Biometrics: assessing the opportunities and risks as regulations loom

Aliya Alikhanbayova

Biometric technology can strengthen fraud-prevention and anti-money laundering processes, but it carries significant risks. As it becomes more widespread, financial firms and technology vendors must build the security and governance frameworks needed to realize its potential, before regulators force them to.


Biometric ID solutions, increasingly seen as efficient and cost-effective, use distinctive physiological or behavioral traits (fingerprints, iris patterns, voice and facial features) to identify individuals. Biometrics is a growth area, and as the technology becomes more accessible and affordable, financial institutions (FIs) globally are starting to experiment with it, mainly to enhance and streamline their payment, anti-money laundering (AML) and Know Your Customer (KYC) processes. NatWest in the UK has trialed fingerprint authentication for payment cards, for example, while Wells Fargo has introduced an eye-scanning feature for accessing accounts.

When onboarding a customer, binding each person to a unique biometric identifier can deliver greater visibility and accuracy: it lowers the likelihood that one person opens multiple accounts, and it helps track individuals who evade detection by using multiple passports. Biometric technology can also support a faster, more streamlined onboarding experience by reducing the time spent on manual, repetitive verification of paper documents (national identity cards, passports, driving licenses) that are easier to forge. Similarly, replacing traditional passwords and PINs can save money, because the cost of deploying fingerprint verification is lower than the recurring expense of replacing stolen cards or resetting forgotten passwords.

Fundamental risks…

But while the use of biometric technology is increasing, so too are the concerns surrounding it. Its application poses fundamental questions about risk, not least concerning ethics and accuracy, and increasingly around privacy and security. The risk of hacking or inadvertent breaches, both of stored data and of the hardware used to capture biometrics, can be high for some varieties of the technology. Masks and simple photographs (so-called presentation attacks) can be enough to fool some facial recognition terminals into allowing payments or access. And where biometric vendors rely on consumer devices to authenticate identities, the security of those devices is just as integral to data privacy as the security of stored data.

The recent security flaw identified in the facial-scanning system of Google's Pixel 4 smartphone, for example, which unlocks the device even when the owner's eyes are shut, highlights the importance for vendors of carefully evaluating device security. Elsewhere, the leak of more than a million fingerprints from the biometric security tool BioStar 2, along with facial recognition data and other sensitive information, demonstrates the risks and potential damage that could arise if biometric databases are compromised. While the average customer can recover from a stolen password or PIN, stolen biometric data is far more serious: the data encoded in someone's biology is near-impossible to change, so once it has been stolen it is open to permanent abuse.

Regulating the issue

In light of growing security concerns, regulations have emerged and evolved to govern the collection, storage and use of biometric data. Table 1 summarizes some of the main initiatives.

Table 1: Key regulatory initiatives around biometrics

Source: Chartis Research

Addressing the impacts

Like all emerging technologies, biometrics is far from perfect, and as it becomes more prevalent, the incentive to steal stored biometric data or tamper with devices used for authentication will only increase. Globally, regulations for emerging technologies will take time to evolve and will eventually catch up with those for more established solutions.

Tightening data regulations will require FIs to invest time and money in compliance solutions. But they will have a more limited impact on institutions that already have sophisticated compliance departments. By contrast, vendors, especially smaller ones, may lack the same capabilities for collecting, managing and storing KYC data. If those vendors that are already using biometric data – or are considering expanding their services to include it – lack effective processes and systems, they and their clients could suffer large fines and reputational damage.

Firms can take several steps to mitigate these risks, however. Part of the solution is collecting, storing and transmitting data accurately when customers are enrolled, encrypting biometric records at rest and in transit, and hardening the databases that hold them. Where the vendor's model relies on a consumer device, keeping the biometric match on the device, so that only a yes/no result or a device-bound credential leaves it, limits what a breach of a central database can expose. Vendors' privacy policies should be updated regularly, the record of what data is collected and how it is used should be reviewed periodically, and users must be told. Transparency around the process of collecting, storing and disposing of biometric data is integral to vendors' success and to the ongoing trust and security of the public. Strict cybersecurity procedures for fingerprint- and face-based credentials are also an advantage, in particular storing a protected template rather than the raw sample, so that the stored data cannot easily be 'reversed' to reconstruct the user's biometric. One caveat: a conventional cryptographic hash does not work here, because two scans of the same finger or face never produce identical data, so the hash would never match. Template protection schemes such as fuzzy commitment or cancelable biometrics instead bind the sample to a random secret and tolerate small differences between scans. Done this way, the protected template still allows easy user verification at the point of transaction, and an enrolment can be revoked and reissued if the stored data is compromised.
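The caveat on hashing is easiest to see in code. The following is an added example, not code from this article or from any vendor it mentions: a toy fuzzy commitment (the Juels and Wattenberg scheme) over a constructed 320-bit template, using a 5x repetition code as a stand-in for the BCH codes real systems use. The parameters, the fixed-seed template and the noise positions are all constructed for illustration; the function names are this example's own.

```python
"""Fuzzy commitment for a noisy biometric template (added example, not from
the article). A plain hash of a template fails because two scans of the same
finger differ in a few bits. Fuzzy commitment stores helper data = codeword
XOR template, plus a hash of the random key the codeword encodes. To verify,
XOR a fresh sample with the helper data, decode the error-correcting code to
recover the key, and compare its hash. The stored record contains neither the
template nor the key in the clear, and revocation is just a fresh enrol().
"""
import hashlib
import random
import secrets

# Toy parameters (constructed). Real templates are longer and use BCH/RS codes.
TEMPLATE_BITS = 320
REPEAT = 5                            # repetition code: each key bit written 5 times
KEY_BITS = TEMPLATE_BITS // REPEAT    # 64-bit key; majority vote fixes <=2 flips per block


def encode(key_bits):
    """Repetition-code encoder: expand every key bit into REPEAT copies."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword_bits):
    """Majority-vote decoder: tolerates up to (REPEAT-1)//2 flips per block."""
    key = []
    for i in range(0, len(codeword_bits), REPEAT):
        block = codeword_bits[i:i + REPEAT]
        key.append(1 if sum(block) * 2 > REPEAT else 0)
    return key


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def naive_hash(template):
    """'Hashed storage' taken literally: breaks on a single flipped bit."""
    return hashlib.sha256(bits_to_bytes(template)).hexdigest()


def enrol(template):
    """Build the stored record: helper data plus the commitment to a random key.

    Re-running enrol() for the same person picks a new key, so the old record
    stops verifying and cannot be linked to the new one: that is revocation.
    """
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = xor(encode(key), template)          # template masked by a codeword
    commitment = hashlib.sha256(bits_to_bytes(key)).hexdigest()
    return {"helper": helper, "commitment": commitment}


def verify(record, sample):
    """Recover the key from a fresh, noisy sample and check the commitment."""
    noisy_codeword = xor(record["helper"], sample)   # codeword XOR (template XOR sample)
    key = decode(noisy_codeword)
    return hashlib.sha256(bits_to_bytes(key)).hexdigest() == record["commitment"]


def flip(template, positions):
    """Simulate sensor noise (or a different person) by flipping bit positions."""
    out = list(template)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Constructed scenario with a fixed-seed enrolment template."""
    rng = random.Random(2019)
    template = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    record = enrol(template)
    genuine = flip(template, [3, 47, 200])          # one flip in each of three blocks
    too_noisy = flip(template, [10, 11, 12])        # three flips in one 5-bit block
    impostor = flip(template, [p for p in range(TEMPLATE_BITS) if p % 5 in (1, 2, 3)])
    return {
        "naive_hash_matches_genuine": naive_hash(template) == naive_hash(genuine),
        "genuine_verifies": verify(record, genuine),
        "too_noisy_rejected": not verify(record, too_noisy),
        "impostor_rejected": not verify(record, impostor),
        "reenrol_gives_new_record": enrol(template)["commitment"] != record["commitment"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `too_noisy` case is the false-reject trade-off: the code's correction capacity sets how much scan-to-scan variation a genuine user may have before being rejected, and raising it also makes impostors with similar templates harder to reject. The helper data is not perfectly hiding either; it leaks information about low-entropy templates, which is why published template-protection schemes are analysed for both reversibility and linkability before deployment, and why keeping the match on the user's device remains attractive.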

Ultimately, when partnering with biometrics vendors and/or buying their offerings, FIs must carefully consider the compliance, reputational and cybersecurity risks involved. Vendors, meanwhile, will have to decide whether the risks of a potential security breach are worth the rewards they could gain from providing improved and faster KYC and AML data services.

Further reading:

Beyond Detection: Driving Automation and Artificial Intelligence into Financial Crime Risk Management

(January 2019, Chartis and NICE Actimize)

Benchmarking and Trends in Financial Crime Compliance Screening

(September 2019, Chartis and Accuity)

Financial Crime Risk Management Systems: Enterprise Fraud: Market Update and Vendor Landscape, 2019

(October 2019, Chartis)

Financial Crime Risk Management Systems: Know Your Customer: Market Update and Vendor Landscape, 2019

(October 2019, Chartis)