New regulations surrounding banking, financial services and payment processing provide individual customers or clients with unprecedented levels of control over their personal information and who’s entitled to access it. I’m referring primarily to European initiatives like the Payment Services Directive 2 (PSD2), which is designed to open the financial services and payment processing ecosystem to new businesses and the General Data Protection Regulation (GDPR), which will bring heavy fines to companies that fail to follow guidelines surrounding the acquisition and storage of personal data, as well as personally identifiable information (PII).
While it might not be immediately evident, biometrics will play a big part in promoting the adoption of an “open” technology infrastructure that can assure both personalization and strong privacy protection. Given that a great deal of digital activity originates from smartphones, voice biometrics is destined to be a natural solution to user authentication challenges.
The Age of Digital Banking is Upon Us
Before we go any further, let’s spell out exactly what’s going on in the banking world and show why real-time authentication, involving biometric factors, is so important. Commercial banks, which used to serve customers best through nearby, brick-and-mortar branches have found that they better serve them through a multiplicity of digital channels and mobile devices. Banking customers have grown accustomed to having continuous access to their funds and account information, as well as the ability to initiate transactions or make payments at any time of day and through the most convenient device.
To stay competitive, and ultimately survive, commercial banks and brokerage companies are getting more friendly and flexible, even as concerns over privacy and data hacks crescendo. Just to make sure that the banks stay true to their word, global regulators are devising the new laws mentioned above, giving “teeth” both privacy strictures and the mandates for greater inclusiveness.
PSD2 aims to break down banks’ long-held monopoly on their customers’ data. It will make it possible for individuals to complete payments without leaving an online merchants site. Amazon will “know” whether an individual has sufficient funds and complete a transaction seamlessly (with that individual’s permission, of course). The convenience is obvious. Shoppers can complete a purchase without invoking a connection to a credit card issuer or moving to another payment service like PayPal.
Because this era of openness coincides with the age of high-visibility data hacks and identity theft, PSD2 brings with it a mandate for solutions to incorporate strong customer authentication (or “SCA” as it is referred to in the proposed law) to a broad spectrum of purchases and other financial activities. While the details are still being hashed out, they will require solution providers to employ, at a minimum, two-factor authentication (2FA) in choosing two of the following three options:
Something you know – including passwords, PINs and answers to challenge questions. These are the most common means of authentication, even though as many as two-thirds of callers into bank contact centers report that they are frustrated with having to remember a multiplicity of increasingly complex passwords.
Something you have – which used to refer to physical dongles or tokens that could be lost, stolen or damaged. Today, possession of a smartphone suffices. Banks or other financial institutions are able to determine the unique attributes of the phone (the so-called “device profile”), plus it brings the added advantage of having “sensors” – including microphones, cameras, accelerometers, GPS – that can bring great confidence in the identity of an individual.
Something you are – often referred to as a biometric or behavioral attribute. Commonly used biometrics are fingerprints (TouchID, etc.), facial characteristics (selfies) and iris scans. Yet, given that the phone is often something you have, voice is a natural and strong authenticator.
Opus Research has observed the adoption of biometrics on smartphones and notes the following. Fingerprint-based systems (like TouchID on an iPhone) are the preferred means of authentication, but fail about one-third of the time. Voice is the most natural factor but people are hesitant to use it in public and it can fail in noisy environments. “Selfies” are equally popular, but don’t work if there is insufficient light.
The Time is Now
Strong customer authentication does not take place in a vacuum. Banking customers have grown accustomed to using biometric factors and voice-first “trigger words” to wake up their devices and initiate services. Both contact centers and IVR systems have been pressed into service to perform voice-based authentication and other factors, such as device profiles, location information and originating numbers are brought to bear to detect imposters and prevent fraud.
The formulation of PSD2 by the European Banking Association is still underway. Still, it is high time for companies to get their plans in place and begin design and implementation. As bank security executives and customer experience professionals contemplate their options for conforming to PSD2, they should note that NICE’s Real Time Authentication platform is well-tuned to support SCA across voice and digital channels.
In the name of friction-free digital commerce, we counsel companies to include voice in their two-factor authentication plans. The efficacy (and accuracy) of voice is as good as or better than the alternatives. And the ease-of-use is unsurpassed, especially if enrollment can be done passively and authentication can be performed “in the background” during a conversation with a speech-enabled IVR or financial advisor.