an article written by Michael Magrath, Director – Global Regulations & Standards at OneSpan, Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).
Branchless, online-only neo-banks (also known as challenger banks or digital-only banks) are prevalent across Europe, Latin America, and Asia, and are quickly gaining traction in the U.S.
Neo-banks typically offer customers greater convenience and superior online experiences. For example, customers opening an account with a neo-bank complete the process entirely online via a web browser or through the bank’s mobile app, with no requirement to sign paper forms or visit a bank branch. Since the pandemic, fewer people want to go into a branch to open a new account or conduct financial transactions, positioning neo-banks to capture consumers looking for a fully mobile experience.
Neo-banks need to keep growing to succeed. For many, growth is synonymous with geographical expansion. In this blog, we cover the most important regulations for digital-only neo-banks to consider if they want to grow rapidly and successfully.
All banks must onboard customers in compliance with relevant Know Your Customer (KYC) regulations. These regulations stipulate that banks must verify the identity of the person who is opening a new account, even if that user is remote and not physically present in a branch. Since neo-banks rely on mobile and online account opening, it is especially important to make sure that they conform to regulations covering digital identity verification.
In the U.S., the Economic Growth, Regulatory Relief, and Consumer Protection Act became law in May 2019. In section 213, the MOBILE Act (Making Online Banking Initiation Legal and Easy) enables financial institutions to digitally onboard new customers from a scan of the driver’s license or personal identification card. This mode of remote digital account opening reduces costs for banks and enhances the customer experience right from the start of the relationship, while complying with social distancing guidelines. The USA PATRIOT Act of 2001 mandates KYC for all U.S. banks. Included in this Act is the requirement for a Customer Identification Program (CIP), which mandates financial institutions to verify the identity of individuals prior to enabling them to conduct financial transactions.
In Canada, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) published a paper entitled Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation. It stipulates that when an individual is not physically present, financial institutions can use digital account opening and identity verification technology to enable that individual to open a bank account – provided the bank uses a solution that can assess the authenticity of the applicant’s ID document and verify that the individual attempting to open the account is the person on the ID document.
In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 mandates that financial institutions carry out strict customer identity verification measures. During the initial months of the COVID-19 pandemic, the UK’s Financial Conduct Authority (FCA) said it was “prepared to relax rules on financial services firms accepting customer phone photo ‘selfies’ to check their identity, as one of several measures to ease the burden during Coronavirus lockdown.”
In March 2020, the Financial Action Task Force (comprised of 39 countries representing most major financial centers across the globe) published further Digital Identity Guidance. Included in the guidance are details on the best way to apply customer due diligence to digital account opening processes using digital identity verification as part of customer onboarding. According to the FATF, “Reliable digital ID can make it easier, cheaper and more secure to identify individuals in the financial sector. It can also help with transaction monitoring requirements and minimize weaknesses in human control measures.” The FATF’s guidance is the blueprint digital banks should follow for “Non-Face-to-Face On-boarding”.
To meet these requirements, some banks have integrated automated ID document verification with facial comparison to digitally verify a prospective customer’s identity. This is where the customer would be asked to use their phone to scan their government-issued ID document (typically a driver’s license, passport, or ID card). The scan of the ID document is then analyzed using authenticity algorithms and machine learning to verify whether it is genuine.
Once the ID document is verified, the photo on the document is compared against the selfie photo using facial comparison technology. If a match is identified and both are determined to be genuine, then the applicant can move forward with the remote bank account opening process. Regulators define this as “Non-Face-to-Face On-boarding” and it offers a variety of benefits to the customer and the bank, including user convenience, operational cost reduction, and the ability to onboard customers in compliance with social distancing requirements.
Like traditional banks, neo-banks must integrate and maintain robust online anti-fraud and digital security systems. These include back-end security, the securing of front-end systems, as well as compliance and reporting.
Aside from regulatory requirements, neo-banks have another strong driver for securing their customers’ accounts – reputation management and consumer perception. While 90% of neo-bank customers in the U.S. and 88% in the UK say they are satisfied with their neo-bank experience, 61% of consumers say that they trust a traditional bank more with their money than a neo-bank, and 82% say that ensuring the security of transactions is a critical concern when choosing a bank. Unlike many traditional banks, neo-banks must earn the trust of consumers and rigorously protect their customers from all types of fraud – including mobile Trojans and attacks, phishing scams, and account takeover attempts.
Protecting customer accounts from fraud and unauthorized access is also a top concern for regulators. In the U.S., the State of New York’s regulator, the New York Department of Financial Services (NYDFS), imposes specific cybersecurity requirements. The requirements include, among others, requiring financial institutions to “use effective controls, which can include risk-based authentication or multi-factor authentication, in an effort to protect non-public information or information systems from unauthorized access.”
In the EU, the Payment Services Directive 2 (PSD2) mandates the use of Strong Customer Authentication to secure payments and transactions against fraud. PSD2 ensures that advanced authentication concepts, such as dynamic linking, device binding for mobile apps, mobile application shielding and transaction risk analysis become standard security tools in financial services. PSD2-like initiatives have extend beyond the block as Bahrain and Turkey have also embraced the E.U.’s approach.
While financial institutions are leveraging the security, redundancy, and financial benefits of cloud data storage, neo-banks should also take into account local cloud and data residency laws.
All banks, but especially branchless neo-banks, must implement robust security for the mobile channel, especially the mobile app itself. This is critical in the wake of the global pandemic, which has seen mobile threats surge for traditional banks, challenger banks and FinTechs. Just recently, the FBI warned consumers that an increase in mobile app-based banking Trojan activity was expected as a result of pandemic-driven increases in mobile banking activity.
For many neo-banks, the mobile app is the only customer touch point available. The mobile app is the channel in which the customer opens an account, accesses their money, carries out payments and transactions, solves support issues, and is informed of new products. With so much riding on the app, it needs to be excellent. It needs to deliver a flawless customer experience and it also needs to be secure. If the mobile app goes down due to an attack, the whole bank goes down. As well as denying customers access to their money, an app outage could seriously harm consumer trust. Negative headlines about challenger bank breaches can make persuading customers to trust neo-banks with their money even harder.
Furthermore, since mobile apps are downloaded to mobile devices which app developers at neo-banks have no control over, the security status of those devices can’t be trusted. Neo-banks must therefore take additional measures to ensure the security and integrity of the app.
It is imperative that financial institution do what it takes to arm themselves with the knowledge and the expertise to monitor and protect their channels and their customers’ data and transactions on a continuous basis, while delivering on customer experience at the same time.
To meet these requirements many banks rely on trusted, third-party solution providers to implement mobile app shielding for them. Application shielding protects a mobile banking app from the inside out. It allows the app to securely operate even in potentially hostile environments, such as jailbroken or rooted devices – and only deny service when absolutely necessary.
Given the well-publicized breaches over the past few years and the unauthorized selling and sharing of consumer data by data aggregators, neo-banks must protect their customers’ data from breaches and attacks. Beyond fines, data breaches and attacks can significantly damage consumer confidence in non-traditional banks. Privacy and data protection concerns can also stop consumers from switching to neo-banks.
At the end of July 2020, Mark Cuban-backed FinTech startup Dave reported a security incident resulting in the exposure of personally identifiable information of millions of their users. Although the FinTech released a statement that no fraudulent activity occurred, news of the breach and the need to notify 7.5 million customers and reset all customer passwords will surely impact consumer confidence.
Numerous data privacy and data protection laws and regulations have been enacted globally. These include:
European Union’s General Data Protection Regulation (GDPR)
U.S. California Consumer Privacy Act (CCPA)
Thailand’s Data Protection Act (compliance took effect May 27, 2020)
Brazil’s General Data Protection Law (enforcement begins August 1, 2021)
More such regulations are coming. Particularly so in the U.S., with other states rolling out CCPA-like legislation and the U.S. Congress having recently introduced federal legislation.
Over the past several years, many open bank initiatives have been implemented around the globe. Open banking enables third-party financial service providers (TPPs) to access customer data (with the customer’s consent) from banks or financial institutions through the use of application programming interfaces (APIs). Open banking aims to create better financial services options for consumers by allowing more players to enter the financial services market.
Neo-banks must comply with each regulator’s unique requirements and should be aware of both regulated and unregulated local open banking initiatives if they’re looking to move into a new jurisdiction. Neo-banks without the sizable compliance teams of larger banks should seek vendors and partners who can demonstrate deep subject matter knowledge in these fast-moving and varied initiatives.
While open banking has been well-defined and adopted in the EU (with financial institutions required to follow the regulations set out by PSD2), Asia Pacific, Hong Kong, Japan, Singapore and South Korea are also advancing their open banking initiatives. In Australia, the passage of the Consumer Data Right (CDR) in February 2020 served as the catalyst for open banking and on July 1, 2020 Australia’s “Big 4” banks were required to share “product reference data with accredited data recipients”.
In North America, Canada has been performing in-depth studies and renamed “open banking” to “Consumer Directed Finance”. Although the Government of Canada has yet to approve open banking, the studies are promising and consumer directed finance may be launched sooner than later.
The myriad of regulatory requirements can be overwhelming for any bank. This article is very high level in terms of the regulatory requirements faced by neo-banks and is not intended to be a road-map to compliance. However, it does highlight some of the nuances facing neo-banks globally.
Neo-banks looking to expand geographically face many challenges. They need to persuade cautious consumers that they can keep their money safe; they need to persuade regulators that they can operate safely and compliantly; and they need to secure their valuable mobile app against attacks and rising instances of fraud. They need to do all of this in a way that does not impact or lessen the superior online and in-app experience they offer their customers.
To do this, neo-banks should seek technologies that can help detect and stop fraud and attacks, without impacting the way a typical customer interacts with their app on a day-to-day basis. Technologies such as behavioral biometrics, digital identity verification and machine-learning based risk analytics can all help to achieve this balance. Importantly, they should also seek technologies that can assist them in addressing specific regulations, such as the requirements for Strong Customer Authentication and Digital Identities.
If they can do this, then the opportunities for growth and expansion are endless.
About the author
Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).
„Tendinţele pe care le-am remarcat înainte de începerea pandemiei s-au accelerat pe perioada stării de urgenţă. Am văzut acest lucru ca o oportunitate, un tipping point pentru bancă. Post-pandemie nu avem cum sa ne întoarcem la comportamentul financiar pe care îl aveam până în februarie a.c. Relaţia românilor cu online-ul s-a schimbat. In plus, cardul fizic se va dematerializa. Vom asista la o scădere a cererii pentru cardurile fizice, respectiv la o creştere a preferinţei pentru componenta digitală a acestora.”