Using and storing biometric data: Scrutinizing practices of banks and governments
By Ján Lunter, the Founder and CEO of Innovatrics
Biometric technologies are becoming the go-to security technology in the government and banking industries, and spending in the identity verification market is forecast to reach USD 18 billion by 2027. Companies from the financial industry account for around 28 percent of the biometric technology used in the U.S.
The demand for biometrics is skyrocketing, and the number of local providers of such security infrastructures is rising accordingly. The more sensitive data is handled, the higher the risks involved.
Actors considering the implementation of biometric technologies should closely monitor the market before making a decision. Looking at solutions that offer safe and unbiased algorithms should be a priority. Let’s examine what difficulties the banking and government sectors have faced and what lessons you can learn from them.
Use cases of biometric technology with banks
Prolonged trips, queues, and incorrect account details leading to error messages – all came to an end for service providers and banks that began to deploy face and ID recognition widely. Today, opening a new bank account, receiving a credit card, or obtaining a phone service contract is just an “ID photo match” away.
Biometric technology makes the onboarding process faster, more convenient, and even more accurate. With the help of OCR (optical character recognition), numbers and text can be filled in automatically, and facial recognition can verify whether the person with the ID is, in fact, the person behind the camera. Such digital security solutions are very efficient for financial institutions. Most importantly, they reduce costs, as acquiring a customer online is 10 times less expensive than in-person onboarding. On average, acquiring a new customer in person costs approximately $150 in advanced economies. Remote onboarding cuts the cost to as little as $5.
However, the use cases don’t end there. Registered authorities typically exchange data elements with a central database owned by the state to ensure that people are authorized to register a bank account or get loans and are not accused of fraud. In Mexico, for example, banks verify the identity of their customers using biometric features and successfully combat money laundering. Institutions can also more easily qualify people for larger mortgages if they can ensure their information is tied to a biometric database and not just a signature on paper.
Lastly, financial transactions have become safe and seamless via biometric recognition technology. Today, smartphone banking is simple thanks to the fingerprint recognition built into smartphones. GlobalData shared at Money 20/20 that adoption rates of biometric authentication are as high as 93 percent among banking customers if rolled out properly.
Banks have also started offering their own additional security services for online transactions to further reduce the risk of unauthorized money transfers and protect themselves against identity theft and fraud. Some now verify identity with a fingerprint reader on a smartphone and in-app facial recognition or other biometric identification services, including voice and vein recognition. Barclays, for example, introduced a finger vein-scanning identification feature for Barclays.net and iPortal clients. This way, they can keep everything under control – as risk management is essential for their business and service guarantee.
Use cases of biometric technology with governments
It is not only the banking sector that benefits from state-of-the-art security technologies. Any service within the realm of government affairs and bureaucracy that processes sensitive data can rely on the perks of biometrics.
For example, in Chile, biometric technologies allow authorities to ensure that government health care is delivered to those who qualify under the existing care guidelines, and to those only. Hospital staff can use the ID to quickly and precisely check whether individual citizens have health insurance. Moreover, patients can be correctly identified even when unconscious, which avoids, for example, administering medicine they may be allergic to and lets staff know their medical history (anamnesis) before they come to.
Biometrics also enhances the fight against crime. Both fingerprint and facial recognition modules help to accurately identify individuals – much better than a human eye. Institutions can detect identity fraud and even control illegal movements of individuals or criminals, for example, at border control or on security cameras.
The police use advanced surveillance systems analyzing the faces of thousands of people to identify suspects. The computer interprets faces, and when a suspect steps into the image area, the information is passed to the police personnel in charge.
But it’s not only the complex cases where biometrics are highly beneficial. Often enough, we need to request documents or fill out forms and visit the city’s administration to do so. Until now, all these activities have cost us hours of valuable time: registering in a new town, applying for a new passport, or requesting a police report for foreign affairs. But with simple verification of identity, those processes are much faster and possible from anywhere in the world. It also reduces the time spent by authorities on typing in data manually.
Risky business: How a data bias affects the reliability of biometric technology
“People worry that computers will get too smart and take over the world, but the real problem is that they’re too stupid, and they’ve already taken over the world,” Pedro Domingos, a prominent computer science professor, once said.
There’s much truth in this quote. As soon as an algorithm decides on an individual’s case, such as at border control, we cannot leave ethical questions aside. If we train biometric recognition technologies the wrong way, we might face greater consequences and larger-scale implications than when a human’s judgment fails.
Biometric recognition is only reliable when the algorithms are fed precise training sets consisting of many different images of faces or other biometric data. If, for example, we want to identify a 27-year-old woman, the algorithm analyzes the entire database and compares the photos with each other. The neural networks try to find similarities. However, whether the algorithm will identify a face correctly depends on the training it has received.
Some companies use internet pictures and Facebook profile images to teach an algorithm, raising many ethical concerns. Additionally, many populations and individuals don’t have access to Facebook, so their chance of being found by the system is much lower.
For instance, a 2018 study by MIT and Stanford researchers found that one provider used a set of faces that was 77 percent white and more than 83 percent male when training for commercial systems.
For example, at border control, racial profiling often leads to darker-skinned people being stopped more frequently. If an algorithm can’t identify the person, the person might become a suspect in illegal immigration. The same scenario is likely when darker-skinned people want to log in to their bank account but can’t be authorized. Such biases stigmatize individuals and societal groups and can destroy the reputation of governments, banks, or businesses using them.
Clearview AI, for example, has used media reports, social media, and other publicly available data to feed an algorithm used by police forces. Many police institutions needed to ban the software because such training methods infringe on individual rights, and they received immense criticism.
Tips for choosing the right biometric provider
1. Make sure your algorithm operates ethically
If you want biometric algorithms that are ethical, you need ethical training sets. The EU is even working on the proposal for an artificial intelligence act, the GDPR. Under the act, a user of an AI solution, which facial recognition is, is responsible for ensuring that the deployed AI is fair, unbiased, and used ethically. Let’s look at how to vet providers and minimize the risk of choosing an unethical one.
- To ensure the technology you are using does not work in a biased way, you should scrutinize the provider early. First, you can compare existing algorithms using the US government’s NIST website. NIST has taken reliable measurements of facial algorithms’ biases and their ability to recognize people wearing masks. As not all vendors officially submit their algorithms there, you might additionally need third-party rankings.
- Cross-check the algorithm’s quality, the training sets they use, and whether the company promises continuous improvement and training from their side. For example, in our company Innovatrics, we first created thousands of fake profiles with different dates, names, cities, and characters, etc., to train our algorithmic ID card reading.
- In addition, one should be clear about the purpose of using biometric data and whether identification is essential or whether verification is sufficient for their business purposes. Sometimes, a simple ‘vital sign’ check to verify that a person is present, not just an image, is adequate for customer relationships.
Again, individual usage patterns are essential in deciding what level of access security and accuracy is required. For example, suppose you manage highly sensitive data, like the police, or only give access to authorized people, as in government use cases. In that case, you need an algorithm that will respond positively only to the most accurate match. However, for other purposes, such as access control to a telecom account or simply checking your balance, such strictness might increase wait times or error messages. In the end, it’s always about finding a balance between convenience and security.
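An added example (not from the original article or from Innovatrics) of how this balance, and the bias concern raised earlier, can be measured as a decision threshold on match scores. The scores, group labels and candidate thresholds are constructed, and the false match rate (FMR) and false non-match rate (FNMR) terminology is standard evaluation vocabulary that the article itself does not use.

```python
# Constructed comparison results: (group label, genuine pair?, similarity score 0..1).
# Groups "A"/"B" and all scores are invented for illustration, not vendor data.
SCORES = [
    ("A", True, 0.95), ("A", True, 0.92), ("A", True, 0.88), ("A", True, 0.85), ("A", True, 0.81),
    ("A", False, 0.30), ("A", False, 0.42), ("A", False, 0.55), ("A", False, 0.61), ("A", False, 0.20),
    ("B", True, 0.90), ("B", True, 0.78), ("B", True, 0.72), ("B", True, 0.66), ("B", True, 0.58),
    ("B", False, 0.35), ("B", False, 0.48), ("B", False, 0.62), ("B", False, 0.71), ("B", False, 0.25),
]

def error_rates(records, threshold):
    """Return (FMR, FNMR): share of impostors accepted, share of genuine users rejected."""
    genuine = [s for _, is_genuine, s in records if is_genuine]
    impostor = [s for _, is_genuine, s in records if not is_genuine]
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor comparisons")
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr

def per_group(records, threshold):
    """Error rates per group at one threshold; a large FNMR gap means one group is locked out more."""
    groups = sorted({g for g, _, _ in records})
    return {g: error_rates([r for r in records if r[0] == g], threshold) for g in groups}

def lowest_threshold_meeting(records, max_fmr, candidates):
    """Most convenient (lowest) candidate threshold whose FMR stays within max_fmr, else None."""
    for t in sorted(candidates):
        if error_rates(records, t)[0] <= max_fmr:
            return t
    return None

if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        fmr, fnmr = error_rates(SCORES, t)
        print(f"threshold {t:.1f}: FMR={fmr:.0%} FNMR={fnmr:.0%} per-group={per_group(SCORES, t)}")
    print("lowest threshold with FMR <= 10%:",
          lowest_threshold_meeting(SCORES, 0.10, (0.5, 0.6, 0.7, 0.8)))
```

On this constructed data, raising the threshold to 0.8 removes every false match but rejects 80 percent of genuine users in group B and none in group A, which is the kind of gap to look for when evaluating a provider on your own population.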
Regardless of what purpose or type of product you want to use biometric technology for, looking for vendors that already have credentials for your industry will help you heaps. Let’s say you are in the telecom industry. See if the vendors are also in the banking industry, as the turnout and minimum standards are very similar.
2. Match your security needs with the proper infrastructure
Another lesson we can learn from governments and the banking sector is how to ensure that biometric data can be stored accurately and securely. Depending on what data you need to verify the identity of your customers or, if necessary, to check their identity, different security guarantees are required.
After increasing incidents and cyberattacks, many financial institutions now turn to the most secure providers in the market. These providers offer encrypted data storage on a security infrastructure that encrypts each ‘box of data’ differently. This means your fingerprint, details, and account number are connected to identify the right person, but each piece of information is separately encrypted on a different server. So, if someone only has access to one of the data elements, such as the ID, this person won’t be able to log in and steal money. Choose a similar system for storing sensitive data of clients.
For passports and ID cards, fingerprints are stored only on the chips of the respective ID card. The police or other authorities can only access this data with readers that don’t save any data. The remaining data, such as residence, age, and height, is usually stored in a central database.
In Germany, for example, special ID readers are available to the police, border guards, and customs officials only. Suppose there is a suspicion that a document is forged or being used unlawfully. In that case, the fingerprints stored in the chip can be used to determine whether the holder is the rightful owner of the document. These officials have the authority to retrieve and read encrypted data on the chip if the identity is uncertain, but they can’t store any personal information. Such security infrastructure is becoming more and more vital for payment processing or banking authorization and any business that processes sensitive and confidential information.
In any case, check for the most recent ISO guidelines and make sure you comply with the rules of storing data. The ISO recommends the current software and security infrastructure you need to ensure a safe registry of each customer.
3. Don’t store what you don’t need
One principle applies to personal and biometric data that everyone should adhere to. If you don’t need the data, don’t collect it. If you can throw it away, throw the data away. Otherwise, you can cause problems for your customers and, in the worst-case scenario, put your reputation or business continuity at risk.
Also, it is essential to be clear about your own utilization needs. Depending on how vital risk management and data security are and what data you manage, you employ different technologies and comply with varying levels of data security. And don’t forget to look closely at the algorithms, checking whether their providers aim to minimize bias.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.