In financial services, in the eternal war to keep customers (and themselves) safe from online fraudsters, banks may lift a mantra from the real estate sector:
It’s all about location, location, location.
Geolocation services are proving to be a powerful weapon against phishing attempts, account takeovers and other schemes.
And increasingly, those services are being leveraged in verticals such as online sports betting, where location must be verified at the time of the wager (to make sure the activity is in a legally permissible area) to help banks comply with international Know Your Customers (KYC) rules.
But as GeoGuard CEO David Briggs and People’s United Bank VP of Financial Crimes and Fraud Intelligence Karen Boyer told Karen Webster, realizing the full benefits of using geolocation will take a bit of education – for consumers, yes, but also for banks.
Not all data are created equal, of course. In the age of increasingly sophisticated scams, geodata no longer can be limited, simply, to internet protocol (IP) addresses. Those IP addresses used to be the gold standard of determining a device’s location, but in the age of the remote workforce and virtual private networks (VPNs), fraudsters can co-opt and spoof IP data. That means financial institutions (FIs) that rely on IP-sourced location information for users and companies to give the “go ahead” for fund flows could actually help send money right into bad actors’ coffers.
The better way to guard against illicit activity, they said, is to leverage geodata from apps that enable banks to determine the location of devices right at the time of the transaction (think: Google Maps, or a favorite ride-hailing app). They can put additional safeguards in place – such as stepped-up authentication protocols – that help cement trust between end corporate or consumer users and their chosen FIs.
Only about a third of banks’ apps ask for robust location data, said Briggs. But moving ahead, traditional FIs will have to adapt to, and adopt, geolocation data usage in order to “connect” the right “data dots” and deliver a safe, seamless customer experience.
The challenges that lie ahead can be captured in recent PYMNTS research, which shows that consumers are more willing to share their location data with food ordering apps than with their own mobile banking apps.
At the same time, said the panelists, the banks themselves are lagging a bit in technology, where the IP address detection methods dating back a couple of decades are not enough to defend against fraudsters’ new attack vectors.
As Boyer noted of those IP-centric defenses, “it’s mostly what banks have now. And it worked relatively well through the 1990s and even early 2000s. You could successfully find a fraud track, those subnets, track the IPS and then subsequently find other customers who were being accessed with those same IPs – and hopefully identify fraud before it occurs.”
But with the advent of virtual private networks and all manner of advanced technologies (and mobile devices, of course), those methodologies are not enough. As Briggs said, there’s also been a general desensitization toward breaches themselves – a new one hits the headlines seemingly every day – and banks (and customers) have come to consider fraud potential as part of the everyday risk of doing business.
In reality, said Boyer, there are strides that could significantly mitigate that risk and fraud. With a nod toward GeoGuard’s own offerings, Briggs noted that upon the buildout of the firm’s geolocation compliance system, the goal had not been, explicitly, to craft a geolocation anti-fraud system.
“It came as a surprise to us when some of our customers explained that when they used us in the territories where geolocation compliance product was necessary – New Jersey or Pennsylvania, compared to European markets or Canada, where it wasn’t required at all – the fraud rate went from about 3 percent of purchases to 0.2 percent,” he said.
That improvement came as fraudsters were shifting their efforts from masquerading that they were in lower-risk territories. Being asked for geolocation data effectively scared them off. Call it an accidental byproduct, said Briggs, but it was an important and beneficial one.
Sifting Through Complexity
But in the bid to bring geolocation services to greater prominence in financial services, said Boyer, complexity reigns – chiefly over the data that are most valuable, who owns the data and how that data are being used.
“Customers – and some banks – don’t realize where their actual data lies, and it’s not as easy as flicking a switch and saying ‘okay, now we’re going to track geolocations,” said Boyer. Banks must determine who is collecting that geodata – whether it’s the bank itself or core providers – and whether it must be done state by state. The complexity is heightened as individual states are rolling out their own individual privacy initiatives or are mandating opt-ins.
As Boyer posed to Webster: What if somebody declines tracking?
“Do we have to track that, or treat that lag differently than if they agree to [geolocation tracking]? Should it be considered more suspicious? Do we assume that only fraudsters will do that? Obviously not, as there are a lot of customers out there who will automatically decline [geolocation services] if that’s prompted,” she explained.
Against that backdrop, partnership models, coalitions and careful marketing efforts can ensure that banks’ returns on geolocation efforts and marketing outreach are efficient ones. Banks large and small will have to embrace those efforts, noted Boyer – even if it’s an incremental embrace over the next three to five years – because no single institution wants to be the last one to embrace geolocation, and thus be perceived as the weakest player in the financial services ecosystem.
What The Customers Want
As always, of course, the customer’s perspective and desire matter – and may prove to be a tailwind to a larger deployment of geolocation. It’s a truism that nothing motivates a business to take an action more than what a customer says they will or won’t do if a new service is made available.
PYMNTS has found that 55 percent of millennials say they would switch to an FI that uses geodata to enhance the security of users’ accounts. That number is even higher for those individuals who earn higher wages – and taken together, higher earners and younger demographics are the sweet spot of banks’ customer bases.
In part, explained Briggs, that’s because younger users – conditioned by Venmo, Revolut and any number of digital-first offerings – have been more open to data sharing. Geolocation services power everything from ride-hailing to finding the nearest coffee shop.
“It’s how they find where they’re going. It’s how they tell the parents where they are,” he said of these consumers.
The Disconnect
Yet there’s a disconnect when it comes to geolocation, maintained Briggs. Many individuals just assume the services are part of digital banking, but that’s not the case. Crypto exchanges have increasingly been duped by fraudsters funneling cryptocurrencies, lured by a false sense of security that the trading is coming from legitimate users who are transacting where they say they are.
“I don’t think any bank or payment service provider that is offering an app or a digital service can legitimately claim to a regulator or even some consumer affairs group that there’s all this fraud going on and they’re not stopping it,” Briggs said. “The downside risk is that there’s no real defensibility to any bank’s position that they are doing all they could to confirm their customer’s location.”
The Framework And The Friction
Bit by bit, then, we may see the emergence of a technical framework, tied to KYC and anti-money laundering (AML) compliance. As Briggs cautioned, there may not be an industry-wide standard put in place to direct FIs to the appropriate geolocation strategy. He said standards already exist when it comes to geolocation – chiefly through the IP address itself.
Briggs stated that in the continued debate over tracking, there must be education at the regulator level. Banks face a challenge when, say, a user logs in sporadically, and where users’ locations can be varied (if they travel for business or pleasure, for example).
“I am advocating that the bank should take in the data that’s available for them to make good decisions,” Briggs told Webster. Making the point that the bank won’t track users every time they take their cards and tap and spend can go a long way toward easing concerns over geolocation. Alerting a customer that transactions are being attempted from, say, Los Angeles, California and Austin, Texas within a few seconds of one another, and gaining consent or decline, can help stamp out fraud and cement clients’ relationships with their FIs.
After all, “you’re not tracking for the sake of tracking your customers,” added Boyer. “You’re using that data to figure out who’s the customer – and who’s pretending to be the customer.”
There will be additional tailwinds underpinning geolocation use, as cloud-native and digital-first service providers gain market share at the expense of traditional FIs, with the right mix of geolocation used in the service of product development and anti-fraud initiatives.
“If you’re putting your product roadmap together at any of these big five or big seven banks, if you’re not getting asked at the board level how you’re making the most out of geolocation data, then you might get asked, ‘where do you have an ATM or branch finder tool?’” noted Boyer.
At a high level, Boyer and Briggs told Webster, geolocation can be leveraged to eliminate friction. After all, it’s a pain point to have to inform your bank every time you travel to avoid card declines.
But even if the technological tools are there, the balancing act between friction and security must be top of mind for FIs – especially when it comes to older customers.
As Boyer noted, banks don’t want to scare customers away by asking for their locations, in an age where scams are widespread. Older customers are also among banks’ wealthiest clients, and thus are conditioned to not give out too much of their private information. All too often, the perception is that the FI is following their every move.
Here, outreach is key. Boyer noted that if banks can illustrate to customers how often fraudsters might have hypothetically tried to log into a customer’s profile from Nigeria, while trying to look like they were in a legitimate customer’s living room, for example, acceptance might be easier.
The FI’s goal, she said, “can be easily communicated. It is to protect the consumer. And it has to come with guardrails that state ‘no, we’re not tracking your every move.’” Banks can benefit from explaining to their clients that, with many mobile apps, settings can dictate that location is tracked only when that app is being used. It’s also critical to educate them that card controls can help insulate them from hacks and fraud, Boyer said.
“There are ways to make consumers comfortable,” she said. “They obviously trust their banks with their money, and they expect them to keep their money safe. If a consumer can contribute and be part of that, why wouldn’t they – if presented with the right way to do so – want to participate?”