Hands holding tablet showing security

Behavioral Biometrics in Banking: The Latest on Privacy, Security and Regulations

There’s a reason behind every regulation, and global data security and privacy standards are no exception ― from an alphabet soup of acronyms like GDPR, BIPA and PSD2 to CCPA, CPRA and LGPD. These rules regulate how data is collected and managed in order to protect the personally identifiable information (PII) of citizens and businesses.

What Are Biometrics and How Do They Strengthen the User Identity?

Most of us think of PII (personally identifiable information) as something obvious like a Social Security number or account number. But the term also encompasses physical factors (like fingerprints, face images and iris scans) and behavioral factors, so-called behavioral biometrics (like typing cadence and swipe pattern data). Advancements in biometric technology enable these physical and behavioral identifiers to be layered together — and combined with other authentication methods like public key cryptography and digital certificates for electronic signatures. This approach aims to provide a seamless transaction experience for customers while also strengthening the identity of a user over time.

The banking and financial services industry is working diligently to implement these new authentication technologies, thanks in no small part to the amount of fraud it continues to suffer. In 2021 alone, the value of fraud loss in the United States by bank transfer or payment fraud resulted in losses amounting to 756 million dollars ― but the cost doesn’t stop at the value of the loss. Insurance policies often cover a portion of the financial losses that were encountered as part of the fraud, but the money not covered by the policy is unlikely to be recovered. The cost of fraud amounts to much more than the money the dishonest employee or the cybercriminal steals. Think about everything that come as a consequence including the unavailability of funds to pursue future opportunities or the negative impact on your brand.

An Evolving and Dynamic Biometric Regulations Landscape

As the regulatory landscape for biometric data continues to evolve, two important regulations have emerged in the banking sector in Europe — and have come to dominate the landscape. The General Data Protection Regulation (GDPR) encompasses individuals’ data protection and privacy, while the Payment Services Directive 2 (PSD2) dictates strong customer authentication (SCA) requirements for businesses processing online payment transactions.

The approach of identifying users through behavioral biometrics is recognized by the European Banking Authority (EBA), which developed the regulatory technical standards for SCA and secure communication for payment service providers across Europe, as enforced by PSD2. As noted in its report, the EBA “had to make difficult trade-offs between the various, at times competing, objectives of PSD2, including enhancing security, promoting competition, ensuring technology and business-model neutrality, contributing to the integration of payments in the EU, protecting consumers, facilitating innovation and enhancing customer convenience.”

In the United States, the most well-known biometric rights protection law is the Illinois Biometric Information Privacy Act (BIPA). BIPA was the first law of its kind in the U.S., aiming to prohibit companies from profiting from consumers’ biometric information. It allows people to sue for any damages that might stem from a violation.

Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, Social Security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft and is likely to withdraw from biometric-facilitated transactions. – Excerpt from the Illinois Biometric Information Privacy Act (BIPA)

In the absence of overarching federal regulations, a handful of other countries, state legislatures and even municipalities, have enacted or proposed similar laws to BIPA that address the collection, storage and use of biometric data. Most of these statutes impose a standard of reasonable care regarding the storage and transmission of biometric data that is equivalent to methods by which other confidential and personally identifiable information is handled. The California Consumer Privacy Act (CCPA) ― which extends to biometric data ― will be strengthened in 2023 with protections under the California Privacy Rights Act (CPRA) and will go as far as creating an enforcement agency, among other initiatives.

As the widespread adoption for biometric technologies increase, the uptick in convenience will continue to be accompanied by mounting regulations that seek to ensure strong security and privacy across service channels while considering the customer experience.

Read the white paper, Privacy and Legal Regulations in the Age of Behavioral Biometrics, for a deeper dive into the current regulatory landscape.

Innovation and Regulation Bring Complementary Benefits

Today’s best-in-class biometric authentication systems are not only secure, but can be used to support compliance with data privacy and security frameworks. As a growing number of financial services providers properly implement these systems, they will naturally adhere to even the most stringent legislation being enacted or proposed, thus creating an ecosystem of significant benefits to both the service provider and the user.  

Banks can attract and retain customers with the promise of convenience and ease of use (the primary ways to compete for customers). Their customers benefit from the frictionless, premium experience of no longer being required to remember or re-enter complicated passwords ― all while having the peace of mind that their privacy is protected and their personal data is safe.

As innovative biometric solutions and the regulations that govern them continue to progress, they stand to make each other, and the user experience, better. 

Top banks are combining deep learning with behavioral biometrics to improve compliance and the customer experience.

To learn more, read the white paper, Privacy and Legal Regulations in the Age of Behavioral Biometrics, or visit the behavioral biometrics information hub.

Adrian Castillo is passionate about secure identity credentials that enable trusted transactions in physical and virtual environments. Since joining HID in 2008, he has developed credential solutions for end-users, client applications and back-end services. Most of all, he likes to understand the complete chain of components that are involved in the chain of trust.