10 security tips your account holders need to hear

As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders

As we move into Cyber Security Awareness Month, we’ve assembled a list of security awareness tips that should be top of mind for account holders doing any type of online banking, or even just accessing the Internet in general. Many of these are likely things you have heard before, but a little repetition can go a long way. As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders:

  1. Take infections seriously; a virus may not just be a virus. Most of us, if we’re honest, have probably been guilty of thinking that if our PC gets infected with something, it’s not that big of a deal—that’s what our IT department is for, after all. They’ll have whatever the latest nasty bug we’ve contracted wiped from our machine and we’ll be back on track in no time… right? Wrong. These things are not named after scary critters for no reason—they are serious and have serious implications. Think about the effect financial malware can have on your personal finances or on your small business’s network immediately upon download.
  2. Control access to your machine. Think twice before walking away from your computer to get that third cup of coffee without first locking it. Even worse is leaving your machine unattended in public, or in the backseat of your car during happy hour. Malicious physical access to devices can be an overlooked attack vector. It’s amazing how quickly files can be dumped or unintended access to sensitive information gained during a quick few minutes away from your machine.
  3. Trust but verify: if it sounds too good to be true, it probably is. Don’t fall prey to schemes that play on your natural inclination to trust. Being trusting is not necessarily a bad thing, but it’s important to verify before taking action. Be wary of things like employment offers to make a quick buck, claims that you are a lucky winner of something, or limited time offers to cash in on an opportunity. Simply put: if it sounds too good to be true, don’t be too quick to believe it.
  4. Don’t use insecure Wi-Fi or unknown machines for banking. Sensitive online activity, such as online banking, should only be conducted from a device that belongs to you on a trusted network. Paying a few bills while you’re sipping your favorite latte at a local coffee shop may seem innocent enough, but what do you really know about others who are connected to that public Wi-Fi? Sniffing traffic on a public Wi-Fi connection can be shockingly simple, and can leave everything you are doing on that network free for the taking.
  5. “TMI” – Don’t overshare on social media. We may all be guilty of sharing too much information (TMI) at times. Don’t let social media be your outlet for sharing “TMI” about yourself to millions of people all over the world. Social media outlets are information gold-mines for anyone who may be looking to learn more about their next victim. Knowing where you vacation, the name of your pet, and your mother’s maiden name may come in quite handy for someone attempting to impersonate you.
  6. If you’ve got it, update it. If you don’t need it, delete it. Updating your software is not something you should do only when your machine slows to an unbearable crawl because it hasn’t been updated in months. Installing the latest versions of software ensures that what you are running has the latest security patches and keeps you protected. Update your software as soon as new releases are announced, and delete any unnecessary programs on your devices that you don’t need in day-to-day business. Installing lots of nonessential software just provides increased exposure points for you and your information.
  7. Scrutinize your email. Many of us comb through hundreds of emails every day, and clicking through and opening these emails is second nature. However, email is one of the most common attack vectors and is a quick and easy way for attackers to drop malware onto your PC or mobile device, or to trick you into providing sensitive information. Pay close attention to any emails that appear to come from slightly odd senders, and be extremely wary of any email requesting you to provide or confirm sensitive information. Your financial institution should never ask you to confirm or provide any type of personal information via email. Report suspicious emails to your employer and delete them completely without opening or clicking any contained links.
  8. Be mindful of what you plug in. Throwing files onto a USB drive can be a quick and easy way to share information. However, it’s also a quick and easy way to spread malware. Only plug removable media that you know and trust into your devices, and never share these storage devices amongst multiple parties.
  9. Knowledge really is power. When it comes to online banking, it pays to be in the know. Use your financial institution’s real time alerts to keep yourself aware of anything that is going on in your account that may not be normal. Setting these alerts to deliver to multiple targets (voice calls, SMS text messages, and email) can help ensure their safe and quick delivery. Notify your financial institution immediately if you receive an alert regarding activity you did not generate.
  10. Get away from the “that can’t happen to me” mindset and prepare yourself. Live by the adage that it’s better to be safe than sorry. Believing that “it can’t happen to you” is a very risky position to take. Educate yourself on security precautions that you can take to prevent yourself or your business from becoming a victim. Work to spread the word of online safety to your friends, colleagues and families and be proactive in putting security measures into place.


Cyber security and the threat landscape are constantly evolving, and keeping your institution and your account holders as secure as possible requires their participation. Use October to stress the importance of cyber security and remind your account holders of their own role in keeping themselves safe.

User experience: What is it and why all the hype?

“Experience schmicksperience.” There is no doubt in my mind that this phrase has been uttered, or at least thought, by many a banking executive in response to a member of their staff expressing the need for an improved online account holder experience. Yours truly has witnessed a few such reactions first-hand. As one who believes strongly in the value of a quality user experience for online banking users, I’m hopeful that a fairly recent event will convince the skeptics who disregard user experience. But first, what exactly is user experience?


According to the Nielsen Norman Group—pioneers in the field of evidence-based user experience research, training, and consulting—user experience (UX) “…encompasses all aspects of the end-user’s interaction with the company, its services, and its products.” Carrie Cousins of Design Shack, an online locale that covers all things web-design related, defines user experience as “…how a person feels when interacting with a digital product.” Cousins adds that UX encompasses many other factors, including but not limited to: “…usability, accessibility, performance, design/aesthetics, utility, ergonomics, overall human interaction and marketing.”


While some folks find it necessary to distinguish between usability—how things work— and user experience—how things feel, most lump the two terms together when discussing the totality of an end user’s digital experience. Plainly put: user experience concerns how things look, feel, and operate. This concept tends to be abstract and difficult to quantify, which is why it doesn’t fit neatly into the CFO’s spreadsheet. It’s hard as heck to quantify it; hard as heck to truly appreciate; and hard as heck to sell to bankers who are already paying a bunch for their digital channel efforts every month. So how did it become such a big deal, and why all the hype? Believe it or not, there’s science behind it.


One of the earliest and most interesting studies around UX was conducted by the UK Design School between Dec. 1993 and Dec. 1994. Researchers tracked the share prices of publicly traded companies who had won awards for their focus on design and UX, and then compared them to various indices such as the FTSE 100 and the FTSE All Share index. They found that the design-focused companies outperformed all others by more than 200 percent. And that was over the course of a five-year bear market, a three-year bull market, and the beginning of the recovery in 2003; the superior performance of the design-led companies persisted throughout.


Intrigued by the findings of the UK study, in 2006 researchers in Canada created a UX fund of their own, comprised exclusively of companies well-known for their UX prowess, such as Google, Apple, and Netflix, and promptly invested $50,000. Their original plan was to sell after one year, but when they realized a nearly 40 percent return in year one, they simply couldn’t sell; four and a half years later, the fund had matured 101.8 percent! These two studies kicked off a wave of UX studies around the globe, as more and more business leaders began to grow curious. U.S.-based Watermark Consulting conducted a study from 2007-2012 that found that the top ten leaders in customer experience—based on Forrester Research’s Annual Customer Experience Index— outperformed the S&P with close to triple the returns, at a cumulative total of +43 percent. In spite of a growing mountain of evidence in support of UX investment, skeptics remain.


Which brings us back to that “fairly recent” event I referenced earlier. On Oct. 2, 2014, Capital One – yes, that Capital One – acquired San Francisco-based Adaptive Path. Why was this so significant, you ask? Because Adaptive Path and the folks they employ are considered by many as the gurus of UX. The huge-font verbiage that adorns the Adaptive Path corporate home page makes it very clear what they do and what they believe: Great businesses are built on great experiences. We make those experiences happen. If you explore their website further, you’ll encounter such statements as, “When Adaptive Path was founded (2001), UX (user experience) firms didn’t exist…” Not only are they the gurus of UX, you could also say they invented the space. And Capital One just acquired them – lock, stock, and barrel. If you’re someone who provides financial services to consumers and you haven’t been taking all this UX stuff seriously, it’s officially time to begin doing so – others are taking it very seriously. It can mean the difference between winning and losing.

What a gaming conference can teach FIs about user experience

I recently escorted my son and several of his friends to PAX South, a three-day convention celebrating all things gaming. The most lasting impression I came away with was that this event exists first and foremost to serve the broad community of gaming enthusiasts; considerations of commerce and enterprise are subordinate to the experience itself. As a result, PAX events nationwide have earned a large number of loyal and raving fans.


So, what does a gaming conference have to do with community banking or the digital channel?


PAX demonstrated a complete commitment to their audience. In addition, there are several other attributes of the show that I believe contribute to its popularity. It is these attributes that should be remembered when cultivating a community whose primary engagement is online.



The content of PAX focuses exclusively on gaming and its attendant culture, and varies widely from immersive (PC, console, mobile and tabletop games) to spectator-oriented (panels, tournaments, concerts) to traditional (game developer and creator interactions with fans and fans’ interactions with each other). This range of content style and depth makes participants at all levels of fandom and gaming experience feel welcome and relevant. Perhaps most importantly, thanks to PAX’s dedication to their constituency, gaming aficionados like myself need not worry about becoming bored.



The tone, language and design of the experience itself speak to the community in subtle but powerful ways. The rules of the event are written in clear, unornamented English (e.g., “Don’t harass anyone”). And unlike most technology-enthusiast-oriented shows (E3, Auto Shows, etc.), PAX explicitly bans “booth babes,” one example of many that speaks to a culture geared toward encouraging women to participate fully in the gaming community. The event staff are dressed recognizably, but informally, as are most exhibitors and presenters. As an attendee, you get the distinct feeling that even the people here who are “working” the event share in the culture and excitement of the community’s love for gaming.



PAX is certainly a tremendous platform for commerce, but again, commerce is secondary to the experience itself; it’s only present where it best serves attendees. The open booths invite attendees to play and discuss games and then make purchases if they so choose. With a standard badge, all of the content is essentially included and the “conversions” that occur after panels or in the exposition area are all attendee initiated. It would be possible to attend PAX, spend nothing beyond the cost of your badge, and have an incredibly rewarding day. By my estimation, however, this would be a rare occurrence, as most attendees were very keen on acquiring products they had tried or that reinforced and proclaimed their participation in the shared culture. Ironically, I think the fact that the experience comes before commerce ultimately drives more commerce than if it were the other way around.


An event like PAX is the real-world, offline equivalent of an online user experience. It’s the convergence of an enormous number of online behaviors such as interactive gaming, message boards, and myriad content consumption from the likes of YouTube or webcomics. The event bridges the gap between the virtual experience and a physical, in-person experience in a fascinating way. There are tremendous lessons to be learned in the design of the experience, cultivation of the community, and integration of the commerce that funds the experience itself.


It has become popular to characterize the millennial generation as distracted, always online, detached from one another. Based on what I witnessed firsthand last weekend, I would contest every aspect of that view. If we want to learn how to reach them, we need to learn about the things that they love and why, and the way that PAX integrates their online and in-person experiences is a powerful model. To serve any community it is critical to understand its culture and values— I saw a tremendous display of both at PAX South.

Words Have Meaning…Names, Power

The Patagonian Toothfish proved to be so popular that several years ago there was concern the species was on the verge of ecological collapse. How is it possible you’ve likely never heard of this fish, yet enough of it is sold and eaten each year to threaten its viability? The ugly creature was remarkably unpopular until it was marketed under the more attractive and exotic name, Chilean Sea Bass, by an enterprising fish wholesaler.


Everything from fish names to product and feature titles is responsible for creating powerful first impressions for consumers. Based on consumer impressions, products and features either experience widespread adoption or massive failure. Specific to financial services, here is a more concrete example: Mobile Remote Deposit Capture. If you’re a banker or commercial client, this is a great name for taking a picture of a check and depositing it remotely, versus driving to the local branch. However, if you’re a consumer, this is jargon. Taking high-value business-centric features like the remote capture of a check for deposit to consumers is a great way to create a high-value, self-service workflow. However, the packaging and naming must create logical connections and context associated with the features. Essentially, you have to create a brand around the feature for consumers to connect with and embrace.


The more complex the function, the more important it is to create an intuitive message about the what and why of a new feature. Without establishing a relatable name, value proposition and brand, consumer adoption and satisfaction of valuable workflows and features are likely to lag. Naming, branding, and complexity are key elements to consider when delivering business services to consumers in ways that delight, rather than frustrate them.


Products and services are named with the same goal in mind: to say something about the product that a lengthy explanation cannot. Easy Deposit is a tremendously popular name for Retail Mobile Remote Deposit Capture because it communicates the benefits of the feature. The emphasis is on the function (deposit) and the benefit (ease). The value proposition is built into a simple name that provides the context for use and a promise of why consumers should care.


The second key component of bringing a business-oriented service to the consumer space is to think about the complexity of the task required to achieve the result. Transfers from a locally held account to an account at another financial institution via online or mobile banking are typically fulfilled via the ACH network, but not presented this way to retail customers. Given the lack of familiarity with ACH processing, a feature called ACH payment would be confusing. Therefore, further exploration for a name that creates context for consumers is vital for success.


Beyond the naming, this feature’s adoption benefits by reducing the choices of how the transfer is made, as well as the complexity required to set it up. Rather than a model in which end users create a recipient and bind an account triplet (ABA, account number, type) for the external account, the workflow for identifying the target account is simplified and broken into multiple steps, each step with an explanation of the required data and how to obtain it. Addressing the how in this case will prove as valuable to consumer adoption as addressing the what, demonstrating the power of fusing naming conventions and technology.


Finally, in this particular example, careful consideration of the entry point for this feature, which is often the transfer menu item, should be considered. The typical distinction between an internal funds transfer and an external ACH-fulfilled transfer is likely hidden or invisible to consumer banking customers. After a self-service linking process (often involving micro deposits), the external accounts should be presented alongside the account holder’s internal accounts as options for transferring funds.


Packaging, including naming and reviewing workflows, will greatly influence how consumer banking customers will perceive the value of business features or services.  Creativity and workflow review will make the difference between success and failure.  Ensure the features and benefits are easy to discover, use, recall and share. Ultimately, a well-packaged feature may require significant effort to repackage and market, but without this effort, business features are likely to live in obscurity – like the nearly forgotten Patagonian Toothfish – rather than embraced and adopted by millions.


This article was originally printed in the September/October 2014 issue of Western Banker magazine.

Are you a good banking solution or a great one?

“Sometimes you have to leave today’s good for something great,” an account holder recently summarized about the interactions with her long-time, hometown bank. This got me thinking—from a consumer’s perspective, all the work we do can often be summed up in a single word. So, what differentiates a good banking solution from a great one? And when and how is that determination made?

This account holder’s perspective was that, while her good bank adequately delivered on the features they offered and had provided an acceptable level of service, she had no expectation for innovation—even if she never realized she wanted any. Overall, she had no complaints as she didn’t know what she didn’t know and the institution had provided a sufficiently good experience with classic banking products and delivery.

In contrast, her new, ‘great’ bank was simply more innovative than she expected. She was attracted by the bank’s technology reputation and ability to open an account online, and once she was enrolled there was no slowing down. She learned she could utilize the bank’s technology to do everything important to her, including mortgage and lending via apps and e-signatures. Though not groundbreaking in the financial services industry, this convenience and self-service experience was entirely new for her. The ability to e-sign loan documents from her phone while in a meeting or deposit a check from her kitchen table was exactly what she needed at this time in her life.

When asked what makes her relationship with her new financial institution better than the first, she remarked, “This great bank constantly innovates and releases new features that I not only adopt and use regularly, but—in some cases—have become very dependent upon, especially through my mobile devices.” “The feature just appears. It looks and feels organic, and there is no bumpy enrollment or adoption process. I love this bank and their attention to me as a technology user.” Couple that very positive emotional response with great call center service and this institution has created a self-described loyal customer who, without a branch interaction, evangelizes their great banking experience as though it were a hot new mobility app—which, in reality, it has also become.

In the business of banking, it is easy to forget about the significance of emotional connection to a brand or experience. Traditional banking functions such as checking a balance or withdrawing money from an ATM are not emotional experiences. Or are they? If someone is heading out for an evening and cannot find an ATM or must pay a fee through a non-affiliated ATM, there is negative emotion associated with the irritation of not having easy access to their cash. If banking requires an appointment or lengthy wait at a branch, away from an individual’s life, the experience can be emotionally negative before it even begins. Conversely the examples noted above transformed an individual who was simply an account holder into an excited, vested and emotionally connected cheerleader for the brand. Emotional connection is a very real part of whether your business is characterized as good, great or any of many other single word descriptors. And fortunately today, reinforcing that emotional connection through technology makes that much easier than a generation or two ago where branch location and new account opening gifts were among the only tools available to keep customer experience positive.

We’ve touched on ‘good’ versus ‘great’ from a consumer’s perspective, but how does that work from the service side of the counter? Is simply investing in new technology enough? The answer is both yes and no. Yes, a technology investment that is properly marketed and deployed can increase customer happiness with your brand and increase feature adoption in the near term, but the pendulum can swing in the other direction by investing in the wrong technology and/or deployment method. Here are some key questions to ask:

  • Does a new feature fit naturally into the digital channel or is it a third-party offering that looks “bolted on?”
  • Does the offering’s workflow feel the same through all your electronic channels?
  • Does it match the workflow the user would experience in the branch? (An easy miss, as many institutions stop thinking about the downstream effect at feature rollout.)

“Future-proofing” requires investing in a strategy that allows new features to feel organic on the digital platform and to the account holders’ interactions with your brand. In a world of rising consumer expectations, spending the time up front to map an experience that feels the same wherever an account holder touches your brand is important. This can oftentimes be as simple as using the digital channels with the account holder in the branch, so workflows don’t just feel the same, but are the same. For example, using a tablet equipped with your electronic offerings to help solve an account holder’s problem in the branch keeps your servicing touch points aligned in both form and function. This continuity through every interaction subtly and repeatedly reaffirms your institution’s commitment to innovation and account holder experience.

Today’s account holders are choosing their financial institutions for their commitment to thoughtful, relevant innovation. So in the year 2014, it’s important to ask yourself: what’s your innovation reputation?

So How Do You Thrill a Customer? Solve Their Vexing Problem!

Today, I conducted a webinar, part two of a three-part series on branch transformation. Today’s webinar focused on how financial institutions need to change the focus of what actually occurs in the physical branch. I am advocating for a dramatic move away from the traditional transaction/new account opening focus to an engagement center, with activities that will actually draw in existing and potential customers in three distinct categories: consultative selling, education, and problem solving. Based on the feedback from the webinar, this message resonated with the FIs that signed up for the series.

Not an hour after the webinar ended, I was clearing out some emails and found this article from Bank Innovation. The story was about a new study released by Ernst and Young that revealed the results of why people make the choices they do regarding primary banking decisions. Interestingly, the three areas that EY highlighted from the study are simplicity, advice, and problem solving. I found the fact that their three key areas were so similar to what I had advocated in the webinar both validating and challenging. Validating in the sense that what I was providing in education for the attendees was in alignment with a new study right on topic. Challenging in that I still don’t see much movement in community bank and credit union C-level executives’ attitude regarding how rapidly the virtual branch is advancing and the associated impact on the branch.

I firmly believe that we live in an age where people of all ages and companies of all sizes know how powerful and liberating mobility has become. People are shopping, receiving entertainment, transacting, and interacting via mobile devices. Smartphones and tablets have enabled anyone to be able to access their financial institution at any time and place they choose with whatever device they have in their hand. How powerful! The resulting decline in branch traffic and any measurable statistic on transactions has been precipitous. Yet many bankers cling to the traditional structure and say that it is in the branch where true customer service is manufactured. And to them I say: customer service is what any one customer says it is and nothing more. Once someone has deposited a check from their mobile phone at 11:00pm on Sunday evening, can you really say that requiring them to make a trip to a branch Monday morning is better customer service?

One of the most telling statistics from the EY study had to do with satisfaction with their institution across four categories: products, channels, benefits, and problem solving. Not surprising (at least to me) was that satisfaction with problem solving ranked the highest, with 56% saying that when their FI solves vexing problems, that brings the highest level of satisfaction to account holders. See chart below:


In light of this fact, it is interesting that so few FIs make any real effort to be in the problem-solving business. The model I advocate for banks to consider and possibly emulate is the Apple Store and the world-renowned Genius Bar. How hard would it be for a bank to have one? You already have a really good bar structure – you call it the teller line – just cut all that wood off the top and you’re left with a great looking long piece of marble or Corian. Put some geniuses behind there and you are in business. Once your customers and members knew that such a resource existed at your institution, they would be calling to make appointments the next day. And perhaps, just as an Apple store in the mall is slammed at 11:00 on Wednesday, so your branch would experience the type of activity that befits an engagement center, drawing in virtual branch customers and prospects alike.

To get the full story, sign up for the webinars. (If you missed them, you can always ask for a replay.) But even if you don’t, I strongly urge you to revisit your strategy on branch transformation. These physical locations can become powerful engagement centers. But it won’t happen organically; you are going to have to push a new paradigm, a different attitude towards what constitutes customer service.

For more information on Q2’s Webinar Series, contact q2webinars@

“Who Stole My Cookie?”

In June 2011, the FFIEC issued a supplement to their guidance entitled “Authentication in an Internet Banking Environment,” originally published in 2005. The supplement keyed on several widely-adopted controls, one of which they referred to as “simple device identification.” Simple device identification is known as the process of identifying a customer or end user by nothing more than verifying the presence of an HTTP cookie. But more than two years since the guidance was published by the FFIEC, financial institutions of all sizes continue to rely on this traditional, undoubtedly broken, authentication method. In fact, it remains rather prevalent across many banking sites.

So why are banks and credit unions still using such methods for authentication? Understand, I’m not suggesting cookies are evil nor am I suggesting we should stop using cookies in our web applications. Due to the stateless nature of the HTTP protocol (which is how we navigate the World Wide Web), cookies are a very credible means for a server to maintain a certain level of state for each session. HTTP cookies are sent from the client (browser) to the server (application) on every navigation request or HTTP call that is made—this is how web applications maintain the state of a session. E-Commerce sites, which feature online shopping carts, or social sites, which track user preferences, often rely on cookies. In reality, these cookies do not present any risk to an end user.

The problem lies in how financial institutions are relying on the presence of these cookies as their primary control for end user authentication (e.g. simple device identification). Unfortunately, cookies are usually not associated with a particular device, but rather a particular end user. Adding to that problem, there’s no mechanism that prevents cookies from being stolen or copied from the browser cache. Modern financial malware has capabilities to not only log keystrokes to steal credentials, but can also steal information such as cookies.  Surprisingly, many financial institutions are unaware cookies are even susceptible to being lifted from a computer.


Simple device identification vs. Complex device identification

Although no device authentication method can mitigate all threats, the FFIEC considers complex device identification to be more secure and preferable to simple device identification. Clearly stated in the guidance, “institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.” The method of complex device identification alone is not enough, as an attacker can spoof many of the attributes that are examined.  However, using techniques to detect unusual values in headers along with the analysis of historical patterns makes it much more difficult for an attacker attempting to impersonate the legitimate end user.

Of course the best defense a financial institution can deploy is one that uses multiple layers.  With a layered security model, the weakness in one control is compensated by the strength of another. Ultimately, the reliance on any single control or mitigating factor is insufficient—but using a stratified approach prevents a shortcoming in any one defense.

A Factor of Two

The password is dead. At least, so they say – the headlines anyway. And if you haven’t seen them, you may not be paying attention. From the 2011 Forbes article declaring “The Password is Dead”, to the December 2012 Wired Magazine cover story titled “Kill the Password”, to the recent 2013 American Banker report reiterating “The User Name and Password Are Dead. Now What?”. Houston, we clearly have a problem – one that requires solving.

Authentication processes that only rely on static values presented at each logon event are well known to be vulnerable to compromise. It only takes a single misstep to fall victim to malicious threats lurking in the inter-webs, keystroke-logging their way into your online life.

Is it surprising to see the rapid adoption of two-factor authentication by social and consumer sites such as Gmail, Yahoo!, Twitter, Evernote, Dropbox, PayPal, and so many others? Please explain: why wouldn’t you want to protect your online banking account with at least the same level of security protecting your Facebook account!? Struggling to understand why these online services are surpassing the adoption rates of technologies by banks, credit unions, and other financial institutions? Me too. Maybe what’s even tougher to accept is the number of financial institutions not even offering such enhanced authentication features to their customers? One barrier often cited is the fear institutions tend to have around customer attrition due to overburdening security hoops. I may have given you that one a few years ago, but two-factor authentication is becoming more of a standard offered in many online services, such as the popular ones listed above. Google recently introduced their two-factor authentication for Gmail users. With nothing more than a simple instructional video, Google rolled out this feature in “3 easy steps.” Quite possibly, banks and credit unions alike haven’t considered that such enhanced authentication features might be welcomed and seen as a benefit or differentiating advantage in the eyes of their customers and members.

Introduce the smartphone. Yeah, you know, that device nearly every one of us owns. You remember now – the one you have connected at your hip. Consider online banking, from a security perspective, and realize the opportunity a mobile device introduces. Then consider engaging that mobile device in authentication-based events – representing the “something I have” in the two-factor realm. Why would your institution not leverage this second factor? To send a real-time SMS message to authenticate a user at login? To initiate an automated call containing a one-time code to authorize a transaction? Or to validate a higher-risk activity using a randomly generated value from a soft token app? This added level of security could often be just enough to halt fraudsters perpetrating account takeover attacks. Sure, it has its weaknesses, such as a smart phone infected with a malicious SMS-stealing Trojan. But show me a technology that doesn’t have weaknesses. There isn’t. That’s why the best protection strategy is one that employs “multi-layered” security controls, to compensate for whatever weaknesses may exist in one control with the strengths of other controls.

It’s something I know. My Password. But it’s clearly not enough. Add to the equation something I have. A second factor.

Virtual Branch Myth #2, Part 2

In my previous blog entry, I detailed the myth that integrating online and mobile banking will hold back mobile banking.

As we continue the series in this blog post, I would like to address the issue of mobile being a separate channel.

Mobile is a Channel Myth: Mobile is the next evolution in online banking.

Mobile is cool. Mobile is hot. Mobile device sales are rising as PC sales are falling. These types of stats are used as “evidence” that mobile is the next evolution of the online experience. When it comes to banking, the fact is that mobile is just another access point for consumers who want to access their financial institutions anytime, anywhere and on any device.

Newsflash: each access device is not a channel; your customer, acting beyond the branch, is the channel.

Think about how many types of mobile devices and operating systems exist today. You have the commercially viable iOS (Apple) and Android OS, plus minor systems in Blackberry (RIM) and Windows 8 (MS). There are multiple Apple devices and literally dozens of Android devices. Now suppose each of these required a separate interface to your core system. Each one would need to have its own user interface. The navigation for similar tasks would not be the same. All of this would generate confusion for your customer. Does that sound like evolution or taking your virtual branch back to the stone ages?

Customers want their financial institution to offer the same unified multi-device access they receive from the non-banking brands they trust with their shopping and browsing. Put another way, if decoupling mobile from online was a great idea, wouldn’t most all of the large online players be doing this?

On the contrary, Amazon and Apple go out of their way to integrate their mobile and online experiences across access devices. Facebook spends millions on ensuring that the user experience from online to handset to tablet is unified, integrated and consistent. Do you think that Facebook thinks that they should shun online and go mobile only? Of course not and neither should you!

Embracing a mobile strategy based on concerns over whether the days of online banking are over is a compromise that leads to dissatisfied customers and a weak Virtual Branch offering. To be successful, FIs need to focus on providing an integrated and unified customer experience that maximizes each access device for its unique qualities while ensuring that data, transactions, security protocol and user interface are consistent. This channel of one strategy is central to retaining current and attracting new customers.

Stay tuned for more in my next blog post.

Virtual Branch Myth #2, Part 1

There are many in financial services who believe that mobile banking is a channel of its own, distinctly separate from other online banking applications. They theorize that only when mobile is decoupled from all other online capabilities can mobile grow, expand and capitalize on its unique capabilities.

Those who argue for a mobile-only strategy usually believe in the following myths:

1) Online banking will restrict mobile from growing as it normally would.

2) Mobile is the next evolution in online banking and that traditional online access is archaic and antiquated.

3) Mobile and online channels are different and therefore deserve their own distinct applications and systems.

To me these three myths are all part of one misconception: that the mobile channel can be successfully decoupled from other online services. To gain a better understanding of the issue at hand, these myths must be thoroughly explained and debunked. Due to the amount of information needed to discuss this topic, I will break this topic up into multiple blog entries.

Mobile Is a Channel Myth #2, Part 1: Internet banking will hold mobile banking back.

In order for you to believe that online holds back mobile, you would have to assume that mobile will only take on all of the features that online offers.  Since so many financial institutions have online systems that are so far removed from the expectations of their customers, offering only the most rudimentary functionality, it is easy to see why they would be attracted to the bright shiny object that mobile represents compared to their antiquated online system.

There is no question that PC sales are down while at the same time the sales of mobile handsets and tablets are off the charts. But without a synchronized mobile and Internet offering, consumers and FI support personnel alike must deal with separate verification, authorization and issue resolution processes.

Rather than holding mobile back, Internet banking acts as an additional integrated resource for consumers.

Consider this example: suppose a consumer takes a photo of a check with a mobile device to make a deposit. Twenty minutes later, the same consumer is trying to verify if they have enough money to buy that flat screen TV they have found on sale – today only! The mobile deposit will probably show up in the online system, but will the customer’s mobile available balance match up with the online balance? If the systems are separate, there is a good chance that they have separate interfaces to the core system that holds the balance information. Separate interfaces often mean mismatched information.

Here’s another example: suppose a consumer creates a bill payment on their non-integrated mobile device. The bill payment goes through fine. When it’s time to pay that bill the next month, they find it on the mobile device and make the payment. The following month, when they need to pay the bill, their mobile device is not available. So they use a friend’s computer to access their financial institution via online banking and look for the bill payment vendor. Only it’s not there because the FI has a mobile strategy that is not integrated into all of the access points that the customer can use. This same scenario plays out for issues such as support, security, authorization, dual control, and so forth.

Embracing a mobile strategy based on concerns over outdated online banking technology is a compromise that leads to future obsolescence and a poor consumer experience. Instead, to be successful, FIs need to focus on providing an integrated experience that maximizes each access device for its unique qualities while ensuring that data, transactions, security protocol and user interface are consistent. This channel of one strategy is central to retaining current and attracting new customers.

Check back soon for my next blog post – Mobile Is a Channel Myth #2, Part 2.

With everyone talking about adopting virtual branches lately…

Think you have a true virtual branch?  Maybe not, read on …

If I defined a “branch” as being:

1. A place where customers could perform basic banking transactions

2. Staffed by trained professionals

3. Had all of the equipment and services needed

4. Had its own budget

5. Had a senior manager overseeing its success

Would your current online offering fit this definition of a virtual branch?

I find that most financial institutions have a limited view of what the virtual branch is and what it can (or should) be. As I have conversations with bank and credit union professionals about the virtual branch, I am amazed by comments that lead me to believe that there are a great many myths and misconceptions about what the virtual branch is and can be. In this series of blog posts, my goal will be to examine these myths and dispel them, using verifiable facts and data and adding my own color and opinions to each component of this series. It is my hope that, as you examine all of the evidence, you will not leave the discussion unaffected.

You may decide to ignore the truths of what the virtual branch has become, but this will not change the fact that this method of access has become (or soon will be) your largest branch, by both number of primary customers/members and financially. The question is whether you will strategically address it as your largest branch or continue to view the virtual branch (I’ll refer to it as VB throughout the rest of these posts) as just a tactical operational expense.

The types of myths I will address in this series will cover subjects like:

1. Our end users do not desire the VB as their primary channel

2. Devices such as smartphones and tablets are channels (Spoiler note: your customer is the channel!)

3. I can’t charge for any online banking or mobile activity

4. Only young people are interested in online banking

5. Online/Mobile banking is just an operational expense

6. I should abandon online and concentrate on a mobile only strategy

7. End users don’t care about a consistent user experience

8. My customers/members do not expect our institution to offer the same experience as Apple, Google and Facebook

9. My customers/members don’t use smartphones and tablets very much if at all

10. A compelling user experience will not engage the end user to do more with our institution online

11. We do not need to treat our online banking as we do a branch, it’s completely different

12. We have plenty of time to offer more advanced services in our community, we are not competing against larger regional FIs

While not comprehensive, this list will give you an idea of the subjects that this series will cover. So stay tuned and set up a reminder to check this blog often so you can see the latest post. And whether you agree or not, send me a reply. I am particularly interested in those that would challenge my assertions. Perhaps you will change my mind on an issue or I might wind up changing yours; either way, I welcome the conversation.