Which security questions are best to use in a call centre and with so many scams about how can you be certain that you are talking to the right person?
Call centres handle a vast amount of data about people’s lives, and keeping this data safe is of paramount importance. Agents must be sure that a caller is genuine, to ensure no sensitive information is given out to fraudsters. To do this, they ask security questions. But which questions are best, and what other issues do call centres face when trying to verify a caller’s identity?
Under the Data Protection Act, companies and organisations are obliged to take reasonable steps to confirm the identity of a telephone caller before proceeding with a call relating to a personal account or information. They must have safeguards in place to prevent people calling in under a false pretence of acting on behalf of the customer. Companies also have an obligation to their customers to make sure their personal information is handled properly. Security questions build trust, as customers are reassured that suitable precautions are being taken.
Call Centre Security Questions
The exact questions asked by call centres during security checks vary across industries and organisations. However, there is common ground on the best basic questions. A three-question check comprehensively tests a caller’s identity. Most call centres ask for an account or reference number, then the customer’s name, and then their address, postcode or date of birth. The question asked as the third part of such a check may vary depending on the business of the contact centre. The options for each question are shown in the table below.
First Security Question
- Account number
- Reference number
- Contract number
- Telephone number
Second Security Question
Third Security Question
- Partial address
- Date of birth
- Payment method
- Last payment made
- Other contact telephone numbers
- Email address
“The circumstances when a security check is required must be clear to the agents, which will save ACHT (average call-handling time) so as not to prolong the interaction or annoy the customer. A minimum of two checks must be mandatory for confirmation if account details are required,” said Pinaz Hansotia, previously Business Unit Head and Relationship Manager at Seamless Connections.
Similarly, agents should be given list of situations in which a security check isn’t necessary. General enquiries such as “What new offers are available” only provide information that is readily available elsewhere.
Security in Numbers rather than Percentages
Financial service call centres may ask security questions with a numerical answer – ‘state the current balance of your account’, for example. A margin for error is allowed in the answer, as few people know their exact account balance off-hand. But this tolerance level causes trouble for call handlers, according to Jane Stuart, Senior Manager at Avertis Risk Solutions.
“We’ve found that if the tolerance is a percentage, say the caller has to be correct to within 10%, that’s far too complicated for the call handler to cope with. It’s difficult for them to calculate what 10% is and subtract it,” said Stuart.
A tolerance should instead be expressed as a defined amount, to assist less mathematically skilled agents. Rather than insisting the customer is within 10%, the call centre could require the caller to be correct to within £20 of the true balance.
Safeguarding sensitive information
The effectiveness of security questions may depend on the way in which they are asked. An agent may inadvertently give away information when asking a question. For example, asking a caller ‘Do you have a current account or a savings account?’ instantly narrows the chances of a possible fraudster guessing the answer to 50-50. Asking ‘What type of account do you have?’ leaves other possibilities open and gives nothing away. According to Jane Stuart, many call centre staff become relaxed about security questions and risk letting fraudsters through the net.
“Immediately after training, the security procedures are fresh in an agent’s mind. After a few weeks on the phone, when people become a bit more chatty and a bit more relaxed, those procedures can become diluted, not deliberately, just by human nature, unless they are reinforced,” said Stuart.
Avoid information that thieves can discover
Security questions should avoid information that can fall into the wrong hands too easily. Household bills are often thrown out intact. Handbags are stolen, cars broken into, and documents lying around could fall into the wrong hands. Some answers are easily guessed if a fraudster has even a tiny bit of information about a potential victim. If a caller is asked to state two direct debits on a certain account, the call centre shouldn’t accept an answer which only mentions utility bill debits. It is easy for a fraudster to guess which water or electricity company someone uses if they live nearby. A better question is one which asks something only held on record by the call centre and in the customer’s memory. ‘How long have you had this account?’, for example, or ‘Do you have any additional borrowings against this mortgage?’. The trick is to find the balance between something that a genuine customer can answer and something that doesn’t appear on many documents.
Security questions need to protect customers from information theft inside a call centre. It is important that staff only have access to data they need in order to do their job, including the answers to security questions. If a prearranged password is used, allowing an agent to see a customer’s password alongside other personal information gives that agent the ability to use that information illegally, should they be so inclined. To avoid this situation, security questions should only require agents to ask for part of a password, address or date of birth.
“We often ask for just certain digits out of a date of birth. We also operate strict security measures, for example staff aren’t allowed mobile phones in the contact centre and we run regular spot-checks,” said Maria Opuni, Contact Centre Director at DDC Outsourcing.
Such measures help maintain customer’s trust, especially after the high-profile government data leaks in the UK in recent years.
Don’t be afraid to challenge
The point of asking security questions is defeated if there isn’t a limit to the number that can be asked before a call is ended.
Customer service agents shouldn’t be afraid to politely refuse a caller who can’t give right answers.
“If a caller gets two questions or two types of question wrong then they should be terminating the call and saying sorry, you’ve not passed the questions today, get some information out and call back,” said Jane Stuart.
One approach to identity validation that looks promising (at least on paper) is using voice biometrics. Based on the individual caller’s unique voice print, voice biometrics claims to offer extremely high levels of security. It works with several factors called articulators, contributing to its uniqueness. These include: the size and shape of the mouth, throat, nose and teeth, and tension of the vocal cords.
“Voice biometrics can provide significant benefits to both the call centre and the customer,” said Dave Lee, Business Consultant at communication systems integrator, Datapoint. “For the customer, it can reduce the time taken to conduct the ID and Verification (ID&V) process and they don’t have to remember complex or infrequently used password or questions.”
Keeping information safe is difficult, and no security questions will provide total protection against people determined to obtain it under false pretences. But can security questions alone provide a substantial barrier against fraud, or does it ultimately depend on the individual agent who is asking those questions?
As emerging technologies such as voice biometrics become useful for security, will the security question ultimately be replaced? Call Centre Helper would like to hear your thoughts and suggestions, so please leave them in an email to Call Centre Helper