A recent Visa survey clearly demonstrated how critical a role banks could potentially play in helping the rollout of biometrics. While there have been many public announcements of the adoption of biometrics for account access, there still seems to be a long way to go. So what needs to happen?
The European regulators may appear to be sending mixed messages to the financial community today. On one hand, PSD2 and local domestic regulatory authorities indicate a clear appetite for open banking leveraging APIs, while on the other hand they offer recommendations on SCA (Strong Customer Authentication) that many fear will be “conversion killers” because of their level of impact on the transaction. This apparent inconsistency only adds to the current level of uncertainty and, until there is clearer alignment around exactly what is needed, we are at risk of seeing inertia or significant market differences as the bodies in each market draw their own, differing conclusions.
Biometrics aren’t binary
New use cases, similar to Touch ID for Apple Pay transactions, will also emerge where biometrics will complement the user experience. New voice-controlled home sound systems are a “prime” example where voice recognition will be the obvious authentication method to access an e-commerce transaction. Unlike traditional authentication, it appears unlikely there will be only one form of biometric, just a use-case-appropriate choice of biometric that will then feed the data score for each transaction.
Mobile is critical
Linked to the “authentication as scoring” approach, it is critical to recognise the role other technologies will play in reducing ecosystem risk. Tokenisation is already having a huge impact in reducing the risk of sensitive data being shared in the ecosystem. Evidence from the US has shown that post-transaction messaging has significantly reduced fraud, because customers detect fraudulent transactions themselves.
As part of a wider mobile banking app strategy, the typical mobile device – which carries a number of key capabilities to scan, record, hear and locate – can be used as a key tool to communicate and engage with the customer. This, in turn, increases the frequency of interaction and the volume of customer data, building the data points that help identify and validate the customer. In many markets, the customer is still driven to go to the browser for important transactions that could as easily and safely be performed in-app. Banks need to trust the app if they’re truly going to change behaviour.
Have we met before?
One of the key concerns often raised when reviewing some of the regulatory changes is the lack of differentiation between the first transaction and the subsequent, repeat transactions. This is surprising, because such differentiation is commonplace today in best-in-class online experiences and normal for ACH payments from bank accounts. Requiring stronger authentication for the first transaction, when enrolling or registering the user, will establish data attributes that can then be used to validate subsequent transactions.
Differentiating between “check-in” and “check-out” has the potential to vastly improve fraud ratios and to deliver customer experiences that don’t damage key merchant ratios. As tokens become increasingly prevalent, the requirement for strong authentication before provisioning a token that can then support subsequent transactions seems a sensible way forward to meet the needs of all stakeholders. Banks may wish to take an active role in validating the customer when they provision the token and then rely on more passive, risk-based authentication methods for subsequent transactions.
The role of EMV
When EMV was first launched in Europe, there was much hype around the potential usage of the chip on the plastic. Years later, the potential is still there, and biometrics may be a good opportunity to enhance the functionality. Visa has been adapting its EMV and VbV 2.0 specifications to incorporate biometrics, but uptake of the EMV option has been very limited to date. If the banks wish to maintain their key role, they may need to accelerate utilisation of their customer plastics and evaluate usage of their PINs on devices as authentication options that reinforce their role as a trusted partner.
If not, many other organisations will be keen to leverage the inherent capabilities that exist on the customer’s mobile device. Customers are clearly keen for their banks to be actively involved and trust them more than any other institution to protect their privacy – the key risk is that new entrants will fill the void by offering new propositions that focus so heavily on convenience that customers are unaware of, or choose to ignore, the critical importance of ensuring the data is neutralised and protected from improper usage.