TRENDING: Biometrics for Authentication
As developing economies continue to grow along with the need for instant-access information, the demand for consumer-led high-technology solutions cannot be ignored. In fact, this evolution can be considered a driver of growth for new technologies and advancements in existing digital security measures.
One result of this global movement can be seen in the adoption of biometrics as a verification tool across multiple industries, including banking. Biometrics can take a physical form, such as a fingerprint or facial features; or it can be behavioral, such as a person’s voice. Incorporation of biometrics in this space helps to maximize customer security with truly unique verification components, as well as providing a more seamless execution of day-to-day activities without the need to remember or to worry about passwords or other sensitive information being compromised.
In this article we will explore:
* The latest in biometrics trends within financial services;
* Where Asia fits on the global adoption scale;
* How Asian firms can stay ahead of the game.
Fingerprint and voice authentication for processing payments and mobile banking has become increasingly popular around the globe. Popular products such as Apple Pay, Android Pay and WeChat Pay allow mobile phones to scan and capture fingerprints as a method of personal verification.
Apple Pay: Touch ID Fingerprint verification for payment
In 2013, Apple launched the Touch ID device in its iPhone products. The Touch ID device can scan a user’s fingerprint and store the fingerprint inside the iPhone chip. After the fingerprint is recognized and stored, users can use their fingerprint as an authentication tool. Apple Pay is making use of this technology for payment. Users first need to link a credit card to the Apple Pay account. At the time of payment, users need to scan their fingerprint by using the Touch ID device. The Touch ID device will then match the fingerprint with the one which is stored in the iPhone chip. The authentication is completed and the payment will proceed if it is a successful match. By using this technology, Apple Pay allows instant payment without using the one-time password (OTP) and can also reduce the risk of identity fraud.
WeChat Pay: Sense ID Fingerprint authentication
In 2016, Qualcomm announced that its subsidiary Qualcomm Technologies would support hardware-backed biometric fingerprint authentication to conduct online transactions on WeChat’s mobile payment platform using their Sense ID technology. Sense ID uses ultrasound to penetrate the outer layers of skin and creates a 3D map of the unique traits of the user’s finger. This ultrasonic technology is claimed to be more secure in that it can even detect blood flow under the skin and alert the software that the fingerprint is indeed real and part of a living person. This is different from Apple Pay’s Touch ID, which uses capacitive touch to detect and create a 2-D image of the user’s fingerprint.
FIs, such as HSBC, Barclays, Bank of America, and RBS, have developed their own mobile banking apps allowing customers to use their fingerprint as an authentication tool.
In addition to fingerprint, FIs are also using voice verification technology to replace PINs, passwords, and memorable questions for their phone banking services. For example, Charles Schwab in the US and HSBC in the UK will offer this service to their banking customers, approximately 10 million and 15 million, respectively.
Charles Schwab voice ID - Voice verification for phone banking
Charles Schwab in the US launched voice ID in April 2016, allowing customers to access their accounts using their voice instead of PINs and identity verification questions. Users enroll by repeating the phrase “At Schwab, my voice is my password” 3 times. The voice recognition technology will then record different behavioral and physical vocal traits unique to the customer’s voice. Later on, when customers want to access mobile banking services, they only need to repeat “At Schwab, my voice is my password” and the voice ID system will match the vocal traits with those which were recorded upon signing up. This service is meant to be faster and more convenient for customers to securely identify themselves when using phone banking services.
Current Environment in Asia
In 2014, Global Industry Analysts named Asia as the largest and fastest growing market for biometrics in the banking and financial services industry. On par with global trends, voice and fingerprint authentication is also popular within the APAC region, as seen with Apple Pay and WeChat Pay, which both allow fingerprint authentication. For voice authentication, Citibank has recently launched voice biometric technology for its consumer banking customers in Hong Kong, Taiwan, Australia and Singapore and is planning to roll out to 12 more countries in the Asia-Pacific region.
Citi Voice Recognition in customer banking
Citibank has launched Voice Biometrics Authentication in Singapore, Australia, Hong Kong, and Taiwan, with plans to continue the rollout across Asia Pacific through 2017. Similar to Charles Schwab in the US, customers who want to use voice recognition will need to sign up and record their voice. Upon accessing banking services, the voice recognition technology will match the customer’s voice. However, instead of repeating a phrase for verification, customers who call into the CitiPhone Banking service hotline will be verified within 15 seconds while speaking to the CitiPhone officers. According to Citi, it is estimated that this technology can reduce the time spent verifying customer identities by 66%.
Room for Improvement
Leading in the physical world but lagging in the digital world
While Asia may be considered an early adopter when it comes to the use of biometrics in the physical world, such as ATMs and bank branches, the region has been lagging in the digital space, specifically around online or mobile banking capabilities.
According to a Text Road Publication Report from 2012, among the banks which have adopted biometric technologies, 52% of them are located in Asia. As early as 2006, Citibank introduced ATM verification using biometrics in India. In the same year, Mizuho Bank, Sumitomo Mitsui Banking and the Bank of Kyoto introduced finger and palm vein verification to increase security for customers using their ATMs.
Source: Text Road Publication Report 2012
Despite being a leader in biometrics, a report by McKinsey pointed out that Asia’s banks were generally lagging behind the rest of the world when it comes to digital banking. Only in the last 10 years or so have Asian FIs caught on to the digital banking movement. According to a projection by Digital News Asia, by 2020 approximately 15% of customers in Asia will be open to using digital-only banks, compared to the estimated 25% in the UK according to a report prepared by Accenture.
Large differences between countries
Adoption rates are inconsistent across the region. India and Japan have embraced biometric technologies, whereas Hong Kong is only recently getting involved in biometrics and other digital or FinTech initiatives from a banking perspective.
As of 2010, Japan had already installed more than 80,000 biometric ATMs, serving over 15 million customers. In India, the government launched a digital ID project for all of its residents. Those who want to apply for a digital ID will need to provide biometric data to the government. Through this project, launched in 2009, the Indian government established a biometric database spanning its population. This database is now used in certain aspects of Know Your Customer (KYC) processes, which allows electronic and instant identity verification. This practice is rarely found in other parts of the world.
On the other hand, the Hong Kong Monetary Authority only released guidelines for FIs to use a Fintech Hub (Sandbox) earlier this year to facilitate the adoption of biometrics and other digital initiatives taken on by FIs. An example of the region’s slow adoption can be seen with biometric online payments, as Apple Pay was only made available in Hong Kong almost 2 years after its initial launch in 2014.
Challenges faced by Asia
Some countries in Asia have strict regulations surrounding biometric data, which increases the difficulty of implementing biometric initiatives. Regulators have concerns about the privacy, retention and security of biometric data. In Hong Kong for example, under the “Data Privacy Protection Ordinance” (PDPO), the government has published a “Guidance on Collection and Use of Biometric Data”, which clearly states the conditions for collecting biometric data. Below are some key requirements:
- The collection of biometric data is “necessary and not excessive”. A privacy impact assessment is encouraged to help determine what is “necessary and not excessive”.
- Strong justification is required if biometric data is to be collected from a large number of individuals.
- Data users should not use an individual’s biometric data for any purpose other than the original purpose for which it was intended at collection (including disclosure to third parties).
- Data users should regularly and frequently purge biometric data once it is no longer required for the purpose for which it was collected.
- All reasonably practicable steps shall be taken to ensure that personal data held by a data user is protected against unauthorized or accidental access.
Moreover, FIs and their customers need to realize the added value of these technologies prior to adoption. While digital advances may help increase the quality of day-to-day life for consumers, the fear of identity theft and concern over personal data security grow in line.
According to a BBC News article, the number of fraud victims in the UK rose by 31% in Q1 2015 compared to the same period in 2014. As technologies continue to develop, banks also need to consider how to protect their customers from increased exposure. The key consideration for banks is how to strike the balance between innovation and security:
- Fraud prevention: copying finger casts or voice recordings to mimic genuine customers
- Implementation costs: costs to implement new technology and subsequent security/encryption measures or update existing applications
- Benefits realization: decreased call handling times, long run cost savings
How to Overcome the Challenges
Regulatory Sandbox for new technologies
Regulatory sandboxes are a supervisory arrangement with greater flexibility in favor of the development of biometric initiatives. A regulatory sandbox is considered a controlled environment where businesses can test innovative products or services in a live environment without immediately being subject to the full spectrum of regulatory constraints. By allowing this arrangement, a larger amount of real-life data and user feedback can be collected, thus facilitating and enhancing the development of biometrics.
Hong Kong, for example, is taking this approach to monitor FinTech. On September 6, 2016, HKMA issued a statement announcing the launch of “a Fintech Supervisory Sandbox (FSS) to facilitate the pilot trials of Fintech and other technology initiatives of authorized institutions (AIs) before they are launched on a fuller scale.” Under the FSS, AIs can conduct a pilot trial of their initiatives involving actual banking services and a limited number of participating customers. This helps to strike a balance between regulatory requirements and the needs of developing technologies.
In addition, the Monetary Authority of Singapore (MAS) has also adopted a similar approach with its release of a consultation paper in June 2016 with proposed guidelines for a “regulatory sandbox” that will enable FIs and non-FIs to experiment with FinTech solutions.
Another consideration for overcoming adoption challenges is to address fraud risk. Data collection controls need to be considered to ensure customers enrolling in and using these biometric tools are in fact the genuine customer.
Hong Kong, for example, has implemented a two-factor authentication (2FA) rule for execution of most internet banking transactions:
1. Something you know (e.g. memorable questions)
2. Something you have (e.g. security token)
Specifically for biometric authentication, ‘Something you are’ has been added as an authentication factor. This factor accounts for biological characteristics, such as voice or fingerprints.
2FA can be fulfilled using any 2 of the 3 factors of authentication. The assumption with 2FA is that it is less likely that multiple authentication factors would be compromised, therefore reducing the rate of successful fraud attacks.
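The "any 2 of the 3 factors" rule is easy to get wrong in practice: two checks from the same category (a password plus a memorable question) are still a single factor. The following sketch is an added example, not taken from the article or from any bank's system; the authenticator names and their mapping to factor categories are illustrative assumptions.

```python
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Assumed, illustrative mapping of authenticator types to factor categories.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "memorable_question": Factor.KNOW,
    "security_token": Factor.HAVE,
    "sms_otp": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "voice": Factor.ARE,
}


def satisfied_factors(results):
    """Return the distinct factor categories proven in one login attempt.

    `results` is an iterable of (authenticator_name, verified) pairs.
    Failed checks and unknown authenticator types count for nothing,
    so the decision fails closed.
    """
    factors = set()
    for name, verified in results:
        factor = AUTHENTICATOR_FACTOR.get(name)
        if verified and factor is not None:
            factors.add(factor)
    return factors


def meets_2fa(results, required=2):
    """True only if checks from at least `required` distinct categories passed."""
    return len(satisfied_factors(results)) >= required


# Constructed sample login attempts.
SAME_CATEGORY = [("password", True), ("memorable_question", True)]
KNOW_PLUS_ARE = [("password", True), ("fingerprint", True)]
HAVE_PLUS_ARE = [("security_token", True), ("voice", True)]
ONE_FAILED = [("fingerprint", True), ("security_token", False)]

if __name__ == "__main__":
    for attempt in (SAME_CATEGORY, KNOW_PLUS_ARE, HAVE_PLUS_ARE, ONE_FAILED):
        print([name for name, _ in attempt], "->", meets_2fa(attempt))
```
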
Not to be forgotten, data risks such as privacy management, data security management and vulnerability management should be in place in order to appropriately mitigate risks generated by biometrics.
- Privacy management: Measures should be taken to ensure the biometric data collected will not be used for any purpose other than the originally intended purpose.
- Data security management: Effective data security measures should be in place. For example, FIs should encrypt the database(s) where biometric data is stored, as well as the channel(s) through which this data is sent; consideration for data access should also be taken into account.
- Vulnerability management: Relevant mitigation plans should be developed to ensure that mechanisms are in place to handle incidents when they occur, in an appropriate and timely manner.
There is little doubt that the collection and use of biometric data will continue to expand within financial services in Asia, and across industries as a whole. As countries and individual institutions begin to dive deeper into the biometrics trend and with the growing support of regulators, it is inevitable that banks will adopt one of these discussed technologies to roll out into the broader consumer market, if they haven’t done so already.
The extent to which biometrics will be incorporated into consumers’ daily lives in the coming years is something worth following to see where new disruptive technologies can both enhance FIs’ position in the market and increase security and convenience for a growing consumer base.