was successfully added to your cart.

Biometrics for banking – best practices, drivers and barriers to adoption

By November 22, 2018

As banks seek to better identify new customers, securely authenticate their existing customers, verify identity for high-value transactions and combat fraud, they are increasingly adopting biometric technology and deploying these systems across a wide variety of banking channels; from the traditional, physical branch to the latest digital platforms. And, as our research at Goode Intelligence shows, biometric technology is proving to be the only reliable method to identify, authenticate and secure bank customers in all channels.

Significant digital events mean that the environment for the adoption of biometrics in banking has evolved rapidly with the result that the market is now quite different to just three years ago. These events include the Open Banking revolution where banks are being forced, either by regulation such as the EU’s PSD2 or by pressures from FinTech providers, to open up their digital infrastructure to third parties using APIs.

Open banking is also driving the need for seamless methods for banks to engage with their clients and enhance their experience. Proving who the customer is (identity) and gaining access to their authorised banking services (authentication) must be convenient, enable them to access banking services any time, any place, anywhere (the Martini principle) and make sure that fraud levels are kept at acceptable levels. It’s in these three inter-connected areas of identity verification, authentication and fraud management that biometrics is really establishing itself as an important tool for banks and FinTech suppliers to deploy. As Cheng Li, CTO of Ant Financial speaking at Money2020 Asia said, “KYC and authentication are still the pain points for customers to get digital financial services.”

The trends driving adoption are numerous and include:

The rise of mobile and multi-modal mobile-based biometric authentication

Mobile banking is a real growth area and banks are moving away from legacy authentication technology, including passwords and hardware tokens, to more agile and convenient methods more suited to the mobile device. Biometrics is one technology that is seeing rapid growth as a password and token replacement. A mixture of on-device (local authentication) and in-cloud (Biometric Identity as a Service –BIDaaS) biometric technologies are being utilised to enable banks to comply with strict financial regulations and reduce the friction of identifying and authenticating their customers through the mobile channel.

 The arrival of biometric bank cards – say goodbye to the PIN

Fuelled by the growth in contactless payments for small purchases, these cards are expected to impact traditional payment cards and the way customers use them. Equipped with fingerprint sensors, they are seen to be a viable and convenient solution to strengthen security without damaging customer experience.

Biometric cards are also seen as a bridge to mobile banking services in developed world scenarios and linked to National ID (NID) schemes where supported – cards are still a vital part of a bank’s delivery mechanism.

Adoption by the banks

Biometric adoption is taking place in all bank channels supported by open banking APIs, regulation such as PSD2 that supports the use of biometrics in multi-factor authentication scenarios, and IoT devices that support voice and increasingly face biometrics.

Deployment of biometric platforms

We are beginning to see deployment of single biometric platforms to support multiple bank channels and identity, authentication and fraud management functions. A single biometric platform that supports multiple biometric modalities that can match the relevance of the channel; voice for contact centre and IoT, multi-modal for mobile and web, fingerprint or vascular for ATM.

Growth of biometric identity verification (proofing) harnessing mobile face biometrics

Biometric technology is increasingly being used to aid online identity verification especially to facilitate digital on-boarding for new bank account opening. In accordance with AML and KYC regulation a bank needs to verify the identity of people who want to open a new account or banking service. Trusted identity documentation such as passports, driver licences or national identity documents, with proof of address had to be physically presented. For banks seeking to streamline this process and move the identity verification online (digitally) the AML and KYC regulations proved problematic.

To enable digital customer on-boarding and to comply with AML and KYC regulations, banks are turning to a combination of electronic document and identity verification (eIDV) and biometric identification. In the USA, this is being aided by the repeal of the Dodd-Frank legislation and its replacement by the Economic Growth, Regulatory Relief, and Consumer Protection Act (May 2018).

This law removes many of the regulations imposed on banks in the wake of recession and is applicable to digital onboarding using mobile devices. The new law includes a provision called the MOBILE Act (Making Online Banking Initiation Legal and Easy). This provision makes it easier for banks to onboard new customers remotely without the need for them to travel to a branch to complete the process. Banks are able to support digital customer onboarding using identity verification mechanisms including ID document verification (scanning in passports and driver licences).

Tighter integration between solutions

There is now tighter integration with fraud detection, fraud management and risk-based authentication solutions including adoption of behavioral biometrics / analytics.

Different speeds of adoption and regional differences

For example:

  • Mobile will drive the market in the EU, North America and China
  • Where a region has a mature National ID (NID) system that supports biometrics for identification, we’ll see use of these systems by banks seeking to leverage this infrastructure resulting in biometrics as a service operated jointly by the private sector and the state
  • Industry regulation will start to specifically reference biometrics as part of its guidance on two and multifactor authentication e.g. EU PSD2, USA FFIEC guidelines and Bank of China and Korea legislation

 Growth of face biometrics

 The growth of face biometrics as a biometric technology that is versatile and can support identity verification and authentication. There have been great strides in the development of accurate and spoof-resistant facial recognition solutions aided by Machine Learning (ML) and Artificial Intelligence (AI) technologies both in-chip and in-cloud. These improvements have resulted in greater confidence from banks in deploying this technology for a range of applications and use cases.

Artificial Intelligence and machine learning

Leveraging the power of machine learning (ML) and Artificial Intelligence (AI) technology to improve biometric performance and spoof / liveness detection. This is essential for banks to have the assurance that biometric technology is spoof resistant and reliable.

ATM solutions

Cash is still king in many regions and the ATM is the main delivery mechanism. The adoption of biometrics for ATM access will increase in regions where it has already been deployed (Japan, Eastern Europe and South America) and will start being deployed in other regions where the PIN is still the predominant authentication mechanism. This includes leveraging the biometric capability of a smartphone to provide out-of-band biometric authentication (OOBBA) when accessing ATMs and the emergence of biometric payment cards.

Despite strong growth in the adoption of biometrics in banking there are still a number of barriers that are holding growth back. The main barriers to adoption include:

Anti-spoof and liveness detection weaknesses

Most smartphone-based biometric systems have been attacked successfully including Apple’s latest facial recognition system, Face ID. Whether they offer criminals a scalable attack vector is questionable but this may restrict banks in adopting the technology for higher-risk banking transactions.

 Privacy concerns

Biometric data is about as personal as you can get and if you cannot adequately protect it from unauthorised access then there will be serious security and privacy concerns. Biometric data is also classified as personally identifiable data and must be protected in accordance to data protection laws, including EU GDPR.

 In addition, some regions may disqualify biometrics from being used for certain bank functions.

 Lifecycle management

A biometric authentication and identity solution should support a manageable lifecycle that ensures that it is easy to revoke a biometric in the event of a security incident or a stolen mobile device.

Best practices for implementing biometric technology in the banking world

So what are the best ways to use biometric technology to identify, authenticate and secure bank customers in all channels while at the same time enhance customer experience and convenience?

The first key area is biometric identity and document verification. Increasingly being used to aid online identity verification, biometrics can especially facilitate digital on-boarding for new bank account opening. In accordance with AML and KYC regulation, a bank needs to verify the identity of people who want to open a new account or banking service. Traditionally, you needed to physically present trusted identity documentation such as a passport, driver licence or national identity documents, alongside proof of address – usually in the shape of a utility bill. For banks seeking to streamline this process and move the identity verification online (digitally), the AML and KYC regulations proved problematic. To enable digital customer on-boarding and to comply with AML and KYC regulations, banks are turning to a combination of electronic document and identity verification (eIDV) and biometric identification.

Another area that delivers outstanding results is continuous customer authentication. Biometric technology is fast becoming the glue that binds this technology together; passively verifying a person’s voice while they talk to their smart speaker and allowing them to pull up their latest account balance with a voice command, then actively requesting a face or palmprint when the bank’s risk engine decides that a money transfer request is outside the normal risk appetite – for example, that rideshare through the streets of central London is a riskier transaction than the one initiated at home. This linking of fraud management, adaptive authentication and a choice of passive and active biometric tools will be crucial for banks seeking to engage with their customers and achieve their business performance goals.

Biometrics technology is also supporting emerging bank channels. The availability of secure banking APIs is allowing third parties to integrate banking services into their devices and services allowing bank customers to better manage their day-to-day finances. Goode Intelligence predicts that with the rise of smart home voice-controlled devices, Amazon Echo, Google Home and Apple Homepod, this will led to an explosion of conversational commerce banking applications that will use voice biometrics to identify bank customers.

Millions of bank customers in countries such as Brazil and Japan are eliminating the use of a PIN, and often the card, when they access banking services at ATMs and other unattended banking terminals. Banks with the assistance of their ATM hardware providers have integrated biometric sensors including fingerprint readers, finger and palm vein sensors, cameras for facial recognition and iris scanners to enable their customers to securely and conveniently withdraw cash and gain access to other banking services from these bank terminals. With so many branches under rapid automation, biometrics enables branches to transform themselves and stay relevant.

Fraudulent access to bank services via contact centres using a mixture of social engineering and the use of stolen bank credentials, including knowledge-based authentication credentials, is an ongoing problem for banks. Voice biometric solutions have the ability to identity these fraudsters and also passively recognise authorised customers.

In summary, biometrics for banking is increasingly a vital part of a bank’s toolkit in the never ending task of reducing financial fraud and ensuring that their customers can conveniently prove their identity when accessing bank services across a complex mixture of physical and digital channels – smarter identity verification and authentication for the customer-first bank. Biometric technology is already being rapidly deployed to support a wide range of banking services, from the traditional – ATMs and branches – to the new banking channels of mobile and IoT. Customer experience and convenience are major drivers for the adoption of biometrics by agile third parties seeking to differentiate their services with each other – it will be an ultra-competitive market and biometric authentication could prove to be a key differentiator.

The emergence of new channels is being driven by the Internet of Things (IoT) and we are only at the beginning of a movement that allows bank customers to access banking services from a wide range of intelligent connected devices that include the smart home, smart car and smart city. As a result of the availability of biometric technology, banks are rushing to support biometrics in a variety of applications. Goode Intelligence forecasts that by 2020 biometrics will be in use by 1.9 billion bank customers around the world with US$4.8 billion in revenue for companies involved in delivering biometric systems to the banking industry.  However, treating biometrics as an important tool for banks, rather than thinking of it as a silver bullet, is vital in ensuring that digital transformation projects that leverage biometric technology are successful.