Recent reports of fraudulent account creation by employees at large banks to generate a boost in fees have raised many questions. How can such practices grow to such an immense scale? Wells Fargo has admitted to firing 5,300 employees for opening over 1.5 million unauthorized bank and credit card accounts. With allegations that the practice is more widespread, there is a real need to consider preventative measures.
What regulatory policies will need to change in response? While congressional hearings, regulatory penalties, lawsuits and customer churn will undoubtedly discourage future near-term fraud, perhaps the better question is, what can be done to put control back into the hands of consumers more permanently?
How can an employee create fake accounts?
To address the question of consumer control, we must first consider how bank employees create fake accounts. The Consumer Financial Protection Bureau (CFPB) has stated that in one case, employees went so far as to create phony PIN numbers and fake email addresses to enroll customers in online banking services. Those employees then transferred funds from an existing account into the new account without the customer’s knowledge or permission, resulting in charges and penalties for the account holder.
How much access should employees have?
This raises the question of the level of access that should be afforded to employees. Certainly there are legitimate reasons for employees to interact with customer accounts, but for an activity such as opening an account or transferring an entire balance, shouldn’t there be a higher bar for access?
Perhaps regulators need to consider mandating implementation of two-factor authentication (2FA) for significant account management activities. Only the account owner (or legal guardian/trustee) should be making these kind of transactions, which aren’t an everyday occurrence. The level of risk justifies the effort required for an extra authentication step.
How can 2FA be implemented for the masses in a cost-effective manner?
2FA costs skyrocket when extra hardware such as hard tokens or biometric scanners are involved. In response to this challenge, the ubiquity of mobile devices certainly positions them as a logical platform for granting 2FA. But, the recent National Institute of Standards and Technology (NIST) recommendation against the use of SMS tokens for 2FA means that older non-smart phones aren’t preferable for this purpose, which excludes a significant portion of the population using older technology. Additionally, the authentication method in use should be usable across multiple mediums – whether banking online, on the phone or in person.
Perhaps the answer is in voice recognition. Stating a user-generated phrase into a computer microphone (at the branch or online), or over the phone, is something that most people are capable of and satisfies both something you know (the passphrase) and something you are (the voice). Taking the next step to record and match a customer’s voice command as a means to authenticate the user’s account activities is the next logical progression. Protecting the recorded phrases with 2FA is necessary as well with this use case.
2FA is becoming more mainstream for businesses; however, businesses need to consider how 2FA should be implemented to maintain both external and internal control. According to a recent Ponemon Institute Research Report, “75 percent of respondents say a single-factor authentication approach, including username and password, can no longer effectively prevent unauthorized access to information resources.” It’s a shame that protection needs to be from both external attackers and employees alike, but it is in the best interest of the financial industry to maintain trust with consumers.