The digital entrance gates
A digital transformation strategy is not complete without a digital customer onboarding process—any type of future digital product begins with onboarding. This is all the more obvious as digital is increasingly relied upon to drive growth through new deposit account openings or personal loans rather than just acting as a digital representation of branch services.
A more mobile mindset is required to complement this expansion of digital services. For any new account that is opened digitally, we need to know who is using the device and that they are who they say they are. The risk of account impersonation or account takeover needs to be balanced within the total range of cyber risks.
Many of the standard in-branch steps of the new account application process such as identity verification need to be replicated in a digital-only channel and supported with additional confirming factors. For example, the name of the applicant should be verified with the authentic owner of the device that the account is being opened on. This often occurs through connectivity to mobile network operators. Other means such as out-of-wallet questions (e.g., address the applicant used to live at) or out-of-band authentication (e.g., confirmation through second authenticator) can be effective to understand whether the applicant is, with a high degree of likelihood, who they say they are.
Once the customer’s identity is determined (i.e., KYC), the decision as to whether the customer should be allowed to open an account, and the risk parameters for this account, should be established. A framework to automate and coordinate anti-money laundering (AML), risk management, onboarding decision engines, and corporate reporting is a key element to minimize friction and increase customer satisfaction while not sacrificing risk controls. Speed and convenience is an important differentiating factor for digital onboarding. Certainly these are also important factors for in-branch servicing, but a digital setting emphasizes first impressions as it allows easier competitor comparison and sees higher abandonment rates.
Fair or not, consumers compare the account opening process to the other mobile apps they use. They also expect an almost instant response for next steps the moment they provide their personal information despite the additional compliance and data sensitivity requirements that come with it. An effective way to balance immediate and seamless access is through the use of microservices or an application programming interface (API) gateway. Not only can this reduce duplicate processes across silos but it can align the needs of the operating model—such as parallel internal and third-party authentication methods—around the digital platform.
Digital models raise challenges for authentication and authorization
The transition to a more digital-based model also provides an opportunity to reevaluate broader authentication, authorization, and access management processes. Often, these functions can be improperly lumped together with authentication occurring but no further distinction for the authorization process.
This shortcoming will be exposed due to the fact that the definition of a ‘user’ expands to include ‘machine’ as the transition to a digital model occurs. In digital banking for example, a bank needs to account for both customer- and machine-originated access. Features within a digital bank may ultimately include account aggregation or provide insights from the customer’s spending habits. These features are often assembled from machines accessing and providing various internal and third-party data in order to provide a holistic view.
In this example, a bank will see an exponential increase in machine-derived access relative to human-derived access. Further, use of cloud infrastructure and microservices will introduce even more ‘machines’ that need to be authenticated and authorized—and this needs to be done on a massive scale. Each request type and source should be distinguished in order to be authorized first and then addressed. A machine should have access to a select set of information and only users should be able to change personalized settings, for example.
The authorization and access management processes, in which visibility to distinguish authn (user identity) from authz (what can the user do), is important to properly manage risk in a digital environment. Ensuring these systems are appropriate for a fully-digital model can help future-proof for the evolution of the organization’s digital agenda whether it be a digital-only model, open banking platform, or a migration to a public cloud infrastructure.
Basic security hygiene - embed security into everything
Digital-only banks conjure thoughts of cloud-based FinTech startups. But for many institutions, building a digital-only bank from scratch may be a nonstarter. Whether tied to legacy infrastructure or saddled with bureaucratic processes, the opportunity to build an entire infrastructure on a public cloud just might not exist. As simple as it sounds, basic security hygiene such as knowing what data is stored where or the right amount of privileged separation, can play a big factor whether infrastructure is on-premises or in the cloud.
Building a digital bank in the cloud, as some incumbents have done, presents certain benefits. The infrastructure at most public cloud providers is developed to meet very high security standards. Data encryption may be the default setting from the start, inclusive of data at rest, which is a requirement for some industry regulations. In contrast, legacy infrastructure may be less secure purely due to unencrypted data located in on-premise data centers. Other cloud-centric aspects, such as the ease of infrastructure segregation, acts to separate account details that can mitigate harm if there is a breach.
Further, a cloud environment may be more appropriate to closely match the flexibility a bank may want to achieve with its digital products. Consumers make decisions differently today, and the ability to deliver new services in a faster and secure manner are components of the customer-centric mindset that many banks desire.
In all likelihood, however, existing infrastructure will remain a part of most digital offerings for the foreseeable future. Here, the security mindset needs to change from ‘bolted-on’ to ‘baked-in’ as security needs to be embedded in all software. Embedding security from the start at the developer level can be a component of a transition to agile, or even imposed through basic training.
We believe some of the building blocks to achieve a more embedded security infrastructure include security services delivered through an API approach. APIs in financial services are beginning to enable flexibility, customer choice through third-party, new product expansion, and new revenue streams—all key aspects for a digital bank. However, the industry move toward APIs also paves the way for industry standards. This includes distinct aspects such as OAuth, which effectively empower banks to take greater ownership of customer data security, and bigger picture transformations such as a core banking to public cloud migration.