Think how hard it would be to perpetrate a fraud if each and every transaction were scrutinized by a pair of motivated and knowledgeable human eyes. No, we are not proposing a 10-fold increase in your auditing staff, but rather that you tap a freely available resource, your own customers. Let them become virtual security guards for their own accounts.

The end user is the only one who knows beyond a shadow of a doubt that the 3 a.m. access attempt from Eastern Europe was fraudulent. Most customers will gladly help you guard their accounts. It’s a true win-win, simultaneously lowering your costs/exposure, while increasing customer satisfaction.

With email alerts and user-defined transaction controls, arm users with tools to detect fraud attempts almost immediately (see Table 1). Monetary incentives probably won’t be necessary, since users are motivated out of self interest. However, their efforts should be reinforced with positive feedback such as labeling their account “PROTECTED” whenever they enable high-level fraud controls. You can also provide clear fraud guarantees that make customers feel good about pitching in on the fight. See Table 6 below for more ideas.   

Table 1

User Incentives to Participate in
Anti-fraud Programs

•    Thank-you for CEO and/or account rep, with an optional promo item such as t-shirt, clock, etc.
•    VIP treatment such as 24-hour premium customer service, customer service chat rooms, dedicated security contacts.
•    Discounts for users accepting more rigorous account-protection schemes (similar to a discount on homeowner’s insurance for installing an alarm).
•    More comprehensive fraud-loss protection and guarantees for users choosing more rigorous account protection parameters.
•    “Bulletproof” credit lines that can be drawn upon with no questions asked if an identity thief draws down all available credit

Source: Online Banking Report, 3/03

Table 2

User Tools for Monitoring their Own Accounts

•    Let users decide, ahead of time, at which point(s) they will be challenged with a question/password.
•    Emailed alert whenever the user’s account is accessed, or when an unsuccessful access attempt is made (for extra credit, log the incorrect passwords and show them to the user so they can determine whether it was a random attempt or if someone has stolen or guessed the user’s true password from another site).
•    Use geolocation to reject access attempts from IP addresses outside the customer’s normal geographic location; users could disable or alter the geolocation algorithm prior to traveling.
•    Require an email/VRU confirmation for major transactions (e.g., large bill payments, wires).
•    Require an extra password when accessing critical functions
•    Deposit or loan “lock down” options, where special authorization is required to move deposits or take additional loan advances.
•    User-defined transaction limits
•    Email confirmations of all transactions
•    Bank security contacts for users to report suspicious activity.
•    Require users to confirm password resets and email address changes by replying to an email sent to their email address(es) on file; if email access is no longer available, send reset material through snail mail.
•    Security preferences tab that allows users to set security parameters at different levels, similar to the security controls found in Internet Explorer and Netscape Navigator.
•    Session-tracking logs that list transactions authorized in previous online sessions; new log entries could be sent via email for added protection.

Source: Online Banking Report, 3/03