The banking industry infamously divides itself into silos to address different aspects of the business, which can be problematic for customers who think they are dealing with a single entity. This can be especially difficult during onboarding and security checks, when different silos at the bank ask repeatedly for credentials.
In a recent PaymentsJournal podcast, Sunil Madhu, founder and CEO of Instnt, a fraud loss indemnification provider that covers the entire customer lifecycle, and Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research, discussed the challenges of providing an easy, frictionless process for consumers while still safeguarding their privacy.
Breaking Down Silos
Retail banks have separate organizational units handling checking accounts, savings accounts, loans, and mortgages. Each of these silos has its own risk and compliance requirements, backed by a half-dozen or more tools used to vet individuals who sign up for a particular product or service, and each runs its own know-your-customer (KYC) checks for compliance purposes.
The consequence is that anyone who signs up for a checking account has to go through a whole series of KYC and fraud checks. If that person comes back six weeks later and applies for a loan, they may have to provide the same information again, even though they already have a relationship with the bank.
Obviously, different products have different types of risk, which is one of the reasons for these operational silos. But customers don’t care about that. They perceive themselves as working with a single bank, whether they’re dealing with a mortgage or a small-business loan or a checking account.
So there are advantages to connecting the silos with technology that still lets each line of business keep its own independent risk and compliance requirements. That gives the bank's divisions the flexibility to maintain independent control while simplifying the user experience by giving customers a reusable, verifiable credential.
“We get a lot of reports that consumers are not happy with onboarding processes,” Pitt said. “They always say, ‘I thought I already gave you my information. Why do I keep having to give you this information?’ Having one place where that information is kept on the consumer’s device, and the consumer can dictate how they give that information. Not only can this help the consumer, but it can also save time for businesses as they onboard people.”
Relying on the Blockchain
Businesses could then sell multiple products and services without the repeated signups that leave customers frustrated. It is time to rethink this kind of infrastructure so that it focuses on less friction for the user and easier onboarding.
The past few years have seen new identity standards, notably the W3C Verifiable Credentials and Decentralized Identifiers (DID) specifications, which are commonly anchored to a blockchain or other distributed ledger. Combined, these two technologies let businesses issue reusable passes to customers who sign up.
“If I were to open up a checking account,” Madhu said, “I might get a pass back, which essentially is a tokenized identity document that helps to identify who I am. It also contains assurances from the verifying authority that issued the document, that the information has been vetted and verified. There’s also a KYC verification component to it.”
From a compliance perspective, the presenter of that pass has already cleared the necessary KYC checks and any other standard that must be met. The issuer's signature lets the recipient confirm that the contents have not been altered since issuance, and the DID protocol lets the presenter prove control of the key the pass was bound to, so the recipient can verify that the pass belongs to the person presenting it rather than to someone who copied it. That guarantee holds only while the holder's private key stays on the holder's device, which is why being able to cancel a pass from a lost or stolen device matters.
These two technologies enable a user to get a comprehensive pass when a checking account is opened. When the user logs back into their checking account, they can present the pass again as the authentication token in lieu of a password. When they want to access other products or services, they don't have to go through a whole other signup; they simply re-present the pass. As long as the level of assurance of the issued pass meets the requirement of the product or service the user is trying to access, they get one-click access into the system.
“The new technology is as strong as multifactor authentication, but unlike other technologies like passphrases and passkeys and multifactor authentication itself, it’s fully decentralized,” Madhu said. “There is no central point of attack for a hacker to compromise the database and steal the data and authenticating tokens. All of that risk goes away because the technology ensures that the credential is in possession of the end user, securely vaulted into their mobile devices with very mature mechanisms that essentially cancel a pass from a device that might have been lost or stolen.”
The technology is omnichannel: the person can be authenticated and vetted consistently whether calling into a call center or using the application on the web. Because the pass has to be presented from the holder's device, an attacker who social-engineers the call center into triggering something like a push notification still cannot produce a valid presentation, which is how the technology thwarts those attack vectors.
Multipass: The Newest Solution
Instnt has combined verifiable credentials and decentralized ID in a new product called Multipass.
“We provide a toolkit that basically allows the Multipass issuance and verification capabilities to be embedded in your application and provides a secure mobile vault for any passes that have been issued to the user,” Madhu said. “All you need to do is load this toolkit into your application, and you have the full capabilities when the user is first registered and onboarded. At the end of the journey, the user will be asked if they wish to receive and store the pass.
“Behind the scenes, the system issues the pass with the data that was collected from the user that went through identity verification, fraud checks, KYC checks, and whatnot. Any additional information, such as the user’s bank account or other information the financial institution might need later on, can also be packaged up into the pass. The pass is then signed with two sets of keys, one that belongs to the user receiving the pass and the other issued from the business conducting the verification.”
The pass itself contains everything needed to establish non-repudiation and to verify that it has not been altered.
“We essentially match the public record of the public keys of the key pairs that were used for the signature and the encryption of the data in the pass,” Madhu said. “By virtue of the blockchain being immutable, you get the assurance that this pass was in fact issued to Sunil, for example, by Acme Bank or whomever issued it, and that all of the data in there was verified by Instnt. That assurance is intrinsically built in using the verifiable credentials document and the DID protocol.”
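The issuance and verification flow described in the two passages above (the pass signed by issuer and holder keys, the holder proving control of the key it was bound to, the public keys looked up in an immutable record, and the assurance level checked against the product's requirement), as an added example that is not Instnt's Multipass code and does not follow any particular DID method or the W3C data model. It assumes an in-memory map in place of the ledger, Ed25519 key pairs, plain JSON as the signed encoding, and constructed DIDs, pass ID, challenge string, and assurance scale.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for the ledger: a DID resolves to the public key currently
// bound to it, and cancelled pass IDs are listed. Assumption: an in-memory map.
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Credential is the "pass": claims the issuer vetted, bound to the holder's DID.
type Credential struct {
	ID        string            `json:"id"`
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Assurance int               `json:"assurance"` // assumed scale: 1 = basic, 2 = full KYC
	Claims    map[string]string `json:"claims"`
}

// SignedCredential carries the issuer's signature over the canonical credential.
type SignedCredential struct {
	Credential Credential `json:"credential"`
	IssuerSig  []byte     `json:"issuerSig"`
}

// Presentation is what the holder hands to a verifier: the signed credential plus a
// holder signature over a verifier-chosen audience and challenge, proving control of
// the subject's key and preventing replay of the presentation elsewhere.
type Presentation struct {
	Cred      SignedCredential `json:"cred"`
	Audience  string           `json:"audience"`
	Challenge string           `json:"challenge"`
	HolderSig []byte           `json:"holderSig,omitempty"`
}

// canonical gives a deterministic byte encoding to sign (encoding/json sorts map keys).
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

func Issue(issuerKey ed25519.PrivateKey, c Credential) SignedCredential {
	return SignedCredential{Credential: c, IssuerSig: ed25519.Sign(issuerKey, canonical(c))}
}

func Present(holderKey ed25519.PrivateKey, sc SignedCredential, audience, challenge string) Presentation {
	p := Presentation{Cred: sc, Audience: audience, Challenge: challenge}
	p.HolderSig = ed25519.Sign(holderKey, canonical(p)) // HolderSig is nil here, so omitted
	return p
}

// Verify performs the checks a relying line of business would run before granting access.
func Verify(reg Registry, p Presentation, audience, challenge string, required int) error {
	c := p.Cred.Credential
	if p.Audience != audience || p.Challenge != challenge {
		return errors.New("presentation not bound to this verifier and challenge")
	}
	issuerPK, ok := reg.Keys[c.Issuer]
	if !ok {
		return errors.New("issuer DID does not resolve")
	}
	if !ed25519.Verify(issuerPK, canonical(c), p.Cred.IssuerSig) {
		return errors.New("issuer signature invalid: pass altered or forged")
	}
	holderPK, ok := reg.Keys[c.Subject]
	if !ok {
		return errors.New("subject DID does not resolve")
	}
	unsigned := p
	unsigned.HolderSig = nil
	if !ed25519.Verify(holderPK, canonical(unsigned), p.HolderSig) {
		return errors.New("holder proof invalid: presenter does not control the subject key")
	}
	if reg.Revoked[c.ID] {
		return errors.New("pass revoked")
	}
	if c.Assurance < required {
		return fmt.Errorf("assurance level %d below required %d", c.Assurance, required)
	}
	return nil
}

// RunScenarios exercises the checks on constructed sample data and returns each
// outcome ("ok" or the rejection reason).
func RunScenarios() map[string]string {
	mustKey := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pk, sk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pk, sk
	}
	bankPK, bankSK := mustKey()
	userPK, userSK := mustKey()
	_, thiefSK := mustKey() // attacker who copied the pass but not the holder's key
	reg := Registry{Keys: map[string]ed25519.PublicKey{"did:example:acme-bank": bankPK, "did:example:sunil": userPK}, Revoked: map[string]bool{}}
	pass := Issue(bankSK, Credential{ID: "pass-001", Issuer: "did:example:acme-bank", Subject: "did:example:sunil",
		Assurance: 2, Claims: map[string]string{"kyc": "verified", "name": "Sunil"}})
	verifier, nonce := "did:example:acme-loans", "n-7f3a" // constructed audience and challenge
	out := map[string]string{}
	report := func(name string, err error) {
		out[name] = "ok"
		if err != nil {
			out[name] = err.Error()
		}
	}
	report("valid", Verify(reg, Present(userSK, pass, verifier, nonce), verifier, nonce, 2))
	tampered := pass
	tampered.Credential.Claims = map[string]string{"kyc": "verified", "name": "Mallory"}
	report("tampered", Verify(reg, Present(userSK, tampered, verifier, nonce), verifier, nonce, 2))
	report("stolen", Verify(reg, Present(thiefSK, pass, verifier, nonce), verifier, nonce, 2))
	report("replay", Verify(reg, Present(userSK, pass, verifier, "n-old"), verifier, nonce, 2))
	report("low-assurance", Verify(reg, Present(userSK, pass, verifier, nonce), verifier, nonce, 3))
	reg.Revoked["pass-001"] = true // lost device: the issuer cancels the pass
	report("revoked", Verify(reg, Present(userSK, pass, verifier, nonce), verifier, nonce, 2))
	return out
}

func main() {
	for k, v := range RunScenarios() {
		fmt.Printf("%-14s %s\n", k, v)
	}
}
```

The holder signature over a fresh verifier challenge is what turns "no one else could present a stolen pass" into a checkable property: a copied pass fails the holder proof, and a captured presentation fails the challenge check. The revoked case covers the lost-device mechanism the article mentions. A real deployment would replace the map with DID resolution against the ledger and use a proper canonicalization scheme rather than raw JSON.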
The Right to Privacy
Financial institutions no longer have to hold that data in their own database, which removes it from the liability they would carry if their systems were breached. From the user's perspective, they have simply clicked a consent request saying, “Yes, I want to share the pass.” That is the only friction they face, and their privacy is maintained and their data kept safe.
“Privacy is a very important issue for consumers,” Pitt said. “We found that consumers will actually cancel their bank accounts if their privacy concerns are not met. Giving back control to the consumer about what can be done with their data, how their data can be used when it’s deleted, essentially, is a great thing.”
That type of comprehensive solution is possible only if banks break down those silos. Customers want to work with a single bank, and banks should take care not to put obstacles in their way that give them an incentive to seek another provider.