Banks and financial services organizations have accelerated their adoption of biometrics, facial recognition and artificial intelligence (AI) to enable the use of digital identities and continue operations during the pandemic. However, these technologies are in need of strict regulations to protect users.
Biometrics can add an extra layer of security when unlocking a smartphone using a person’s face or fingerprint. But other technologies have raised privacy concerns among consumers, such as law enforcement leveraging facial recognition to identify wanted criminals via security cameras in a public space. This has led to outright bans of facial recognition technology in several cities, including Boston, San Francisco, Oakland, Portland, Oregon and Portland, Maine, to name a few. As these technologies become mainstream, we’ll need regulations to retain (or in some cases, regain) the trust of consumers and policymakers.
As a step forward, we see international organizations push for global standards around the use of biometrics, for example, the FIDO Alliance and the Financial Action Task Force (FATF), which recently issued guidance on how to apply a risk-based approach to using digital identity systems for customer identification and verification. However, the U.S. lags behind other regions, which have been more progressive in their adoption of regulations, such as the General Data Protection Regulation (GDPR) in Europe.
In lieu of federal standards, states such as California have implemented their own regulations, such as the California Consumer Protection Act (CCPA) and its upgrade, the California Privacy Rights Act (CPRA). Recently approved by voters, CPRA addresses privacy and puts forth minimum technical requirements that business must implement to protect consumer data. But consumer privacy and security must get properly addressed at the federal level to drive growth in the digital economy.
Significant federal regs on the horizon
Under the upcoming Biden administration, we can expect to see a tsunami of new regulations as well as the restoration of many regulations that were in place during the Obama administration. Let’s take a closer look at the most significant regulations coming into focus and how they will impact banks and consumers alike:
- The Consumer Financial Protection Bureau (CFPB) issued an advance notice of proposed rulemaking that would implement Section 1033 of the Dodd-Frank Act, considered the first step in setting standards in the U.S. around Open Banking. If passed, this would create a standardized approach for banks and financial institutions to work from.
- The Federal Trade Commission's proposed amendments to the Safeguards and Privacy Rules under the Gramm-Leach-Bliley Act, issued in 2019 and still evolving, include several changes. Among them, financial institutions and applicable businesses are required to encrypt customer data, implement access controls to prevent unauthorized users from accessing customer information, and use multi-factor authentication to access customer data. The rule would apply to banks and businesses providing financial services.
- Banks are also focused on fraud prevention, and the Federal Financial Institutions Examination Council (FFIEC) will probably update its guidance on Internet Banking Authentication. The guidance was last updated in 2011, and an update will take into account a decade of technology innovation across authentication solutions. We consider this important given that the Financial Crimes Enforcement Network (FinCEN) recently presented that more than $1 billion per month is lost to identity-related cybercrimes, including $350 million per month lost to Account Takeover Fraud.
Here are four steps banks can take right now to comply with the regulations impacting the financial services industry in 2021:
- Follow closely the Advance Notice of Proposed Rulemaking (ANPRM) from the Consumer Financial Protection Bureau on Open Banking in the coming months. If Open Banking becomes the norm in the U.S., we’ll see banks and payment service providers also leverage biometrics for various authentication approaches.
- Implement APIs to share customer data, as it's unlikely a U.S. Open Banking policy will permit screen scraping, which gives third parties credential-based access to bank customers' accounts.
- Modernize authentication approaches to combine multi-factor authentication with biometric modalities such as face, fingerprint, voice and iris scan to protect customer data and provide a frictionless, secure user experience for customers under the pending new regulations.
- Combine AI with machine learning (ML) to detect the likelihood of an action being anomalous, or the likelihood of fraud, in real time. Banks should also leverage ML to adapt biometric authentication types to the level of risk through continuous risk monitoring.
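The third and fourth steps above describe risk-adaptive authentication: the factors a session must satisfy (password, one-time code, biometric) depend on a risk score that is re-evaluated on every sensitive action. The following is an added illustration, not code from the article or from OneSpan; the signals, weights and thresholds are constructed assumptions, not a published standard.

```python
"""Risk-based step-up authentication: derive required MFA factors from a risk
score, then re-check that score at each sensitive action (continuous monitoring).
All weights and thresholds below are illustrative assumptions."""
from dataclasses import dataclass

# Risk level -> factors a session must have completed before the action proceeds.
# "biometric" stands for a modality such as face, fingerprint, voice or iris.
LEVELS = {
    "low": ("password",),
    "medium": ("password", "otp"),
    "high": ("password", "otp", "biometric"),
}


@dataclass
class Signals:
    """Constructed session/transaction signals a fraud model might expose."""
    new_device: bool = False
    country_mismatch: bool = False      # login country differs from the usual one
    failed_logins_last_hour: int = 0
    txn_amount: float = 0.0
    typical_txn_amount: float = 0.0     # account's usual transaction size


def risk_score(s: Signals) -> int:
    """Additive score capped at 100. Weights are assumptions for illustration."""
    score = 0
    if s.new_device:
        score += 30
    if s.country_mismatch:
        score += 25
    score += 10 * min(s.failed_logins_last_hour, 5)   # brute-force pressure
    if s.typical_txn_amount > 0 and s.txn_amount > 5 * s.typical_txn_amount:
        score += 30                                    # unusually large transfer
    return min(score, 100)


def risk_level(score: int) -> str:
    if score < 20:
        return "low"
    if score < 50:
        return "medium"
    return "high"


def missing_factors(s: Signals, completed: set) -> tuple:
    """Factors still required for this action, given what the session has
    already satisfied. An empty tuple means the action may proceed."""
    required = LEVELS[risk_level(risk_score(s))]
    return tuple(f for f in required if f not in completed)
```

Calling `missing_factors` again at transaction time, with the same `completed` set, is what turns a login-time decision into continuous risk monitoring: a session that started at low risk is challenged for a biometric only when a later action raises its score.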
The cost of fraud has escalated with synthetic identity fraud expected to reach $4.1 billion by 2023 according to Aite Group. This past fall the Federal Reserve convened a focus group to develop an industry-recommended definition of synthetic identity fraud. The Federal Reserve says this type of fraud has flown under the radar for years at many financial institutions because of misclassifications or simply a lack of understanding. The Fed anticipates a more specific definition will help improve measurement, reporting and detection of synthetic identity fraud within organizations and across the payments industry.
The focus group plans to publish a recommended definition in early 2021 which could lead to new regulations to guide the banking industry’s use of technology in the coming year.
Moving forward, expect banks and financial institutions to balance the usability of their platforms with security tools for identity verification and authentication, leveraging biometrics along with AI and ML to combat the rising wave of fraud targeting digital channels.
Michael Magrath, director, global regulations and standards, OneSpan