Neo banks are fighting an uphill battle. Not just because they have to convince consumers to choose them over long-established institutions, but also because legislators often lack both an understanding of the technology and the willingness to give them a fair chance. From strict AML laws and KYC processes to fraudsters and criminals looking to take advantage, neo bank security is a major concern.
With a market size of $34.77 billion last year and a projected growth rate of 47.7% over the next seven years, most insiders expect neo banks to prevail against the odds. Yet some of these startups and players will prove more resilient than others, and for a new player to belong to the former group it needs to invest in smart and efficient neo bank security that is holistic as well as proactive.
Let us look today at the building blocks of neo bank security for risk managers.
1. Data Enrichment
A valuable weapon in efforts to weed out criminals who may be looking to take over customer accounts, launder money, or carry out any number of other scams, data enrichment is the act of locating and combining several data points about a user or customer.
These can range from someone’s stated location to whether they are accessing the app through a proxy, or even how old their email address appears to be, based on whether it has been listed in known data leaks. Data enrichment is the process of finding, sourcing and collecting such data, which may not seem so useful at first glance but, once combined, can provide clearer indications of the user’s intentions and motives.
From there, risk scoring algorithms that follow best practices for the sector, and that are fine-tuned using the particular neo bank’s historical data, assign a score to each user, automatically triggering hard KYC protocols, manual reviews, or even blocking the person.
2. Browser Fingerprinting
But what techniques work under the hood to enable data enrichment? There are several. One of the more widely adopted, and still evolving, techniques is fingerprinting.
Browser fingerprinting gathers non-private information about a customer’s browser, configuration and device, processing it through a hash function and storing it server-side.
Data points that can be gathered through this method include user agent, audio context analysis, CPU class, OS language, touch support, accelerometer, proximity sensor, etc. The goal is to use all this information about a user to be able to identify them in the future, as well as to compare them with other users, including those known from historical data to be fraudulent.
So, for example, user A’s browser hash shows them to have a specific configuration made up of 65 data points. From what the bank knows, their account is known to be active only in the UK. If user B logs in seconds after user A, and user B’s hash contains the exact same data for these 65 data points, although B is located in South Africa, this is a red flag.
How did this device/browser end up so far away within seconds, if both are legitimate? This could be a case of account takeover. To address this, the neo bank’s customer might be asked for additional verification or even passed on to a risk analyst for manual review.
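The scenario in the two paragraphs above, as an added example that is not from the original article: the collected attributes are canonicalised and hashed into a fingerprint, only the digest is kept server-side, and a repeat of the same digest from a different country within a short window is raised for step-up verification or manual review. The attribute names, the sample device (six data points rather than 65) and the 60-second window are this example's assumptions.

```python
import hashlib
import json


def fingerprint_hash(attributes: dict) -> str:
    """Hash the canonicalised attributes (sorted keys, no whitespace); only the digest is stored."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class FingerprintMonitor:
    """Remembers the last sighting of each fingerprint hash and flags a repeat
    sighting from a different country inside a short time window."""

    def __init__(self, window_seconds: int = 60):
        self.window = window_seconds
        self.last_seen = {}  # digest -> (timestamp, country, account)

    def observe(self, attributes: dict, timestamp: int, country: str, account: str):
        """Record a login; return a finding dict if it is a red flag, else None.
        A finding prompts step-up verification or manual review, not a block:
        common configurations do collide across unrelated users."""
        digest = fingerprint_hash(attributes)
        previous = self.last_seen.get(digest)
        self.last_seen[digest] = (timestamp, country, account)
        if previous is None:
            return None
        prev_ts, prev_country, prev_account = previous
        gap = timestamp - prev_ts
        if country != prev_country and gap <= self.window:
            return {"hash": digest, "accounts": (prev_account, account),
                    "countries": (prev_country, country), "seconds_apart": gap}
        return None


# Constructed sample: a handful of the data points the text lists, not a real device.
SAMPLE_DEVICE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0",
    "cpu_class": "x86_64", "os_language": "en-GB", "touch_support": False,
    "audio_context": "124.04347527516074", "timezone": "Europe/London",
}


def demo():
    """Same fingerprint seen in the UK, then twelve seconds later in South Africa (the text's scenario)."""
    monitor = FingerprintMonitor(window_seconds=60)
    first = monitor.observe(SAMPLE_DEVICE, 1_700_000_000, "GB", "user_a")
    second = monitor.observe(SAMPLE_DEVICE, 1_700_000_012, "ZA", "user_b")
    return first, second
```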
3. Reverse Email Lookup
At the manual review stage, risk analysts, working either on-site for the neo bank or for an anti-fraud company if the process is outsourced, take several steps to assess whether the flagged user is the person they claim to be. For neo banks and fintech startups, the scenarios where this might be needed are various, ranging from someone trying to sign up for a new account using stolen or synthetic credentials to suspicious transactions.
For example, thousands of very small sums paid within a couple of days could indicate money laundering.
One of the most effective tools for manual reviews is OSINT data, which is also used for pen testing, as we have seen. Specifically, analysts conduct reverse email lookups and/or mobile phone number lookups: starting with an email address or phone number, they use a tool to gather all available open and public data associated with that address or number. Many of the results will be associated with social media such as LinkedIn, Facebook and Twitter; some will relate to messaging apps, including WhatsApp and Viber, as well as specialised web-based services, such as Booking.com, Pandora and GitHub.
Further, the information gathered through reverse email lookups can include whether an email address has been found in any publicly known data leaks, or if a phone number is on any marketer opt-out lists.
The usefulness of having such data available cannot be overstated. When fabricating accounts, fraudsters will seldom take the time to set up an entire online presence for the fake person, and even if they do, it will be limited in scope.
Therefore, someone who has no accounts on social media or other known platforms, and whose email address is from a throwaway domain that is free to sign up for, is less likely to be trustworthy than someone who has and uses Twitter and whose email address was involved in a data breach five years ago (and is therefore at least five years old, rather than created a few days ago by a fraudster).
4. KYC and AML Processes That Prevent Churn
In almost every jurisdiction in the world, neo banks have to abide by strict anti-money-laundering (AML) legislation, follow guidelines relating to politically exposed persons (PEPs), and conduct at least some KYC checks at sign-up. Moreover, several countries also require customer due diligence (CDD) controls of both traditional banks and neo banks, for which customers may need to upload personal or identifying documents every few months or years.
We know very well, however, that users do not appreciate having to go through long, tedious processes to sign up for a service or to conduct their banking. This is where the aforementioned building blocks of mobile security for neo banks shine: they are either entirely frictionless or involve only the minimal friction required by law.
Reverse email lookup tools simply use the customer’s email address and phone number, details they would have provided anyway, rather than requiring elaborate documentation and additional identification. Therefore, the customer does not have to jump through hoops to open an account. Fingerprinting is equally frictionless because it is based on browser, device and cookie hashes that are generated and stored server-side, without any input from the user.
As for data enrichment, it enables the combination of all these data points into potent risk scoring, which informs the process that will be followed for each user: hard or soft KYC? Manual review or quick approval?
What exactly happens in each scenario is determined either by industry presets and known risk vectors or by custom risk scoring rules per neo bank, generated using machine learning from historical data. This way, a known and trusted user who accesses the system from their usual device will have a smooth experience. A new customer, on the other hand, who is signing up with an email address that has no identifiable online presence whatsoever and who is, for instance, using a proxy, will be flagged for rigorous vetting that will keep out any ambitious fraudsters.
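An added example, not the article's own code, of how the enrichment signals discussed in this article might be combined into a score that routes a user to quick approval, soft KYC, hard KYC or manual review, covering both the trusted-user and the proxy-plus-no-online-presence scenarios above. The field names, rule weights and thresholds are assumptions made for illustration, not any vendor's scheme.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EnrichedUser:
    """Signals the text describes, as produced by fingerprinting and lookups.
    Field names are this example's own, not any vendor's schema."""
    known_device: bool            # fingerprint hash already tied to this account
    uses_proxy: bool
    disposable_email_domain: bool
    oldest_breach_years: Optional[float]  # None: address never seen in a known leak
    social_profiles: int          # accounts found via reverse email/phone lookup


# Illustrative weights (assumed for this example); a real deployment would tune
# them on the neo bank's own historical fraud outcomes.
def risk_score(user: EnrichedUser):
    """Return (score, reasons). Positive rules add risk, negative ones subtract it,
    so an old, breached, socially present address lowers the score, as in the text."""
    rules = [
        ("proxy_or_vpn", user.uses_proxy, 30),
        ("disposable_email_domain", user.disposable_email_domain, 25),
        ("no_social_presence", user.social_profiles == 0, 20),
        ("email_never_in_breach", user.oldest_breach_years is None, 10),
        ("email_older_than_2y", (user.oldest_breach_years or 0) >= 2, -15),
        ("known_device", user.known_device, -30),
    ]
    reasons = [name for name, fired, _ in rules if fired]
    score = sum(weight for _, fired, weight in rules if fired)
    return max(score, 0), reasons


def route(score: int) -> str:
    """Map the score to the outcomes the text lists: quick approval, soft KYC,
    hard KYC, or manual review (thresholds are assumptions of this example)."""
    if score < 20:
        return "approve"
    if score < 45:
        return "soft_kyc"
    if score < 70:
        return "hard_kyc"
    return "manual_review"


def demo():
    trusted = EnrichedUser(True, False, False, 5.0, 3)   # usual device, long history
    suspect = EnrichedUser(False, True, True, None, 0)   # proxy, throwaway, no presence
    return route(risk_score(trusted)[0]), route(risk_score(suspect)[0])
```

The reasons list is what a risk analyst would see alongside the score at manual review, so the decision stays explainable rather than a bare number.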
What is impressive about the new generation of anti-fraud tools and risk management is that they prove the dichotomy between mitigating risk and optimizing the customer experience to be false. There is no need to balance the two, because an advanced, 360-degree anti-fraud solution can do both, leveraging the latest technology to enable neo banks to keep customers happy and safe whilst providing them with innovative banking products.