"Omni-channel banking" is an in-vogue term for what bankers have known for quite some time: customers can access multiple channels to conduct their banking, have a preference for one over the others, and that preference to a large degree reflects their ages. Despite their primary preference, these consumers are likely to use multiple delivery channels, and when they do, they want a seamless experience when moving from one to another. The banking industry has struggled to successfully implement such an experience. Achieving this seamlessness is difficult because the industry has historically had a vertical organizational structure, in which each distribution channel has its own strategic plan and sometimes even an independent technology, which leads to differences among the channels. For example, if a customer were to check his or her account balance from an ATM or automated call center, the balance can be different from the balance they would get from a teller inside a branch.
Unfortunately, criminals have also adopted omni-channel usage, and at an even faster pace—they are not concerned with having a transparent or seamless experience. In fact, they seem to be more successful when there are disparate systems because that makes the detection of fraudulent activity more difficult. For example, we have seen criminal attacks move from in-branch armed robberies to ATM cash-out cyberheists. Why risk a physical confrontation and mandatory jail sentence when you can work anonymously and actually get a greater haul? We are also aware of cross-channel fraud activity within the electronic channels. In one case, e-mail phishing attacks led to a customer unwittingly disclosing online banking credentials (user ID and password) and then fraudulent payments or wires being initiated through the online channel. In a recent post, we talked about how criminals often target call centers. They use social engineering techniques to gain sufficient account information to fraudulently access accounts through a variety of channels.
A lesson from these incidents is that financial institutions must take a holistic view of fraudulent activity and not just a channel-specific view. For major losses, they have to perform forensics to determine the channel where the fraudulent effort began not just the channel where the actual fraudulent transaction occurred. Only after such investigative work can the financial institution identify the weak points in its system and processes and take the necessary steps to fortify them to provide a higher level of protection against future attacks.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed