Why Behavioral Intelligence is Crucial for Banking and Insurance Compliance
GDPR, Equifax, Capital One – turn on the news any day of the week and you will see an alarming headline that prompts your subconscious to touch your wallet to make sure it’s still there.
Today, as data has become the modern-day gold, organizations are increasingly aware of how precious this commodity really is. And as the demand for data increases, there is a positive correlation with the need to move that data. And as the need to move the data increases, there is a subsequent increase in data vulnerability, putting companies at risk of loss, leaks, and theft.
While many see compliance as an unnecessary additional expenditure, its importance cannot be overstated. NONCOMPLIANCE costs nearly three times as much as compliance does.
Think of it like insurance – it’s annoying to pay the monthly bill, but when you inevitably get into that fender bender and the bill is a few thousand dollars, you’ll be thanking your lucky stars you had it.
As with anything else, however, it all comes down to a cost-benefit analysis.
Some more risk-prone folks are willing to gamble with their compliance standards when they believe the cost outweighs the benefit.
What those companies don’t realize is that, according to Ponemon and Globalscape, the average cost of noncompliance is 2.71 times higher than simply spending the money to become compliant.
While that is an abstract figure to most, especially when you haven’t been whacked with an Equifax-sized fine, not to mention the reputational damage and loss of customer trust, the importance of protecting your organization is paramount.
When you fail to meet compliance standards, especially banking and insurance compliance, costs can come at you fast: business disruption, productivity loss, revenue loss, and fines, penalties and settlement costs, just to name a few.
This is why companies are turning to more sophisticated banking and insurance compliance software solutions to save costs in the long run.
And while there are ways to save (see chart below), taking compliance shortcuts can be dangerous.
From 2011 to 2017, the cost of attaining compliance has grown by 43%. But, again, the alternative is far more costly.
Perhaps more frightening is the fact that, despite the rise in costs, the overall spend by companies has remained largely flat.
The Globalscape study mentions an average increase in IT spend on compliance of 2.5%, versus a 43% rise in costs.
This proves that, despite all of the headlines and government warnings, companies are still rolling the dice on risk.
And despite the fact that companies are continually missing the mark when it comes to compliance standards, they continue to invest, if only slightly, in the same technologies.
Even with new cutting-edge AI compliance and oversight software out there, they’re stuck trying to keep Wall St. happy, and that typically means maintaining or lowering costs.
While traditional compliance software approaches might be enough to get you compliant, doing the bare minimum is a risk in and of itself.
New AI-driven banking and insurance oversight software like ForMotiv’s Behavioral Intelligence solution helps businesses reduce risk and lower costs, both from a ‘safety of compliance’ standpoint, as well as a reduction in risk and fraud.
The bottom line: Companies are not doing NEARLY enough to hit the acceptable threshold of compliance, and if it hasn’t hurt them yet and they don’t start adding new solutions, it will.
The Current State of Compliance
With the requirements growing every year, it can be seemingly impossible to keep up.
Common industry compliance regulations include PCI (credit card and payments), HIPAA and HITECH (health data), Sarbanes-Oxley (accounting), and GDPR (consumer protection in the EU).
HIPAA fines can be as much as $1.5M per incident, and GDPR fines can reach 20 million Euros or 4% of annual revenue (whichever is greater).
And with so many new laws, rules and regulations being created every year – JWG in London may have said it best, “It seems that much like Moore’s law in the field of computing there is a ‘Regulatory Law’ that means the operational burden of controlling regulations will double every few years.”
With that in mind, if you are your organization’s financial service, banking, or insurance compliance officer – whether your role falls under CIO or IT manager – the more information you have about various compliance issues, as well as your customers, agents, and employees, the more confident you’ll be when your company faces an audit.
To combat this, enterprises typically deploy a multi-pronged approach when it comes to compliance:
- Identity and Access Management
- Logging and Monitoring
- Company Policy and Training.
Identity and Access Management
According to CSO, Identity and Access Management is a layer of compliance software “about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users might be customers (customer identity management) or employees (employee identity management). The core objective of IAM systems is one digital identity per individual. Once that digital identity has been established, it must be maintained, modified and monitored throughout each user’s ‘access lifecycle.’”
These compliance software tools must “grant access to the right enterprise assets to the right users in the right context, from a user’s system onboarding to permission authorizations to the offboarding of that user as needed in a timely fashion.”
IAM compliance systems give administrators the ability to change a user’s role, track activities, create reports on those activities, and enforce policies on an ongoing basis.
Most of these tools are limited, however, and don’t provide a full, end-to-end picture of the user’s behavior.
It’s very likely that IAM compliance software tools will begin integrating behavioral intelligence and analytics solutions soon to close the gap.
In the meantime, here are some examples of IAM tools that exist today:
- API Security
- Customer Identity and Access Management (CIAM)
- Identity Analytics (IA)
- Identity as a service (IDaaS)
- Identity Management and Governance (IMG)
- Risk-based authentication (RBA)
Forrester Research sums up the use cases of this compliance software well…
API Security enables IAM for use with B2B commerce, integration with the cloud, and microservices-based IAM architectures. They are commonly used for single sign-on (SSO) between mobile applications or user-managed access. This allows security teams to manage IoT device authorization and personally identifiable data.
Customer Identity and Access Management (CIAM) allows user authentication, self-service and profile management, and integration with CRM, ERP, and other customer management systems and databases. This makes it easier for administrators to quickly give or remove access to the different system tentacles that move throughout an organization.
Identity Analytics (IA) simply allows security teams to detect and stop risky identity behaviors using rules and machine learning.
Identity as a Service (IDaaS) includes “software-as-a-service (SaaS) solutions that offer SSO from a portal to web applications and native mobile applications as well as some level of user account provisioning and access request management,” according to the report.
Identity Management and Governance (IMG) provides automated and repeatable ways to govern the identity life cycle. This is important when dealing with compliance with identity and privacy regulations.
Risk-based authentication (RBA) solutions “take in the context of a user session and authentication and form a risk score. The firm can then prompt high-risk users for 2FA and allow low-risk users to authenticate with single factor (e.g., username plus password) credentials,” according to the report.
The need for IAM systems to constantly evolve is greater today than ever before, as computing environments used to be largely on-premises and no longer are.
Believe it or not, this access management can relate to physical assets as well, like swiping into an office at certain hours.
Leading technology providers include Saviynt, Oracle, and SailPoint.
Logging and Monitoring
Organizations perform event logging and monitoring by examining electronic audit logs for indications that unauthorized activities have been attempted on an application that processes or stores confidential information. When correctly implemented, logging and monitoring helps organizations determine suspicious events and the appropriate data to analyze those scenarios.
Logged and monitored events include:
- Log On
- Log Off
- Authentication Failure
- Add/Remove Employees
- Application Access
- Password Changes
- IP and Network Device
And while logging is extremely helpful in uncovering malicious activity, adding behavioral intelligence into your banking and insurance compliance software gives you even more granular data to assess risks and threats.
Knowing how users (not just malicious users, but every user) interact within your application, down to the keystroke, gives you unprecedented insight into user flows, compliance oversight, and risk and fraud monitoring.
Policy and Training
Enterprises spend billions onboarding and training their employees on their jobs, workspaces, and applications. In fact, enterprises in the US and UK lose $37B per year from keeping poorly trained new hires.
JP Morgan is spending $250M over 5 years to properly train their new hires. The cost of unproductive employees is too great. In fact, it’s estimated that it is 2X salary for senior hires.
So how do organizations ensure they have engaged employees who are acting in the best interest of their businesses?
They have to closely monitor their employees and agents with behavioral intelligence.
Sometimes an employee’s intentions aren’t aligned with the carrier’s.
Companies like ForMotiv monitor an employee’s behavior (distinct from D2C behavior) and alert carriers when an individual agent is potentially manipulating an application in order to get through underwriting.
For example, a carrier can be notified if a certain application screen is completed in under 50% of the expected time, or if the same account and routing number are used for multiple policies.
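The two alert rules in that example can be sketched as follows. This is an added example, not ForMotiv’s code or API; the event fields, expected screen times, sample records and HMAC key are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data; field names and values are assumptions for this example.
EXPECTED_SECONDS = {"health_history": 120.0, "payment": 60.0}
SCREEN_EVENTS = [
    {"agent": "A17", "policy": "P-1001", "screen": "health_history", "seconds": 131.0},
    {"agent": "A17", "policy": "P-1001", "screen": "payment", "seconds": 48.0},
    {"agent": "B02", "policy": "P-1002", "screen": "health_history", "seconds": 41.0},
    {"agent": "B02", "policy": "P-1003", "screen": "health_history", "seconds": 60.0},
]
PAYMENTS = [
    {"agent": "A17", "policy": "P-1001", "routing": "000000001", "account": "1111222233"},
    {"agent": "B02", "policy": "P-1002", "routing": "000000002", "account": "9999000011"},
    {"agent": "B02", "policy": "P-1003", "routing": "000000002", "account": "9999 0000 11"},
]
HMAC_KEY = b"constructed-demo-key"  # in practice, a secret held by the detection service


def fast_screens(events, expected, ratio=0.5):
    """Return events completed in strictly under `ratio` of the expected time."""
    alerts = []
    for ev in events:
        baseline = expected.get(ev["screen"])
        if baseline is not None and ev["seconds"] < ratio * baseline:
            alerts.append((ev["agent"], ev["policy"], ev["screen"]))
    return alerts


def bank_token(routing, account, key=HMAC_KEY):
    """Keyed digest of the normalized bank details, so grouping needs no raw numbers."""
    digits = "".join(c for c in routing + "|" + account if c.isdigit() or c == "|")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def reused_bank_details(payments):
    """Return sorted policy lists that share one routing/account pair."""
    policies = defaultdict(set)
    for p in payments:
        policies[bank_token(p["routing"], p["account"])].add(p["policy"])
    return sorted(sorted(ids) for ids in policies.values() if len(ids) > 1)


if __name__ == "__main__":
    print(fast_screens(SCREEN_EVENTS, EXPECTED_SECONDS))
    print(reused_bank_details(PAYMENTS))
```

Normalizing the account digits before hashing keeps a reformatted number (added spaces, for instance) from evading the reuse check, and a screen finished in exactly 50% of the expected time does not alert because the rule is "under 50%".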
Behavioral intelligence for employee training can also help understand which employees, such as call center sales representatives, are most or least efficient.
From that data, you can properly train those who struggle during certain parts of the application, ensuring they are following protocol and avoiding any additional unintended risk.
Using Behavioral Intelligence for Compliance and Training
Compliance is often the most unheralded mission-critical business function at Fortune 500 organizations.
Requirements are rarely understood by technical teams, making a proactive compliance program nearly impossible to implement and maintain.
Furthermore, compliance programs often focus on the firewall but not what happens when an employee, customer, or call center agent gains access.
ForMotiv enables businesses to maintain every employee, customer, and call center interaction with your enterprise applications down to the keystroke.
Companies are commonly using Behavioral Intelligence data for three reasons:
- Anomaly Detection
- Forensic Behavioral Records
- Workforce Training, Insight, and Optimization
A proper compliance strategy must not only have status quo tools but also implement new and innovative ways to protect organizations from rogue (looking at you, Capital One!) and malicious (cough…Wells Fargo…cough) employees.
ForMotiv’s Behavior Intelligence solution for banking and insurance compliance software not only stores the data it collects but also alerts companies when employees exhibit behavioral anomalies or behave in ways they shouldn’t.
This prevents catastrophic financial and reputational losses for organizations of all sizes.
The Bottom Line
Businesses today have a tall task when it comes to compliance. It’s difficult to accomplish, expensive, and hard to understand. But by no means does that give these companies an excuse to skirt the rules, take shortcuts, or use inadequate methods to get up to par.
Integrating advanced AI solutions such as behavioral intelligence for banking and insurance compliance solutions can help keep costs palatable while increasing their ability to prevent and reduce risk.