Your Board Can’t Ignore Biometrics and AI

As the digital landscape continues to evolve and consumers increasingly turn to digital devices to conduct business, bank directors and executives have made it clear—most recently in Bank Director’s 2017 Risk Practices Survey, conducted in January, and 2017 Technology Survey, conducted over the summer—that cybersecurity is the risk category they worry about the most. Given their high level of concern on the issue, it’s surprising—and troublesome—to see a significantly smaller number of bank leaders indicate that they don’t believe that biometrics and artificial intelligence (AI) will impact their financial institution over the next five years, because these technology solutions are already being leveraged in the industry.


“Passwords are not necessarily safe,” says Charlie Jacco, cybersecurity leader, financial services at KPMG. People tend to re-use passwords, or default to easily guessed ones: Password manager Keeper Security found that 17 percent use the password “123456,” and the company’s list of the 25 most common passwords of 2016 accounts for more than half of the 10 million passwords analyzed by the company. Cybercriminals use bots to crack passwords, but oftentimes individuals will respond to a phishing attack in an email and unwittingly provide their information directly to the criminals. Eighty-one percent of hacking-related data breaches in 2016 used either a stolen or a weak password, according to the 2017 Data Breach Investigations Report published by Verizon. “If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned,” wrote the authors of the report.

And it’s not just customers that use passwords. Employees have to log into a bank’s core system, call platforms, and the other technology solutions needed to do their jobs. “From the security aspect of being able to improve logins, to move away from having to remember a zillion passwords, is not only good for the customer … ultimately I think it is a larger impact to the bank associate or employee,” says Charles Driest, the director of digital banking at $1.3 billion asset Essex Bank, based in Richmond, Virginia.

Multi-factor authentication—requiring a single-use numeric code, for instance, in addition to a password—is one solution, but the experience isn’t convenient for the user, whose expectations are informed by companies like Amazon that strive to make shopping easy. “How do I get that slick customer experience for my consumers that they’re expecting, and still make it safe?” says Jacco.

Customers are growing increasingly comfortable with biometrics as a security solution, according to Javelin Strategy & Research. Scanning the user’s thumbprint is probably the most commonly used approach in consumer-facing technology, and facial recognition has been getting more attention of late, with Apple’s introduction of the iPhone X, which replaces unlocking the phone by thumbprint with a facial scan. Apple claims that facial recognition is more accurate, with a 1 in 1 million error rate, compared to 1 in 50,000 for the phone’s thumbprint scan. Banks have been experimenting with voice recognition, another form of biometrics, for roughly a decade, with a few deploying this biometric within their mobile app.

At its best, biometrics weds security with an optimized experience. It’s more difficult to steal a thumbprint, but it’s still possible, says Jacco. Companies that want to enhance their cybersecurity protections will begin leveraging multiple biometric authentications. USAA already allows customers to use thumbprint, facial and voice recognition in its mobile app, and remembers the user’s preferred biometric. Varying the biometric modalities used by customers will lead to personalized services. A teller may use facial recognition to know who a customer is when they walk into a branch, or a wealth manager, through voice recognition, will know the client on the phone. “This is something that all of the big banks are talking about, and it will make its way across the whole industry,” says Jacco.

The industry still has work to do to make biometrics a more secure solution. Most major banks use biometrics in their mobile channel, but the app defaults to a password if the biometric isn’t readable, says Al Pascual, research director and head of fraud and security at Javelin. “They default to what is arguably the weakest security solution.” Security questions used in enrollment aren’t safe from hackers, either. The data breach revealed by Yahoo in September 2017 included the security questions and answers that users had chosen as a failsafe in the event of a forgotten password.

For biometrics to be truly secure, banks need to ensure that the person enrolling their biometric “is in fact who they say they are,” says Pascual. But he adds that new account fraud is on the rise, and banks need to work on their initial identity controls—making sure they know the customer—before tackling biometric enrollment. With the recent breach of Equifax’s data impacting the identities of half of the American population, this is no small task.

Artificial intelligence also shows great potential in protecting financial institutions from cybercriminals and from fraud, and staying on top of compliance. “Banks are overwhelmed by cyber risk management, and I don’t see how they can afford to ignore AI technologies,” says Joan McGowan, a senior analyst at Celent who defines AI as “the application of analytics, bots, robotic process automation and report generation.”

KPMG’s Jacco says that robotic process automation can help sort through potential cyber incidents to better identify what warrants further investigation—a task still best suited for human intelligence. He adds that fraud and security teams are more frequently collaborating to leverage AI.

AI continues to evolve, so it’s not a technology that banks can set and forget. Banks will need to employ data scientists and improve their data analytics capabilities, says McGowan—no mean feat in an industry where just 13 percent of executives and directors believe their institution effectively uses data, per the 2017 Technology Survey.

Almost half of bank boards discuss technology at every board meeting, and 38 percent discuss the issue quarterly, according to the Technology Survey. So why don’t more boards—or senior executives, for that matter—see the value in biometrics and AI? It’s possible that up-and-coming technologies just aren’t discussed frequently enough. Ninety-four percent say the board focuses on cybersecurity in discussions about technology, but significantly fewer use that time to focus on other technology-related concerns, such as staying on top of technology trends (40 percent) and evaluating new technologies (24 percent). Without understanding the solutions available for banks today, it will be increasingly difficult for boards to oversee the cybersecurity risk facing their institution.


The 2017 Technology Survey was conducted in June and July of 2017, and examined how banks strategically approach technology. Bank Director surveyed 145 senior executives—including CEOs, chief information officers and chief technology officers—and independent directors of U.S. banks above $250 million in assets. Technology solutions provider CDW sponsored the survey.

How Poor Communication Practices by Directors Increase Cyber Risk

The role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches—including a recent ruling by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little-to-no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publicly traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
Free email service provider use has been the center of too many corporate cyber incidents in recent years—yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal emails and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could lead to a single director having to check multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to log in with biometrics—while still enabling the data security team and corporate secretary to control record retention and data encryption. Such a tool not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or impacted by viruses/malware while connected to unsecure Wi-Fi.

Innovation Spotlight: First Internet Bank


David Becker, President and CEO

Before he understood banking, David Becker understood technology and its ability to shape the customer experience. Highly attuned to how people would want to bank in the future, Becker started First Internet Bank in 1999, now a $2.4 billion asset institution in Fishers, Indiana. In his 35 years working in financial services technology, Becker has created five companies listed in Inc. magazine’s 500 fast growing companies and continues to engage in philanthropic initiatives to support the economic growth of central Indiana.

When you first told people you were starting a branchless bank, what reaction did you receive?
Nearly 20 years ago, I had an idea to create a bank that lived entirely online. At the time, I had three financial services software companies. Today, we would call them fintechs. My experience as a service provider to the financial services industry, and my years as a consumer and business bank client, gave me deep insight into how banks worked, and, candidly, how they could improve.

How did bankers react? I initially presented my concept to a traditional bank, explaining how a bank could build a nationwide business with an all-online presence. After the presentation, though, the bank’s CEO rejected our concept. He claimed computers weren’t fast enough and the alleged consumer wouldn’t buy in. Essentially, he said it couldn’t be done.

Fortunately, consumers did not share the same skepticism. What’s unique about our story is that this online banking model was born following a focus group with my friends and neighbors. I asked them about how they’d prefer to bank. The ideas flowed. Eighteen years and $2 billion in assets later, we have demonstrated the success that can follow when you remain focused on the customer.

What lessons did you learn working in the technology sector that later helped you as you were growing First Internet Bank?
Before launching First Internet Bank, I worked in and around financial services for years. I saw an opportunity to improve upon the industry’s shortcomings—primarily improving efficiency and the customer experience, both of which rely heavily on technology paired with a human touch.

What’s helped us grow so quickly is that we’ve recognized that we need talented people who can handle anything that comes in the door. Because we have no tellers, per se, everyone who works on our retail banking team, for example, needs to be trained across multiple technologies to handle multiple functions, from complex IRA transactions to mobile functionality to starting new deposit accounts.

And because we’re using technology like mobile banking and biometrics to revolutionize the banking process, there really isn’t any limit to our potential growth.

How can bank boards start to adapt an entrepreneurial mindset that allows for innovation?
Because we were a pioneer of the branchless model, we’ve learned to use technology to help us adapt to challenges and reinvent ourselves. Technology enables us to expand our business, enter new verticals to diversify our revenue streams, and serve customers across the country—without a costly branch network.

Technology is an increasingly important part of our business, and there is much to be said about the ways fintech is changing the landscape of our industry. However, I would caution boards against looking to a fintech solution as a quick fix to bring innovation to your organization. If you truly want to foster a culture of innovation, look to your existing team.

Today, our hire is the “dissatisfied banker.” We look for the banker who says, “What if we did this instead?” We want the people who challenge the status quo and offer solutions to help us make it better. At First Internet Bank, we call this our “entrepreneurial spirit,” and it permeates the organization.

Our people are the key to our success. Some are bankers that have finally been empowered to do what they’ve always wanted to do. Others are industry outsiders that we’ve hired to bring new solutions to old problems.

Combating Identity Fraud Through Biometrics


The Know Your Customer (KYC) process, which is the identification and verification of a bank’s clients in order to understand and better manage risks, is a central requirement of the federal anti-money laundering regulations. Today, technologies such as mobile and biometrics have a strong impact on the redesign and digitization of the registration process, significantly improving operational efficiency and customer satisfaction.

A range of financial institutions have been exploring opportunities through biometrics in one capacity or another, but in most cases employ biometrics for identification and authentication purposes for existing accounts, aimed at making passwords obsolete once and for all. With increasing multipurpose adoption, by 2021 the market will reach a value of $30 billion with its primary revenues shifting from the government sector to banking and consumer electronics.

Experts from M2SYS, a biometric identity management technology provider, suggest that as more banks and financial institutions begin to augment their customer identification security policies, the evaluation of using biometrics for KYC management will increase rapidly.

The use of biometric identification management technology for accurate customer identity verification has proven to deliver efficiency and convenience for organizations that have adopted it. The technology also helps comply with government regulations to prevent identity theft and money laundering. Due to inefficient KYC management, nearly 9 million Americans are victimized each year, costing consumers $5 billion, and banks and corporations $56 billion, annually.

Industry expert David Benini, vice president of marketing at Aware, a biometric software developer, wrote recently that “More than just ‘something we are,’ biometrics allow us to permanently bind ourselves physically to digital information; a powerful capability that enables us to not only biometrically authenticate, but also to biometrically deduplicate.” The idea behind biometric KYC management is quite simple–instead of the customer being required to present official identifying documents in person upon application, a biometric-based search can eliminate the need for a lengthy check with additional tapping into public and private records to ensure the absence of copy records.

Biometrics allow banks to be sure that a particular person does not exist in the database with different data. Benini emphasizes that the power of the idea behind biometric identity proofing rests in the ability to combat identity theft at its source by ensuring the integrity of identity data at the point of enrollment.

Given its unique properties, biometric-based KYC management in the financial services industry enables institutions to speed up the customer verification process without compromising the accuracy. Implementation of biometric KYC management solutions can ensure higher accuracy and efficiency, eliminating the risk of financial fraud and its legal and financial consequences for consumers and organizations.

The critical benefits of transitioning to biometric KYC management include:

Enhanced Operational Efficiency
KYC management has traditionally been a resource-consuming process requiring time and manpower (hence, substantial financial expenditure) to verify a person’s identity, since KYC compliance involves a tedious process of verifying the customer’s original documents of proof of identity and proof of address in person, among other things. Biometric KYC cuts corners without compromising accuracy and security, as biometrics carry unique and arguably impossible-to-forge information and are permanently tied to one’s records.

Improved Cost-efficiency
There are a couple of ways biometric KYC management saves money for financial institutions: reduced time to verify information about the person, and as a result of increased accuracy, reduced expenses on fixing issues that appear as a result of inefficient KYC procedures. It takes an average of $1,173 and 175 hours to clean up one’s credit report and associated complications, and when you multiply that times the vast customer base of a medium-sized bank (not to mention much larger banks), it’s obvious that biometric KYC can become a real cost saver, facilitating a better allocation of resources.

Greater Security
Today, biometric-focused technology and software has reached a level of sophistication where providers can ensure higher levels of protection against identity fraud and all compliance consequences because of it. Behaviometrics are the last word in secure identity verification, bringing together machine learning and continuous tracking of user behavior. A separate class of companies is delivering biometric-focused anti-fraud solutions, including NuData Security, BioCatch, BehavioSec and AimBrain.

Gains in Convenience and Customer Satisfaction
The speed of identity verification affects overall customer satisfaction and is more convenient since it ensures an easier and more efficient user experience. And an enhanced customer experience translates into a better reputation and higher customer retention.

Organizations that aim to keep up with the latest technological advancements for efficient KYC management cannot miss out on the application of biometric-based solutions. Today, there is no lack of technology companies powering biometric KYC management through sophisticated software and biometrics screening technology. Recognized leaders include Daon, EyeVerify and Qualcomm, with such companies as BioConnect, M2SYS, HooYu, Aware, Hoyos Labs, ID Global, Socure, physiSECURE and many more comprising an expanding list.

Secure Payments in Real Time: You Can’t Have One Without the Other


In the race for faster payments, it seems that many consumers place a higher value on convenience over security. This doesn’t mean banks’ focus on security is or should be any less critical. Rather, it highlights the need for authentication to become more than just a seamless experience for the consumer. It also needs to be both invisible and deterministically consistent.

Any bank’s plans to offer real-time payments are unquestionably accompanied by initiatives to ensure fraud mitigation can also occur in real time. Most fraud programs in place today are simply not built to support the imminent speed of payments. While banks already have access to many sophisticated systems that make real-time payments technologically possible, are they equipped to guarantee funds are sent to and received by the correct, authorized individual? Unfortunately, the answer is no.

Accommodating customers’ desire for faster funds availability means putting them at the center of the authentication process. The risk banks must mitigate as they strive for a faster payments process lies in confirming that the person transacting is the right person, transacting on the right account. With millions of customer interactions daily, organizations must be able to authenticate who is interacting, and on what device. This information is critical to assessing the risk of a specific transaction and deploying optimal authentication technologies accordingly.

Authenticating consumers also requires fast, broad access to a variety of industry data sets. There is no way for a single financial institution to gain a complete financial picture of a consumer. Instead, a broad and collaborative view of identity and transaction activity creates the type of holistic customer profile needed to quickly authenticate.

Lastly, behavioral biometrics are proving essential to the introduction of a real-time payments ecosystem. How a person interacts within an app, and even with his or her mobile device itself, is quickly becoming a critical risk management factor that banks need to understand to successfully launch their real-time payments offerings. If not already, banks should be exploring biometrics as part of a multi-factor authentication strategy, to leverage ‘what you do’ characteristics in concert with those indicating ‘what you know’ and ‘what you have.’

Authentication is not about mitigating fraud at certain points in time–it should be ongoing. Continuous authentication is important to facilitating faster, safer payments for a couple of reasons. First, fraud doesn’t necessarily occur at the onset of a transaction; organizations must be equipped to detect fraud at any stage of the transaction. Additionally, only when authentication is continuous can it truly remain in the background, requiring the consumer to do nothing more than assume his or her normal behavior.

By focusing on putting the right technology and authentication capabilities in place first, banks will be able to provide the faster payments environment that customers want. Instead of looking at security as a distinct challenge, consider how enhanced security and authentication enable faster payments and create the most convenient payments experience possible.

FinTech Day Recap: Rapid Transformation Through Collaboration

Over the next few years, the financial services industry will continue to undergo a major transformation, due in part to the speed of the technology movement. With continuous pressures to innovate, how can banks leverage these new technologies to stay relevant and competitive over the next five years? Filmed during Bank Director’s annual FinTech Day in New York City at the Nasdaq MarketSite, industry leaders in the banking, technology and investment space share their insights and perspectives on the challenges and opportunities facing traditional banks.

Is It Time to Bid Adieu to Passwords?

The humble password could soon be extinct, and biometrics could take its place—a technology that, in the past, was more apt to be found in a sci-fi movie than at your local bank. New uses for biological markers may offer consumers a safer, faster and easier way to make purchases and access accounts.

Passwords aren’t perfect. They’re easily forgotten or hacked. “[It wasn’t] envisioned that it would turn out the way it has, that people would have multiple accounts… all requiring passwords that are long and complex, yet the password is key to security for many people,” says Michael Kaiser, the executive director of the National Cyber Security Alliance, a nonprofit organization promoting cybersecurity.

Some banks and companies serving the financial services industry are working together to change the way we log into our accounts and make purchases through the use of biometrics—identifying a consumer through a certain feature or features of his body. It’s not only easier for the user—no more remembering and keying in a complicated password—it’s safer. Even if the user has a strong password, “that doesn’t do you any good if it’s stolen. The biometric becomes something that you have that no one else can have,” says Kaiser. The recent iCloud hack revealed vulnerabilities in traditional online security, where a group of hackers obtained and released the private photos of several famous actresses. Apple said it was “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”

“Passwords are flawed,” says Kaiser. “What we’ve seen lately [are] some very stark examples of how problematic they can be.”

Michael Barrett is president of the FIDO Alliance, an organization working to create standards to authenticate users with biometrics. “Fingerprint will be one of the most commonly used biometrics,” he says. Fingerprint readers are increasingly embedded in mobile phones and personal computers. Eighty-three percent of iPhone 5s owners use a fingerprint scan to unlock their phone, according to Apple, and the company’s introduction of Apple Pay, which incorporates a fingerprint scan to approve purchases, should make the fingerprint even more pervasive. Apple Pay has partnered with banks such as Bank of America Corp., JPMorgan Chase & Co., Citigroup Inc., and Capital One Financial Corp. But fingerprint authentication doesn’t work well for people with jobs or hobbies that wear on their hands, according to Barrett, and can be problematic for the elderly—an important consideration given the aging Baby Boomer population. In both cases, the fingerprint is less prominent and more difficult to read.

Denise Myers, director of marketing for EyeVerify, a biometric technology startup based in Kansas City, Kansas, also says that because people leave fingerprints everywhere, they’re easier to fake. The chief technologist at EyeVerify managed to make one out of a common kid’s toy: Play-Doh.

EyeVerify scans the user’s eyeball, using the camera available on most mobile phones. The user is identified by matching the pattern of the blood vessels within the whites of the eye. “You are the lock and the key,” says Myers. She says the eyeprint is more secure, since it is stored locally on the phone—not in the cloud, where it could be hacked by cyberthieves. Wells Fargo & Co. was intrigued enough by the concept to invest in EyeVerify, making it one of three inaugural participants in the banking giant’s Startup Accelerator program. The relationship is non-exclusive, leaving EyeVerify free to work with other banks and vendors. Beyond that, it is unclear how the relationship will work and whether Wells Fargo will implement the technology for its customers, says Myers.

The eyeball isn’t the only biometric the financial industry is looking at. Multinational financial services company Barclays, based in London, plans to roll out a biometrics reader, available to corporate banking clients, that confirms an online user’s identity based on the vein patterns in his finger. Barclays also uses voice biometrics to authenticate wealth management clients who use the bank’s call center, which it plans to make available to retail clients early in 2015.

Kaiser doesn’t see any downside to the use of biometrics, but says some customers may need to be persuaded that this new form of security is safer. With most biometric solutions, the financial data is stored locally, reducing the likelihood that a hacker could steal the biometric, along with the person’s identity. And unlike some Hollywood movies, a villainous rogue won’t remove a body part to access an account. Many forms of biometrics detect whether the blood is circulating, ensuring that the user’s eye or hand is attached to a living person.