How can behavioural authentication enhance a bank’s customer experience?

Sehrish Alikhan

Reporter, Finextra

In an age where digital experiences are being redefined by giants such as Netflix and Amazon, banks also need to step up their game in enhancing customer experience. The ease, personalisation, and seamless interaction offered by these entertainment and retail platforms set a high bar for customer expectations. It becomes imperative for banks to emulate similar practices and strive for a customer journey that is effortless, intuitive, and tailored to individual needs.

Unfortunately, today's user-driven authentication methods, including multi-factor authentication and even biometric verification, while secure, often introduce friction in the user experience. The need for an additional step such as typing in a code received via text or scanning a fingerprint can disrupt the user's flow, leading to potential dissatisfaction. It's a delicate balance to strike – enhancing security measures for user identity verification while maintaining a seamless and engaging user experience.

OakNorth Bank’s head of internal audit and DPO Matt Rigby outlines the negative aspects of multi-factor authentication: “Having multi-layered passwords and authentication protocols to get into your account would create a poor customer experience, and it can often be difficult for users to manage and remember all their passwords, especially vulnerable or elderly customers. Whatever a digital bank develops needs to be set against the pace of cyber criminals to develop ways around new controls.”

What is data-driven behavioural authentication (DBA)?

DBA performs authentication by creating a comprehensive customer profile using five categories of information: identification, usage, behavioural, demographics, and life events. The customer profile, created using historical data, is compared to the customer's online behaviour when using the system. Importantly, this comparison is done without interrupting the customer. The verification process may utilise multiple methods such as combination scoring, threshold setting, and machine learning algorithms.

Vice president of banking and financial services at WSO2, Seshika Fernando, provides further insight into the informational data utilised by DBA:

  1. Identification data such as usernames, passwords, and fingerprints;
  2. Transactional data, which relates to the type of transaction taking place and factors such as the frequency and time of those transactions;
  3. Behavioural data such as keystrokes and IP addresses;
  4. Demographic data analysing how the user is making transactions that correlate with their age, gender, and other demographics; and
  5. Life events such as graduations, marriages, and other milestones can determine how and for what purposes a user is making a payment.
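
The combination scoring and threshold setting described above, sketched as an added example that is not from the article, WSO2 or any bank. The five category names come from the text; the weights, thresholds, per-category deviation values and the `decide` function are assumptions, as is the rule that a session with too few signals falls back to explicit authentication.

```python
from dataclasses import dataclass
from typing import Optional

# The five categories come from the article; every weight and threshold is an assumption.
WEIGHTS = {"identification": 0.30, "usage": 0.25, "behavioural": 0.25,
           "demographics": 0.10, "life_events": 0.10}
STEP_UP_AT = 0.35    # assumed: at or above this, ask for an extra factor
DENY_AT = 0.60       # assumed: at or above this, refuse and refer for review
MIN_COVERAGE = 0.60  # assumed: share of total weight that must have a signal


@dataclass
class Decision:
    action: str             # "allow", "step_up" or "deny"
    score: Optional[float]  # None when too few signals were available
    missing: list           # categories that supplied no signal


def decide(deviations):
    """deviations maps category -> distance from the historical profile,
    0.0 (matches history) to 1.0 (nothing like it); None means no signal."""
    present = {c: d for c, d in deviations.items() if c in WEIGHTS and d is not None}
    for category, d in present.items():
        if not 0.0 <= d <= 1.0:
            raise ValueError(f"{category}: deviation {d} outside [0, 1]")
    missing = sorted(set(WEIGHTS) - set(present))
    coverage = sum(WEIGHTS[c] for c in present)
    # A missing signal is not evidence of normal behaviour: with too little
    # coverage, fall back to explicit authentication instead of scoring.
    if coverage < MIN_COVERAGE:
        return Decision("step_up", None, missing)
    score = sum(WEIGHTS[c] * d for c, d in present.items()) / coverage
    action = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return Decision(action, round(score, 3), missing)


# Constructed sessions; each one presents a valid password (identification = 0.0).
SESSIONS = {
    "usual":    {"identification": 0.0, "usage": 0.1, "behavioural": 0.2,
                 "demographics": 0.0, "life_events": 0.1},
    "odd":      {"identification": 0.0, "usage": 0.8, "behavioural": 0.9,
                 "demographics": 0.2, "life_events": 0.1},
    "takeover": {"identification": 0.0, "usage": 1.0, "behavioural": 1.0,
                 "demographics": 0.8, "life_events": 0.5},
    "sparse":   {"identification": 0.0, "usage": None, "behavioural": None,
                 "demographics": 0.0, "life_events": None},
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, decide(session))
```

A correct password scores zero deviation in all four sessions, yet only the first is allowed without interruption; the others are decided by the remaining categories or by the lack of them.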

Because DBA utilises historical customer data to accurately verify customers, it eliminates the security risks associated with stolen or compromised passwords. Amit Aggarwal, senior director of product and fraud at Varo Bank, comments: “Enhancing and optimising both preventive and detective monitoring and feedback mechanisms to identify emerging fraud trends gives the capability to adapt quickly to an ever-changing environment.”

DBA also improves CX by freeing customers from the burden of frequently inputting authentication credentials, instead allowing them to engage seamlessly with their banking services. Global head of identity and access management at HSBC, Barbara Roberts, states: “While securing your digital banking is of utmost priority, security and user experience can sometimes be at odds with each other given the additional verification steps required. However, the adoption of positive identity indicators such as behavioural biometrics can enable financial institutions to better verify consumer behaviour and deploy step-up authentication where required.”

In addition to enhancing security and CX, DBA can also serve as a gateway to personalisation. The same historical data used for authentication can be utilised to provide individual recommendations to customers, such as offering them hyper-personalised savings or investment opportunities.

What are the challenges of DBA?

While there are numerous benefits to integrating DBA as outlined above, there may be challenges and concerns from some banks looking to implement behavioural authentication technologies into their operations.

A spokesperson from Starling comments: “These challenges can exist in multiple arenas including data privacy, regulatory requirements, reliability, associated risks that occur through automated decision making and a host of other data-centric problems, such as sample size and accuracy. Any data-based technical approach to solving a problem will come with its own set of pros and cons that institutions should assess against their risk framework and appetite.”

Aggarwal notes that a significant challenge to authentication is that fraudsters are able to evolve as technology progresses, and that banks need to continually adjust their strategies to stay ahead.

Rigby outlines two challenges for digital banks. The first is dealing with sensitive and higher-risk data and how to process it securely. He states that, for that purpose, the security of the bank’s entire ecosystem needs to be reconfigured to address more serious risk. His second concern is how banks can inform customers about how the bank is collecting and processing high-risk data to maintain transparency.

He explains: “There is also inevitably the potential for rapid developments by cyber criminals to be able to replicate customers’ behavioural data (perhaps by using generative AI for example), negating the additional security a bank may think it has.”

Roberts expands on the same point, adding that sensitive personal information such as behavioural data requires explicit consent from the user. She adds: “Whilst DBA is still developing, the cost to implement this solution is seen as one of the challenges due to the software required to collect and analyse the data-driven behavioural data. Another challenge comes with the section of the device that can detect all these signals. Some smartphones have the capability to provide certain signals. Whilst there is a wide usage of smartphones, financial institutions need to consider back-up mechanisms to address scenarios where consumers are unable to use their phones in corporate or consumer spaces.”

Fernando posits that the usage of sensitive behavioural authentication data goes no further than what is already mandated in open banking legislation within Europe and many other countries, where data is shared with third-party platforms with the explicit consent of consumers in exchange for better services. The setup already allows data to be shared securely, but DBA is much more conservative in that the consumer consents for the bank to use the same data again to authenticate the user, and not to share it with a third party.

“If you are getting authenticated onto a bank's online portal using a biometric validator, then that data is collected anyway. Now we are asking the consumer to give the bank consent to use that data to continue to authenticate them in the future without having to interrupt the user.” She details: “For personalisation, which is the next step, we use data that indicate the characteristics of a user so that we can provide better personalised services, recommendations, and interest rates. Essentially, we are asking the consumer to provide consent to utilise the data already held within the bank.”

How can banks prioritise security and user experience?

Roberts states that the future of digital banking will focus on both security and enhanced user experience that will lead to rapid adoption. She adds that there are a great many factors to consider in integrating DBA, including enhanced security, customer safety, regulatory compliance, technological maturity, secure user enrolment, incorporation into existing systems, and data reliability.

Referencing a whitepaper published by WSO2 on the subject, Fernando states that user-driven authentication is often compared to a see-saw, trying to find the balance between user experience and security on either end, with one being prioritised at the expense of the other by having multiple friction points for the consumer in order to enhance security.

She concludes: “In the data-driven authentication world, it's not a balance but a virtuous cycle, where essentially better authentication leads to better CX and vice versa.”
