29.04.2020 г.

Remote customer identification (KYC) in banking: from biometrics to document recognition

In this article we would like to argue that effectiveness of business processes, which involve customer relations, does not rely on the sophistication of the technologies involved. Often, complex technical solutions for biometric verification in the banking sector can be easily replaced by simple ID recognition. We will take the banking sector as an example, and demonstrate how easily a bank can verify its clients’ identity by simply checking their ID remotely through the banking app, which has an integrated recognition module. We would like to make it clear though, that we do not wish to criticize biometric methods of identification or question the importance of their development in this context. We would like to show that modern technologies are catching up with each other and as a result and gradually improving due to the simplification and “facilitation” of developed algorithms.

In the banking sector particularly, not only a person’s personal data but also their financial well-being depends on the quality of the solution that the bank uses for remote identification. The accuracy and security of such solutions has recently become an issue, and is especially relevant now, when the world just suddenly went online due to the COVID-19 pandemic. Even though not so long ago it seemed that biometrics and face recognition could solve all the problems related to remote identification, this stress test that the world is undergoing now, shed new light into the fact that it is far from the only remote identification method, and certainly not the safest one – for both interacting parties. We only need to look at what some questionable recognition technologies with low precision have led to: where an individual which had 61% similarity to the suspected person received a fine, says it all.

A few years ago, remote human biometric data collection and recognition was regarded as the most accurate method to remote verification of an individual. Here’s how the process of remote biometric identification is described on one of the sources: “Remote identification is a primary procedure of the bank’s first acquaintance with a client, which is carried out online and involves a collection of certain unique biometric identifiers, including: fingerprints, blood vessels patterns such as the retina of the eyes or finger veins, voice, facial contours and even the heart rate. It is essential that: 1) biometric samples are passed by the individual in advance; 2) those samples get stored in a certain database; 3) the bank has access to that database; 4) it is possible to verify (confirm) the material provided by the client with a sample stored in the database.”

Thus, before using biometrics as a method of identification, the client has to first physically go to the bank or any other organization that uses the biometric system, provide data samples (the most common ones include voice recording, or fingerprints scans), and identification and authentication will become possible only after these samples appear in some digital repository. This method is indeed reliable, however in our opinion it is extremely complex at the same time, for both sides of the process. Biometric identification is most likely to be used in forensic science and in cross-border control, where not only the citizen has to be identified by their biometrics, but also the other way around – the fact that the biometric data belongs to the relevant citizen has to be confirmed.

 The most ironic part, and certainly the least pleasant for fans of biometric authentication as the one and only method of authentication, is that from a technological point of view presenting your own fingerprints, or voice, or iris is not much different from entering a 256-bit password; same goes for using token-device bundle or any other method of two- or three-factor authentication. For a “machine”, all our biometrics is just a set of zeros and ones anyway. Most importantly, it is as easy to compromise biometric data as it is with any other personal data (example: the world’s largest Indian biometric database Aadhaar (https://www.bbc.com/news/world-asia-india-42575443), 2017 data leak).

It is curious that Europe has recently started to consider biometrics as not the only method of remote identification when it comes to the provision of services that involve sensitive data. On January 12, 2016 the EU adopted the PSD2 directive (https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en/), which is also known as the Open Banking. It imposes a requirement on banks to use multi-factor authentication when performing any remote transactions. This means that in the process of user identification / authentication several methods of confirming the identity should be used, including:

• Knowledge: certain information is only available to the client, for example, password or security question.
• Ownership: a certain device that is used by the client, i.e. mobile phone or token.
• Uniqueness: something either inherent or what uniquely identifies the person, for example, biometric data.

In addition to using biometric data as an access key, banking operations must be accompanied by additional checks, such as code word, security question, token connection, use of a specific device (smartphone or computer with a unique identification number), or PUSH / SMS codes. And this is where it gets interesting – what is biometric data here for? 

There will be yet another big trouble for banks in case they are forced to use biometric identification systems: its implementation requires significant costs, since the deployment of related information infrastructure is expensive and includes installation of equipment for data collection, processing software, creation of data centers or secure cloud service rent to store that data, security provision, and so on. That is the reason why such regulation on obligatory collection of biometric data was met with broad opposition from the banking community in some countries and caused the government to postpone the adoption of the law indefinitely.

As technologies are evolving, banks are gradually withdrawing intermediaries from the bank/client interaction, including operators, managers, and agents, using human interaction only to provide premium service, in which the client receives individualized attention, or in those cases where modern technical tools are not available to the customers. Today, more often the operator is replaced by the “mobile bank”. 

Remote customer identification however is necessary at all stages of bank/client interaction. Until recently, even large banks had to make physical copies of their clients’ passports each time their client performed a transaction, topped up their account, withdrew money, transferred funds to another account or subscribed to an additional service, such as online banking or SMS notification. This provided protection to the bank in case the client raised any claims. Today, however, all this has completely evolved into electronic document management. 

Provision of physical copies of identity documents for their verification and authentication of the individual will remain the most accurate way of identification as long as the state is using a unified digital platform where all records of citizens are kept – from their birth till death. The closest example of building a fully digital society of this kind in Europe today is Estonia: in 25 years it has moved 99% of public services to digital. In case of remote identification which involves software and hardware systems, the role of the operator/controller/account manager is performed by the user’s device: a smartphone or a computer equipped with a web camera.

In terms of the outcome, it doesn’t really matter who will be checking the document – the operator or the recognition system. In either way, the customer data will be populated into the bank’s CRM system, which will allow them to be identified for future interactions. In case it is the operator who is performing the identification, in an optimistic scenario, they will take the passport and enter the data into the system using a special scanner/mobile device equipped with a camera and the relevant application installed. Speaking realistically though, they will most probably type that data using their computer, as most banks do not use recognition technologies yet. 

A mobile application with a built-in remote identification system allows optimizing several processes at once: it recognizes customer data and automatically enters it into the relevant fields. To give you an example, applications based on the Smart Engines SDK recognize customer document data almost instantly while working offline, without transferring document images to third-party servers or cloud services. The computer vision system automatically detects a photo on the provided ID document and cross-verifies it with the photo of the owner of that document. Depending on the requirements of the bank, the document image can also be checked for the signs of falsification, which is called forensics, as well as the correctness of the data based on the analysis of a machine-readable zone (MRZ) can be established. As you can see, it doesn’t really matter who is performing all the actions – the bank representative, or a user, while sitting on the sofa at home. The process does not change and includes: presentation of the document, data entry, data verification, and document validity assessment.

Let’s imagine a case, where the provided ID document is fake. If the AI-based recognition system did not reveal any signs of falsification and confirmed the relation of the document to the person who provided it – by a selfie with the document hold next to the face, the chances are that a person at a bank or a loan issuing organization, would have made the same conclusion: at the end of the day, it is much more difficult to deceive machine vision than a human. 

To summarize, let us list the advantages of the ID recognition based identification:

• Document recognition technologies are based on modern scientific achievements in the field of computer vision and optical character recognition (OCR). Technologically speaking, this is a more “advanced” solution than biometrics, as it operates with less individualized, albeit more structured objects.
• Recognition of passport data is performed on the user’s end device and does not require connection to any personal data repository, unlike in the case of biometric identification.
• It is much easier to replace at ID document in case of data leak than to change one’s biometrics.
• Although document recognition based identification requires investments into software development (client application), it does not involve creation of related infrastructure, such as biometric data storage, or access to existing higher-level systems (state or industry).