Credentialing customers for security
The deluge of news stories in recent years regarding stolen personal data and the increasing issue of identity theft highlights a problem that financial institutions cannot afford to ignore. A recent study by Experian estimated that more than 110 million pieces of personal data were bought and sold in the first nine months of 2014, a greater than 300% increase from just two years earlier.
Consumers have taken notice of the increasing risks to their privacy and are changing their behavior in response. In a survey conducted in September of 2014, more than 50% of those polled stated they would actively avoid transacting with organizations that had suffered a high-profile breach, such as those experienced by Target, Home Depot and JPMorgan Chase & Co.
While many in the financial services industry may view the need to increase security as a burden and a cost-center for the business, forward-looking organizations should see this differently. Throughout the centuries, one of the primary services offered by banks has been the safe-keeping of customers’ assets. While in the past this may have been demonstrated by installing impressive bank vaults and designing impenetrable buildings, in the modern age, the act of securing client assets is represented by sophisticated digital defenses. The ability to market oneself as a “digitally secure bank” may be the next great opportunity to secure market share in the financial services industry.
Among the opportunities available in this burgeoning area is the concept of “credentialing” customers. Generating a unique credential for each customer, anchored to an authenticated identity document and a strong biometric, goes a long way toward ensuring that a fraudster armed only with stolen data cannot access customers’ accounts and assets.
Knowing Your Customer
Under the Bank Secrecy Act, financial institutions have been charged by regulators to install programs designed to ensure that they are certain of the identity of individuals with whom they are transacting. However, such regulations are ambiguous and do not define with precision just what it means to “Know Your Customer.”
As a result, many in the industry have opted to utilize the most commonly available method – achieving a “confirmation” of identity in order to come into compliance with the regulations. This practice of accepting the default solution fails to address the customers’ best interests. Financial organizations ought to be driven to ensure that they do, in fact, know who a given individual is prior to conducting business with them.
Currently, most financial institutions confirm identity by scrutinizing application data provided by applicants and correlating the data against third-party databases. While this process is designed to protect the institution from fraud, in reality it leaves a gap that exposes the institution to loss. Validating identification information presented at the time of an application at best confirms that the data is real; it does not confirm that the person presenting the data is the person they claim to be.
In recent years, incidences of mass-data breaches have created a glut of personal identification information on the dark web where such data is bought and sold. Markets such as Agora, Evolution and Silk Road 2 serve as aggregators of data stolen by hackers. Utilizing modern database management tools, these marketplaces run data matching tools and filters and are able to assemble information about individuals that may have been stolen from a variety of different sources and resell it to criminal organizations around the globe.
The fraudster is now armed and ready to come to your branch. They may simply be looking to open an account they can use to launder funds or possess enough detailed information to allow them to apply for a home-equity line of credit against real estate owned by the person whose identity they have stolen. Regardless of the intended fraud, most institutions will not be properly equipped to detect the false identity and are likely to process the transaction.
In order to close this gap, banks and other financial service companies have the opportunity to create a process that lets them be confident that any individual transacting with them is, in fact, the person they claim to be. The means to achieve this is a two-step customer credentialing system.
Verify the identity document. The first step in knowing your customer is to submit their proof-of-identity document to a high-level authentication test. In the U.S. alone, there are more than 1,100 different currently-valid government-issued proof-of-identity document designs. Considering 50 states, the District of Columbia and the territories, each with multiple different driver license and ID card types, plus passports, passport cards, U.S. permanent resident cards, military IDs, congressional IDs, TWIC cards and a host of others, the proliferation of legitimate documents is far too great for any person – no matter how well trained – to verify without help.
Equipment is currently available to enable automatic authentication of documents utilizing forensic examination techniques. These devices typically employ high-resolution cameras to capture images of the document under various wavelengths of light, such as infrared, ultraviolet and visible. They also “read” data stored in various digital formats on the document, whether in magnetic media, barcodes, contactless (RFID/NFC) chips or digital watermarks. The images and the digital data are then compared to a database of “known” design and manufacturing elements for each document type, and the data read from the barcode or chip is cross-checked against what is printed on the card face, before a pass/fail grade is assigned.
Capture a biometric identifier. Once the proof-of-identity document has been authenticated, the next step is to enroll the customer in the customer database using a biometric identifier. It is vital that this step occur at the same time that the ID document has been authenticated to ensure that the person presenting the document is the same person who is credentialed using the biometric identifier.
Recent advances in technology have made the capture of an iris scan the most attractive option among the available identifier solutions. Iris scans can be “passively” captured, meaning the individual need not touch any equipment, as might be necessary with, for example, fingerprint or vein verification technologies. Iris scanning is also remarkably accurate, achieving false match rates (a stranger accepted as the enrolled customer) as low as 1-in-1.5 million, compared to 1-in-1,000 for fingerprint scans. In fact, the only identification method more accurate than iris scanning would be a DNA test. Two caveats apply to any biometric deployment: the false match rate depends on the match threshold chosen, and tightening it raises the rate at which legitimate customers are wrongly rejected, so the threshold must be set against both numbers; and because an iris cannot be reissued the way a compromised password can, the capture device must include presentation-attack (“liveness”) detection so that a printed photograph, a screen or a patterned contact lens cannot stand in for a live eye. The newer iris-scanning technologies use video (at 20 frames per second) to capture the iris. This can be done almost instantly, by simply asking your customer to direct their face towards the camera. USB cameras installed at the teller window, new account desk, loan desk and safety deposit area can enable quick and easy authentication anywhere in the branch.
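The two-step process above (authenticate the document, then bind the biometric to it in the same session) can be made concrete in code. The following is a worked example added to this article; it is not the article’s own code nor any vendor’s product. The image-forensics part of document authentication cannot be reproduced here, so step 1 is limited to the machine-readable data: parsing the PDF417 barcode found on U.S. driver licenses (AAMVA format, in which each data element is a three-letter tag followed by its value, with U.S. dates written MMDDCCYY) and cross-checking it against the fields printed on the card face. Step 2 binds a biometric template to the document result and refuses the binding if the capture happened in a different session or outside a short window. The barcode payload, the card-face values, the five-minute window, the session identifiers and the HMAC key are all constructed assumptions, and the sample payload is simplified (a real AAMVA payload carries a binary header and subfile offsets).

```python
"""Two-step customer credentialing: illustrative example, not production code.
All sample data (barcode, names, key, session ids, window) is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# ---- Step 1: verify the identity document (machine-readable part only) ----
# Subset of AAMVA data-element tags used here (tag -> readable name).
AAMVA_TAGS = {"DAQ": "id_number", "DCS": "last_name", "DAC": "first_name",
              "DBB": "dob", "DBA": "expires", "DAJ": "state"}

# Constructed, simplified payload: header line, then the "DL" subfile whose
# first element carries the subfile designator, elements separated by LF.
SAMPLE_BARCODE = (
    "@\n\x1e\rANSI 636014080002DL00410278ZV03190008\n"
    "DLDAQD12345678\nDCSDOE\nDACJANE\nDBB07041980\nDBA07042018\nDAJCA\r"
)

def parse_aamva(raw: str) -> dict:
    """Extract the tagged elements we need from an AAMVA barcode payload."""
    fields = {}
    for line in raw.replace("\r", "\n").split("\n"):
        if line.startswith("DL") and line[2:5] in AAMVA_TAGS:
            line = line[2:]          # strip the "DL" subfile designator
        tag, value = line[:3], line[3:].strip()
        if tag in AAMVA_TAGS:
            fields[AAMVA_TAGS[tag]] = value
    return fields

def authenticate_document(raw: str, card_face: dict, today: date) -> tuple:
    """Grade the barcode against the card face. Returns (passed, reasons, data)."""
    data = parse_aamva(raw)
    reasons = []
    try:
        if datetime.strptime(data.get("expires", ""), "%m%d%Y").date() < today:
            reasons.append("document expired")
    except ValueError:
        reasons.append("unreadable expiry date")
    for key in ("id_number", "last_name", "dob"):
        if data.get(key, "").upper() != str(card_face.get(key, "")).upper():
            reasons.append(f"{key}: barcode and card face disagree")
    return (not reasons, reasons, data)

# ---- Step 2: capture the biometric and bind it to the document result ----
@dataclass(frozen=True)
class DocumentResult:
    session_id: str      # teller/kiosk session in which the document was graded
    passed: bool
    id_number: str
    checked_at: datetime

ENROLL_WINDOW = timedelta(minutes=5)   # assumed: capture must closely follow the grade

def enroll_biometric(doc: DocumentResult, template: bytes, captured_at: datetime,
                     session_id: str, key: bytes) -> dict:
    """Bind a biometric template to a document authenticated in the SAME session.
    The template itself would live encrypted in the matcher; this record binds
    its hash, the document and the session, and is MACed so a record altered
    or assembled after the fact can be detected."""
    if not doc.passed:
        raise ValueError("document did not pass authentication")
    if session_id != doc.session_id:
        raise ValueError("biometric captured in a different session than the document")
    if not (doc.checked_at <= captured_at <= doc.checked_at + ENROLL_WINDOW):
        raise ValueError("biometric captured outside the enrollment window")
    template_hash = hashlib.sha256(template).hexdigest()
    record = "|".join([doc.id_number, template_hash, doc.session_id,
                       captured_at.isoformat()])
    mac = hmac.new(key, record.encode(), hashlib.sha256).hexdigest()
    return {"record": record, "mac": mac}

def verify_record(rec: dict, key: bytes) -> bool:
    """Check the MAC on a stored credential record."""
    expected = hmac.new(key, rec["record"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["mac"])

def demo() -> dict:
    """Happy path plus the failure modes the two-step process is meant to catch."""
    today = date(2015, 1, 15)
    card_face = {"id_number": "D12345678", "last_name": "DOE", "dob": "07041980"}
    passed, reasons, data = authenticate_document(SAMPLE_BARCODE, card_face, today)
    t0 = datetime(2015, 1, 15, 10, 0, tzinfo=timezone.utc)
    doc = DocumentResult("sess-42", passed, data["id_number"], t0)
    key = b"assumed-key-held-by-credential-service"   # use an HSM-held key in practice
    template = b"\x8f\x10\x3a\x77constructed-iris-template"
    good = enroll_biometric(doc, template, t0 + timedelta(seconds=30), "sess-42", key)
    out = {"doc_passed": passed, "record_ok": verify_record(good, key)}
    # Real data on a card whose face names someone else: fails the cross-check.
    out["tampered_face"] = authenticate_document(
        SAMPLE_BARCODE, {**card_face, "last_name": "ROE"}, today)[0]
    # Expired document: fails even though every field matches.
    out["expired"] = authenticate_document(
        SAMPLE_BARCODE.replace("DBA07042018", "DBA07042014"), card_face, today)[0]
    # Biometric captured in another session cannot be bound to this document.
    try:
        enroll_biometric(doc, template, t0 + timedelta(seconds=30), "sess-99", key)
        out["cross_session"] = "accepted"
    except ValueError:
        out["cross_session"] = "rejected"
    return out

if __name__ == "__main__":
    print(demo())
```

The session check is the point of the article’s “at the same time” requirement: a document graded in one interaction and a face captured in another are two unrelated facts, and only a binding created inside one session turns them into a credential. In a branch deployment the session identifier would come from the teller workstation or kiosk that drove both the document reader and the iris camera, and the record would be written by a service that alone holds the MAC key.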
After the biometric authentication infrastructure is available, the organization can then enable employee-credentialing to allow access to physical locations within the branch, to workstations, vault areas, safety deposit areas and whatever other access control concerns the branch might have. Additionally, the same two-step process for onboarding new customers can just as easily be applied to onboarding new employees, thus minimizing the risk that potential “inside” accomplices working with organized crime might infiltrate your operations.