Identity Safety: How do Banks Rate? - James Van Dyke, Javelin Strategy & Research
Javelin Strategy & Research has just released a new Banking Identity Safety Scorecard that ranks the major institutions. In an exclusive interview about the report, James Van Dyke discusses:
Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.
TOM FIELD: What is the banking identity safety scorecard and what does it mean to you and your institution? Hi, I'm Tom Field, Editorial Director with Information Security Media Group. I am talking today with James Van Dyke, Founder and President of Javelin Strategy and Research, about the banking identity safety scorecard. Jim, thanks so much for joining me.
VAN DYKE: Tom, thanks for having me.
FIELD: Just to get us started here, why don't you tell us a bit about this scorecard, how you developed it, what it measures and really how the scores are calculated?
VAN DYKE: Certainly. Glad to. You know, the scorecard is something that has evolved quite a bit, and it will continue to evolve because criminals evolve their methods in this very confusing crime known as identity fraud, or what some people call identity theft. It is in its fifth year, and it is now up to 50 individual criteria, which we measure the top 25 banks and the credit unions that represent 50 percent of all consumer deposit relationships, and then we do this for credit card issuers in the spring of each year. We are just now releasing the banking scorecard, which of course was in the fall of this year.
What is very interesting about identity crimes, because they involve impersonation of the customer, so there are three main reasons, just for quick background, to understand why we chose the methodology we chose of looking at so many customer facing areas. It is a very deliberate reason, and when you look at the four main reasons that criminals do what they do when the target the financial institutions it's either, generally speaking, terrorism, cracking, which means just for fun or enjoyment, insider crimes, which are embezzlements and so forth, possibly extortion, or identity crimes.
Now identity crimes totaled $48 billion dollars last year by our measure, and if you look at the cost to industry, it is so much larger than that because that doesn't include all the mitigation efforts and certainly the relationship efforts. I mean, certainly the cost to merchants alone was $100 billion in the U.S., which surprised us in its enormity.
So this last area of identity crime, this is the main money-maker for criminals at this point in time, and it is absolutely the most misunderstood area that we research because some customer spends all their time and efforts building up a great reputation so that they have access to credit, they can keep their funds with you, the depository institution or the credit card issuer, and the criminal comes along pretending to be somebody else. And the reason they do that rather than taking a direct line into the institution is they can get a lot more done; they can pull a lot more funds out of the business,' and that is why it is so hard on banks.
Therefore, that is why we came up with this scorecard to measure how well institutions are working with the customer, the person who is being impersonated, and what we frankly found is that institutions tend to work in isolation because it is so hard to engage the customer. I would say there is an incentives problem where institutions aren't really structured well because they are not necessarily measuring how well the stickiness of the real customers relationship and how products that are launched under the banner of security, how well those help hang onto the customer and even encourage more cross-selling and acquisition of new customers along with obviously the reduction in losses. So that was a whole mouthful, so let me get into a couple of things about it.
Customers primarily choose financial institutions based on perceived security; period, end of story. It's like Maslow's Hierarchy of Needs, until you feel safe, nothing else matters. And they are willing to be deputized. There are the urban legends that go around like, people saying that zero liability policies lessen people's motivation to protect themselves...there isn't a shred of evidence for that.
People not only choose an institution based on safety, they want to get involved. They don't just want to be reassured that they are okay, and this scorecard has 50 criteria -- they evolve every year in the way that we build the criteria. We are looking at crime trends because we have the biggest victim study that's around. We also look at what seven years of consumer data says and what are people willing to do and what kinds of protections are they actually seeking. What makes them feel most secure. Now, hopefully the things that make the customer feel most secure are the things that actually do make them most secure, but you actually have to consider both separately because sometimes perception and reality don't come together.
Lastly, we use web review methods and mystery shopping methods, and we score the typical financial institution, the average financial institution I should say, seven times because we want to make sure we get accurate information when we report on how well one institution stacks up against another.
FIELD: So, Jim, give us an overview of this year's results, and now that it is in the fifth year, how these rankings evolved and really what do they tell us?
VAN DYKE: You know, they have evolved a lot. This year I was very surprised by the results. I'll start off where I wasn't surprised and then end of with the areas of greatest surprise. Resolution within our trademark model, prevention, detection resolution, that is stopping the crime, spotting it earlier and then making people whole once they have been victimized of a new or an existing account fraud case. The resolution keeps getting better every year, and it has always been the area in which banks are strongest; that is what we see. So it's kind of like if you think of disasters like Katrina, you know the first thing that you have to do is pick up the victims on the proverbial rooftops and assure them that they are going to be okay and that they will survive to see another day. It is the same with identity crimes, and therefore banks do the most--score the highest in resolution crime.
Detection we saw almost no change in results. The average bank went from 50 to 56 percent of our scored areas, so just a slight increase, and that is really where the most help is needed. Banks need to work with customers to detect crimes earlier, identity crimes, crimes committed in their name, and particularly with fast-evolving mobile technology and some core providers even providing real-time data, the technology is there we are just not using it. The area that was wonderful news, completely unexpected by our researchers on this project, was in identity fraud prevention. Those capabilities which stop crimes from occurring in the first place -- we were just bowled over by seeing the average bank move from 52 percent to 79 percent of all the areas that we scored.
FIELD: So Jim, give us a preview; who scores highest in this year's scorecard?
VAN DYKE: Well, overall Bank of America yet again just swept the results. Bank of America has held that top spot, but it is very interesting -- it's not like they are even 10 percent ahead of the next highest-ranked provider, so Bank of America has scored the highest in our scorecards on both issuing and depository, but they just have a couple of points that they are eeking out a win of the others, so it is very, very competitive. Surprisingly, the next highest rated provider overall was not one of the largest banks, it was Regions. So we actually--that told us that you can't necessarily buy your way through like this arms race of security spending into the top rings. It is also about innovation and ingenuity. There were some others that were right up there, just a little bit behind the top scores, literally just separated by a few points, less than a handful. Wells Fargo, PNC and Citibank, followed by US Bank, were right up near the top.
FIELD: Jim, what do these rankings really mean to the institutions, but more importantly to their customers?
VAN DYKE: You know, what institutions need to do, and they really have my empathy here, it's tough because these criminals are changing what they do in these crimes of impersonation where they are sowing confusion. They are attacking institutions. The institutions try to come up with effective security spending policy across all the silos. Institutions, number one, need to measure security as a total area across all lines of business, of course, with a central data protection and fraud prevention group that engages the latest technologies, especially those that are quite literally in the customer's hand. And the device to be looking at for that, by the way, is the iPhone on a couple of accounts.
One, people are mistakenly looking at smart phones as the phones of the future; focus on smart phones. There are so many metrics I could give on that, but if you look at that, the profile you will get of the end users, the end users of tomorrow, it was very different from a typical smart phone user. For example, mobile banking usage among iPhone users is at 53 percent; for smart phone users, it is in the mid 30's.
So these are just worlds apart, and some of the technologies that we need to be using around mobile are certainly real-time alerts and SMS with browser, and how they all work together. In the mobile device, absolutely it is something that we need to be worried about from a standpoint of new security threats, but it has more advantages than any other security channel at how we can roll back the total cost of fraudulent activities because of its powerful detection capabilities and its ability to be the single authentication device that authenticates all other channels. So if the security people aren't as focused on the advantages as they are about the downside, they are missing some opportunity, and it is also the opportunity to tap into the real-time core, real-time reporting capabilities of both transaction processing systems and, eventually, core processing capabilities as some of the banking technology providers are offering.
FIELD: Now you mentioned a lot of the larger banks a few minutes ago; Citi, Wells Fargo, Bank of America. What do you find to be the state of identity safety at community institutions?
VAN DYKE: You know, it's a really good question. It certainly is very much a mixed bag, and this is where what we call today cloud computing, what we used to call ASP computing or any number of labels, but providing hosted services or vendor backed services can allow any community bank that has the right technology provider and the right set of technology solutions, with smart spending, smart and aware spending, to be as effective as a large bank. They may not have a staff in-house that can interact on a daily basis with all the leaders in this entire space, but they are more reliant on vendors, and if they make sure they are using the right vendor solutions, they can be just as effective. But it will be a mixed bag where you are going to get some people that are great at the smaller bank level, or credit union level, and you will get others that are going to be sorely exposed and need to be worried.
FIELD: Well, Jim, your eyes are probably rolling just having looked at this year's results, but I have to ask you: As you look them over, what do you find to be the biggest lessons learned?
VAN DYKE: You know, there are some great new technologies rolling out; that is one. And vendors are doing a great job making them available, and I don't envy banks and having to sort through them. And I just got off two calls a little earlier this morning with bankers and vendors trying to make some of these decisions. So, the complexityï¿½a lesson we are learning is that bankers need a systematic way of prioritizing their technology investments, and I could give you an hour long answer on that (and I promise I won't), but the short answer is with new security threats coming along minute by minute, you need to ask yourself, as a banker, 'Do I have a prioritized way that causes me to not be over-reactive or under reactive to the latest threat where I can actually assign a weighted value to the solutions that a vendor is pitching at me and a call that I am going to get from somebody in my team that says we have got to lock everything down because some new threat or somebody is inside of our system?'
FIELD: Well, given what you have learned then about the bankers, about the fraudsters, about the threats, what trends are you going to be tracking as we go into 2010?
VAN DYKE: Well, we are adding more backend capabilities. We have added a lot to those we measured in our scorecard already, among the 50 individual criteria that are based on the evolving criminal trends. You are going to see even more backend capabilities of measure in next year's scorecard that we are already working on the one for 2010.
But among those that we are already seeing, among the 50 criteria, we have the big opportunity right now on top of banks' great accomplishments that they did in prevention, in our current scorecard it is all laid out there inside of it, is the big opportunity to tap into literally the palm of all of the people that are walking in the streets that are willing and able to get in the game of helping their bank protect a common enemy, which is the criminal, if the banks will just let them in the game. And the way to do that is to use the mobile device and see it as as much of an opportunity as it is a threat and start notifying people real-time.
And I will tell you the payoff for this is not just to reduce losses, it is so much, so much bigger than that. It is all about actually getting more transactions, more new customers, and hanging on to more of the customers you have. So we need to have holistic ways of measuring the ROI of security, and as we do that I believe security specialists will find more funding for their projects.
FIELD: So, really it is a matter, as you said earlier, of deputizing the customers and when you do that you get greater loyalty from them.
VAN DYKE: You really do. And you stop the criminals more effectively, you engage the customer, and you can do it. It sounds complicated, but there is a lot of research data to help prioritize that and so actually there are a few very clear paths that will provide profitability on a near term basis.
FIELD: Jim, if you can, let people know where they can find out more information about this scorecard. And at the same time, if you could boil it down, what would you say is the single biggest message about this scorecard to the banking institutions whose leaders will be listening to this?
VAN DYKE: You know, thanks for asking. Our website is www.javelinstrategy.com, so if you go to the website and you click on the reports tab or the research tab and right away you will be taken to our most recent research reports, the banking safety scorecard is listed right there. We just released it, and people can purchase a copy there.
The single biggest message is, since we are focused on crimes of impersonation, bankers and technology vendors work with the person who is being impersonated. You get a double payback of not only reducing more of the losses, but you get to increase the total volume of legitimate transactions. So you get a double profitability improvement when you do that, and the stuff works; the method works in keeping customers for life and stopping more of the bad people. And the real opportunity around there is to look at what is going on with the iPhone and look at the way internet radio works and let people have as much control of their transactions as they do in the music industry today. It sounds like a small example, but it is actually the big trend of the future.
FIELD: Jim, as always I appreciate your time and your foresight.
VAN DYKE: Thank you, Tom. Great to be talking with you again.
FIELD: We have been talking about the banking identity safety scorecard and we have been talking with James Van Dyke of Javelin Strategy and Research. For Information Security Media Group, I'm Tom Field. Thank you very much.