By Jonny Williams, partner, and Emma Radmore, legal director, at law firm Womble Bond Dickinson
Banks are at the forefront of constant technological innovation to offer bigger, better and more user-friendly services to their customers. But with innovation and change comes risk. And with cyber-criminals ever adapting to the opportunities they see to benefit from any security loopholes, consumers are right to worry. Regulation is also constantly evolving, in an attempt to minimise the risks and maximise good customer experience. Jonny Williams and Emma Radmore of Womble Bond Dickinson look at the pace of change and current initiatives.
Why so much change?
Online banking is obviously not new, with many customers using it regularly for quite some years. However, the pandemic undoubtedly led to existing customers using the service more, new customers signing up, adjustments to the way the services operated and, perhaps more crucially, the rise in mobile banking apps.
Surveys have shown gradual increased usage over recent years, and that the ease and quality of the online experience is critical when selecting a bank. And, it seems, the younger the consumer, the more likely they are to bank using their smartphones or even smart watches rather than their computers – older customers have been slower to convert to banking by smartphone, maybe because of concern over scams and other financial crimes.
What are the regulatory risks?
Any customer experience that does not happen face to face involves a number of regulatory risks. Key among these are:
- impersonation risk – that an account is opened in the first place using a false identity or that login details and passwords are stolen
- transaction risk – that the legitimate account holder is tricked into making payments
- cyber risks – that data breaches and cyber attacks reveal secured details
- theft risk – that the device will be stolen and manipulated before the customer can alert their bank
- harmful links being clicked on, whether in messages purporting to be from the customer’s bank or otherwise and how banking apps can respond to this
While consumers are of course responsible for being sensible, the regulators, particularly the Financial Conduct Authority (FCA) and Payment Systems Regulator (PSR) are constantly striving to make the digital experience as safe as it can be, and to ensure consumers don’t lose out when they have not been at fault.
What are the regulators doing?
The UK regulatory requirements on the onboarding of customers, in particular on identifying them, verifying their identity and understanding the likely patterns of their transactions are stringent. But, concerningly, we continue to see FCA imposing large fines on banks whose procedures and systems have failed to spot the potential for, or actual, money laundering. Additionally, although so far falling short of published regulatory action, FCA’s review of the financial crime controls at challenger banks, particularly digital banks, highlighted serious shortcomings of some business models including in the onboarding process. This is particularly concerning considering the popularity of digital banks especially among younger consumers.
Separately, regulatory initiatives around authorised push payment (APP) scams and frauds have been ongoing for some time. The Government is now looking to use the Financial Services and Markets Bill, currently going through the legislative process, to require mandatory repayment to customers who have lost out.
Increasingly, banks are introducing as many safeguards on payments as possible, and many payments now require two-way or multi-factor authentication. Again, the requirement stems from legislation – in this case the Payment Services Regulations 2017, but banks are left to work out the best way of implementing controls to enhance the security of payments. For many customers, though, this now means authenticating via an app – whether the payment is initiated by the app, by online banking or otherwise. It makes the smartphone an accessory which is both powerful and potentially dangerous.
FCA is also taking great account of consumer behaviour in its initiatives. It will be aware that younger consumers expect to be able to do everything quickly, and that banks wanting new customers will not want to risk losing them through overly complicated onboarding and transaction approval processes. Yet it is crucial for consumer protection that banks carry out proper due diligence and that safeguards are in place so that consumers understand and agree the payments they are making.
What next?
We can expect to see more changes in future. As mentioned above, the Financial Services and Markets Bill is looking to address APP fraud, as is the Online Safety Bill in respect of scams stemming from use of online platforms and social media. FCA will continue its close inspection of banking models and its engagement with firms who do not meet its standards. The Consumer Duty, which must be implemented by all regulated firms by the end of July 2023, will require banks to take yet another look at how they provide their services. They must comply with the new overarching principle to act to deliver good outcomes for retail customers, which requires a deep dive into every element of products, pricing and customer service. Digital banking will only increase in popularity, and FCA also set up a “digital sandbox” to enable firms to test digital products and solutions. While in testing phase, it looked at solutions to address the prevention of fraud and scams.
So the future probably holds an uncomfortable mix of more prescription for banks, more clicks and taps for consumers, and continued consumer education, all continually battling against new criminal techniques.
