star twitter facebook envelope linkedin instagram youtube alert-red alert home left-quote chevron hamburger minus plus search triangle x

Should I Stay Or Should I Go? Bank Data Breaches And Customer Loyalty

By Scott Barsotti

Heinz College Professor Rahul Telang’s study, published by the Federal Trade Commission, suggests consumers not only value security, they demand it.

I’ve got good news and bad news.

The good news is that your bank was breached and some hacker now has your financial and personal information and spent several thousand dollars at Best Buy, BUT the bank caught it pretty quickly, flagged the charges, froze your account, issued you a new credit card, and promised you a provisional credit for the dollar amount lost. Hooray!

The bad news is...right, your bank was breached. Oh, and some hacker still has your personal information. Sorry.

Now, some big questions emerge for you: Stick with the bank that allowed your sensitive information to be compromised, or defect to the institution down the street? What do people do in this situation? And is the bank down the street any safer?

Heinz College professor Rahul Telang is an expert in the economics of information security and privacy. His new paper published by the Federal Trade Commission, “Security, Fraudulent Transactions and Customer Loyalty: A Field Study,” answers these questions and fills a research gap in the area. His findings suggest that it is in financial firms’ best interest to invest heavily in security not just to protect accounts, but to improve user confidence and loyalty.

Data protection: a matter of trust

Ideally, banks will take steps to protect consumer data as a course of service. Their institution has been selected by customers in a very competitive financial landscape, and there is an incentive to avoid negative outcomes and subsequent negative press. However, many would further argue that it is not just a service but a responsibility of banks to insulate customer information from exposure, and that the bank should pay a price if that trust is broken.

Consumers, it would seem, align with that sentiment. Telang’s research, which he completed in collaboration with Sriram Somanchi (Telang’s PhD student at the time), compiled a unique data set of 500,000 anonymized financial services users over a five-year period, in order to study how they reacted to adverse events.

Telang and Somanchi observed that users who had their information compromised were significantly more likely to terminate their relationship with the bank in the six months following the event, even if the user was fully compensated and thus did not suffer a monetary loss. This churn was especially seen when the bank was not able to trace the fraud to a specific party or clearly explain to the customer what had happened.

“This lack of attribution is a significant source of uncertainty for end users,” said Telang. “When the attribution is clear, the effect of fraudulent transactions [on loyalty] is much smaller.”

This would seem to indicate that it is not financial loss but rather diminished confidence that drives consumers away from banks following a breach—many are preoccupied with nagging questions regarding who was responsible for the fraud, how they pulled it off, and if fraud can occur again. These doubts translate to an emotional cost that, while non-monetary, proves to be a strong driver for customers to leave the bank.

At the same time, there is incentive for banks to stay current by rolling out online and mobile banking services, such as mobile deposit, app-based money transfer, and so on. Telang says that banks need to make these offerings as secure as they can be.

“They have to do that risk analysis. If [app-based banking] increases the chances of a fraud, are they willing to eat that fraud? Because they are ones who will eat that fraud, most of the time,” said Telang.

The costs and benefits of regulation

Financial firms have been compelled by regulations to protect customer accounts from fraudulent activity as well as to be increasingly transparent about how breaches are reported to their customers and to the public.

The costs of regulation show up in multiple ways. For one, firms must invest in identifying fraud, which most customers have come to expect. But once fraud occurs, the banks must spend resources on requisite customer service and resolution, investigation, communication, and compensation against losses.

Even if the bank was not directly responsible for a loss and does everything it can to reassure a customer, it’s still very possible the bank will lose that customer. Other research has shown that firms’ stock prices tend to suffer after a breach (though prices typically rebound).

The blend of pressure from regulations, markets, and consumers have pushed greater focus on responsibility among banks and driven investments in security. While the industry may not be thrilled to be under that microscope, consumers—whose accounts are in the crosshairs—would surely call that a step in the right direction. Certainly, those investments validate that the regulations are effective.

While banks incur costs to comply with new regulations (and therefore routinely oppose them), the resulting increase in transparency improves competition as consumers become more aware of and informed about fraud. As consumers show themselves to be willing to punish a firm for a breach, it becomes even more crucial for banks to prioritize cybersecurity.

After a breach, what can banks do?

If a bank wants to minimize the likelihood that a customer will leave following an account breach, Telang has a straightforward idea that has as much to do with customer service as it does with information security.

He suggests that banks should be as proactive as possible, and reach out to consumers about suspect transactions rather than simply reacting to users’ reports of fraud.

“It engenders more loyalty. You feel good that someone is watching out for you,” said Telang.

Aside from compensating consumers for any financial losses as the result of a fraud—which banks are typically required to do by law anyway—Telang suggests that banks should take a more personal approach in communication and follow-up to let consumers know what actions are being taken and the outcome of any investigation.

In this world of uncertainty and growing cyber crime, consumers are sure to value relationships with companies that not only invest in better security, but that extend a friendly hand when something goes wrong.


Telang and Somanchi's paper for the Federal Trade Commission is entitled, "Security, Fraudulent Transactions and Customer Loyalty: A Field Study." You can read it by following the link below.


Read Telang and Somanchi's FTC Paper