Biometrics in Banking: Navigating Identity Verification & Customer Experience

Biometrics in banking is about verifying and identifying people based on their unique physical or behavioral traits. Despite the obvious advantages of better security and UX, the main driver of the spread of biometrics in banking is compliance with regulatory authorities. So, it has become rather a must-have than a nice-to-have feature for businesses in this industry that want to secure their market share.

Typically, biometrics in banking involves two essential technologies:

• Processing and verifying biometric identity documents

• Verifying facial biometrics

Let's dive into each of these areas.

Originating from the need to standardize travel documents, the International Civil Aviation Organization (ICAO) introduced Doc 9303, a set of guidelines that outlines the technical specifications for machine-readable travel documents (MRTDs). This document laid the groundwork for the adoption of electronic machine-readable travel documents (eMRTDs), which include biometric information embedded on a chip inside the document.

Now, over 170 countries and territories issue biometric documents which contain contactless NFC chips, such as passports, ID cards, and residence permits. In this case, they are often called ePassports, biometric passports, and electronic or biometric identity cards. In the UK, for instance, a residence permit with such a chip is called a biometric residence permit.

Biometric documents are becoming more popular for remote verification than traditional ones, mainly because they are much more secure and difficult to counterfeit.

Businesses, especially banks, increasingly use facial biometrics in their operations, proving its effectiveness in fighting identity fraud.

Unlike fingerprint and iris scans, facial recognition technology offers a less intrusive and more accessible form of verification that requires no physical contact. This convenience factor and the technology's increasing reliability make face biometrics highly appealing for online banking services, mobile banking apps, and remote customer onboarding processes.

Facial recognition technology works by analyzing the unique features of an individual's face, creating a digital representation that is then compared to a database of known faces and/or the individual’s portrait in their ID.  

Companies that adopt facial recognition systems typically pair them with liveness detection technologies. Such technologies aim to verify that the individual is a real person and physically present during the remote process. Thanks to this, you can prevent fraudsters from impersonating someone by submitting other individuals’ photos, pre-recorded videos, etc.

Leading banks are already leveraging this technology to streamline the customer experience. For example, UBS integrates biometric ID scanning and facial recognition right from the first step of onboarding new clients. This approach speeds up the process, making it more convenient for customers while maintaining high security standards.

Remote self-service in banking allows customers to manage their banking needs from anywhere, at any time, and without in-person interactions. In many countries, including the entire EU, regulators require a biometric identity document for self-service identity proofing of a prospective customer. 

Simply put, certain contracts, such as loans and mortgages, require a qualified electronic signature based on the highest level of identity assurance. That makes biometric identity documents essential for automating identity proofing and onboarding customers remotely 24/7.

The process of remote self-service onboarding somewhat resembles the process at the airport when you go through the e-gates. It usually unfolds in these six key steps:

• Document scanning

• Reading the digitally signed data from the chip

• Know Your Customer (KYC) questions

• Taking a video selfie

• Performing liveness detection

• Face comparison

When creating secure remote banking solutions, it’s worth considering two main factors:

• The mobile devices themselves

• Backend processing

Zero trust model. The first foundational principle is not to trust users’ mobile devices, because they are vulnerable. They might be modified in ways that make them less secure, like being rooted or jailbroken. So, mobile devices serve mainly to gather information, while all the critical security checks and decisions happen on the backend system.

All the processing on the backend. The backend system is where all the heavy lifting happens. This includes but is not limited to validating documents, liveness detection, making sure the person's face matches their ID, and other security steps. Data must also be stored in a trusted backend environment.

Designing a service with a versatile API from the start is another important principle. It makes it easier to fit the needs of different users, and work smoothly with various mobile apps and business processes.

Three key factors influence the conversion rate of remote self-service onboarding:

#1 Intuitive user guidance. The success of the IDV process largely depends on providing users with clear instructions. Since scanning identity documents, especially with biometric features, is rare for most people, step-by-step guidance can significantly improve user experience. For example, demonstrating the correct way to hold an ID and use a mobile phone for scanning can prevent drop-offs at this step.

#2 Contextual help. When users encounter errors, generic error messages are not helpful. Providing context-specific animated instructions can guide them on how to correct mistakes: for example, adjust lighting conditions to avoid glare, or position the document correctly for NFC chip scanning. This tailored support minimizes frustration, and encourages users to complete the process.

#3 Early eligibility checks. Starting the authentication process with an eligibility check for the identity document ensures users don’t waste time on a process they cannot complete. If a document isn't eligible for self-service, users should be promptly directed to alternative verification methods, such as video calls or branch visits.

While the advantages of biometrics in banking are clear—reducing fraud, better compliance, and cost-effectiveness—this strategy also presents challenges.

Security vs. accessibility. While biometric IDs provide a high level of security, they could also sideline potential customers who don’t have such documents, particularly in regions where biometric documentation is not widely available.

That's the case, for example, if you want to cater to customers from India. The country represents almost 18% of the world’s population, but still doesn’t yet have biometric passports for the general population. Or countries like the US, where more than half the population doesn’t have biometric documents and relies on traditional documents such as driver's licenses for identification.

Perspectives of stakeholders. Banks lean towards the enhanced security and streamlined processes biometric IDs allow, and customers enjoy the quick and convenient onboarding they enable. Yet, regulatory bodies stress the need for inclusivity, cautioning against security measures that might exclude specific groups.

This can also cause revenue losses due to the loss of potential customers who wanted to use self-service but were declined because they only had a traditional passport. This may create a negative experience and influence customer loyalty in general.

It’s clear that in most cases, there has to be a “plan B” to cater to customers with traditional documents. For example, a business might offer a video onboarding call.

The capability of biometric technology to digitize and streamline banking processes extends far beyond initial customer onboarding. Once users are in the system via biometric authentication, the same technology opens up plenty of options.

In regions like Switzerland and the broader European Union, regulations require that digital signatures and client identifications be renewed every three years. With biometric authentication already in place, banks can automate this process, eliminating the need for physical signatures or paper contracts. This streamlines operations and also enhances convenience for users.

Changes in personal information, such as name or address, can be seamlessly managed through remote biometric-based identity verification processes. This automation significantly reduces the administrative burden on both the bank and its customers.

Biometric technology also offers an effective solution for account recovery scenarios. Should a customer need to reinstall a mobile banking app, biometric authentication facilitates a secure and straightforward process for regaining access, available around the clock.

For transactions deemed high-risk, biometric technology can provide an additional layer of security through step-up authentication. This can include liveness detection and facial comparison checks, further safeguarding against fraud and unauthorized access.

Banking is an extremely high-stakes, regulated industry, regardless of the geography, so it’s natural that there are plenty of must-have features on their evaluation criteria list. The ideal technology partner should possess a deep expertise in biometrics and document verification, a proven track record in the banking industry, and the ability to provide secure and scalable solutions.

Here’s a breakdown of essential evaluation criteria for biometrics in banking tools across three major categories:

• Document support (comprehensive coverage of ID documents, including biometric passports and national IDs)

• NFC-based verification with server-side re-verification

• Document liveness checks

• Cross-checks and authenticity control

• Error-handling flexibility (the ability to effectively manage errors during the verification process, including customizing responses to specific error events)

• Biometric checks (robust liveness detection to counteract deepfakes, masks, and videos, plus face match and face search)

• User guidance (clear, intuitive user guidance with options for customization to fit the bank’s branding and workflow requirements)

• Automatic document type detection

• Image quality assessment and improvement (so users can complete the verification process, even in challenging conditions like poor lighting)

• Cross-platform support

• Detailed developer documentation and customizable code samples

• On-premises or software-as-a-service models to align with the bank’s data privacy, protection needs, and regulatory compliance

• Adjustable size of SDK

• Test document service (more about that below)

A very important but not commonly discussed aspect of a great IDV provider is where to obtain enough document samples to test your system before rolling out into production.

If you’re in global banking or FinTech, you need to support biometric IDs from over 100 issuing countries, and you won’t be able to obtain these passports from your staff or project members. Besides, for data protection and data privacy reasons, you can’t use real passports in an engineering or a testing environment. 

Still, you need to somehow test your system to make sure it can cope with error conditions like an underage prospective customer, an expired passport, a failed signature validation, etc. 

To address this need, Regula has introduced the Regula NFC TestKit Service. The service includes a test set of identity documents featuring authentic RFID chips, each personalized with fabricated data. These documents include a visual zone and machine-readable zone (MRZ) but lack other security features. You can print and use them to evaluate your system performance.

This method closely replicates the experience of scanning real NFC chips, allowing businesses to realistically simulate document verification scenarios that might arise during remote identity verification, and ensure that any potential weaknesses are identified and addressed.

• Biometric authentication in banking improves fraud protection and streamlines onboarding, surpassing traditional security methods.

• Typically, biometrics in banking involves two main technologies: handling biometric identity documents and verifying facial biometrics.

• Most often, biometrics in banking is used for self-service onboarding. However, it has great potential for digitization of numerous processes, including renewals, personal data updates, account recoveries, and more. 

• When banks build a system to enable remote onboarding, there are three critical factors: a zero-trust model towards user devices, processing all critical security checks and decisions on a secure backend system, and utilizing a versatile API from the start. 

• Success in terms of conversion rate hinges on clear user instructions, immediate error handling, and verifying document eligibility upfront.

• Before adopting an IDV system involving biometric ID documents, it’s important to use a reliable set of IDs with real NFC chips, such as the Regula NFC TestKit, to test-drive the verification process.

• Choosing the right IDV partner is crucial for success.