As the digital landscape continues to evolve and consumers increasingly turn to digital devices to conduct business, bank directors and executives have made it clear—most recently in Bank Director’s 2017 Risk Practices Survey, conducted in January, and 2017 Technology Survey, conducted over the summer—that cybersecurity is the risk category they worry about the most. Given their high level of concern on the issue, it’s surprising—and troublesome—to see a significantly smaller number of bank leaders indicate that they don’t believe that biometrics and artificial intelligence (AI) will impact their financial institution over the next five years, because these technology solutions are already being leveraged in the industry.
“Passwords are not necessarily safe,” says Charlie Jacco, cybersecurity leader, financial services at KPMG. People tend to re-use passwords, or default to easily guessed ones: Password manager Keeper Security found that 17 percent use the password “123456,” and the company’s list of the 25 most common passwords of 2016 accounts for more than half of the 10 million passwords analyzed by the company. Cybercriminals use bots to crack passwords, but oftentimes individuals will respond to a phishing attack in an email and unwittingly provide their information directly to the criminals. Eighty-one percent of hacking-related data breaches in 2016 used either a stolen or a weak password, according to the 2017 Data Breach Investigations Report published by Verizon. “If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned,” wrote the authors of the report.
And it’s not just customers that use passwords. Employees have to log into a bank’s core system, call platforms, and the other technology solutions needed to do their jobs. “From the security aspect of being able to improve logins, to move away from having to remember a zillion passwords, is not only good for the customer … ultimately I think it is a larger impact to the bank associate or employee,” says Charles Driest, the director of digital banking at $1.3 billion asset Essex Bank, based in Richmond, Virginia.
Multi-factor authentication—requiring a single-use numeric code, for instance, in addition to a password—is one solution, but the experience isn’t convenient for the user, whose expectations are informed by companies like Amazon that strive to make shopping easy. “How do I get that slick customer experience for my consumers that they’re expecting, and still make it safe?” says Jacco.
Customers are growing increasingly comfortable with biometrics as a security solution, according to Javelin Strategy & Research. Scanning the user’s thumbprint is probably the most commonly used approach in consumer-facing technology, and facial recognition has been getting more attention of late with Apple’s introduction of the iPhone X, which unlocks with a facial scan instead of a thumbprint. Apple claims that facial recognition is more accurate, with a 1 in 1 million error rate, compared to 1 in 50,000 for the phone’s thumbprint scan. Banks have been experimenting with voice recognition, another form of biometrics, for roughly a decade, with a few deploying this biometric within their mobile app.
At its best, biometrics weds security with an optimized experience. It’s more difficult to steal a thumbprint, but it’s still possible, says Jacco. Companies that want to enhance their cybersecurity protections will begin leveraging multiple biometric authentications. USAA already allows customers to use thumbprint, facial and voice recognition in its mobile app, and remembers the user’s preferred biometric. Varying the biometric modalities used by customers will lead to personalized services. A teller may use facial recognition to know who a customer is when they walk into a branch, or a wealth manager, through voice recognition, will know the client on the phone. “This is something that all of the big banks are talking about, and it will make its way across the whole industry,” says Jacco.
The industry still has work to do to make biometrics a more secure solution. Most major banks use biometrics in their mobile channel, but the app defaults to a password if the biometric isn’t readable, says Al Pascual, research director and head of fraud and security at Javelin. “They default to what is arguably the weakest security solution.” Security questions used in enrollment aren’t safe from hackers, either. The data breach revealed by Yahoo in September 2017 included the security questions and answers that users had chosen as a failsafe in the event of a forgotten password.
For biometrics to be truly secure, banks need to ensure that the person enrolling their biometric “is in fact who they say they are,” says Pascual. But he adds that new account fraud is on the rise, and banks need to work on their initial identity controls—making sure they know the customer—before tackling biometric enrollment. With the recent breach of Equifax’s data impacting the identities of half of the American population, this is no small task.
Artificial intelligence also shows great potential in protecting financial institutions from cybercriminals and from fraud, and staying on top of compliance. “Banks are overwhelmed by cyber risk management, and I don’t see how they can afford to ignore AI technologies,” says Joan McGowan, a senior analyst at Celent who defines AI as “the application of analytics, bots, robotic process automation and report generation.”
KPMG’s Jacco says that robotic process automation can help sort through potential cyber incidents to better identify what warrants further investigation—a task still best suited for human intelligence. He adds that fraud and security teams are more frequently collaborating to leverage AI.
AI continues to evolve, so it’s not a technology that banks can set and forget. Banks will need to employ data scientists and improve their data analytics capabilities, says McGowan—no mean feat in an industry where just 13 percent of executives and directors believe their institution effectively uses data, per the 2017 Technology Survey.
Almost half of bank boards discuss technology at every board meeting, and 38 percent discuss the issue quarterly, according to the Technology Survey. So why don’t more boards—or senior executives, for that matter—see the value in biometrics and AI? It’s possible that up-and-coming technologies just aren’t discussed frequently enough. Ninety-four percent say the board focuses on cybersecurity in discussions about technology, but significantly fewer use that time to focus on other technology-related concerns, such as staying on top of technology trends (40 percent) and evaluating new technologies (24 percent). Without understanding the solutions available for banks today, it will be increasingly difficult for boards to oversee the cybersecurity risk facing their institution.
The 2017 Technology Survey was conducted in June and July of 2017, and examined how banks strategically approach technology. Bank Director surveyed 145 senior executives—including CEOs, chief information officers and chief technology officers—and independent directors of U.S. banks above $250 million in assets. Technology solutions provider CDW sponsored the survey.