Defeating identity fraud in Hong Kong banks
By Lawrence Tsong
Identity (ID) theft and fraud are on the rise in Hong Kong. The recent news, reported by a local newspaper, about the gentleman whose identity had been stolen to apply for a loan of HK$300,000 from a major local bank has brought the issue to the forefront.
The incident serves to highlight that banks are underestimating the seriousness of the issue. What's worrying everyone about this particular incident is the fact that the bank had not been negligent in any way – the application had been made in person, and staff had carefully checked the authentication records as per normal procedures.
Banks have to think innovatively to beat ID theft for a number of reasons.
First, the increasing competition among banks, particularly for the personal loan business, means that, to attract customers, banks are vying with each other to offer convenience and efficient processing – via online application, for example.
Consumers, while taking to e-banking and e-commerce enthusiastically, are extremely concerned about ID theft, and banks are also concerned about losses resulting from ID fraud.
The Hong Kong police chief said earlier that cybercrimes are the hardest cases to detect and the toughest to crack, as figures showed technology crimes surged by 70 percent last year despite the overall crime figure dropping to a 10-year low.
In a recent survey, 68% of Hong Kongers said they were 'worried' or 'very worried' about identity theft. However, they have no idea how to protect themselves and the onus is on the banks to exercise due care to protect them.
Know-your-customer (KYC) guidelines, under which banks can be prosecuted for providing banking services to customers with links to banned or illegal organisations, for example, are getting stricter across the world to prevent ID theft, money laundering, and financial fraud.
Many of the world's leading banks, from the UK to India and Indonesia, have faced fines and penalties to the tune of millions of dollars. It is only a matter of time before Hong Kong's banks come under the regulatory spotlight for not knowing who exactly their customers are.
The Hong Kong Monetary Authority has also published increased customer due diligence requirements for non-face-to-face channels.
Dual authentication, or two-factor authentication, which pairs a username/password with a physical device such as a security token, is widely used in Hong Kong. While this approach can be effective, it causes problems if the security token is lost or forgotten.
The problem is worse if the customer is overseas: often, the customer cannot use any e-banking services, might miss a payment, or be unable to apply for that crucial loan. We all can recall the case of the customer of a major bank in Hong Kong who had to fly 16,000 kilometres from his native Australia to Hong Kong to access his own account due to a breakdown in communication with the bank over his signature!
The above case clearly shows that banks and financial institutions face the challenge of balancing security and convenience. While physical security tokens are sound, customer convenience is sacrificed.
Therefore, many financial institutions and banks around the world are beginning to adopt new, more advanced authentication technologies that help rebalance that dynamic. Examples of these new technologies include biometrics and electronic identity management.
In the UK, business customers of Barclays bank are being provided with finger vein recognition devices that scan the pattern of veins inside their index finger. While the security of this approach is promising, it is expensive for the bank and does not cater well to the needs of the business customer, as only one user can be authenticated, creating a bottleneck in a busy finance department where several individuals might need to conduct banking transactions.
In some countries, such as the US, Canada, South Africa, India, and China, banks are trialling new electronic identity authentication technology for e-banking transactions. This takes the form of a dynamic "Q&A" session, where the system poses certain questions to the customer, for which the answers would only be known to him or her.
These questions are mostly related to the individual's financials and the information is typically stored in the bank's internal database or a third-party private credit bureau. The authentication system verifies the customer's responses to these questions against the information stored in the database or credit bureau.
This approach is promising as it provides a more robust authentication process without compromising on convenience. No additional devices, scanners, or documentation. Everything is done online or via phone banking within minutes.
Physical tokens and biometrics such as Touch ID for iPhone 6 work well only if you have the device with you. This 'knowledge-based' authentication approach is increasingly being adopted by banks in the US, Europe, and some Asian markets since it works on all platforms and does not require any expensive "upgrades".
Eliminating the need for physical security devices makes the whole process customer-friendly while adding an extra layer of security. All this simply adds up to better customer service, which is important in today's competitive marketplace.
Electronic ID authentication is new to Hong Kong but is slowly seeing adoption by banks. Whatever solution is adopted needs to be intuitive and simple for today's e-commerce savvy customer to use while providing a robust and effective layer of security.
It is dangerous and foolhardy to underestimate the threat posed by ID theft and fraud to the e-banking world. As one of the world's leading financial centres, Hong Kong needs to set an example to the region through its modern approach to addressing the problem. And in this battle, technology plays a key role.