What do consumers want from digital banking?
We are all of us – or at least most of us and me included – consumers of digital banking and therefore have views on what we want from our Internet and mobile banking services both in terms of functionality and security. On that basis I polled some friends to understand their views on digital banking services – not a big enough group to describe it as scientific 'wisdom of the crowd', but nonetheless the views of a few consumers and not just me, writes Mark Waghorne.
Prior to moving into consultancy twelve years ago Mark was Global Head of Information Security for Standard Chartered Bank with responsibility for all aspects of information security across all the Group’s lines of business and geographic operations. He has helped organisations implement security management organisations and processes focused on supporting the requirements of their business.
At the end of June 2009 Mark completed a four-month secondment to a UK mobile telco as interim head of IT security and since then he has headed up KPMG’s I-4 Program (www.i4online.com) and led other engagements across industry sectors, including multi-client benchmarking studies.
Ease of use seems to trump most things. Even security-savvy consumers who know that ‘security is a good thing’ don’t want to be encumbered with security tokens that they have to have with them and their PC, laptop or mobile device when they want to transact. However, the views of those who have suffered some form of fraud or identity theft tend to be more cautious!
What is it then that consumers like, want to have and don’t like at all? My small sample group came up with this.
– Like – the ease with which you can move money between accounts, pay bills, etc., which makes things so much easier than having to go into a branch. You can be much more in control of your money, setting up direct debits and payments that you can view or change very quickly.
– Dislike – access, which is thought to be far too clunky and restrictive and to negate some of the native functionality of the smart device.
– Most of all, want – instant access to money and services in the simplest way possible, "when I want it and from the device I want to use".
So what do I think about security in this context? As in many areas of industry, government and our own daily lives, security issues and the need for security are not diminishing and nor are they likely to. Whether dealing with the game changing nature of destructive malware such as Shamoon, or fending off highly disruptive distributed denial of service attacks against the online presence of US and other Western banks by alleged Islamist activists, the persistence of attackers and their capabilities are likely only to increase.
What does this mean for digital banking?
Even among consumers who want ease of access above all else, passwords and phrases are looked at as out of date but, paradoxically, needing a ‘token’ to access services is viewed as ‘clunky’, and if it’s lost then there are no services until a replacement arrives. If we really do want access to everything, from any device at any time, then we may need to accept more intrusive security mechanisms such as multiple factor authentication to help protect against identity theft and financial crime. Soft tokens that avoid the need to carry an additional device could help provide an answer here. Out-of-band confirmation of specific transactions may also increase, but how ‘out-of-band’ is the verification when the mobile phone and banking app are on the same device? Additionally, if consumers are to be faced with systems being unavailable because of some ‘security incident’, then they may need to consider other channels to transact their business such as branches and telephony.
To wrap up, what are some of the financial services regulators doing or contemplating? Mandatory breach disclosure is becoming more common, so when something does go wrong the regulator – and often the public – needs to be notified. And in Singapore, to help the consumer, the direction of travel is to levy fines for key banking systems that are unavailable for four hours or more in a year, and this is likely to be based on the systems that the consumer defines as key. This focuses clearly on the ‘need’ of the client rather than the ‘capability’ of the provider.
So for the banks – services that are highly available, give the functionality the consumer wants and are secure.