Chapter 1 - Hassle Free Security during Customer Onboarding at Banks

Aspire Systems

Customer acquisition and retention is a key challenge for banks given the state of customer loyalty today, and a number of them are turning to a trusted customer onboarding strategy as a game changer. We spoke with Deepak Panigrahy, CEO of EZMCOM, on the state of authentic security in customer onboarding and how EZMCOM has been disrupting the authentication space to deliver next-generation onboarding experiences. The first interaction sets the tone for the relationship between the customer and the bank, so read on as Deepak takes us through this transition to a customer-centric mindset in customer onboarding.

Given the negative impact of around $400 for an attrited customer, according to The Financial Brand, what do you think is lacking in the current customer onboarding ecosystem?

Data breaches have led to rampant compromise of personally identifiable information (PII). As a result, correctly reciting PII is worthless as a stand-alone method of corroborating a person's claimed identity during customer onboarding. On the other hand, onerous "identity proofing" methods for new-account opening increase customer abandonment. This creates a competitive liability when customer attrition and market share loss exceed the potential fraud loss. As nearly every component of modern life embraces digital channels, the need to corroborate the identity of customers, users, citizens, partners and employees through remote interactions continues to grow.

The onboarding ecosystem must invest in new technologies now to bolster or replace legacy identity proofing tools and processes. It must be accepted that any sense of security that comes from using highly compromised static data as a means of corroborating identity is a dangerous illusion.

The ecosystem must work towards the addition of new approaches for identity proofing use cases that focus on fraud reduction and credit write-offs, as well as increased revenue from lower false-positive rates, lower abandonment rates, and improved customer experience and loyalty.

Customer Onboarding must align three aspects of identity — the real-world identity, the digital identity and the person.

In the recent security breach, when two Canadian banks were hacked and 90,000 customers’ data was stolen, how would EZMCOM have solved this problem?

There were two vulnerabilities that were exploited by the hackers to access information in the data breach mentioned above:

i) Knowledge Based Authentication: Security Questions and Answers is a dead game. NIST has also deprecated the approach, but we continue to use them. The reason is simple: the information is personal, and a lot of “personal” information of people is already available on the Internet through websites such as Facebook, Google, etc. The technology which was relevant 10 years ago is obsolete today and needs to be re-looked at immediately.

ii) Lack of appropriate checks with “Forgot Password” and the “Password” itself: Passwords are most vulnerable today. A hack on one website with a leak of passwords is not a hack of one firm but a hack on many firms, because we rely on a fixed form of password or pattern due to human fatigue and, rather than a few websites to log in to, we are logging into multiple websites and applications across public and corporate levels on a daily basis.

EZMCOM would recommend that the banks leverage its “continuous authentication” mechanism in combination with one or multiple authentication factors.

What elements would constitute a successful onboarding program in your view? How has security-based authentication evolved over time?

A successful onboarding program involves two phases:

  1. Opening Accounts
  2. Activation and Re-activation of Accounts

Opening Accounts falls within the purview of eKYC, which involves verifying the end customer depending on regulations, normally comprising:

  1. Proof of Identity: A valid ID of a country to which the end user belongs. These include Driving Licenses, Passports, Resident Permits, etc.
  2. Proof of Possession: Are you the same person who claims to be the ID holder? This is normally done by conducting biometric verification, with liveness detection, of the real user against the picture captured from the ID during step 1.
  3. Security Checks and Validation: Checks to ascertain that the ID is genuine and not a fake one such as a photograph, printed page, etc.
  4. Proof of Address: Address of the user in the form of an accepted utility bill such as an electricity bill, etc.
  5. 3rd Party Corroboration: Verifying the identity of the user with the 3rd party databases for the external validation checks.

While account opening is just one part of the story, customer onboarding should also cover account activations and, most importantly, re-activations when people change devices such as mobiles.
The combination of strong Face Biometric Authentication with customer onboarding can ensure that banks get a “verified trusted biometric digital identity” for the very first time, unlike the FaceID of the iPhone X, where the “biometric face” always remains an unknown face though it might be a trusted device. This mechanism can help banks build the right security business workflow, keeping user convenience at the heart of the solution.

What are your views in building a robust and secure customer profile in this dynamic age?

We believe that in today’s digital age, banks need to take a multi-layered, intelligent and user-convenient security approach by:

  1. Establishing trust: The gatekeeper for establishing trust in the digital identity of the end user is a customer onboarding workflow that uses the right mix of technology and human interaction for Identity Proofing & 3rd Party corroboration.
  2. Authenticate the digital identity: Authentication of the digital identities created by the Gatekeeper with the parameters assigned during the customer onboarding process both during login and financial transactions.
  3. Sustain the trust on digital identity: Behavior and risk-based authentication applied continuously during an interaction between the digital identity and the digital services provided by banks allows the sustenance of trust and helps build the right user experience while adding friction only in the case of an anomaly detection.

What role should security and governance play while onboarding and how can banks support this agenda while meeting customers’ hyper-personalization attributes?

As client onboarding is primarily a coordination function, it encounters many governance issues. It is therefore imperative to establish a governance body to provide leadership and oversight for the program while also supervising “business as usual” activities.
The governance team should define the key principles underpinning the client onboarding process.

  • Client Touch Points: A consistent client experience should be achieved throughout the onboarding process.
  • Process Controls: The controls should be independent from front-office influence. There should be segregation of duties, owners and users. The controls should be integrated in the business flow.
  • People: An interaction mechanism should be defined to facilitate discussion with a diverse set of stakeholders to understand their feedback.
  • Supporting Technology: Processes should be automated wherever possible. The IT infrastructure to support the guiding principles should be continually upgraded.
  • Data Quality: A golden source of client data should be defined. Information should be correct up front to facilitate clean data downstream.

Any security software should be able to do the following things correctly, and onboarding is no different:

i) Identify Threats: The ability to identify fake and fraudulent onboardings might include multiple scenarios such as:

  1. Identification of a Physical ID
  2. Identification of fake sources such as a picture from a printout or a photo of an ID on a mobile
  3. Identification of key security elements such as OVI and Holograms
  4. Liveness detection during Biometric Match of the user with the photo from the ID

ii) Adapt to changing scenarios: Real-life threat scenarios could vary and these might include scenarios such as:

  1. Multiple onboardings from a single device across a certain period of time
  2. Leveraging compromised mobile devices such as jailbroken and rooted devices for onboarding
  3. Onboardings originating from blacklisted IPs or geolocations

iii) Audit

  1. Ability to check and verify the onboardings, real-time and historical

How does EZMCOM support the Temenos digital banking ecosystem?

EZMCOM has a software platform that establishes and sustains trust in digital identities. This platform comprises multiple layers of security:

i) The 1st layer is our Identity Proofing software. It can verify on-boarding users and establish trust in “who they claim to be”.

  • By scanning and verifying National ID cards, Driving Licenses and Passports, our software performs a “Proof of Identity”, and then by matching the face of the user against the photo in the ID it performs a “Proof of possession”.

With these two and an optional external 3rd party corroboration, trust can be established on the on-boarding user.

We’ve built our Identity Proofing product using Deep Learning, AI/ML technology. That is used in detection of the IDs, data extraction and authenticity verification. And we use PKI & NFC technology for Identity Proofing of Passports.

ii) The next layer is Biometric Authentication that sustains the trust. We do this using device biometrics as well as True-Identity verification using face recognition, independent of device capabilities.

Our face recognition is also built using Deep Learning based AI/ML technology, with a very flexible and robust design for calibrating the FA-FR and liveness detection to balance security and usability depending on the risk appetite of our customers.

iii) We also have 2-Factor authentication (providing clientless, software and hardware form factors), which is PSD2 compliant and delivers Strong Customer Authentication.

Our Software Token for mobile and desktop has been integrated as an SDK or as an independent app by our customers. First-time registration (or a re-registration) of the Soft Token has been enhanced with our Identity Proofing software in emerging new use cases.

We’ve implemented our authentication layer for users and APIs, built on top of OATH, OCRA, OAuth2 and OIDC, and we can provide Federated Authentication.

iv) The last layer of our platform is for continuous authentication. This layer maintains the trust in a digital identity in an ongoing session. Our behavior-based authentication, comprising keystroke dynamics, gait analytics and risk-based authentication for contextual anomalies, delivers this continuous authentication, which can trigger a step-up when required or otherwise enable a frictionless experience.

EZMCOM has already won two clients with Temenos where Aspire Systems has been involved as a digital implementation partner. We have gone live with one of them and we are looking forward to replicating the wins across the globe.

We thank Deepak for his insights on the pressing need to transform security in customer onboarding programs for banks through continuous authentication. As the onboarding ecosystem evolves, Deepak calls for a multi-layered, intelligent and hassle-free security layer to build a robust customer profile for this dynamic digital age. This needs to be coupled with a strong governance structure that can proactively identify threats and adapt to changing scenarios to sustain trust in digital identities. It’s a big opportunity for the incumbent banks and others to tap into this ecosystem and nurture deeper relationships with their customers.

About Aspire

Aspire Systems, a Temenos specialist partner, is a global technology services firm with technology expertise in Digital Services, Enterprise Solutions, Software Engineering, Testing and Support. They work with some of the world’s most innovative enterprises and independent software vendors, helping them leverage technology and outsourcing in their specific areas of expertise. The company currently has over 2400 employees and over 150 customers globally, and is CMMI Level 3 certified. They also have a growing presence in North America, the UK, Europe, India, the Middle East and Asia Pacific. For the eighth time in a row, Aspire has been selected as one of the ‘Best Companies to Work For’ by the Great Place to Work® Institute.