Three Reasons Why Corporate Banks Must Invest in New Security Measures
The New Payments Ecosystem brings great opportunities, if banks can mitigate the new risks and threats that arise. Real-time and open payments enable a wealth of new revenue streams; however, the potential for growth must be balanced against maintaining payments security. They cannot break the bank.
New kinds of security threats must be carefully considered in order to maintain #SleepAtNightability, whilst enabling new services and an improved customer experience.
The challenge for banks is multifaceted: how to provide fraud and financial crime protection for both the bank and the customer, and maintain compliance?
Corporate payments security protocol is twofold: how to prevent financial crime, and how to prevent mistakes. A mistake can be just as costly, in financial and reputational terms, as a fraud breach.
Operators in the back office must be able to repair and verify transactions to help the straight-through process. This human touchpoint is crucial, in that it offers the chance to perform critical maintenance on transactions, which automatic processes were unable to address. But any manual maintenance on payments introduces the possibility of error, or even fraud.
Well-documented breaches of several bank back offices have highlighted the need for banks to better protect their operators - and their operations - from internal and external attacks. Typical approaches have included Two-Factor Authentication and Four-Eyes Verification to ensure that no single person can make a mistake, or send a rogue transaction unnoticed. But I also see banks moving to prevent external internet connectivity from back office PCs, to combat man-in-the-middle or browser attacks. New applications of biometric technologies such as vein recognition authentication are also being discussed for corporate clients. These all help protect against genuine security breaches and inadvertent mistakes.
Financial crime detection has typically been performed on the origination side of the transaction, helping to ensure that the bank’s customer did not have funds taken incorrectly. But now we see an increase in detection measures; ensuring that any transaction that passes out of, into or even through the bank, is checked for suspicious activity. It is now scored and monitored in the same way that card transactions have been monitored for years.
Corporate banks, with long-standing relationships and a large transaction history with their customers and intermediaries, are well equipped to build profiles that support anomaly detection. Unusual transaction features such as time, location, device and IP address can be easily flagged to review, verify and (if required) halt the payment.
The new open ecosystem and the move to irrevocable real-time payments mean that real-time risk scoring of WIRE transactions is essential to reduce financial crime. Know Your Customer (KYC) will continue to be crucial to the security of payments, but it will become more complex in an Open API-enabled ecosystem. Banks that implement real-time risk monitoring technology ahead of the market curve will be able to position it alongside the real-time payment propositions as another value-added service for their customers, as well as protecting their own business and reputation.
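The profile-based flagging described above, as an added example that is not from the original post or from any vendor product: it builds a per-customer profile from a constructed payment history and scores an incoming payment on hour, country, device and IP network, returning allow, review or hold. The field names, weights, thresholds and sample records are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed payment history for one corporate customer (not real data).
HISTORY = [
    {"ts": "2024-03-04T10:15", "country": "GB", "device": "dev-a1", "ip": "198.51.100.7"},
    {"ts": "2024-03-05T11:40", "country": "GB", "device": "dev-a1", "ip": "198.51.100.7"},
    {"ts": "2024-03-06T09:05", "country": "GB", "device": "dev-b2", "ip": "198.51.100.9"},
    {"ts": "2024-03-07T15:30", "country": "DE", "device": "dev-a1", "ip": "198.51.100.7"},
    {"ts": "2024-03-08T14:20", "country": "GB", "device": "dev-a1", "ip": "198.51.100.7"},
]

# Assumed weights and thresholds; a real deployment would tune these.
WEIGHTS = {"hour": 1, "country": 2, "device": 2, "ip_net": 1}
REVIEW_AT, HOLD_AT = 2, 4

def features(txn):
    """Reduce a payment to the profile features named in the text."""
    return {
        "hour": datetime.fromisoformat(txn["ts"]).hour,
        "country": txn["country"],
        "device": txn["device"],
        "ip_net": txn["ip"].rsplit(".", 1)[0],  # /24 prefix, IPv4 only
    }

def build_profile(history):
    """Count how often each feature value has been seen for this customer."""
    profile = {name: Counter() for name in WEIGHTS}
    for txn in history:
        for name, value in features(txn).items():
            profile[name][value] += 1
    return profile

def score(profile, txn):
    """Return (risk score, reasons, action) for one incoming payment."""
    f = features(txn)
    reasons = []
    # An hour is usual if within one hour of a seen hour (no midnight wrap).
    if not any(abs(f["hour"] - h) <= 1 for h in profile["hour"]):
        reasons.append("hour")
    for name in ("country", "device", "ip_net"):
        if f[name] not in profile[name]:
            reasons.append(name)
    total = sum(WEIGHTS[r] for r in reasons)
    action = "hold" if total >= HOLD_AT else "review" if total >= REVIEW_AT else "allow"
    return total, reasons, action
```

Returning the reasons alongside the score gives the back-office operator something concrete to verify with the customer before releasing or halting the payment.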
- Regulatory Rigour
When servicing important corporate customers and their transactions, you need to be confident that due diligence has been done on both the initiator and recipient of the payment. The regulatory requirements vary by country, but in an increasingly globalized world, banks are responsible for ensuring the compliance of a transaction throughout the payment lifecycle, especially if that crosses borders. This includes anti-money laundering (AML) and counter-terrorism financing checks, in line with regulation such as the Fourth AML Directive (AMLD4), designed to support domestic financial intelligence units.
Specially Designated Nationals and Blocked Persons Lists (SDNs) are mandatory for cross-border transactions, but not all countries insist on this at a domestic level. A bank cannot just check the payment parties against a domestic list of banned entities; it must consider the entire payments chain, including Politically Exposed Persons (PEPs), those individuals whose prominent position in public life may make them vulnerable to corruption. It is better to run as many lists as possible at the source to ensure you don’t fall foul of sanctions screening later in the payments lifecycle.
Sanctions legislation is particularly stringent in the U.S. market. Office of Foreign Assets Control (OFAC) checks are standard when transacting with U.S. banks, and are a sensible precaution on international payments to ensure your transactions are not impounded when they reach their U.S. counterparty.
The potential penalties for falling foul of OFAC regulation are high, including not just a large fine from the U.S. financial authorities, but potential loss of a very lucrative U.S. banking license. A bank must do everything possible to verify that the parties to a transaction are not SDNs; otherwise the full wrath of the authorities will arrive rapidly. Efficient processes, fuzzy matching of data and ease of resolution are critical; for every single correctly stopped transaction, there will be at least ten that could be ‘false positives.’ It is essential to reduce those false positives, or get the affected transactions moving again, as quickly as possible, before the date for value delivery is missed.
- Customer Experience
Corporate banks hold an incredible amount of knowledge about their customers, thanks to effective relationship managers. There is no technology that can truly replace the knowledge of knowing your customer. But the right technology can apply the rules and be the guardian of your data, to enable you to better protect and support customers. And systems can help you enact what you know about customers.
Customer profiles need to extend beyond the individual and company level; you need to be able to analyze your entire customer base and look across transaction patterns to spot what is typical for your business. The application of machine learning models will improve this drastically. These models can work across large datasets to detect patterns too complex for humans, and they continually learn and adapt to stay ahead of potential threats to your business.
Anomalies are not necessarily fraud; spikes in transaction volumes or values around the end of the tax year may be normal. But outside of your usual patterns, they should be verified with the customer, to ensure the transaction details are exactly as intended. Preventing a mistake is as important as preventing a fraudulent attempt.
The pace at which regulatory developments and new security threats reach the market is not going to slow down. Open APIs in banking are new and unknown, and are therefore a tempting target for thieves. We must secure who is requesting data through balance enquiries and transaction histories, and on top of this we must ensure they have the authority to make a payment.
Banks should commit more resources to compliance and financial crime protection; finding a way to turn this investment into a value-add for customers will be the differentiator. Innovation in security layers onto a transaction bank’s foundations, providing a base for new real-time payment services.
Discover more about security in the Hierarchy of Payment Needs, watch the video with Silvia Mensdorff and Mark Ranta.