Posts Tagged ‘banking’

The thing is: no one really cares about banking products. There’s no idolizing of the guys who started AmEx Cards or CapitalOne, no queue outside HSBC the night before a new card is launched. This is a problem because people only buy things they care about, or things they need and for which there is no alternative.

Banks used to keep outside competitors away with the huge capital and regulatory costs of setting-up a payments system but as more commerce moves online and as these other costs drop, those barriers will fall.
The problem is cards are essentially commodities. With a few exceptions, a credit card is a credit card is a debit card, even. This is especially true as the actual plastic starts to play a smaller role in the transaction. In freeing customers from location-specific branch and ATM networks, online banking has also removed the personal relationship that may once have made a bank something more than a logo on a card.
The credit card survives – and indeed still thrives – because it is the most convenient way for most people to make most payments, at the moment, but this is changing. With more and more online and mobile alternatives, banks will have to start competing with more retail-savvy competitors and to do that they need to reconsider the way they consider and market their products.
Traditionally banks spent large amounts on above the line advertising to attract customers and retain customers who they offered a suite of standard products; a one-size-fits-all model. Then, stand alone credit card issuers and other niche companies started to attack the banks’ market share with tailored products offered through direct marketing campaigns; an altered-by-the-in-store-tailor, still not 100% customized.
Direct marketing is no longer enough because it works on a some key principals which are being undermined: the contact must be made at a time and place where the customer is open to the idea of a new card, but in a flooded market the chances of your contact reaching a customer before a competitors in this window period is getting smaller and you’re almost always contacting them at home; the contact must come in a medium that is relevant to a customer, both mail and email are becoming less relevant to customers; and the offer should appeal to a particular niche, but a direct marketing campaign, even a niche one, must involve a degree of choice compromisation.
A new model is needed that can reach customers at a convenient time and place, through a relevant medium to offer products tailored to their needs, cheaply. The last word is especially important because banks have long used vague pricing structures to protect themselves from commodity prices but new laws and competition from more transparent – and even ‘no cost’ –competitors will drive prices down, making only the most efficient banks profitable.
This article is an attempt to run with that idea, sometimes beyond the limits of practicality; hopefully in doing so I will raise some interesting questions about what is and isn’t important in the modern, mass market credit card business.

That’s where the idea for the credit card vending machine took root: it is a symbol for efficient, convenient, and ‘productized’ transactional banking. Turning the credit card marketing model around to offer customized cards to customers in convenient locations, without paper work and at low cost.
I envisage a customer approaching a machine in a shopping mall, choosing a card design from the display, entering the relevant data, selecting product features, paying a fee based on the feature bundle, and then waiting while the machine embosses, encodes and produces their card.

The concept is simply an amalgamation of components that are all already available and automatable:
·        an online application form,
·        a means of automated customer verification (ID card scanning in HK and fingerprint reading in Hong Kong for example) ,
·        a secure communications channel,
·        a card embossing machine

Data Capture
I hate forms, especially hand written forms. Every time someone asks me to write out my name and address I immediately assume they value bureaucracy over customer service.
Instead, the data capture process should be designed to leverage stored data, focusing on verifying data rather than capturing it. In Hong Kong I can use my government-issued identity smartcard and a scan of my thumbprint to enter and leave the country, the same tools could provide my demographic which could then be supplemented by bureau and internal databases, requiring me to enter only minimal data. An ATM card and PIN code might do the same thing.
Where this is not possible, the interface would need to provide a vivid and easy means for manually capturing data.
Customer Acquisition
Credit acquisition strategies should already be automated. Very little about them will change, they’ll just be implemented closer to the customer. Hosting them in a vending machine – or doing it via secure link to the bank’s system – is also no different, just a lot of smaller machines processing the data rather than one big one. In fact if there is anything in your processes that can’t be automated in this way you should probably revaluate the cost:benefit trade-off of them anyway.
In terms of marketing, by being located closer to the point of use also makes it easier to do short-term, co-branded campaigns.
Product Selection
Once the data has been captured and the credit and profitability scores have been calculated, a list of product features can be made available, either explicitly or as shadow limits. The obvious way to do this would be to allow a customer to add features onto a low cost, low feature basic card: higher limits, a reward programme, limited edition designs, etc. all with an associated higher fee.
But I’m not threatening anyone’s job here. Any number of strategies can be implemented in the background. The product characteristics might be customer selected, but the options provided and the pricing of those options will be based on analytics-driven credit strategies.
Even target market analysis is still important. In fact, you’ll have one more important data point: the demographic data will allow you to model risk and behaviour based on home address, but you’ll now also now where they shop, allowing you to model behaviour in more detail.
Just because credit card designs don’t obviously affect the standard profit levers, it doesn’t mean they can’t be important influencers of application volumes, but most banks offer only two or three options in each product category.
In part this is because the major card companies want to protect their visual brand identities, but mainly it is because it is hard to advertise hundreds of different card designs to your customers without confusing them.
By filling each machine with a unique selection of generic and limited edition designs, though, you could offer a selection of designs to the market that is never overwhelming but which presents more opportunities for individualism across the market. You might even be able to offer an electronic display of all possible designs to be printed on white plastics.
Look, I started out managing fraud analytics on a card portfolio and I know my old boss will be fuming at this stage; there are risk involved in storing blank plastics and especially in storing the systems for encoding chips and magstripes. However, ATMs have many of the same risks and I believe that they are sufficiently controllable to support the rest of the idea at least in its intended purpose here.
Connecting the card to a funding account could be done offline afterwards, but I would prefer a model that had the customer link the card to their savings account by inserting their ATM card and entering the PIN; the bank could to the debit order/ standing order administration in the background.
Finally payments, I would propose a single cost model where the actual card is paid for by debiting the funding account when the invoice is created or by cash as with any other vending machine purchase; a single cost model makes the process more transparent and helps to reposition the card as a product purchased willingly.

The systems that make the credit card vending machine could also be leveraged for other, revenue generating purposes.
It provides a channel that could revitalize card upgrades. Instead of linking card upgrades to hidden product parameters, they can become customer initiated and feature driven: learning from the internet’s status-badge mindset, banks could allow customers to insert a card into the machine, pay a small upgrade fee and have it replicated on a new, limited-edition plastic made available based on longevity and spend scores for example, even linking it to retail brands so a Burberry Card might become available only if you spend $5,000 or more in a Burberry store on a vending machine card, etc. Multiple, smaller upgrades would create a new and different revenue stream.
The machines could also act as a channel for online application fulfillment. Customers who have applied online, who have a card, or who need to replace a lost card could have those printed at the most convenient vending machine rather than having to visit a branch.

The way I have spoken about the credit card vending machine is as a new and somewhat quirky sales channel for of generic cards in a generic market place – a Visa Classic Card with a choice of limits, reward programmes and designs, for example. In other words, I have positioned it as a better way to make traditional credit cards relevant in a retail environment.
But it could also offer opportunities in other ways too, for example in the unbanked sectors in places like South Africa where branch networks are prohibitively expensive to roll-out in low-income, rural areas. There customers incur significant costs to reach a bank for even simple services. Though mobile banking is making inroads, there is still room for card based transactional banking. A credit card vending machine would be more difficult to get right in this sort of environment, but if done right it would be a cheap way to expand market share for innovative lenders.

This article is not intended to stand as business proposal, but rather to highlight the parts of the traditional lending business that I feel are most at risk from competition and irrelevance. A review of your marketing efforts and team structures with this in mind might reveal functions that are no longer needed, product parameters that are too complex or attitudes to customer service that need to be improved.


Read Full Post »

The importance of card not present fraud is growing as more commerce moves online. The major card networks have reacted with systems to control the risks but the coverage of these defences is still limited. However, since chargeback rules generally protect the issuer from direct fraud losses it is common to see efforts to control this type of fraud being de-prioritised.

But the cost of fraud doesn’t only include direct, financial losses; the full impact of card not present fraud can only be seen when indirect costs are also considered. These indirect costs are both financial in nature as well as reputational. The indirect financial costs of card not present fraud include the cost of replacement plastics, the cost of the admin staff needed to manage chargebacks, the cost of funding the charges until the refund is received, etc. Reputational costs, on the other hand, are incurred when customers are inconvenienced by the forced closure of their accounts and the re-issuing of new plastics.

Both of these costs are relatively minor when card not present fraud happens on an irregular and fairly random basis. Most customers understand that fraud does happen and will not be too upset if the bank contacts them to replace a card once fraud has been detected, unless they have incurred a financial loss in the process (unlikely on credit cards if there is a decent detection system in place due to the delay between transactions and payments but fairly common for debit cards).

However, both types of indirect costs can be significant if the card issuer finds themselves under attack from a persistent fraudster. Due to the electronic nature of card not present fraud, a common weakness in the card issuing process can be exploited to make this a realistic threat. That weakness is the sequential issuing of card numbers.

Credit card numbers conform to a certain format in order to convey the specific information needed to enable international interoperability. One key part of this universal format is that the numbers are all validated by the Mod 10 check. I’m not going to discuss the mechanics of that algorithm here, the only important take-away is that it uses all the previous numbers in a fixed way to set the final number in the credit card sequence. So, working backwards it is possible to calculate whether any purported credit card number is a potentially valid one. I say ‘potentially valid’ because the algorithm cannot establish whether this number has been issued, just that it conforms to the pattern.

Unfortunately, this does not just enable international commerce it also enables fraud. If a fraudster wants to create potential credit card numbers they need only use this algorithm and a bit of basic knowledge about the other numbers to do so.

The numbers created have one major gap though, that stops them being useful – they don’t have an expiry date. Note, they also don’t have the 3/ 4 digit CVV number but not as many online transactions validate this. Without the correct expiry date the fraudulently created card number will not work, even if it matches an existing open account. Fraudsters can use trial-and-error in an attempt to establish the correct expiry date for a given number but multiple incorrect attempts will usually trigger an alert at the issuer and since there is no way for the fraudster to know for sure that such a number actually exists, the process can be interminable. As a result, card not present fraud using created numbers is not usually a major problem.

Unless card numbers are issued sequentially that is. A typical 16 digit credit card number may appear a random selection of numbers at first but as I mentioned they conform to a standard format. The first few digits identify the card network and issuing bank, the next few digits are usually used by that issuer to identify the sub-product while the last six to eight digits before the final check digit remain available for any use and it is these digits that are sometimes issued sequentially.

In an example I have seen before, the last six digits were split in two and issued sequentially so that the first card issued in a new product would end 001001X where X was the check digit, the next one would end 001002, the thousandth card would end in 002001X and so on.

This system had been used for years without problem until a specific online attack revealed its inherent weakness. A fraudster need only find one match between a valid, issued card number and its expiry date to be in the position to create the next card in the sequence knowing full well that the expiry date was almost certain to be the same. They could continue this process until the expiry date no longer worked in which case they could assume with much certainty that the expiry date had now moved up by one. So, be it through chance or trial-and-error, if a fraudster knows that card number XXXX XXXX XXXX 123X expires in May 2012 then they can be sure that card number XXXX XXXX XXXX 124X does too – using the Mod 10 algorithm to calculate the new check digit being the only other required step.

This knowledge allows the fraudster to create thousands of credit card numbers with a high probability of validity (around 80% once closed accounts, re-issued numbers, etc. are taken into account) and to use these for a large-scale attack. It is under such an attack that a card issuer can suffer significant financial and reputational costs. In the case I alluded to earlier, the premium card portfolio had been compromised in this manner and at one time cards were being compromised so quickly that some affected customers were contacted were issued new plastics only for those to be compromised too before they had even been delivered. Given that this was the premium card product it is easy to see how large the reputational costs were despite actual financial losses being insignificant.

To prevent a repeat of this situation, the issuer in question switched to randomised numbering thus breaking any logical link between the card number and its expiry date. In the new system batches of ten thousand numbers were created at a time, ordered randomly and then assigned in that order. At the same time there has been a drive to increase the coverage of Visa and Mastercard’s respective online fraud defence tools and to use the CVV code in online authorisations – something which had not been technically possible in the past. Both of these other projects address the same problem and so, to the extent that they’re implemented, will negate the benefits of random number issuing. However, where they are not widely used, random number issuing remains a low-tech but pro-active defence.

Read Full Post »

Managing transactional fraud is like searching for a needle in a haystack.  Except the needle is moving and the haystack is growing!  Faced with an environment as complex and daunting as this, banks invest large amounts in increasingly sophisticated fraud detection systems.  These systems are typically built around a statistical model and aim to identify those transactions which most closely resemble previous fraudulent transactions.  These systems seek to increase the efficiency and effectiveness of the system by increasing the probability that each customer contact will detect and confirm fraudulent spend while simultaneously increasing the total number of fraudulent transactions detected.

Investment in large transactional fraud systems is justified by the ever-increasing cost of fraud losses.  However, the idea that they alone can solve the problem is based on an old paradigm.

Traditionally, communicating directly with customers was expensive and time-consuming.  To confirm fraudulent transactions banks needed to contact customers telephonically.  Since it was not financially viable for banks to contact every customer to confirm every transaction, they invested in systems and analysts that could screen the mass of transactions and identify only those transactions likely enough to be fraudulent so as to warrant the cost of a confirmatory phone call.  This was true even while the configuration of those systems necessarily resulted in fraudulent transactions being ‘missed’.  The companies that produced these transactional fraud detection systems, meanwhile, focused their efforts on making them ever better at calculating the probability of any one transaction being fraudulent.

But the key underpinnings of this paradigm – namely that staff and communication are both expensive – are no longer true.  Once the old paradigm is abandoned, it is possible to find significant value in simple and cheap solutions like SMS transactional alerts.

An SMS transactional alert is an informative SMS that is automatically generated whenever a transaction meeting pre-set criteria is processed on a credit card.  These SMS alerts typically include some basic information about the transaction and ask customers to phone or text the bank in the event of that transaction having not been originated by themselves.

SMS alerts are inspired by a new fraud management paradigm, one that is underpinned by the assumption that ‘staff’ can be free and that communication is very cheap.

SMS alerts clearly don’t change the direct costs of employing staff.  Rather, they transfer the workload of screening alerts from paid employees to unpaid customers.  If the bank sends an SMS alert to a customer, it is that customer who takes the time and effort to validate the transaction.  So, where once a large team of employees was needed to analyse transactions and to contact customers to confirm suspected frauds, it is now possible to screen almost all transactions with a small team of employees and a very large ‘team’ of customers.

It was the high cost of communicating with customers that made it essential for suspicious transactions to be manually screened and reduced before customers were contacted.  But, none of this is necessary now that banks can contact customers instantaneously and very cheaply through SMSes.

As a fraud prevention tool, SMSes do not preclude the need for traditional fraud management tools.  Rather, they free up manual resources and allow staff to focus immediately on the highest risk as identified by these systems.

When implementing SMS alerts, it is important to avoid two common mistakes that are often made when old paradigm thinking is allowed to persist.  Customers should not be charged for the service – though in some markets the practice does exist – and the triggers should be easily understood.

The value of an SMS alert system increases with its coverage, not with its efficiency.  Every SMS alert saves more money than it costs.  Therefore, the bank saves more money as each additional customer is enrolled in the programme.  By trying to recover the running costs directly from its customers, a bank limits the scope of its programme and, in so doing, limits its savings.  Though, in some markets banks have successfully charged for the service without major reductions in customer take-up rates.

Alerts should be sent for all transactions over a nominal value-based trigger – either enforced or customer-selected.  It may be more efficient to send alerts based on calculated fraud rules but this, again, is false economy.  Because staff are free and communication is cheap, it is now cheaper to send alerts for all transactions than it is to risk missing a fraud.  It is also preferable to meet customer expectations by generating alerts when – and only when – they are expected.

These alerts are not just a cheap way to limit fraud, they’re also a very effective way to do so.  When used fraudulently, an account that receives SMS alerts is likely to suffer losses fifty to seventy percent lower than those experienced by a similar account not receiving SMS alerts.

The benefits are not restricted to fraud savings either – customers value SMS alerts.  An SMS alert programme is therefore a win-win offering that reduces fraud losses while improving customer service.  The second non-financial benefit is an improvement in customer contact data.  Because customers expect and appreciate SMS alerts, they quickly become aware of any breakdown in communication between the bank and themselves.  And, because they appreciate these alerts, when they become aware of these broken communication lines they are more likely to pro-actively contact the bank to update their contact details.  Since all functions of the bank can access this information, they too benefit from better contact rates for their strategies.

In summary, a bank with a good SMS alert programme is likely to have lower fraud losses, lower fraud operational costs, happier customers and better customer contact details.

Read Full Post »



An earlier article in this category constructed the profit model as an equation.  However, in certain circumstances, it is also possible to use a diagram to achieve the same goal.    

A diagrammatic profit model is a useful communications tool when the intended audience is non-technical and may feel uneasy with equations.  On the down side, although a diagram can highlight the interactions between profit models it can’t easily show the size of each interaction.  This means that it doesn’t facilitate accurate calculations in the same way that an equation would.    

In practice, therefore, the two formats compliment each other.  As a piece of analysis progresses though its life-cycle, the dominant format of the profit model will change.  

Usually, an analyst’s first step would be to draw a draft profit model in diagrammatic form.  This helps the analyst to identify the key profit levers and the interactions between them.  In this format it is easy to manipulate the profit levers and to understand their relationships.  

The next step would be to translate that draft model into a series of equations and to populate those equations with actual data from the business.  These equations will be calculated and the results interpreted in order to determine the optimal strategy for the situation in question.    

Once the analyst is sure of their answer, they will need to communicate their findings and the logic behind them to a broader audience.  At this stage, the equations will be put back into a diagram.  This should contain enough information for the majority of the audience members.  In cases where more detail is required, the analysts would answer those questions by referring back to the equations.   


Read Full Post »

Older Posts »