FinovateSpring: Cyber Security, Branch Banking, Partnerships, Financial Wellness, and More

Cyber security is finally at the frontline of conversations, but is it that easy?

Today we chatted with Sean Sposito, Security Analyst at Javelin Strategy, about the challenges that financial services companies have when dealing with cyber security. While awareness of cyber security has never been higher, Sposito asks whether that really equals an impenetrable wall.

Banks: who do you want to be when you grow up?

We ask John Waupsh, Chief Innovation Officer at Kasasa, where the branch stands. “Consumers, including millennials, still want to go into the branch and talk to somebody,” Waupsh says. But he counters that banks should be investing in a future of embedded banking.

FI + Core Vendor + Fintech: What it takes to make the partnership work

Tina Giorgio, President & CEO of ICBA Bancard, speaks with us live at FinovateSpring 2018 about the three Ts (time, talent, and treasure) that can guide community banks as they seek to adopt new technologies.

Financial wellness first: transforming the digital experience

“As a financial services industry, we have not yet been able to help a customer understand that the decisions that they make today impact their short and long-term goals,” says Tiffani Montez, Retail Banking Senior Analyst for Aite Group. Taking a new perspective on the digital experience, Montez addresses the key themes that can be facilitated by keeping financial wellness at the forefront: mobile experience, the role of the branch, and reinventing the checking account.

Security scars are key to innovation

“What’s your surface area and what are you defending?” is the first question you should be asking yourself when considering cyber security, according to Ben Johnson, CTO & Co-Founder, Obsidian Security. We speak to him live at FinovateSpring 2018 about the best practice and innovations in cyber security today.

“Banks can’t be everything for everyone”

We speak to Alex Jimenez, Vice President Senior Strategist at Zions Bancorporation, about the key takeaways from the panels he participated in that address payments and platformization.

 

Solving the False Positive Problem in Credit/Debit Authorizations

For the third year in a row, I traveled from Seattle to the L.A.-area to drop off my son at college. And for the third year in a row, Bank of America declined my card at Target, buying groceries and incidentals for him. And this time it was an EMV chip-card. Thank goodness I had my trusty Capital One card along, because it seems to do a far better job minimizing false positives (for fraud), at least for my account.

Capital One did have its concerns along the way, though. They sent the following email asking for confirmation that these gas-station authorizations were mine. And even though I didn’t respond right away, perhaps 12 to 18 hours later, they never shut off my card.

capital_one_charge_confirmation

Bank of America also sent a similar email, but it arrived AFTER the card was declined. I understand the bank’s need to terminate suspicious transactions, but is it really that suspicious? For three years running, I’ve shown up in Los Angeles the last week of August (along with visits in between) and gone on a bit of a spending spree to stock my son’s dorm and now apartment (you’re welcome, boys!). Furthermore, I had already used the card to book an L.A. hotel, make some low-level but consistent charges along the way, coffee at Seatac, lunch in West L.A., and so on. But when I try to buy $150 in groceries at Ralph’s or Target, the card is declined, and worse, completely shut off from further purchasing.

Bottom line: My point here isn’t to complain about one issuer’s fraud-handling (although it felt good to get that off my chest), but to implore once again for more integration with smartphones to reduce false positives. Specifically:

  1. Talk to me on the most immediate channel. Both banks sent emails, but I’m on the road, not checking emails. Pop a notification on the screen and send me a text message. Also, in instances of two account holders, make sure fraud alerts go to both (BofA emailed only my wife).
  2. Know me better. I get that Target in Tustin is outside my normal spending bubble. But I have a history of making charges in that area for 2+ years, so cut me a little slack.
  3. Better yet, know where I am. How many hundreds of millions could BofA save by tracking cardholder whereabouts in the background? I let Starbucks, Google, Yelp, and so on track my location. The benefits of them knowing where I am outweigh the privacy risks. The same goes for my bank.

——————–

Note: Looking forward to seeing everyone at Finovate this coming week. Let me know if there is anything you want to discuss (jim@finovate.com).

Success in Financial Services Starts with Trust

bank_vault

There is a reason why startups have captured approximately 0% of bank deposits a full two decades into the internet era. TRUST. Anyone hoping to get consumers to transfer thousands of dollars their way must first win the trust battle. That means a killer combination of brand name, convenience, service, transparency, performance guarantees or measurable price/performance advantage.

I’m not saying you need to max out on all those variables; that’s not sustainable cost-wise. But you need to get to minimum levels on all and excel in one or two.

This isn’t news to anyone who’s been involved in the financial services space for more than a few months. But I was reminded of how newcomers are their own worst enemy sometimes when I got the following message from Coin today.

Now don’t get me wrong. I am a huge fan of the space (Dynamics is the pioneer in advanced cards, taking home yet another Best of Show award at Finovate two weeks ago, and we watched Stratos unveil their card at FinovateSpring). And I can understand that there will be delays when 400,000 people preorder your new hardware when you were expecting a tenth of that. But if you want me to entrust my cards to you, be forthcoming in all your communications.

Apparently, I’ll be getting my Coin in October, the last of the original 2013 preorders to ship (Coin’s website says new orders will begin shipping in November). The good news after the long wait is that I’m getting the next-gen EMV version, an important improvement over what I paid $50 for 22 months ago.

But I don’t think the company is doing itself any favors with the disingenuous FAQ on the email:

Q. Why am I receiving Coin 2.0 if I never received Coin 1.0?
(My translation: Why has it taken almost two years to get this thing?)

A. Your first generation Coin was scheduled to arrive next month. But as we just announced, Coin 2.0, we have given you a free upgrade!
(My translation: It took so long to manufacture this thing, the world moved to a new standard, so we had to ship you the new one even though it cost us a bunch more to make.)

Bottom line: Coin has had a tough two years dealing with unprecedented demand (as far as new fintech is concerned) and not uncommon hardware delays. Now, they need to get back on track by telling their mostly patient customers the whole truth and nothing but the truth.

—————

Email from Coin to the last of its preorder customers (30 Sep 2015)

coin_email

Photo credit: Flickr

Finovate Debuts: Pirean’s “Access: One” Keeps Access Management Simple

PireanHomepage

Pirean is an identity- and access-management as-a-service company. It addresses both employee and end-user needs, offering access to online banking apps in a secure environment. The company helps banks improve security practices in a low-cost way.

Pirean facts:

  • 55 employees
  • Privately held
  • Self-funded
  • Founded 2002
  • Headquartered in London

At FinovateEurope 2015, Pirean debuted Access: One, its flagship product. With Access: One, financial institutions get a platform that matches their branding and makes interaction easy for both employees and customers.

Financial institution employees

The employee portal (pictured below) offers access to a variety of management functions and enables the administrator to generate and customize users’ application dashboards. The administrator can also create and edit identity and access management (IAM) workflows and view security performance data.

Access: One enables the administrator to determine the level of security required for each user-facing app. For example, if they would like a trading account to be more secure, they can require two-factor authentication. Pirean offers the option to use either Google Authenticator or SMS as the second-factor challenge.
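The per-application step-up described above is easy to reason about in code. The example below is an added illustration, not Pirean’s code: a policy table marks which applications require a second factor, and the verifier implements RFC 6238 TOTP (the algorithm Google Authenticator uses) over RFC 4226 HOTP using only the Python standard library. The application names, the policy table and the enrolment secret (the RFC 4226 test key) are constructed. Of the two second factors mentioned, SMS is the weaker: NIST SP 800-63B treats codes delivered over the telephone network as a restricted authenticator because they can be intercepted or redirected through number porting and SIM swaps.

```python
"""Per-application step-up authentication with a TOTP second factor.

Added example, not Pirean's code. Every user-facing application carries a
flag saying whether a second factor is required; the trading account does.
The TOTP verifier implements RFC 6238 over RFC 4226 (HOTP). App names,
policy table and secret are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Hypothetical admin policy: application -> second factor required?
APP_POLICY: Dict[str, bool] = {
    "cash_account": False,
    "trading_account": True,
    "identity_settings": True,
}

# Constructed enrolment secret: the RFC 4226 test key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift.

    Each comparison is constant-time so response timing cannot leak digits.
    """
    step = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret_b32, step + drift).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


def authorize(app: str, mfa_done_this_session: bool, secret_b32: str,
              code: Optional[str], unix_time: int) -> Tuple[bool, str]:
    """Decide whether a logged-in user may open `app`, applying the step-up policy."""
    if app not in APP_POLICY:
        return False, "unknown application"
    if not APP_POLICY[app] or mfa_done_this_session:
        return True, "allowed"
    if code is None:
        return False, "step-up required"  # the UI should now prompt for the code
    if verify_totp(secret_b32, code, unix_time):
        return True, "allowed after step-up"
    return False, "invalid code"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code at this step is 287082
    print(totp(DEMO_SECRET_B32, t))
    print(authorize("cash_account", False, DEMO_SECRET_B32, None, t))
    print(authorize("trading_account", False, DEMO_SECRET_B32, None, t))
    print(authorize("trading_account", False, DEMO_SECRET_B32, totp(DEMO_SECRET_B32, t), t))
```

In production the `mfa_done_this_session` flag should itself expire, and the verifier should remember the last accepted time step per user so a captured code cannot be replayed inside the drift window.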

PireanAdmin

This screenshot below shows how the administrator adds, edits and removes banking applications from an application dashboard.

In this example, the administrator is adding a cash account, a trading account, and a user-identity application that allows users to change their password, set preferences, and reset security questions.

The easy-to-edit nature helps banks quickly adapt to changing business needs and customer relationships.

PireanAdminApplications

End customers

While the example below shows a customer’s view of bank applications on the Access: One dashboard, Pirean also offers banks the option to integrate Access: One APIs directly with their website.

To create a unified banking experience, banks customize the user-facing platform to match their brand and promote special offers. The clean interface provides access to cash and trading accounts, as well as account settings, user information, and links to partner services.

PireanUserInterface

What’s next

Pirean will have two major partners going live in the next couple of months.

Pirean debuted Access: One at FinovateEurope 2015 in London.

In Partnership with Equifax, Zumigo Further Protects Merchants

ZumigoHomepage

Online merchants generally rely on a card’s CVV number to protect against fraud, but that 3-digit code is easy for a fraudster to obtain. Today, Zumigo is helping to change that by launching an enhancement to its payment validation service, Assure Payments.

In a partnership with Equifax, the San Jose-based company is making it more difficult for a fraudster to complete an online purchase using stolen card credentials. This ultimately protects merchants against chargebacks.

During the online checkout flow, Zumigo asks the customer to provide information such as name, address, and mobile number. It verifies those details by matching them against Equifax’s mobile billing records. As a secondary verification method, Zumigo compares the location of the customer’s mobile phone with their IP address and shipping address.

Here’s a sample risk analysis:

ZumigoPaymentsResultsNegative

When some data points do not match up, as in the example above, the merchant identifies the transaction as high-risk, and is advised to take further measures to verify the purchaser’s identity.
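The checks described above reduce to a small scoring function. The example below is an added illustration, not Zumigo’s or Equifax’s code: the name, address and mobile number typed at checkout are matched against a carrier billing record, the phone’s location is compared with the IP geolocation and the geocoded shipping address, and every mismatched data point becomes a reason that pushes the transaction toward high risk. The records, coordinates, 50 km threshold and low/medium/high buckets are constructed assumptions.

```python
"""Checkout risk scoring from identity and location signals.

Added example, not Zumigo's or Equifax's code. Implements the checks the text
describes: form fields matched against a carrier billing record, and phone
location compared with IP geolocation and shipping address. All records,
coordinates and thresholds are constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Point:
    lat: float
    lon: float


def haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def norm_text(s: str) -> str:
    """Case- and punctuation-insensitive comparison key for names and addresses."""
    return " ".join(s.lower().replace(",", " ").replace(".", " ").split())


def norm_phone(s: str) -> str:
    """Keep digits only and compare the national 10-digit part (drops a +1 prefix)."""
    return "".join(ch for ch in s if ch.isdigit())[-10:]


def score_checkout(form: Dict[str, str], billing: Dict[str, str],
                   phone_loc: Point, ip_loc: Point, ship_loc: Point,
                   max_km: float = 50.0) -> Tuple[str, List[str]]:
    """Return (risk, reasons). Every mismatched data point adds one reason."""
    reasons: List[str] = []
    if norm_text(form["name"]) != norm_text(billing["name"]):
        reasons.append("name does not match carrier billing record")
    if norm_text(form["address"]) != norm_text(billing["address"]):
        reasons.append("address does not match carrier billing record")
    if norm_phone(form["mobile"]) != norm_phone(billing["mobile"]):
        reasons.append("mobile number does not match carrier billing record")
    if haversine_km(phone_loc, ip_loc) > max_km:
        reasons.append(f"phone is more than {max_km:.0f} km from IP geolocation")
    if haversine_km(phone_loc, ship_loc) > max_km:
        reasons.append(f"phone is more than {max_km:.0f} km from shipping address")
    if not reasons:
        risk = "low"
    elif len(reasons) == 1:
        risk = "medium"  # one mismatch: a lightweight extra check may suffice
    else:
        risk = "high"    # several mismatches: merchant should verify identity
    return risk, reasons


# Constructed sample data (not real people, numbers or records).
SAN_JOSE = Point(37.3382, -121.8863)
LOS_ANGELES = Point(34.0522, -118.2437)
BILLING_RECORD = {"name": "jane q doe", "address": "100 main st san jose ca",
                  "mobile": "408-555-0100"}
GOOD_FORM = {"name": "Jane Q. Doe", "address": "100 Main St., San Jose, CA",
             "mobile": "+1 (408) 555-0100"}
BAD_FORM = {"name": "John Smith", "address": "100 Main St., San Jose, CA",
            "mobile": "+1 (408) 555-0100"}


if __name__ == "__main__":
    print(score_checkout(GOOD_FORM, BILLING_RECORD, SAN_JOSE, SAN_JOSE, SAN_JOSE))
    print(score_checkout(BAD_FORM, BILLING_RECORD, SAN_JOSE, SAN_JOSE, LOS_ANGELES))
```

The distance threshold is the knob to tune: legitimate travellers (the earlier post about a declined card in Los Angeles is the classic case) will trip the location checks, so a single location mismatch should trigger a cheaper verification step rather than a hard decline.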

At FinovateSpring 2014, Zumigo launched Assure, which automatically populates forms on behalf of consumers for easy checkout flow or account opening. Both solutions are available to merchants via an API integration into their mobile or web checkout flow.

Feature Friday: Wow! More City Bank Texas Mobile Controls for Debit Cards

Luckily, I ran into Jim Simpson, SVP IT at City Bank Texas, at Finovate Tuesday, or I might have missed his bank’s significant new app update this week.

I am so impressed with what they are doing down there in Lubbock. First, it was the debit card on/off switch a few months ago. And now they just added three new control switches (see inset):

  • Increase daily withdrawal limit at the ATM
  • Increase daily debit card purchasing limit
  • Allow foreign transactions

All three controls temporarily increase limits so customers can easily approve their own authorization exceptions (within limits). 
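The interesting design point in these controls is that a self-approved exception is both bounded and temporary. The example below is an added illustration, not City Bank’s or Malauzai’s code: a customer can raise the ATM or purchase limit for a fixed number of hours or allow foreign transactions for a number of days, the bank still enforces a hard ceiling on how far a limit may be raised, and the increase lapses on its own. All limits, caps, durations and transactions are constructed.

```python
"""Debit-card authorization with customer-set controls and expiring limit increases.

Added example, not City Bank's or Malauzai's code. Models the controls the text
describes: card on/off, ATM and purchase daily limits, foreign transactions.
Limits, bank caps, durations and transactions are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical bank-side ceilings the customer may never exceed, in whole dollars.
BANK_CAPS: Dict[str, int] = {"atm": 1500, "purchase": 5000}

T0 = datetime(2012, 5, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Override:
    amount: int
    expires_at: datetime


@dataclass
class CardControls:
    enabled: bool = True
    base_limits: Dict[str, int] = field(default_factory=lambda: {"atm": 500, "purchase": 1500})
    overrides: Dict[str, Override] = field(default_factory=dict)
    foreign_until: Optional[datetime] = None

    def raise_limit(self, kind: str, amount: int, hours: int, now: datetime) -> bool:
        """Customer self-service increase; refused above the bank cap or below the base."""
        if kind not in BANK_CAPS or amount > BANK_CAPS[kind] or amount <= self.base_limits[kind]:
            return False
        self.overrides[kind] = Override(amount, now + timedelta(hours=hours))
        return True

    def allow_foreign(self, days: int, now: datetime) -> None:
        self.foreign_until = now + timedelta(days=days)

    def effective_limit(self, kind: str, now: datetime) -> int:
        ov = self.overrides.get(kind)
        return ov.amount if ov and now < ov.expires_at else self.base_limits[kind]

    def foreign_ok(self, now: datetime) -> bool:
        return self.foreign_until is not None and now < self.foreign_until


@dataclass(frozen=True)
class Transaction:
    amount: int
    kind: str      # "atm" or "purchase"
    country: str   # country code of the merchant or ATM
    at: datetime


def authorize(controls: CardControls, txn: Transaction, spent_today: Dict[str, int],
              home_country: str = "US") -> Tuple[bool, str]:
    """Authorization decision; `spent_today` is the running total per kind for the day."""
    if not controls.enabled:
        return False, "card is turned off"
    if txn.country != home_country and not controls.foreign_ok(txn.at):
        return False, "foreign transactions are blocked"
    limit = controls.effective_limit(txn.kind, txn.at)
    if spent_today.get(txn.kind, 0) + txn.amount > limit:
        return False, f"would exceed daily {txn.kind} limit of {limit}"
    spent_today[txn.kind] = spent_today.get(txn.kind, 0) + txn.amount
    return True, "approved"


def run_scenario() -> List[Tuple[bool, str]]:
    """Walk through the limit-raise lifecycle; returns each authorization decision."""
    c = CardControls()
    spent: Dict[str, int] = {}
    results = []
    results.append(authorize(c, Transaction(600, "atm", "US", T0), spent))     # declined: 500 limit
    c.raise_limit("atm", 1000, hours=24, now=T0)
    results.append(authorize(c, Transaction(600, "atm", "US", T0), spent))     # approved under 1000
    results.append(authorize(c, Transaction(500, "atm", "US", T0), spent))     # declined: 1100 > 1000
    expired = T0 + timedelta(hours=25)
    results.append(authorize(c, Transaction(600, "atm", "US", expired), {}))   # declined: back to 500
    results.append(authorize(c, Transaction(50, "purchase", "MX", T0), {}))    # declined: foreign blocked
    c.allow_foreign(days=7, now=T0)
    results.append(authorize(c, Transaction(50, "purchase", "MX", T0), {}))    # approved
    return results


if __name__ == "__main__":
    for ok, reason in run_scenario():
        print("APPROVED" if ok else "DECLINED", reason)
```

Because the customer sets these controls from the same app that moves money, the change itself should be treated as a sensitive action: log it, notify the cardholder on another channel, and require re-authentication before a limit increase takes effect.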

Bottom line: Putting more control into the customers’ hands is what mobile banking is all about. And City Bank has taken the lead.

But they are just getting started. From what Jim told me this week, they have plenty of other ideas in the hopper. Keep an eye on these guys. 

Update 17 May: I neglected to mention that the software is from Austin, TX-based Malauzai Software.

Design: Three Fixes Needed to Make Mobile Banking as Widely Used as a Weather App

Today I noticed something in Square’s latest Card Case app that I’d missed when it was announced last month. It’s a feature they call "tilt to map" which means that if you turn the phone sideways you see a map of nearby locations using Square (see inset, note 1).

That’s one of those slick, mobile tricks (like remote deposit) that you can’t quite duplicate on the desktop. However, none of the mobile features have pulled me away from desktop banking, yet.

Why? Partly, it’s because I have a laptop with me 24/7 and am almost always in a wifi zone. But even so, I’ve switched to mobile for most other low-bandwidth information services such as weather, traffic, maps, sports scores, movie times, Twitter feed, flight tracking, concert calendar, renting movies, and so on.

What will it take to get banking on this list?

Three fundamental issues need to be solved (with relative magnitude in parenthesis):

1. Make it much easier to log in (60%)
None of the mobile info services I use regularly require any type of login (after initial registration). Banks often allow the username to be saved, which helps, but the typical 8+ character alphanumeric password is still not a good user experience on mobile. A four or five-digit numerical PIN would solve 80% of this problem. Or even better, offer read-only access to certain data.

2. Make it easier to navigate (30%)
There should be almost no navigation required to see my balance and transaction stream. Square’s "tilt-to" function could be used by a bank to display account balances in portrait mode and a transaction stream in landscape.  

3. Provide security education & guarantees (10%)
This is not an issue for me. In general, I think mobile banking is more secure than desktop (see note 2). But the general public is still unsure about mobile security. You can change this by providing understandable security guarantees for mobile users.

—–

Notes:
1. ING Direct also uses the same trick, displaying links to its social media sites when the app is tilted to landscape mode.
2. For more on improving security perceptions, see our latest Online Banking Report.

Launching: EFTGuard Provides $500k in Online Fraud Protection for Business Banking Customers

That was fast. Just two weeks after my latest appeal to the industry to provide small business owners with more security options, a new product launched today aims to do just that. And it’s packaged as a turn-key, fee-based service that could be sold by banks at a $10+ per month profit (MSRP is $25/mo).

That all sounds too good to be true. When I was first contacted by Greenway Solutions last week, I was more than a bit skeptical. But after speaking with CEO Jerry Tylman and Managing Consultant Jon Meyer, I was convinced they had something that as a business owner, I’d definitely buy.

The product, EFTGuard, is a joint venture between Greenway Solutions and Royal Group Services. They say it’s a “win-win-win” for banks:

  • Helps banks meet “UCC requirement for commercially reasonable security and their FFIEC requirement for customer education and awareness”
  • Provides peace of mind to bank clients
  • Protects both the bank and each client up to $500,000 in unauthorized online transfers
  • Helps differentiate checking and deposit offerings

____________________________________________

How it works
____________________________________________

EFTGuard provides protection against fraudulent online-account withdrawals of $100,000 per account (with no deductible), with a maximum of $500,000 per customer. And because it’s not true “insurance” (it just behaves like it), there is no underwriting hassle and the product can be purchased in just a few minutes via online form (demo here). There is, however, the usual list of coverage exclusions; for example, it doesn’t cover insider theft. 

The catch? To qualify, business customers must download and install anti-malware software from Trusteer, IronKey, or Webroot. And every computer accessing the business account must be running these protective software programs. For the time being, that appears to leave out any mobile access.

Initially, banks looking to offer EFTGuard will need to work with one of these three malware-protection vendors in order to qualify their clients for the fraud protection. Other than that, EFTGuard is turn-key and comes with marketing support, a co-branded signup page, and full claims management.

The $500,000 coverage is backed by Chartis Specialty Insurance Company.

__________________________________________

Bottom line
__________________________________________

Your business customers are rightly concerned about fraud. Offering them an option to protect themselves is a great way to differentiate your deposit offerings while preventing you from getting bogged down in messy litigation with your customers.

I still have questions about how often the list of exclusions will invalidate claims when actual fraud occurs. But the company assures me that the protections are very real.

Assuming EFTGuard delivers on its protection promise AND creates a small profit center, what’s not to like? I, for one, will be the first business owner in line to buy it. 

——————-

EFTGuard homepage (24 April 2012)


———-

Note:
1. I believe insurance is one of the best growth areas in retail banking, especially in niche lines that can be explained and delivered online (see our December Online Banking Report for more about banks delivering insurance online).

New Online Banking Report Published: Delivering that Secure Feeling

OK, let’s think this through. Consumers have been concerned about the security of online banking for more than a decade. Technology tools are available to ease their anxiety. So, why aren’t these tools readily available?

The answer is that most security enhancements don’t pay their own way in terms of reduced fraud. Therefore, these “nice to have” features languish in the priority queue with little hope of getting implemented.

So do we just let customers continue to needlessly fret about the security of their financial accounts?

No, that just irritates already fed-up customers and invites more independent competitors to the table to provide the missing benefits (e.g., BillGuard, Credit Karma, Mint).

Instead, why not move to the win-win solution: Charge an optional subscription fee for extra “peace of mind,” but only to customers who want it. Or offer the value-adds free of charge for customers who help you lower costs by using self-service channels and forgoing printed statements.

But wait. Aren’t fees dead after the BofA debacle a few months ago?

While that was a very real customer backlash, optional fees are still possible. Just keep these rules in mind:

  • Fees for extra security should NEVER be mandatory; instead, offer a “security bundle” that goes above and beyond the normal state of the art
  • Do not charge a fee for any security feature you already offer free of charge (the big problem with the ill-fated debit card monthly fee)
  • Do not charge for a security feature that is typically delivered free of charge by others in the industry
  • It’s better to bundle a group of extra security features into a relatively low-priced subscription bundle

In our new 48-page report we cover:

  • 12 design elements to make your website feel more secure
  • 7 potential positive elements for your business case
  • 5 talking points for staff education before implementing a subscription fee
  • 37 potential security enhancements to bundle into an “extra security” subscription offering
  • 72 additional security features to consider
  • 5 customer segments to target with a fee-based package account
  • Overview of three promising security services:
    — Anti-virus for transactions from BillGuard
    — Self-service suspicious activity reporting from Bank of America
    — Virtual safe deposit from Northwest FCU, powered by DigitalMailer

__________________________________________________________________

About the report
__________________________________________________________________

Delivering that Secure Feeling (link)
Help consumers reduce perceived risks (for a price)

Author: Jim Bruene, Editor & Founder

Published: 4 April 2012

Length: 48 pages, 8 tables, 12,000 words

Cost: No extra charge to OBR subscribers, US$395 for others here

__________________________________________________________________

Sample screenshot: Barclays (UK) offers online banking customers free anti-virus software from Kaspersky

clip_image002

ING Direct Read-Only Access Code for Third-Party PFMs

To my knowledge, ING Direct is the only major U.S. bank blocking third-party PFM access. But users can direct their PFM around the gate with a special "read-only" access code.

How it works
It’s not particularly easy to find, buried three levels deep in MyAccounts | Preferences | Access Code.

The default setting is Blocked, as you can see in the first screenshot below.

But once you find the page, it couldn’t be simpler to set up. Simply press the blue Create Access Code button in the upper right, and in a split second, you have created a read-only access code and opened your account to PFM access.

To change back, you merely click the "Block" button in upper right.

The only thing missing is an explanation of what to do with the Access Code. Is it the username or password? While that’s explained in a link from the first page, it’s not on the second page where you need it. (BTW, it’s the password).

The bank also confirmed the new code via email right away (third screenshot).

—————————————————–

Access code main page (20 Oct 2011)

ING Direct create access code page

New access code

New read-only access created at ING Direct

Email confirmation

ING Direct access code confirmation email

———————————-

Note: OBR subscribers can access our previous reports on security at OnlineBankingReport.com (published in 1999, 2003, 2004, 2005, 2007 and 2008).

ING Direct Raises the Security Bar Again with Checkbook Activation

ING Direct has brought a number of security innovations to the United States: 

  • Password entry via pin pad instead of keyboard
  • Trusteer “safe login” browser plugin (previous post)
  • Challenge questions at login (when needed)

Now add a fourth item to that list:

  • Authorization required when a new book of paper checks is ordered (see update below)

ING Direct, which famously eschewed paper checks when it launched a checking account, Electric Orange, in 2007, recently began offering a paper-check option. True to form, ING Direct added a few twists to standard industry practices:

  • Paper checks can be bought only in quantities of 50
  • Each order is just $5
  • Only one set of 50 can be ordered at a time (but once they have been authorized, another set can be ordered)
  • Before the checks can be used, the book of 50 must be activated online (similar to credit/debit card authorization)
  • Because the order must be authorized, third-party paper checks will not work at ING Direct (another security improvement)

_____________________________________________________________________

How it works
_____________________________________________________________________

The bank isn’t exactly pushing paper checkbooks. There are no obvious links to the option on the primary or secondary navigation. Users must click on the Payments tab, then select Overview on the secondary navigation. That brings up a list of the ways to make payments, with “Checkbook” listed half-way down the page (see below).

New paper-check option at ING Direct (12 Aug. 2011)

ING Direct's paper check book option 12 Aug 2011

And the bank’s order form is drop-dead simple, unlike most major banks which drop you to a third-party order-entry site.

One-click check-ordering process

One-click check ordering process at ING Direct

Confirmation screen explains next steps

Confirmation screen explains next steps

________________________________________________________________________

My take
________________________________________________________________________

Offering paper checks is a good move. Most U.S. customers still need the occasional paper check, and waiting 5 days for ING Direct to send one out on your behalf was slow and cumbersome.

And I really like the authorization feature. Since I was old enough to know about check fraud, I’ve always felt that a book of checks sitting in my mailbox was a bit disconcerting. This solves that worry.

Finally, the $5 per 50 pricing is consumer friendly and competitive. The lower quantity (compared to typical 150-200 orders) subtly discourages paper-check usage, but the price is in line with other financial institutions, which typically charge $15 to $25 per 200 checks (note 1).

——————————————-

PS. ING Direct must be very close to launching remote check deposit. It has a “stay tuned” message posted under the “Deposit Checks” tab in secondary navigation (see below). 

ING Direct’s website implies that remote check deposit is coming soon (12 Aug. 2011)

ING Direct's website implies that remote check deposit is coming soon

Update (16 Aug. 2011): I heard from Citibank today. Apparently, they’ve used checkbook authorization for online account opening since 2007.

Notes:
1. And you can pay more: Chase recently dinged me for $23 for a book of 50 money-market checks (which I didn’t ask for) when I opened a new business savings account. In comparison, I earned $0.40 (before tax) in interest on the balance. That means it would take more than 7 years to earn enough interest to pay for the book of checks. But I’ll give Chase credit for immediately reversing the fee after I dropped the unwanted checks off at the branch. 
2. Apparently ING Direct changed its homepage navigation items earlier this year. The overall minimalist design remains unchanged. But now, in addition to View My Account, the bank offers three choices: Banking, Investing or Retirement. Previously, there were only two other choices: Open an account and Learn more.

Out of the Inbox: Bank of America’s "Irregular Credit Card Activity" Alert

Several months ago (previous post), I wrote about Bank of America’s online fraud-warning resolution center for consumer cards, MyFraudProtection. It’s a great service, though a little hard to use.

At that time, I showed only the online functions. The more important piece is the email alert (below). It’s a great way not only to reduce fraud, but also maintain good customer relations.

But it’s still read-only. What I’m really waiting for is a truly two-way email, or better yet, text message. That way I can simply respond to the bank’s question in a few seconds and both of us can get on with our business. 

Email alert from Bank of America: Irregular Credit Card Activity (11 Jan. 2011)

Email alert from Bank of America: Irregular Credit Card Activity 

————————————-

Note:
1. See our recent reports: Paperless Billing and Banking and Email Banking: Revitalizing the Channel.