Although AI is essential for identity verification, it also poses new challenges. Companies are aware of this and fear it could be used to intensify attacks.
Customer identity, in the spotlight of digital banking
Financial entities prioritise knowing their clients now more than ever, in an online world where face-to-face has been replaced by remote interaction
The crisis caused by COVID-19 has pushed companies to consolidate everything necessary to remain connected to their customers and operate remotely, regardless of restrictions on meetings, mobility and social distancing. But even before the health crisis, many sectors anticipated the growing digitisation of industrial and commercial processes, products and services. Education and banking, amongst others, have been managing courses and transfers virtually for years.
In fact, the Covid-19 Banking Insight Study, prepared by the American consultancy Celent last year, shows that banks were already taking advantage of online opportunities and facilities. These strategies were aimed, for example, at improving the digital registration process for users, strengthening self-service in banking transactions and reducing operational inefficiencies, that is, the amount, duration and complexity of the “bureaucracy” necessary to complete any operation, thus speeding up the process considerably. Furthermore, the study states that most banks planned to increase their Information Technology (IT) budgets for client acquisition and the creation of financial products.
In practice, we can see these banking innovations in fast transfers through Bizum or in Near Field Communication (NFC) technology, which allows us to “host” our credit or debit card inside our mobile phones or smartwatches, so that these devices are the ones held near the payment terminal to make our contactless payments.
In this way, banking companies also respond to changes in the preferences and consumption habits of their customers, who are increasingly found on the Internet and on mobile devices. Clients have stopped going to a branch to open an account, take out a mortgage or make a transfer. Now they want to do their transactions from home, or anywhere, at the click of a button, and to feel that they have control of the transaction, ensuring that it is carried out easily and immediately. All of this requires banks to adapt to a new modus operandi based on dynamism, transparency, precision and, above all, security.
However, the fact that clients no longer go to banks, and that banks no longer have absolute control of operations, clouds confidence in digital transactions for both. Control and security of finances are no longer protected in guarded offices and large headquarters safes; they now move to each client's mobile phone. This disintermediation is a breeding ground for identity theft or falsification, fraud and, consequently, money laundering and the financing of crime. In fact, 40.7% of residents in Spain who used the Internet between June and September 2020 have little or no trust in the network, according to the latest Survey on ICT Equipment and Use in Homes by the INE. Although there are already qualified tools and services for secure digital identity, many entities of all kinds, including financial ones, have still not been able to implement them permanently, or still do not know their advantages.
The PSD2 Directive and the eIDAS Regulation have established the necessary laws in Europe so that digital banking transactions are just as accurate, safe and legal as traditional ones. And, above all, so that they generate the same trust in the population, and are perceived as being handled just as seriously and professionally as when we are face to face with the cashier or director of our usual branch. Precisely in the absence of that face-to-face contact, the most important thing is to know who is carrying out the digital transaction, to verify that he/she is the person he/she claims to be, and to make sure that he/she is present at the time of the transaction and fully aware of all the steps.
The electronic signature and the systems for the qualified preservation of the evidence are the tools that ensure the legality of these remote movements. But the real challenge is in the authentication of the identity, which guarantees the veracity and intentionality of the transaction. Protecting a simple user code and password is no longer enough. Neither are the coordinate cards, which have become obsolete after the application of PSD2.
The solution now resides in state-of-the-art technologies that combine fluid usability, access from any mobile device and the application of different tests and precision measures that reinforce security. We are talking about Multi-factor Authentication (MFA) systems, also known as Strong Customer Authentication (SCA). Rather than a brand name, the term refers to the need for the verification of our identity on the Internet to go through two or more different security controls, based on three pillars: something that the user knows, something that the user possesses and something that the user is. Some of those controls still surprise us by resembling science fiction stories.
We speak, for example, of biometric analyses, which record and analyse our biological traits with Artificial Intelligence (AI) to verify our identity. Thanks to them, our face, our voice or our fingerprints (“something that the client is”) work as passwords to authorise our digital transactions. We can find them, for example, when our bank’s app asks us to place our fingerprint on the smartphone screen to access our accounts. The biometric technology of our mobile phone reads the fingerprint in seconds and, once the identity is verified, the app is unlocked instantly.
Video identification is also gaining ground, that is, a video call monitored and supervised in real time by a video agent. It is a process that recreates the face-to-face experience on the web and applies multiple high-security tests at the same time:
- In the first place, the video agent, a person qualified for this role, accredits the presence of the client, that is, he/she makes sure that the person requesting the digital transaction is ready and aware of it.
- Subsequently, the client shows an official identity document, such as his/her National ID document or passport, through his/her camera. At that moment, the video agent checks that the document is valid and in effect, as if he/she were a policeman at an airport border control. The presentation of the document can be done during the video call or through a photographic capture taken by the video agent. In this way, the identity document can be saved for future consultations and verifications, just as when a photocopy of our National ID document is made in a physical branch.
- Finally, the video agent compares the photograph of the document presented with the customer’s face visible in the video call. Biometric face recognition technology analyses their equivalences with AI to verify identity. As with the document, a capture or selfie of the client’s face can also be taken to save it as a record, or to run the biometric analysis with greater precision.
- Additionally, the video agent can carry out more security tests, such as verifying that the client speaks the language of the country from which he/she claims to come at a native level, in order to ensure the veracity of his/her identity. In addition, video calls are recorded, something that greatly discourages the cybercriminal, since reliable elements such as his/her voice or his/her physical image are captured.
Although video identification is used more and more often to open accounts or purchase insurance, it is also very useful for medical consultations, real estate contracts, employment contracts or student exams carried out remotely.
Beyond these “access” controls to a digital product or service, there are others that apply to the “development” of digital transactions, offering uninterrupted security to clients and entities. For example, banks are applying measures based on behaviour, in such a way that if we want to send money to a country to which we have never made a transfer before, the bank will stop the operation as suspicious and ask us for security tests to corroborate that we are aware of that operation. Digital certificates are also becoming popular, that is, a tool that limits the authorisation of any transaction to the smartphone or tablet owned by the real customer.
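The two ideas above, SCA's requirement of controls from different pillars and the hold on a transfer to a country the customer has never used, can be combined in one authorisation check. This is an added example, not code from any bank or provider; the control names, the `Customer` class and the function names are hypothetical.

```python
from dataclasses import dataclass, field

# The three pillars of Strong Customer Authentication.
KNOWLEDGE, POSSESSION, INHERENCE = "knows", "possesses", "is"

# Hypothetical mapping of concrete controls to pillars (assumption).
FACTOR_PILLAR = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "device_certificate": POSSESSION,
    "otp_app": POSSESSION,
    "fingerprint": INHERENCE,
    "face_match": INHERENCE,
}


def sca_satisfied(verified_factors):
    """True only if the verified controls span at least two pillars.

    Two controls from the same pillar (password + PIN) do not count,
    and unrecognised control names are ignored, so the check fails closed.
    """
    pillars = {FACTOR_PILLAR[f] for f in verified_factors if f in FACTOR_PILLAR}
    return len(pillars) >= 2


@dataclass
class Customer:
    # Countries this customer has already sent money to (constructed data).
    known_countries: set = field(default_factory=set)


def authorise_transfer(customer, dest_country, fresh_factors=()):
    """Return 'allow' or 'step_up' for a transfer request.

    A destination the customer has used before proceeds. A new destination
    is held until the customer passes SCA again for this transaction; only
    then is the country added to the customer's history.
    """
    dest = dest_country.strip().upper()
    if dest in customer.known_countries:
        return "allow"
    if not sca_satisfied(fresh_factors):
        return "step_up"  # hold the transfer and request further proof
    customer.known_countries.add(dest)
    return "allow"
```

Recording the new country only after a successful step-up keeps a failed or abandoned challenge from weakening the next check.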
In the world of the digital economy and e-commerce, where crime takes increasingly subtle and undetected forms, public and private banks are prioritising cybersecurity policies and strategies. For this reason, the Trusted Service Provider (TSP) sector is increasingly powerful and leading. Even in Spain, only 36 qualified providers of these services operate, according to the Spanish Secretary of State for Digitalisation and Artificial Intelligence. It is an exclusive market that offers financial companies the most legal, sophisticated and successful digital solutions.