We recently commissioned a survey of 5,000 people across 10 countries to better understand how people view security when they open or use their accounts. This shows that most have become relaxed about using biometrics in order to identify themselves to a range of providers including their banks. They report they are happy to give their bank a biometric such as facial, iris, or fingerprint scans.
Independent survey of 5,000 adults, carried out on behalf of FICO, Feb 202
With acceptance of biometrics becoming mainstream, and the need for fraud protection ever front of mind, how can banks use biometrics in order to be more effective and efficient?
Intelligent Orchestration of Multi-Factor Authentication
Biometric checks can certainly be robust, but no method of authentication is completely infallible — especially when you’re faced with adaptable and clever criminals. A robust identity authentication system needs the layered controls provided by multi-factor authentication. This requires the use of two or more factors, each from a different category:
While this is best practice in many regions, in the European Union it is a regulatory requirement for many banking activities, mandated through the second Payment Services Directive (PSD2), where it is referred to as strong customer authentication.
While the deployment of layered controls is well established, the sophisticated orchestration of such controls is yet to become ubiquitous. Forward-thinking organizations will use solutions that thoroughly analyze all aspects of an activity to determine which factors to deploy for every authentication needed, based on circumstances that include:
- The location of the customer—for example, are they in an area with poor mobile signal?
- Customer preferences—for example, does your customer have trouble scanning their fingerprint?
- Cost—if you are already reasonably sure it’s your customer, will a lower-cost but less robust authentication method be enough?
- Fraud—do you need to change your approach to thwart a change or increase in attacks?
The Importance of Context
While an accurate decision may be possible in most cases, those that fall into a grey area are more complicated and getting it wrong can have serious consequences. Either you are letting criminals set up and access accounts or you are stopping legitimate customers from opening accounts or using their existing accounts. For these borderline decisions, the more information you have, the more likely you are to get it right.
Authentication decisions can be supported by other information you have about the customer and their circumstances. For example, if your fraud analysis suggests that the customer is making an atypical transaction and the biometric required to initiate a payment is also questionable, it bolsters a decision to deploy step-up authentication or stop the transaction. Similarly, if a biometric authentication is questionable but you know that the person is in the same geographical location where they made a legitimate EMV (chip and PIN or chip and signature) transaction five minutes before, you can make the decision not to invoke step-up authentication or simply send them an SMS or app message to check.
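The factor-selection circumstances listed above and the context-based step-up reasoning in this paragraph, combined into one small policy engine. This is an added example, not FICO's product logic or any bank's real policy: the factor names, their relative costs, the 0..1 score scales and every threshold are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Added example (not FICO's code): a risk-based authentication policy that
# picks an outcome and, where needed, a step-up factor from the circumstances
# described in the text. Factor names, costs and thresholds are assumptions.


class Decision(Enum):
    ALLOW = "allow"        # let the activity proceed
    NOTIFY = "notify"      # proceed, but confirm by SMS / app message
    STEP_UP = "step_up"    # require an additional factor before proceeding
    BLOCK = "block"        # refuse


@dataclass
class AuthContext:
    biometric_score: float                            # 0..1 confidence from the primary (inherence) factor
    fraud_risk: float                                 # 0..1 from the transaction fraud model
    minutes_since_emv_nearby: Optional[float] = None  # recent chip-and-PIN tx in the same place, if any
    poor_mobile_signal: bool = False                  # location: weak coverage makes SMS / push unreliable
    fingerprint_trouble: bool = False                 # customer preference / known difficulty
    attack_wave: bool = False                         # fraud team has raised the alert level


# Step-up factors with an illustrative relative cost and the category each belongs to.
FACTORS = {
    "sms_otp":         {"cost": 1,  "needs_signal": True,  "category": "possession"},
    "app_push":        {"cost": 1,  "needs_signal": True,  "category": "possession"},
    "fingerprint":     {"cost": 2,  "needs_signal": False, "category": "inherence"},
    "face_liveness":   {"cost": 3,  "needs_signal": False, "category": "inherence"},
    "agent_questions": {"cost": 10, "needs_signal": False, "category": "knowledge"},
}


def eligible_factors(ctx: AuthContext, used_category: str):
    """Factors the customer can complete right now, from a category not already used."""
    out = []
    for name, meta in FACTORS.items():
        if meta["category"] == used_category:
            continue  # multi-factor means a *different* category
        if meta["needs_signal"] and ctx.poor_mobile_signal:
            continue  # location: no point sending an SMS they cannot receive
        if name == "fingerprint" and ctx.fingerprint_trouble:
            continue  # customer preference
        out.append(name)
    return out


def choose_step_up(ctx: AuthContext, used_category: str = "inherence") -> Optional[str]:
    """Cheapest usable factor normally; the strongest (costliest) one during an attack wave."""
    cands = eligible_factors(ctx, used_category)
    if not cands:
        return None
    cost = lambda n: FACTORS[n]["cost"]
    return max(cands, key=cost) if ctx.attack_wave else min(cands, key=cost)


def decide(ctx: AuthContext) -> Tuple[Decision, Optional[str]]:
    """Combine fraud risk, biometric confidence and corroborating context into one outcome."""
    if ctx.fraud_risk >= 0.9:
        return Decision.BLOCK, None
    questionable_bio = ctx.biometric_score < 0.7
    atypical_tx = ctx.fraud_risk >= 0.5

    if questionable_bio and not atypical_tx:
        # A legitimate card-present transaction in the same place minutes ago
        # corroborates the customer: skip step-up, just confirm out of band.
        if ctx.minutes_since_emv_nearby is not None and ctx.minutes_since_emv_nearby <= 10:
            if ctx.poor_mobile_signal:
                return Decision.ALLOW, None
            return Decision.NOTIFY, "app_push"

    if questionable_bio or atypical_tx:
        # Either signal alone is enough to ask for more; both together certainly is.
        factor = choose_step_up(ctx)
        return (Decision.STEP_UP, factor) if factor else (Decision.BLOCK, None)

    return Decision.ALLOW, None
```

Note how the cost consideration only comes into play once the engine has decided a step-up is needed at all: a customer it is already reasonably sure about gets the cheapest usable factor, while an attack wave flips the selection to the strongest one the customer can actually complete.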
For many financial institutions, sharing the data required to make these more informed decisions throughout the organization is difficult. Taking a siloed approach to data sharing and maintaining multiple legacy fraud and money laundering systems means that knowledge in one area is never transferred. For example, it isn’t unheard of for one part of a financial institution to close an account due to fraud, only for another part of the same organization to open a new account for the fraudster. To take advantage of such contextual knowledge, financial institutions must have fraud, identity authentication, and communication systems that work together.
Consider Using ‘On Server’ Analytics
The ubiquity of mobile phones gives users a tool to capture their biometric data with capabilities that allow facial images and fingerprints to be assessed—for example, to unlock a phone—which is convenient and fast. The question is, can financial institutions rely on the level of surety provided by the device provider?
This was illustrated in October 2019 when several UK banks withdrew support for fingerprint authentication for Samsung Galaxy S10 phones. In the Samsung case, this meant customers were no longer able to use their fingerprint to access their banking app.
To ensure sufficiently robust authentication, financial institutions may need to take analysis of the biometrics into their own environment. Biometric authentication generally relies on the use of templates: this technique takes data points from the biometric and creates a mathematical representation, and at future interactions the presented biometric is compared to this template. When device providers use templates for comparison, they control the constituents of the template and the number of data points used – these may not be enough for financial institutions that have more faith in their own templates.
Financial institutions may also want to deploy more sophisticated AI and machine learning analytics than are available on-device. The right analytics can provide a higher degree of accuracy to stop fraudsters getting through and limit disruptive false positives. An additional benefit of holding the templates for comparison within the financial institution’s environment is that if a customer changes or loses their device, the underlying ability to authenticate them is still in place.
More Precise Analytics
It is well recognized that a rote correspondence between a newly generated image and a stored reference image is insufficient. The machine learning algorithm in the background must account for variations in the way a face, fingerprint, or voice will present. Presentation will be affected by ambient conditions or the user’s mood, health, or age.
One of the variables that image-based biometric systems should be trained to flag as suspicious is a match that is too perfect to the reference image. Images should be expected to vary, even under perfect conditions, and that natural variation should be taken as evidence of authenticity.
Recent innovations have focused on the development not only of an image or voiceprint, but on building a more comprehensive biometric profile, using multiple variables (static and behavioral). The profile represents the customer’s biometric history, which the system can use for calibration. Thus, a wider range of variation in the data can be considered and a range of deviation calculated that provides a score for authenticity.
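The template mechanism from the 'On Server' section, the too-perfect-match check, and the history-calibrated tolerance described in this paragraph, worked through in one runnable example. This is added illustration, not FICO's or any vendor's matching code: real systems derive feature vectors from a face, fingerprint or voice model, whereas the four-element vectors here are hand-constructed stand-ins, and the cosine distance, the `mean + k*sd` calibration and the replay floor are all assumptions chosen to make the logic visible.

```python
import math
import statistics

# Added example (not FICO's code): biometric templates as feature vectors.
# The vectors below are constructed stand-ins for a real model's output.


def cosine_distance(a, b):
    """0.0 for vectors pointing the same way, 1.0 for orthogonal ones."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return 1.0 - dot / (na * nb)


def enroll(samples, k=3.0, min_tolerance=0.01):
    """Build a profile from several enrollment captures.

    The template is the centroid of the captures. The tolerance is calibrated
    from how far the customer's own captures scatter around that centroid
    (mean + k * sd), so each customer gets a per-person threshold rather than
    one global one. The raw captures are kept as reference images.
    """
    dim = len(samples[0])
    centroid = [statistics.mean(s[i] for s in samples) for i in range(dim)]
    history = [cosine_distance(s, centroid) for s in samples]
    tolerance = max(statistics.mean(history) + k * statistics.pstdev(history), min_tolerance)
    return {"centroid": centroid, "references": [list(s) for s in samples],
            "history": history, "tolerance": tolerance}


def verify(profile, presented, replay_floor=1e-6):
    """Compare a presented capture against the profile.

    Status is 'replay_suspected', 'match' or 'no_match'. A capture that is
    (near-)identical to a stored reference is treated as suspicious: genuine
    captures always vary a little, so a perfect match looks like an injected
    or replayed image rather than a live presentation.
    """
    nearest_ref = min(cosine_distance(presented, r) for r in profile["references"])
    distance = cosine_distance(presented, profile["centroid"])
    if nearest_ref < replay_floor:
        status = "replay_suspected"
    elif distance <= profile["tolerance"]:
        status = "match"
    else:
        status = "no_match"
    return {"status": status, "distance": distance,
            "nearest_reference": nearest_ref, "tolerance": profile["tolerance"]}


def update_profile(profile, presented, **calibration):
    """After a confirmed genuine interaction, fold the capture into the history and recalibrate."""
    return enroll(profile["references"] + [list(presented)], **calibration)


# Constructed enrollment captures for one customer (four captures, four features each).
ENROLLMENT = [
    [0.9, 0.1, 0.3, 0.2],
    [0.8, 0.2, 0.3, 0.1],
    [1.0, 0.1, 0.2, 0.2],
    [0.9, 0.2, 0.4, 0.1],
]

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    print(verify(profile, [0.85, 0.15, 0.35, 0.15]))  # slightly different: match
    print(verify(profile, [0.3, 0.8, 0.2, 0.5]))      # someone else: no_match
    print(verify(profile, [0.8, 0.2, 0.3, 0.1]))      # byte-for-byte reference: replay_suspected
```

Because the institution holds the centroid, the references and the history itself, nothing here depends on the customer's handset: a lost or replaced device changes nothing about the ability to verify them, and the tolerance can be tuned with models richer than an on-device comparator would allow.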
Research is also discovering ways biometric data can be applied not just to individuals but to archetypes— biometric characteristics that may be common to various classes of known fraud actors, or simply to behavioral personas. Accountholder populations are segmented into psychographic personas that have measurable behavior patterns in common—these are known as archetypes. In addition to spotting deviations from an individual’s normal patterns, the model detects when an interaction veers outside the norms of behavior that would be expected for that customer’s archetype.
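The two-baseline idea in this paragraph, a customer's own norm and their archetype's norm, as an added example rather than FICO's model. The behavioural features, the persona, every session value and the z-score limits are constructed; the point it adds beyond the text is the edge case of a customer with too little history, who can only be judged against the archetype.

```python
import statistics

# Added example (not FICO's code): behavioural z-scores against two baselines.
# Feature names, the persona and all session values are constructed.

FEATURES = ("key_interval_ms", "swipe_px_per_s", "login_hour")

# Floor on the spread per feature, so a customer whose history happens to be
# very uniform is not flagged for a trivially small change.
MIN_SPREAD = {"key_interval_ms": 5.0, "swipe_px_per_s": 20.0, "login_hour": 1.0}


def baseline(sessions):
    """Per-feature (mean, stddev) from a list of session dicts."""
    base = {}
    for f in FEATURES:
        vals = [s[f] for s in sessions]
        base[f] = (statistics.mean(vals), max(statistics.pstdev(vals), MIN_SPREAD[f]))
    return base


def archetype_baseline(population):
    """An archetype's norm is the pooled history of every customer assigned to that persona."""
    pooled = [s for sessions in population.values() for s in sessions]
    return baseline(pooled)


def zscores(base, session):
    return {f: (session[f] - base[f][0]) / base[f][1] for f in FEATURES}


def assess(customer_sessions, archetype_base, session, min_history=3, z_limit=3.0):
    """Flag features of `session` outside the customer's own norm and/or the archetype norm.

    A customer with too little history is judged against the archetype only:
    a brand-new account has no personal baseline yet, so the persona's norms
    are the only yardstick available for that first interaction.
    """
    flags = []
    enough_history = len(customer_sessions) >= min_history
    if enough_history:
        for f, z in zscores(baseline(customer_sessions), session).items():
            if abs(z) > z_limit:
                flags.append((f, "individual"))
    for f, z in zscores(archetype_base, session).items():
        if abs(z) > z_limit:
            flags.append((f, "archetype"))
    return {"flags": flags, "used_individual_baseline": enough_history}


def session(key_ms, swipe, hour):
    return {"key_interval_ms": key_ms, "swipe_px_per_s": swipe, "login_hour": hour}


# Constructed population for one persona: morning-commute mobile users.
COMMUTERS = {
    "A": [session(120, 800, 8), session(130, 850, 8), session(125, 820, 9)],
    "B": [session(110, 780, 7), session(115, 790, 8), session(120, 810, 8)],
    "C": [session(135, 900, 9), session(140, 880, 8), session(130, 860, 9)],
}


def demo():
    arche = archetype_baseline(COMMUTERS)
    normal = assess(COMMUTERS["A"], arche, session(128, 830, 8))    # A behaving as usual
    atypical = assess(COMMUTERS["A"], arche, session(60, 830, 8))   # far faster typing than A or the persona
    newcomer = assess([session(125, 820, 8)], arche, session(125, 820, 3))  # one prior session, 3 a.m. login
    return normal, atypical, newcomer


if __name__ == "__main__":
    for label, result in zip(("normal", "atypical", "newcomer"), demo()):
        print(label, result)
```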
The use of biometrics in banks is growing and developing quickly; organizations wishing to realize the undoubted benefits must keep track of new technologies, consumer attitudes, regulatory changes and fraud trends. Look out for the results of our comprehensive study of 5,000 people in 10 countries (coming soon!) and have a read of our series of three white papers looking at how biometrics are being implemented and developed in financial services organizations.