Photo: Marie Hortense Raharimalala / IFC
By: Paul Makin and Chrissy Martin, CGAP
Biometric technologies are rapidly changing how financial services providers (FSPs) verify people’s identities and meet know-your-customer requirements as well as customer due diligence (CDD) requirements more broadly. India’s use of biometrics is perhaps the best-known example, but it is not the only one. According to an estimate by Juniper Research, over 600 million mobile devices around the world will use voice and facial recognition by 2021. While biometric technologies have a great deal of potential to reduce error and fraud in CDD, they can also pose risks if not implemented correctly.
As noted in a previous blog post, “KYC Utilities and Beyond: Solutions for an AML/CFT Paradox?”, identity verification can be a difficult and costly process. For this reason, FSPs in some countries are finding ways to collaborate and share the burden of CDD. Biometrics, if employed correctly by these collaborative groups, may be a more reliable means of supporting identity verification at a large scale than data generated by human processes. But for a biometric solution to be effective, it must carefully balance several considerations: security, cost, convenience, inclusiveness and accuracy. Often, prioritizing one comes at the cost of another.
Security is a crucial aspect of any biometric solution. Centrally storing biometric data on a national identity authority’s server is convenient because it means people do not have to carry their data with them on a physical device, such as a smartcard or a smartphone. However, if the server is hacked, every registered person’s biometric data could be vulnerable to theft. If a fraudster obtains someone’s information, he or she can be remotely authenticated as the victim and potentially take over their affairs in a so-called replay attack.
There are security measures against these attacks. To start with, the identity verification system can be set up to accept biometric submissions only from trusted devices. Another possible countermeasure is to collect several types of biometric data and store them differently. For example, facial recognition data could be collected and stored in a central location to initially register someone in an identity system. The person’s fingerprint data could also be collected and stored locally, rather than in a central database, to be used for verification purposes whenever they conduct transactions. This way, even if the facial biometric database is hacked, the person’s financial services cannot be accessed.
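The trusted-device countermeasure can be made concrete with a short sketch. This is an added example, not part of the original post: it assumes each enrolled device holds a secret key and signs every submission together with a one-time challenge from the verifier, and all names in it (`Verifier`, `device_sign`, the device IDs and keys) are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: per-device keys provisioned at enrolment (hypothetical registry).
TRUSTED_DEVICE_KEYS = {"pos-terminal-01": b"constructed-demo-key-01"}


class Verifier:
    """Accepts a biometric submission only from a trusted device, once per challenge."""

    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.open_challenges = set()

    def new_challenge(self):
        # A fresh random nonce ties each submission to a single verification attempt.
        nonce = secrets.token_hex(16)
        self.open_challenges.add(nonce)
        return nonce

    def accept(self, device_id, nonce, template, tag):
        key = self.device_keys.get(device_id)
        if key is None:
            return "rejected: unknown device"
        if nonce not in self.open_challenges:
            return "rejected: stale or reused challenge"
        self.open_challenges.discard(nonce)  # any attempt spends the challenge
        expected = hmac.new(key, nonce.encode() + template, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad device signature"
        return "accepted for matching"


def device_sign(key, nonce, template):
    # Runs on the trusted device: binds the captured template to the challenge.
    return hmac.new(key, nonce.encode() + template, hashlib.sha256).hexdigest()


def demo():
    verifier = Verifier(TRUSTED_DEVICE_KEYS)
    template = b"constructed-template-bytes"  # stands in for leaked biometric data
    nonce = verifier.new_challenge()
    tag = device_sign(TRUSTED_DEVICE_KEYS["pos-terminal-01"], nonce, template)
    genuine = verifier.accept("pos-terminal-01", nonce, template, tag)
    # The same message sent a second time: its challenge is already spent.
    replayed = verifier.accept("pos-terminal-01", nonce, template, tag)
    # Leaked template submitted without the device key: no valid tag exists.
    forged = verifier.accept("pos-terminal-01", verifier.new_challenge(), template, "00" * 32)
    unknown = verifier.accept("unenrolled-device", verifier.new_challenge(), template, "00" * 32)
    return genuine, replayed, forged, unknown
```

Under these assumptions, possession of the biometric data alone is not enough: the submission must also carry proof that it came from an enrolled device and answers a challenge that has not been used before.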
Cost and convenience
Security is of the utmost importance in a biometric solution, but it is also important to recognize that enhanced security features can be expensive or inconvenient. For example, a trusted device system limits the number of devices that people can use to conduct their financial transactions. Additionally, physical devices such as smartcards that increase security can drive up costs, since issuing cards at scale is expensive and relying on smartphones instead is not an option in many countries. If these costs are passed on to users in the form of a fee for card issuance, it is likely to inhibit adoption. For instance, the high fees charged to users for card issuance (which resulted from many costs, including the cost of the cards) were one reason for the initially slow adoption rates of the SNIC electronic identity cards in Pakistan. Finally, users may feel that physical devices are inconvenient, because they can be lost or forgotten. On the other hand, if prioritizing user convenience, one might rely on behavioral biometrics, such as someone’s gait or patterns of cell phone use, instead of physical ones. These systems, which have yet to be implemented at scale, promise a frictionless user experience but may present other risks, as noted below.
In addition to balancing security with costs and convenience, a biometric identity solution must be as inclusive as possible. Based on India’s experience, we already know that fingerprint scans are not fully inclusive. Those who are over age 50 or under age 6, work in hard labor occupations or have leprosy likely will be unable to successfully scan their fingerprints. This has led Aadhaar to offer a wider array of authentication methods, including iris scans. From July 2018, the options will include facial recognition. The use of behavioral biometrics to improve overall user convenience will inevitably lead to other inclusion issues. One obvious example is that people in wheelchairs will not be able to use gait recognition. Less obvious cases will have to be considered as new biometric modalities are introduced.
Inclusiveness is not only a concern on the demand side; it also is an issue for FSPs. Certain biometric technologies may be out of reach for a wide variety of FSPs, such as FinTech startups, microfinance institutions and financial cooperatives, if those technologies require extensive resources to implement. Such institutions may not be able to afford expensive point-of-sale terminals or sophisticated artificial intelligence software. If a biometric solution is so expensive that it excludes some providers, it could limit competition in the market and even push some FSPs currently serving poor customers out of the market entirely.
Accuracy and reliability
Governments, FSPs and citizens all need to have confidence in a CDD mechanism for it to work. As with security, accuracy and reliability are important factors in establishing confidence, yet they may be more complicated than they first seem. To begin with, a fingerprint scan is not actually a fingerprint; it is a set of data points derived from someone’s fingerprint. This is true of all biometric modalities, and it means that a data profile created from a biometric scan is not guaranteed to be unique or to always work.
Another factor related to confidence is reliability. Aadhaar provides a case in point. The Indian government has successfully registered over a billion people, an impressive feat indeed. However, documents recently submitted to the Supreme Court of India stated a nearly 9 percent failure rate for iris scans and 7 percent for fingerprint scans – arguably, a high percentage for a system that is so ubiquitous and necessary for life in India.
Biometrics hold significant promise and are more than likely the future of identification and identity verification. As FSPs increasingly look toward collaborative methods for CDD, biometrics may offer a way forward to reliable, at-scale identification, verification and authentication that is less subject to human error and fraud than passwords, PIN codes and paper-based identification systems. However, biometric technologies are complex and evolving. Understanding the trade-offs involved will ensure we can make biometrics as trusted, secure, affordable, user-friendly and inclusive as possible.
This post was written by Paul Makin and Chrissy Martin and originally published on CGAP’s website.