Tuesday, October 6, 2009

Jacob doesn't mind

Let's say there's a guy named Jacob. This guy, he's 23 years old, has somewhat of a steady job, largely sales and maintenance for a nice apartment complex in southern California. He uses PayPal, a lot more than he would like. He also has a Facebook account and a MySpace page; he follows friends on Twitter (and sometimes updates his own status messages there). He has an iPhone 3G; he's on top of things. If he were ever hit by fraud, he would probably tell his friends about it.

You know what? The industry is missing out on many of Jacob's friends. Not because they don't have credit cards or because they don't shop online - it's because we haven't changed with them. Why? Because Jacob doesn't mind - he doesn't mind his information being out there on the web (as long as it's kept with a privacy policy). He doesn't mind some interaction with risk controls, because Web 2.0 and post-9/11 safety education taught many users that it's OK to be asked questions by those with authority. And in the land of risk management online, we are the authority. And we are limiting our business. Jacob and his friends don’t mind working with us to make their lives better – we simply won’t let them.

Proper interaction upon signup and in the preliminary stages, together with requesting relevant information in a layered friction model (meaning that the riskier you are, the more information we ask for and the more challenges we introduce), makes for the bulk of the verification needed prior to a transaction. True, it's a good question whether you're asking for the right type of details; no one benefits from a 5-page signup process that says "this is the last page, we promise!" somewhere along the way. You have to have a decent interface. But making a religion out of not asking for details or challenging the user, then scrambling to pile controls and limitations in the background, takes away users' control over their account, and this will drive people away - not to mention those that you would be able to verify and just won't accept. Having all this information on the web and becoming more and more technological, users are sending us a clear message – “we want to be involved and take responsibility over our online identity”. To get to the next level, we have to take the challenge ourselves.

How do you do that? A professional I know compares this to an airport's security system. Have you ever flown El-Al? Have you noticed the fact that there are a few "bands" of security people, each with a specific function planned to interact with the passenger, laid out in a pipeline that you can either pass or fail? If you have, then you have the first principle of proper interaction along the risk management pipeline. Note how face-to-face interaction is highly important - not only because it allows for more close-up profiling, but also because it engages the passenger with the process. The first-line interrogators actually debrief the person they are talking to: Have you been asked to pass an item by someone you don't know? Do you understand why I'm asking? This goes way beyond passive checks like AVS, DOB and SSN - this is a call for proactive actions by the user. It's a highly intelligent approach, not fail-safe on its own, but unprecedented in its ability to tap into the user's mind as an additional layer of risk management. And it's working.

Bottom line, then: engage with your users. Let them know what you're worried about and how they can mend it, as early as possible. If you do it right, you'll earn highly engaged customers and open up to many more you've rejected or have been rejected by in the past. It's worth a try, as long as you do it right.


Seventhlife said...

Hi Ohad,

The only hic is the user experience teams will say "we cannot create any friction in the consumer flow, current drop off rate is X %, we cannot afford ..."

I guess the point is dissecting our user base into GenY and GenX and addressing them differently from a risk management perspective.


Ohad Samet said...

Well, it's always a good question whether we can segment the population properly to adjust how we treat different segments. I personally think that this is a way of interaction that will expand immensely and is already quite popular, even with people who cannot be classified as genX, genY or others. I also think that as risk people we can be enablers of new business and concepts in addition to being the guard at the gate.

Tal Kedar said...

I guess if a user proves he has access to his Facebook account, giving you access to the information in the process, that's not a bad start - and the friction is fairly low. For example, offer a Facebook app that could get one $200 off on next purchase, chances increase as you spread the app to your friends :)

Ohad Samet said...

Yup, FB have a killer data source. It's not enough, but it's a LOT...

Elaine H said...

I guess you wouldn't really need to separate your customers into GenX and GenY - if you give all your customers the options, then the ones who are happy to go down that route will, and those who aren't won't. And maybe along the way, you'll pick up one or two that you didn't expect to! I'm over forty, but considered to be a GenY thinker, even though I'm firmly in the GenX age range! There are some GenX people who think with a GenY outlook.