to slow down. Open APIs in banking are new and unknown, and are therefore a tempting target for thieves. We must secure who is requesting data through balance enquiries and transaction histories, and on top of this we must ensure they have the authority to make a payment.
Banks should commit more resources to compliance and financial crime protection; finding a way to turn this investment into a value-add for customers will be the differentiator. Innovation in security layers onto a transaction bank’s foundations, providing a base for new real-time payment services.
Discover more about security in the Hierarchy of Payment Needs: watch the video with Silvia Mensdorff and Mark Ranta.