The two-year transition period for countries within the EU (including the UK, whose government has already confirmed that it will be implementing corresponding law with the same thresholds) to transpose the General Data Protection Regulation (GDPR) into national law comes to an end in May 2018. Although still nine months out, this deadline is beginning to loom large for financial institutions currently without an adequate solution to the problem of protecting, whilst also allowing access to, the huge volumes of personal data they amass on their customers.
The standout feature of the regulation is the fines that could be handed out to companies that fail to comply with the new rules concerning data, which could potentially run into the tens of millions of euros. It is therefore unsurprising that organisations are prepared to spend their budget allocations to ensure that they have the best possible chance of falling on the right side of any compliance query.
Opportunity, not cost
One facet of the GDPR that is causing headaches for financial services is the challenge of granting access to data. Under the regulation, individuals will have the right to obtain access to their personal data and other supplementary information. The regulation also generates the reciprocal issue: individuals have the right to insist that their data is accessible only to them.
However, for forward-thinking organisations, the onset of the GDPR era will not be seen in a negative light. Customer data is one of traditional financial services’ key assets, particularly in the ongoing tussle with challenger banks, yet storage of and access to this data is an area that has been neglected by R&D for a long time. In the main, data is currently stored in legacy silos that serve only to hinder, rather than enable, the unlocking of its potential as a vital performance-enhancing tool.
The compulsion to comply with GDPR can therefore be viewed as the trigger for a much needed, historic technology refresh. Firms can completely reassess every component of their data storage, including their authentication processes, and develop a new GDPR-compliant system which also enhances the customer user experience and additionally strengthens data security through the implementation of the most modern technology on the market.
The challenge for fintech is to develop the technology that facilitates these dual concerns in the GDPR environment.
Biometrics: The answer to the riddle?
Identification factors that have previously been industry standard, namely passwords, PINs and tokens, should be considered inadequate in the post-GDPR world when the fines for data breaches are so hefty. In the overwhelming majority of data breaches, blame can be attributed to password authentication, either through a password being too weak or through the user maliciously or unintentionally revealing the password to bad actors.
New authentication methods that demonstrate the physical presence of an authenticated person applying for access to data are the only way to strike a balance between creating the access GDPR dictates customers must have and preventing unauthorised breaches.
Of these, the most accurate and advanced is biometrics. Fingerprint and voice recognition technologies currently available in the market can be combined with other “what you have” (a smartphone) and “what you know” (password or security question) factors to form a strong multifactor authentication process capable of withstanding the rigours of GDPR. Of these factors, however, “what you are” (biometrics) is by a distance the strongest authentication factor. Not only is this factor difficult for bad actors to replicate or steal, but it also carries significant legal strength, which will be important with GDPR fines lurking in the shadows following any data breach.
Additionally, it is now evident that mobile banking customers prefer biometric authentication to passwords and tokens, which are cumbersome, introduce friction into the authentication process, constantly require changing, and can be incredibly irritating to recover if lost or forgotten. In an age where traditional banking is struggling to match challenger banks’ user experience, a trait valued highly by Millennials (the target consumer group du jour), a slick and reliable authentication process is paramount. Locking customers’ data behind walls and walls of password-driven authentication systems in the false belief that this is adequate security, purely because this form of authentication is all that the legacy infrastructure can process, is the route to failure: not only through inadequate security, but also because it will undermine rather than enhance the customer experience.
The future of authentication
By considering GDPR compliance through the lens of a much needed legacy architecture evaluation, financial institutions can take advantage of the opportunity the regulation presents to increase the security of their data.
Those that embrace the capabilities of biometrics are preparing themselves for the inevitable future of authentication. A multifactor authentication system with mobile biometric components as its cornerstone is the next step along the path to ultimate data security, guaranteeing that the entity applying for access can be verified.
This will be closely followed by behaviourmetrics, in which the actions of a user will be mapped and recorded in a similar way to how biometrics records physical traits. AI will be able to generate a comprehensive understanding of a person’s habits, to the point that it can recognise if a user is being impersonated purely through how the bad actor interacts with the system. Coupled with biometrics, this allows financial institutions to develop an increasingly accurate impression of who the user applying for authentication is.