
Biometrics and the Window of Opportunity

2018 will be all about Digital Identity. 

I am sure everyone is aware that the revised EU Payment Services Directive (known as PSD2) comes into force later on this week. Within the new PSD2 regulations, there is Strong Customer Authentication (SCA) and Common and Secure Communication (CSC), regarding all electronic payments, under Article 98 of the EU Directive 2015/2366.

Although PSD2 comes into effect on 13th January, European Banks and Payment Service Providers (PSPs) have been given an 18-month deadline to adopt new security measures that include SCA. SCA will now be considered actionable 18 months after the relevant Regulatory Technical Standards (RTS) are published in the Official Journal of the EU, so the SCA deadline is scheduled for September 2019.

This means that all European banks and PSPs will have to fully comply with the RTS and SCA guidelines.

PSD2 is designed to make payments safer, increase consumer protection, and foster innovation and competition while ensuring a level playing field for all players, including new ones. PSD2 introduces account access for new types of service providers, i.e. payment initiation and account information, more commonly known as Open Banking using APIs. Under Open Banking, customers will supposedly have greater flexibility to switch accounts or open new ones, and banks will be permitted to share customer data as a result, with permission from the customer of course.

SCA will apply to most payment transfers in existing channels such as online and mobile banking. This will have an impact across many verticals from retail, ecommerce, corporate to cards. As you know, in the past three years there has been a huge increase in mobile banking, and in recent surveys issued by both Visa and MasterCard, there has been a huge surge in popularity for biometric authentication. More customers would trust using a biometric than having to remember a password. In part, the number of data breaches has been responsible for this trend as well as the explosion of smart devices.

With this in mind, this now presents a window of opportunity for the biometrics industry because the RTS has defined minimum requirements such as two-factor authentication to secure electronic transactions in order to prevent data theft, impersonation and fraud.

You are now probably familiar with the criteria. SCA is going to be an essential part of the payment process, as two independent factors are required from these categories:

Knowledge (e.g. a PIN, password or secret)

Possession (e.g. a phone, tablet, PC, card or token)

Inherence (a biometric, e.g. your face, voice or finger)

The important area is that they must be totally independent of each other as a breach of one must not compromise the reliability of the others.

The key area for the biometrics industry and many technology suppliers will of course be “inherence”, as proving who you are is naturally going to be one of the main methods for the 2FA payment process, and there are now many different ways of proving exactly who you are.

There are two different types of biometrics: physical and behavioural. Physical biometrics refers to things such as facial recognition, iris, palm, vein, fingerprint and even DNA. Behavioural refers to your behaviour traits such as keystrokes and the way you type, the way you hold your phone, the way you walk (known as your gait), even your signature and handwriting. Voice recognition is also considered to be a behavioural biometric.

Behavioural biometrics is increasingly becoming one of the main kinds of biometric identification method because it actually requires the user to not do very much other than what they are already doing. It’s a kind of non-biometric as it is very hard to spoof how someone behaves. It is possible to detect whether a person is left or right handed, using one touch or multi-touch typing, how often we use our mobile devices, which apps we use regularly, even the way we use a mouse or touchpad with a PC. Combining all these with Geolocation and IP addresses too, you are creating a human footprint. Yes, we hate those cookies, but there are so many different signals we give off which form regular patterns in our behaviour without us realising it.

However, biometrics is just one of the key elements to prove your identity. With physical biometrics, it is important to recognise the limitations. Biometric technology works on measurements and probabilities. Some areas of biometrics can be easily spoofed, for example with photos or by mimicking your voice. We have all seen how Apple's new FaceID on iPhone X (10) has been spoofed by family members or twins impersonating each other, so it is necessary to ensure that there is an element of what is called “liveness detection”.

Liveness requires an action by an individual in real time during an authentication process. For example, when providing a selfie via your smartphone, you may be required to nod your head, blink, speak a random phrase or read a set of numbers. This is all to combat the potential for fraud and someone trying to impersonate you. Therefore, to ensure a high level of security and also reassure the general public, liveness detection is essential, particularly regarding the process for remote digital on-boarding of new customers. Fraud is still an issue for all PSPs when signing up new users, and having strong KYC methods and background checks is necessary.
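The SCA criteria listed earlier (two factors from different categories, each independent of the other) and the matching and liveness points above can be combined into one server-side decision. The sketch below is an added example, not code from the article or from any regulation or vendor; the `Factor` fields, the `breach_domains` model of independence, the 0.90 threshold and all sample factors are assumptions made up for illustration.

```python
from dataclasses import dataclass

CATEGORIES = {"knowledge", "possession", "inherence"}
MATCH_THRESHOLD = 0.90  # constructed value; real matchers are tuned per deployment

@dataclass(frozen=True)
class Factor:
    name: str
    category: str                   # one of CATEGORIES
    verified: bool                  # did this factor's own check succeed?
    breach_domains: frozenset = frozenset()  # assumed model: what must be breached to defeat it
    match_score: float = 0.0        # inherence only: similarity score in 0..1
    liveness_passed: bool = False   # inherence only: real-time challenge result

def factor_ok(f):
    """A factor counts only if verified; a biometric also needs score and liveness."""
    if f.category not in CATEGORIES or not f.verified:
        return False
    if f.category == "inherence":
        return f.match_score >= MATCH_THRESHOLD and f.liveness_passed
    return True

def sca_decision(factors):
    """Return (accepted, reason) for a set of presented factors."""
    good = [f for f in factors if factor_ok(f)]
    for i, a in enumerate(good):
        for b in good[i + 1:]:
            # Accept the first pair that differs in category and shares no breach domain.
            if a.category != b.category and not (a.breach_domains & b.breach_domains):
                return True, f"{a.name}+{b.name}"
    if len({f.category for f in good}) < 2:
        return False, "fewer than two valid categories"
    return False, "factors not independent"

# Constructed sample factors
PIN = Factor("pin", "knowledge", True, frozenset({"pin_secret"}))
SECURITY_Q = Factor("security_question", "knowledge", True, frozenset({"answer"}))
PHONE = Factor("phone_token", "possession", True, frozenset({"phone"}))
PIN_IN_NOTES = Factor("pin_saved_on_phone", "knowledge", True, frozenset({"phone"}))
FACE_LIVE = Factor("face", "inherence", True, frozenset({"face_template"}), 0.96, True)
FACE_PHOTO = Factor("face", "inherence", True, frozenset({"face_template"}), 0.97, False)
```

A high match score alone does not admit `FACE_PHOTO`: without the liveness result it is dropped before the pairing step, so a PIN plus a replayed photo is rejected.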

So the compliance deadline for the SCA has now been set. In terms of the digital transformation that the majority of UK and European banks are currently undergoing, this is a very short window for all banks to fully implement solutions that meet the above criteria for multi-factor authentication. Severe fines for non-compliance could be significant to the bank’s overall turnover. In other words, banks are being compelled to improve their security measures for customer accounts and payments and this is going to have a substantial impact on banks as well as their end users.

However, generally speaking, this revolution is already taking place. Some banks have traditionally offered a poor user experience to their existing customers, in particular overcomplicating their security measures for accounts by introducing stronger, more complex passwords. This has led to further customer dissatisfaction and endless problems of resetting passwords when we can't remember them.

Banks are now finally considering new innovative ways to improve the user experience and the customer journey by introducing new remote digital on-boarding and biometrics authentication methods, chiefly as an alternative to the issues surrounding weaker passwords. So it is with this emphasis that the EU will now regulate payments more strongly and biometrics is going to play a vital role in the area of proving your identity. There are added benefits too of being more convenient than PINs or passwords.

The banking landscape is changing. Many new start-up and fintech companies are offering a variety of different solutions for banks to consider. Some traditional banks are being left behind by their legacy systems and a new wave of digital challenger banks are offering better and more efficient services.

In the past year, we have started to see these legacy banks beginning to acknowledge the threat and recognise that they need to catch up in the digital world. It has undoubtedly been a slow process because the deployment cycles for adopting new technologies have more than doubled in the past two years with so much technological change expected and in part, they had been waiting for a clearer understanding of the new regulations before moving forward. There have been a number of rare exceptions, where some smaller-medium size banks have embraced these new technologies and are at the forefront of this pioneering digital transformation. This has made everyone else pay attention and now many banks will have to adapt.

The importance of these new challenger banks cannot be underestimated. These are digital only, with a leaner cost base and offering new trendier services, particularly with their mobile app functionality. New digital banks such as Atom Bank, Monzo and Starling Bank are going to be noteworthy players. Larger banks should not misjudge their appeal to a new up and coming generation, as well as other financial offerings including P2P platforms and mobile wallets such as ApplePay for example. While many of them are still in their early stages with modest adoption rates, they have shaken the tree. Over the next three years or so, we are going to see these new digital banks becoming quite well established, and while they might be small now, if they survive a buy-out, they could be a force to be reckoned with. 2018 will see many more challengers entering the market.

2018 should be another successful year for biometric innovation and digital identity. We will see more and more devices supporting biometric systems. There are already nearly two billion devices with biometric security enabled in the market today, and by the end of 2018, this is expected to reach 3.5bn units shipped*. 

By 2020, biometric security will be standard on all mobile devices, with sales of around 2.4bn devices each year, and electronic payments using biometrics as a form of authentication will reach over 1.37 trillion US Dollars*.

Therefore, now Strong Customer Authentication has been mandated in the EU, using our face, voice or fingerprint as part of our digital identity footprint will become very much part of our everyday lives for electronic payments.

Many of us are already using biometrics to unlock our smartphones or for authentication in mobile banking, so it will be fairly commonplace by September 2019.

I am seeking a new opportunity within the biometrics/fintech industry and I am going to be available from 1st March for any potential openings. I have over five years' experience in the biometrics industry, a strong background in financial services and a high level of key banking contacts. Please review my LinkedIn profile for further information. If anyone is interested to speak with me, please can you send me a PM. Thanks.
