Real-time processing heightens risk for providers that aren’t prepared. Here’s what financial institutions should be doing now, says Eric Woodward.
Instant downloads. Instant delivery. We live in an age of instant gratification. The banking industry is no exception. An overnight batch process is a lifetime, and three-day settlement feels like an eternity. With so much information available at people’s fingertips, real time is the only time. Networks are delivering on the promise of real-time payments by allowing money to be moved from one bank account to another, typically in minutes when both the sender and the recipient are enrolled in the service.
While speed and ease-of-use have made these technologies popular with consumers, financial institutions should balance their potential with the need for new approaches to security to reduce the risk of fraud, without adding unnecessary friction to the consumer experience.
Not All Payments Are the Same
When you use a check to pay someone, you share your routing/transit number, your account number, your home address, and your personalized signature. That’s a lot of personal financial information to share, even with your friends.
At least you don’t have to make a trip to the branch or the ATM any more, thanks to cool technologies like remote deposit capture, but the recipient still has to wait days for the check to clear and settle before they can get access to the funds.
Real-time payments, on the other hand, rely on funds being pushed by the payer to the payee. These digital transactions go to a secure token, like an email address or mobile-phone number, which is unique to the individual. The payment is pushed from one account to another in near real-time without revealing sensitive or identifiable information about the consumer.
A network, for example, may be able to answer questions about whether the email or mobile number is associated with the right account and take into consideration the history of that account when making a payment decision.
Credit-push models allow paying banks to authenticate the customer and confirm funds are available to support the transaction. It’s the foundation for real-time person-to-person and business-to-person payments.
The Need for Layered Security
But mapping and analyzing token information to account information at the network level is just one risk strategy. This approach can be coupled with other risk layers to further authenticate a consumer and keep payments from being intentionally misdirected. Financial institutions also have to be careful: too much friction in the authentication process frustrates customers and produces too many false declines, while too relaxed an approach allows fraud levels to rise.
When you’re battling real-time fraud, solutions should be varied, continuous, and adaptable. They need to move from passive authentication and validation to active measures, while still appearing seamless to the customer.
Real-time payment is capturing consumers’ attention, but to keep up, banks will want to have real-time fraud-detection capabilities ready before they jump into the dance.
Authentication layers that offer strong validation and are relatively unobtrusive include the following:
- Mobile Network Operator (MNO) intelligence identifies daily activities that are potentially high-risk moments. It answers questions such as: Is this the same wireless persona, regardless of the MNO, mobile number, SIM, and device? Does the phone number tie to the SIM that ties to the carrier? Is the phone valid on the network? Has anything changed on the consumer’s account? Is this person authorized to transact on behalf of the account?
- Mobile-device binding identifies if a phone has been spoofed or if it’s proving difficult to validate. When a customer uses a banking app, the bank can bind that customer to a device. It helps banks identify whether there is a profile for this device. Is there encrypted communication for this device? Has the application been re-installed?
- Device intelligence provides a permanent device ID to help authenticate customers, reduce risk, and improve the customer experience. It also identifies whether the device is healthy or has malware installed, and tells banks whether they have seen this hardware before. Has it been jailbroken? Does the software match what was seen the last time this customer came?
In addition to a passive, multilayered risk approach, financial institutions can use more active, stepped-up authenticators such as one-time passcodes or driver’s-license scanning to further authenticate a customer who is deemed a potential risk.
Importantly, machine-learning or behavioral-data analytics collected at the network level is essential for monitoring for real-time payments fraud. A network view sees patterns of behavior not visible at any individual financial-institution level.
For example, participant financial institutions in the Zelle network share information on fraud with Early Warning for constant learning and to improve overall network fraud-prevention efforts. Current data is key in real-time security, because data that is just weeks old can be stale and may not provide accurate information on the customer to authenticate her.
Trust Is Essential
Ultimately, financial institutions can better secure digital payments by instituting a multifactor risk-authentication approach. They can start by taking small steps on the journey, like verifying that the device and phone enrolled on the network are tied to their customer, or confirming the token is accurate and up-to-date.
To ensure easy, fast, and safe payments, we need to work together at real-time fraud detection. The banking relationship starts and ends with trust. We need to have trust in the network and trust in the solutions. To maintain that trust, we must have the proper risk controls in place today, and prepare for what new technologies bring tomorrow.
—Eric Woodward is group president for risk solutions at Early Warning Services, Scottsdale, Ariz.