What is customer onboarding?
Customer onboarding is the process of enrolling a new customer when they open an account with a bank or other financial institution. It involves two key security steps as part of an onboarding checklist that protects the digital banking experience and helps prevent fraud:
1- Device registration
First, the customer’s laptops and phones must be registered with the bank to be recognized as secure and trusted devices every time they are used for online or mobile banking.
2- Customer authentication enrollment
Second, the bank must enroll customers for authentication. This can take many forms, such as biometrics, a PIN, or a hardware token. The customer will need to be set up for authentication so that they can authenticate each time they access their account as part of the user experience. Many banks also use authentication so that customers can authorize their financial transactions, such as funds transfers and payments.
Desktops have often been the starting point in user onboarding, but now some customers expect to do the entire process on their phone and to receive all onboarding tools and onboarding emails on their mobile device as part of the onboarding program. More banks, and especially digital challenger banks, offer consumers the ability to apply for a new account and get onboarded at the same time, directly through the mobile banking app. However, in a 2020 UK study analyzing the ease of opening new bank accounts, UX consultancy firm Built for Mars found that “not all of the banks let you actually open an account through their apps.” Some require a phone call before the customer journey begins, while others require one or more visits to the bank’s website before the account is activated.
How customer onboarding fits into the bank account application process
The bank account application process is the overall process for a new customer to open an account, step-by-step through a series of touchpoints. It starts with the applicant completing an application, having their identity verified, and being accepted as a new client by the bank. Customer onboarding happens either at the time of application or in a second step afterwards. In either scenario, it takes place before the new customer begins transacting on the account.
While this process varies by bank, it typically involves the client receiving a kickoff package, including a welcome email and welcome package in the mail, which is a resource or knowledge base for customers. The welcome letter includes information about the bank, their services, customer support, and the new account. A new customer could also receive in-app messages as part of the check-in process. The package is typically delivered with the new debit card or credit card, and in some cases, a hardware authenticator token for one-time passcodes. The process is designed to be smooth, to help keep the churn rate low because it can impact customer lifetime value.
Digital security technologies support customer onboarding
Several digital security technologies are used to make sure the new account opening and customer onboarding process are secure for the customer, their devices, and the financial institution. Here are some of the technologies that make that possible:
- Digital identity verification
During the account opening process, the new customer has to be identified. For financial institutions that offer remote bank account opening and customer onboarding, this involves digital identity verification technology. Digital identity verification is designed to detect fraudulent ID documents (e.g., passport, driver’s license) and prevent application fraud and identity fraud in real time.
- Fraud prevention system
As part of the customer onboarding strategy, the bank’s anti-fraud system will start gathering data about the customer’s device during the device registration process. A fraud prevention system such as OneSpan Risk Analytics gathers this data to determine, among other things, whether the phone has been previously used in a fraud attempt, and whether it is stolen or from a restricted country.
- Mobile app shielding
This is another digital security technology used during customer onboarding to make sure the bank’s mobile app is protected before the onboarding process starts. App shielding will detect mobile malware and mitigate other malicious attacks aimed at stealing a customer’s data or money through their apps. Among other things, it allows a mobile app to operate securely, even when there is a risk of malware if a phone is jailbroken or rooted.
- Authentication technologies
A combination of authentication technologies, such as mobile authenticators and biometrics, is also part of the step-by-step onboarding experience. Mobile authenticators and hardware tokens have to be issued to onboarded customers. And in order to use biometric authentication, customers first have to enroll their biometrics with the bank. Most banks offer biometric authentication, such as a fingerprint or facial scan, and some also rely on behavioral biometrics behind the scenes, including how the person holds their phone, swipes it, or how fast they type. Biometric authentication enhances customer satisfaction because it’s easy for the customer and adds another layer of protection against account takeover fraud, session hijacking, and other types of fraud attacks.
It’s important to note that fraud monitoring, mobile app shielding, and authentication are used not just in successful customer onboarding, but over the customer’s entire digital lifecycle with their bank.
Device registration during effective customer onboarding
After a customer’s identity has been verified by the bank, they need to register their desktop or their mobile device. To register their desktop, they go to the bank’s website and follow the sign-in procedures to create a secure link between their account and their desktop.
For a mobile device, the bank will ask the new user to download a mobile application from their mobile app store. This application is called a mobile authenticator and is used to respond to dynamic authentication requests. When financial institutions are using technology from OneSpan to secure this process, the customer will then be asked to use the mobile authenticator app to scan a color QR code (also known as a Cronto code) that is displayed in the browser of their desktop computer. This starts the registration process and establishes a secure channel for communication between the customer and the bank.
It is best practice for banks to use mobile app shielding at this stage. When it is embedded in the mobile authenticator application, app shielding scans the mobile device to ensure it is secure. The user is then asked to create a PIN code. The PIN will be used when the customer needs to authenticate on login to their account. Financial institutions can also configure this stage to require the new account owner to register a facial biometric or fingerprint biometric. At this point, the customer is registered and securely activated and can now access their account.
Authentication credential issuance
Banks can also issue the new customer hardware or software authentication credentials. A hardware device requires the customer to memorize and manually type in a 6-digit numeric code when authenticating. Software authentication gives the customer the advantage of not having to remember or key in a number because they can copy and paste from one app to the next.
Best practices for biometrics during customer onboarding
In addition to using a smartphone for banking, the mobile device can also be used as a means to authenticate the first-time customer. Due to the popularity of mobile banking, it is common for banks to offer biometric authentication, such as a facial or fingerprint scan (also commonly referred to on Apple devices as Face ID or Touch ID; for Android users, it’s Google Fingerprint and Face and Samsung Fingerprint and Face).
A challenging aspect of onboarding can be registering a customer’s biometrics because it doesn’t take place behind the scenes and is dependent on them taking the steps to register their own traits.
However, it can be done easily and quickly by a customer, adding to positive first impressions and customer engagement. Customer onboarding best practices include asking a customer to register more than one biometric trait. This ensures that the bank can step up security and apply additional authentication challenges if a transaction appears risky. In addition, a bank should not only ask a customer to register a fingerprint, but also a facial scan that includes different forms of “liveness” detection, such as getting them to smile, stop smiling, blink, close their eyes, or turn their head from side to side. Most biometric enrollments can be done so quickly that a customer can barely notice that liveness detection was done.
In addition, it’s important for banks to know that they are not limited by what biometrics are supported by the consumer’s device manufacturer. For example, OneSpan supports Apple TouchID or FaceID, and Google Fingerprint and Face, and Samsung Fingerprint and Face, in addition to offering its own facial biometric and voice biometric module.