Do Banks Need Biometric Security Standards?

Overly prescriptive standards for biometrics could create friction in transactions and potentially stifle innovation, experts warn.

From fingerprint and voice authentication to facial- and iris-recognition software, the financial industry has led the way in developing biometric verification tools. It has also had to stay a step ahead of attackers and fraudsters who compromise account passwords, steal sensitive information and, at worst, take over customers’ identities.

Due to regulatory compliance pressures, including anti-money-laundering requirements, many banks are making biometrics an integral part of their Know Your Customer (KYC) verification process. London-based Goode Intelligence, a cybersecurity research and consulting firm, predicts that by the end of 2020, 1.9 billion bank customers will use biometrics.

“[Using] a biometric, such as facial recognition or fingerprint data, provides much greater assurance that the bank is dealing with the correct individual,” says Carol Alexander, head of product marketing for CA Technologies’ Digital Payments Security business. “Providing biometric information also helps customers feel more confident that they are entering into a secure transaction.”

According to a new Mastercard study, one in four online transactions will demand a higher level of authentication by next year, and biometrics are poised to play a role in many multifactor authentication processes.

But as the prevalence of biometrics in the highly regulated financial services industry grows, an inevitable question arises: Should all financial institutions adopt formal security standards for biometrics in order to standardize customer data protection?

Innovation or Standardization?

Currently, guidance on biometrics is largely informal, and there are no binding rules written specifically for biometric authentication in banking. In the United States, for example, the Federal Trade Commission has recommended best practices for companies using facial recognition technology. The International Organization for Standardization (ISO) describes a security framework for banks to follow when authenticating customers. And the European Union’s (EU) General Data Protection Regulation (GDPR) classifies biometric data used to uniquely identify a person as a “special category” of personal data, which may only be processed under specific exceptions and must be protected accordingly.

Additionally, the Biometrics Institute has several initiatives underway to help meet privacy challenges in the emerging biometrics environment, noting that “privacy protection is a critical component in the responsible use and development of biometrics technologies.”

Alan Goode, CEO and chief analyst for Goode Intelligence, says that privacy and consent are indeed “big issues” around biometrics because many consumers want to know exactly how institutions and businesses are collecting, storing, and potentially sharing their data. And if banks get it wrong, the legal, financial and reputational fallout could be significant.

“How banks can protect this very personal information we provide—our face, our voice, our fingerprints—is where you see a lot of debate about regulations,” Goode says. But any standards or other measures that are intended to regulate the use of biometrics in the financial industry should not be “overly prescriptive,” he cautions.

“Standards shouldn’t be too detailed or technology-specific because they will restrict innovation and limit banks’ choices in terms of what they can deploy,” he explains. “They could also alienate users.” In short, banks should have the flexibility to offer solutions that make the most sense for their business and their customers.

Alexander agrees that overly prescriptive regulations for biometrics in a rapidly changing technology environment would likely create challenges for banks—and their customers.

“If a standard would require use of a particular version of a mobile operating system, for example, that could prevent banks from using certain biometric solutions to authenticate the identities of many of their customers,” she says.

Coming Soon: More Biometrics Guidance

Although standardization may not be imminent, Goode Intelligence projects that banks will soon start to see regulations specifically referencing biometrics as part of the financial industry’s guidance on two- and multi-factor authentication. The EU’s second Payment Services Directive (PSD2) is one example: its strong customer authentication requirements, which apply from September 2019, call for two independent factors drawn from something the customer knows, something the customer possesses and something the customer is, with biometrics filling that third category.

A strong business case can be made for banks and other financial services providers to continue widening their embrace of biometrics. According to a recent Forrester study, banks using biometrics for customer identification may see a return on their investment of as much as 191 percent.

“Biometric solutions meet two essential needs for today’s digital consumers in that they provide both security and convenience,” says Alexander. CA Technologies and Frost & Sullivan’s Global State of Digital Trust Survey and Index 2018 found that 86 percent of consumers prize security over convenience when choosing online services, but that doesn’t mean they can’t expect both from their financial services providers.

Despite the appeal of biometrics for both banks and their customers, financial services providers must be transparent about how they are collecting and using customer data, Goode warns: “Financial institutions should have clear policies and follow the best practices that are already out there.” Guidelines from agencies such as the FTC, standards bodies such as ISO, and data protection laws such as GDPR give banks a practical baseline now, and put them in a stronger position should regulators move toward greater standardization and oversight of biometrics in the future.

About the author

Jane Irene Kelly, who has two decades of professional writing, editing and reporting experience, writes about business and technology. She is a graduate of Syracuse University’s S.I. Newhouse School of Public Communications and resides in Pennsylvania.