Biometrics – the future of verification

24 June 2016

Julian Turner talks to Chris Popple, managing director of digitisation at RBS, about the biometric banking revolution, artificial intelligence and partnering with the world’s most iconic technology company.

In 9 September 2014, at an iPhone 6 launch event in California, Apple made public one of the worst kept secrets in world business; namely, that it was entering the US contactless payments market.

Apple Pay represented a major milestone in the history of disruptive banking technology. Using near-field communication (NFC), the 'digital wallet' allowed users to make secure card payments through Apple's Passbook app, verified by the owner's fingerprint using Apple's biometric Touch ID system.

For added security, Apple Pay ensured that card details stored on a mobile phone were never passed to the retailer. Instead, the payee received a 'token' allowing them to debit the payment only once.

A year on, iPhone devices are now used for 10.0% of all global online transactions. In the UK, where Apple Pay launched in July, 44.8% of online transactions in Q2 2015 were made using a mobile.

Smartphone manufacturers are frantically playing catch-up. Samsung used the 2015 Mobile World Congress to launch its own NFC platform, Samsung Pay, but Apple Pay's rivals have so far failed to gain meaningful traction, particularly in the UK, where iPhones enjoy high market penetration.

For Chris Popple, MD of digitisation at Royal Bank of Scotland, Apple's entrance into the UK mobile and biometric banking market was a unique opportunity to offer RBS customers what they'd long been clamouring for: seamless access to essential services in partnership with a trusted global brand.

That goal became a reality in February when RBS and NatWest customers became the first of any UK-based bank to be able to login to their mobile banking app using only their fingerprint.

"RBS is all over new technologies that make services more accessible to our customers and we think we've found the magic blend in Touch ID," he states. "If there's one thing that hinders adoption of digital experiences it is access; the average number of user names and passwords that someone now has to remember to access digital services is around 25 - and that number is growing.

"Mobile biometric technology represents a really exciting solution, and Apple helped us understand and get comfortable with how fingerprint authentication works, and how it communicates into apps. There was definitely a vocal crowd of early adopters who we listened to via our online community forum 'Ideas Bank' and our resulting strategy centres on improving multichannel access to services."

Touch ID technology

Biometrics refers to authentication technologies that measure and analyse human characteristics such as DNA, fingerprints, retinas and irises, voice patterns, facial patterns and hand measurements.

The average number of user names and passwords that someone has to remember to access digital services is around 25 - and that number is growing.

Faster yet more secure than a four-digit pass code, Touch ID works much like a flatbed scanner used for scanning photographs. Protected by sapphire glass, the fingerprint image is scanned at 500ppi by a sensor just 170 microns thick, and a high-resolution version is stored. Measuring unique features of the fingerprint such as subdermal ridge flow angles, the Touch ID system produces a unique key, and a mathematical representation of the fingerprint scan is stored and encrypted on the iDevice.

Every time the phone is unlocked, the scanning process is repeated and if the data key generated matches the one already stored, the handset is unlocked. When completing purchases with systems such as Apple Pay, a fingerprint match results in the device auto-filling stored keychain information.

Popple is quick to point out that, as measured by attempts to defraud, fingerprint authentication in general - and Touch ID in particular - is one of the safest ways to access digital banking services.

"Touch ID revolves around the key chain access; how the individual fingerprint is stored in the key chain, how that key chain is accessed and how RBS then taps into that data," he explains. "The critical RBS information is encrypted in Apple's complex key chain, making it extremely difficult to access.

"Yes, it is possible to lift off the fingerprint using a laminate, steal the phone, place the laminate back on the fingerprint device and access the app, but that's a very involved process to perform at scale.

Criminals want to expend the least amount of effort for the maximum gain, and so in terms of risk versus reward, there are much more attractive ways to commit fraud.

"RBS employs a top-notch security team that continuously monitors our systems and challenges our assumptions. In addition to Touch ID, we have multiple security blockers and safeguards in place that track everything from mobile customers' behaviour patterns to their payment limits."

Background monitoring also underpins the bank's corporate strategy in the form of a new biometric platform that offers multinationals forensic insight into unauthorised and anomalous behaviour.

Danske Bank recently introduced a timer into its ebanking platform and discovered that the speed at which an online form was filled out differentiated a real user from an imposter 97.4% of the time.

"Large corporates have administrators in accounts and finance departments whose job it is to move money around and these people have a pattern to how they use digital services," Popple explains.

"How they type on the keyboard, how they use the mouse, this all forms part of the individual user signature, and RBS's innovation function is heavily invested in developing a new wave of technology that identifies rogue behaviour patterns and throws up a flag - without the client being aware."

Customer demographics

In terms of customer-facing technology, RBS and NatWest's busiest branch is arguably the mobile app itself. Over three million of the banks' customers access it every week, and RBS and NatWest also boast 1.8 million active iPhone users who log on to the app an average of 40 times each month.

"People assume that it's a young demographic that uses Touch ID but in reality the customer spread is very broad," says Popple. "At first, the user numbers were almost directly mapped to wealthier people - those who owned iPhones - but now, with the iPhone 6 series, it's become more ubiquitous.

"I don't see this as the difference between tech-savvy and not tech-savvy. There's always an early wave that loves the technology but we are now seeing uptake from people who are more discerning.

"Touch ID is therefore less about the technology and more about the overall customer experience, because the fingerprint technology is part of the set-up of the iPhone. If Samsung, for example, developed more phones with fingerprint ID incorporated, then we could simply piggyback our services on the back of their offering. That proposition makes tons of sense for RBS and NatWest."

Behavioural monitoring in the form of a new biometric platform offers multinationals forensic insight into unauthorised and anomalous signatures.

Technology alone is not enough to change entrenched customer behaviour; instead, banks must be benefit-led. For Popple, that means engaging existing and potential RBS customers in a meaningful dialogue about what they realistically want from the multichannel commercial banks of the future.

"When people are time-starved, they tend to revert to established patterns of behaviour," he says. "Mobile banking is therefore about persuading people to pause and take the time to understand how certain technologies can change or improve something they have become familiar with.

"To a large degree, branch telephony and online evolved in silos but now we want the way in which we ask for identification to be consistent across all channels. So we've made our customer IDs much simpler to remember - that's important in a world of 25 names and passwords.

"I'm also not convinced that mobile technology inevitably spells the end of the traditional high-street branch. Mobile uptake and the declining use of banking branches are correlated, but not causal. People may decide to call the branch because something has gone wrong, they may have a query, they may need advice or their request may simply be more complex than the digital format allows."

The future of biometrics

A recent report published by Research and Markets estimates that by 2020 companies involved in delivering biometric technologies to the banking industry will create $5.5 billion in revenues, while the UK is on course to surpass the 50% mark for mobile transactions midway through 2016.

Barclays will roll out finger-vein authentication for UK business customers this year, having already pioneered mobile cheque imaging that allows customers to pay in cheques using a smartphone.

In July, Lloyds took a significant step towards abolishing passwords by launching a system whereby customers tap their contactless payment cards on their smartphones in order to prove their identity.

Facial recognition and commercial iris scanning systems are also being developed, but for Popple the next major biometric innovation is just as likely to come from artificial intelligence (AI) community.

"AI holds a huge amount of promise in terms of banking access and control in the mobile space," he enthuses. "Almost every major technology player has AI as part of its service; Apple's Siri, Cortana from Microsoft, Facebook - you could even argue that Google is semi-artificially intelligent.

"With the release of iOS 9, there is a set-up function to Siri where it asks the user to say phrases and then you train the system to recognise you. I can foresee a time when banks could piggyback off of Siri, for example, taking that unique voice fingerprint and wrapping into their banking services."