When discussing biometrics with others, I find that two television programmes are inevitably mentioned: BBC drama “The Capture” and Charlie Brooker’s dystopian “Black Mirror”. But biometrics are no longer the realm of futuristic, TV production imaginings.
They are increasingly forming part of our everyday life, from unlocking our phones with our fingerprints or faces, to iris recognition in airport security, to voice recognition when we talk to Alexa and Siri.
For the financial services sector, biometrics form a key part of upcoming regulatory requirements. The introduction of strong customer authentication (SCA) requirements in the Second Payment Services Directive (PSD2) puts biometrics front and centre in authenticating customer identity. When the SCA requirements come into force, payment service providers will need to authenticate customer identity using two or more of the following elements:
The advantages of biometrics, both for businesses and users, are clear (and we’ll touch on some of these below). However, no conversation about biometrics would be complete without digging into the challenges posed by the General Data Protection Regulation 2016 (GDPR). Biometric data is a 'special category' of personal data under the GDPR, meaning it is afforded higher levels of protection. Financial services organisations need to be keenly aware of the GDPR implications of processing biometric data to avoid weighty fines and reputational damage.
What exactly are biometrics?
The mention of biometrics immediately brings to mind dusting for fingerprints and scanning faces in crowds. Facial and fingerprint recognition are certainly prime examples of biometric technology at work, but the concept of biometrics extends much further than this.
The GDPR definition of biometric data refers to both 'physical and physiological characteristics', encompassing the traditional examples of fingerprints and facial images, as well as, iris and retina scanning, palm veins, voice recognition and DNA and 'behavioural characteristics' for example. The GDPR does not define this concept further, but the European Banking Authority’s (EBA’s) opinion on SCA, released in June 2019, gives an indication of how broadly this may be construed. When examining what would constitute 'inherence', the EBA refers to 'behavioural biometrics' as including behavioural processes created by the body. In a non-exhaustive list of characteristics that may fall within the concept of 'inherence', the EBA identifies, among others, heart rate, keystroke dynamics (the way a user types) and even the angle at which a user holds their device.
Biometrics use cases in financial services
SCA is the obvious example of where biometrics is already coming into play in banking and financial services. But the potential of biometrics in this arena is vast. In a world where security is key, the value of using a part of yourself as your password cannot be underestimated. After all, you can’t forget or lose your fingerprint. NatWest became the first bank, in October 2019, to issue a biometric credit card using fingerprint recognition to authenticate identity and allow payments to be made. China has taken this a step further with 'Smile-to-Pay', which allows users to pay for goods simply by (you guessed it) smiling at a point-of-sale machine.
Biometrics also lend themselves easily to fraud detection and prevention. Take keystroke patterns; if my bank can detect that I always pause for a microsecond before the asterisk in my online banking password to find the right key, any failure to do so can trigger further authentication methods to make sure that it’s not a more adept, yet fraudulent, typist trying to access my account.
There’s a space for biometrics in customer service, too. Customers are increasingly expecting a smoother and more technology-enabled service from the organisations they engage with. It’s not infeasible to imagine voice recognition being used on customer service lines both to identify the customer without having to ask for authentication information, and potentially to inform how that customer is dealt with based on the customer’s tone and perceived mood.
Privacy challenges of biometrics
Despite the clear advantages of biometrics, organisations need to exercise caution when deploying biometric technology into their businesses. As mentioned above, biometric data is a 'special category' of personal data within the GDPR definition, which means that it must be handled even more carefully than 'standard' personal data. Just some of the privacy implications of using biometric technologies are as follows:
Addressing the challenges
A ‘privacy by design’ approach is key when designing and implementing biometric technology solutions. Data protection impact assessments (DPIAs) are mandatory for 'high-risk' processing, particularly using new technologies. A DPIA will be indispensable not just to demonstrate compliance but to help businesses flush out where the key risks lie and determine and implement solutions to mitigate those risks.
Whatever the scenario, the processing of biometric data will always need to be proportionate, fair and justified. Businesses should think about the purposes they are intending to achieve; can those purposes be achieved using less intrusive means. If the answer is yes, it will be a challenge to demonstrate that using biometric data to achieve those purposes is proportionate. Ethical considerations should also be taken into account throughout the design and implementation process to ensure compliance with the overarching GDPR requirement that processing be fair.
The processing of biometric data will not always be at odds with the privacy legal framework, but a failure to consider the GDPR implications can land businesses in hot water. Thinking through the privacy risks from the outset can help organisations to design effective biometric solutions that respect individuals’ privacy and comply with the legislative requirements in place.
This article was originally published in Global Banking & Finance Review.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.