Lax attitudes towards security by consumers have made it increasingly important for banks to take advantage of digital identity systems and put in place robust security measures.
Long before the Covid-19 pandemic, cost pressures and changing consumer expectations were forcing financial institutions to rethink their digital offerings to clients. For banks, time-consuming, inefficient and costly customer due diligence processes and paper-based account opening procedures have been a common source of customer frustration for years.
As the pandemic took hold last year, the need to digitalise financial services gained an even greater sense of urgency. According to a recent global study from IBM Security, global consumers created about 15 new online accounts during the pandemic, and nearly half (44%) said they do not plan to delete or deactivate any of the new accounts once society returns to pre-pandemic norms.
The study also found that most adult respondents (80%) expect to spend less than ten minutes setting up a new digital account. Almost a third (29%) of respondents said they would only spend 4-5 minutes setting up a non-essential digital account before reconsidering whether it was worth it.
While many would argue that the shift to digital has been a boon for financial services and innovation more generally, it has come with drawbacks, as bad actors sought to exploit the new digital channels. The pandemic has been characterised by steep rises in cybercrime, rampant fraud and a flood of other online crimes.
According to TransUnion analysis, digital fraud attempts among customers rose 23.8 percent in the first four months of 2021 compared to the four months prior. Financial services recorded the largest increase in digital fraud attempts across industries, as 60 percent of customers reported most of their financial transactions were made through mobile apps.
The aforementioned IBM study found that consumers are in many cases prioritising convenience over security and data privacy. Up to 44 percent of the respondents said they would prefer to place an order digitally, even in the face of security or privacy concerns relating to a specific website or application.
In addition, consumers rarely declined to use a new digital platform due to security and privacy concerns, and almost half (45%) of the respondents said they either ‘mostly’ or ‘always’ reuse the same usernames and passwords when creating new online accounts, presenting further risk.
This increasingly lax attitude towards security by consumers sends a clear message to industry – that a financial institution’s role in protecting customers has only become more important.
Amid the pandemic, banks and other financial institutions quickly recognised the need to balance their KYC compliance and cybersecurity obligations against the need to ensure a frictionless and convenient customer experience.
In recent years, there has been broad recognition that digital identity platforms can enable faster onboarding and greater immediacy of transactions, while also offering strong protection against fraud and financial crime risks.
Guidance released by the FATF (Financial Action Task Force) in March 2020 is often credited with shifting perceptions regarding digital identity systems. It highlighted cost-effectiveness, security, reliability and risk reduction as some of the key benefits to using the technology, provided that “appropriate risk mitigation measures” are in place.
Meanwhile, the advent of so-called ‘vaccine passports’ in Singapore, Malaysia, China and elsewhere has introduced consumers to a real-world use case for a digitised proof of identity, paving the way for wider adoption of digital identity systems across sectors, markets and use cases.
Governments around the world have been playing their part, rapidly moving to put in place the necessary infrastructure to adopt digital identity systems, in most cases to initially enable greater access to government services, before expanding such systems to include other areas of the economy such as financial services.
Singapore is a prime example, where the national digital identity system – Singpass – has become entrenched across society, bridging access to over 340 government agencies and private sector services. In financial services, Singpass enables non-face-to-face customer onboarding, authentication and digital signatures.
Hong Kong has similar ambitions. In December, the government launched a new digital identity system known as iAM Smart, offering authentication, form filling and digital signing capabilities. Financial regulators in the city have since been encouraging wider adoption of iAM Smart in the banking, securities, insurance and MPF sectors for remote onboarding and customer authentication.
In Australia, legislation has been proposed that will extend the country’s existing Trusted Digital Identity Framework (TDIF) – currently only used for government services – to allow the private sector, including banks, to use the technology in their KYC and identity verification workflows.
Currently, only myGovID – developed by the Australian Taxation Office – and an equivalent identity service from Australia Post have been accredited under the TDIF. In December, researchers recommended both be abandoned and redesigned from scratch, due to security flaws identified in each system.
The researchers found that myGovID is subject to an “easily implemented code proxying attack” that is likely to go unnoticed by most victims, and that the ‘Identity Exchange’ component of the Australia Post Digital ID acts as a single point of failure for both privacy and authentication that could allow for large-scale identity fraud.
Under the new legislation, Australia’s digital identity system will expand to allow private sector providers to seek accreditation to offer digital identity services, provided they meet baseline standards on security, data privacy, governance, and system interoperability, among other requirements.
Proposed to be introduced into Parliament in late 2021, the legislation will oblige banks using digital identities to provide their customers with a choice of accredited identity providers. Competitive neutrality principles would also apply to ensure the government does not enjoy competitive advantages over private sector identity providers.
The legislation could ultimately pave the way for wider adoption of digital identity as a tool to combat fraud and financial crime, while also promoting innovation in the space – which could help to address the ongoing security concerns plaguing Australia’s existing digital identity services.
A step further
In banking, fast and reliable digital identity verification can boost customer convenience, improve operational efficiency, and generally enhance regulatory compliance. It can also remove the factor of human error and prevent the need for remediation.
It is no surprise that many financial institutions are turning to digital identity to bolster onboarding processes, facilitate e-KYC and leverage its document signing capabilities to speed up transactions. However, there is more to digital identity than meets the eye.
While government-led digital identity services provide a firm foundation for enhancing account security in financial services, private sector innovation has provided further opportunities to also help in the fight against financial crime.
In addition to offering identity verification and instant document proofing capabilities, Refinitiv’s Qual-ID – for instance – leverages the firm’s World-Check Risk Intelligence database to also screen customers for financial crime and sanctions risks.
World-Check covers 100 percent of sanctioned entities globally, contains millions of additional records not found on official lists, and features negative media screening functionality to identify further potential for regulatory, legal and reputational risk.
The ability to perform screening on individuals based on their authenticated identities takes the technology underpinning digital identity a step further than was earlier envisioned, but this capability will become increasingly important as online financial services become more widespread and regulatory scrutiny intensifies.
A sound model
Today, greater demand is placed on compliance operations to increase search accuracy, reduce remediation time, implement sophisticated screening processes, and allow for auditable due diligence.
Qual-ID enables this, yet the adoption of such solutions also demands that financial institutions put in place other measures to protect consumers. Financial firms should continuously validate connections to their data and systems to ensure users are authenticated and authorised.
They must also ensure they are taking adequate steps in their approaches to fraud risk management, including analysing behavioural and transaction patterns and monitoring digital footprints to decrease the risk of account takeover and fraud.
Data security controls such as encryption should always be in place, particularly during data transfers, along with automated mechanisms to monitor data flows, detect suspicious activity, and ultimately protect against any unauthorised access.
The effectiveness of incident response plans and testing applications should also be regularly reviewed and evaluated, to ensure early detection of security vulnerabilities and preparedness for potential breaches.
Given the lax attitudes towards security that persist for many consumers, it is incumbent on banks to put in place robust security, particularly as digitalisation continues to gain pace in the financial services industry.
While digital identity may provide a sound model for future risk mitigation efforts, it is also important to remember that it forms just part of the sustainable, comprehensive and robust frameworks banks should have in place for protecting consumers – and themselves – against risk.
This article was written by Regulation Asia in conjunction with Refinitiv.