Biometrics in FinTech
The science of identifying people by their physical or behavioral characteristics is called biometrics. For our work at Cermati and Indodana, we restrict ourselves to the set of unique physical traits of an individual, such as fingerprints. In recent years, biometric technologies have been widely embedded in mobile devices to enhance the security of mobile devices. We see it in our everyday life, from unlocking our phone by pointing the front camera to our face or even a fingerprint scan when clearing customs at the airport. Its presence is commonplace, you see it in law enforcement, migration control, healthcare to even a nation-wide civil identification.
With the rise of financial technology (Fintech) — which uses mobile devices and applications as promotional platforms — biometrics has the added important role of strengthening the user identification of such applications for security. However, many still have privacy and trust concerns about biometrics. Thus, the challenge is to strike a balance between convenience and trustworthiness.
Fintech took off circa 2002–2005, with the sale of PayPal and launch of Zopa, a UK peer to peer lender and at a time when smartphone adoption rate was starting to pick up exponentially. The most common kind of biometric technology familiar to everybody is fingerprint recognition. The cost of deploying is extremely low due to the ubiquity of smartphones equipped with fingerprint sensors and companies need only leverage on these technologies rather than going through the hassle of acquiring, deploying and maintaining the equipment.
However, with the proliferation of mobile devices and online digital transactions, identity theft also grew in tandem. Synthetic Identity Fraud rose as well, it is where fraudsters combine information of multiple real-life people to create an identity that is “real”. These sort of attacks are extremely complex and often on a large scale that is designed to perform long cons on financial institutions.
Biometrics typically require active subscription from the users, it works great when we are trying to selectively identify a small group of people with special access privileges. But we cannot positively identify anybody who is not enrolled in the system, i.e. you can tell who they’re not, but not who they are. Furthermore, one generally has to interact closely with these systems in order for them to check one’s identity (for example, walk up to a retinal scanner and push some buttons). Obviously, someone with malicious intentions would avoid that. So, if we want to monitor suspicious or dangerous individuals from a distance, these systems won’t help.
But in the combat of identity thefts and frauds in Fintech, biometrics is particularly relevant. The most obvious area of biometrics use is rapid and reliable identification of the client at different stages of financial interactions. Fintech biometrics leverages on the uniqueness of individuals, hence it is a much stronger and secure way of identifying people. The use of commercial and large-scale usage of facial recognition software offered by cloud providers thus explains a steady increase in patent filings for facial recognition over the past decade (see Figure below).
Types of biometrics
- DNA Matching
- Ear Shape
- Iris Recognition
- Retina Recognition
- Face Recognition
- Fingerprint Recognition
- Finger Geometry Recognition
- Gait
- Hand Geometry Recognition
- Odour
- Typing Recognition
- Vein Recognition
- Speaker Identification
- Speaker Verification
- Signature Recognition
In the Fintech scene, Fingerprint, Voice and Signature Recognition are widely used. Cracking biometric-enabled security is comparatively much more difficult to traditional ones such as passwords or PIN. Furthermore, users need not remember complicated passwords and are instead able to enjoy the convenience and simplicity that biometric security methods bring.
We have seen a rapid adoption of biometric technologies in the last couple of years. Especially so during the COVID-19 pandemic, where the push for digital onboarding and/or adoption increased manifold, alongside the push for security as well. The adoption of biometric technology in Fintech has only strengthened over the years. Facial recognition, Voice recognition and Iris Scans are the next most adopted biometric technologies.
Biometric Adoption and Projection
Southeast Asia has strong growth opportunities for the players in the fintech and/or biometric system market in the next few years. As biometric sensors are increasingly easy to integrate into smartphones, the ability to leverage on the technology becomes simpler and easier for fintech companies to use.
The growth of the market in APAC (Asia-Pacific) is also attributed to technological advancements, increased awareness among the masses regarding the use of biometric systems for security purposes, and lowered cost of devices based on these technologies. Some of the early adopters include DBS Bank (Singapore) where small and medium-sized enterprise (SME) owners simply need to face a camera to authenticate and verify their information while setting up a corporate account online.
Moreover, these countries have taken numerous initiatives for the protection of their citizens. In Japan and China, biometric security systems have been deployed at airports, banks, ATMs, government institutes, and other public places. Smartphone adoption is key for biometric market penetration too (within the APAC region, the adoption rate of smartphones is 64% in 2019, 68% in 2020 with a projection of 83% by 2025). Higher number of smartphones with biometric capabilities, fintech companies are able to reach further.
Pervasiveness of Biometrics?
At Cermati and Indodana, we believe we are in the age where usage of biometrics technology is normal and increasingly integrated with our lives. However, alongside the growth of this technology, the issue of privacy vs security arises.
Biometric data, unlike a username or password, is persistent: we carry it with us for life. Therefore, it’s important that people are informed about the way biometric data is used and held, and under what circumstances it might be passed on to other agencies. Biometrics of all kinds are an effective way of identifying a customer, but this technology should be used as a secondary protection method that complements other security measures rather than replaces them completely. People should have the ability to use technologies free from worries, unnecessary limitations and other obstacles brought by cybersecurity risks.
Once your biometric information is out in the wild, there is nothing that can be done. To help protect our information, government regulations and/or guidelines are in place and companies operating in the country/region are required to abide by them. General Data Protection Regulation (GDPR) in the EU, California Privacy Rights Act (CPRA) in California, Stop Hacks and Improve Electronic Data Security (SHIELD) in New York and Cybersecurity Law (CSL) + Personal Information Security Specification in China
COVID-19 Impact
In the push for technology adoption, biometric-enabled devices are even more pervasive. Fintech Companies are now able to reach-out to even more people. Biometric security becomes that much more crucial in onboarding, verifying if users are legitimate individuals and ensuring frequent authentication occurs to prevent fraud.
Increasing pressure to move away from contact-type biometric methods like fingerprint, in favor of contactless-type methods such as retina scans and facial recognition. Liveness testing, one such form of contactless method, is an example of identity verification and recognition.
With COVID-19, the new norm is to constantly wear facial masks which will occlude a substantial part of the lower face; or the wearing of gloves will prevent the use of any fingerprint verification. Such obstructions change dramatically the operational conditions for numerous biometric recognition technologies. Here, we are exploring iris and voice recognition as alternatives to facial recognition.
Parting Words
There is no escaping some form of biometric technology, especially when interacting with fintech services. Biometric verification is ubiquitous, being able to identify if the person is who they claim to be is crucial. It is safe to assume that fraud reduction will be a primary objective of any fintech company. Security breach resulting in leakage of this information is likely to have much more serious consequences than the theft of a password: after all, we can change a weak password or PIN, but we cannot change a compromised fingerprint, or other biometric. There are also privacy implications of replacing an ID to verify someone’s age with biometrics but that’s another discussion point.
At the start of the article, we postulated the need to balance security and wide-spread convenience with respect to biometrics technology. We’ll end by adding one more dimension–that of reduction of bias. Inclusion means equal access, but we aren’t there yet. For instance, facial recognition determines the user’s gender simply by scanning their face and assigning the identity of male or female based on previous data analysed.
The trend of increasing adoption of biometric technology is here to stay. In the future, you might even be required to submit a DNA report to start using a product.
Acknowledgements
Cermati Fintech Group is the leading startup company in FinTech space focusing in Indonesia market. The product portfolio consist of Cermati.com, Indodana, Cermati Insurance, and Cermati Bank-as-a-Service. Our group vision is to bring more financial inclusivity in Indonesia by empowering players inside the ecosystem.
