I have long been an advocate for reimagining how we deliver fraud and scam education to customers. One way I have suggested doing this is to make security warnings interactive and force the customer to engage with the message in some form. There have been several studies showing what we are doing today isn’t working, and consumers are ignoring the warnings. A recent study of scam victims supports this and indicates customers want to have more involvement and choice in the online security experience.

Thus, it was a breath of fresh air to see UK challenger bank Monzo recently announce a trio of online security controls that involve the customer making choices about their use. A good friend of mine reminded me that this has been the norm for online commercial customers for quite some time. Commercial banks offer a number of additional security controls, and customers choose the ones they want to deploy. Yet, on the online retail bank side, this approach has not been widely accepted, likely due to the pressure on fraud teams to keep any disruption to the user experience at a bare minimum.

Customer-Managed Fraud Controls

Before we get into exploring customer-managed controls, let’s look at the new fraud controls that Monzo has just released.

First, the customer can choose locations (e.g. home or office) where it is acceptable to execute high-value transactions. The customer sets the limits involved, and outside of the designated locations will be unable to perform large transactions.

The second control is rather interesting, and quite good. The customer can designate a second person, who also uses Monzo, to validate the transaction (just like what commercial banks offer). For older customers, this is very appropriate security. Think of romance scams and investment scams and how these scams could be stopped if this control were in place before the scam started.

The third new control involves secret QR codes, stored on a different device, that must be used for transactions over a customer-defined limit.

When we review these new customer-managed controls, we can see that they are probably not that expensive to deploy. There are some good location vendors out there that can quickly support the first control. The second control should involve just internal coding, and the third new control is quite simple as well.

These controls are important for Monzo, as starting in October 2024, all UK banks must reimburse for APP scam losses. And they want to get the customer involved in stopping these scam losses. As part of this preparation, Monzo also added a fourth new control late in 2023 called “Call Status” to help prevent bank impersonation scams. This control allows a customer to check within the Monzo banking app to see if it is the bank calling and not a scammer spoofing the phone number. According to Priyesh Patel, senior staff engineer at Monzo, “The Status tool has been used to report over 4,000 fraud attempts so far this year.”

Other financial institutions are offering customers choice for online security controls including:

Choosing alerts for changing password, adding payees, etc.

Letting customers create their own alerts

Turning credit cards on/off

Adding travel notices

Transaction approval in app

Empower Your Customers with More Choice

Despite all these efforts, there still needs to be more choices for customers. I want to empower the customer to help prevent fraud and scams because many banks still do not have sufficient controls. Here are some of the controls I would like to see:

Give the customer the choice to turn on/off real-time payments such as Zelle or retail wires. Zelle only offers limited reimbursement for bank impersonation scams and retail wires are excluded from Reg E coverage. So, help me protect myself.

Give the customer a choice of how fast faster payments process. Yes, I know the bank marketing department wants a simple message: “All real-time payments execute in real-time.” But they don’t necessarily reimburse the customer when there is a fraud or a scam, do they? So maybe I only want overnight or a 4-hour hold. Maybe no real-time transactions after 6PM. Or deploy these additional controls only if the amount is over $500 (so my tennis buddies get their lunch money quickly).

Allow customers to verify who they are sending money to by validating the name and account on the receiving bank side. This occurs in the UK and Europe today and soon in Australia. At minimum, it will catch my fat finger errors and also help to stop scam transactions.

Allow customers to choose to have no mobile transactions processed for X days after a SIM swap on their phone.

Offer customers high-end security like a physical token or FIDO2/WebAuthn authentication, at least to your high net worth and investment customers.
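
As an added illustration (not Monzo's or any bank's code), the on/off switch, hold, evening cutoff and SIM swap choices listed above can be expressed as a per-customer policy that is evaluated before a payment is released. All names are hypothetical, and the 7-day value for X and the 08:00 next-day release are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

@dataclass
class Policy:                       # hypothetical customer-chosen settings
    realtime_enabled: bool = True   # on/off switch for real-time payments
    threshold: float = 500.0        # holds apply only above this amount
    hold_hours: int = 4             # chosen delay for larger payments
    cutoff: time = time(18, 0)      # no real-time payments after 6PM
    sim_cooloff_days: int = 7       # assumed value for "X days"

@dataclass
class Payment:
    amount: float
    channel: str                    # "mobile" or "web"
    requested_at: datetime
    last_sim_swap: Optional[datetime] = None

def evaluate(policy: Policy, p: Payment):
    """Return (decision, reason, release_time) for one payment request."""
    if not policy.realtime_enabled:
        return ("BLOCK", "real-time payments switched off", None)
    if p.channel == "mobile" and p.last_sim_swap is not None:
        cool_end = p.last_sim_swap + timedelta(days=policy.sim_cooloff_days)
        if p.requested_at < cool_end:
            return ("BLOCK", "SIM swap cool-off", cool_end)
    if p.amount <= policy.threshold:
        return ("ALLOW", "at or below threshold", p.requested_at)
    if p.requested_at.time() >= policy.cutoff:
        # Assumption: evening requests are released at 08:00 the next day.
        nxt = datetime.combine(p.requested_at.date() + timedelta(days=1), time(8, 0))
        return ("HOLD", "after evening cutoff", nxt)
    return ("HOLD", "customer-chosen hold",
            p.requested_at + timedelta(hours=policy.hold_hours))

def demo():  # constructed sample payments run against the default policy
    pol = Policy()
    day = datetime(2024, 6, 3)      # constructed date
    samples = [
        Payment(20.0, "web", day.replace(hour=19)),
        Payment(900.0, "web", day.replace(hour=10)),
        Payment(900.0, "web", day.replace(hour=19, minute=30)),
        Payment(50.0, "mobile", day.replace(hour=9), day - timedelta(days=2)),
    ]
    return [evaluate(pol, s)[0] for s in samples]

if __name__ == "__main__":
    print(demo())
```

The SIM swap check runs before the amount threshold, so even a small mobile payment is stopped during the cool-off period.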

These are just some ideas I have. As fraud practitioners and bank customers, you will also have many more ideas. But the point is it is hard to stop some of these frauds and scams. By involving the customer in our fraud control solutions, we have better defense in depth. And not every online customer is the same. So, think about how to put the customer more in charge. It will lead to better outcomes.
