Vulnerable Customers and the Evolving Responsibilities of Financial Institutions

In Episode 7 of Digital Tells we speak with Iain Swaine, Director of Global Advisory for BioCatch in the EMEA region. Iain reviews four different drivers of vulnerability as defined by the Financial Conduct Authority in the UK, how different regions’ authorities are approaching financial institutions’ responsibilities when it comes to vulnerable customers, the challenges that faster payments present, particularly when dealing with scams perpetrated on vulnerable customers, and how institutions can help identify and protect vulnerable customers by leveraging behavioral biometrics.

Peter Beardmore

When I was first married in the mid-nineties, my wife at the time was a part time bank teller while she was finishing college. She'd often come home with stories, often heartwarming stories about interactions with all sorts of people elderly clientele. There was a regular in her branch who was cognitively impaired, who worked at a grocery store across the street. He'd come in every week to deposit his paycheck. There was another regular who was visually impaired, and it was evident from her descriptions that she really liked and cared about these people. In all the tellers there, looked out for them, took extra time with them, and cared about their well-being. According to the Financial Conduct Authority definition, a vulnerable customer is someone who, due to their personal circumstance, is especially susceptible to detriment, particularly when a firm is not acting with appropriate levels of care. In the era of digital banking, identifying and caring for vulnerable customers isn't as straightforward as it once was. And arguably, in an age of increasing scams and other financial crimes, these populations are increasingly at risk. The topic of vulnerable customers has continued to gain in frequency and momentum over the past several years. The aforementioned Financial Conduct Authority in the UK, the Consumer Financial Protection Board in the US, the Monetary Authority of Singapore, the Royal Banking Commission in Australia and many other regulatory and standards organizations around the world have been looking at what classifies a banking customer as vulnerable and what sorts of obligations do banking institutions hold with respect to safeguarding vulnerable cohorts within their customer base and the population at large? I recently had a conversation with Ian Swain, who has served as director of Global Advisory for BioCatch in the European Theater for about six years. All the while, the narrative of what makes up a vulnerable customer and how to take care of them has evolved. Here's Iain.

Iain Swain

The Financial Conduct Authority, which guides the UK bank to put out an advisory last year about vulnerable customers. And it wasn't explicitly looking at fraud. That was one of the things they was looking at, treating them fairly, making sure that they were not left out in this digitized world. And it looked at everything from potential disability. So hearing vision, cognitive impairments, people where English wasn't the native language. It looked to age on their very young teenagers then into the twenties where they might not have the knowledge about the financial world. But of course, the one which is, I think, showing more traction with promoted statutes that the older generation, the non digital natives, you know, the 65 plus where particularly with COVID, they were being forced into a digital world which maybe they were ill prepared for.

Peter Beardmore

So I learned from speaking with Ian that the FCA had actually gone into some greater detail defining vulnerable customers by various drivers health, life events, resiliency, and capability. So I asked Ian to offer some insight into each of these areas, starting with health. And he started by making the point that vulnerability is not a binary concern. The degree to which someone is vulnerable may evolve over time.

Iain Swain

I think vulnerability we need to say, is not just a binary vulnerable or not vulnerable could be a trendy thing on health. You could have, say, a chronic condition which might be going to end to life that might actually make you more vulnerable due to that. Or you could be a temporary vulnerability with a health where it could be a short term illness rather than a terminal one. They may not be able to make the same level of choices. And again, that that could be everything from someone who needs a carer to look after them and do that, or someone who's actually who previously been in good health and then have an accident where they're no longer capable of making decisions or the decisions they make can be quite full.

Peter Beardmore

Okay, so there's health. Let's talk about life events.

Iain Swain

Okay. Well, life events can be something that happens. It could be similarly, you know, a longer term or shorter term thing. So one life event could be that you and I retired, annihilated another life event could be bereavement. So you have a bereavement and you've just lost a mother, father, child, partner. Where does that leave you? In an emotional state on there. And it covers really things which might cause you not to be capable of dealing with stuff that otherwise it would be in your stride. And I think that that's more of the transient species thing where it's a temporary period of vulnerability.

Peter Beardmore

So tell me about the resilience category.

Iain Swain

The resilience. Most of it is around financial resilience. So have you got the fact that you're in debt, you can't actually cope with any financial shocks? Have you got low savings? Have you got your outgoings exceeding your income? Is it erratic? I think resilience is one of the things you have vulnerability, which is going to rear its ugly head globally by Q3, Q4 of this year unfortunately. In Europe we've seen the awful spike in gas and electricity prices because of events.

Peter Beardmore

Ian touched on a topic that I think will be fodder for a lot of future conversation. If you believe global markets are heading into recession as a result of world banks trying to head off inflation, large segments of the population may soon become less financially resilient than they may have been in recent years. What does that mean in terms of their susceptibility for financial fraud and scams? Finally, I asked Iain about capability as a category of vulnerability.

Iain Swain

Capability really looking at how well people can actually look after the financial side of their life, both digitally and just in the real world. So do they actually have the knowledge to manage their finances? Have they actually got the numeracy skills to even go back and look at the money flow and looking and understanding where money is going in and out? We've got people who don't have English language skills, but we've considered things like the Ukrainians coming in as a refugee there. They don't know the English. How are they going to cope with some of this? What does the bank need to do to make sure that they are looked after and they can deal with it?

Peter Beardmore

And so clearly, when you look at health, life, events, capability, resiliency, there can be some overlapping circumstances. And it may lead one to ask, well, how could a financial institution even tell when a customer may be vulnerable and what's their obligation to do anything about it? We'll get to the how in a few minutes. But the what is just as important? What are the obligations? I asked Ian about how governments and standards organizations are looking at this, and not surprisingly, this is an area that seems to be evolving and there are similarities and differences in different countries and regions.

Iain Swain

Okay. So I think it depends where in the world you are. As I was saying earlier, the UK has taken the lead, the Financial Conduct Authority put out the guidance for its in that to quote, they’re were obliged to treat vulnerable customers fairly with a level of care that is appropriate given for the characteristics of the customers themselves. The Australian Commission put something out there which is more around the mis selling of it, but I think what I've seen, it's not become a regulation yet. They're actually guidances and they're trying to say to the banks, get your hands is in order. If you don't, you're going to get regulation.

Peter Beardmore

Iain went on to explain that other regions have come at it differently. In Australia, for example, the financial industry has been more proactive, recognizing the effects of hyper digitization and the dangers of faster payments on vulnerable populations. In the U.S., the Consumer Financial Protection Bureau has been slower to act, partially due to political hurdles, but also because the dangers of faster payments and peer to peer payment apps are just coming to the forefront of public awareness. I asked Ian about faster payments. In the U.S. systems like Zelle in Cash App and Venmo come to mind. But while this is a fairly new phenomenon in the U.S., it's been an ongoing issue in Europe and Asia for some time.

Iain Swain

I think when we look at faster payments, it's literally that instantaneous, real time payments. So that money comes out of your accounts. You press the confirm button and there's a certainty of fate within less than 60 seconds in most of the faster payment systems around the world. And that certainty of fate means that that money is debited from your account real time. It'll go across from a bank to bank network, or in the more advanced ones it will be a hub and spoke mechanism on there, which then routes it through and then it's at the other end they to the other person to actually get access. When we look at that compared to other things, we've got the traditional clearing day cycle, clearing cycle. It was three days, it was more batch driven. I think one of the things about faster payments is that it closes what would have been a gap for people to realize that they've been a victim of fraud. And this is especially true of a vulnerable person. So if you've got someone in the sixties and seventies, they might have the light go on why did I do that? In a non-real time system they can actually ring the bank using the number on the back of the said, you know, I think I've just been scammed and the bank can actually get stop on the payment. And even though it's gone into the payment rails, it's not gone through to the person, the other side. They can actually claw it back. The certainty of fate in a proper, real time system is that if you click confirm, even if you got that little thing at the back of your mind saying, Do I really want to do this? You click it and then you realize 5 minutes later, God, what have I done? Or you've got an elderly person who speaks to one of their children. Mum, mum! What have you done? You need to ring the bank. The bank will say, I'm sorry. The money's gone.

Peter Beardmore

Finally, I got to the question what can be done? In some cases the customer self-identifies that they are in a vulnerable category. It may come out of a questionnaire during the account opening process, or it may become apparent during an interaction. Let's say a customer updates their account due to the death of a spouse. In that case, the account can be flagged. But what can the bank do in some cases in a purely digital environment to identify a customer who is in a vulnerable category and therefore may need a different level of protection?

Iain Swain

Yeah. So when we looking at the digital channel, the banks are asking us and it's a very hot topic because I was speaking to a number of them yesterday. And five banks came to me and spoke to me about this. I said when we're looking at behavioral biometrics, the behavior insights behind the device, what can we do to actually identify and really through the lens of fraud prevention and customer protection, to make sure that that person, if we see indicators of vulnerability, is adequately protected in a manner which is transparent and non-intrusive and is following legitimate public interest because we are protecting them, knowing that they may well be more susceptible to certain types of attacks. An example that we were already doing is we get year of birth coming through. We don't collect full personal information. We never do that with the behavior biometrics. But by giving you a birth, we know which cohort they're in. And we've got a bunch of analytical models which actually are predictive to say if we say someone is over the age of 70. Are they behaving in a manner with eye hand coordination the cognitive choices that's consistent with someone of that age. If they're not, we can return the flag back which as you said, you know we've got an age mismatch. They’re younger this doesn't look like it's actually that stated person behind there. Now, we use that typically in a fraud prevention piece, but actually we have the fact that when we don't see any indications of fraud, we don't see any of the gross population level changes that a fraudster would do. But it actually looks like genuine behavior. At the moment, the bank just consuming that. They’re saying, well, that's something we'd like to consume. We can get an insight as to who's really operating the accounts.

Peter Beardmore

Iain went on to explain a number of other indicators of potential vulnerability that BioCatch can identify using behavioral biometrics. But it begs the question what to do with that information. Is a behavioral biometric indicator worthy of a conclusion that a different banking decision should be made? Should there be, say, more authentication? Or should this lead to a more thoughtful process?

Iain Swain

As you were saying Peter, when we look at the traditional mechanisms for saying we see something anomalous, we actually want to double check things they might not all in most cases are not fit for people who would fit into one or more of the vulnerability categories. So if we see something that's suspicious that's going on in an account, traditional information security or IT security or any form of orchestration would be, well, let's confirm, it really is the right person behind the account to add another level of security. So we say, well, here's an extra match that's coming through to you or we need you to confirm this by clicking a link in your email. These kind of things where you're adding a lot of complexity, you're taking it out of the channel where the customer's interacting. That's going to cause drop, is going to cause more confusion. It can lead to them being digitally isolated because they get scared of it.

Peter Beardmore

So taking care of vulnerable customers is not just about identifying vulnerable customers. It's about validating those indicators and then tailoring customer experiences that lead to positive outcomes.

Iain Swain

And the banks have taken the behavioral signals and the behavior of the device, but importantly, the behavior of the human, not just in how they're charging and sort of thing, but what it means when you combine it together cognitively. Are they confident of what they're doing? Are they distracted? Are they showing signs of stress? Does it actually look as if they've been guided by someone as they're doing this? You sort of feed those insights in we use them include in actual prevention models, but we can actually pull some of these pieces out, the banks are saying feed them to us and not necessarily going into our fraud engine but actually go into the banking decision piece some form of orchestration was a combination with a couple of banks we're talking about can we do behavior choreography? Can we actually guide the user experience by taking in the cognitive signals, the things that putting out the things we know about them internally in the bank, the things that are just slightly off now or often that's standard profile and tailor the experience for them.

Peter Beardmore

There's a lot of non-binary data to draw insights from, to figure out how best to connect the dots, and then to facilitate an experience that is, on one hand, protective, preventing scams, for example, and on the other hand, just helpful because while it may not be inherently obvious when an elderly or a cognitively or visually impaired client enters your digital bank, our obligations, while they may not be there from a regulatory sense yet, they certainly are there from a moral and ethical sense to do our best and to take care of them. Digital Tells is written and narrated by me Peter Beardmore, in partnership with my producer Doug Stevens of Creative Audio and Music and with support and sponsorship from BioCatch. Special thanks to Iain Swain. For more information about this episode, behavioral biometrics, or to share a comment or idea, visit biocatch.com/podcast. Until next time. take care.