If you’re a financial institution, your goal is clear. You need to reduce your exposure to fraud. Oh, and incidentally, it would be so much nicer if you could do it in a way that doesn’t adversely affect the client experience.
Some institutions transfer fraud risk back to the customer through legalese: “If you want to use our wire service, click here to accept the risk that our fraud detection procedures may fail and that you are responsible for any funds a ‘bad guy’ may wire from your account.” That is a particularly unfriendly demand of a customer - if they even notice it in the fine print.
Other institutions accept fraud risk, acknowledging that managing it is part of their business. Regardless of who holds the end risk, institutions are all feverishly working to minimize it. Let’s focus on one of the most common fraud reduction procedures used today: the age-old “call-back.”
Most institutions still make a phone call to their clients to authenticate that they sent the wire instruction (especially those that retain fraud risk). When the customer is reached, they are quizzed with well-meaning but generally useless questions. Between hacking and social sharing, there are few secrets these days.
Let’s face the ugly truth. Call-backs are an outdated, cumbersome task that slow down transactions and are one more drag on the client experience. Call-backs still don’t work smoothly: the client is frequently hard to reach; missed cutoff times alienate clients; and the delays tie up expensive resources at the institution.
Of course, that’s assuming the call-back itself hasn’t been redirected to the fraudster. Wire fraud has evolved in the digital age; it’s easy to impersonate someone online and alter customer profiles (including contact details). Further, it's getting ever-more common for phone calls to be redirected and one-time PINs intercepted. Fraud prevention controls now require more than a phone call.
How Did We Get Here?
The core question we are all trying to answer is whether the transaction is legitimate – and that means understanding both who the requester is, and what they are instructing the institution to do.
Wire fraud essentially occurs in two ways:
1. The first happens when a client is directly tricked into transferring funds to a disappearing fraudster’s account. While a horrible scenario, unfortunately often involving large amounts of money, it is a one-time event.
2. The second and more vexing scenario is when a customer’s supposedly “secret” information is compromised, whether through hacking or phishing, and the fraudster uses it to take over the account.
Once the fraudsters gain access to a client account, they have free rein to execute numerous transactions until discovered. Therefore, substantial effort is focused on who is behind the instruction. After all, if you can’t verify who they are, how can you proceed to the next stage – verifying that the transaction is authorized?
For many wire instructions, that means call-backs to the client to authenticate their identity. But as we said, what if the client can’t be reached? Everything comes to a grinding halt. And what if the fraudsters have changed the number on file, or hijacked the client’s phone account and forwarded calls to themselves? The call-back then confirms the fraudster’s identity, not the client’s.
The Impact on User Experience
While there are several means to authenticate a client’s identity, more often than not institutions still resort to asking clients a set of secret questions during a call-back. This practice burdens both parties: the institution must store the answers accurately and keep them confidential, and the client must keep them consistent over years.
The process also requires the customer to remember these details on demand. There isn’t much worse for User Experience (UX) than a disagreement with a call center rep over whether you were born in Manhattan or New York City.
As noted, the whole process is plagued with timing issues. Customers miss the call from the institution (often they don’t answer because they don’t recognize the number). When reached, clients are invariably interrupted from the task they’d moved on to, and frequently have to ask themselves whether to trust someone claiming to represent the institution (funny how the authentication problem works both ways!).
When you think about it, it’s a lot of trouble to go through to answer one simple question – is this transaction authorized?
A Better Way
Could this entire challenge process be avoided, with client transactions still validated to the same or a higher standard? Is it possible to eliminate the need for call-backs to confirm transactions?
The solution would have to guarantee that the wire transfer originates with and is authorized by the client and no one else.
What if we flipped the model, and put secure control of transactions (origination and termination) in the hands of the client? That would keep the UX simple, and give businesses the confidence that the transaction is authorized.
Authoriti provides just such a solution, the Permission Code™ smart PIN.
The Transaction Is Authorized – By the Client
With the Permission Code, clients authenticate directly to their own device, and then generate a one-time smart PIN from that device to authorize transactions anywhere, anytime. The real magic is that the Permission Code is unique and cryptographically bound to the specific transaction that the client authorized.
Fine-grained restrictions, specifying account, amount, location, and timing, are embedded in the Permission Code to prevent it from being misused, even if it is somehow intercepted.
If a client authorizes an immediate wire transfer out of a specific account in a certain bank, the Permission Code can’t be used for any other transaction or any other purpose.
Institutions can check the integrity of a transaction by validating a Permission Code through a simple RESTful call to the Authoriti web service.
No back-office changes to databases are needed; account numbers are still the identifier of choice and the Permission Code can be safely discarded once checked. Permission Codes aren’t stored anywhere.
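To make concrete what “cryptographically bound to the specific transaction” means in practice, here is an added, self-contained Python illustration of the general technique: a keyed MAC computed over the canonicalized transaction restrictions plus a validity window, verified statelessly by recomputing it over the transaction the institution actually received. This is example code written for this page, not Authoriti’s implementation, and it makes no claim about how the Permission Code itself is constructed; the per-device key, the field names, the 80-bit tag length and the five-minute window are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical per-device secret established at enrollment and shared with the
# validation service (in practice it would sit in the device's secure element
# and the service's HSM). Constructed test value, not a real key.
DEVICE_KEY = bytes.fromhex("0f" * 32)

TAG_BYTES = 10  # truncated HMAC tag: 80 bits, 16 base32 characters, short enough to type


def canonicalize(tx: dict) -> bytes:
    """Deterministic encoding of the restrictions the code is bound to.

    Sorted keys and no whitespace mean the client and the validator produce
    byte-identical input for the same account/amount/beneficiary/type.
    """
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def _tag(device_key: bytes, header: str, tx: dict) -> str:
    mac = hmac.new(device_key, header.encode() + b"|" + canonicalize(tx), hashlib.sha256).digest()
    return base64.b32encode(mac[:TAG_BYTES]).decode()


def generate_code(device_key: bytes, tx: dict, issued_at: int, ttl: int = 300) -> str:
    """Client side: issue a code valid for `ttl` seconds that only authorizes `tx`."""
    nonce = secrets.token_hex(4)  # makes two codes for identical instructions distinct
    header = f"{issued_at}.{ttl}.{nonce}"
    return f"{header}.{_tag(device_key, header, tx)}"


def verify_code(device_key: bytes, code: str, observed_tx: dict, now: int) -> bool:
    """Validator side: recompute the tag over the transaction actually received.

    Nothing about the code is stored; a mismatch in any bound field, an expired
    window, a malformed code or a wrong key all fail closed.
    """
    try:
        issued_at_s, ttl_s, nonce, tag = code.split(".")
        issued_at, ttl = int(issued_at_s), int(ttl_s)
    except ValueError:
        return False
    if not (issued_at <= now < issued_at + ttl):
        return False
    header = f"{issued_at}.{ttl}.{nonce}"
    return hmac.compare_digest(_tag(device_key, header, observed_tx), tag)


def demo() -> dict:
    """Constructed wire instruction plus the misuse cases a validator must reject."""
    tx = {
        "type": "wire",
        "from_account": "1234567890",
        "to_account": "9876543210",
        "amount": "25000.00",
        "currency": "USD",
    }
    t0 = 1_700_000_000
    code = generate_code(DEVICE_KEY, tx, issued_at=t0, ttl=300)
    redirected = dict(tx, to_account="1111111111")  # intercepted code, beneficiary swapped
    inflated = dict(tx, amount="250000.00")           # intercepted code, amount changed
    return {
        "matches": verify_code(DEVICE_KEY, code, tx, now=t0 + 30),
        "redirected_beneficiary": verify_code(DEVICE_KEY, code, redirected, now=t0 + 30),
        "inflated_amount": verify_code(DEVICE_KEY, code, inflated, now=t0 + 30),
        "expired": verify_code(DEVICE_KEY, code, tx, now=t0 + 300),
        "wrong_key": verify_code(b"\x00" * 32, code, tx, now=t0 + 30),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>24}: {'ACCEPT' if ok else 'REJECT'}")
```

Two points worth noting from the example. First, binding the code to the transaction is what makes interception harmless: an attacker who captures the code cannot change the beneficiary or the amount without invalidating it, and the validator needs no stored copy of the code to detect that. Second, binding alone does not stop the same code being presented twice for the same instruction within its window; a real deployment pairs it with a transaction reference that the back office already de-duplicates, or with a short-lived cache of seen nonces, and the window should be kept as short as the client’s workflow allows.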
This easy and secure process is inherently customer-centric. Clients prepare wire instructions when it’s convenient, and don’t worry when the institution will call them back. No calls and no ridiculous questions means better UX.
With the Authoriti Permission Code, we can confirm with 100% certainty that your client both originated and authorized that transaction.