By Don Peppers and Martha Rogers, Ph.D.
When the Federal Financial Institutions Examination Council released guidelines in late 2005 that advocated multi-factor user authentication during electronic transactions, banks online and off were spurred into action. The big words - "multi-factor user authentication" - made the task sound more daunting than it actually was, but banks quickly understood that before too long they'd have to require more than a user name and password for transactions and account access.
Somerset Trust Co., a regional Pennsylvania bank, heard the message loud and clear. At the same time, it feared that changing its privacy/security/authentication practices could not only prove difficult to implement and communicate but also spook set-in-their-ways customers.
Dick Stern, Somerset's Senior Vice President and Treasurer, said the company considered any number of solutions.
"One vendor suggested a token that customers would have to keep with them at all times," recalled Stern. "Another said that we should have a series of questions and answers. Another wanted to give customers a card that would help them do a translation for privacy and security purposes."
Ultimately, Somerset went the keep-it-simple route, tapping voice-biometrics firm VoiceVerified for a new security protocol. "The main appeal is that it is easy and intuitive," Stern said. "Tokens, cards, all that other stuff - sometimes, the medicine is worse than the cure."
Banks, such as Somerset, are certainly aware that securing their customers' information is as basic as counting the money back correctly when a customer cashes a check. Customers choose banks in part because they trust that their financial institutions are going to get it right, time and time again. This dynamic bears out in research done by the Ponemon Institute, which found in a 2006 survey that 68 percent of respondents who gave their banks accolades for privacy believed in their banks' commitment to protecting their personal information.
"Preventing data breaches has become a top priority for banks, partly due to state notification laws, but primarily because customer loyalty depends on it," said Joseph Ansanelli, Chairman and CEO of Vontu, Inc., which sponsored the 2006 Privacy Trust Study for Retail Banking. Ansanelli, in a news release issued with the survey results, added that the study "clearly demonstrates how much banking customers care about data loss prevention."
With the introduction of new technology, Somerset and other banks increasingly have new options to consider and vet as they carefully choose a solution that will help the institution achieve its security protocols and earn consumer approval.
"Voice verification has been around for 20 years now, but it's never had market acceptance," explained John Lazzaro, VoiceVerified's Vice President of Financial Services and Fraud Solutions. "With phishing and so many other scams out there, it's becoming pretty clear that user names and passwords aren't strong enough to prevent abuses."
Here's how the VoiceVerified technology works: A customer either calls into a system or is called by the system, and is asked to recite six five-digit phrases. From that, the system creates a mathematical representation of his or her voice. For subsequent transactions, the customer is prompted to recite a random five-digit number; if the voice matches the voiceprint, he or she is granted access or approval.
Somerset selected VoiceVerified mostly because of the simplicity of its offering.
"We're not asking customers to do anything complicated," Stern said. Convenience also comes into play, in that the VoiceVerified technology can be used from land lines, cellphones, voice over IP and more.
"Customers have to want to use it in order for it to be effective and, on our side, for it not to be a nightmare to support," Stern said.
Right now, Somerset is nearing the end of a pilot program in which about 25 people are test-driving the new system. Some of their feedback already has been taken into account, especially in the way the proposed changes will be communicated to existing customers. Somerset may also tweak the enrollment and verification processes.
When Stern ventures into Somerset's call centers or surveys other customer touchpoints, he senses a great deal of frustration with existing privacy and security measures. He believes that the VoiceVerified technology, when rolled out on a larger scale, will end such problems.
"You have to spend a few minutes in [the call center] to understand just how [dissatisfied people are with ordinary call center technology]," he explained. "You hear people getting really upset. They're saying 'I answered those security questions right: I gave my first dog's name, I gave the high school I attended.' The simplicity of just using your voice has to be better than that."
Somerset doesn't plan to roll out the VoiceVerified system until the pilot program has been completed, but Stern believes the simplicity will prove a quick hit with customers. "What we're asking the customer to do, through VoiceVerified, is nothing more than the things they do every day: dial a number and repeat a series of digits," Stern said.
Assuming no major hiccups, look for a full rollout within a year.