Bridging the crucial divide between security and customer experience 08 September 2021

Martijn Loderus, Global CIAM (Consumer Identity and Access Management) Leader at IBM, spoke with Efma about how the company creates an enjoyable and secure identification process for top financial institutions around the globe. 
Efma: We often hear about changing customer preferences, the importance of digitalization efforts, and the omnichannel experience in the financial services industry. Could you discuss some of the challenges banks face in creating secure, consistent, and enjoyable digital experiences for their customers?

Yes absolutely. First of all, within the banking and insurance industry, it's highly regulatory with regards to interacting with consumers. This has created different challenges over the course of many years, where instead of having a single data silo for consumers, we're actually seeing a lot of lines of business having created information systems around the services that they're providing. For example, banks have created systems for checking accounts, for savings accounts, for the insurance packages that they're doing within property, and casualty, life insurance, et cetera. Basically, banks and insurance companies have created a product centric view, and what's happening right now with true digital transformation efforts, is that organizations are starting their transformation towards a consumer centric view.

For the benefit of the consumer, consumers will have one profile, or one identity to manage, instead of having to re-register at every single line of business. So, you are actually registering once, and then you can easily opt into the other products and services, which is exactly the business benefit. Businesses and banks and insurance companies are driving towards easy conversion and upsell and cross sell opportunities for new parts of their business. And it makes it easier for consumer to look at products available and to manage their exposures.

From a security perspective, with one data silo per line of business, you basically created 4 or 5 different castles that you have to protect from a cybersecurity perspective. We're now working towards a single identity. That means all consumer behaviors actually have one drawbridge and one castle because we have one set of crown jewels that we need to protect. It makes it very easy for us to be able to create safety measures to keep those consumers safe.

Efma: I imagine that bringing those five disparate strands together is a complex undertaking?

Absolutely, because at every single system the nomenclature is not the same. It would be surname and last name, so we need to map the different fields together. We need to migrate that all into one profile, and consolidate and cleanse the data.

The good news is that consumers do that for us. If we do the migration in an effective way and showcase to consumers saying “Hey, is this your address?” and they validate it, why do we then need to look at all these other addresses? Therefore, the level of trust and the quality of your data will increase as well, because now I don't have to check into my insurance package to see if my address was correct in addition to my banking package. It's now in one place, and I update it once and everybody can use it.

Efma: Consumers have so many different digital interactions every day. What impact does the CX from top tech companies have on financial services providers as they compete for a customer’s attention?

The younger generation doesn’t accept friction-filled experiences anymore, because they've been trained to want what I call instant gratification. As a result, companies want to make sure that the consumer experience is enticing, but also to the point. People go to a website to order a pair of jeans, or to get a new product or a new service. They didn’t go there because they wanted to go through a lengthy sign-up process.

We wanted to make sure that the sign-up process captures the minimum amount of information required to actually sign up. We then apply what we call progressive profiling, where we gather and collect more information over time, instead of making that up front hurdle too high for people to clear.

Instagram, Facebook, or online gaming companies are doing a great job with that. Those type of innovations are now trickling into the financial services arena where the consumer experience is becoming a frictionless experience based on newer features and functionalities that we can provide while keeping the bank secure.

One security example is a feature called adaptive access, where we look at all of the information we can collect from a person hitting a website, like IP addresses, where they were before, what is their browser version, etc. And we do a trust ranking. How likely is it that this is the same person that was registering and logging in before, and based on the trust score, we can then remove the friction, because we already know that it's the right person.

The last thing I want to articulate here is that registration and authentication and profile management experiences are part of the digital identity of a company. This means that how you design the way people will have to register, authenticate, or manage their profiles, is an intricate part of differentiation between bank A and bank B. We're actually helping them redesign that so that it matches the identity they want to want to display for customers.

Efma: Cyber security is consistently mentioned as a primary area of focus for banking executives. What are some primary security principles that underpin CIAM?

First of all, security should never be compromised. What we're trying to do is optimize the user experience and remove friction, but there will still be friction. There will still be password rules to which a customer will have to adhere. We are collecting consumer information. Laws like GDPR dictate data subject rights. The data subject rights mean we are collecting data on behalf of the consumer and therefore we need to collect consent.

One of the security measures that's happening with consent collection is we are starting to collect consent for device and geolocation information. It enables us to better understand if this is a bad actor or if it is the real person. It also enables us to remove friction where possible. But we need to collect consent to be able to do that. Going to a single identity means that you have consolidated your threat footprint into one drawbridge. That's another security measure that we enable for businesses.

And lastly, but not least, of course, there's a lot of encryption methods that we're applying via different processes and segmentation of different API calls. We are applying what we call a zero-trust design principle. This means that there is no trust whatsoever between systems that communicate with one another to be able to provide services. You have to establish trust first before information can flow. There is no unencrypted data. There is no unauthorized data flowing without having that handshake first. That zero-trust design principle is key as we drive projects forward.

Efma: How does CIAM balance the need for a secure single point of entry (the CIO’s or CSO’s concerns) vs. the lead conversion and brand consistency needs (the CMO’s concerns)?

The key is actually bringing them into the same room. There are multiple stakeholders involved in consumer identity. A marketer has a couple of different agenda points. The first is branding. Second is the data that is collected from the consumer profile that is then used to market your product.

A CSO (Chief Security Officer) has to ensure compliance. This is the ability to execute on consumers' data subject rights, being involved with regards to what data is collected, how the data is being used, and demonstrating compliance throughout.

The third stakeholder is the CIO, which runs and operates the systems. The identity-as-a-service platforms that are being used in this space are usually in the hands of the CIO. The data is securely stored in encrypted storage.

There is sometimes even a fourth stakeholder that we see which is a CDO, the Chief Data Officer. Think about data lakes and data analytics. These are know-your-customer (KYC) activities, cross selling, and upselling based on consumer behavior and analysis.

There are multiple stakeholders that have a role to play. What we do is we bring them together and we discuss with them what a user experience should look like. We find agreement between all of them with regards to compliance. branding, and data capture. Then we build the user experience first. We do the screen design, the flow design. All of that in a clickable demo first, because the interesting thing is every stakeholder usually agrees on the visual aspects of what a consumer experience should look like.

Once you have that, you can then derive the feature function, and therefore the functional requirements from that to be able to make choices in the IT landscape. Then, it becomes a matter of what use case do we implement first. Which has the highest priority? How do you migrate the data? How do you inform your consumers that you have a new experience?

We see a lot of our companies in these projects create steering committees between the stakeholders? They look for a system integrator and not a product integrator to be able to help them with managing that motion toward a consumer centric type of platform.

Efma: Do you involve consumers in any part of this process?

That's a great question. We do persona mapping. We create personas that we think are subject to the use case. A consumer has multiple personas. They could be a minor or an adult. They could be a specific adult with certain disabilities. We map out the personas that need to need to be facilitated.

We define their wants, needs, and potential difficulties. Then we take that back to people within that category to get their feedback. Then we do the design. They are absolutely consulted as part of the design process and as we map out the personas and validate them. 

We use different tools for all of this. For instance, we use Adobe XD to create screens in the flows. We use a tool called Mural to do whiteboarding and different personas.

As I mentioned earlier, every design or project that we're doing is defining the identity of that company. Therefore, the process is repeatable, but the artifacts are not, because you don't want to have Bank of America look like Chase. You want to make sure that everybody has their unique identity. We have processes that we follow and then the artifacts are unique per client.

If you want to go deeper on CIAM, you can check out CIAM for Dummies, a manual written by Martijn Loderus on all things CIAM. 

Related Content

Humanizing the digital
Humanizing the digital 02 December 2021
Walking the security tightrope in APAC
What did banks agree to at COP26?
Creating frictionless security