Over the past few weeks, we've been talking about multilayered security and how it helps protect your account holders from fraud. Last week, I described the "digital peephole" that validates users as they seek entry into your digital branch, and how it can prevent intruders from gaining access to your customers' assets. Today, we're talking about anomalous transactions and how they suggest the presence of risk.
But what is risk? How do you define a risky action? It all depends on context.
In my first Cyber Security Month blog, I shared my love for running. A great way to keep running fresh and to enjoy a new place is to run in the places you visit. So, last week, while in New York for a conference, I got up early Tuesday morning to go for a run in Central Park. It was 5:30 a.m. and I was just about to head out the door, when the doorman stopped me. Seeing how I was dressed, he politely asked what I was planning to do.
I excitedly told him, "I'm going for a run in Central Park."
Without missing a beat, he responded, "You're not from around here, are you?"
Turns out that—while running at 5:30 in the morning around my hometown of Lincoln, Nebraska, is perfectly safe-running in Central Park at 5:30 a.m. is the very definition of a risky action.
But how do you define a risky action in your digital channel?
Just like my running story above, it's all about context. You should monitor user behavior and transaction characteristics in your digital channel to determine a baseline of usual, expected behavior—actions that aren't risky, like running in Nebraska. Then, like the sharp-eyed doorman in NYC, your digital channel should be able to identify anomalous transactions and activity that might present risk. Armed with this data, your FI should be able to intervene when necessary, putting suspicious transactions on hold for further approval or additional authentication.
You may want distinct security features for different groups of customers or kinds of accounts. Your digital channel should allow for stronger authentication controls for groups with access to higher-risk transactions or entitlements, for example—or set different limits for each kind of account. I may want my small business groups to be able to initiate an outgoing external transfer of up to $5,000 dollars, for example, but limit the risk exposure for my retail clients to only $1,000 dollars.
By having this kind of flexibility in your security controls, you improve your overall customer experience, while still managing risk. And while some of your account holders might not feel great about your "digital doorman" stopping them from an early morning run, they'd feel worse about you letting them get mugged in pre-dawn Central Park.
Join me next week as we discuss how Q2 protects your brand with our multilayered security approach, by developing your applications with a security-first approach.
Thank you and Happy Cyber Security Month.