Has the media been overly strident in pointing out the numerous online security and privacy breaches in the financial services industry?
"If you listen to the press, you would be under the impression that the sky is indeed falling and that all hell is breaking loose, nobody's safe, and it's not safe to go on the Internet," says Richard Parry, a Chicago-based senior vice president for consumer risk management at JPMorgan Chase (JPMC, New York; $1.16 trillion in assets), speaking at an industry conference sponsored by Forrester Research (Cambridge, Mass.).
Parry offers a contrarian view to the common perception of the Internet as the Wild West of commerce. "The very vast majority of the fraud that we incur -- such that it is, because we enjoy industry-low levels, both in instance rate and in dollar value terms -- is greater in transactions that involve speaking to someone over the phone or having the culprit standing in front of you at the branch," explained Parry.
Although Internet fraud certainly exists, it has a limited financial impact, with adequate methods to contain the damage from identity thieves. "Internet risk, in financial terms, is really quite modest," Parry said.
"Ironically, it's probably the safest delivery channel that we have," he added. "It enables us to see activity and behaviors close to real time, rather than wait for batch cycles to clear."
The mouse click doesn't move money, Parry explained. Rather, the mouse click sends an instruction to move money at a later point in time. As a result, Internet transactions have a built-in delay relative to other channels such as the ATM, branch or the point of sale. The delay provides banks with an opportunity to detect behaviors indicative of a fraud attempt. For example, if a customer appears to be sending money to a type of business with which he or she has never transacted before, the bank has an opportunity to call the customer to investigate.
However, rapid response to customer interactions requires access to real-time enterprise data. "If it's not a real-time transaction data warehouse, if it's just a storage house, you're operating in batch, and you're not detecting anything," noted Parry.
Other customer channels also could benefit from this approach. "Nothing that we do on the Internet is anything that we shouldn't be doing at the ATM and at the branch," said Parry. "Centralized, real-time, transaction-level data warehouses help you accomplish that."
Rather than a lurching, stopgap approach to security that attempts to foil every attempt to steal information in a data-rich world, Parry instead advocates that banks focus on actual customer interactions, including non-financial interactions such as a change of address.
Such an approach can benefit a bank and its customers alike. "To say, 'We've lost some money, but don't worry, Reg E will ensure that you're [made] whole,' is quite different from, 'We detected an attack on your account and we've taken care of it,'" said Parry. "That's a very different customer experience around fraud management."
While it may not stop the parade of embarrassing data breaches nor silence the gleeful press watching the parade, the transaction-centered approach may be enough to protect both customers and shareholders alike. "You have to manage risk on the assumption that all data is out there, because to not do that is simply irresponsible," said Parry.