Biometric Recognition, a new way to identify clients for Banks and Financial Intermediaries
Massimo Masini holds a degree in Law from the University of Rome “La Sapienza”. He comes from the banking system, where he gained significant experience working in General Management with particular tasks related to the study and analysis of international banking, currency and tax supervisory regulations. He later undertook a professional path as an expert in banking supervisory rules: during the implementation of the new legislative framework that started with the currency deregulation of 1990, he participated as an external expert in numerous institutional working groups at the then Italian Office of Exchange, drawing up the related implementing rules on the liberalization of the movement of capital and on the emerging “anti-money laundering” legislation. He is the author of numerous essays on the topics mentioned above, has spoken at many conferences for the banking sector and financial intermediaries, and currently holds the position of Manager at GPM & SAIP GROUP srl, a company providing consultancy and training to banks on topics relating to anti-money laundering legislation.
Fintech’s swift growth forces financial operators, many of whom are still bound to traditional systems, to make considerable progress, within their internal processes and in accordance with primary law and Supervisory Authorities’ regulations, in developing efficient data identification procedures for the operational phases of payment systems.
One of the cornerstones in developing Fintech platforms tailor-made for banks and intermediaries is, undoubtedly, the need for a technology capable of identifying a client without any margin of error, both at the opening of the contractual relationship and, subsequently, at the execution of a requested remote transaction.
Considering that, in 2017 alone, roughly 500 million identity thefts and 18 million domain violations were estimated on a worldwide scale, it is evident that the systems traditionally employed in home banking (such as usernames, IDs, passwords, tokens and PINs) no longer suffice to guarantee the inviolability of clients’ data and, therefore, their safety.
The era of Fintech, which is making staggering progress in everyday procedures, has the merit of encouraging many startups specialized in digital technology products and services to enter the market; among them, many are developing new security systems ideal for protecting customers of banking or financial services, adopting cutting-edge procedures which guarantee the immediate identification of clients’ data as well as their safety and inviolability.
Based on studies regarding cyber security conducted at an international level, with the contribution of banks’ and intermediaries’ anti-fraud systems, the safest and most reliable protection against attacks is so-called biometric recognition.
The Biometric Recognition System originated in France in the 1900s as an instrument of “legal anthropology” (measurements of physio-somatic characteristics of prisoners, to be stored in a historical archive for further identifications); it is thus peculiar that such an innovative system for the financial sector derives from a practice which is more than a century old. We will therefore try to understand how and in what ways biometrics may serve banks and financial intermediaries in securing their data from fraud.
Many sectors have been benefiting from biometric recognition systems within the last ten years: by way of example, we can mention antitheft systems like thumbprints or voice detection, systems of corporate access, systems of access to hardware, or, in the public sector, the recent introduction of the electronic ID card, equipped with biometric data for physical identification.
Biometric recognition is defined as the automatic identification of individuals based on their biological and/or behavioral characteristics, introducing the concepts of biometric verification and biometric identification.
When an individual establishes a relationship or subscribes to a system requiring biometric recognition, an enrolment procedure is triggered: a process by which the biometric sample is acquired and stored in the database (biometric feature). Biometric features are then extracted to generate a reference for future comparisons. The sample (biometric sample) is the analogue or digital representation obtained at the end of the acquisition process (also called biometric capture or biometric acquisition), for example the reproduction of a fingerprint image.
Biometric verification is simply the immediate and automatic comparison between a biometric model provided by the user when he interacts with the biometric system and the model already stored in the database and associated with him (one-to-one comparison). The model (biometric template) is the set of biometric traits stored in the acquisition phase and directly comparable to other biometric templates.
The phase of identification through a biometric probe starts whenever a user accesses the system with his own biometric traits: it is a search of the database that automatically compares the acquired biometric data with one or more stored biometric data corresponding to it (one-to-many comparison). This biometric comparison is based on the statistical methods and metric models typical of the biometric system which has been chosen.
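A minimal sketch of the enrolment, one-to-one verification and one-to-many identification phases described above. It is an added example, not code from the article or from any real biometric product; the class and method names, the feature vectors and the threshold are hypothetical and constructed for illustration.

```python
import math

THRESHOLD = 0.25  # assumed decision threshold; real systems tune it per modality


def distance(a, b):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class BiometricStore:
    """Hypothetical template database keyed by user id."""

    def __init__(self):
        self.templates = {}  # user id -> reference template

    def enrol(self, user_id, samples):
        """Enrolment: average several captured samples into one reference template."""
        n = len(samples)
        self.templates[user_id] = [sum(col) / n for col in zip(*samples)]

    def verify(self, claimed_id, probe):
        """Verification (one-to-one): compare the probe with the claimed user's template only."""
        template = self.templates.get(claimed_id)
        return template is not None and distance(template, probe) <= THRESHOLD

    def identify(self, probe):
        """Identification (one-to-many): search every template; return the best match or None."""
        best_id, best_d = None, float("inf")
        for user_id, template in self.templates.items():
            d = distance(template, probe)
            if d < best_d:
                best_id, best_d = user_id, d
        return best_id if best_d <= THRESHOLD else None


# Constructed feature vectors standing in for extracted biometric features.
store = BiometricStore()
store.enrol("alice", [[0.10, 0.80, 0.30], [0.14, 0.76, 0.34]])
store.enrol("bob", [[0.70, 0.20, 0.90], [0.66, 0.24, 0.86]])

probe = [0.13, 0.79, 0.31]     # fresh capture from alice; close to, not equal to, her template
stranger = [0.40, 0.50, 0.60]  # capture from someone who never enrolled
```

Because a fresh capture is only ever close to the stored template, the match is a distance test, and the chosen threshold sets the balance between false accepts and false rejects.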
Once the main phases of the system have been analyzed, the innovative process which banks and intermediaries are willing to develop and/or perfect refers to data-processing procedures designed to instantly detect biological and/or behavioural characteristics, interfacing them with the list of data acquired in the records through the enrolment phase.
With the evolution of both national and international legislation against money laundering and terrorism financing, the identification of clients and the traceability of data pertaining to them have been a major concern in order to prevent the use of financial channels to fund criminal activities.
On these grounds, the EU legislator, with the adoption of the IV Directive against money-laundering and terrorism financing (849/2015), transposed into Italian law with Legislative Decree 90/2017, modifying Legislative Decree 231/2007, has introduced the possibility of identification of customers “using other checking mechanisms based on reliable and innovative technological solutions (such as, for example, those which prescribe forms of biometric recognition), as long as they are assisted by strong security control guards”.
Such dispositions introduce a stark change of paradigm compared to the past, allowing banks to check clients’ identity, even when they are physically absent, through digital means as recognized by EU Regulation 910/2014.
Even the Italian data protection authority (the Garante della Privacy), as early as 2014, while drawing up the Guidelines concerning biometric recognition and graphometric signature, claimed that the “use of devices and technologies for the collection and treatment of biometric data is growing up increasingly, especially with reference to the assessment of one’s personal identity….”; this large-scale “legislation” process, moreover, allows biometric applications to be employed either on an autonomous basis or combined with other supporting technologies (such as, for example, smart cards, cryptographic keys, RFIDs and digital signatures), thus proving that biometric systems based on the physiognomy of customers are safe, fast and effective.
Without any doubt, biometric identification is one of the crucial themes in Fintech, since, with the coming of the PSD2 and the spread of digital payments via e-mail or smartphone, Member States must provide barriers against fraud arising from identity theft.
The acquisition process (or enrolment) of the biometric characteristic (reference template) is carried out through lasers, scanners, cameras, microphones, etc. To register a user, it requires the creation of a template (biometric sample), which is, as specified above, the acquisition of one or more sounds or images pertaining to the individual by means of algorithms that vary from system to system.
Biometric characteristics are universal to all individuals and, at the same time, every trait is different for each person; they are also long-lasting, barring physical and/or behavioural alterations deriving from accidental events. Example: all men have fingers (universality) but no fingerprint is equal to another (uniqueness) and fingers, except in cases of alterations, have a lifespan equal to that of the individual.
Although the Garante della Privacy recognized in the aforementioned Guidelines of 21 May 2014 the lawfulness of biometric data collection and storage, it also provided several directions aimed at guaranteeing that data treatment is limited to the fundamental activity, it being understood that clients must be informed of the methods of acquisition of biometric data and of their subsequent use.
In conclusion, we hereby report biometric categories and models already in use, except for the DNA exam, which is not relevant for this context regarding financial activities.
Interactive and passive biometric systems
Whenever the interested party is aware of how and for what purpose the acquired data is used, as with the acquisition of his signature or retinal scanning, he cooperates, allowing an interactive acquisition; without the awareness of the interested party (for example: recording one’s voice or taking a picture of one’s face without him knowing it), there is a passive acquisition, which is not allowed by the regulation.
Biological and behavioural biometric characteristics
Physio-somatic features are the biological ones; those regarding behaviour are one’s signature, voice or pace.
Tracing and traceless biometric characteristics
An example of a biometric characteristic that leaves traces on objects is the fingerprint, which could also be traced without the prior knowledge of the interested party. Traceless biometric features are, for example, the hand topography, a finger’s vein structure, or the signature.
In detail, the physiological biometric technologies viable in the present time and of instant use as access credentials for accounts in the financial and banking sectors, with the exception of the long and complex DNA exam, are:
- Facial recognition allows the identification of people based on the analysis of specific features of the face that cannot be easily altered; to be more specific, both macro-elements (mouth, nose, eyes, ears, forehead, bone structure) and micro-elements (distance between macro-elements or between macro-elements and points of view, and the size of macro-elements) are taken into account. During the detection of data, a sensor captures a certain number of 2D or 3D images of an individual’s face, which are stored in digital format and, using an algorithm that registers individual features, can be stored and used for possible later processes of identity verification.
- The thumbprint (or fingerprint) is probably the most common and accepted form of biometric recognition, and has been widely popular in criminology since the first decades of the twentieth century. The enduring fortune of this method as a biometric technology, which replicates the disposition of Galton’s details and ridge patterns found on fingertips since the pre-natal phase, derives from two factors: it guarantees immutability and individuality. Thumbprint detection allows for indexed searches using more modern search engines like the Automated Fingerprint Identification System (AFIS).
- Hand geometry represents the biometric technology based on recognizing the print of the palm of one’s hand: it is very similar to the one based on the detection of fingerprints. The parameters employed for the detection are major features (like fingers’ length and structure or size of the palm) and minor features (lines, indentations, grains, wrinkles, and ridge-valley patterns), which are perceived by sensors that can be ultrasonic, thermal or optical. The most widely employed instruments of detection are optical instruments using 3D cameras, the detected images of which are then compared to those in the database.
- The vein structure of the hand and the fingers generally develops in the pre-natal phase; its acquisition is conducted through sensors that scan the form and the disposition of finger veins and the back or palm of the hand through a luminous source with a wavelength nearing the infrared.
- The vascular structure of the retina: the retina is the membrane which forms the inner lining of the ocular bulb; there are patterns on the retina of each individual, formed by blood vessels on the thin nerve placed behind the ocular bulb, the latter processing the light filtered through the pupil. Biometric recognition systems based on the retina’s features compare the whole system of blood vessels, of which every pattern is unique.
- The form of the iris: biometric systems based on the mathematical measurement of the iris consist of a sensor that, if positioned in the right way, illuminates the iris of the individual subjected to the scan with a low-intensity laser; an infrared light carries out the eye-scanning and detects the peculiar characteristics of the iris structure, which are then mathematically represented by an algorithm. The iris is made of an elastic connective tissue and, having at least 266 distinct features, is a precious source of biometric data. There are 173 of these distinct features that are utilized in the iris recognition technology. To carry out a recognition, the most relevant features are compared to the iris images stored in a template.
There are, finally, behavioural biometric technologies:
- Vocal recognition is considered a system of biometric recognition that is both physiological and behavioural. Vocal features registered in the system include the tone, frequency, intensity and nasal articulation, while other more specific coefficients and spectra are also taken into consideration. Data acquisition can happen by telephone or through computers, allowing the “vocal recognition” to be used later for the elaboration and analysis of “signal processing”. Normally, vocal verification is compared to other complementary data, such as a password or other forms of identification.
- The signature, the acquisition of which is generally carried out by analysing the signals through graphometric tablets, is the biometric technology based on the recognition of the autograph signature, which allows for the authentication of an individual’s identity using specific parameters, such as calligraphy, velocity of signature, rhythm, acceleration and pressure.
The information above was taken from:
- Identità, identificazione e riconoscimento – Nicola Corvino – 1 June 2012
- Viaggio nelle tecnologie che stanno per cambiare la nostra vita – Sole 24 Ore – 2015
- Cyber Warfare: Verso Un Nuovo Paradigma Strategico – Stefano Ricci – 11 September 2017
- Linee Guida del Garante della Privacy – 21 May 2014
7 January 2019