How Monzo is rewriting the rulebook when reporting data breaches

Monzo is one of a new breed of digital-only UK challenger banks, and it is ripping up the rulebook when it comes to informing customers of technical issues - but can its attitude towards total transparency change attitudes in an inherently risk-averse industry?

Take 29 June as an example, when Monzo tweeted to its 60,000 followers: "We were notified this afternoon that Typeform, a company we've used to collect survey results in the past, suffered a data breach. No-one's bank details have been affected, and your money and account are safe."

The company's CEO Tom Blomfield followed up: "We were alerted of a @typeform breach a couple of hours ago. I've just emailed affected @monzo customers letting them know that some limited personal details (mainly email addresses) have been leaked - we used Typeform in the past to conduct surveys."

Ripping up the playbook

Tristan Thomas, head of marketing and community at Monzo, explained to Computerworld UK that when it comes to reporting issues, most risk-averse organisations tend to wait until they have all the information before telling customers. Monzo, on the other hand, asks: "What do we know now that we can get across?"

When communicating with customers Monzo always looks to give as much detail as possible, which often means throwing a supplier under the bus.

"We aren't trying to point the finger at third parties," Thomas said. "We often take the blame on ourselves even if they are at fault. The key is helping customers understand what is happening so that they can protect themselves."

He gives the example of the recent Mastercard outage, where Monzo tweeted: "The Mastercard network had a partial outage starting at 6:05pm that caused some payments to decline. We are seeing card payments succeed as of 7:40pm, Mastercard have told us that the issue has been resolved. Thank you so much for your patience ❤."

Monzo kept its customers informed via its social channels in this instance and will sometimes publish a blog post for a more detailed breakdown of what went wrong after the fact.

The bank can also alert users within its mobile app if the issue is major by displaying a banner. It also maintains an issue status page showing the status of everything from the core app and public API, to bank transfers and card payments, complete with a full history of past incidents.

Changing the rules

Other, established UK banks tend to take a more reactive approach when it comes to technical issues afflicting their customers.

Take Barclays for example, which has a far more passive approach, employing an army of customer service and social media agents to respond to customer issues case by case.

If there is an issue, UK banks tend to apologise first and explain never. Monzo, on the other hand, publishes blog posts like this one: Protecting customers from the Ticketmaster breach: Monzo's story.

In the wake of a data breach at the ticketing website Ticketmaster, many users' bank details were subsequently at risk. Monzo noticed the issue at the time and sent out new cards to those affected, but, going beyond standard practice, it also published a blow-by-blow account of that investigation.

In the post, Natasha Vernier, head of financial crime at Monzo writes: "We spotted signs of this breach back in early April and proactively replaced the cards of all Monzo customers who could have been affected, so our customers have nothing to worry about.

"In the spirit of transparency, we want to share what happened, and what we did to protect our customers behind the scenes."

In what reads like Monzo's All The President's Men moment, Vernier explains how: "After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.

"Within four and a half hours, the team rolled out updates to our fraud systems to block future transactions on other customers' cards that looked suspicious in a similar way. That evening, we reached out to other banks and the US Secret Service (who are responsible for credit card fraud in the US) to let them know what we'd seen and ask if they'd seen anything similar. At the time, they hadn't."

That post received 97 comments, most overwhelmingly positive regarding Monzo's approach to pulling back the curtain when issues like this arise.

Thomas doesn't point the finger at the established banks for their approach, however, saying: "I don't think it's nefarious, it's just a case of that being how things have always been done and why should it change? In general it is a slow-moving industry and that makes it difficult to effect change. I think that's the case here and before smartphones you couldn't tell people when things were happening and that simply hasn't changed."

"I really hope that as we grow and go from a small bank to a large one that we can effect that change in the industry."

How not to do it

This isn't just because Monzo has the benefit of being a startup, though; some startups can be the worst practitioners of hiding breaches from their customers.

Last year, as the ride hailing company Uber was fighting multiple public relations fires, it emerged that the company had hidden a 2016 customer data breach affecting 57 million customers and drivers.

This case of chickens coming home to roost could have been easily avoided with a more transparent approach taken upfront, but Uber's culture didn't exactly value transparency and honesty under Travis Kalanick's leadership.

Monzo must be doing something right then, as it has recently surpassed 500,000 current account users and has a net promoter score - the likelihood of customers recommending it to someone else - 74 points above the UK average for a bank.

Obviously this encompasses far more than simple transparency, but the bank's approach here reflects its general approach to customers: that they deserve to be told the truth, as long as you work as hard as possible to resolve any issues as quickly as you can.

Thomas says this approach is simply baked into the way Monzo does things. "It's integral to every way we run the business," he said.

"We try to be even more transparent internally and that means ensuring emails that people send are copied into so people can see and get the same context as everyone else. That goes the same for meetings and decisions, we try to be totally transparent so that everyone has the same information that Tom [Blomfield] has."

Copyright © 2018 IDG Communications, Inc.
