Biometrics: Compelling Business Case, But Beware Hidden Risks – Part 2

The second part of a discussion about biometric technology and its use in making our digital world more secure and less vulnerable to threats. The intense use of online tools in recent weeks accentuates the need to be on guard.
Continuing our focus on the cybersecurity and data protection
challenges exacerbated by COVID-19, we now turn to the boom in
biometric authentication. (Part
one of the feature is here.)
This second part of the feature digs into the technological
choices and hidden risks wealth managers need to be aware of;
Part 1 unpicked the compelling business case for verifying the
identity of staff and clients using this technology. To jump into
the conversation email tom.burroughes@wealthbriefing.com
and jackie.bennion@clearviewpublishing.com
As the first part of this feature set out, the costs and risk
surrounding passwords have been pushing financial institutions
towards Multi-Factor Authentication and then biometrics for some
time now, a trend which experts say is being hugely accelerated
by the COVID-19 crisis. Surging cybercrime, remote working - and
very often the need to enlist employees’ own computers and
mobiles in it - have created an acute need for wealth managers to
beef up security around systems, devices and data. At the same
time, clients are likely to be logging on to monitor portfolios
and transacting business digitally like never before. Nor can
verifying that a caller is who they say they are be neglected
amid a rise in “vishing” attacks by phone.
Coupled with the desire to create a seamless user experience,
the heightened cybersecurity and data protection dangers facing
the sector have added to the already impressive momentum driving
the industry’s adoption of biometric authentication methods. Even
before the pandemic struck, biometric technology was predicted to
grow at a CAGR [compound annual growth rate] of 22 per cent
between 2017 and 2024 in the banking and finance sector. (1)
Add in the productivity gains to be had from eradicating the pain
of password resets and expiration, and the business case for
biometrics is compelling. However, careful choices must still be
made, the experts warn.
Which biometric?
First is the institution’s choice of biometric from what is
actually quite a wide range. Some institutions have been using
voice recognition with clients for years, but the prevalence of
facial recognition and fingerprints via smartphones has brought
these to the fore (vein patterns, iris/retina scans and even
electrocardiograms are also possibilities). Here, James
Stickland, CEO of Veridium, advises firms to be strategic in
deploying the right method for the use case, but to give
particular weight to the maturity of the method.
“Fingerprint authentication is the most mature and accurate,” he
says. “They are harder to spoof than other methods and less
likely to suffer from interference from external factors, such as
the problems with lighting or headgear you encounter with facial
recognition.” Importantly, he observes that institutions like the
US National Institute of Standards and Technology recognise
standards for fingerprints, which they haven’t done with other
biometric technologies.
As Part 1 noted, fingerprint technology has the very great
advantage of already being baked into smartphones – as are the
high-quality cameras needed for facial recognition and scanning
documents like passports. As a further boost to the digital
onboarding movement, UK regulator the Financial Conduct Authority
recently confirmed its acceptance of selfies and videos as a
means of verifying clients’ identities.
That there is no need to invest in hardware already in the hands
of staff and clients means that institutions are eagerly adopting
biometric authentication for all kinds of purposes - and the
technology is clearly proving invaluable to helping businesses
carry on as close to normal as possible. “Use cases include
remotely onboarding clients and employees; secure access to
systems, applications and devices; self-service password resets
and encryption recovery keys,” says Darren James, technical lead
at Specops Software. “Firms also use it to verify directors
dialling in for virtual board meetings.”
The creation of legally binding e-signatures and consents for
transactions is, of course, another hugely important application
- and one which underscores how immensely important security
around biometrics will be. Here, implementation choices become
more complex.
Security risks
Institutions looking to implement biometric authentication may
encounter grave concerns about the theft of this data. Hackers
will naturally salivate at the thought of stealing biometric
markers and one cannot, after all, reset face or fingers if a
theft should occur. Just as important is the fact that biometric
information is specifically included in the GDPR’s definition of
special category personal data under Article 9 and so exposes
firms to the highest possible fines for breaches.
Here, James first advises firms to pay close attention to the
jurisdiction in which the technology provider resides (ensuring
data isn’t transferred to countries with weak protections for
personal data is a concern not limited to the EU’s protection
regime); and second to ensure adequate encryption of data, both
in transit and at rest. Strictly limiting access to data
internally, potentially through a Privileged Access Management
system, is also strongly advised.
Most importantly, he says, firms should never trust any vendor
with their users’ data and should instead “only store the data in
their local environment - typically something resilient such as
an Active Directory or a clustered database with sufficiently
strong access controls and backups in place.”
To be even safer, Stickland explains that firms need never be the
custodians of an individual’s biometric data at all. “Techniques
such as the distributed data model can be used, which encrypts
biometric data in multiple places by leveraging decentralised
technology such as blockchain,” he says. “In this way, the data
is secure and the individual remains the sole owner of their
biometrics.”
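The principle in Stickland's quote, that the institution need not be the sole custodian of a template, can be shown with a threshold scheme. The following is an added example written for this page, not Veridium's scheme and without the blockchain layer the quote mentions: a template is split rather than encrypted, using Shamir secret sharing over GF(2^8), into five shares held by independent custodians; any three rebuild it and any two learn nothing about it. The template bytes and the 3-of-5 parameters are constructed for the illustration.

```python
"""Threshold custody of a biometric template (added example).

Shamir secret sharing over GF(2^8): the template is split into n shares held
by independent custodians; any k shares rebuild it, any k-1 reveal nothing.
"""
import secrets
from typing import Dict, List


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (every non-zero element satisfies a^255 = 1)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_template(template: bytes, k: int, n: int) -> Dict[int, bytes]:
    """Split `template` into n shares with threshold k. Share x is k || y_1..y_len."""
    if not 2 <= k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    shares: Dict[int, bytearray] = {x: bytearray([k]) for x in range(1, n + 1)}
    for byte in template:
        # Fresh random polynomial per byte, with the secret byte as constant term.
        coeffs: List[int] = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, share in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at point x
                y = gf_mul(y, x) ^ c
            share.append(y)
    return {x: bytes(s) for x, s in shares.items()}


def reconstruct_template(shares: Dict[int, bytes]) -> bytes:
    """Rebuild the template from at least k shares by Lagrange interpolation at x = 0."""
    thresholds = {s[0] for s in shares.values()}
    lengths = {len(s) for s in shares.values()}
    if len(thresholds) != 1 or len(lengths) != 1:
        raise ValueError("shares do not belong to the same split")
    k = thresholds.pop()
    if len(shares) < k:
        raise ValueError(f"{len(shares)} shares presented, {k} required")
    xs = list(shares)
    # Lagrange basis at 0: prod_{m != j} x_m / (x_m - x_j); subtraction is xor here.
    basis: Dict[int, int] = {}
    for xj in xs:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = gf_mul(num, xm)
                den = gf_mul(den, xm ^ xj)
        basis[xj] = gf_mul(num, gf_inv(den))
    out = bytearray()
    for i in range(1, lengths.pop()):  # skip the threshold header byte
        value = 0
        for xj in xs:
            value ^= gf_mul(shares[xj][i], basis[xj])
        out.append(value)
    return bytes(out)


def demo() -> bool:
    """Constructed template: three custodians out of five rebuild it, two are refused."""
    template = b"CONSTRUCTED-MINUTIAE-TEMPLATE-0001"
    shares = split_template(template, k=3, n=5)
    rebuilt = reconstruct_template({x: shares[x] for x in (2, 4, 5)})
    try:
        reconstruct_template({x: shares[x] for x in (1, 3)})
        refused = False
    except ValueError:
        refused = True
    return rebuilt == template and refused


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

The share header carries the threshold so that a reconstruction attempt with too few shares is refused rather than silently returning garbage; in a deployment the shares would additionally be authenticated, since Shamir on its own does not detect a tampered share.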
Data protection compliance
The current crisis may be accelerating the sector’s digitisation
in a positive way, but as these technical caveats highlight, it
is vital that wealth managers adopt new technologies in a very
considered way.
As Sorcha Lorimer, CEO of Trace AI, a software vendor for data
protection compliance, points out, the high risks associated with
biometric data call for deep - and documented -
thought.
“Extremely robust data protection measures will need to be
considered upfront, and across people, processes and technology,”
she says. “You would need to work through a detailed Data
Protection Impact Assessment to comply with GDPR, along with
considering relevant country-specific frameworks protecting
biometric data. The US has Health Information Technology for
Economic and Clinical Health (HITECH) and the Health Insurance
Portability and Accountability Act (HIPAA), for instance.”
With no vaccine in sight, the world is pinning its hopes of
fighting COVID-19 on technology. The gathering and analysis of
health and biometric data through our own devices seems an
ineluctable trend. This is not without significant fears also
being voiced from many quarters, however. Wealth managers must
tread extremely carefully here, and not just in terms of
security.
The French data protection authority, the CNIL, has, for
instance, excluded biometrics from its recent standards for
employers processing data for human resources, saying that they
are “subject to special supervision”. Meanwhile, the Irish Data
Protection Commission has recently come out to say that
biometrics “in themselves raise serious data protection and
privacy issues” and “should only be considered where other
authentication methods are demonstrably insufficient”.
A significant warning shot has in fact just been fired: on 30 April 2020, the Dutch Data Protection Authority issued its biggest fine to date (€725,000) against a firm it held to be unlawfully processing employee fingerprint data for security and attendance purposes.
Particularly pertinent here is the data minimisation principle
under Article 5 of the GDPR, which requires that only data
strictly necessary for the purpose is processed. The fact that
other means of authentication could arguably be sufficient could
land firms in hot water. Added to this are a host of issues
around the explicit, informed and freely given consent necessary
for processing special category data under Article 9.
As Lorimer points out: “There are particular issues with employee
consent. Is there an open culture which allows people to say no
or challenge the use of their data? Might biometric data be used
for employee surveillance, such as monitoring productivity from
home, and how then do you ensure it's not used to discriminate
against individuals?”
There are weighty ethical issues bound up in the broader
biometrics piece. But one way of alleviating those around consent
and data minimisation in wealth management use cases is to offer
choice. “It’s always good to have alternatives available to the
user,” says James. “Our solution enforces enrolment of multiple
factors, but when the user wishes to use those ID services, they
only need to use enough factors to grant access to the system.
This could be a single biometric or multiple ‘weaker’
factors.”
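The policy James describes, enrol several factors but present only enough to reach the required assurance, can be written as a small decision function. The following is an added example for this page, not Specops' product logic; the factor names, the point weights and the rule that two factors of the same category do not stack are assumptions chosen to make the idea concrete. The enrolment check also encodes the consent point from the preceding paragraphs: a user who declines biometrics must still have a route in.

```python
"""Sufficiency-based access policy over enrolled factors (added example).

Users enrol several factors; at login they present only enough verified
factors to reach a required assurance level. Weights are illustrative.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    weight: int  # assurance points (assumed values, not a vendor's)


# Constructed enrolment record for one user. Two knowledge factors are
# deliberately present to show that they do not add up to a second factor.
ENROLLED: Dict[str, Factor] = {
    f.name: f
    for f in (
        Factor("password", Category.KNOWLEDGE, 1),
        Factor("security_question", Category.KNOWLEDGE, 1),
        Factor("otp_app", Category.POSSESSION, 2),
        Factor("fingerprint", Category.INHERENCE, 3),
        Factor("face", Category.INHERENCE, 3),
    )
}
REQUIRED_ASSURANCE = 3  # assumed threshold: one strong biometric, or password + OTP


def enrolment_is_valid(enrolled: Dict[str, Factor],
                       required: int = REQUIRED_ASSURANCE) -> bool:
    """Enrolment rule: at least two categories, and the required level must be
    reachable without any biometric, so declining biometrics still leaves a route in."""
    categories = {f.category for f in enrolled.values()}
    best_non_biometric: Dict[Category, int] = {}
    for f in enrolled.values():
        if f.category is Category.INHERENCE:
            continue
        best_non_biometric[f.category] = max(best_non_biometric.get(f.category, 0), f.weight)
    return len(categories) >= 2 and sum(best_non_biometric.values()) >= required


def access_decision(presented: Iterable[Tuple[str, bool]],
                    enrolled: Dict[str, Factor] = ENROLLED,
                    required: int = REQUIRED_ASSURANCE) -> Tuple[bool, int, List[str]]:
    """Return (granted, score, reasons) for (factor_name, verified) pairs.

    - an unknown or failed factor denies outright: a failed factor is a signal, not a zero,
    - only the strongest verified factor per category counts,
    - access is granted once the score reaches the required level.
    """
    reasons: List[str] = []
    best_per_category: Dict[Category, int] = {}
    for name, verified in presented:
        factor = enrolled.get(name)
        if factor is None:
            return False, 0, [f"{name}: not enrolled"]
        if not verified:
            return False, 0, [f"{name}: verification failed"]
        if factor.weight > best_per_category.get(factor.category, 0):
            best_per_category[factor.category] = factor.weight
        else:
            reasons.append(f"{name}: category already counted")
    score = sum(best_per_category.values())
    reasons.append(f"score {score} against required {required}")
    return score >= required, score, reasons


if __name__ == "__main__":
    for attempt in ([("fingerprint", True)],
                    [("password", True), ("otp_app", True)],
                    [("password", True), ("security_question", True)]):
        print(attempt, "->", access_decision(attempt))
```

A single fingerprint reaches the threshold on its own, a password plus an authenticator code reaches it together, and two knowledge factors do not; the function returns its reasons so the decision can be logged and reviewed rather than only enforced.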
And so, like so much with technology today, biometric
authentication represents an intersection between convenience,
privacy and security issues that warrants very serious thought on
the part of institutions and individuals alike. This technology
clearly has a great deal to offer the sector, yet much depends on
the specific technologies and vendors wealth managers select –
along with their continued observance and documentation of good
data protection practice.
Once again, the richness of data now at wealth managers’ disposal
is proving to be a double-edged sword.
Footnote:
1. Global Markets Insights, 2016