Back in 2009, people thought it was creepy—or as one banking leader puts it, “They were not cool with it.”
Hess says that Fiserv gathered more than 30 consumers to test some banking features that would allow people to open their checking accounts with eye scan and voice-recognition technology. But instead of being impressed, they were distressed. They especially didn’t like the retina scan; 80 percent of the consumers said they would not use it as an alternative to a bank password.
But nine years to adapt to new technology—and capitalize on its conveniences—can change a lot of minds. In late 2011, Apple introduced Siri; countless consumers have embraced it since, as well as Alexa and Google Voice. So it’s safe to say voice activation is here to stay, even if consumers are still turning a blind eye to computers staring down their eyeballs.
Be that as it may, this much remains certain: Banks utilize biometrics more than ever before. The term refers to measuring and analyzing physical or behavioral characteristics, such as fingerprints, faces and voices, to identity people. And banking and biometrics are in sync for good reason. A talented hacker has a decent shot at figuring out your password; on a recent BAI Banking Strategies podcast, David Bryan of IBM’s X-Force Red said that a determined malefactor could use brute force to pummel past a weak password in less than an hour.
Compare that to a biometric security checkpoint—where unless you meet up with a sci-fi villain straight out of a James Bond flick, you probably won’t have your facial features stolen. Already, some banks utilize biometrics in sophisticated ways. For instance, TD Bank offers a voice recognition technology that verifies customers by phone—so call center representatives know for sure who they’re talking to and can thus circumvent fraud.
Biometric growing pains
Still, biometrics as a mainstream security feature isn’t quite foolproof. Last year, a BBC reporter set up an HSBC account and found that his non-identical twin could imitate his voice and access the account (though on the eighth try). Some hackers are trying to exploit this chink in the armor by stealing “calls recorded for quality and training purposes” from banks and retailers.
Some banks have found that senior citizens’ fingerprints aren’t always able to identify them; wrinkles get in the way. (You may have experienced much the same opening an iPhone if there’s grease or a smudge on your phone.)
And similar to those nightmares some have about the abuse of artificial intelligence, the ill wind of government overreach is raising a biometric stink in some parts of the world. Earlier this month, the New York Times reported that India is scanning the fingerprints, eyes and faces of its 1.3 billion residents and connecting the data to everything from welfare benefits to mobile phones. Civil libertarians are horrified—viewing the program, called Aadhaar, as George Orwell’s Big Brother brought to life.
Still, that’s hardly reason enough to stop forward progress in financial services. Hess thinks honing a biometrics program is worth a bank’s effort–especially if banks and their customers want to keep their money safe from criminals.
And who doesn’t want that?
“If you have a password, that can be compromised,” Hess says. “But you can’t change your biometrics.”
Biometrics best practices
If you’re looking for a way to develop a robust biometrics program, what’s a bank to do? Keep the following three principles in mind.
Be flexible. Make your biometrics program agile and malleable, “one that is easily changed, dynamic and has some components of adaptivity to remain sustainable,” says Seth Ruden, a principal fraud consultant in the payment risk solutions department at ACI Worldwide.
“Being able to change strategy on the fly is critical,” Ruden stresses. In other words, expect something to go wrong with your biometrics program—just as you would any security protocol—and plow that expectation back into spending more time getting things right.
Don’t rely on biometrics alone. Biometrics can and will play an important role in separating consumers from identity thieves. But Ruden says that in an ideal world, banks will use two of three identifiers to verify who someone is: what you know (PIN, password, debit account balance, account-related questions), what you have (your debit card, mobile device) and who you are (biometric identifiers).
And if you can provide more than one type of biometric identifier (or allow consumers to opt out of biometrics and use other ways to verify themselves), all the better, according to Kimberly Sutherland, a senior director in fraud and identity management strategy at LexisNexis Risk Solutions.
“One of the largest barriers to biometric adoption had been concerns around the impact to customer experience, due to added friction during the enrollment process,” Sutherland says. “Giving consumers a choice regarding their preferred authentication methods is one of the best ways to minimize the customer experience impact.”
Follow the lead of the consumer. Do you want to go with voice-recognition technology, an eye scan, fingerprint technology or some other biometric? Before you settle on a certain type, be careful you aren’t getting too far ahead of consumers, according to Lindsay Sacknoff, based out of Philadelphia and a senior vice president and head of the U.S. phone channel at TD Bank.
“There are so many options out there already and new technology is constantly making its way to market, so sometimes the challenge lies in having so many choices,” Sacknoff says.
Hess concurs, well remembering the lesson of that focus group back in 2009. That’s why he recommends that bankers “be conscious of what the device manufacturers are building. Don’t build in advance of that. Let the devices support the technology, and then add it to your banking platforms. When technological advances become popular, that’s when people expect it.”
After all, you don’t want to be the bank that wastes a lot of time and money on biometrics features that no consumer wants. That would truly be creepy.