How can a business tell that you are who you say you are, in the fastest, most consistent and most effective way?
Along with cybersecurity, this may be the hottest topic in financial crime and fraud prevention today: authentication. As one of the founders of the MIDAS Alliance, I’ve just spent a day with experts at the front lines of this topic, as we met in the auspicious surroundings of the Reading Room at the Law Society in London’s Chancery Lane.
The MIDAS initiative seeks to redress the disparity between regulation, especially European regulation, and the practical capabilities of the payments sector to meet onerous new authentication requirements in a sensible and cohesive fashion. Interest in this topic brought together more than 60 registered attendees to hear from representatives of the British Standards Institute (www.bsigroup.com), the Payment Systems Regulator Advisory Panel, Identity Assurance Programme (IDAP) provider Experian, biometrics specialists Facebanx, and the Conservative Technology Forum, amongst others.
The focus of the day was creating a new standard. In a lively discussion, the payments sector and the respective regulators were encouraged to “broaden their horizons” in considering the holistic impacts of a new standard. They were also asked to ensure that any well-meaning creation of an initial Publicly Available Specification draft does not have unintentional knock-on consequences for other actors in the payment and identity assurance space.
The multi-factor identification requirements being introduced through SecuRe Pay by the European Central Bank mean that payment facilitators are having to widen their security thinking from traditional user names and passwords to a broader church of factors: something a customer has, something a customer knows, something a customer is. Biometrics are seen as a logical extension for helping to secure financial payments and provide identification assurance, but the approach there may – for organisations with legacy systems and processes – be a significant technological challenge, especially where biometrics need to be multi-modal (e.g., fingerprint, face recognition, voice recognition, iris scanning, “live-ness” tests or whatever).
While biometrics for authentication has gained increasing acceptance through Apple Pay, and also elsewhere in society such as at border controls, wide-scale implementation in the payments space may not occur for many years. Indeed, one only has to reflect on the slow pace of adoption for chip and PIN in the past to realise that a new technology-reliant change may be the long game.
The presenters and attendees also tackled the thorny subject of achieving relative anonymity of payment data (to help prevent compromise) versus the compliance needs surrounding Know Your Customer, anti-money laundering and, especially, counter-terrorist financing. There was also a sense that, for reasons of customer choice as well as inclusiveness, there is a need to consider exceptions management for those unable to validate and verify their bona fides through any new means adopted. We also need to factor in commonality of authentication challenges across channels, so that organisations observe the principles of accessibility and Treating Customers Fairly (TCF), and fraud does not simply migrate to the weakest link.
This many-faceted topic is exercising some of the industry’s most experienced advisors. But the journey toward common standards is gathering pace.