By Nick Caley, Vice President Financial Services and Regulatory, ForgeRock
Biometrics, which in security terms means measuring unique physical characteristics for authenticating an individual, are not a new concept. However, the latest technological developments in this field do pose fresh challenges for retail banks.
The potential benefits of biometric authentication, in terms of enhanced customer experiences and improved security, are huge, but while consumers are readily adopting certain early forms of biometrics, the gap in consumer trust around data sharing could prove to be a major barrier to adoption in the future.
Fingerprints have given consumers and banks their first taste of biometrics
Fingerprints have long been considered a reliable and stable form of identification. In fact, Sir Francis Galton proclaimed the benefits of fingerprints as an incomparable validator of identity as early as the 1800s. In recent years, fingerprints have become a mainstream daily authentication option, thanks to Apple’s iPhone and other advances in consumer products. This shift has also been driven by increased regulatory requirements such as those mandated by PSD2, and a sharp rise in fraud, forcing banks to implement stronger authentication.
Research shows that biometrics have quickly become consumers’ preferred authentication method: one survey found that 85% of banking customers preferred biometrics over passwords. And this is not a trend that is confined to Millennials or typical ‘early adopters’, with 68% of those aged over 71 preferring biometrics.
Biometrics are also becoming a competitive differentiator: research conducted by Visa, released at the start of this year, also found that 53% of respondents would switch banks if their current provider didn’t support biometric authentication. The potential for biometrics to improve customers’ experiences, reduce the need to remember multiple passwords (cited as the biggest benefit by 42% of Visa’s respondents) and strengthen the safety of their information is obviously being felt and appreciated.
The regulatory pressures from PSD2 and Open Banking, which demand that banks apply Strong Customer Authentication (SCA) to their transaction processes, also point to the value of biometrics. Fingerprints and other biometric methods already provide a strong multi-factor authentication (MFA) solution, a crucial form of SCA. Likewise, PSD2’s drive to open up the financial services market means banks are now increasingly challenged by nimble, digital-first fintechs.
There are also significant internal benefits for banks. Improvements in digital banking authentication have enhanced risk management and led to greater accuracy, making fraud less likely – effectively addressing SCA concerns. Meanwhile, voice biometrics have led to tangible improvements in customer service offerings, realigning them with consumers’ expectations, and reducing costs by taking up less of call centre staff’s time.
Continuous authentication: trailblazing through a privacy minefield?
Despite this promise, the biometrics revolution is still fledgling, and there is much more to come as the ecosystem around these technologies matures. As well as “multi modal” biometrics, which incorporate multiple biometrics in a single scan and thereby result in an even higher level of security, the dynamic and complex technologies of continuous authentication are coming to the fore.
Continuous authentication involves continually capturing and evaluating behavioural characteristics, contextual clues like GPS and interactions with a device to build a profile to authenticate a user. It has the potential to unlock immense value for banks and their customers, amplifying the benefits outlined above, while extracting more value from legacy systems, reducing friction and improving security. Next-generation technologies such as behavioural biometrics could make the potential of continuous authentication a reality and allow financial institutions to embrace a more dynamic form of authentication and risk profiling.
It could also provide a wealth of data that could benefit both banks and their customers: banks will be able to build more comprehensive customer profiles, leading to a wealth of opportunities and information to personalise their offer as well as streamline and automate KYC and AML processes (“Know Your Customer” and “Anti-Money Laundering”, two current business-critical authentication procedures for banks). For example, it should be easier to capture an individual customer’s intention at critical moments in their daily activities. This opportunity is significantly increased with the roll-out of 5G, as well as the rise of connected devices in our daily lives. Such real-time data-driven insights into the customer’s life provide marketing teams with an ability to offer the most relevant incentives in a true value exchange.
With behavioural biometrics working in the background to protect consumers without introducing unnecessary friction, continuous authentication can deliver greater personalisation, choice, security and convenience. Crucially though, behavioural biometrics will not – and should not – replace valid security prompts designed to authenticate and authorise transactions that require the full confidence of the customer. Therefore, new solutions must augment legacy methods, injecting the right amount of friction where necessary, while still improving user security and experience.
But as we push towards a world of continuous authentication, it comes back to the ever-present question of trust: can banks convince consumers to embrace the value of these new solutions? To reap the rewards of the next revolution in biometrics, banks must lay the foundations of consumer trust now.
Transparency is the foundation of consumer trust
Despite the benefits these technologies can bring, confusion around data collection could stall innovation and limit consumer acceptance. Consumers are rightfully taking a greater interest in their data and, without education, banks’ promises over privacy and personal data may sound inconsistent with their drive to collect the levels of data necessary to enable greater personalisation and continuous authentication.
The lessons we’ve learned from GDPR and PSD2 in terms of how control, convenience and compliance relate to trust provide an instructive starting point when addressing these concerns. Banks need to make consumer consent a central part of their data sharing and management strategy from the get-go.
Transparency is vital to building and retaining consumer trust – as we’ve seen with recent privacy scandals. By putting customers in control now, providing centralised visibility and clearly educating them as to how and what information will be collected by continuous authentication, banks will be able to lay the foundations for consumer trust that will allow them to reap the benefits of the coming biometrics revolution.