David Poole, Business Development Director, MYPINPAD
Identity and verification are interlinked concepts which have a critical role in the continued digital evolution of retail banking.
From showing photographic ID to completing a transaction in person, to demonstrating proof of address when applying for a financial product, customer ID&V is something long-familiar in retail banking.
But these methods of identification and verification still rely on the presentation of a physical document, a practice which defies the nature of digital banking, and conflicts with its main benefits like convenience, speed and remote access.
Consumers are abandoning the branch in favour of mobile apps and online banking. Banks are now in a situation where traditional ID&V methods are being quickly redefined for the digital banking era, especially with the forthcoming PSD2 evolution.
The growth and impact of digital banking on ID&V
In 2007, 30% of UK consumers used online banking. In 2016 that figure had doubled to 60%. At the same time, there has been an unprecedented increase in the closure of high street branches with over 1,000 closing between April 2015 and April 2016.
Online is now the dominant platform for retail banking in the UK. Consumers enjoy its ease of use, with banking literally at their fingertips through mobile apps, and banks have embraced the cost-benefits of a smaller physical presence to achieve larger online presence.
Yet, this has had a significant impact on ID&V, raising questions and demanding solutions, some of which have been answered but others which remain a challenge.
The fundamental question is that without direct interaction with bank staff in branch, how can customers accurately and securely demonstrate that they are who they say they are?
How banks are responding to this challenge
Banks are responding to this challenge by exploring a number of next-generation ID&V models which have the potential to make retail banking ID&V fit for the digital age. Some of them are:
Biometrics
Biometrics use one or more human characteristics to verify someone’s identity. It is a method that is increasingly entering into the world of ID&V for everyday life; anyone who owns an iPhone, for example, will be used to using a fingerprint to unlock it.
A variety of methods of biometric based authentication are currently being developed and tested although each has its own drawbacks as well as benefits.
- Voice recognition – Voice recognition can verify someone in around 15 seconds. Yet, questions remain about the accuracy of this method. What if someone is in a crowded room or restaurant? Could the technology cancel out the background noise?
- Facial recognition – Also known as “selfie” authentication. For this to work, the lighting of the photograph will need to be of sufficient quality which isn’t always guaranteed.
- Fingerprint recognition – It’s widely used, it’s trusted, it’s easy, but it is not perfect. Fingerprints can be copied by fraudsters using easily obtained chemicals. If a fraudster has your phone and wants access to it, they can have it.
One of the principal barriers to biometric adoption is trust. However, in recent years there has been positive news around consumers’ trust in biometrics. A recent survey showed that far more UK consumers (60%) would trust a bank with their biometric data than would trust the government (33%).
The use of biometrics is a growing security trend with more and more adopters every day. But alone, they are not enough for a completely secure ID&V process. Even looking back to the experiences of travellers at US Immigration, they still have to produce their passport along with their fingerprints.
Machine learning
Machine learning is a branch of artificial intelligence study that concentrates on induction algorithms and on other algorithms that can be said to “learn”. It is a discipline with a wide variety of applications in the digital world, and it has considerable possibilities in the world of authentication.
Taking the use of mobile as an example, each of us has our own individual quirks in how we use a mobile device. We will hold it in a certain way, we will enter keystrokes in a particular way, and we will have certain and unique ways in which we interact with specific apps. All of these can be “learned” by a mobile device, which can then tell whether the person using the device is the same person who should be using it.
Machine learning is a highly invested and developing field but, like biometrics, on its own it is not enough to deliver strong, multi-factor authentication. A password or PIN code still has to be entered for the device to know if it has been entered in the way it has come to recognise.
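The following is an added illustration of the idea described above, not MYPINPAD code or any product’s algorithm: a device learns the timing “quirks” of how a user types their PIN (how long each key is held and the gaps between keys), then scores later entries against that profile. The PIN value itself is still checked separately, which is exactly the point made above: the behavioural profile only says whether an entry looks like the enrolled user, it cannot replace the PIN. The timing samples, the PIN, the salt and the acceptance threshold are all constructed for the example.

```python
"""Behavioural scoring of PIN entry timings (added example, not vendor code).

Each entry sample is a list of (hold_ms, gap_ms) pairs, one per key pressed:
hold_ms is how long the key was held, gap_ms the interval since the previous
key was released (0 for the first key). All figures below are constructed.
"""
from statistics import mean, pstdev
from hashlib import pbkdf2_hmac
import hmac

SIGMA_FLOOR_MS = 5.0      # avoid dividing by a near-zero spread
ACCEPT_THRESHOLD = 2.0    # mean z-score above this is "does not look like the user"

# Five enrolment entries of the same 4-digit PIN by the genuine user (constructed).
ENROLMENT_SAMPLES = [
    [(110, 0), (95, 230), (120, 210), (100, 260)],
    [(105, 0), (100, 245), (115, 200), (98, 270)],
    [(115, 0), (92, 225), (125, 220), (104, 255)],
    [(108, 0), (97, 240), (118, 205), (101, 265)],
    [(112, 0), (94, 235), (122, 215), (99, 258)],
]
GENUINE_ENTRY = [(109, 0), (96, 238), (119, 208), (102, 262)]
# A uniform, machine-like entry: correct digits, but not the user's rhythm.
IMPOSTOR_ENTRY = [(60, 0), (60, 120), (60, 120), (60, 120)]


def flatten(sample):
    """Turn [(hold, gap), ...] into one feature vector [hold1, gap1, hold2, ...]."""
    return [value for key in sample for value in key]


class TypingProfile:
    """Per-feature mean and spread learned from a user's enrolment entries."""

    def __init__(self, samples):
        columns = list(zip(*(flatten(s) for s in samples)))
        self.mu = [mean(c) for c in columns]
        self.sigma = [max(pstdev(c), SIGMA_FLOOR_MS) for c in columns]

    def score(self, sample):
        """Mean absolute z-score: 0 means 'exactly typical', larger means stranger."""
        xs = flatten(sample)
        if len(xs) != len(self.mu):
            raise ValueError("entry has a different number of keys than the profile")
        return mean(abs(x - m) / s for x, m, s in zip(xs, self.mu, self.sigma))

    def matches(self, sample):
        return self.score(sample) < ACCEPT_THRESHOLD


# Knowledge factor: the PIN is stored only as a salted PBKDF2 digest (constructed values).
ENROLLED_PIN = "4792"
PIN_SALT = b"constructed-example-salt"
PIN_DIGEST = pbkdf2_hmac("sha256", ENROLLED_PIN.encode(), PIN_SALT, 100_000)
PROFILE = TypingProfile(ENROLMENT_SAMPLES)


def verify_entry(pin, timings):
    """Both the PIN and the way it was typed must match for the entry to be accepted."""
    candidate = pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    pin_ok = hmac.compare_digest(candidate, PIN_DIGEST)
    behaviour_score = PROFILE.score(timings)
    return {
        "pin_ok": pin_ok,
        "behaviour_score": round(behaviour_score, 3),
        "accepted": pin_ok and behaviour_score < ACCEPT_THRESHOLD,
    }


if __name__ == "__main__":
    print("genuine:", verify_entry(ENROLLED_PIN, GENUINE_ENTRY))
    print("right PIN, wrong rhythm:", verify_entry(ENROLLED_PIN, IMPOSTOR_ENTRY))
    print("wrong PIN, right rhythm:", verify_entry("0000", GENUINE_ENTRY))
```

The z-score model is deliberately simple; a real deployment would use many more sessions, update the profile over time and treat the score as one risk signal among several rather than a hard gate. What the example shows is the dependency the text describes: the rhythm profile can only be evaluated once a PIN has actually been entered, and a correct PIN typed in an unfamiliar way is still flagged.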
Passwords and PIN
Fundamentally, there is still a critical role to be played by authentication via manually entered information in the form of a password or PIN. Users of iPhones, for example, will be used to entering a four or six-digit passcode to add an extra layer of authentication alongside their thumbprint when restarting their device.
Security works at its best when it is multi-factor, and this is widely supported by the European Banking Authority (EBA) and the PCI Security Standards Council. It means combining what you have (your device, for example), what you are (a biometric characteristic) and what you know (a password or PIN). So the physical entering of a passcode still has a place in ID&V.
2017 will see the banking sector preparing for the new landscape that will be created by PSD2. A critical element of this will be the European Banking Authority’s (EBA) Regulatory Technical Standards (RTS) which mandate “strong customer authentication and common and secure communication.”
On 22nd February, the EBA published the final draft RTS for PSD2. Section One of this states – “Payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. The authentication procedure should include, in general, transaction monitoring mechanisms to detect attempts to use a payment service user’s personalised security credentials that were lost, stolen, or misappropriated and should also ensure that the payment service user is the legitimate user and therefore is giving consent for the transfer of funds and access to its account information through a normal use of the personalised security credentials. Furthermore, it is necessary to specify the requirements of the strong customer authentication that should be applied each time a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuse, by requiring the generation of an authentication code which should be resistant against the risk of being forged in its entirety or by disclosure of any of the elements upon which the code was generated.”
The draft RTS do not mandate what that form of authentication should be.
The EU says what is to be done, not how it is to be done. It may fall to UK regulators to decide what this authentication could and should look like.
The ID&V element in this RTS is found in the phrase “personalised security credentials”. The RTS, again, doesn’t specify what these should be, but this is where digital ID&V will play its role within PSD2 digital banking.
What is the future?
The dominant form of ID&V currently used in digital commerce, the password, is no longer strong enough to provide strong user authentication. Passwords can be cumbersome for consumers and, if long, hard to remember. There have been calls to replace passwords and PINs, but we believe they still have an important role to play.
ID&V works best when it is a mixture of factors. Something you have (a mobile device), something you are (a biometric characteristic) and something you know (a passcode) working together ensure the greatest protection.
And this multi-factor ID&V is also critical in the battle against data breaches. If biometric information is compromised, for example, it would be useless to criminals without the accompanying password or PIN.
The personalised security credentials as mandated by the EBA RTS have to be strong and secure in order for banks to remain compliant with PSD2. How they do this is, fundamentally, up to them. Yet it would be next to impossible to manage this without recourse to multi-factor ID&V.
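To make the two points above concrete, the authentication code “resistant against the risk of being forged in its entirety or by disclosure of any of the elements upon which the code was generated” in the RTS text, and the claim that one compromised factor is useless without the others, here is an added example. It is an illustrative construction, not MYPINPAD code and not a method the RTS prescribes: a possession secret held by the device and the user’s PIN are mixed into one key, and the code is an HMAC over a single-use challenge from the bank. The bank, the device, the PIN and the challenge handling are all constructed for the example.

```python
"""Multi-factor authentication code over a one-time challenge (added example).

Possession factor: a per-device secret set at enrolment.
Knowledge factor:  the user's PIN, never transmitted.
Neither factor alone can produce the code, the code does not reveal either
factor, and a code cannot be replayed because each challenge is used once.
All secrets and identifiers below are constructed.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8


def derive_code_key(device_secret: bytes, pin: str) -> bytes:
    """Mix both elements into one key so that disclosure of one is not enough."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 50_000)


def auth_code(code_key: bytes, challenge: bytes) -> str:
    """Truncated HMAC: the code is a function of the key and the fresh challenge."""
    mac = hmac.new(code_key, challenge, hashlib.sha256).digest()
    number = int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS
    return f"{number:0{CODE_DIGITS}d}"


class Bank:
    """Issues single-use challenges and checks codes (constructed verifier)."""

    def __init__(self):
        self.code_keys = {}   # user -> derived key (kept in an HSM in practice)
        self.pending = {}     # challenge -> user, removed on first use

    def enrol(self, user: str, device_secret: bytes, pin: str) -> None:
        self.code_keys[user] = derive_code_key(device_secret, pin)

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = user
        return challenge

    def verify(self, user: str, challenge: bytes, code: str) -> bool:
        # Unknown or already-consumed challenge: reject (this is what defeats replay).
        if self.pending.pop(challenge, None) != user:
            return False
        expected = auth_code(self.code_keys[user], challenge)
        return hmac.compare_digest(expected, code)


class Device:
    """The customer's phone: holds the possession secret, asks the user for the PIN."""

    def __init__(self, device_secret: bytes):
        self.secret = device_secret

    def respond(self, pin: str, challenge: bytes) -> str:
        return auth_code(derive_code_key(self.secret, pin), challenge)


def run_scenarios() -> dict:
    """Exercise the genuine flow and three single-factor or replay attempts."""
    bank = Bank()
    real_secret = secrets.token_bytes(32)
    pin = "4792"  # constructed PIN
    bank.enrol("alice", real_secret, pin)
    phone = Device(real_secret)

    results = {}
    c1 = bank.new_challenge("alice")
    good_code = phone.respond(pin, c1)
    results["genuine"] = bank.verify("alice", c1, good_code)

    # Same code presented again: the challenge was consumed, so it must fail.
    results["replay"] = bank.verify("alice", c1, good_code)

    # Right device, wrong PIN: possession alone is not enough.
    c2 = bank.new_challenge("alice")
    results["wrong_pin"] = bank.verify("alice", c2, phone.respond("0000", c2))

    # Disclosed PIN on a different device: knowledge alone is not enough.
    c3 = bank.new_challenge("alice")
    other = Device(secrets.token_bytes(32))
    results["pin_only"] = bank.verify("alice", c3, other.respond(pin, c3))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The design choice worth noting is that the PIN never leaves the device and the code is only ever as strong as the weaker of the two secrets combined with the freshness of the challenge; a real scheme would additionally bind the challenge to the transaction details and would keep the bank-side keys in hardware, neither of which changes the property shown here.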