The Bankwatch

Tracking the consumer evolution of financial services

Tower Group are right – US financial services firms have lost the battle to protect the personal information of customers

This is a sufficiently provocative headline that I can hardly ignore.

Financial institutions have lost battle to protect customer data – TowerGroup | Finextra

US financial services firms have lost the battle to protect the personal information of customers and must now assume that all their clients’ data has been, or will be, compromised, according to TowerGroup.

First of all I agree with the headline.  The battle is largely lost;  I would go further, and hesitantly admit what few bankers will, that control over customers information never really existed.  Why do I say that?

Consider how banks have evolved, which is one account type at a time, one service at a time.  Each of those were managed by disparate computer systems, and as new products were added new systems were added. This problem has only been magnified by bank consolidations which added even more disparate systems.

The result is that Joe Customer has ‘files’ located within different systems, each with his own address, and personal information.  In fact he is often Joe C. Customer, or J.T. Customer in those other systems.  Government regulation that forestalled the use of Social Insurance/ National Insurance numbers as identifiers forestalled any common macro identifier for Joe.  The result is that the bank is not sure of Joe is the same in each system or not.  Similar addresses are a clue but hardly definitive.  I will have more to write on this later.

Lets return to the Tower piece in Finextra:

Meanwhile, companies should assume that traditional account information such as name, address, date of birth and account balance are useless as authentication factors. Instead they should consider using knowledge-based authentication and one-time passwords delivered via SMS.

Relevance to Bankwatch:

In other words, the very information that Banks do not fully control nor understand in context of customer identification, is the the same information that cannot be relied on any more.  The conundrum is that is the only information that banks have in place to rely upon.  This is hardly a recipe for success nor customer loyalty, and small wonder that customers accept and promote use of disaggregated financial services, spreading themselves between institutions as their own personal risk mitigation strategy.

Banks are very focussed on transaction security, using chip cards, two factor authentication and the like, but this does nothing for information security.  The Bank that can ever crack this nut by offerring complete information security, such that Joe in our example can feel confident about his financial information not being compromised might just give itself a leadership edge.

Written by Colin Henderson

June 17, 2009 at 08:40

Posted in Security

Tagged with ,

%d bloggers like this: