Today, technology is evolving faster than regulators can keep pace with, including the rise of biometric identification systems. According to a recent MasterCard study, “Biometrics are an alternative that offer potential usability improvements, while retaining or improving the security guarantees. The user study shows that users believe biometrics are more secure and convenient than passwords, and that they are willing to adopt biometrics to replace existing password-based authentication.”
In fact, financial institutions are increasingly opting for biometrics. According to a study by Grand View Research, “the global biometric authentication market is expected to grow significantly over the next five years. The market size for biometrics is expected to reach $24.59 billion in the next six years and a lot of the growth will be seen from banks.” This market growth will continue to drive the adoption of biometrics within financial institutions.
Despite the spike in biometric implementation, regulations and standards are severely behind. When there are no standards or regulations, companies easily fall behind the eight ball. Standards generally take several years to establish and, as a result, they are often out of date before they can even be implemented.
While recent regulations, like the EU’s Payment Services Directive (PSD2) and, most recently, the New York State Department of Financial Services (NYDFS) cybersecurity regulation, have slightly moved the needle on security by requiring multi-factor authentication (MFA), regulators haven’t said anything about what constitutes acceptable performance or standardized data formats, nor have they set deadlines for this to be done by. NYDFS, for example, requires MFA but doesn’t mandate a specific NIST Authenticator Assurance Level as defined in NIST’s Digital Identity Guidelines.
While requiring multi-factor authentication (MFA) is a huge step forward when it comes to security, regulators must address the excessive time and money spent and change how the industry adopts new security methods. In the US, the FTC has recommended best practices for companies using facial recognition technology, but stopped short of creating rules or laws for biometrics. Similarly, the Securities and Exchange Commission, the Office of the Comptroller of the Currency, and the Federal Reserve haven’t issued any regulations on the topic.
So, what will it take for regulators to hop on board with biometrics? For starters, there are a few best practices they can consider when setting standards:
- Close the Knowledge Gap: A survey by researchers from Oxford University and Mastercard found “only 36 percent of [financial industry executives] are familiar with biometrics, compared to 88 percent of them that would be involved in their deployment. These gaps inhibit adoption of biometrics, as they prevent effective communication and collaboration among different entities involved in the process of deployment.” The lack of knowledge about biometrics may be why requirements for using MFA don’t go beyond specifying that the factors used should be something you know (first pet’s name, mother’s maiden name, etc.), something you have (a card, token, etc.), and/or something you are (fingerprints, facial recognition, etc.). Unfortunately, not all authentication factors are equally secure. It doesn’t matter how many are used if they are all weak. Closing the knowledge gap will allow security to mature and expand in the way companies expect it to.
- Create a Uniform Template: There is no common data format for biometric data. Currently the data formats are as varied as the solution providers. This makes switching systems more difficult and more expensive, and it makes it difficult to share information among financial institutions.
- Stay “Tried and True”: Lack of familiarity is another reason for regulators’ hesitancy. Impulsivity is not a trait usually found in bank regulators. Likewise – and reasonably – it is a profession that doesn’t lend itself to people who want to be on the leading edge of technology. “Tried and true” is a good approach when you’re responsible for ensuring the stability of banks and entire financial systems.
The current state of security standards speaks volumes about how regulators need to take a stance. The security of personal information and the lack of protective behavior will always be a top concern. To change this, biometric regulation and support is the first step toward a unified and secure future. With these best practices, regulators can start to close this gap, educate the community, and ensure the stability of financial systems and beyond.