How Risk-based Authentication Cuts Fraud Losses and Improves Customer Satisfaction

Tim Bedard

The fourth quarter is a time when many financial institutions are deep into strategic planning for the coming year. Whether you are on the business or security side of the house, it is the time to re-evaluate how to protect and simplify the customer experience with the right security technologies, increase customer loyalty, and reduce exposure to fraud and data breaches.

The risk of cyberattack on financial institutions cannot be overstated. In the past year, there have been more than one billion cyberattacks on financial institutions [1]. That is 300 times more than other industries such as retail, insurance, or healthcare. At an average cost of $18 million [2] for each successful attack, the cost of cybercrime includes:

  • Regulatory fines
  • Litigation
  • Additional cybersecurity technologies to be purchased and implemented following the breach
  • Response to negative media coverage
  • Identity theft protection and credit monitoring services to customers affected by the breach
  • Lost business due to reputational damage

In fact, in the first six months of 2019, 4.1 billion records were exposed in some 3,800 breaches, according to a study [3] published by Risk Based Security, a security research firm. According to Ponemon Institute’s consumer sentiment study [4], data breaches are in the top three incidents that affect brand reputation, along with poor customer service and environmental incidents.

Cybercriminals will continue to get more sophisticated in attacking their prime target: financial institutions. In this blog, we discuss risk-based authentication as an important element of your security strategy – and how it enables you to improve customer satisfaction, cut fraud losses, and better meet strict regulations.

Risk-based authentication is a fast and cost-efficient way to improve security. With so many financial transactions moving to digital channels, an increase in fraud and attacks is inevitable. And while new regulations guide FIs to better fight fraud by requiring new security technologies, they can also introduce more friction to customer transactions. This is one of the greatest challenges for FIs today: how do you drive down fraud and meet compliance requirements in a way that is easy and convenient for the customer?

The answer is risk-based authentication, also known as adaptive authentication or step-up authentication. Risk-based authentication is the process of applying the precise amount of security, at the right time, to each unique customer transaction based on the level of risk – no more, no less. It is the risk score that drives the level of security required (e.g., push notification, fingerprint, or facial recognition).

Risk-based authentication provides a wide range of benefits across your organization, including the winning conditions for growth, reduced fraud, and an optimal customer experience.

Risk-based Authentication Benefit #1: The Winning Conditions for Growth

As fraud increases, so does the need for stronger authentication and security. At the same time, however, the customer’s patience for additional security measures is dwindling. Add too many authentication layers, and users will get frustrated spending too much time trying to access their accounts.

Transacting with financial institutions has to be as easy as it is secure. It should be so easy and frictionless that customers don’t even think about the security. Studies show that consumers generally don’t think about security until it breaks. When that happens, people tend to blame the financial institution. Clearly, security has to be done well in order to create the best possible customer experiences, since this will drive growth through improved customer loyalty, retention, and use of bank services.

Risk-based authentication is key to unlocking growth for banks by improving the customer experience across all channels. This can be done with frictionless authentication, such as biometrics, facilitated by better fraud detection that leverages the combination of advanced machine learning and customized rule sets. As banks add new online services and new ways to serve a more mobile population, risk-based authentication can help keep pace with security and provide the least intrusive experience possible for customers.

Risk-based Authentication Benefit #2: More Robust Defense against Fraud

There is a clear need to continuously improve your overall security defenses as bad actors grow more adept at fraud and compromising systems. Static passwords are easily hacked and, as a result, they are a key cause of security breaches and account fraud. Part of the problem with passwords is that modern fraud methods are so sophisticated that a simple password has no hope of preventing them. These attacks can make use of a variety of malware tools to penetrate a network, establish themselves across various servers, and use tools such as Brutus, RainbowCrack, Wfuzz and others to compromise credentials, disable various protective measures, and hide from detection.

The best way to combat this is to couple risk-based authentication with a risk analytics engine to provide a more flexible, layered, risk-based approach to authentication. Good risk-based authentication platforms can examine a wide variety of inputs across all channels and make real-time decisions about the precise level of authentication security required for each unique transaction.

Risk-based authentication assembles a series of risk scores to evaluate each transaction. As the predictive models “learn” from more inputs, the risk score becomes more accurate. Over time, it will become a more reliable indicator of account compromise and emerging fraud patterns. Because the level of risk is based on the total contextual view, including user behavior, transaction data, and device data, that context is very difficult for an attacker to impersonate.
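The sketch below is an added example, not code from the original post or from any vendor product. It shows how device, behavior, and transaction signals can be combined into one score that selects the authentication step. It uses a simple additive rule score rather than a machine-learning model, and the weights, thresholds, field names, and the `block_for_review` outcome are assumptions.

```python
from dataclasses import dataclass

# Hypothetical weights and thresholds for illustration; a real engine would
# tune or learn them from labelled fraud data.
WEIGHTS = {"new_device": 35, "new_country": 25, "odd_hour": 10,
           "new_payee": 15, "amount_outlier": 30}
STEPS = [(20, "none"), (50, "push_notification"), (80, "fingerprint")]

@dataclass
class Profile:                      # what the engine knows about one customer
    devices: set
    countries: set
    payees: set
    active_hours: range
    typical_amount: float

def signals(txn: dict, p: Profile) -> dict:
    """Turn raw device, behavior and transaction data into boolean risk signals.
    A missing field counts as risky: absent data must never lower the score."""
    amount = txn.get("amount")
    return {
        "new_device": txn.get("device_id") not in p.devices,
        "new_country": txn.get("country") not in p.countries,
        "odd_hour": txn.get("hour") not in p.active_hours,
        "new_payee": txn.get("payee") not in p.payees,
        "amount_outlier": amount is None or amount > 5 * p.typical_amount,
    }

def risk_score(txn: dict, p: Profile) -> int:
    fired = signals(txn, p)
    return min(100, sum(w for name, w in WEIGHTS.items() if fired[name]))

def required_auth(score: int) -> str:
    """Pick the least intrusive step whose threshold still covers the score."""
    for upper, step in STEPS:
        if score < upper:
            return step
    return "block_for_review"       # assumed outcome above the last threshold

def decide(txn: dict, p: Profile) -> tuple:
    score = risk_score(txn, p)
    return score, required_auth(score)

# Constructed sample data (not real customer records).
ALICE = Profile({"dev-1"}, {"FR"}, {"landlord"}, range(7, 23), 120.0)
ROUTINE = {"device_id": "dev-1", "country": "FR", "hour": 9, "payee": "landlord", "amount": 110.0}
UNUSUAL = {"device_id": "dev-1", "country": "FR", "hour": 3, "payee": "acct-9", "amount": 90.0}
TAKEOVER = {"device_id": "dev-7", "country": "BR", "hour": 3, "payee": "acct-9", "amount": 4000.0}
NO_DATA = {"payee": "landlord", "amount": 110.0}   # device and location telemetry missing
```

The `NO_DATA` case is the one to watch in practice: a client that withholds device or location telemetry scores as high risk here, so stripping signals cannot be used to obtain the frictionless path.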

Risk-based Authentication Benefit #3: Achieve Regulatory Compliance

Banking regulations are constantly changing to help banks stay ahead of hackers. The security compliance requirements can be quite extensive and have sizeable penalties for non-compliance. To comply, your organization must be agile and ever vigilant, continuously refining your compliance strategies and implementing new technologies.

One specific regulatory requirement facing financial institutions today is PSD2 compliance – the regulation focused on payment services and payment service providers throughout Europe. PSD2 mandates monitoring of transactional risks, detection of known and emerging fraud methods, and strong customer authentication. It provides a framework that enforces different risk-based authentication methods, protects mobile applications, and performs transaction data signing (also known as dynamic linking).

Achieving compliance is one of the key benefits of a risk-based authentication solution. If a risk-based authentication solution uses a risk engine with machine learning to better detect fraud – and combines that with turnkey rule sets specifically designed to address compliance requirements quickly – financial institutions will see a significant time savings for testing and deployment.

Building Risk-based Authentication into Your Strategy

As you build out your 2020 strategy, look to new technologies and approaches that bring together all three strategic pillars: user experience, fraud prevention, and compliance. While financial institutions will face a growing list of cybersecurity threats in 2020, we see risk-based authentication that leverages machine learning technology as one of the solutions central to building digital trust and long-term customer loyalty.


[1] Forbes, “Laughing All The Way to the Bank: Cybercriminals Targeting U.S. Financial Institutions”, August 28, 2018
[2] Ibid.
[3] Risk Based Security, “2019 on track to being the ‘worst year on record’ for breach activity”, 2019
[4] Ponemon Institute, “The Aftermath of a Mega Data Breach: Consumer Sentiment”, April 2014



Tim is Director of Product Marketing at OneSpan and responsible for the company’s identity verification, e-signature, and secure agreement automation solutions. Tim has held leadership positions in product strategy, product management, and marketing at leading security organizations.