How TD uses voice to bring a retail experience to digital banking

The more sophisticated online and mobile experiences become, the more difficult is for people to prove their true identity — especially when it matters.

It’s a problem for both banks and their customers. Not only does it put a dent in the customer experience, it presents fraud and privacy risks for both parties. That’s why TD Bank is implementing voice recognition technology at its customer call center.

“One of the largest irritants our customers had was with authentication and having to answer all those questions we had to ask them in order to verify they were who they said they were,” said Robert Ghazal, TD’s head of U.S. contact centers.

The technology, branded as TD VoicePrint, reads about 150 different characteristics of a customer’s speaking patterns to create a “vocal fingerprint,” without recording the voice itself or storing any kind of voice biometric that can be stolen. After capturing the voice print, customers can phone in and TD will verify their identities by their voice prints instead of by answering security questions, and the customer service representative will prompt them to speak more if it doesn’t recognize them. The bank worked with agency TBWA/Chiat/Day to create an experiment to test the technology.

The identity problem gets more complex as customers choose to bank through multiple channels — at the branch, in their mobile apps, through their desktop computers or on a call — and banks try to make their presence more ubiquitous, positioning themselves wherever the customer is and whenever. Plus, customers have accounts with multiple financial services providers — they have deposits at more than one bank, they have PayPal and Venmo accounts, they share those credentials and data points with their various online shopping accounts — making the whole process more complex.

The modern banking experience is often characterized by mobile and online experiences, but by investing in voice tech, TD is saving customers’ time as well as translating its human-first store and retail experiences to all of those various channels, said Arianna Orpello, senior vp of brand, acquisition and digital marketing.

“The idea of being able to recognize people by the sound of their voice — what a great human moment,” she said. “If you think about the people in your life that recognize you by your voice they’re usually all people with whom you have a personal relationship… that’s the bar we hold ourselves to: we should be able to recognize you when you call us, just like when you walk into our store.”

TD’s mobile app has a secured in-app call feature that accounts for nine percent of the bank’s total call volume, Ghazal said.

Authentication had been a pain point for TD for a long time, Ghazal said. Its parameters around respond acceptance are very tight. For example, if a TD customer calls and is asked to verify a recent transaction to confirm his or her identity, TD needs to know the exact date it occurred and the exact amount.

“It’s a very small margin,” he said. “Often we hear that people have to log into their online banking or mobile banking in order to answer their security questions.”

Of course, the alternative of loosening authentication is even worse; doing so would expose customers even more to potential fraud.

Last year, TD also invested in fingerprint authentication provider SecureKey, whose technology is at the center of a Canadian bank consortium effort to let customers self-identify in a digital world. Biometrics aren’t a perfect solution yet — should a cloud database of customer fingerprints be hacked, they’re not replaceable like passwords are — but they’re proving to be a good enough solution for now in the right direction as customers largely favor speed and convenience over security and privacy.

“Security is a major concern for people,” Orpello said. “We’re trying to figure out how to protect but also enable the convenient experience… deliver it in a human way in your normal life. What better way than the equivalent of your fingerprint?”

What it will take to make digital identity real

The biggest problem with digital identity is that it’s just a pain in the ass.

As banks, governments and e-commerce giants try to solve the issue of customers having account overload and password amnesia, the problem becomes that security is just inconvenient: there are so many required security specs for passwords and so many different passwords to remember, it’s just easier to create an easy-to-remember password and use it for everything — and at the end of the day, if an account is hacked, the bank can just return the money. No big deal.

Passwords are how customers identify themselves for every service they use. They know the system is hackable but still entrust companies their data, even if they don’t actually trust them. Fixing the system means there has to be a single identifying entity that people trust, that has an established history of collecting and holding personal information. Banks are the best positioned to do so, but trust has to be part of the process of designing identity verification services and it should be clear who owns customer data and what happens to it.

“The use of digital identity will exceed the use of physical identity when more digital identity solutions emerge in the market — that’s what’s lacking today,” said Matthew Thompson, director of digital business development at Capital One, which launched a digital identity application programming interface (API) this week that lets websites and apps authenticate the identity of their customers against the identity information stored by their banks.

“We have to design for trust in the solutions: trust with the relying party or business partner that they can trust the assertion we’re making, and trust with the consumer that they want to use or share the information in this ecosystem. When those things come together you’ll see digital identity exceed the use of physical identity.”

Who has my data?
Collecting customer data is in the interest of the customer, banks (or any company, really) will tell you. By doing so, banks say, they can improve their products and services. Knowing more about customers — their preferences, routines, where they save and when they splurge — helps them personalize their offerings and deepen connections with customers, which makes them feel even more comfortable granting the banks even more of their data.

Right now, it’s not clear who owns customer data, whether it’s banks and our payment information or Facebook and the details we put on social media. Banks are held to higher standards of privacy and security; that’s part of what makes them so well positioned to take the lead on providing digital identity services.

“We don’t know who really owns our data but I bet you the large banks absolutely don’t want that” to be made explicit, said Pascal Bouvier, a venture partner with Santander InnoVentures, the Spanish bank’s fintech venture capital arm. “There [would] be clear liabilities as well as clear asset and cash flow streams that people either have access to — or don’t. In order for us to fully actualize federated digital identities built off data streams we create directly or indirectly, we need to have some type of clarity on that ownership.”

The ownership question is also more important now than ever, as startups and technology providers look to increase their data-sharing agreements with banks. Intuit has landed agreements with JPMorgan Chase and Wells Fargo; Finicity just signed one with Wells; Xero established similar deals with Wells, Silicon Valley Bank and most recently, Capital One. These initiatives also give banks safer ways to move data and help give customers control over how their data is used — the holy grail of digital identity — by using application programming interfaces instead of the more commonly used screen scraping method, in which customers log into the third party site or app with their bank credentials and that company “scrapes” the information to log in as the customer to retrieve account data as necessary.

Convenience over safety
The widely agreed upon solution is data minimization: That an organization will collect only the data it needs, using it only what it agreed to use it for and getting rid of it when the purpose is achieved. A bartender doesn’t know customers’ ages to serve them, she just needs to know it’s greater than or equal to a certain age.

One way is to let the customers opt in to having their data shared. The Canadian banks have a solution to this. Or put a disclaimer on the bank website that spells out how the data is going to be used. But that’s slightly inconvenient. And even when customers are cynical toward banks, they seem to be trusted enough to continue serving them.

“Consumers will always choose the path of least resistance, and if you rely on your consumers to be interested in their best interest when it comes to security, that’s probably not going to happen,” said Ryan Fox, director of consumer identity at Capital One. “We’re always two-step or multi-factor authenticating our customers. It’s always dynamic, always risk-based, aways multilayered.”

In 2015, Capital One launched SwiftID, which removes the friction of passwords by letting people authenticate biometrically from their phones when signing in from an unknown device. By designing security right in the banking experience, Fox says, the bank can send the customer a push notification they can respond to in a second instead of requiring them to read a lengthy security statement, Fox said.

The important thing for banks to remember when building on their security is that people don’t think about it in terms of what’s most secure; they think about what’s easiest, he said.

“That’s why touch ID had such an adoption rate,” Fox said. “We went away from knowledge-based login to something I can just touch. It was adopted not because it was a pattern they understood but because it took half the time. Is it easier? Yes. Do I have a cognitive load associated with doing this? No? Then I’ll do it.”