skip navigation

Monday, May 20, 2013

[ – ] Text Size [ + ]  |  Print Page

Home > Bank Resources > Bank Resources Publications > SRC Insights > 2004 > Third Quarter

SRC Insights: Third Quarter 2004

Biometrics: A Viable Solution for Financial Institutions?

by Frederick W. Stakelbeck, Jr., Training and Development Coordinator

Financial institutions and their customers may be closer than ever to living in a futuristic world driven by biometric technologies. Forget the virtual reality kiosk at your local shopping mall, not even motion picture director George Lucas could imagine biometric solutions like those now being developed by research laboratories nationwide. With considerable advancements realized over the past twenty years, an astonishing array of biometric solutions are now available to financial institutions seeking customized products to meet their physical security, computer access, and data management needs.

Traditional security approaches used by financial institutions normally focus on locks and keys, numeric keypads, magnetic cards/PINs, usernames/passwords, surveillance cameras, and human guards. These security approaches, while somewhat effective, have clear limitations. Keys and passwords are often lost, stolen, or damaged. PINs are designed to identify a card and password, but not the user. Surveillance cameras are susceptible to malfunction, disrepair, and quality issues. Human guards are expensive and prone to error.

Used independently or to supplement existing security measures such as smart cards, biometric technologies offer financial institutions legitimate alternatives to protect against illicit criminal activity, such as identity theft, account manipulation, and fraud. Identity theft, in particular, has become an increasing threat to the autonomy and independence of financial institutions. A recent survey released by Dr. Alan Westin, Professor Emeritus of Public Law and Government at Columbia University, showed 33.4 million Americans have been the victims of fraud or identity theft since 1990, with 13 million cases since 2001.1 The same survey noted that since 2001, out-of-pocket expenses for victims have totaled $1.5 billion annually.

The International Biometric Group, a biometric consulting and technology services firm, recently released its Biometric Market Report for 2003-2007.2 Some of report's more notable findings include:

  • Global biometric industry revenues, which stood at $601 million in 2002, are expected to reach $4 billion by 2007.
  • The largest increase in revenue will occur in fingerprint-based technologies.
  • Facial-Scan and Middleware biometric technology revenues are expected to reach $200 million and $215 million respectively by 2007.
  • The government sector will continue to be an attractive market for biometric technologies, generating $1.2 billion in expected annual revenues through 2007. The financial sector will account for $672 million in annual revenues, while travel and transportation will account for an additional $556 million in annual revenues through 2007.

This article will examine biometrics as an alternative to current authentication and verification measures. It will review the functionality of biometric devices, describing the various types of biometrics now available to financial institutions and providing examples of current business and government uses; review broader legislative and regulatory action; discuss the evolving market for biometrics, including at financial institutions; outline recent Federal Reserve action; and provide general conclusions.

What are Biometrics?
In our everyday lives, most identification occurs through our personal interaction with others. If this identification method is unavailable, the next best alternative involves the introduction of "tokens." Tokens come in two forms: knowledge tokens, which include passwords, PINs, or personal data, and physical tokens, which include identification cards, chip cards, passports, and keys. Knowledge and physical tokens have worked well in the past in reducing identity theft and fraud because they can be revoked or reissued. However, like most mature technologies, cracks have appeared in the armor, as fraudsters have found ways to compromise authentication, identification, and verification measures.

This brings us to the next generation of security products for financial institutions—biometrics. The term "biometrics" refers to automated methods used to identify a person based on physiological or behavioral characteristics.3 Physiological Biometrics are based upon data resulting from the direct measurement of a part of the human body, such as hand geometry, finger images, facial characteristics, voice, and iris recognition. Behavioral Biometrics are based on an action taken by a person; they are traits that are learned or acquired. Biometrics actually serve a dual purpose—first, confirming a positive identification or proving that an individual is who he/she says he/she is and secondly, confirming a negative identification, or proving that he/she is not who he/she says he/she is.

Biometrics can be used in a very practical way in our everyday lives. In a positive identification scenario, an individual submits a "live" sample, such as a fingerprint, to a biometrics system using a fingerprint scanner. The system performs a check against a database containing authorized individuals to determine if the sample on file matches the sample presented.4 This identification system reduces the probability of more than one individual using an identity.

In a negative identification scenario, an individual claims not to be someone already registered in a system's database. The system checks the database to affirm that the individual is not on a "watch list" of individuals.5 This watch list may include bank robbery suspects, credit card or identity theft fraudsters, or individuals suspected of other criminal activities.

Biometrics are used by a growing number of financial institutions. The following are some of the more widely used biometric solutions.

Fingerprinting. Fingerprint scanning is the most widely used biometric application today, accounting for about 50 percent of the overall market. This is due in large part to its reliability and cost effectiveness. Fingerprint readers and scanners are used by some of the largest financial institutions for IT security, including Barclays and Barclays Card, UBS, American Express, Bank of Montreal, Westdeutche Landesbank, Bank of Nova Scotia, Bear Sterns, Prudential, Bank of Slovenia, Union Bank of California, and Morgan Stanley. In practice, fingerprinting takes an ink or digital scan image of an individual's fingertips and records unique features such as whorls, arches, ridge patterns, loops, furrow patterns, and other details. This information is stored as an image or as an encoded computer algorithm and is compared to an existing database for identification or verification. An advantage of this technology is that fingerprints are difficult to counterfeit, given the intricate information in each fingerprint. For depository institutions, the use of fingerprint biometrics could provide a more secure alternative to customary card-and-signature safe-deposit box access. Depository institutions may also realize security-related benefits in the areas of online transactions and employee computer access. Fingerprinting has also been the subject of significant research over the past several decades, increasing its public visibility. Finally, fingerprint sampling units are accurate, sturdy, compact, and less susceptible to forgery.

Voice Recognition. Voice recognition technology remains a second-tier alternative among current biometric alternatives. Difficulties arise with the voice compression associated with microphones and handsets, background noise, and changes in the human voice as a result of aging, stress, and fatigue. This presents difficulties for computers in the positive identification of individuals. However, voice recognition does allow for remote identification using existing phone lines, which would eliminate much of the up-front costs associated with normal biometric identification program startups.

Signature Verification. Signature verification is the process used to distinguish an individual's handwritten signature. To confirm the identity of a user during the verification process, changes in the speed, shape, and pressure of an individual's signature are measured. A rudimentary form of this verification process is typically used today by depository institutions when bank tellers verify the signature of an accountholder making a transaction. The consistency of a signature is most important, since ordinary motions and patterns will assist in the creation of a recognizable pattern for biometric identification.

Iris/Retina Scanning. Originally proposed by ophthalmologist Frank Burch in 1936, iris/retina scanning analyzes the unique features of the colored tissue surrounding the pupil, which includes corona, filaments, striations, and other identifiers. Iris scanning provides a very attractive and accurate alternative for authentication, identification, and verification. However, start-up costs remain extremely high, and issues of operational difficulty and training remain.

Facial Recognition. First introduced in the late 1980s, facial recognition analyzes the characteristics of an individual subject's face image, including overall facial structure and spatial measurements between the nose, eyes, jaw, and mouth. Measurements are retained in a database and are used for comparison when an individual stands before a camera. This technology is gaining support in the anti-terrorist community because of its apparent non-intrusive nature. Concerns have been raised, however, over the use of facial recognition technology because of its perceived infringement upon an individual's right to privacy, especially if used in public places such as airports, restaurants, and sporting facilities.

Hand Geometry. Employed at nearly 8,000 locations worldwide, hand geometry involves the measurement and analysis of the shape of an individual's hand. Unlike fingerprints, hand features are not unique; however, using a combination of independent variables, verification can be achieved. Hand geometry is easy to use, requires very little data, and is virtually impossible to manipulate. The difficulty associated with this technology rests in its accuracy, cost, device size, and possible user problems as a result of physical changes to hand geometry.

Selected Legislative and Regulatory Action
A number of legislative and regulatory initiatives have been adopted over the past several years that incorporate biometric solutions as key components of an overall strategy to improve national security and reduce fraud. The following are some of the significant initiatives in these areas:

  • The USA PATRIOT Act requires the federal government to develop and certify a technology standard that can be used to verify persons applying for or seeking entry into the United States on a visa. The Enhanced Border Security and Visa Entry Reform Act of 2002 requires that only machine readable, tamper-resistant visas and other travel and entry documents that use biometric identifiers be issued to aliens after October 26, 2004.
  • The Fair and Accurate Credit Transactions Act of 2003 (FACT), signed by President Bush on December 4, 2003, made significant changes to the Fair Credit Reporting Act (FCRA), which will provide consumers, companies, credit reporting agencies, and regulators with new tools in the fight against identity theft. The FACT Act provides for a free annual credit report, allows for the receipt of a credit score from a credit reporting agency, increases the standard for accuracy in credit reports, reinforces the need for adverse action notices, and creates a national fraud detection system to protect consumers against identity theft. The Act also requires federal regulators such as the Treasury Department to study how biometrics can help prevent identity theft and to solicit public comments regarding the costs, risks, and uses of biometric technologies. The Treasury Department released a 14-point survey in the March 2, 2004 Federal Register to comply with this requirement.6,7 Responses from individual entities and the general public were due on April 1, 2004, with a report to Congress required in June 2004.
  • The Department of Homeland Security has been a strong advocate of biometric solutions to curtail unauthorized entry in the United States. The U.S. Attorney General and the Secretary of State have been directed by Congress to issue to aliens only visas and other travel and entry documents that use biometric technologies. Each country certified to participate in the visa waiver program has been instructed to certify that it has a program to issue to its nationals passports that incorporate biometric authentication identifiers. Both the Transportation Security Administration and the Immigration and Naturalization Service have released policies, which conform with the Department of Homeland Security policies concerning the use of biometric technologies for foreign travelers.
  • The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of federal financial institution regulators responsible for establishing uniform principles, standards, and report forms. On August 8, 2001, the FFIEC released guidance, which focused on the inherent risks, and risk management practices related to authentication in the electronic banking environment, and provided considerations for the implementation and use of biometric technologies by financial institutions. The FFIEC also set forth administrative and logistical standards for secure biometric systems in its Information Security Booklet.8 According to the FFIEC, biometrics contain unique authentication advantages, which may be beneficial to financial institutions. The booklet addresses issues related to biometric technologies associated with the recording of physical characteristics, establishment of secure enrollment devices, and acceptable probability and statistical confidence levels.

Federal Reserve SR Letter 03-10
The Federal Reserve System and the Federal Bureau of Investigation (FBI) have enhanced the Federal Reserve System's name check requirements under the Bank Holding Company Act and Change in Bank Control Act. Under these Acts, individuals who would "control" an insured depository institution must first secure regulatory approval. As part of this approval process, the Federal Reserve usually conducts name checks on individuals associated with the proposed transaction.

In SR Letter 03-10, Enhancement to the Name Check Process Related to Applications Reviewed by the Federal Reserve, released on May 28, 2003, fingerprinting has been added to supplement the overall criminal history and name check process. The Federal Reserve uses two methods to obtain fingerprints—"LiveScan" terminals and fingerprint cards. Currently, eight Federal Reserve banks, including Philadelphia, use LiveScan terminals. Important guidance related to the applicability of SR 03-10 can be found in the instructions to the Interagency Biographical and Financial Report, Form FR 2081(c).9 Applications or notices received after June 30, 2003, are subject to the new finger printing procedure.10

The Evolving Market for Biometric Technologies
Growth in the biometrics market is expected to be driven by the global focus on security. Global biometric revenues generated during 2001 totaled $524 million, with 65 percent of that from law enforcement and the public sector. In the United States, the $10 billion US-VISIT (Visitor and Immigrant Status Indicator Technology) Program was piloted in November 2003 by the Department of Homeland Security. This program is designed to collect and retain biographic, travel, and biometric information about visitors to the U.S. Nationwide implementation of the security program occurred on January 5, 2004 at 115 U.S. airports and in cruise ship terminals at 14 U.S. seaports.

On April 26, 2004, Great Britain announced plans to introduce identity cards to stem illegal immigration and defend against possible terrorist attacks. Pilot trials for the new identity program began in April 2004 and have included 10,000 volunteers nationwide.11 An integral part of the new identity card program will be the use of a national database containing the facial dimensions, iris images, and fingerprints of individuals. According to Great Britain's Home Security Office, biometric data will be used for passports and driving licenses before compulsory identification cards are eventually rolled-out sometime in 2013.

Financial institutions currently reviewing the feasibility of biometric systems include the following:

  • Associated Bank - implemented voiceprint technology in June 2003. The technology is designed to improve security for the Bank's e-business initiatives by increasing the "probability" of identifying online users. 12
  • Fidelity Investments - pilot testing a voice recognition system to authenticate customers conducting telephone transactions.13
  • Bank of America - testing fingerprint ID for customers. 14
  • United Banker's Bank - using fingerprint technology for customers and employees.15
  • American Express - using fingerprint biometrics for physical access.16
  • Mellon Bank - using fingerprint biometrics for background checks.17
  • California Commerce Bank - using fingerprint biometrics for network access.18
  • InTrust Bank - using voice recognition for bank transactions.19
  • Western Bank - using signature-based biometrics for financial transactions.20
  • First American Bank - using signature-based biometrics for document processing.21
  • First Tennessee Bank - using signature/hand biometrics for vault access.22
  • Bank of Hawaii - using signature/hand biometrics for vault access.23
  • Zion First National Bank - using signature/hand biometrics for vault access.24

Although the global market for biometric solutions has experienced measurable growth, the United States market still remains the catalyst for global acceptance. The global market has not expanded as rapidly as most industry analysts would have predicted, due primarily to a downturn in the world economy and United States' foreign policy issues which have delayed finalization of private and public sector contracts. These concerns not withstanding, it would seem that the delay in adoption of biometric solutions is more a matter of timing than of product legitimacy, since many of the delayed projects remain under consideration by clients.

Considerations for Financial Institutions
As with any emerging technology, biometric solutions present unique challenges. Some issues related to biometrics will dissolve naturally, while others will require more targeted approaches. There are a number of issues financial institutions should consider before making an investment in a particular biometric solution. First, in general, biometric solutions still remain a cost prohibitive alternative for many small to medium-sized financial institutions. Although prices are expected to fall, fingerprinting devices and iris scanning devices sell for around $100 and $300 per unit, respectively, while face recognition systems start at $15,000 per unit. The maintenance of these systems also presents a cost concern, since hardware to capture biometrics and the databases and servers that house and process the information remain expensive.

Beyond price, user education can be lengthy and sometimes cumbersome, and gaining acceptance of biometric applications by both employees and customers may be problematic. Other concerns related to the use of biometrics by financial institutions may include:

  • The time constraints associated with the development of a realistic threat model that identifies targets and the threats they pose.
  • The quality of risk data used.
  • The reliability of information collected through the initial enrollment or registration process.
  • The implementation of a solution that exceeds an institution's security and authentication needs.
  • Concerns about the discriminatory and dehumanizing aspects of collecting, storing, and using biometric information.
  • The storage of central templates.
  • The need for extensive testing prior to deployment.

The Future of Biometrics
The financial services industry has traditionally been difficult for biometrics solutions to penetrate, due in large part to the cost prohibitive nature of the technology and consumer concerns regarding privacy and convenience. Cultural, political, and legal issues associated with biometrics continue to confront financial institutions, while issues of size, convenience, speed, accuracy, connectivity, and compatibility remain largely unanswered. Biometric vendors have attempted to address these concerns by offering more affordable, accurate, and compatible devices that can be easily installed and configured to meet the unique needs of financial institutions. Also helping biometrics win acceptance has been legislative, regulatory, and public recognition. There has also been encouraging work by the U.S. Biometric Consortium and the International Biometric Group in the development of uniform measurements, standards, and testing.

Where will the opportunities for biometric technology occur, so that sustainable, quantifiable growth can take place? Much of the focus post-September 11 has been on security issues and the government's desire for public safety in transportation, immigration, and border management. However, for the biometrics industry to survive and flourish, future efforts must focus on providing viable solutions for financial institutions, keeping in mind concerns about privacy and civil liberties. Encouraging signs have begun to emerge that show biometrics have become part of the lexicon of financial institutions. Serious discussions are taking place at all levels of government and in corporate boardrooms regarding the role of biometrics in the areas of physical security, data management, and data storage. As capital spending becomes more elastic, privacy concerns are addressed, uniform standards are adopted, and geo-political issues are resolved, we are likely to see biometric solutions play a more integral role in the overall operations of financial institutions well into the future.

If you have any questions regarding this article, please contact Frederick W. Stakelbeck, Jr., Training and Development Coordinator, at (215) 574-6422.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.