
Biometrics in Financial Services - Opportunities, challenges and emerging trends

2nd May 2006

Indra P. Chourasia

1. Summary Note

• The financial services industry has long been afflicted by issues surrounding identity
and authentication in its business operations. According to a study conducted by the
Federal Trade Commission (FTC), identity theft is considered one of the fastest growing
types of consumer fraud in the US, with a total cost to businesses and consumers
approaching $50 billion.

• With the emergence of e-commerce as a cost-effective business delivery tool, financial
institutions are highly prone to fraud related to identity theft and account hijacking.
This underlines the need for a reliable authentication platform to positively verify and
authenticate who is actually at the other end of a transaction.

• Financial institutions are at risk not only externally but also from internal
quarters, with an increasing risk of confidential information being stolen by employees
or participants in transactions or services.

• New security-related regulations and heightened customer sensitivities and expectations
in the post-9/11 scenario have increasingly brought a strong focus on reliable and
effective security measures in financial services operations.

• As a part of authentication, some form of credential presented by a user is considered
to verify the claimed identity of the user. Based on the number of credential types
required, authentication is considered single-factor, two-factor or three-factor.
Single-factor authentication in the form of passwords is often easy to guess, steal, or
crack, leaving a legitimate user quite vulnerable. In addition, passwords, PINs, smart
cards, tokens or public key infrastructure (PKI) as credentials tend to become
increasingly cumbersome and complex means of authentication with each new authorization
level granted to a user.

• As an appealing alternative to password-, PIN- and card-oriented authentication,
biometrics provides robust and reliable security by identifying the individuals
themselves rather than any devices. Biometric technology involves an automated way to
measure an individual’s characteristics to recognize and verify the claimed identity.
These technologies can be grouped according to the biometric characteristic used in the
authentication process, i.e. measurable physical characteristics, behavioral traits or a
mix of these two characteristics.

• Based on data collected by the International Biometric Group¹, the total size of the
biometric market, which totaled around $1.5 billion in 2005, is growing to exceed $5.7
billion in over five years.

• The general trend in biometric implementation in financial services will continue to
follow the typical phases of pilots, tests and limited point-based applications. These
may initially involve employee-facing applications, followed by customer-facing
applications. Considering the many inherent barriers, industry-wide applications do not
promise much in the short term.

• Limited awareness of the technology, issues relating to customer acceptance and
intrusiveness, integration with legacy systems, industry standards and interoperability,
difficulties inherent in centralized shared databases, the legal recourse framework and,
above all, cost advantages are some of the major hurdles to rapid adoption of the
technology.

• The cost of using the technology to effect a transaction will be an equally important
determinant of early acceptance by customers. Biometric stability over time, spoofing of
biometrics and identity theft are some of the teething questions, answers to which are to
be found in the coming years.

¹ International Biometric Group, LLC is a leading independent integration and consulting
firm in the biometric industry, providing a broad range of services to government and
private sector clients.

• Despite all the hurdles and challenges, usage and coverage of biometrics applications
is expected to continue growing in coming years. With final phase of technology
evolution, biometrics is bound to be all pervasive, touching all corners of financial
services infrastructure.

2. Authentication Issues in Financial Services Industry

The financial services industry has long been afflicted by issues surrounding identity and
authentication in its business operations. In simple terms, authentication is the means
of verifying the claimed identity of a person or entity. Closely associated with
authentication is authorization, which determines the level of rights and privileges
available to an authenticated user. Most financial transactions conducted by customers
are governed by these two elements of identity management.

According to a study conducted by the Federal Trade Commission (FTC), identity theft is
considered one of the fastest growing types of consumer fraud in the US. It was estimated
that during 2003 almost ten million Americans were victims of identity theft, with a
total cost to businesses and consumers approaching $50 billion. Some other recent
findings are equally unsettling and reveal a gaping hole in the authentication and
verification strategy practiced by financial institutions. According to a study conducted
by the Federal Reserve, company employees were found to be involved in more than 60
percent of bank fraud cases. Another study, by Glenbrook Partners, indicates that a top US
bank reported over 30 percent of its losses from new account fraud stemming from repeat
offenders – people who had defrauded the bank earlier.

With the emergence of e-commerce as a cost-effective business delivery tool, financial
institutions have started relying heavily on a self-service model of business. In banking
and payments systems, with Internet banking almost universally available, an increasing
number of customers are using self-service transactions such as electronic banking,
bill-payment services, payment authorizations and electronic transfers. However, in the
absence of a reliable authentication platform to positively verify and authenticate who
is actually at the other end of a transaction, financial institutions are highly prone to
fraud related to identity theft and account hijacking. Thus, an unauthorized user, by
manipulating just a few key pieces of personal information (e.g., an individual’s name,
address, social security number, financial institution account number, computer log-on
ID, or password) or using stolen devices, can freely access a consumer’s existing accounts
and effect fraudulent transactions.

Financial institutions are at risk not only externally but also from internal quarters.
By the very nature of their operations, which require the creation and maintenance of
large repositories of sensitive and private customer data, authentication and access to
such data pose many challenges. Because of the increased networking of internal
operations and the pervasiveness of huge customer databases, financial institution
employees have access to more customer information than ever before. Some industry
analysts and security professionals estimate that almost two thirds of identity theft
cases are committed with confidential information stolen by employees or participants in
transactions or services.

In the post-9/11 scenario, apart from a strong drive by the national government in the
form of new security-related regulations, customer sensitivities and expectations
regarding security issues are greatly heightened. This has increasingly brought a strong
focus on reliable and effective security measures in financial services operations too.


3. Basic concepts of Authentication

Generally, as a part of authentication, some form of credential presented by a user is
considered to verify the claimed identity of the user. These credentials include:

• Something you know: most commonly a password or PIN.

• Something you have: most commonly a physical device such as token, cards, digital
certificate etc.

• Something you are: most commonly a physical characteristic, such as a fingerprint,
voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of
authentication is referred to as biometrics.

These credentials could be any of the above or a combination thereof. Based on the number
of credential types required, authentication is considered single-factor, two-factor or
three-factor.

Single-factor authentication involves the use of one of the three authentication
credentials listed above, most commonly a password. Use of a smart card or token along
with a password is considered two-factor authentication. Three-factor authentication
involves the use of all three credentials for verification. Single-factor authentication
is very common and is the method used by the vast majority of financial institutions for
granting customers access to Internet-banking applications and by the vast majority of
businesses for granting employees access to computer networks.

The main problem with single-factor authentication in the form of passwords is that these
are often easy to guess, steal, or crack, and once a password is compromised, an
unauthorized user has the same access rights as the legitimate user. In addition, the
legitimate user may not even know that his or her password has been compromised, since
usually no physical evidence of the compromise exists. There is a growing realization
within the industry that passwords, PINs, smart cards, tokens or public key infrastructure
(PKI) as credentials meet the basic requirements and tend to become increasingly
cumbersome and complex means of authentication with each new authorization level granted
to a user.

4. Biometric Technology – an appealing option

As an appealing alternative to password-, PIN- and card-oriented authentication,
biometrics provides robust and reliable security by identifying the individuals
themselves rather than any devices. Security experts have expressed the strong opinion
that authentication strength increases when more than one type of credential is used. In
the context of multi-factor authentication, by adding one more factor to the
authentication process, biometrics significantly improves and strengthens authentication.

Biometric technology involves an automated way to measure an individual’s characteristics
to recognize and verify the claimed identity. Biometric technologies can be grouped
according to the biometric characteristic used in the authentication process, i.e.
measurable physical characteristics, behavioral traits or a mix of these two
characteristics.

4.1 Technologies involving physical Biometric characteristics

Key technologies involving physical biometric characteristics are:

• Finger Imaging: analyzes the unique pattern created by raised markings found on
the tip of the finger.


• Facial Recognition: analyzes the geometry of the face, typically the statistical
deviation of measurable facial features from the average or mean face; the heat generated
by the flow of blood under the skin.

• Hand Geometry: analyzes the size and shape of hand, usually measured from both
a top view and a side view; optionally the unique pattern created by the blood
vessels in the hand.

• Iris Scan: analyzes the coloured ring of tissue that surrounds the pupil on the
surface of the eye.

• Retina Scan: analyzes the unique pattern created by blood vessels situated at the
back of the eye (behind the pupil).

4.2 Technologies involving behavioral traits

Technologies involving behavioral traits mainly include Handwriting Analysis and
Keystroke or Typing dynamics.

• Handwriting analysis: Signature verification analyzes the speed, velocity and
pressure of the hand used by the user while signing the name.

• Keystroke or Typing dynamics: Measures the speed, pressure and cadence of an
individual’s keystrokes while typing on a keyboard.

4.3 Technologies involving physical characteristics as well as behavioral traits

Voice Recognition is one such technology involving physical characteristics as well as
behavioral traits of an individual. It analyzes acoustics derived from biological
characteristics (vocal cords, nasal passages and mouth) together with behavioral traits
(tone, cadence and pronunciation).

4.4 Biometric – How authentication works?

A generic biometric authentication system comprises two key processes: enrollment and
authentication. During the enrollment process, biometric samples of a user are captured
using a reader or scanning machine. Subsequently, the vendor’s biometric algorithm is
applied to the captured samples and the resulting template is stored along with other
enrollment attributes, for subsequent identity verification.

During the authentication process, when a user asserts an identity, a new sample is
captured and, after the biometric algorithm is applied, the new sample template is
compared with the stored template. If the comparison of the two results in similarity
within the defined limit of tolerance, the identity of the user is biometrically verified
and authenticated. Because of inherent sampling error in capturing the biometric (for
example, in finger imaging: different pressure, position, moisture, or dirt on the
reader), templates do not match exactly. Thus, when a sample falls outside the defined
tolerance limits, the application allows the user’s biometric to be resampled for a
certain number of attempts before rejecting the verification.
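
The enrollment and verification flow described above, as an added Python sketch (not from the original paper or any vendor product). Averaging feature vectors stands in for the vendor's algorithm and Euclidean distance for the template comparison; the class and function names, the sample vectors, the tolerance of 0.10 and the three-attempt limit are all assumptions.

```python
import math
from dataclasses import dataclass

def extract_template(samples):
    """Toy stand-in for the vendor's algorithm: average the captured feature vectors."""
    rows = [list(s) for s in samples]
    if not rows or any(len(r) != len(rows[0]) for r in rows):
        raise ValueError("need one or more samples of equal length")
    return [sum(col) / len(rows) for col in zip(*rows)]

def distance(a, b):
    """Euclidean distance between two templates (smaller means more similar)."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

@dataclass
class Result:
    verified: bool
    attempts: int          # captures actually compared
    best_distance: float   # closest match seen, useful when tuning the tolerance

class BiometricVerifier:
    def __init__(self, tolerance, max_attempts=3):
        self.tolerance = tolerance
        self.max_attempts = max_attempts
        self._templates = {}   # user id -> stored template

    def enroll(self, user_id, samples):
        self._templates[user_id] = extract_template(samples)

    def verify(self, claimed_id, captures):
        """Compare fresh captures with the stored template; stop at max_attempts."""
        stored = self._templates.get(claimed_id)
        if stored is None:                      # unknown identity: reject, nothing compared
            return Result(False, 0, math.inf)
        best, attempts = math.inf, 0
        for capture in captures:
            if attempts == self.max_attempts:   # resample limit reached, fail closed
                break
            attempts += 1
            d = distance(extract_template([capture]), stored)
            best = min(best, d)
            if d <= self.tolerance:
                return Result(True, attempts, best)
        return Result(False, attempts, best)

# Constructed sample data: four-element feature vectors, not real biometric measurements.
ENROLL = [[0.50, 0.20, 0.80, 0.40], [0.52, 0.18, 0.78, 0.42], [0.48, 0.22, 0.82, 0.38]]
GENUINE = [[0.62, 0.10, 0.70, 0.52],   # poor capture (e.g. pressure or dirt on reader)
           [0.51, 0.21, 0.79, 0.41]]   # clean recapture
IMPOSTOR = [[0.10, 0.90, 0.30, 0.70]] * 5

def run_demo(tolerance=0.10):
    v = BiometricVerifier(tolerance=tolerance, max_attempts=3)
    v.enroll("alice", ENROLL)
    return {
        "genuine": v.verify("alice", GENUINE),
        "impostor": v.verify("alice", IMPOSTOR),
        "unknown": v.verify("bob", GENUINE),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Widening the tolerance to 0.25 accepts the poor first capture, and at 1.0 the constructed impostor vector is accepted as well, which is why the tolerance and the attempt limit have to be chosen together.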

4.5 Biometric - Implementation considerations

In terms of ease of implementation and integration, accuracy of results, associated
costs, interoperability of technologies and non-intrusiveness in use, each of the
technologies listed above has its own merits and associated challenges. Technologies
involving finger imaging, facial recognition and hand geometry are considered
non-intrusive and reasonably low-cost. However, variations in environmental conditions
and application setting may adversely impact accuracy. In the case of facial recognition
and hand geometry, aging and injury may particularly affect the result. Technologies
involving iris scan and retina scan provide highly accurate results, but they are
perceived as highly intrusive and require special and expensive hardware. Voice
recognition is considered a highly non-intrusive technology with wider user acceptance.
However, reliability and accuracy may be affected by surrounding noise or when the user
is suffering from a cold or has laryngitis. Fear of impersonation is a big concern in the
minds of users of voice recognition technology.

5. Biometric Technology – Industry Outlook

Based on data collected by the International Biometric Group, the total size of the
biometric market, which totaled around $1.5 billion in 2005, is growing to exceed $5.7
billion in over five years. (Source: International Biometric Group)

A figure depicting the relative market share of various biometric technologies by revenue
in year 2006 is presented below (Source: International Biometric Group)


6. Biometric Technology- Deployment areas in Financial Services

The general trend in biometric implementation in financial services will continue to
follow the typical phases of pilots, tests and limited point-based applications. These
may initially involve employee-facing applications, followed by customer-facing
applications. There are discussions about industry-wide applications too. However,
considering the many inherent barriers, industry-wide applications do not promise much in
the short term.

6.1 Employee-Facing Applications

Employee-facing applications control access and administer authentication for employees
within in-house operations. These may include computer access, network access,
application access, physical access, time and attendance, criminal record checks etc.
Employee-facing applications can be used to refine the program and adjust usability
features before deployment of biometrics in customer-facing applications.

6.2 Customer-Facing Applications

Presently, biometrics has been used in branches mostly on a retail basis to identify
customers at tellers and authorize transactions (also at ATMs and check-cashing kiosks).
In the long term, biometric applications may involve many transactions, such as new
account opening, customer identification in branches, non-customer check cashing in
branches, high-risk transaction authorization, and tokenless ATM and Point of Sale (POS)
transactions.

6.3 Industry-Wide Applications

While nothing much can be predicted with certainty about the success of industry-
wide applications, some of the applications under discussion are - POS applications,
Trusted travelers program, National ID cards and enhancements to existing shared
fraud databases to include biometric identifiers. Some of these applications involve
comparison of biometric sample with the template stored in some form on a card.
With very little prospect of success, applications involving central shared biometric
repositories and facial recognition as an identification methodology may find some
relevance in long-term horizon.

7. Biometric Technology – Challenges and Future

Similar to many other emerging technologies, not all the biometric technologies are ready
for real-world implementation. A particular biometric technology cannot just be a natural
fit to any or every application setting. Many factors such as environmental conditions,
application settings, usability perspective and response time will greatly influence the
adoption and success of a biometric implementation.

Limited awareness of the technology, issues relating to customer acceptance and
intrusiveness, integration with legacy systems, industry standards and interoperability,
difficulties inherent in centralized shared databases, the legal recourse framework and,
above all, cost advantages are some of the major hurdles to rapid adoption of the
technology.

In the context of the mass market, considering the lack of interoperability between
vendors, the slow consumer adoption curve and the difficulties inherent in centralized
shared databases, no significant progress is visible in the immediate future. The great
hurdle that the lack of interoperable algorithms and templates poses to the evolution of
mass-market customer-oriented applications may be overcome in the coming years either
through some form of government enforcement or through increased industry realization of
its continued futility.


The cost of using the technology to effect a transaction will be an equally important
determinant of early acceptance by customers. In order to encourage early adoption and
usage, in all likelihood financial institutions may have to come forward by providing the
technology to their customers free of charge or at deep discounts. Biometric stability
over time, spoofing of biometrics and identity theft are some of the teething questions,
answers to which are to be found in the coming years.

Considering all these factors, no quick evolution of mass-market customer-oriented
applications is visible in the immediate future. However, based on its inherent merit in
terms of reliability, real-world operational performance and quantifiable cost benefit,
biometrics applications will continue making progress, mainly in niche customer-facing
applications.

Despite all the hurdles and challenges, usage and coverage of biometrics applications will
continue growing in coming years. With final phase of technology evolution, biometrics is
bound to be all pervasive, touching all corners of financial services infrastructure –
starting from authentication of a high risk multi-million dollar inter-bank transaction to
access of local savings bank account to effecting payment on purchase of groceries at
supermarket.

8. References

• Biometric Market and Industry review - a presentation by International Biometric
Group at World Customs Organization, Brussels, Belgium (December 2005)

• Putting an End to Account-Hijacking Identity Theft - a study by Federal Deposit
Insurance Corporation, Division of Supervision and Consumer Protection (December 2004)

• Biometrics in Financial Services - See Me, Hear Me, Touch Me – an advisory report by
Glenbrook Partners (February 2003)

• Financial Institutions give biometrics a thumbs up – an article by Christine Barry
published on biometritech.com in May 2002

• www.biometritech.com

• www.biometricgroup.com
