Of biometrics, banks and the need to develop standards and learn more
Biometric systems are on the horizon and looming large – that is, if the reports we’ve been reading for years are anything to go by. With phishing and card skimming on the up, there are an increasing number of calls for more security in the banking industry. But at the same time, people want convenience and sensible costs. One thing is certain: biometric systems do have what it takes to fulfil stringent security requirements, but they always have to slot in as part of an overall solution. To really work out if biometrics should be part of a bank’s security system – and how to incorporate it – the thing you need first and foremost is the right experience. And experience with biometrics is exactly what’s so hard to come by at many financial institutions.
Despite the enthusiasm for all the technical feasibilities and some pretty specific user scenarios, there still aren’t any signs of a proper banking biometrics breakthrough – at least not on a broader scale. Until now, there have been too many hurdles. The real need has been too insignificant compared to the anticipated costs. With recent mobile payment and mobile banking developments, this could be about to change, however. And in recent months the topic has received a boost from another direction.
Biometric authentication – now recommended by the ECB
The European Forum on the Security of Retail Payments (SecuRe Pay) has called for a voluntary alliance between the authorities responsible for supervising payments and the providers of payment services. It has also appealed for recommendations on the security of online payments and mobile transactions. For the first time, biometric factors are being named as one of three valid authentication parameters. In May 2014, the European Central Bank published a list of recommendations which it says should be implemented by 1 February 2015.
The European Association for Biometrics (eab), of which GFT is the only independent consulting company to have been granted membership, has been focusing increasingly on investigating ways to use biometric systems more in banking. It has been looking into this since late 2013, but the focus has not been selective use – as is the case right now – but whether and in what ways biometrics are suitable for more widespread use – i.e., mass market applications.
From ATMs to mobile payments – the many ways to make good use of biometrics
There is strong demand in the banking industry for secure biometric applications – and a myriad of ways to use them. Online, on a smartphone, on an ATM or on a POS terminal – these are just some of the possible application areas. As mobile transaction methods expand, the role played by voice recognition and voice biometrics could also grow.
Biometric processes bring a number of benefits. For a start, the implementation costs are relatively low and it is possible to use existing infrastructures (communication networks) as well as end devices (smartphones with integrated technology). On top of this, with a growing awareness of security needs, users are becoming more open to security technology like biometric systems – on one condition: everything works within data regulations and consumer protection laws.
To test whether biometrics would be accepted on ATMs, in 2009 and 2010 a leading German banking association joined forces with consultants to carry out a pilot study. The biometric identifiers tested on the ATMs were fingerprints and scans of veins in the hand. The results showed that the biometrics – which in this case were used to replace PIN entry – were felt to be an improvement in convenience for the majority of the customer sample.
Still key conditions to fulfil before biometrics enter wide-scale use
And what has the banking industry been doing since the pilot study? Lots, but not enough. Most solutions stay in the test lab. It’s questionable whether they will survive in real practice. Sophisticated technologies will only stand the test of time if they can prove themselves under everyday conditions. Some technologies have made major progress in terms of maturity, but there are still some important conditions to meet before biometrics can enter wide-scale use.
- There are no jointly agreed technical standards. These are needed to enable interoperability. In a similar way to the current system for verifying transactions with PINs, the banks have to agree clear standards. Moving away from PINs or TANs would mean discontinuing the current system, which would initially bring costs and risks for the banks. Without some sort of harmonisation when it comes to interoperability, this won’t happen.
- Registering and processing biometric identifiers is an organisational challenge and sufficient care will need to be taken with data protection and consumer protection – in times of increasingly tight regulation, this entails even more work in terms of organisation.
- Even if an increasing number of users accept the new systems, the solutions must be user-friendly, convenient and secure. There has to be an appropriate cost-benefit ratio.
- Many providers have insufficient certification, making it more difficult for the banks to introduce biometrics, even if they are ready to use.
- The financial institutions and systems providers in Germany still lack experience with the use of biometric systems in more wide-scale consumer applications.
So what are the prospects for customers in terms of biometric solutions? How can people be sure that biometric identifiers stored on computers are being kept safe? What can be done to maintain security in the long term? For wide-scale use of biometrics to work, the banks need answers to these questions.