How Fraud Victims 'Punish' Their Banks
Study: Some Customers May Leave Institution Even When Losses Refunded
Would you leave a bank after an unauthorized charge on a credit card or a strange debit from an account? It's a question for financial institutions evaluating the impact of a security breach.
A new study by Carnegie Mellon University researchers suggests that some customers will, in fact, leave even if they receive quick refunds of losses due to fraud. The study is one of only a few correlating the impact of a fraud incident on customer loyalty.
The stock price of a financial institution often takes a hit after a data breach. But it wasn't known to what extent customers may take action after an information security lapse, write Rahul Telang, a professor of information systems and management, and Sriram Somachi, a Ph.D. candidate in information systems and public policy.
They found that a user is three percentage points more likely to move their money elsewhere within six months of a fraud incident.
"Our research highlights that users, when being aware of the fraud, do take expected actions," they write. "That is, they are willing to punish the firm leading to possibly larger security investments by the firm."
Part of the importance of the study is that it points to the effectiveness of mandatory data breach disclosure laws, which are on the books in 47 U.S. states.
Of course, changing banks doesn't necessarily make someone's money more secure. Financial institutions closely guard information related to their security defenses. It can be difficult even for experts to gauge from the outside how well an institution is defended, and lapses in policies or procedures from the inside are opaque.
The researchers drew on a rich data set that came from a U.S. bank. The bank was not named but has a large presence in Allegheny County, Pennsylvania, according to their research paper.
The data came from 500,000 customer records between 2008 and 2013. It included details on all customer accounts, debit and credit card transactions and calls to customer care numbers. The data was anonymized and represented a "full geographic stratified sample" of the U.S., they write.
Their research focused on those customers who called the bank to report fraud on their accounts. In all cases, the bank refunded any money lost to the customers within 10 days. Most of the incidents involved financial information that had been stolen and re-used.
Trigger Point: $500
Attribution for a loss would appear to play a role. The study also looked at customer churn rates after losses that could not be attributed to another party but later could be traced, such as to a merchant problem or to a legitimate transaction that was at first mistakenly thought to be fraud.
There were no significant quit rates among customers who had contested a charge but had either been made whole by a merchant or later realized that a transaction was indeed valid. "In the case of unauthorized transactions, since the matter remains unresolved, it is likely that users may hold a bank indirectly responsible and it may adversely affect their relationship," they write.
The lingering doubt may leave customers with the impression that fraud could happen again, they write. Unsurprisingly, the larger the loss, the greater the churn rate. The average loss was about $125, but customers who lost more than $500 were more likely to leave.
For banks, customer churn due to fraud and breaches is another cost to calculate in a rapidly changing computer security landscape, they write. The findings would point to mandatory data breach disclosure regulations as having some effect.
"Our research seems to confirm the efficacy of some of the regulations whose goal is to highlight firms' security and data protection practices," they say.