I had some interesting (sic) experiences with two separate banks with regards to two business accounts that we keep with each recently. The problem highlighted two issues that were both in some ways intertwined:

1. False positive flagging of online transactions
2. Identity Management between bank departments

First let me set the scenario. I am CEO of Storage Made Easy, a business that can be categorized (in bank speak) as an online internet business. We are a business that spends a fair amount on online advertising through various different channels and who also uses best of breed online services to make our life easier. Therefore we spend money with other online based internet companies including companies like Google, Amazon etc and we pay certain providers through merchant gateways such as Paypal. I suspect we are not that different to other similar companies in this regards.

We have  a recurring issue with our bank in which they regularly flag transactions as fraudulent even though the transactions are fine. These are what are referred to in the industry as 'false positives'. A false positive is a result that indicates a given condition has been fulfilled, in this case a transaction being flagged as fraudulent, when the condition was not or should have been fulfilled, and in this case the result is that the transaction should not have been flagged. The end result is that the credit card used to pay for such services is suspended until the end user (us) has negotiated with the fraud department of the bank to lift the ban and transactions that are flagged have to be re-submitted, a time consuming and costly process as it means all adverts stop running, payments are not made and someone within the business has to take time out of their day to sort the whole mess out.

You would think it would be fairly straightforward problem to fix. After all the transactions in question have a regular history of being paid each month, in most cases going back over 2 years. Unfortunately this is not the case, the bank merely says "our fraud detection system highlights these transactions as possibly being fraudulent and there is nothing that can be done". My ongoing question is why ? Why are you flagging transactions as being fraudulent that have a historic basis for payment in which the amount in most cases are identical to what was previously being paid over the past two years. This is largely a rhetorical question as no-one in the bank can answer it or even seems to care that it is a perfectly valid question that should be investigated.

The second issue involves getting in touch with the banks fraud department to arrange to have the block lifted. Normally when we speak with the bank we go through a telephone banking authentication process. The bank set this up with us and we have a pin and other personal and password details we have to give. The PIN relates to a challenge / response two factor authentication process. As a company we have a good knowledge of Identity Management, from Active Directory / SAML / Kerberos / LDAP through to OAuth OpenID etc and we also understand the challenges of integrating between the various identity management systems.

When we contact the fraud department they do not use our pre-defined identity management process at all. In fact they ask obscure questions about the account, such as "What was the debit amount for a transaction on 2nd January "etc. These are almost impossible to answer as a by-product of the fraud block is that online banking is also blocked and as we have paperless statements, there is no way to check or validate any of the questions being asked (which in any case are not in anyway related to the identity management process we have in place with the bank). When challenged as to why the fraud department is not using the existing identity management that we have in place the response is "We do not have access to that system". My guess is that as the fraud department seems to be outsourced to Mumbai, this is why, but this is not something we should care about or be impacted by.

My conclusion is that retail banking is akin to web 1.0 companies in a web 2.0 world. They have not changed their processes to work within the dynamics of the internet world, which is driven by online transactions, and their outsourcing exposes the lack of cohesion within their internal systems in which the customer suffers the consequences. There is also a certain type of arrogance within the culture of the bank that leaves me a little cold. There is a real "don't care' "can't do" type attitude.

It seems the option we have is to change banks but I really have little confidence this will solve the underlying issues as we already similar behaviour from the two banks we already use.

Banks now fail in the most fundamental thing you want them to be good at ie. lending money, storing your money and providing transparent secure access to it. They retain their position purely through lack of choice but it has often crossed my mind that a much better solution would be a consortium of similar minded tech companies who function as their own club that administer and provide their own financial services to each other.

• Novell Enables Rapid Adoption of Identity Management by Open Sourcing Key Technologies
• Universal Insurance is First to Offer Free Identity Management to Policyholders in Puerto Rico
• ID Experts Joins the Center for Applied Identity Management Research