FinovateSpring: Cyber Security, Branch Banking, Partnerships, Financial Wellness, and More

Cyber security is finally at the frontline of conversations, but is it that easy?

Today we chatted with Sean Sposito, Security Analyst at Javelin Strategy, about the challenges that financial services companies have when dealing with cyber security. While awareness of cyber security has never been higher, Sposito asks whether that really equals an impenetrable safe wall.

Banks: who do you want to be when you grow up?

We ask John Waupsh, Chief Innovation Officer at Kasasa, where the branch stands. “Consumers, including millennials, still want to go into the branch and talk to somebody,” Waupsh says. But he counters with the fact that banks should be investing in a future of embedded banking.

FI + Core Vendor + Fintech: What it takes to make the partnership work

Tina Giorgio, President & CEO of ICBA Bancard, speaks with us live at FinovateSpring 2018 about the three Ts – time, talent, and treasure – that can guide community banks as they seek to adopt new technologies.

Financial wellness first: transforming the digital experience

“As a financial services industry, we have not yet been able to help a customer understand that the decisions that they make today impact their short and long-term goals,” says Tiffani Montez, Retail Banking Senior Analyst for Aite Group. Taking a new perspective on the digital experience, Montez addresses the key themes that can be facilitated by keeping financial wellness at the forefront: mobile experience, the role of the branch, and reinventing the checking account.

Security scars are key to innovation

“What’s your surface area and what are you defending?” is the first question you should be asking yourself when considering cyber security, according to Ben Johnson, CTO & Co-Founder, Obsidian Security. We speak to him live at FinovateSpring 2018 about the best practice and innovations in cyber security today.

“Banks can’t be everything for everyone”

We speak to Alex Jimenez, Vice President Senior Strategist, Zions Bancorporation, about the key takeaways from the panels he participated in that addressed payments and platformization.

 

Educating Customers About Breaches: Equifax Edition

Mistakes happen. Ultimately, it’s how you respond that makes or breaks you. Clearly, Equifax could have done better. But this isn’t about them; it’s about you.

Banks and credit unions have an opportunity, even a responsibility, to advise customers on important financial matters. And I think this qualifies as one. So what do you tell them about the latest breach?

Other than Wells Fargo (see screenshots 1 & 2 below), it’s mostly silence from the top-10 US banks who are understandably conflicted here. Where did Equifax get the information leaked in the hack? Financial institutions are feeding millions of records every week into the credit bureaus, and using the pooled information to fuel massive loan programs.

CU Examples
But I did find some credit unions helping their members sort things out. The first one I ran across (and the inspiration for this post) was at BECU, the sixth largest credit union in the United States. Last week, BECU had a warning notice running in the lower part of its homepage (see screenshot #3 below; which was taken down over the weekend). The warning led to a full page (posted Sep 8th), discussing the breach and how to protect your accounts at BECU and elsewhere. NASA FCU has a more prominent notice, running in the main part of its homepage, in rotation with seven other items.

Bottom line: It’s no fun communicating negative information, especially when you are part of the industry that created the problem to begin with. And I think all 3 of the explanations shown below create more questions than they answer. But your customers need help. And it’s so hard to find the truth about data breaches and financial information in general amidst the sea of detritus that is the modern Internet. You should be the trusted place to turn to in times of financial concerns. That should be part of the definition of “primary financial institution.”

Author: Jim Bruene (@netbanker) is Founder & Senior Advisor to Finovate as well as Principal of BUX Advisors, a financial services user-experience consultancy. 


1. Wells Fargo homepage (2 Oct 2017)

 

2. Wells Fargo landing page (link)


3. BECU homepage (29 Sep 2017)

4. BECU landing page (link)

 

5. NASA FCU homepage (2 Oct 2017)

NASA FCU landing page (link)


Note: Top graphic from Gemalto’s BreachLevelIndex.com

Entersekt Brings Biometric Authentication to FirstBank’s Mobile App

When it comes to mobile banking, the only thing more important than providing customers with a first-rate app is making sure that it has first-rate security as well.

To this end, FirstBank—with more than $15 billion in assets and more than 120 locations in Colorado, Arizona, and California—has selected biometric authentication technology from FinDEVr alum Entersekt to provide security for its iOS mobile banking app. In deploying Entersekt’s Transakt solution, FirstBank will give its mobile banking customers the ability to use Touch ID to authenticate as well as Transakt’s unique digital certificate identifier which the company says turns the mobile device “into a trusted second factor of authentication.”

Launched in 2014, FirstBank’s mobile banking app has been “incredibly well received” by customers, says bank COO Jim Reuter. “Adding one-touch authentication will further enhance what is already one of the most progressive, easy-to-use mobile banking technologies on the market.” FirstBank plans to add biometric authentication functionality to its Android-based mobile app soon.

“The security benefits are obvious to everyone,” Entersekt CIO Gerhard Oosthuizen explained, “but users are justifiably wary of tired authentication technologies like one-time passwords that slow them down and do not necessarily provide the required protection, particularly on mobile.” Oosthuizen sees his company’s technology as a way for “digital-savvier banks” to gain a valuable edge over their competitors “by engineering attractively low-friction mobile interactions that nevertheless inspire confidence and trust.”

Founded in 2008 and headquartered in Stellenbosch, South Africa, Entersekt demonstrated its transaction authentication and mobile app security solutions at FinDEVr Silicon Valley 2014 as part of its presentation, “Securing Mobile Applications through Transport Layer Diversity.” In September, Entersekt announced a new reseller agreement with Minneapolis-based security firm, Blue Bay Technologies. And in August, Entersekt forged a partnership with Finovate alum Backbase that will make Entersekt’s authentication solutions available via Backbase’s Open Banking Marketplace.

Tuesday Tactics: Opting Customers In to Proactive Fraud Alerts

Last week, I logged into my Bank of America accounts—checking, personal credit card, business credit card—and the bank used a pop-up screen to gain my permission for proactive fraud alerts (see screenshot below). I’ve been a mobile user for seven years, so it wasn’t like they needed my mobile phone number. And as far as I know, I’d already selected all the available fraud alerts. So it seems that the bank is looking to get more specific permission, and perhaps uptake, to its proactive security communications.

Customers have a chance to choose text message alerts and/or phone calls. Then there is the usual T&C (terms & conditions) to agree to, and that’s that. It took all of 30 seconds and made me feel like Bank of America was watching out for me. So, if this makes the bank’s lawyers happy, it’s a win-win.

Mobile Fees: BillGuard Goes Freemium with Integrated Credit Monitoring

We are always on the lookout for digital fee-income opportunities. And if I got a nickel for every one of them I’ve ever found … I’d have about a buck at this point. Fees in U.S. online banking are rarer than the (not-so) mythical fintech unicorn. And mobile banking fees are pretty much non-existent outside a few remote deposit fees (see previous post).

But last week BillGuard demonstrated a promising new avenue for incremental fee income: Integrated mobile identity-theft alerts, resolution and insurance (see inset). Actual credit report access is not included, but BillGuard says that it is coming soon. The service is mobile only, and the company currently has no plans to add it to the desktop version.

The credit and fraud monitoring is powered by CSIdentity (CSID), an Austin-based firm that says it powers 80% of the retail identity-theft-protection industry. The company, founded in 2006, has raised $36 million in equity (mostly in 2010) and $6 million in debt.

What it costs
The service is value-priced, at $2.99/mo for the single bureau Pro version or $6.99/mo for the 3-bureau Ultimate. In comparison, most ID-protection services are in the $15 to $20/mo range (Experian charges $15.95/mo for a private-labeled version called ProtectMyID with BillGuard). Founder Yaron Samid says BillGuard provides essentially the same third-party monitoring as the $30/mo offering from Lifelock for one-fourth the cost. And with BillGuard, users get credit/debit card transaction monitoring (powered by Yodlee) for free.

BillGuard premium benefits:

  • Credit bureau monitoring (3 bureaus in Ultimate service, 1 in Pro service)
  • Identity restoration services (via call center help)
  • 24/7 call center support
  • Lost wallet recovery
  • Social Security Number fraud alerts (Ultimate service only)
  • Black market alerts (Ultimate only)
  • $1 million insurance (Ultimate only)

Cardholders are already looking to their smartphones to stay informed of problems in real-time (case in point, BofA just integrated fraud alerts into its mobile app). So it makes sense to deliver extra protection services in-app. Although there is stiff competition from free ad-supported versions such as Credit Karma, we believe integrated protection services are a logical fee-based upgrade for mobile banking customers.

——–

Screenshots

BillGuard iOS app homescreen includes a pitch for its premium ID protection (17 June 2015)

An actual fraud alert I received after signup for BillGuard Ultimate (19 June 2015)
Note: It was from a breach in November 2013. I assume I received the alert this week since I was a new customer.

Feature Friday: Capital One Helps Users Identify Recurring Charges After Card Reissue

Card reissues after a data breach, or lost/stolen situation, are annoying for cardholders. But it’s even worse for the issuer who has to pay for a new card, hound the customer to activate it, handle customer-service calls, and then risk losing recurring revenues from now-broken automated pre-authorized charges.

So kudos to Capital One for taking an important step in solving this problem.

Earlier this week I received a new card and number from Capital One, presumably because my card had been involved in a breach. I am not aware of any unauthorized attempts to use it.

In a followup email this morning, the giant issuer reminded me to activate the new card. That’s a fairly typical technique these days. But the help didn’t end there. The bank provided a list of likely merchants where I may need to update card info to avoid the charge being denied (see screenshot below).

That’s great customer service and something I’ve not seen before. But of course I want more. The list I received was primarily merchants where I made one-off payments. Who has a recurring charge with United Airlines? So it needs to be scrubbed better. And it would help to include the most recent charge amount and number of charges to help identify actual recurring charges.

And ultimately, it would be even better if the process was semi-automatic. Let me respond to the email with a simple yes/no response for each merchant indicating if I wanted them to continue the automatic billing under the new card number. Or at least provide links to reduce the friction of the task.

But all-in-all, a welcome improvement.

———

Capital One email to cardholder (19 June 2015)

Transaction Alerts Need to Get Smarter

My inbox is far from normal. With 25 active financial accounts, all set to maximum notifications, I am drowning in email alerts, push notifications and other helpful communications. But who isn’t overloaded with missives from social media, news feeds, spambots and whatever else is competing for your attention?

Banks need to help users cut down on the noise, by offering smart alerts that don’t bog you down in trivial details. Not to pick on anyone in particular, because all my providers do pretty much the same thing (with the notable exception of BillGuard), but this alert from Bank of America today (see below) is a good example of info overload.

Yes, I’m sure I asked the bank to notify me of any card-not-present transactions. Given the number of times my card number has been breached in the past five years, it’s a good early warning. But really, do you think it’s necessary to tell me for the 89th consecutive month that you paid my $8.75 Netflix monthly fee? Really, I just want to be informed if it were to suddenly go up or be repeated.

BofA would probably want my permission to stop sending me this monthly alert. So how about a little button that says, “Don’t tell me about this charge if it’s the same next month” or something along those lines. And this should also be an option in the bank’s alert dashboard: “Please don’t alert me to repetitive monthly fees, unless they change.”

Thanks for listening.

——-
Bank of America email alert (18 Feb 2015)
——-
Source: Fraud artwork above from NCUA’s MyCreditUnion

Capital One’s Well-Designed "Suspicious Activity" Email Alert

I’ve used Capital One’s credit card fairly actively for the past 4 or 5 years. And they’ve rarely, if ever, declined a charge (and there has never been any fraud on the card). The last fraud message I can find in my email was in December 2011 (see last screenshot). But apparently our travel combined with extra holiday spending finally caused the bank’s fraud system to flag our account, rejecting a $100+ Target purchase a few days after Christmas.

I have Capital One’s mobile wallet installed which pushes near-real-time notifications to the lock screen (iOS). I did receive a notice I’d been declined, but no word on why or what to do about it. But luckily the issuer’s email system handled that task admirably. Within a few hours I received an excellent email detailing the five most recent charges, and providing a simple "all clear" button that was clickable within the email, a major improvement over issuers who merely tell you there is suspicious activity and make you call or login to find out the details.

___________________________

Analysis
___________________________

This is the best suspicious activity notice I’ve ever received. Typically, I receive a message similar to Capital One’s "old" version imploring me to call the bank (see last screenshot). However, there is still room for improvement, especially in the reporting process.

As much as the fraud folks desire a concrete yes/no answer, the real world is often full of gray areas. In this case, I was sure that I’d made all these transactions, but often that’s not the case. Sometimes you don’t recognize a merchant or your spouse may have made the charge or you simply don’t recognize something you may have authorized a while ago. There needs to be a third option here, "I’m not sure." Furthermore, when faced with a list, users should be able to address each transaction individually.

In my case, clearly the Target purchase triggered the red flag. It was a large amount, I rarely shop there, and I’d just flown 2,000 miles from my previous transaction the day before. In reality, the other transactions were pretty meaningless to the fraud detection algorithm. Even if I couldn’t remember one of the previous four routine transactions, Capital One wouldn’t have wanted to shut my account down. They’d already lost a few dollars on the declined Target transaction; there was no reason to compound that loss with costly calls to customer service to vet the other transactions.

Finally, I’m not a fan of the web pages presented after clicking on the "Everything’s OK" or "There’s an issue" button (see second and third screenshots). The bank gets points for thanking me for my help, but they forget to apologize for the inconvenience of declining my purchase at Target. It’s pretty embarrassing to be standing at the checkout with a basket full of goods while everyone thinks you are a deadbeat.

The webpage responses don’t go very far in telling me what to do next. Even if I’d given the all clear, I still have questions. Which of the transactions, if any, were declined? Will the declined transaction go through now that I’ve said it’s OK? And how can I avoid this in the future?

And if I did have issues with one or more of the transactions, the only option is to call the bank, and there isn’t even a number supplied. Aren’t there self-service options at this point that could save everyone some time?

—————————–

Suspicious activity email from Capital One (28 Dec 2014)

Webpage after clicking "Everything’s OK" above

Webpage after clicking "There’s an issue" above

Previous Capital One Fraud Alert (16 Dec 2011)

Launching: “Final” Credit Card with Integrated Disposable Card Numbers Captures Imagination of Product Hunt Geeks

Product Hunt is the newest website catering to tech enthusiasts. Each day 40 to 50 new products or new product features are featured on the site. Anyone who has registered is allowed to upvote any of the submissions and a continually updated leaderboard surfaces the hottest products of the day. Then at midnight, the whole thing resets, and 40 to 50 more products get their 24 hours of fame. I’ve been following it for a few months and have seen that while only two or three fintech entries appear each week, they tend to be popular (which could be a function of their scarcity). But rarely, if ever, do they climb to the top. And this week, not one, but two companies have dominated their day on Product Hunt.

On Tuesday, the Plastc Card (yes, spell check, no “i”) garnered 545 votes, almost 200 more than runner-up Student Developer Pack. Plastc is similar to Coin, a computerized credit card that can hold multiple mag-stripe cards in a single piece of plastic, planning to ship to pre-order backers in the first half of 2015. Plastc holds more cards, has an e-Ink display, and at $169, costs more than three times the pre-order price of Coin.

On Wednesday, fintech ruled Product Hunt again, with new security-minded credit card Final gaining more than 900 upvotes, 600 more than the next-closest newcomer, Clearbit. I believe it’s the record for a financial product, eclipsing Plastc’s from the day before.

What is Final?
Final is a standard mag-stripe (and chip) credit card with a companion mobile app and desktop dashboard. The card is upping the security ante by incorporating easy-to-use disposable (aka temporary) card numbers for ecommerce (card not present). It allows users to designate a unique number for every online merchant, so it’s easy to shut that merchant off if you don’t want them to be able to charge your card again. Users can also set transaction limits by merchants to make sure there are no overcharges.

Final also plans to offer advanced controls for brick and mortar purchases. Purchases could be allowed at only certain merchant categories, for example. And Final’s card will be able to be tethered to your smartphone allowing chip-and-pin purchases only when the two are in close proximity to each other. 

The card-management app offers PFM features not unlike what Moven and Simple offer today. But there is more emphasis on fraud controls and ridding yourself of “gray charges” à la BillGuard (see inset). In fact, the best way to think of Final is a credit card version of a Moven/BillGuard mashup. It is to credit cards what Simple was to checking accounts. A winning combination of good design, consumer advocacy and a bit of tech flair.

The startup is still looking for a credit card issuer-partner (attention Capital One, this could be your 360 credit card), so pricing is not available. However, CEO Matt Rothstein told me yesterday that they plan to make the card fee-free. In fact, they are looking at the business as much more than just a security play. They are focused on consumer advocacy and helping consumers rein in their spending (see first screenshot).

Final Thoughts
Final is part of the current batch at TechStars Boulder and is pitching at its Demo Day today. The company has 2,200 people on its waitlist (Update: As of noon Pacific on 10 Oct 2014, the number has jumped to more than 21,000). Not a bad first-24-hours out of stealth. There is clearly consumer demand for more card controls, to avoid outright fraud, fight merchant overcharges and rein in overspending.

Most of the newcomers that have gone down this path have used prepaid debit cards and/or account aggregation. We haven’t seen an ambitious startup credit card play since well before the 2008 meltdown. Final will benefit from substantially higher interchange (albeit shared with its partner), but will also have to deal with rejecting the credit applications from a significant portion of its waitlist. That will not be easy to explain to the early adopter crowd, who will likely take their case to social media (note 1).

But overall, I’m a big fan of what they are trying to do, and expect to be following Final for a long time, unless they get swooped up by a large issuer right out of the gate.

———————————-

Final desktop card management area: Transaction view (9 Oct 2014)
Notes:
A.) Current balance and monthly goal dominate top of page.
B.) Customer service, and a log of recent inquiries, appears in right sidebar

Final desktop card management area: Budget view

——————————-

Note:
1. I’d advise having a prepaid card backup to mitigate the rejected applicant backlash.

Winning Checking/Deposits from Established Small Businesses

I was asked recently what it would take for me to move my business deposit relationship. My immediate answer: “There is nothing you could do to get me to move.”

We have changed banks only once in our 20-year history, moving to Washington Mutual (now Chase) in 2007 in order to get a better line of credit (which ironically, was never granted, as WaMu was about to go into a death spiral).

We’ve been happy with Chase for the most part, and now have so many services and payees connected to it, that I can’t imagine going through the headache of changing. Even if another bank or CU offered a fee-free account that matched Chase feature for feature, it’s just not worth the considerable investment in time and energy to switch.  

But a few minutes later I changed my mind. Yes, there is one thing that would make me move my entire business account. And it’s so basic that it seems ridiculous that I’d even have to ask for it.

It’s the one thing that Chase, or any bank that I know of, isn’t currently delivering to small business owners:

Guaranteed safety of our funds against all fraud/theft

Chase has state-of-the-art security as far as I can tell (e.g., two-factor authentication for all the risky moves). And we’ve never had a problem. However, every time I read about some nonprofit or small business having their account drained after a successful key-logging attack, I get that queasy feeling.

And I’m not even asking for the fraud guarantee to be free. I’d be more than willing to pay for it. How about $25/month for the first $100,000 covered, then $10 to $15 per $100,000 thereafter? That should be enough to make it a decent profit center for the bank and I could sleep better (note 1). A win-win.

————————-

Note
1. Two years ago, I was encouraged by the new offering from EFTGuard (see post). They were offering coverage of $100,000 per account up to $500,000 total per customer. Insured customers were required to use fraud-monitoring software from Trusteer, Iron Key or Webroot. The price was $25/mo to the end-user with $10 of that pocketed by the bank distribution partner. But I haven’t run across any banks currently offering it.

Apple Touches Off First Wave of Mobile Banking Biometrics

We’ve known this day was coming ever since Apple acquired AuthenTec two years ago for $350 million. That was real money back in the pre-Beats/Nest/Oculus days.

Monday, Apple made it official at its annual developers’ conference: The fingerprint authentication system built into the iPhone 5S (Touch ID) will open to outside developers in the next iOS update (v8.0 expected in mid-September). That means that app publishers, including banks, credit unions & wallet providers, will be able to use it to provide initial authorization into a secure app. 

The new feature was demonstrated on stage by logging in to Mint (see inset, screen cap tweeted by Bradley Leimer Monday). In the demo, Mint users are prompted to use the touchpad to open the app (the small type says, “Please authenticate in order to proceed”). Users are also given a password option.

Most likely, banks will use Touch ID, as well as other handset-resident biometric systems (note 1) to deliver “read-only” access to data. It’s an approach that’s been catching on around the world even before Apple’s biometric wizardry. Citibank is the most recent to provide a no-login glimpse in its mobile app (called SnapShot), rolling it out nationwide two weeks ago (press release). It’s also used at Westpac (NZ), Commonwealth (AU), Bank of the West, City Bank of Texas and many more (note 2).

For anything transactional, such as a wire transfer, banks will likely require additional authentication (see our Nine Circles of Security).

And of course, these security changes will generally need to be optional for customers until they become commonly accepted practices. Most users are still extremely wary of security on mobile phones, even though it is a marked improvement over the desktop (note 3).

While it’s too early to know if any financial institutions will have it enabled by September, one fintech payment provider, CardFlight, wasted no time, announcing support for Touch ID just a few hours after the Apple keynote (note 4).

—————————

Notes:
1. Celent’s Jacob Jegher showed me his facial recognition login on his Android phone (Samsung?) at last month’s FinovateSpring. Very cool, though he doesn’t have it enabled since it slows up the login process just slightly.
2. Malauzai Software powers more than 90 credit unions and banks alone (post).
3. See our latest report on Mobile Security (March 2014, subscription) for more info.
4. Cardflight will be showing off its latest tools at our first developer event, FinDEVr, 30 Sep 2014, in San Francisco.