Today’s columnist, Bill Mann of Styra, says forward-thinking traditional banks such as Bank of America understand that security and privacy have become central to the continued growth of the business. (Credit: Corporate BoA Office via Getty Images)

Customers have more choices than ever when it comes to banking. The rise of neobanks, banks born in the cloud, has upended the industry with built-in agility and responsiveness, elevating customer expectations of convenience. That expectation has extended to the entire spectrum of banking institutions, whether or not they’re cloud-based.

Today, most banks are adopting app-based banking to meet increasing demands. In this new landscape, neobanks have a leg up on traditional banks. And yet, traditional banks are moving quickly, and a well-crafted online presence muddies the nuance between neobanks and forward-thinking traditional banks.

Elements like speed, ease of use, and enticing features are driving customer demand – but there’s one factor plaguing any bank operating online: security.

Security breaches and the corresponding media coverage have heightened consumer awareness of the risks of trusting online operations with sensitive data. There are few items more sensitive than our identities and financial resources, both of which are seen as vulnerable in online banking.

Security – and the authorization strategy at the core of that security – are integral to any bank’s ability to attract and retain customers. Indeed, security might, for the first time, become part of the customer experience. Done right, security can serve as a critical differentiator in this increasingly crowded space – especially when so many other banking features are being quickly commoditized. Why choose one bank over another when they all have such similar UX and features? Simple: Which one will protect the user and his or her assets?

What banks need to do now

Banks need to earn and retain customer trust. Whether it’s a brick-and-mortar bank, cloud-based, or a hybrid model, the solution remains the same: a security plan built for the current landscape, communicated clearly and candidly to customers.

Step one? For brick-and-mortar banks, that means embracing the reality that an online presence functions as a cost of entry – and they can’t do it with shortcuts.

For banks born in the cloud or those wishing to compete with those born in the cloud, the first step means taking a hard look at authorization. Banks have long been in the business of managing entitlement. In a cloud-based landscape, entitlement has become just one component of a larger authorization challenge, and managing this challenge manually is neither realistic nor secure.

Modern banks are complex software houses, and mobile stacks present diverse sets of technology with infinitely more moving parts than in the previous monolithic app environment. Where years ago there were dozens of components, now there are hundreds. Where there were once thousands of decisions made per day, now there might be millions. That’s why it’s so critical to do authorization right. While many banks are stuck focusing on authentication (e.g. “are you who you say you are”), the banks that survive will also focus on authorization (e.g. “who and what can access what information under what circumstances”).

How authorization builds trust

Solving authentication determines who’s at the front door. Solving authorization means that even if a person gets in the front door, they only have access to the rooms and controls that they need to execute the transaction. It sounds simple, but it’s a massive challenge.

Some solutions offer capabilities at certain levels, but don’t span the entire architecture. A successful authorization policy, like those enabled by the Open Policy Agent and the product around it, decouples authorization and policy from the systems that need to have policy and authorization. With decoupling, policies can adapt to up-to-the-second needs without involving developers. That allows for faster, more secure action.

The crux of the issue: Solve the authorization problem on the back-end while maintaining a streamlined, seamless customer-facing operation. It’s the classic scenario of a duck paddling hard under water while it appears visibly unbothered above the surface.
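The decoupling described above can be sketched in a few lines. This is an added example, not code from the column, from Open Policy Agent or from Styra: `PolicyDecisionPoint`, `transfer`, the rule fields and the sample policy are all hypothetical and constructed for illustration. The service only asks for a decision, so tightening a limit is a policy reload rather than a code change, and every decision is recorded.

```python
import json
import time

# Constructed sample policy: rules are data that lives outside the service code.
POLICY_V1 = json.loads("""{
  "version": 1,
  "rules": [
    {"role": "customer", "action": "read_balance", "own_account_only": true},
    {"role": "customer", "action": "transfer", "own_account_only": true, "max_amount": 5000},
    {"role": "teller", "action": "read_balance"}
  ]
}""")

class PolicyDecisionPoint:
    """Hypothetical stand-in for an external policy engine (not OPA itself)."""
    def __init__(self, policy):
        self.policy = policy
        self.decision_log = []  # record of every decision, kept for later audit

    def load(self, policy):
        self.policy = policy  # swap rules at runtime; callers are not redeployed

    def decide(self, req):
        # Default deny: the request is allowed only if some rule matches it.
        allow = any(self._matches(rule, req) for rule in self.policy["rules"])
        self.decision_log.append({"ts": time.time(), "input": req, "allow": allow,
                                  "policy_version": self.policy["version"]})
        return allow

    @staticmethod
    def _matches(rule, req):
        if rule["role"] != req["role"] or rule["action"] != req["action"]:
            return False
        if rule.get("own_account_only") and req["subject"] != req["account_owner"]:
            return False
        if "max_amount" in rule and req.get("amount", 0) > rule["max_amount"]:
            return False
        return True

def transfer(pdp, subject, role, account_owner, amount):
    """Service code: the caller is already authenticated; access is the PDP's call."""
    req = {"subject": subject, "role": role, "action": "transfer",
           "account_owner": account_owner, "amount": amount}
    return "transferred" if pdp.decide(req) else "denied"
```
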

It only works when the company communicates

Most customers can’t be bothered to confirm that a bank has an industry-leading authorization policy in place or holds certain security certifications, much less read up on the specifics of those certifications. They want to know, in their language, how exactly a bank prioritizes security, what they’re doing better than their competitors, and what they’ll do in the event of something going awry.

And then when something does go awry, the bank needs to clearly articulate exactly what happened, who was affected, and what that actually means for them. A great authorization policy also works as a tool for demonstrating compliance, since it can keep a record of incidents and pinpoint issues.

If a customer doesn’t feel secure in their banking environment, there’s very little stopping them from switching to another provider. Transitions are increasingly seamless – and increasingly incentivized. Again, so many elements of modern banks are identical right now (rates, fees, limits), so security and privacy – and how that security and privacy are communicated to customers – are the factors that can make all the difference.

Bill Mann, chief executive officer, Styra