By Emma Erskine–Fox, associate at UK law firm TLT LLP
When discussing biometrics with others, I find that two television programmes are inevitably mentioned: BBC drama “The Capture” and Charlie Brooker’s dystopian “Black Mirror”. But biometrics are no longer the realm of futuristic, TV production imaginings. They are increasingly forming part of our everyday life, from unlocking our phones with our fingerprints or faces, to iris recognition in airport security, to voice recognition when we talk to Alexa and Siri.
For the financial services sector, biometrics form a key part of upcoming regulatory requirements. The introduction of strong customer authentication (SCA) requirements in the Second Payment Services Directive (PSD2) puts biometrics front and centre in authenticating customer identity. When the SCA requirements come into force, payment service providers will need to authenticate customer identity using two or more of the following elements: knowledge (something only the user knows, such as a password or PIN); possession (something only the user possesses, such as a card reader); and inherence (something only the user is, i.e. a piece of biometric data).
The advantages of biometrics, both for businesses and users, are clear (and we’ll touch on some of these below). However, no conversation about biometrics would be complete without digging into the challenges posed by the General Data Protection Regulation 2016 (GDPR). Biometric data is a “special category” of personal data under the GDPR, meaning it is afforded higher levels of protection. Financial services organisations need to be keenly aware of the GDPR implications of processing biometric data to avoid weighty fines and reputational damage.
What exactly are “biometrics”?
The mention of “biometrics” immediately brings to mind dusting for fingerprints and scanning faces in crowds. Facial and fingerprint recognition are certainly prime examples of biometric technology at work, but the concept of “biometrics” extends much further than this.
The GDPR definition of “biometric data” refers to both “physical and physiological characteristics” (encompassing the traditional examples of fingerprints and facial images, as well as (for example), iris and retina scanning, palm veins, voice recognition and DNA) and “behavioural characteristics”. The GDPR does not define this concept further, but the European Banking Authority’s (EBA’s) opinion on SCA, released in June 2019, gives an indication of how broadly this may be construed. When examining what would constitute “inherence”, the EBA refers to “behavioural biometrics” as including behavioural processes created by the body. In a non-exhaustive list of characteristics that may fall within the concept of “inherence”, the EBA identifies (among others) heart rate, keystroke dynamics (the way a user types) and even the angle at which a user holds their device.
Biometrics use cases in financial services
SCA is the obvious example of where biometrics is already coming into play in banking and financial services. But the potential of biometrics in this arena is vast. In a world where security is key, the value of using a part of yourself as your password should not be underestimated. After all, you can’t forget or lose your fingerprint. NatWest became the first bank, in October 2019, to issue a biometric credit card, using fingerprint recognition to authenticate identity and allow payments to be made. China has taken this a step further with “Smile-to-Pay”, which allows users to pay for goods simply by (you guessed it) smiling at a point-of-sale machine.
Biometrics also lend themselves easily to fraud detection and prevention. Take keystroke patterns; if my bank can detect that I always pause for a microsecond before the asterisk in my online banking password to find the right key, any failure to do so can trigger further authentication methods to make sure that it’s not a more adept, yet fraudulent, typist trying to access my account.
There’s a space for biometrics in customer service, too. Customers are increasingly expecting a smoother and more technology-enabled service from the organisations they engage with. It’s not infeasible to imagine voice recognition being used on customer service lines both to identify the customer without having to ask for authentication information, and potentially to inform how that customer is dealt with based on the customer’s tone and perceived mood.
Privacy challenges of biometrics
Despite the clear advantages of biometrics, organisations need to exercise caution when deploying biometric technology into their businesses. As mentioned above, biometric data is a “special category” of personal data within the GDPR definition, which means that it must be handled even more carefully than “standard” personal data. Just some of the privacy implications of using biometric technologies are as follows:
- Transparency: Any processing of personal data requires organisations to inform individuals how their personal data is being processed, in a “clear” and “easily accessible” form. Biometric technologies often don’t have a typical user interface that would generally be used to enable access to a privacy notice; for example, voice recognition on a customer service line. Businesses will need to think about how they give customers access to appropriate privacy information within those constraints and how they can make sure that users understand the information provided to them. Particularly when biometrics are combined with other privacy-intrusive technologies, such as AI, the standard for demonstrating that comprehensive information has been provided is likely to be high.
- Lawful basis: Businesses need to identify an appropriate lawful basis for the processing of biometric data. As biometric data is special category personal data, a processing condition will also be required. For some use cases, this will be straightforward; where there is a legal obligation to process this type of data, such as in the SCA example, organisations will have a clear basis for that processing. In other cases, this may be trickier to demonstrate. Generally, the business will need to be able to demonstrate that the processing of biometric data is “necessary” for a particular purpose, and it could be debated whether using biometric data will ever be “necessary”, where there are usually other ways to achieve the same ends. Consent to use biometric data may well be required and, where this is the case, businesses need to be careful to provide users with appropriate choice and not to make the provision of a service conditional on consenting to the use of biometric data.
- Accuracy and bias: The risks of bias in facial recognition technology are well-documented, but all processing of biometric data is subject to obligations to ensure that the data, including decisions generated using that data, are accurate. Businesses will need to think about what processes can be put in place to allow the accuracy of data to be challenged (for example, if an individual is incorrectly identified as a fraudster through keystroke patterns) and should continually test and audit biometric technologies to ensure inaccurate decisions are not consistently being made.
- Automated decision-making: Wholly automated decisions that have a legal or significant effect on an individual cannot be based on biometric data except in very limited circumstances or with the individual’s consent. Businesses should build mechanisms into their biometric technologies to ensure that there is a human review of a decision; for example, using the technology to flag suspicious activity which is then reviewed manually to determine if action needs to be taken, rather than freezing accounts immediately.
- Security: One of the key advantages of biometrics is simultaneously one of the key challenges. Whilst you cannot forget your biometric data, you also cannot change it, unlike a password or a payment card. Once jeopardised, there is a limited amount that a user can do to regain protection and control over that data. Security measures therefore need to be of the highest standards and businesses need to ensure that third party technology providers involved in the processing of biometric data implement and monitor equivalent security measures.
Addressing the challenges
A ‘privacy by design’ approach is key when designing and implementing biometric technology solutions. Data protection impact assessments (DPIAs) are mandatory for “high-risk” processing, particularly using new technologies. A DPIA will be indispensable not just to demonstrate compliance but to help businesses flush out where the key risks lie and determine and implement solutions to mitigate those risks.
Whatever the scenario, the processing of biometric data will always need to be proportionate, fair and justified. Businesses should think about the purposes they are intending to achieve: can those purposes be achieved using less intrusive means? If the answer is “yes”, it will be a challenge to demonstrate that using biometric data to achieve those purposes is proportionate. Ethical considerations should also be taken into account throughout the design and implementation process to ensure compliance with the overarching GDPR requirement that processing be “fair”.
The processing of biometric data will not always be at odds with the privacy legal framework, but a failure to consider the GDPR implications can land businesses in hot water. Thinking through the privacy risks from the outset can help organisations to design effective biometric solutions that respect individuals’ privacy and comply with the legislative requirements in place.
NextGen Communications – the future of customer experience
By Andrew Beatty, Head of Global Next Generation Banking at FIS
As software development increasingly resembles push updates in services, how can financial institutions best take advantage of their investments? The answer is leveraging today’s technologies to empower institutions to elevate their customer experience with personalised and integrated communications.
Long a staple of the British market, digital banks are expanding worldwide. The pandemic played to the strengths of these organisations. With branches closed or restricted, the accessibility and flexibility of these banks were major assets.
To better understand just why digital banks succeed, we need to look at their operating models. Using Software as a Service (SaaS) and Platform as a Service (PaaS) operating models rather than more traditional and slower alternatives allows them to supercharge development.
These new technologies can elevate customer experience (CX), with a specific focus on customer communications – an area often neglected in favour of purely aesthetic upgrades to flashy-looking front-end systems.
Every minute of every day, institutions globally generate 18 million texts, 188 million emails, 511,000 tweets, 232 VoIP calls and use 4.4 million GB of internet data. This colossal amount makes it difficult to provide a consistent experience that meets ever-higher customer expectations across all communication interactions and devices. Banks need to be accessible and provide a seamless experience through any and all of the channels their customers prefer, be that Native App Push, email, SMS, print, social media, Call Centre or bots.
FIs typically lack an integrated experience. What’s needed is enabled by a consistent data schema and workflow foundation that elevates the communications experience. Customers may not know to specifically request these, but they will notice their absence. Fundamental to these capabilities are application programming interfaces (APIs) that enable banks to pick and choose best-of-breed technologies, allowing banks to focus on improving the CX and increasing Operational Efficiency and Governance.
Banks succeed on the backs of loyal customers. What inspires loyalty in customers is a banking relationship that includes both listening and speaking. Research shows that 63% of customers would consider switching banking providers if communications don’t meet their expectations. For customers who said that their banks did not proactively offer them personalised services, the customer satisfaction experience rate fell to 39%.
Research shows that more than 70% of CX leaders struggle to design projects that increase customer loyalty. Contrast this number with 75% of enterprises aiming to beat their competitors by offering the best digital consumer experience, and we can gain a sense of just how crucial communications are; a seamless CX is more important than ever to meet these goals.
These last few months have been a testing ground for banks old and new. Every email, every statement about actions taken during the pandemic is a chance to prove (or disprove) that a bank has a robust, customised communication solution. Integration across all interactions is critical.
Questions to ask
Here are six questions executives who want to improve CX at their banks need to ask when evaluating infrastructure improvements:
- How will capabilities evolve without requiring extensive development to support new data schemas, workflow, communication types and new channels?
- Will the new solution allow accelerated change management (business user-enabled) of all communications to meet internal and external demand, or will we be handcuffed to an internal or external software release for these updates?
- Will our middle/back office and call centre benefit from this solution by having the capability to send ad-hoc communications from a previously approved library?
- Will we have end-to-end tracking of all our as-delivered communications for all stakeholders (call centre, back office, etc.)?
- How is delivery remediation handled? (e.g., failed email delivery to SMS)
- Are all required delivery methods supported in one centralised platform?
Consider these questions before embarking on a major project. This should help ensure the selected solution results in improved Customer Experience, superior Operational Efficiency, and better Governance for your financial institution.
FIs must take advantage of emerging technologies and investment in core technologies by considering service options for all key elements of their CX. A robust data integration and workflow layer along with API integrations allow the different components of technology infrastructure to have seamless real-time integrations with third-party Customer Communication Management technologies. This can accelerate existing digital transformation initiatives and take full advantage of a modern core transformation investment – putting technology to work for FIs and their customers.
5 reasons to rebrand now
By David Langton, president of Langton Creative Group and co-author of Visual Marketing (Wiley Publishers).
- Ineffective Logo. How well do your name and image support your company’s mission? Organizations must change and evolve and sometimes that cool logo from the 80s no longer pulls its weight. Are you defending your logo just because it’s old? We often hear about how an old logo has equity with clients. But just because it is recognizable as your logo, doesn’t mean that this is how you should be known. What impression is the logo making on your behalf? Is it classic, or just old-fashioned? One healthcare client had an old logo with bad typography that was difficult to reproduce. But the CEO loved his logo and told me that the old company logo wasn’t going anywhere, “I expect that to be on my gravestone,” he told us. And that’s exactly where it should be.
- Non-descript. Is your company or service getting lost in the shuffle? If your logo looks just like everyone else’s logo, then it’s not doing its job. You must distinguish who you are in your marketplace. What are the special attributes that make your company, product or service the right solution? Find that spark of novelty that makes you special. The FedEx logo is famous for its hidden “arrow” that implies forward-motion. (They’re the ones who move your packages quickly.) The UPS logo is a golden shield. (They’ll protect your packages.) AT&T has a globe. (They want to be seen as world-wide, more than just an American telephone and telegraph company.) Designer Tom Geismar says, “Symbols don’t make clear what you do; it makes it clear who you are.”
- Leadership Change. Whenever the top management at a company changes there is an opportunity to inject new energy into your messaging and redefine your mission. Capture the vision of their leadership. How does your brand reflect their goals for the new year? When General Re acquired New England Asset Management (NEAM) the new company name became “GR-NEAM.” When a new leadership team took over they decided to reclaim the “NEAM” name since it was easier to say and it gave them an opportunity to promote their new vision for the organization.
- Mergers/Acquisitions. Newly combined companies usually are in a state of chaos. Inside and outside the company people are searching for what the newly combined company will be about. This is the time to reevaluate how your brand presents who you are and what your values and strengths are in the new combined company. A report in Harvard Business Review states, “Because a merger’s success relies in part on preserving positive feelings among customers and employees, it’s smart to pursue a branding strategy that explicitly seeks to transfer equity from both merging companies to the new one.” When United and Continental Airlines merged they kept the Continental logo and aligned it with the United name. Companies that use this “fusion” method actually exceeded their market return by 3%.
- Technology. Is your field changing while you are being left behind? This is an important time for companies to re-evaluate how their brand is presented in the marketplace. An upstart may be perceived as quicker and more technological than an established player. Can you show how important your experience and know-how is for tackling the challenges in your industry? Domino’s Pizza keeps reinventing itself with new tech to stay ahead of newly emerging rivals like UberEats who use apps to deliver food. Fast Company shows how as early as 1973 Domino’s was introducing a 30-minute guaranteed delivery then continued to reinvest in tech that utilizes voice recognition, GPS tracking and artificial intelligence to keep on top of the tech revolution. Successful companies develop tech solutions that keep them ahead of the competition and then make sure their brand communications reflect their inventiveness.
Be the brand you ought to be.
Keep in mind that even if your brand experiences any of these telltale signs, don’t embark on a rebrand without making sure your business can back up the brand promise. The key to effective branding is that you must be what your brand says you are. If you are rebranding to be more technological, then you must become more tech-savvy. Just rebranding yourself without improving your services and really redefining who you are is not going to be effective in the long run.
The key to a successful rebrand is in identifying a core story that expresses the brand’s connection to its audience. Why are you important in the eyes of your target customers? And how do you tell that story? The re-brand launch is just as important as the logo artwork and the naming of the organization.
More than regulation – how PSD2 will be a key driving force for an Open Banking future
By Ralf Ohlhausen, Executive Advisor at PPRO
Whilst initially seen as simply a regulation exercise, the second Payment Service Directive, also known as PSD2, has been a key driving force behind Open Banking, an initiative that presents a hopeful vision for the future of the financial services sector. Thanks to the advancement of technology, the payments industry is currently seeing disruption to legacy banking systems, and a move towards a world of Open Data. With Open Banking, third-party providers (TPPs) can offer customers a wealth of new and automated services beyond their standard bank offerings, such as what products to buy or even advice on who to bank with.
PSD2 has been created to ensure that banks create mechanisms to enable third-party providers (TPPs) to work securely, reliably and rapidly with the bank’s services and data on behalf of and with the consent of their customers. PSD2 requires EU member banks to give authorised (i.e. licensed) TPPs access to customers’ accounts either via Application Programming Interfaces (APIs) or their user interfaces. It also mandates the use of Strong Customer Authentication (SCA), which requires multiple factors of authentication from a customer to initiate electronic payments and grant access to transaction data.
Despite the progress of PSD2, however, there are still challenges to overcome to achieve widespread adoption and to meet Open Banking objectives. So, what are the current roadblocks that European banks and financial services need to overcome to make Open Banking a beneficial reality for all?
Delays to API development
A crucial factor standing in the way of the acceleration towards Open Banking has been the delay to API development. These APIs are the technology that TPPs rely on to migrate their services and customer base to remain PSD2 compliant.
One of the contributing factors was that the Regulatory Technical Standards (RTS), which apply to PSD2, left room for too many different interpretations. This ambiguity caused banks to slip behind and delay the creation of their APIs. This delay hindered European TPPs in migrating their services without losing their customer base, particularly outside the UK, where there has been no regulatory extension and where the API framework is the least advanced.
A lack of awareness
Levels of awareness of the new regulations and changes to how customers access bank accounts and make online payments are very low among consumers and merchants. This leads to confusion and distrust of the authentication process in advance of the SCA roll-out. Moreover, because the majority of customers don’t know about Open Banking yet, they aren’t aware of the benefits. Without customer awareness and demand it may be very hard for TPPs to generate interest and uptake for their products.
Recently some regulators and banks, such as the Central Bank of Ireland, have made decent efforts to raise awareness of the changes with PSD2 campaigns. But it isn’t reaching the general public. When it does, it’s often because of scaremongering or fear, uncertainty and doubts around data security fuelled by incumbents to protect their business. This also isn’t the right way to approach the issue as it will lead to people being more afraid, rather than aware. Instead, it is the role of payment service providers to educate their customers about Open Banking requests or opportunities, to ensure the public are aware of the changes to payment authentication procedures when SCA comes into play and are empowered to move their data.
TPPs have a real vested interest in getting customers on board with Open Banking. They should build on their customer relationships to grow trust and raise levels of education around the changes. When customers sign up for a new service, TPPs need to tell them explicitly what to expect before they have to do it, plus what explicit consent is required to access their account information in exchange for value-added services.
Outweighing the challenges with opportunities
Although the introduction of the PSD2 regulation hasn’t been seamless for the banking and fintech industry, it is set to offer many benefits and advantages for the end-customer, and the financial industry. In fact, the regulation will create an integrated and frictionless European payments system, that will provide the customer with more choice, control and security over their finances than ever before.
One of PSD2’s primary goals is to provide greater protection against fraud for banking customers, who may have previously been open to risk through weak authentication and unregulated data-sharing practices. The new rules insist on enhanced security requirements, including the use of Strong Customer Authentication (SCA) to protect customers while making electronic payments.
Furthermore, TPPs unencumbered by legacy technology have long been able to innovate faster than traditional banks. Now, this regulation will provide regulated and secure access to customer data, allowing them to develop products even more quickly. The new regulation also promotes technology on a European level and encourages fintechs to do what they do best: innovate.
It’s also important to not forget that PSD2 regulation increases market competition allowing customers to choose a wider range of suppliers for their banking and payment services without having to switch their bank for that. The decoupling of banking services from the underlying account infrastructure will make it easier for customers to opt for the banking services that best fit their needs. It also increases the number of financial providers, services and products which customers will be able to choose from.
The future of Open Banking
The financial services landscape is becoming a firmly consumer-centric environment. Across the UK and Europe, we’ll continue to see the rollout of technologies that put control in the hands of consumers. Open Banking will be pivotal in its role, opening up new avenues and opportunities for both banks and payment service providers (PSPs).
Thanks to Open Banking, the ability to share data securely in the retail banking sector has led to a sophisticated ecosystem where the customer is in charge of their payments and choice of banking services. Over the next decade, we should expect to see the same level of transformation in our digital services and data sharing, leading to a complete rebalance of services where customers will be able to actively own their data and use it the way they like.
Europe is currently leading the Open Banking race, so the successful implementation of PSD2 and SCA is extremely important to maintain the lead and build a future with Open Finance and Open Data as well.