
WHITE PAPER

BANKING’S DIGITAL TRANSFORMATION
THE CONFIDENT PURSUIT OF OPPORTUNITY IN THE FACE OF RISING RISK

Executive Summary
Top 5 Areas of Digital Opportunity for Today’s FI
  FinTech
  The API Economy
  3D Secure 2.0
  Mobile Banking
  The Internet of Things (IoT)
Enabling Technologies: Embracing Opportunity by Managing Risk
  Next-Generation Authentication: Stop Fraud—Not Customers
  Secure Omnichannel Architecture: Toward a More Efficient, Effective Whole
  Automated Fraud Case Management: Keeping Pace with Growth
Conclusion

EXECUTIVE SUMMARY

The age of digital transformation has arrived, revolutionizing the financial services industry with new ways of doing business anytime, anywhere. With a growing array of digital banking channels available, customers seemingly have infinite possibilities for conducting financial business. At the same time, this expansion of banking channels increases the risk of fraud. The latter is a prospect that weighs heavily on financial institutions (FIs); according to the business management consulting firm McKinsey & Company, 70 percent of banks have digital risk “prominently on their radar.”[1]

“Our customers don’t benchmark us against banks. They benchmark us against Uber and Amazon.”
Hari Gopalkrishnan, CIO, Bank of America Merrill Lynch

RSA believes the critical question is whether FIs will confidently pursue the opportunities digital transformation presents, or focus instead on the risk it creates. This paper describes a third alternative in which opportunity and risk are not either-or choices, but rather two sides of the same coin. From that perspective, the ability to manage the risk of fraud can become what frees organizations to embrace business opportunity. To put it simply, digital risk management can be a way for banks to win, not just a way to avoid losing.

Winning in the digital era means rising to the challenge of meeting an entirely new set of customer expectations. As the CIO at one of the world’s largest FIs puts it, “Our customers don’t benchmark us against banks. They benchmark us against Uber and Amazon.”[2] To succeed, FIs must manage digital risk so that it doesn’t stand in the way of digital opportunity. In the pages that follow, we will explore new areas of opportunity and risk that are the result of digital transformation in the financial services industry, including:

1. FinTech
2. The API Economy
3. 3D Secure 2.0
4. Mobile
5. The Internet of Things

Just as importantly (if not even more so), we will look at specific enabling technologies that can help create a hospitable environment for growth and opportunity by keeping risk at bay.

TOP 5 AREAS OF DIGITAL OPPORTUNITY FOR TODAY’S FI

1. FINTECH

In every financial services space from payments to insurance, FinTech—short for financial technology—has been exerting competitive pressure on FIs by offering innovative digital alternatives to traditional offerings. Digital wallets, cryptocurrency, blockchain and other FinTech phenomena are redefining banking and financial services in a multitude of ways, putting traditional FIs at risk of losing business to them. But in this, as in the larger picture of digital transformation, on the other side of risk lies opportunity.

The opportunity for FIs is to beat FinTech at its own game, by innovating and providing more of the kinds of digital services FinTech companies offer. This move toward FinTech among traditional financial services providers has already begun. JP Morgan, for example, has invested $600 million in “emerging fintech solutions,” according to a recent annual report.[3] And Reuters reports that Wells Fargo has started an artificial intelligence (AI) initiative to provide more personalized customer services and strengthen its digital offerings.[4] (The data analysts at CB Insights have mapped out where these and other top U.S. banks are investing in FinTech.[5])

The risk is that by embracing FinTech to offer more services and create more channels for customers to conduct financial business, FIs create more avenues for fraud. The very diversification that affords them more opportunities to deliver services to customers also creates new openings for fraudsters. As a result, FIs will find themselves in the position of having to manage fraud risk on a greater scale than ever.

2. THE API ECONOMY

Developing technology to compete with FinTechs, or acquiring large stakes in FinTech companies, may make sense for large enterprises like JP Morgan and Wells Fargo. But for smaller organizations with fewer resources, another option is to take the “if you can’t beat ’em, join ’em” approach and partner with third-party application providers to deliver innovative offerings. A growing open API economy provides the technology foundation to support this.

The opportunity for FIs in the API economy is to be able to offer customers capabilities such as being able to link their accounts with other services (utility payments, for example) without the FI having to build out a complex technology infrastructure to support the new capability. In some cases, this may be more than an opportunity; it may be an obligation. For example, the European Union’s (EU’s) Payment Services Directive II (PSD2)[6] requires banks doing business in the EU to open access to their systems to payment services and data aggregators.

The risk is that the growing use of third parties can cause a security weakness, with open APIs potentially opening a new attack vector. As the U.S. Office of the Comptroller of the Currency (OCC) warns, increased use of third-party service providers, particularly for critical operations such as merchant card processing, “can create concentrated points of failure resulting in systemic risk to the financial services sector.”[7]

3. 3D SECURE 2.0

FIs in the business of issuing credit cards have started or are planning to embark on the journey to adopting 3D Secure (3DS) 2.0,[8] the newest version of the 3DS security protocol for online credit and debit card transactions. Unlike the previous version of the protocol, 3DS 2.0 supports a more frictionless shopping experience through the use of risk-based authentication to identify potentially fraudulent transactions.

The opportunity with 3DS 2.0 lies in its adoption of consumer-friendly features such as the elimination of enrollment pop-ups, full integration into the shopping experience and faster authentication. By reducing the annoyance factor, these changes have the potential to reduce the current high rate of cart abandonment online—thus leading to more completed transactions and more revenue for issuing banks.

The risk is similar to that posed by FI adoption of FinTech, with more transactions being associated with more risk of fraud. Even though authentication improvements in 3DS 2.0 are expressly designed to improve security, its adoption by merchants can be expected to bring dramatic growth in transaction volume, which inherently means greater fraud risk.

64% of overall fraud originates from a mobile device (Source: RSA)

4. MOBILE BANKING

Since the first mobile banking service was announced nearly 20 years ago, mobile banking has become a staple of FI consumer offerings. Recent data from Federal Reserve surveys shows that 89 percent of FIs already offer mobile banking services, and 97 percent expect to be doing so by the end of 2018.[9] And according to a recent survey by Bankrate, 63 percent of smartphone users have at least one banking app (and more than half have at least one full-service banking app).[10]

The opportunity with mobile banking is it offers yet another channel for FIs to provide new services to their customers while meeting their demands for secure, convenient account access. Mobile banking has become the predominant and preferred channel for consumers to interact with FIs. In 2017, 55 percent of transactions originated from a mobile app or browser, and in the last three years, transactions from mobile banking apps have increased more than 200 percent.[11]

The risk with mobile banking is clear, given that 64 percent of overall fraud originates from mobile devices.[11] As mobile transactions continue to grow, FIs will need to address the risk of mobile banking fraud if they want to avoid financial losses and loss of customer confidence.

5. THE INTERNET OF THINGS (IOT)

You’re not likely to find banking leading the list of today’s top IoT applications,[12] but the prospects for IoT-based financial transactions look good nevertheless—particularly in the payments segment. Citing a survey of global banking and insurance executives, the Financial Brand reports that 59 percent expect wearables to become a common payment mechanism within two years.[13]

The opportunity for FIs in the payments segment is multifaceted, as human-not-present transactions become more prominent in the next evolution of shopping convenience. RSA expects IoT devices to ultimately interact directly with payment systems in a variety of areas to enable personalized services, make automatic payments, facilitate usage-based fees and much more.

The risk of IoT in payments is that when a human is not present for a transaction, there’s no way to directly confirm the person’s identity. There’s literally no one there to answer qualifying questions that establish that the transaction is authentic and intentional. Moreover, there may be multiple entities buying on the consumer’s behalf, and they may not all be well secured. FIs in the IoT economy will have to establish ways to determine that a transaction has been authorized and to detect fraud by entities.

ENABLING TECHNOLOGIES: EMBRACING OPPORTUNITY BY MANAGING RISK

In the areas of digital opportunity described in this paper, security technology has an essential role to play in enabling FIs to pursue the opportunities without putting themselves or their customers at risk for fraud. The following types of security capabilities will be key to preventing and detecting fraud in ways that are frictionless for customers.

NEXT-GENERATION AUTHENTICATION: STOP FRAUD—NOT CUSTOMERS

As the array of digital banking channels grows, so does the need for risk-based authentication, which gives FIs the ability to confirm in more than one way that they are dealing with legitimate customers attempting legitimate transactions. There’s just one problem: If FIs ask every customer to provide additional authentication upon every transaction attempt, the process will become cumbersome for the customer. Since one of the main reasons for offering digital banking options like mobile banking or 3DS 2.0-based payments is to make things faster, easier and more convenient for customers, one could argue that the imposition somewhat defeats the purpose of having digital banking capabilities in the first place.

95%: Risk-based authentication rate of fraud detection at a 5% customer challenge rate (Source: RSA)

The solution lies in risk-based authentication, sometimes referred to as adaptive authentication, or the ability to assess fraud risk based on contextual information such as device identification, IP address, user behavior and fraud intelligence. Risk-based authentication leverages various machine-learning models that enable new fraud patterns to be learned quickly by the risk engine, and it accepts additions of new predictors such as data from other channels or cybersecurity tools. The self-learning capability of risk-based authentication is crucial to keep up with the speed at which cybercrime evolves and, more importantly, to minimize false positives and customer friction.

Its nonintrusive nature, flexibility and ability to manage fraud risk across multiple channels make risk-based authentication an ideal solution for FIs looking to deploy strong security to large customer populations. Fraud detection rates of 95 percent can be achieved with minimal customer intervention, whereby the risk engine will only recommend another authentication factor, such as biometrics or SMS, when the probability of fraud is high.[11] This ability is a hallmark of standards such as 3DS 2.0, where a positive customer experience is promoted as the central theme.
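
The trade-off between challenge rate and detection rate described above can be made concrete with a small risk engine. This is an added example, not code from the paper or from RSA: the logistic weights, signal names and the 40-event sample are constructed for illustration, and a production engine would learn its weights from labelled transactions.

```python
import math

# Hypothetical logistic-model weights over the contextual signals the paper names.
# Illustrative values only; not RSA's model or any vendor's scoring.
WEIGHTS = {"new_device": 2.0, "ip_risk": 2.5, "behavior_anomaly": 1.5, "fraud_intel_hit": 3.0}
BIAS = -4.0

def fraud_probability(event):
    """Map contextual signals (each in 0..1) to a fraud probability."""
    z = BIAS + sum(w * event.get(name, 0.0) for name, w in WEIGHTS.items())
    return 1.0 / (1.0 + math.exp(-z))

def threshold_for_budget(scores, budget):
    """Lowest score threshold that challenges at most `budget` of all events."""
    ranked = sorted(scores, reverse=True)
    k = int(len(ranked) * budget + 1e-9)
    # Do not split a group of tied scores: that would exceed the budget.
    while 0 < k < len(ranked) and ranked[k] == ranked[k - 1]:
        k -= 1
    return ranked[k - 1] if k > 0 else math.inf

def decide(event, threshold):
    """Step up (biometrics, SMS) only when the score reaches the threshold."""
    return "step_up" if fraud_probability(event) >= threshold else "allow"

def evaluate(events, budget):
    """Return (challenge rate, fraud detection rate) at the given budget."""
    threshold = threshold_for_budget([fraud_probability(e) for e in events], budget)
    challenged = [e for e in events if decide(e, threshold) == "step_up"]
    fraud_total = sum(e["fraud"] for e in events)
    fraud_caught = sum(e["fraud"] for e in challenged)
    return len(challenged) / len(events), fraud_caught / fraud_total

# Constructed sample: 37 legitimate events and 3 fraudulent ones.
LEGIT = [{"new_device": float(i % 9 == 0), "ip_risk": (i % 5) / 10,
          "behavior_anomaly": (i % 4) / 10, "fraud": 0} for i in range(37)]
FRAUD = [
    {"new_device": 1.0, "ip_risk": 0.9, "behavior_anomaly": 0.8, "fraud_intel_hit": 1.0, "fraud": 1},
    {"new_device": 1.0, "ip_risk": 0.7, "behavior_anomaly": 0.6, "fraud": 1},
    # Low-signal fraud from a known device: scores below the threshold.
    {"new_device": 0.0, "ip_risk": 0.2, "behavior_anomaly": 0.5, "fraud": 1},
]

if __name__ == "__main__":
    rate, detected = evaluate(LEGIT + FRAUD, budget=0.05)
    print(f"challenge rate {rate:.0%}, fraud detected {detected:.0%}")
```

On this sample a 5 percent challenge budget steps up two of the three fraudulent events; the third, coming from a known device with weak signals, is the kind of case that additional predictors from other channels are meant to surface.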

Figure 1: Risk-Based Authentication Weighs Numerous Risk Indicators to Determine the Probability of Fraud with High Accuracy

Case study: Leveraging data from the phone channel, one large U.S. financial institution was able to enhance risk assessments across its web and mobile channels, increasing fraud detection rates by 2.2 percent and saving an additional $500,000 in potential fraud losses. (Source: RSA)

SECURE OMNICHANNEL ARCHITECTURE: TOWARD A MORE EFFICIENT, EFFECTIVE WHOLE

A critical consequence of the proliferation of digital banking channels is the problem of having multiple channels that operate independently of each other. Back when “multiple channels” at most meant a branch bank and an ATM network, this wasn’t so much an issue. But today’s banking channels are also likely to include online banking, chat support, mobile banking, call center and third-party services, with more channels likely on the way. In this environment, independent operations are both