How the banking sector is adapting to security and regulatory requirements [Q&A]
Banks and other financial services institutions have been moving more and more towards digital in order to streamline processes and improve customer service.
The pandemic has accelerated this process but has also brought a rise in cyberattacks. Regulators have also begun to take more notice of security practices surrounding accounts. We spoke to Michael Magrath, director, global regulations and standards, at specialist in anti-fraud and digital identity solutions for financial institutions OneSpan, to discover more.
BN: Has the 'dash for digital' and increased remote access been moving ahead of systems security?
MM: Certainly on the mobile app side I would say yes, and that's always been the case. App developers tend to have specific deadlines to push new versions to the app stores and security's kind of an afterthought. I used to work for a health care company and I know that first hand. So it's one of these things where, on the banking side, I think the security has been quite sound. It's when the pandemic hit those financial institutions that were not digital first or had put off a transition, they had to rush their assessment of vendors and due diligence, they needed to put something in place quite quickly and really shift their priorities.
BN: Has this led to greater use of biometrics?
MM: From a policy standpoint there's been a lot of talk around biometrics in particular, you know on how safe they are. And people tend to lump different biometric use cases together whether that's facial recognition or something else. But the use cases are very different. So you have facial recognition where you might have to match facial data to thousands or even millions of people in a large database for a law enforcement or border protection type of application, or you might be simply verifying that person during an account opening process.
The standard for account opening now that's really been embraced by the financial industry is the combination of a scan of a government issued ID using a smartphone, having that identity document verified on the back end to assure that it's really a, you know, State of California driver's license. And then doing a selfie match using identity verification and face matching algorithms to ensure that the face on the photo is the face on the ID card.
BN: Existing regulation, kind of tends to be to be quite general it basically says 'you've got to look after this data properly.' Do you think we'll see more specific regulation of particular technologies to ensure that things like biometrics have been properly applied?
MM: There are a few things going on. In the US there has been some legislation put forth and much of it is around privacy, but there was also legislation called the National Biometric Information Privacy Act. That was introduced in the Senate and didn't go anywhere, but that doesn't mean it won't be reintroduced in the next Congress, starting in January. If passed that's going to put obligations on entities such as banks when it comes to the collection and protection of biometric identifiers. Then there's other things that couldn't be written into regulations, where, there could be an industry best practice not to store any biometrics un-encrypted for example. Another practice that the industry tends to do is separate biometric identifiers from other identifiers like addresses and have those stored in separate areas. Those are some of the things that I think you'll see.
Then during the election California passed the replacement for the California Consumer Privacy Act, the California Privacy Rights Act (CPRA). California is very progressive but one of the things that they've done is define what sensitive personal information is and that businesses need to collect consent from the individual before they can use information or share it with any other entity. They also define what sensitive personal information is in the law. That's the usual suspects like name and date of birth and address but they go so far as to include account credentials, user IDs passwords, email addresses biometric information, which could be the fingerprints, or facial images.
I think you're going to see more states introducing that or piggybacking on the California Privacy Rights Act and introducing their own legislation to mirror that in 2021. I think with a Democrat administration you're going to see stronger data privacy protections at the federal level too. The Obama administration introduced the National Strategy for Trusted Identities in Cyberspace (NSTIC) and I can see the new administration rekindling that and embracing it.
BN: Will some of the actions taken during the pandemic become permanent?
MM: Most of the states -- I think it's up to 47 now -- have either enacted laws, or the governors have by executive order, which have permitted remote online notarization. It's kind of like a Zoom meeting with identity verification built into that so the notary can know who that person is and verify their identity to have documents electronically signed, as opposed to using pen, and having the notary stamp digitally affixed to those to those documents. That's something that I think will be a permanent fixture now, and I see that being rolled out, globally, not just isolated to the United States.
If you want to explore this subject further there's a Global Financial Regulations Report available from the OneSpan site.