Lloyds Banking Group – Best practices from implementing Voice Biometrics and Network Authentication

[00:00:00] Matt: We might as well make a start because no one wants to listen to me talk. So I’ll do a quick bit of housekeeping to get us started and then we’ll be straight over to Andrea. Just bear with us a few minutes. For those of you who don’t know, know me, I’m Matt Smallman. I’m the author of Unlock Your Call Center and my work is really helping organizations improve the usability, efficiency, and security of their call center security processes. Both identification, authentication, and fraud prevention. But above all that, my real mission and passion is getting rid of, eliminating, frustrating, time consuming and pointless security processes wherever we might find them.

[00:00:28] And that’s really how we came to launch the modern customer security community because whilst I think I do a great job as a, an individual for my clients, I am just one person. And I heard from many people that they wanted to take the advantage of experience of others to help them along this journey, but that they didn’t really think existing forums allowed them to do that in a way that was sensitive to the nature of the topics being discussed..

[00:00:53] This is clearly about security and customers and many organizations would like to keep that quite private. Again, for those who don’t know I always use the term modern security to contrast with what I see as the traditional knowledge-based authentication questions like mothers maiden name, date of birth and others that you are familiar with. Or even the kind of transitional approaches that we’re also familiar with, pins, passwords, s m s, notifications that address some of the some of the security challenges, but often do so at the cost of usability and efficiency. You can of course read more about this and my approach to these problems in my book, but that’s not what today is for.

[00:01:28] The purpose of the community then really is this flywheel you’ll see on the screen in front of you. We want to provide engaging content that attracts people in a position to do something about it and make a change. Provides them with the information they need to make the case internally and be successful when delivering change that has real customer impact.

[00:01:46] And that therefore attracts more people and more people can get involved, more people informed, more change. And hopefully one day, maybe no one ever gets asked for their mother’s maiden name or date of birth when they call an organization for service. So that’s the purpose of community. I’ll be facilitating the session today.

[00:02:05] A few other housekeeping points. Just bear with me. Everyone is on mute and videos are off. And we operate under what we call Chatham House rules. So those who aren’t familiar with. With the exception of Andrea’s prepared remarks, which are clearly attributable to her. All other discussions can be freely used in internally within your workplace, but shouldn’t be attributed to any of the organizations and individuals who might make them on the call today.

[00:02:30] On the call today, we have about a dozen people from a cross section of financial services organizations in the UK, Ireland, and the US and you are all free to share as much or as little as you like. But what I’m really hoping to do having kicked out almost 20 different vendors in advance of this session is that you feel free to ha to ask Andrea and me and each other questions that are relevant to your work and to improving the experience of your customers.

[00:02:56] So without further ado I’m delighted to introduce Andrea Ayres from Lloyd’s Banking Group.

[00:03:00] Andrea’s going to do a bit of an intro to herself in a minute, but she leads the automated services team at Lloyd’s Banking Group, her team is responsible for something like 30 million calls a year that pass through the I V R and routing infrastructure for Lloyd’s Banking Group, Halifax, Bank of Scotland and probably a dozen other brands that I can’t remember.

[00:03:17] I’ve known Andrea for almost a decade now, which is a bit scary when I tried to work it out earlier. Both as a client and hopefully as a friend. And I can tell you that everything she does is driven to get the best possible outcome for her customers. So she has been a healthy skeptic, I think would be the right words in, in many of our interactions and has challenged me to think differently about many aspects of the work you’re about to hear about.

[00:03:39] So I’m delighted she’s agreed to share her story of how Lloyds have implemented different modern security approaches over the last few years. And without without further a do I think it’s probably fair to turn over to Andrea.

[00:03:51] Andrea: Okay.

[00:03:51] Thank you. I’m just gonna get my, share, my presentation and then we’ll kick off Still the horrible, techy bit first.

[00:04:07] Okay, good afternoon everybody. Hopefully you can see the slide. Got so about 20 minutes or so that I’m gonna chat through on the story. So I’m gonna start off, I’ll do a bit about myself. Just touch on Lloyd’s Banking group for anyone who’s not familiar with it. And a bit on some of our automated services.

[00:04:24] I’m then gonna move on to what we call our voice id. So that’s active voice biometrics, why we did it, what the results look like and the challenges and so on. And then gonna finish up looking at the work we’ve done over the last couple of years. And that’s why I’ve called this Closing the Gap.

[00:04:42] Thank you, Matt, for the introductions. I think that was probably pretty good summary. I am really passionate for anyone who’s ever worked for me. I’m really passionate about what I do. Just totally interested in that customer journey, how we can make it better, easier, quicker for the customer, and really exploiting technology.

[00:04:59] So I’ve been involved with a lot of the changes we’ve done in Lloyd’s Banking group and. Just very briefly on Lloyd’s Banking Group it’s a financial services. It’s focused mainly on retail and commercial customers, millions of customers across the uk and we’ve got presence in pretty well every community.

[00:05:17] The strategy and purpose is helping Britain prosper. So within the banks of everything we do relates back to that in some way or another. As Matt says, there’s various brands. It includes many household names. I’m sure most people are know Lloyd’s, Halifax, Bank of Scotland, but there’ll be a number of others maybe that you’re not so familiar with or come under the Lloyd’s banking banking group banner. Again, Might not be aware, but Lloyd’s Banking Group now has been going for over 250 years. It’s one of the largest financial services organization. Got just over 30 million customers and 65,000 employees. . It actually started in 1765 by someone called John Taylor and his two sons, and they all invested 2000 pounds into it.

[00:06:08] Just come on a bit. Since the like the early days. Just a few figures here. As I say, a lot of the focus now from the bank, everything relates back to this Helping Britain Prosper. And it’s just a couple of figures that’s, that’s been published. 22 figures haven’t come out yet, but , hopefully it’ll illustrate the, like the desire the bank has to support Britain.

[00:06:31] , so that’s just a very quick intro to Lloyd’s Banking Group for any of those people. Not familiar with it. If I move on now I’m gonna talk a bit about the automated services and the journey.

[00:06:42] So in 2005 the current I V R application we’ve got at the moment went live. It’s grown over the years expanded, and we’ve built different functionality on there. Today the, this application across the group takes nearly a hundred million calls per annum. That’s across the group.

[00:07:02] My talk today is gonna be talking about the personal banking ivr. Which takes the majority of the calls. And that takes approximately a million calls a week. Substantial part of the total volume. So in 2005, the IVR went live a normal standard with ID&V and a directed dialogue menu with please state balance recent transactions you as was very popular then.

[00:07:27] 2010 we did what we call our migration with Halifax and Bank of Scotland. Scotland probably from the customer domain. Didn’t see much of a change, just like changing the IVR and so on, but from our perspective, that was like a massive change. Doubled the size of IVR really overnight.

[00:07:43] In 2013, we introduced natural language. So internally we call it say anything, but that’s where the customer can give their demand in their own words. So I was led that project really good. Very challenging and that led us to two years later where we put this upfront. So today when you call, we will ask you the demand, your calling reason first before we go into ID&V.

[00:08:08] So that leads me now into three changes that are more recent. The first is introducing what we’ve branded as Voice ID, so that’s our active voice biometrics technology. Then we did some improvements to ID. And then finally we did some network authentication changes. So today I’m gonna focus on those three changes.

[00:08:32] Okay. So I will move on to Voice ID. So. . As I said, the change went live I think was in spring 2018. So as any large project, the work starts on and it probably is probably about 18 months earlier than that.

[00:08:50] So the first decision we had to make was. so right. Definitely an appetite from the bank’s perspective. Yeah, we definitely want to go voice biometrics, but do we do with, go with an active or passive version?

[00:09:02] Initially the discussions were, we would do passive, we would do it on the desktop with a colleague. So raised a challenge to that which I’ll go through in a second. As a result, the bank’s gone with active One of the things, and I’ll probably make this point a couple of times with the different technologies we’ve deployed, it’s really all about knowing who your customers are what they want, what your stats are, and then also what your business is. What’s your strategy? Where do you want to go?

[00:09:34] So some of the key things we looked at, first of all, from a wider industry, what were other banks doing so a lot were going live with the passive. And that’s not, I’m not saying that if everyone does that should be the reason.

[00:09:46] But it was one of the things that we fed in when we were making the decision is like, what is everyone else doing? So I think when we did this, there was a clear mix of active and passive. I think it’s fair to say most companies seem to be going passive first then active, but there were probably a few the other way around.

[00:10:03] But we did do some research on what other companies were doing. That was UK, US and actually I spoke to some companies or banks in New Zealand and Australia. So really tried to find out what was going across the wider industry.

[00:10:17] IVR performance. This was really key to me, and I think this is something that was, it’s probably not unique to us as a company, but we had a really strong IVR performance.

[00:10:27] My concern going down the passive route was we would be starting to move authentication from IVR to the desktop and I was concerned we’d be then moving more course the desktop. So, Yes, you would get your benefits from a quicker and easy authentication process. But were we gonna start because we’re breaking out more calls, actually, we’re gonna have an impact to the AHT and start increasing it from a colleague perspective. So that was one of the key things that we had to consider when making the decision.

[00:10:57] Customer data, this is really important. What are our customers calling? How many actually identify and verify? How are they doing it? What do they want? Are they likely to use this technology? All those types of things. We looked at.

[00:11:09] Fraud prevention. We had a number of discussions on this. We were keen to put this as a strong part of the business case. In the end it went in, but probably on a lighter touch. We now know that this has been really successful.

[00:11:24] And then the customer proposition, so whichever way you went, what would that look like from a customer perspective? So the customer calls, they phone IVR they give their demand. , what would that enrollment process look like? Is that within IVR? Is that with a colleague? So we spent a lot of time mapping out those journeys. And at the end of it the decision was made to go down that active route.

[00:11:46] I will just mention that there was a very brief discussion of, actually, should we do both at the same time? I don’t think that lasted too long. I think everyone agreed that was probably a step too far. Not saying another company couldn’t, but. Lloyd’s Banking Group was like, right, we think we can just cut with doing one or the other first.

[00:12:03] So that was the decision we made to go with active. I’ll just talk just briefly about some of the obstacles we had or challenges, opportunities, which whichever way you, you want to look at. The first. That , I remember , you know, looking back over it was we were part the way through the requirements and the GDPR regulations changed.

[00:12:26] So we were lucky or unlucky enough to have to redo everything to make sure we were compliant with that. But anyone looking at this today, my advice would be get your head, round that like as soon as you can. It’s not really. from a customer journey, you would say, oh, well that type of thing doesn’t, isn’t important initially, but we found that until you get your head around that you were just redoing all the work all the time. So my advice would be speak to people and understand what those rules are.

[00:12:52] Identifying then educating key stakeholders. I think we did a good job on this. Could we have done better? Yes. When you’re going through a project, yes, people are interested, they ask questions and so on. What we found is when we went live, people were very, very interested. And there were probably a couple of stakeholders that actually if we’d done a little better job during the project, it might have made that implementation maybe a bit smoother. Hindsight’s a wonderful thing and it’s difficult to judge, but that would be one of the key things I would say. Just really keep an eye on.

[00:13:22] Agreeing the options for how you’re gonna enroll customers. Again, we have lots of decisions on that. In the end, we did a multi approach. So prime way was we do the offer in IVR so we could offer set up the enrollment in IVR from a colleague that was like free because we didn’t need to use colleagues.

[00:13:41] We had the ability for colleagues to do registrations. And then we had a enrollment line, so again, we could signpost it in different places and customers can also enroll from the mobile app. So we ended up with a shopping list at different places that customers could use.

[00:13:57] Make sure you look at it from the customer’s perspective. Again, I think we were good at doing it, but now and again, you saw, felt yourself getting dragged almost in, right? Well, this is what the technology can do, this is how it performs. And you get, you can get dragged into oh, well this is the best way to do it because the technology, rather than saying actually step back, what does that customer journey look like?

[00:14:15] Finally, and for me, this was, this would be probably the most important one, I think of all of them. Make sure you understand and you document your processes for false accept and playbacks. My recommendation would be to make sure you’ve got a really robust process. You’ve got your stakeholders lined up, definitely, you know exactly what your going to do.

[00:14:37] So since we’ve gone live with Voice ID we hit 6 million customers this morning. I said to Matt the other day, I said, we’re not far off. And I did smile this morning when we, we actually got there and just over 90 million verifications and over 50% of our callers are now using Voice ID.

[00:14:55] So success story and obviously this, it hasn’t finished, you know, we are continuing to enroll customers and so on. Okay. I’ll just pause. Matt, you happy for me to continue? Is there any questions?

[00:15:08] Matt: Just while if we stick on, on, on voice ID and voice biometrics for a start. Yeah. So I I joined this project somewhere around this decision point about active versus passive. I’m just curious as to whether you would and for those who, who are on the call, who. Necessarily recognize those terms, although I’m sure most people do.

[00:15:22] Active is the text-dependent form of this technology. So in Lloyd’s case, customers phone up and they enroll usually in an automated system saying My voice is my password. And that when they phone back, they say that same prompt, my voice is my password in order to authenticate.

[00:15:39] The passive form of the voice biometrics technology is often done in the background during an agent conversation. So as the customer’s talking to an agent, they’re offered enrollments and give consent and enroll. And subsequently when they call back, they are authenticated as they start talking to an agent, or sometimes when they give an utterance with the, into an IVR.

[00:15:58] So that’s the two different technologies. Andrea, would you given your time again, would you still do active or passive?

[00:16:06] Andrea: I’d still go with the active probably for the same reasons. I know sometimes you , you’ll do something and you’ll go, oh now I know what I know cause it’s because you’ve, you’ve got it live.

[00:16:16] You think I probably would’ve changed my mind. I still believe that it was the right decision. So Lloyd’s Banking Group obviously has got we’ve got an IVR application that faces into all the calls. and if we reduce the, either the ID the verification or our containment rate, that has an impact on colleagues and it means basically there’s a cost to the business.

[00:16:39] I still believe that if we’d gone down that passive route first, we would’ve had a negative impact from that perspective. What active is meant is we, we now authenticate more customers than we ever have. I say over 50% with Voice ID.

[00:16:55] Now, a lot of those would use other tokens. What Voice ID has given us is the, is also a fraud protection. What we’ve found that since we’ve gone live with Voice ID we’ve had a drop in about a drop of about half. I’m gonna say about 50% of customers propensity to fall, victim to fraud because we’ve gone down the Voice ID because of the way we’ve done the process. We sent letters, SMSs when they register, so we were alerting customers and fraudsters have seem to be just avoiding it, so we are getting very, very little fraud on the avenue.

[00:17:32] Matt: Cool. I think there’s, I mean, there’s some really interesting point. I mean, my, my default recommendation is to a advise people to use the passive form of this technology for, for a whole variety of reasons that won’t go into here, but I think Lloyds is a particularly interesting use case.

[00:17:44] And if you picked up on the numbers at the start of the call and You’ve definitely said these, so I’m not betraying any confidences, but Lloyd’s takes a hundred million calls a year, but only forty or so million of those ever get to agents. So that just gives you a a scale of how much automation takes place within the Lloyd’s estate and how important, therefore, being confident about the authenticity of people going through automation is so in many cases, like I think it’d be right, say, Our, our primary objective was not to mess that up.

[00:18:12] Yes, but to . Yeah, . But to make it more secure and more convenient at the same time and move more people through automation where possible. So whilst again, I would say my default recommendation would be used the passive form actually in Lloyd’s case. And exactly as Andrea said, when you run the numbers on this and when you really understand your customers it’s, it was an obvious choice. I think we, we spent a lot of time kind of looking at the pros and cons of different technologies, but when we actually looked at our customers in this case, it was really obvious what the right decision to, to do was.

[00:18:42] So I think that’s a Yeah. Really interesting point.

[00:18:44] Andrea: Yeah. Yeah. Prob probably just to add on their Matt I’m a massive advocate of passive really keen that we do deploy that. . And I can see like the benefits it has over active. So that would definitely be , if we’re able to do it, that would be one of the first things I would look to do in the future.

[00:19:00] Matt: I think that’s a really interesting point. And it relates to a couple of your other ones on here that, that this, that number.

[00:19:07] Is tiny, but it is a real number and it is real. There are real instances and there are losses associated with those significantly orders of magnitude less than with other technologies, but they are a function of this stuff. And from bitter experience, I think your final point is exactly spot on.

[00:19:23] If you’re not prepared for this to happen, then when it does happen, and it inevitably will happen, not very often. Occasionally then that’s when all hell breaks loose and and things can be in real trouble. So I being realistic about the limitations of this technology is always important.

[00:19:39] And there is an emerging threat from synthetic voices and we need to we need to stay on top of that. Have procedures and processes in place to, to manage the, and mitigate the risks associated with it. Which I think and there are a few other questions, but I think leads really neatly on to the next bit of the discussion, which was, around network authentication.

[00:19:56] So having interrupted your flow I’ll pass back to you if that’s alright.

[00:19:59] Andrea: No, that’s absolutely no problem.

[00:20:01] Matt: There are some more questions. We’ll come to those in a second though.

[00:20:03] Andrea: Yeah. Okay. So I’ll go through the next few slides quite quickly so I can get onto the network authentication. Now got wind back probably, what, three years?

[00:20:12] So we’ve got Voice ID in. It’s got over a couple of the, obviously the few little bumps. And then just the numbers are rolling in. Everything seems to be working well. So then we took a step back and said, right, okay, well where are we? So approximate figures, so our identification rate was at approximately 80%.

[00:20:32] We were about 72% of verification, containment around, sort of 59 to 60%. And very much our question is, right, well, okay, where do we go? So what can we do to improve identification, verification and containment? , and I guess I , this is , probably the key part of my role is always looking forward to, okay, what can we do next?

[00:20:50] How can we improve it? It’s very much, how can we make it better? How can we make the customer experience quicker, easier? And so on. So if we just, I’ll just do a quick bit on what we did from an identification perspective. So we had about let’s say 20% failure and identification. But the question we had to ask ourselves, what was the real gap? So did we really have 20% of customers who couldn’t ID? So if we put, say a number of other tweaks in, we can actually get that a hundred percent.

[00:21:19] The answer was no. What we did was we looked at the data. So who’s calling? Why are they calling and what type of customers are they? So some of these people would never identify either due to their demand, new customers, they wouldn’t have any details or their other companies. We looked at what was unique to a customer what would make things easy.

[00:21:39] If you make it easy for the customer, they’re obviously gonna get better ID rates. And we sort looked at the design as well, how we were gonna design it. What we did was we changed the way we ID’d customers. We added in some additional features. For example CLI the call line identifier and date of birth.

[00:21:58] We then had a selection of rules, so dependent on what the customer wanted to do, because we had this the reason for call at first. We then based the type, the identification questions on what the customer wanted to do. It actually added quite a lot of complexity in, so from the backend perspective, we definitely made it more complex, but we increased the identification.

[00:22:23] Anyone managing IVRs know that you’ve, when the customer comes in, get, the more you can, ID means the more you can verify means, the more you can contain. So we put that change in. That was a couple of years ago, and we bumped the identification rate up a couple of percent. So that leads me then onto the verification.

[00:22:43] So we then looked at network validation so we introduced a technology it’s basically a call DNA technology. I like the call DNA because I think, well, that, that sort actually summarizes what it is. It looks at the call before it even comes into IVR and it examines more than 200 features t hat it takes from the carrier level call signaling data.

[00:23:09] And what it will do will identify what it considers to be suspicious calls before answering. So what happens is, so you’ve got, if the customer calls the bank at that point it then roots through this new software. . And we get a score. The score actually will be from no 0.1 to 0.9, 0.1 is really good. 0.9 is really not good. So we have a score. So this score is presented at the top of IVR what we do is we use that score, we’ve matched it with the customer CLI and if we get a match on those, we then use that score as an authentication token. So we’ve introduced this new technology as sitting at the top.

[00:23:52] Customer does absolutely nothing, but if we get a good score, we can match the customer’s calling number with something that we hold on our records. We basically say, do you know what? We trust you. On the other side, if we get a high network score, then we flag that to our fraud colleagues.

[00:24:10] So, a new authentication token. But this one, I was gonna say it’s probably better than voice id. That’s not true, but it was, I was really like excited about this one just because it’s it’s a double whammy. You get this one number in, you build a couple of rules and we were going down both, we were catching catch ’em both sides.

[00:24:33] So, Very much when you look at authentication, if you look at it from a customer perspective, you’d make those questions or that process as easy as possible because you want to do business with them. Obviously, if you make it really easy, you are opening the doors to the fraudster. So this was, this technology give us a tick in both camps.

[00:24:53] By introducing it, we were able to identify more fraud and also we were able to increase our authentication rate. So put a few bullet points here. so technology helping both.

[00:25:06] The other key thing for me really was. It was like no effort at all to the customer. It’s all going on in the background without us asking them to give us further information, remember information.

[00:25:17] One of the key things from doing the project was, from my perspective, was. The internal side as well. I’m champion sort of IVR I wanna get as many customers as I count through the authentication. And then I’ve got my fraud colleagues sat on the other side saying you know, we can’t do this, we can’t do that because obviously they need to keep the fraud down.

[00:25:34] So it was, really closely liasing between what ourselves to make sure we got that balance just right. What numbers do we, we think we want to trust? What numbers do we need to go down the fraud route?

[00:25:47] Okay, and I will pause again just quickly there, Matt, just to see if there’s any questions.

[00:25:55] Matt: Someone’s asked if you can name the software, which think’s okay.

[00:25:58] Andrea: That’s what I put on the slide it was Smartnumbers.

[00:26:00] Matt: Yeah so network authentication’s really interesting and I think. Comes back to one of the questions that another participant asked is that the world’s moved on considerably since 2015, and device-based authentication is a primary factor now, if you would start again, would you still consider voice and network authentication or pivot to device-based factors? It might be worth just adding what else is in, in the mix here, because there are other security tokens in the mix here, but these, these are your primary methods, right now?

[00:26:25] Andrea: Yes. Yeah. So overall we’ve got seven different ways customers can authenticate. That’s within IVR I agree like the world is moving on, technology is moving on. But at the moment that, that’s a really good question actually. I don’t think I would change what we’ve done up to.

[00:26:45] We’re still using, so another one of our tokens is a six digit number, like a PIN. And we keep saying, the days of pins and how to remember these things are gone. But we are finding in, and it’s only a small number of cases, but in a small number of cases, that is still the best token for a customer.

[00:27:03] it’s yeah, I’ll be interested to see how it pans out. I still believe there’s definitely a place today for definitely the voice biometrics and the network authentication. Definitely.

[00:27:13] Matt: And I think we do look at this periodically and like there, there is Lloyd’s customers are able to create a secure call from their mobile app to your call centers, and a chunk of customers do that, but they are very different to the chunk of customers who call you frequently and engage with the automated system to get their balances .

[00:27:31] Yeah, and they’re different again from the customers who call you about. Payments being declined or potential fraud? I think what’s interesting about Lloyd’s is that you keep adding stuff. , but not being able to take stuff away. And I think the perfectionist in me would like to have one, one to rule them all, but in practice we just end up figuring out different ways of orchestrating it. And that’s what happens with network authentication, for example. So that, that is that is a very effective mitigation, if you don’t mind me saying to some of the risks we see with recordings and other attacks because we now have two factors to authenticate a call to just one. And now it’s not necessarily foolproof, but when we start combining them, then we get down to extremely low probabilities of fraudulent activity and that. That’s how this kind of all works together.

[00:28:15] So I think the, device-based questions are really relevant. and it’s definitely part of the mix and will be in the future, I’m sure.

[00:28:23] Andrea: Yeah, yeah, yeah. So we have got like the authentication from our mobile app. But back to what you’re saying, Matt it’s who’s calling us.

[00:28:30] So customers who are doing their banking on the app. The majority of the time they will do that and never call us. So yes, we see calls coming through there, but from a percentage perspective it’s, it’s a lot lower than customers calling, for example, using Voice ID. Because a lot of those customers will either not use the app, not have it, don’t want to use it or whatever other reason.

[00:28:52] So it’s, yeah, it’s just a numbers game and you are right. I do keep adding additional authentication processes and not removing. . Maybe one day we will start taking some away, but you know, it’s back to that. I just want to give every customer the chance to be able to to identify and verify and the more options you give them, the more you’ll get through.

[00:29:11] Matt: And how have you found the relative adoption rates of these technologies? The difference between those two? So getting people enrolled for Voice ID is different to switching on network authentication, for example?

[00:29:22] Andrea: Yeah. Yeah. The network authentication from a customer perspective was really, really easy because they don’t do anything.

[00:29:28] So the way we’ve delivered it is the customer calls in and all the, that authentication process runs in the background. So the customer doesn’t know they’ve been authenticated like that. We will ask a question, something maybe like their date of birth. So that’s there from a customer perspective, that’s how they’ve authenticated with us.

[00:29:49] We don’t say, oh, by the way, we’ve used your telephone number some smart software in the background. So from a customer perspective, that was totally transparent

[00:29:58] Matt: And in many cases that’s an that’s an ID disambiguation step as much as it is an authentication one. Yes. But it’s interesting that customers feel the need for some friction.

[00:30:07] Andrea: Yeah. And that’s, again, we’ve spent a lot of time discussing that. And it might be that we are wrong on it. But when we’ve tried to do things in the past and we drop a step we made ID easiest, we dropped one of the question. and from a customer perspective, we just had a load of complaints.

[00:30:22] Then it’s you’re not asking me this information anymore. And this was identification, not authentication and then we got really concerned. So our perception is customers almost expect to be asked a couple of questions or it’s almost like they haven’t earned the right to do business and discuss their account with us.

[00:30:39] Dunno how much of that will be as well. That, there’s a lot of press now on fraud and you everyone is aware that you’ve got these fraudsters calling up now pretending to be the bank. So I think that’s another part of it. At least they know they’re through the right place if they’re going through these barriers.

[00:30:54] Matt: Yeah, we’re definitely talking about some of those challenges in some later sessions. I think just as we talk about that network authentication, it’s worth bearing in mind that you, I think you said, did you say 50 or 60% of callers are authenticated with Voice ID?

[00:31:08] Andrea: 50

[00:31:08] Matt: 50. So you are already really sure about half of your callers?

[00:31:12] Andrea: Yes. Yes.

[00:31:13] Matt: So the the. The place left to play for the real benefits of something like network authentication exist in those other half of those callers. And you’ve already talked about being maybe 20% of those aren’t even real customers aren’t ever gonna demand some services. Yeah. So actually in this case, because of the sequence in which you deployed, the benefits from that technology are increasing the security of voice ID and helping you authenticate that gap in between.

[00:31:38] Andrea: Yeah. Yeah. That where I’ve got to know is where we’ve got to as a bank. Obviously I definitely don’t want stand still. There’s a gap of something like, I would say about 8 or 9% now between our identification and verification, and it’s like what can we do next?

[00:31:53] To reduce that gap. So I’ll probably upset you again, Matt, and introduce another token and not take another one away. .

[00:32:01] Matt: I had one probably in the kind of one or two minutes we’ve got left. , would be setting thresholds. Just explain how you think about that process. Like you’ve got like a number, how do you figure out what the right number is? How secure should you be?

[00:32:17] Andrea: With specifically with the Voice ID the voice biometric?

[00:32:20] Matt: Yeah.

[00:32:20] Andrea: Yeah. That’s a really good question. So how we handled it was we use the experts you use your supplier use any mats already said he was involved in this. I’d be, we did a lot of research on voice biometric, so we got ourselves upskilled. But you know, this was a whole new ballgame.

[00:32:39] So definitely use your experts. And then what we did then was looked at all the different, if you like, the scenarios. So initially we focused, if we take the sort of like the false accepts first, because that was the first one we looked at. What we did was we mapped out the different ways you could get false accepts and so you’ve got like your difference of scenarios and then against each then you can put what you think the risk is going to be.

[00:33:04] Matt: Did you just wanna give an example on those scenarios because I think we had some quite amusing ones in?

[00:33:09] Andrea: Yeah. Yeah. So you’ve got your say mother daughter.

[00:33:12] So daughter phones up this, she’s banking for her mother and she just accidentally verifies on her voice. We’ve not found those to be so much of an issue. Just explain what’s gone on.

[00:33:22] Matt: I think the other interesting case is just the volume of self-testing that the number of people who immediately post-enrollment decided they were gonna try this thing out and see if it worked for them, and then the small proportion of those who then decided to get their mate to try it as well.

[00:33:35] Andrea: Yeah. And yeah,

[00:33:36] Matt: And in practice there were orders of magnitude, more people trying to break the system as genuine customers than there were fraudsters trying to break in. And that, oh, yes. Probably caused us our biggest challenges.

[00:33:48] Andrea: Yeah, yeah, yeah.

[00:33:49] We’ve had a few, but we’ve had very few on false accept fraudsters our biggest risk is media. So with the false accepts our biggest concern as a bank, and I’m not saying if that was right or wrong, that, we’d get someone, someone deliberately trying to get in on someone’s accounts and this was all, a lot of this was collusion.

[00:34:08] And then go to the media and say Lloyd’s Bank have deployed this. It’s not safe. Look what I can do. So that’s where a lot of our focus was on Matt, just to your point on the numbers, so when you set the threshold, you’ll set it as say 0.1 or 0.5. They’re just like numbers.

[00:34:26] It could be anything. What we did was, I say work, we worked with Matt, we worked with suppliers to actually turn those into what does that really mean against those different scenarios that you map. So then you could work out what your risk is. We ended up having sort of different thresholds.

[00:34:38] So if we were say, set it at 0.1, that would mean that you could impact, I dunno, say a thousand customers or whatever the number was, of which of that percentage may actually try and do it. And then you you’ve got your like varying options because the other thing you need to look at yet, you can set it really, really aggressive.

[00:34:57] So your chance of getting false accept is really low, but your false reject rate will probably rocket up. And then you’re like almost defeating the object of deploying it if loads of customers get rejected.

[00:35:09] Matt: I think turning theoretical probabilities into real customer impact, both positive and negative is the key to this, because that’s the only way you’ll get senior stakeholders to engage with the problem. I’m picking numbers out of thin air. Like we, we see 5,000 fraud attempts a year, and with this risk might increase that, but it might result in 50 instance per year.

[00:35:32] Are we prepared to accept it given that the benefit side is, 20,000 extra authentications or 20 fte or whatever it might be. So I think it’s important to bring it to real numbers. That’s just, which is what you said, so. Yeah,

[00:35:45] Andrea: Yeah. And it’s not, again, it’s not, we are seeing very little fraud. In fact, we’ve definitely seen a massive reduction of fraud that used to occur from customers using telephony to now.

[00:35:59] So Voice ID has had a massive benefit on that and say it’s probably the, it’s the media side map I would say. We’ve had the real concerns about Yeah. Reputational and that’s still an impact. Yeah. It’s the reputation on that’s obviously, important to the bank as well.

[00:36:14] Matt: So Andrea, thank you so much for joining us this afternoon.

[00:36:17] It’s been really interesting discussion and I’m hopefully people have got got a lot from it. Oh, someone’s sending you a heart, so that’s good. Just for the benefit, everyone on the call this is our first real kind of face-to-face session that we’ve had in this series.

[00:36:29] There are usually every other Thursday four o’clock to four 45 or just over. UK time. Next in a fortnight’s time, we’ll be talking with Douwe Korff who’s a privacy lawyer on GDPR, CCPA and BIPA, and their impacts on voice biometric adoption. So Andrea’s given us the kind of the 20,000 foot view and we’re gonna go really deep.

[00:36:48] But hopefully answer some people’s specific questions when we look at how those affect voice biometrics. I’m then gonna have a session on the 23rd about the best practices we’ve learnt from adoption and improving enrollment. And then network authentication and full prevention 101 which a little bit more of a deeper dive than Andrea’s given us today into the the state of these technologies.

[00:37:07] So thank you very much for your contribution and time this afternoon. I would love to get your feedback. I think you’re probably going to get an automated feedback request after this session. We’re trying to build a community where people feel that they can come to for expertise and knowledge and insight.

[00:37:19] Everyone on this call’s feedback is really valuable in doing that. And I’d love to hear what we can do more of, less of differently. So thank you again for attending and I’ll speak to you all soon, I’m sure. Thank you very much.