12. Biometrics and the future of identity verification
Sandra Peaston
Assistant Director, Insight
22 September 2016
13. What is Cifas?
• Not-for-profit membership organisation
• Members share information on confirmed frauds, to prevent the same identities and details from being re-used for fraud.
• Fraud data is non-competitive: co-operation and communication in the interests of crime prevention.
• Operates two databases
  – National Fraud Database
  – Internal Fraud Database
17. Identity fraud and the Internet
• More than 4 out of 5 identity frauds were perpetrated over the internet in 2015
• Anonymity, volume, speed
• Electronic identity verification
18. Biometrics – the basics
Biometrics refers to metrics related to human characteristics.
Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals.
Physiological: fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odour/scent
Behavioural: typing rhythm, gait, voice
• Wikipedia
20. Biometrics – key questions
• What is it for?
• What biometrics do you want to capture, and for which channel?
• Have you covered all channels?
• When and how do you capture it?
• Does this cover your entire customer base?
• Where does this information get stored?
21. Making biometrics work
• Great strength in improving customer convenience and preventing facility takeover fraud
• Fraudsters adapt: when they learn they can only target an organisation once, they will move on to the next
• What can be shared?
  – Is it the same biometric?
  – Is it in the same format?
• Cross-organisational sharing will work most effectively if there are standards and best practice
  – But administered by whom?
24. Hogan Lovells: The Clock is Ticking
• Came into force 12 January 2016
• Member States have until 13 January 2018 to implement
• Chief aims are:
  – level playing field
  – improve competition
  – fill gaps in consumer protection
  – improve security
  – ensure greater consistency of approach across EU
25. Hogan Lovells: What is the impact of Brexit?
• On 23 June 2016 we held "an advisory referendum"
• Triggering event: Notice under Article 50 of Treaty on European Union
  – Remain a member for 2 years from date of notice
• CMA's "Retail banking market investigation: Final Report" August 2016
  – HMG still plans to implement by 2018
26. Hogan Lovells: Strong Customer Authentication
Member States to ensure SCA applied where Payer:
• Accesses payment account online;
• Initiates an electronic payment transaction;
• Carries out any action through a remote payment channel which may imply a risk of payment fraud/abuse.
27. Hogan Lovells: Security: Customer Authentication
Requires two or more of the following:
• Knowledge: i.e. something only the user knows (e.g. static password, code, personal identification number);
• Possession: i.e. something only the user possesses (e.g. token, smart card, mobile);
• Inherence: i.e. something the user is (e.g. biometric characteristic, such as a fingerprint)
28. Hogan Lovells: Knowledge v possession
• “something you know” and “something you have”
• “something you know” and another “something else you know, if only for a brief period of time”
30. Hogan Lovells: Strong Customer Authentication
• Selected elements must be mutually independent
  – Breach of one does not compromise the other
• Must be designed to protect confidentiality of the authentication data
• Must dynamically link e-payment transaction to specific amount and specific payee
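As an added illustration (not part of the slides or of Hogan Lovells' material), the following Python sketch models the rules from this slide and the earlier factor slide: the two-category requirement, a simplified independence check (assumed here to mean the factors reach the user over different channels), and dynamic linking of an authentication code to the exact amount and payee via an HMAC. The per-customer key, the server-issued nonce and the channel model are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# The three factor categories named on the slides.
CATEGORIES = {"knowledge", "possession", "inherence"}

def satisfies_factor_rule(factors):
    """factors: list of (category, channel) pairs, e.g. ("knowledge", "browser").
    SCA needs two or more *different* categories. As an assumed, simplified
    independence check, two factors that reach the user over the same channel
    (e.g. a password typed on a phone plus an SMS code read on that same phone)
    do not count as independent: compromising that channel breaks both."""
    for category, _ in factors:
        if category not in CATEGORIES:
            raise ValueError(f"unknown factor category: {category}")
    categories = {category for category, _ in factors}
    channels = [channel for _, channel in factors]
    return len(categories) >= 2 and len(set(channels)) == len(channels)

def issue_authentication_code(key, amount, payee, nonce):
    """Dynamic linking: the code is an HMAC over the exact amount and payee,
    so it is only valid for this one transaction. The nonce (a server-issued
    challenge, assumed here) stops replay of a code from an earlier identical
    payment. json.dumps with sort_keys gives an unambiguous canonical input."""
    payload = json.dumps({"amount": amount, "payee": payee, "nonce": nonce},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_authentication_code(key, amount, payee, nonce, code):
    """Recompute the code for the transaction the bank is about to execute and
    compare in constant time; any change to amount or payee makes it fail."""
    expected = issue_authentication_code(key, amount, payee, nonce)
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    # Constructed sample: password in the browser plus a code on a separate phone.
    print(satisfies_factor_rule([("knowledge", "browser"), ("possession", "phone")]))
    print(satisfies_factor_rule([("knowledge", "phone"), ("possession", "phone")]))
    key = secrets.token_bytes(32)   # per-customer key held by the bank (assumed)
    nonce = secrets.token_hex(8)
    code = issue_authentication_code(key, "100.00", "GB00EXAMPLE", nonce)
    print(verify_authentication_code(key, "100.00", "GB00EXAMPLE", nonce, code))
    print(verify_authentication_code(key, "999.00", "GB00EXAMPLE", nonce, code))
```

The last call fails because the amount was altered after the code was issued, which is exactly the tampering that dynamic linking is meant to catch.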
31. Hogan Lovells: PISPs & AISPs
• Authentication requirements apply in the same way to PISPs and AISPs
• Bank must allow them to rely on authentication procedures provided to PSU
• EBA to develop draft regulatory technical standards (6 technical & 5 guidance):
  – Requirements for strong customer authentication
  – Requirements for protecting personalised security credentials
  – Requirements for communication between PSPs, AISPs, PISPs and PSUs
32. Hogan Lovells: Reporting requirements
• On a major operational or security incident
  – PSP must notify competent authority "without undue delay"
• Where a security incident has, or may have, an impact on the "financial interests" of customers, the PSP must
  – Notify customers directly "without undue delay"
  – Inform them of measures they can adopt to mitigate adverse effects
• EBA to publish guidelines on when reporting is required
33. Hogan Lovells: Other relevant initiatives
• General Data Protection Regulation
• NIS Directive
• Open Banking Working Group Report / miData
• CMA Retail banking market investigation: Final Report