Biometric Identification for KYC – Limitations, Risks and Opportunities
Is biometric identification the answer when it comes to Know Your Customer (KYC)? Some providers are touting it as the be-all, end-all solution, the one way that will deliver full compliance, eliminate fraud and lead us to a state of authentication nirvana. However, as with any technology, there are pros and cons; let’s take a clear-eyed view of what the technology (or rather, the technology stack) offers and what are the potential pitfalls and issues to consider.
To help understand this issue deeper and to how to better deal with it, Trulioo has partnered with PYMNTS for an ongoing report, the AML/KYC Tracker™. Download the Tracker to stay on top of the latest trends, techniques and information regarding AML/KYC:
Biometrics, in general, refers to metrics related to human characteristics. When used in regards to identity, it’s about the analysis of physical attributes such as fingerprint, iris, facial, voice and retina to determine if a person is who they say they are. While biometrics combines all the different formats and providers together, in the end each system needs consideration on its own particular merits; what are the match rates, how many false-positives, how easy is it to use or deploy, how secure and accurate is it, how does it perform in a dynamic, real-world environment?
An analysis of biometric identification depends on the specific use-case, as it can be used in scenarios as diverse as unlocking a phone to entering a high-security restricted area. Currently for KYC, biometrics may consist of comparing a selfie or video with the face in the photograph that appears on an ID document. While this does provide one level of analysis, the operational success of this technique relies on the image quality and the determination of the algorithm to accurately match that image to the individual. Often, it comes down to a person making that determination which brings up serious questions regarding accuracy and scalability. What if someone uses a mask? What if a person is having a bad hair day? What if the reviewer is tired and not being diligent?
The advantage of using identity document images is their widespread availability as driver’s licenses and passports generally have photos. Other biometric factors face the challenge of effectively gathering, storing and controlling access to the biometric data. As the information is quite personal and can’t be altered if stolen, programs to gather biometric data can be problematic and security and privacy considerations require proper protections.
An estimated 120 countries now have electronic passports that include chips that can include digital photographs for comparison, fingerprints or other biometric data. While the technical capability might exist, there are cultural, social and legal questions to consider. What type of biometric information collection will the public accept? Who has access to that information and what protocols will exist to protect privacy? What legal framework about the data’s use for KYC purposes will emerge?
Biometric legal framework
One telling example is Aadhaar, an identity foundational system in India that collects fingerprints and assigns a 12 digit number which, when combined, provides identity functions. The courts struck down a provision in the Aadhaar Act that was enabling fintech companies to use Aadhaar for KYC purposes. There was significant confusion in the marketplace, as it was unclear on how to properly identify remote customers. Fortunately, recent “amendments clearly specify the regulatory approach to resume the KYC process by using Aadhaar through offline modes.”
Having identity rely on something you are (as opposed to something you have or something you know) does have a certain appeal. Remembering passwords or keeping your documents with you would no longer be necessary. Verification or authentication could be quicker and easier; for example, just walk by a camera. But any roll-out of biometric identity systems needs to be thought through, as there’s no going back. A full understanding of the problems and potential by users, providers and regulators is fundamental to the success of biometric identification.