
Ian McKenna: Security solutions must not be client barriers

A couple of weeks ago, I was asked to present to a group of entrepreneurs and venture capitalists at New Finance London, the meet-up group which looks at new opportunities in finance and technology run by former Lighthouse IT director Eddie George. I was asked to talk about meeting market needs but found myself focusing on the extra issues that technology solutions in financial services need to address.

First is the need to be able to meet all the additional regulatory obligations. Perhaps even more important is the need for security. It is, after all, consumers’ money we are dealing with.

But while recognising that security must be sacrosanct, it is equally important that the security solution does not become a barrier to customers doing business with the company. I have recently had first-hand experience of what happens when an organisation loses sight of this.

While slightly outside the normal scope of this column, I believe the following example is worth summarising as an object lesson in behaviour to avoid when planning a system upgrade. There are certainly valuable lessons which everyone from major life offices to the smallest adviser firm can learn from my experiences of a so-called upgrade.

Having been a user of Bank of Scotland’s online banking system for well over a decade, I have been able to access both my business and personal accounts using a single set of login credentials. The first thing I noticed when accessing the allegedly “improved” service was that my personal account information was nowhere to be seen.

If you are going to roll out a new system to established customers, it is essential that it delivers all the functionality provided by the system being replaced. I recognise there may be minor elements of functionality that cannot be replicated but losing all the information about a specific product, especially one you use every day, has to be about as basic as it gets.

Initial enquiries to the Bank of Scotland helpdesk suggested that there were some problems with the systems upgrade and it was suggested that restoring the missing accounts was being addressed as a matter of urgency.

A few days and a few calls later, I finally spoke to the internet helpdesk who informed me there was no error but the improved proposition meant I could no longer access business and personal accounts via a single service.

It was at this point it became clear that, despite having been a long-standing user of the online banking service, “improving” the service meant I would need to register separately for personal online banking.

This brings me back to the issue: do not make it difficult to do business with you.

For many years, using the Bank of Scotland service has required a token which generates a six-digit code. In the past, these were anonymous items carrying no branding.

The new token now has nice Bank of Scotland branding all over it, just to make it clear to a potential thief that it may be worth stealing. While such tokens are considered necessary for business banking, apparently, no such security device is considered necessary for personal account customers.

Having completed an online application as a new user of a service which I have used for over 10 years, I was then told I would have to be sent my new ID credentials, so I was without online banking for a few days longer. Add to that the fact they needed to send me a new phone access code and I was without phone or online access to my account for nearly a week.

The user ID I previously had was a combination of my name and some numbers but Bank of Scotland has decided I must have a nine-digit number. When I asked to change this, I was told I could have a new number but I could not have a name.

To compound the insult, when I pointed out a nine-digit number was rather hard to remember, it was suggested I write the number down. That is a great attitude to security.

So, the new, supposedly improved Bank of Scotland service now requires me to remember both a nine-digit online banking number and a six-digit phone banking number. Business banking security warrants a number-generating token but private banking security does not.

I would like to report there are many features of the new online banking service that make it worth all the changes. Sadly, space will not permit me to list all the ways in which the supposedly improved service no longer offers facilities provided by the system it replaced but one area I am compelled to comment on is the changes to the format of data downloads, which is unacceptable.

The previous system allowed us to download a CSV file which could be automatically populated to our online accounting system but this is no longer the case.

As stated previously, any system upgrade must maintain services previously offered. In creating new propositions to meet the needs of the RDR, providers and advisers will doubtless plan extensive new services.

The above identifies the importance, when delivering these new services, of maintaining existing services and dealing with customers in ways that do not become a barrier to what you are trying to achieve.

Ian McKenna is director of the Finance & Technology Research Centre


Comments


  1. Hi Ian

    I couldn’t agree more.

    The other thing that gets me with the token generator is its real lack of portability when a bank forces you to use it to sign on. This is all very well and good if you have it with you (mine is locked in a drawer in my office), but quickly becomes a real hurdle if you want to log into the site and have forgotten it (e.g. at home or on holiday).

    I just think the idea of using a piece of hardware to log in to something on the net is a backward step and a potential barrier to regular customer usage.

  2. Ian

    Totally agree. I bank with HSBC and they have introduced these fobs; I have 2, one for each account. The whole thing is a backward step from a customer point of view and I echo Dan’s comments about usability.

    Needless to say, I have reverted back to calling their telephone staff whenever I need to make a banking transaction. How many others will have done the same?
