Your Board Can’t Ignore Biometrics and AI

As the digital landscape continues to evolve and consumers increasingly turn to digital devices to conduct business, bank directors and executives have made it clear—most recently in Bank Director’s 2017 Risk Practices Survey, conducted in January, and 2017 Technology Survey, conducted over the summer—that cybersecurity is the risk category they worry about the most. Given their high level of concern on the issue, it’s surprising—and troublesome—to see a significantly smaller number of bank leaders indicate that they don’t believe that biometrics and artificial intelligence (AI) will impact their financial institution over the next five years, because these technology solutions are already being leveraged in the industry.


“Passwords are not necessarily safe,” says Charlie Jacco, cybersecurity leader, financial services at KPMG. People tend to re-use passwords, or default to easily guessed ones: Password manager Keeper Security found that 17 percent use the password “123456,” and the company’s list of the 25 most common passwords of 2016 accounts for more than half of the 10 million passwords analyzed by the company. Cybercriminals use bots to crack passwords, but oftentimes individuals will respond to a phishing attack in an email and unwittingly provide their information directly to the criminals. Eighty-one percent of hacking-related data breaches in 2016 used either a stolen or a weak password, according to the 2017 Data Breach Investigations Report published by Verizon. “If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned,” wrote the authors of the report.

And it’s not just customers that use passwords. Employees have to log into a bank’s core system, call platforms, and the other technology solutions needed to do their jobs. “From the security aspect of being able to improve logins, to move away from having to remember a zillion passwords, is not only good for the customer … ultimately I think it is a larger impact to the bank associate or employee,” says Charles Driest, the director of digital banking at $1.3 billion asset Essex Bank, based in Richmond, Virginia.

Multi-factor authentication—requiring a single-use numeric code, for instance, in addition to a password—is one solution, but the experience isn’t convenient for the user, whose expectations are informed by companies like Amazon that strive to make shopping easy. “How do I get that slick customer experience for my consumers that they’re expecting, and still make it safe?” says Jacco.

Customers are growing increasingly comfortable with biometrics as a security solution, according to Javelin Strategy & Research. Scanning the user’s thumbprint is probably the most commonly used approach in consumer-facing technology, and facial recognition has been getting more attention of late, with Apple’s introduction of the iPhone X, which replaces the thumbprint used to open the phone with a facial scan. Apple claims that facial recognition is more accurate, with a 1 in 1 million error rate, compared to 1 in 50,000 for the phone’s thumbprint scan. Banks have been experimenting with voice recognition, another form of biometrics, for roughly a decade, with a few deploying this biometric within their mobile app.

At its best, biometrics weds security with an optimized experience. It’s more difficult to steal a thumbprint, but it’s still possible, says Jacco. Companies that want to enhance their cybersecurity protections will begin leveraging multiple biometric authentications. USAA already allows customers to use thumbprint, facial and voice recognition in its mobile app, and remembers the user’s preferred biometric. Varying the biometric modalities used by customers will lead to personalized services. A teller may use facial recognition to know who a customer is when they walk into a branch, or a wealth manager, through voice recognition, will know the client on the phone. “This is something that all of the big banks are talking about, and it will make its way across the whole industry,” says Jacco.

The industry still has work to do to make biometrics a more secure solution. Most major banks use biometrics in their mobile channel, but the app defaults to a password if the biometric isn’t readable, says Al Pascual, research director and head of fraud and security at Javelin. “They default to what is arguably the weakest security solution.” Security questions used in enrollment aren’t safe from hackers, either. The data breach revealed by Yahoo in September 2017 included the security questions and answers that users had chosen as a failsafe in the event of a forgotten password.

For biometrics to be truly secure, banks need to ensure that the person enrolling their biometric “is in fact who they say they are,” says Pascual. But he adds that new account fraud is on the rise, and banks need to work on their initial identity controls—making sure they know the customer—before tackling biometric enrollment. With the recent breach of Equifax’s data impacting the identities of half of the American population, this is no small task.

Artificial intelligence also shows great potential in protecting financial institutions from cybercriminals and from fraud, and staying on top of compliance. “Banks are overwhelmed by cyber risk management, and I don’t see how they can afford to ignore AI technologies,” says Joan McGowan, a senior analyst at Celent who defines AI as “the application of analytics, bots, robotic process automation and report generation.”

KPMG’s Jacco says that robotic process automation can help sort through potential cyber incidents to better identify what warrants further investigation—a task still best suited for human intelligence. He adds that fraud and security teams are more frequently collaborating to leverage AI.

AI continues to evolve, so it’s not a technology that banks can set and forget. Banks will need to employ data scientists and improve their data analytics capabilities, says McGowan—no mean feat in an industry where just 13 percent of executives and directors believe their institution effectively uses data, per the 2017 Technology Survey.

Almost half of bank boards discuss technology at every board meeting, and 38 percent discuss the issue quarterly, according to the Technology Survey. So why don’t more boards—or senior executives, for that matter—see the value in biometrics and AI? It’s possible that up-and-coming technologies just aren’t discussed frequently enough. Ninety-four percent say the board focuses on cybersecurity in discussions about technology, but significantly fewer use that time to focus on other technology-related concerns, such as staying on top of technology trends (40 percent) and evaluating new technologies (24 percent). Without understanding the solutions available for banks today, it will be increasingly difficult for boards to oversee the cybersecurity risk facing their institution.


The 2017 Technology Survey was conducted in June and July of 2017, and examined how banks strategically approach technology. Bank Director surveyed 145 senior executives—including CEOs, chief information officers and chief technology officers—and independent directors of U.S. banks above $250 million in assets. Technology solutions provider CDW sponsored the survey.

Fraud: An Uneven Playing Field for Banks and Fintech Companies


The role of banks and other financial institutions (FIs) as repositories for large amounts of money has made them prime targets for fraudulent activity over the years. As a result of this, a wide range of laws and regulations have been created governing the activities of FIs with the objective of helping to protect consumers from fraud—whether it’s from the inside or outside. In recent years the question of fraud involving banks and other FIs has arisen again in a new context. Innovations in financial technology have raised questions as to whether banks or the fintech firms developing and operating such technology are responsible when its use exposes banks and their consumers to fraud.

Fintech has changed the way financial firms do business in a variety of areas including investment management, loan sourcing and data aggregation. Along with the ability to more proactively manage customer financial affairs and data through the use of technology has come an increased threat of cyberattacks. These types of attacks give malicious outsiders access to sensitive consumer data. A recent example involved two fintech lenders that were defrauded by a man who misrepresented his financial situation to cheat them out of more than $100,000 in total. He was convicted in Tennessee on six counts of fraud stemming from his actions.

The newness of the fintech revolution means that current laws and regulations, for the most part, do not clearly specify who is responsible for fraudulent activity that occurs in conjunction with processes involving both banks and fintech firms. This is likely to change over time as the courts more clearly apportion responsibility between banks and fintech firms in specific instances of fraud. However, when it comes to the regulatory treatment of the two types of institutions, the situation is much clearer; banks face stringent anti-fraud regulatory requirements governing their activities, whether using traditional banking methods or innovative financial technology, while fintech firms are not subject to the same requirements.

This disparity has not gone unnoticed, with leading financial institutions commenting on the danger posed to them by potentially risky fintech practices such as scraping bank websites to collect consumer financial data. At the same time, industry participants and regulators around the world have noted that they are aware of the regulatory discrepancy and that actions may need to be taken to help level the playing field.

Peter Misek, a partner at the Business Development Bank of Canada’s Venture IT Fund, recently opined that Canada’s emergence as a top five global fintech hub poses major risks due to an inadequate legal framework for dealing with fintech-related issues such as identity theft and fraud. He states that, in this regard, “Canada’s structures, rules and laws are antiquated and, in many cases, actually harmful.” Misek would like to see “innovative solutions to this problem” from tech companies, and wrote that his fund is willing “to put real dollars behind the effort.”

Addressing similar issues, the director and general counsel of Malaysia’s Securities Commission (SC), Foo Lei Mei, warned that digitalization in the financial services industry brings with it increased risk of fraud. In an article in Digital News Asia, Mei said that the SC planned to issue regulatory guidance regarding engaging with industry firms about the issue. “Discussions and focused group meetings have provided invaluable feedback to the SC in designing the regulatory framework for P2P lending in the capital market,” she was quoted as saying.

In the United States, the Federal Reserve Board has weighed in on the risks facing banks when outsourcing risk, such as using third-party firms to provide data aggregation or digital wealth advisory services. The Fed’s letter on the matter includes commentary on various issues associated with working with fintech companies. In an article by Robert Canova, senior S&R financial/policy analyst at the Federal Reserve Bank of Atlanta, Canova states that, with the increase in data breaches, website attacks and wire transfer fraud schemes, “Banks will need to become more sensitive to safeguarding any systems containing customer data that their digital vendors have access to, given the fact that hackers are getting increasingly sophisticated at breaking those systems down.”

Canova writes that as competition between fintech firms and banks increases, the former are likely to become subject to increased scrutiny. He cites a consultative paper by the Bank for International Settlements’ Committee on Payments and Market Infrastructures which calls for greater regulation of fintech companies as evidence of this, along with a whitepaper by the Clearing House (a trade association consisting of the 24 largest banks) that discusses “the absence of a level regulatory playing field.”

With fintech innovations becoming increasingly embedded in the fabric of banking operations, the potential for fraudulent use of banking infrastructure involving such technology grows accordingly. With banks and other FIs currently subject to strict anti-fraud regulations, they are unlikely to outpace less regulated fintech companies when it comes to technological innovation in the sector. As banks and fintechs become increasingly intertwined due to mergers, partnerships or head-to-head competition, it becomes more and more likely that regulators will take steps to address this dichotomy going forward.