Retail Payments Risk Forum

Portals and Rails

September 29, 2014

Let's Talk Token, Part II: Distinguishing Attributes

Several weeks ago, Portals and Rails embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. Since writing the first post, payment tokens have jumped front and center in the payments community when Apple introduced Apple Pay, which uses tokenization. Also, the Mobile Payments Industry Workgroup just released a detailed white paper recounting their recent meeting on the current tokenization landscape in the United States.

In today's installment, we look at some distinguishing attributes of the end-to-end token initiatives currently under way and consider their impact on mitigating risk in payments transactions.

  • Token format: Common ground exists in the payments industry in terms of the token format. The end-to-end token solution relies on the creation of a token, known as a device account number (DAN), to initiate a payment in place of the original primary account number (PAN). To mitigate operational risks and make use of existing messaging rules and applications associated with the payment transaction, it is imperative that the format of the DAN preserves the format structure of the PAN. This means that DAN generation should be as random as possible, even while preserving the original PAN format structures to maintain basic card or account validation rules associated with the PAN.

  • Token type: Payment tokens can be dynamic or static. Dynamic tokens are valid either for a single transaction or for a limited number of transactions occurring in a very short time. By the time a fraudster intercepts a dynamic token, it has likely already expired, so the fraudster can’t use it. However, there is a slight downside to dynamic tokens: they can work against loyalty programs as well as some back-end fraud detection systems. Because each transaction has a different DAN, merchants and processors cannot consolidate multiple transaction information for an individual cardholder.

    On the other hand, static tokens are multi-use, so they allow merchants to connect the token user with past transactions. But given their multi-use nature, they are not as secure as dynamic tokens. For additional security, each transaction with a static token can include an additional element: a uniquely generated cryptogram.

  • Device coverage: Tokens can be created and stored either on a secure element on a mobile phone or in a cloud. Much industry discussion focuses on which approach is more secure, but the approach also has an impact on device access to the token. Storing a token only on secure elements limits tokens to mobile phones, a situation that does not address the significant volume of card-not-present payments that consumers conduct on computers and other devices. Alternatively, storing a token in a cloud would allow any connected device (mobile, tablet, laptop, or computer) to access the token, so all e-commerce transactions would be covered.

  • Token service provider: A number of parties can play the critical provider role. The provider is ultimately responsible for generating and issuing the DAN, maintaining the DAN vault, and mapping the DAN to the PAN for presentment to the issuer that ultimately authorizes the transaction. A network, issuer, processor, or another third-party provider can perform this role. We can make a case for any of these parties to play the role, but the critical risk mitigation factor to note is that the merchant should never see the PAN, thereby preventing a breach of payment card data within their systems.
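The list above, worked through as a small token service provider sketch. This is an added example, not code from the post or from any card network: the `TOKEN_PREFIX` range, the HMAC-based cryptogram with a transaction counter, and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder: a number range assumed to be reserved for tokens,
# so a DAN can never collide with a real PAN.
TOKEN_PREFIX = "999999"


def luhn_valid(number: str) -> bool:
    """Basic card-number validation rule that a DAN must still satisfy."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_cryptogram(key: bytes, dan: str, counter: int, amount_cents: int) -> str:
    """Per-transaction value sent with a static DAN (illustrative HMAC scheme)."""
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServiceProvider:
    """Generates DANs, keeps the DAN vault, and maps a DAN back to its PAN."""

    def __init__(self):
        self._vault = {}  # dan -> {"pan", "key", "last_counter"}

    def provision(self, pan: str):
        """Issue a random DAN with the same length and check-digit rule as the PAN."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails basic validation")
        body_len = len(pan) - len(TOKEN_PREFIX) - 1
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(body_len))
            partial = TOKEN_PREFIX + body
            check = next(d for d in "0123456789" if luhn_valid(partial + d))
            dan = partial + check
            if dan not in self._vault and dan != pan:
                break
        key = secrets.token_bytes(32)  # shared only with the enrolled device
        self._vault[dan] = {"pan": pan, "key": key, "last_counter": 0}
        return dan, key

    def detokenize(self, dan: str, counter: int, amount_cents: int, cryptogram: str):
        """Return the PAN for presentment to the issuer, or None if the request is bad."""
        entry = self._vault.get(dan)
        if entry is None:
            return None
        expected = make_cryptogram(entry["key"], dan, counter, amount_cents)
        fresh = counter > entry["last_counter"]  # reject replayed counters
        if not fresh or not hmac.compare_digest(expected, cryptogram):
            return None
        entry["last_counter"] = counter
        return entry["pan"]


def demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # widely used test number, not a real account
    dan, key = tsp.provision(pan)
    c1 = make_cryptogram(key, dan, 1, 2599)
    first = tsp.detokenize(dan, 1, 2599, c1)    # legitimate purchase
    replay = tsp.detokenize(dan, 1, 2599, c1)   # intercepted and resent
    # Cryptogram was computed for 25.99 but the request claims a different amount.
    altered = tsp.detokenize(dan, 2, 999999, make_cryptogram(key, dan, 2, 2599))
    return pan, dan, first, replay, altered


if __name__ == "__main__":
    print(demo())
```

The merchant in this sketch only ever handles `dan` and the cryptogram; the PAN exists only inside the provider's vault and on the path to the issuer.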

To date, a standards body controlled by the largest global card networks and a company representing the largest global banks has driven most of the payment tokenization standardization efforts. Although these organizations have advocated for public discussions and input in an open environment, some critics argue that the management of standards development should be left to an open-standards body such as X9 or ISO. Tokenization efforts and standards will continue to evolve as tokenization may play a critical role in mitigating payment risk in the future. Still, security challenges will remain even with its adoption. In the next installment of this tokenization series, we will examine risks that a tokenized payments environment won't resolve, and risks that will be all new.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


September 29, 2014 in authentication, fraud, mobile payments | Permalink


August 11, 2014

Improving Mobile Security with Biometrics

During the last year, the release of two smartphones with fingerprint readers by two different manufacturers was met with a lot of excitement. People in the payments industry were keen on the ability of the new phones to better authenticate mobile payments. Fingerprints are one of several biometric methods used today to supplement passwords.

Biometrics refers to techniques that use measurable physical characteristics that lend themselves to automated checking techniques. In addition to fingerprints and vein recognition, biometrics can include voice, facial, and iris recognition, and even DNA matching, among others.

As the Federal Reserve's report Consumers and Mobile Financial Services 2014 noted, consumers' security concerns are a big barrier to the adoption of mobile banking. Mobile proponents believe this barrier can be reduced with the additional security features that mobile phones can provide, along with consumer education. There is no question that the mobile phone offers a number of ways to authenticate the user more positively, using both overt and covert methods. One well-known covert option is the smartphone's geolocation function, which allows verification that the phone is in the location it's supposed to be. Another covert method is "device fingerprinting," whereby a number of digital characteristics about the consumer's phone can be captured and used to verify that the phone being used is the one originally registered.

The most common overt biometric methods being tested today are fingerprint and facial recognition. While only a small number of mobile phones in use today in the United States have fingerprint readers, the vast majority have a camera that could support a facial recognition application. Both of these biometric methods are minimally invasive.

The key difference between biometric verification and user ID and password verification creates the greatest challenge for implementing biometrics authentication: with passwords, unless there is a 100 percent match between the data on file and the data the user enters in trying to gain access, the request is automatically rejected. It may be the legitimate user trying to gain access but maybe he or she forgot the password. Nevertheless, the system rules block access until the user's identity can be authenticated through some other means. On the other hand, the nature of biometrics is such that a 100 percent match between the stored template value and the live template value is rare—possibly because of differences in lighting conditions or angles when biometric measurements are made, or differences between readers, or some other reason. To deal with this gap, the manager of each application has to determine an acceptable accuracy level for both false-positives (whereby a party incorrectly matched is authorized) and false-negatives (whereby the authentic party is denied access). Naturally, false-positives pose the greater threat. False-negatives generally just involve some level of inconvenience until the individual can be authenticated and provided access.
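The threshold decision described above, as an added example that is not part of the original post: given similarity scores from genuine users and from impostors, it computes the false-positive and false-negative rates at a threshold and picks the lowest threshold that keeps false-positives within a chosen limit. The 0 to 100 score scale and both score lists are constructed sample data.

```python
# Constructed sample data: similarity scores (0-100) between a live template
# and the stored template, for legitimate users and for impostor attempts.
GENUINE = [91, 88, 95, 72, 84, 97, 79, 90, 86, 93]
IMPOSTOR = [35, 52, 61, 48, 74, 29, 66, 55, 81, 43]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) when scores at or
    above `threshold` are accepted as a match."""
    false_positives = sum(1 for s in impostor if s >= threshold)
    false_negatives = sum(1 for s in genuine if s < threshold)
    return false_positives / len(impostor), false_negatives / len(genuine)


def pick_threshold(max_false_positive_rate, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose false-positive rate is within the limit.

    Raising the threshold can only reject more legitimate users, so the
    lowest threshold that satisfies the limit is also the one that
    inconveniences the fewest of them.
    Returns (threshold, false_positive_rate, false_negative_rate) or None.
    """
    for threshold in range(0, 101):
        fpr, fnr = error_rates(threshold, genuine, impostor)
        if fpr <= max_false_positive_rate:
            return threshold, fpr, fnr
    return None


if __name__ == "__main__":
    # Password-style rule: only a perfect score is accepted.
    print("exact match only:", error_rates(100))
    # Application owner tolerates no false-positives in this sample.
    print("no false-positives:", pick_threshold(0.0))
    # Application owner tolerates 10 percent false-positives.
    print("up to 10% false-positives:", pick_threshold(0.1))
```

Requiring a perfect score rejects every legitimate user in this sample, which is why a biometric system cannot reuse the all-or-nothing rule that passwords rely on.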

No matter what biometric authentication methodology a system uses, the most important step is validating each customer's biometrics upon enrollment in the program. We will discuss this issue and other challenges for biometric programs in future issues of Portals and Rails.

 

By Dave Lott, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 11, 2014 in authentication, biometrics, innovation, mobile payments | Permalink


Comments

Dave,
PKI-based digital certificates can also be used to secure mobile devices and provide a far more reliable means of device ID than geolocation or device fingerprinting.

Posted by: Doug Parr | August 19, 2014 at 08:48 AM

When considering usability of biometric authentication on a mobile phone, there is no more "minimally invasive" method than voice biometrics. These devices are first and foremost voice-enabled.

Posted by: Brian Moore | August 12, 2014 at 01:00 PM


June 02, 2014

Mobile Payments Fatigue

When I was an elementary school-aged kid, I looked forward to coming home from school and grabbing an ice cold Coca-Cola and a snack before venturing out into the neighborhood to play. And while I can't remember the exact discussions I had with friends around the lunch table when I was that age, I do remember our anticipation of the launch of New Coke in 1985. And oh my, how much my friends and I were disappointed when our lips first met New Coke. My reaction, with most others, was that we wanted our "old" Coke back.

Fast forward nearly 30 years and now my lunch discussions often revolve around payments. Each day I am reminded of my New Coke experience via an e-mail or news article touting or predicting an explosion in mobile payments. I'll admit it—I'm getting mobile payments fatigue. The payments industry has been anticipating mobile payments for years now, yet I find the developments to date mostly disappointing. Sure, I've made plenty of payments using a mobile device to purchase digital goods or even to purchase physical goods in an online marketplace. But outside of a few experiences of purchasing coffee with a closed-loop solution, my mobile device stays in my pocket when I'm making a purchase at the point-of-sale (POS) as I take out my reliable cards or cash.

And that is where my New Coke analogy comes into play. To many people, nothing was wrong with Coca-Cola, yet the coolness of a new product created a great level of expectation—which turned to immense disappointment. At the POS, payments are relatively seamless, yet the newness of mobile payments creates great anticipation, only to end up being disappointing and leaving me thinking, "What's wrong with my current payment choices?"

So much attention on mobile is focused on replacing a current payment form at the POS—perhaps the most seamless piece of the commerce experience. Often in mobile payment discussions, I hear that mobile payments are a technology solution looking for a problem rather than trying to solve a problem. However, I think the industry is looking in the wrong place as the problem isn't with the payment. It's with the overall experience in and around the POS. I believe mobile devices have the ability to transform this experience, but it's not by replacing my cards or cash as a payment method. It's by replacing the entire commerce experience. Are you experiencing mobile payment fatigue? And if so, what will it take to energize you?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 2, 2014 in emerging payments, innovation, mobile payments | Permalink


May 12, 2014

The Art of Balancing Innovation and Regulation

Several factors have converged in recent years to add complexity to the regulatory oversight of retail payments. These elements include new regulation and oversight along with technology advances that have created new payment types. The challenge for regulators in an environment with an abundance of innovation is to align that innovation with appropriate regulation to ensure consumer protection, data security, and fraud mitigation, and to retain consumer confidence in payments.

The 2008 financial crisis led to an increased focus within the regulatory framework on retail payment risk factors. One new regulation was the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank). Dodd-Frank led to many changes—including the creation of a regulatory agency, the Consumer Financial Protection Bureau (CFPB), to focus exclusively on consumer protection. Since the CFPB was created, two of the payments types it has identified as deserving of its oversight are remittances and prepaid cards.

At the same time, evolving technology continues to change the nature of how consumers make payments—moving from the physical to the virtual—and has increased consumers' expectations for speed, control, information, and transparency. Options available for consumers to make payments and for businesses and financial institutions to participate in offering payment services have multiplied as Internet and mobile evolved, cloud-based solutions progressed, and virtual currencies expanded.

Technological advances have led to a retail payments system that is more transparent than ever before, in which all types of entities, from start-up companies to financial institutions, are able to innovate. Nonbank entities are flourishing in retail payments, challenging the historic role of financial institutions as primary payment participants by offering payments products and services in an ever-more complex payments landscape.

While some participants complain that there is too much regulation of payments practices, others call for more or different regulation when problems arise. Still others call for change because they believe the playing field is not level for all participants. Sometimes regulation can be a catalyst for innovation by legitimizing a payments practice after clarifying requirements for all participants. Whatever your perspective, it is a complex undertaking to attain the delicate balance between innovation and oversight.

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 12, 2014 in innovation, mobile payments, regulations, regulators | Permalink


April 22, 2014

My Bleeding Heart

Over the past week, there has been much discussion about the OpenSSL coding flaw, the Heartbleed bug. OpenSSL is a commonly used implementation of Secure Sockets Layer (SSL). A diverse array of devices use OpenSSL to secure Internet communications. Heartbleed could allow someone to monitor log-in transactions as well as to grab and extract confidential data from affected websites and from hardware such as servers, mobile phones, and laptops. Research indicates that as many as 20 percent of all Internet sites could have been affected by this bug, including many high-profile sites. Google confirmed that phones operating Android 4.1.1 were also vulnerable to the bug, and they will remain so until the user installs its recent patch.

If there is a silver lining from the Heartbleed bug news, perhaps it is that the largest financial institutions have indicated they are not vulnerable. Even so, many smaller and mid-size banks and credit unions could still be vulnerable. Thus, the Federal Financial Institutions Examination Council issued a release urging financial institutions to incorporate patches on systems, applications, and devices that use OpenSSL. But unfortunately, this silver lining from the large banks isn’t enough to stanch this payments risk expert’s bleeding heart.

So what's the reason for my distress if the largest banks don’t appear to be vulnerable? I do not think that I am alone in admitting that I have used my credit card credentials all over the Internet. While I can count the number of cards that I have in my wallet, I couldn't begin to tell anyone the number of websites where those card credentials have been used or stored over the last two years—which is when Heartbleed appeared. Sure, I have a few go-to sites for online shopping, as I suspect many do, but I have used my cards and created accounts on many sites that I rarely visit or maybe even just visited once for a specific purchase. Are some of these sites vulnerable to this bug? I have a sinking feeling that the answer probably is "yes." And if my log-in credentials were extracted from websites other than my financial institution, I'll sheepishly admit that may be bad news as I have not always followed the best practice of maintaining separate IDs and passwords for each site. Is it really feasible to do that for so many sites?

No doubt talk and discussions in the days ahead will revolve around whether or not OpenSSL is a secure implementation of the SSL and transport layer security protocols. However, I think the heart (ahem) of the discussion of the Heartbleed bug should revolve around the use of passwords and card credentials on the Internet. This bug potentially exposes the flaws of relying on user IDs and passwords and highlights the vulnerability of using sensitive card data in the online environment. These flaws are well-documented, and fortunately, solutions are being discussed to mitigate these risks. My bleeding heart anxiously awaits their implementation.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2014 in cybercrime, mobile payments | Permalink


March 17, 2014

The Challenge to Create an Awesome Mobile Payments Experience

Almost every year for the last decade, those who have followed the mobile payments industry have heard the expectant statement, "This is the year for mobile payments." This year is no exception. We see the stories about mass adoption of mobile payments in other parts of the world, so we wonder, why not here in the United States? A U.S.-centric mobile payments conference I attended recently had as a recurring theme the notion that mobile payments in the United States had not yet caught on because providers had not yet developed an overall package of elements that would create a compelling mobile experience for the user.

In 1998, former Intel chief executive officer Andy Grove coined the term "strategic inflection point" to describe a fundamental change in any business, technological or not. He said that for a change to achieve mass adoption by consumers, it had to be at least 10 times better than consumers' current experience—something Grove referred to as the "10X" factor. Achieving the 10X factor for mobile payments will likely involve lower costs, increased comfort with security and privacy, new functionality, enhanced user friendliness, increased convenience, or a "cool" factor, such as new technology often offers.

Conference panelists in general shared the view that the payment transaction itself is one small—but critical—element of the overall mobile experience. One point they made is that, because of their experience with other payment methods, consumers expect the mobile payment to be secure, fast, and accurate. These panelists echoed the work of the Mobile Payments Industry Workgroup (MPIW), a joint endeavor between the Federal Reserve Banks of Boston and Atlanta and the major stakeholders in the U.S. mobile ecosystem. The MPIW was created four years ago to facilitate the development of a vision for a mobile payments environment that will be effective, secure, and ubiquitous. This group has met frequently to address the issues of technology, standards, security, privacy, functionality, regulation, and adoption barriers. You can read results of these efforts on the Boston Fed's website.

Smartphone penetration levels continue to rise and are expected to approach saturation level within the next five years. Nevertheless, consumer research studies consistently show that not only are consumers very concerned about security and privacy when it comes to using their smartphones for mobile banking and payments, but they also are highly satisfied with their current payment method. The industry can address the security and privacy issues through a strong consumer education and awareness campaign. However, moving consumers from their current habits will require the achievement of a strategic inflection point—something that many payments industry stakeholders have tried to achieve over the years but have failed to do so.

Portals and Rails would like to know what you think are the other elements of the overall mobile experience needed to achieve the 10X factor.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 17, 2014 in innovation, mobile payments | Permalink


March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn’t it be easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments | Permalink


March 03, 2014

An Efficient Mobile P2P Payment: The Paper Check

Having had the chance to spend some time reviewing the 2013 Federal Reserve Payments Study, I was struck by the lasting power of the check in the consumer-to-consumer (or P2P) space. Although overall check usage has declined (checks written by businesses and by consumers to businesses have all declined significantly), check usage in the P2P space increased between 2006 and 2009 and was stable from 2009 to 2012. And this has occurred while a number of bank and nonbank mobile P2P payment solutions have entered the marketplace or matured during the past few years.

As a parent of two young children, I have acquired ample experience in the P2P payments space—that is, in paying babysitters. As a self-proclaimed payments geek, I am always interested in learning how the babysitter prefers to be paid. Cash remains king with most, at least the high school-aged ones. We have one college-aged sitter who likes being paid through a nonbank P2P payment provider. And most recently, another college-aged sitter wanted to be paid by check, which really caught me off guard. She informed me that she uses her mobile banking app to process her checks through mobile remote deposit capture (RDC) and that she prefers having access to the funds through her debit card over cash. The amazing thing that has struck me from these weekly transactions is the efficiency of this P2P payment transaction.

If the babysitter makes the mobile deposit before 9 p.m. (ET), she has access to the funds the following day. If after 9 p.m., the funds are available to her in two days. On my end, the transaction appears in my banking activity the morning following the deposit. Talk about efficient—fast and inexpensive (no fees paid by either of us)!

Obviously, the efficiency of this transaction would have been diminished were this not a face-to-face transaction. And maybe that is where the true value of online or mobile P2P payments comes into play. However, the resilient check and mobile RDC banking application worked really well in this face-to-face setting. According to a recent report, mobile RDC was offered by approximately 20 percent of U.S. banks in 2013, up from 7 percent at the end of 2012. As more financial institutions roll out the offering in the upcoming year, maybe it will be the case that the old paper check is here to stay and will flourish in the P2P payments space. And based on my experience, that might not be a bad thing!

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 3, 2014 in checks, mobile banking, mobile payments, payments study | Permalink


October 28, 2013

New Portals: Established Rails

Do consumers understand that the consumer protection rules that apply to a mobile payment depend on the payment source—such as a debit or credit card—and not the portal—the mobile device? Purchasing goods and services using a mobile device appears to be a brand new way to make payments. But the mobile device is merely a new portal that leads to the same underlying rails: traditional retail payment sources.

Mobile wallet applications, whereby the consumer can access payment options through a mobile device, are typically sourced to the consumer's debit or credit card. The mobile carrier's billing option allows the consumer to charge an inexpensive product directly to the mobile phone bill. The consumer then pays that bill using a traditional method, such as a check. A Federal Trade Commission study of payment funding sources for 19 mobile providers in 2012 reports payment by credit or debit cards as the most common payment type, with 15. Next are bank account debit (7), multiple funding sources (7), then billing to a mobile carrier account (4).

It is important for financial institutions to educate their consumer customers about the rules and regulations related to traditional retail payment sources that support mobile purchases. Consumers should know about the mobile wallet, for example. Consumers can "carry" many payment sources in their mobile wallets, but they should be aware that each source has different consumer protection provisions. For example, the time periods for reporting disputes and liability limits are different. Education by banks can reduce confusion about the process consumers must follow if they experience a problem with any purchases. Additionally, education can make consumers more aware that the rules that apply to card payments, for instance, apply whether they make the payment in person, on the phone, online, or with their mobile devices.

Banks are in a critical position to be able to share their expertise on traditional retail payment sources as consumers increase their usage of the mobile device to initiate payments. How is your institution educating consumers about mobile payments?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 28, 2013 in consumer protection, mobile payments | Permalink


May 13, 2013

Which Is Riskier, Change or Avoiding It?

There is no denying that any level of change brings with it some level of risk. However, sometimes avoiding change can result in even greater risk. That is the quandary many retail banks find themselves in today as they grapple with the issues of mobile banking and payments and their role in the bank's overall delivery-channel strategy. Sustainability and regeneration are principles normally associated with the community development and environmental arenas, but they can be easily applied to the banking industry and its consumer delivery channels.

Numerous research studies document a large gap in banking attitudes and product or channel usage between the Gen Y or millennial customers and the older customer segments (those who are over 35, if you consider that old). (The Retail Payments Risk Forum discussed some of this research in a paper posted on our website in April.) Younger customers have less loyalty to bank brand, readily adopt new technology, are highly influenced by advertising and peers, expect free or low-cost banking products and services, and are driven by convenience. While they do have a higher overall trust level of banks compared to nonbanks, the gap is not anywhere near as large as that of the older customer segment. The younger segments have eagerly adopted online and mobile banking and are viewed as the early adopters of mobile payments. In fact, when they select a financial institution, the quality and expansiveness of the mobile banking offering is a major factor in their decision.

So what does this changing landscape hold for the future of the traditional brick-and-mortar-branch delivery channel? For some time, banks have tried to establish branches primarily as sales centers while moving basic service transactions to alternative automated, less-expensive delivery channels. This effort will continue, but banks must also regenerate their overall delivery-channel strategy to provide sales and service capabilities through virtual channels in order to attract and retain the growing Gen Y customer segment. This regeneration and sustainability effort involves the "right sizing" of each channel to provide their existing and future customers with the appropriate level of services and features as well as capacity to meet service quality goals. Not only will this effort require risk assessments to be continually made for each delivery channel, but it will also require the development of a holistic risk assessment of each customer across all delivery channels.

Let us know what changes, if any, you are making in your overall delivery-channel strategy to address the changing demographics of existing and potential bank customers.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 13, 2013 in mobile banking, mobile payments | Permalink
