
The promise and risks of biometrics for financial institutions

Financial, Executive and Professional Risks (FINEX)|Cyber Risk Management

By Anthony Rapa | October 29, 2019

While biometrics can help firms provide a faster, more seamless online account experience, care must be taken to understand the risks – and insurance coverages – involved.

On the face of things (poor puns notwithstanding), it’s not hard to see why the use of biometrics is increasing among financial institutions. As recent cyber breaches have again reminded us, keeping sensitive information and funds safely out of reach of criminals remains an imperative for firms in all corners of the industry. The regulatory, litigation and reputational costs of even a small incident can derail firm financial goals in an already margin-tight environment. All firms must continue to evaluate and improve security measures. In this regard, biometrics offer many opportunities.

Speed and security

Relying on passwords, tokens or PINs, current security protocols no longer seem up to the task. For example, Willis Towers Watson claim data has consistently shown that around two in three cyber breaches are caused by human behavior, including the use of weak, unchanged or downright predictable passwords. Biometrics can replace often lackadaisical human behaviors with unique physical characteristics such as fingerprints or facial recognition, which hackers are hard-pressed to replicate and certainly cannot guess. As such, biometrics can increase security in ways that “legacy” security protocols simply cannot.

Biometrics can also be integrated into public-facing mobile or online portals in a way that does not impede a quick, seamless user experience. As one of the three megatrends reshaping the financial services sector, technological innovation and transformation will increasingly separate the players from the also-rans.

One facet of this technological arms race is speed and ease of access. Aside from offering dubious protections against increasingly sophisticated attacks, legacy security protocols interrupt the customer experience. Customers are hard-pressed to remember a litany of passwords, and often have to reset them or engage in “slow” multifactor authentication processes. Biometrics, which are already integrated into most users’ ubiquitous smartphones, enable financial firms to provide secure access to online portals in a way that doesn’t slow or interrupt the customer experience.

Already in use

The advantages of biometrics are far from hypothetical. Many firms have already integrated them into their operations:

  • Mobile banking/digital branches: As firms rush to offer broader mobile and digital services to their clients, biometrics can provide effective security without distracting from or interrupting the digital experience. Most mobile phones now can read fingerprints or use facial recognition technology.
  • Traditional services: PINs can be replaced with fingerprints for ATMs or point-of-sale credit card transactions. Tellers can verify customer identities using eye-print authentication in person or voice authentication via phone.
  • Compliance: Firms, such as broker dealers, can create audit trails for trades and transactions to verify exactly who initiated a purchase or sale. Access to customer or firm databases can be more closely monitored and more tightly controlled.
  • Fraud prevention: To combat the plague of social engineering schemes, many companies have turned to voice identification protocols to help customer service representatives quickly identify whether they’re speaking with a customer or a known fraudster.
  • Cybersecurity: Security for computer networks, traditionally controlled with passwords, can be strengthened via the use of biometrics, which cannot be easily shared or stolen.

Not without dangers

On balance then, biometrics might seem like a win-win for the financial services industry: better protection that doesn’t interfere with customer access. What could go wrong?

Not surprisingly, lots. While biometrics offer significant advantages, they are not without risk.

  • Technological: Biometric data can still be hacked. For example, Internet security firm vpnMentor recently announced it discovered a data breach of a security platform that makes use of biometric markers. The trove of leaked data included not only personal information, but also over 1 million fingerprint records and facial recognition information. To mitigate this risk, firms are making use of software or third-party platforms that “distort” biometric markers in such a way that, should a leak occur, the affected markers can be “reset.”
  • Litigation: One major drawback of biometric reliance is that, unlike passwords or PINs, customers cannot be reissued new fingerprints. The potential downside here is massive – might a breach of personal information with the potential to follow customers forever play into the plaintiffs’ bar’s ongoing battle for standing in post-breach class actions?
  • Regulatory: The use of biometrics comes with significant regulatory risk. The collection, use and storage of biometric information is a new and developing area of risk that is only now starting to take hold. Evolving regulations like the General Data Protection Regulation, California’s Consumer Privacy Act, and even a new Illinois law concerning the use of facial recognition technology, will present new and evolving risks to financial firms in the years ahead. Although some regulators see the upside of biometrics (see the New York Department of Financial Services landmark Cybersecurity Requirements), their goodwill may only extend so far.
  • Reputational: Harder to quantify are the reputational damages that come with data breaches. Lost customers and business relationships resulting from a perceived lack of trust or security may be hard to replace.
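The “distort so it can be reset” idea in the Technological item above can be shown with a keyed random projection, one published approach to revocable templates. This is an added example, not code from the article or from any platform it mentions; the feature vectors, key names, template length and threshold are constructed assumptions.

```python
import hashlib
import random

TEMPLATE_BITS = 256      # length of the stored binary template (assumed)
MATCH_THRESHOLD = 0.25   # max fraction of differing bits accepted (assumed)


def protected_template(features, key):
    """Project features onto key-derived random directions; keep only the signs."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    bits = []
    for _ in range(TEMPLATE_BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        dot = sum(d * f for d, f in zip(direction, features))
        bits.append(1 if dot >= 0 else 0)
    return bits


def distance(a, b):
    """Fraction of bits that differ between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(stored, features, key):
    """Verify a fresh scan against the stored template under the same key."""
    return distance(stored, protected_template(features, key)) <= MATCH_THRESHOLD


def constructed_sample(seed, n=64):
    """Constructed stand-in for the output of a fingerprint/face feature extractor."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def recapture(features, seed, noise=0.1):
    """Same person, new scan: the features differ slightly every time."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, noise) for f in features]


if __name__ == "__main__":
    alice = constructed_sample(1)
    old_key, new_key = b"enrollment-key-v1", b"enrollment-key-v2"  # hypothetical keys
    stored = protected_template(alice, old_key)
    print("genuine re-scan matches:", matches(stored, recapture(alice, 7), old_key))
    print("different person matches:", matches(stored, constructed_sample(2), old_key))
    # After a breach: rotate the key and re-enroll; the leaked template stops matching.
    reissued = protected_template(alice, new_key)
    print("leaked vs reissued distance:", distance(stored, reissued))
    print("re-scan matches reissued:", matches(reissued, recapture(alice, 8), new_key))
```

Only the distorted template is stored, so a reset means rotating the key and re-enrolling. The key should be kept apart from the template store, since the reset depends on it.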

Implications for risk transfer and insurance

Gone are the days when risks fit neatly into one insurance policy. Like any of the evolving risks financial services firms face today, the risks associated with biometrics do not stay in one lane. Consideration must be given across the spectrum of insurance placements to determine whether, and to what extent, these risks are properly addressed:

  • Cyber: Generally provides indemnity for costs incurred responding to and investigating a data breach, regulatory scrutiny and follow-on litigation. Policies are far from standard and, in an evolving marketplace, constantly changing. As companies must collect and store biometric information in order to make use of it, coverage for claims alleging wrongful collection of data (as opposed to more traditional breach-only cover) should be secured. In addition, a cyber policy’s definition of covered personal/confidential information must be broad enough to cover biometric information and rapidly changing legislation in this area.
  • Crime: First-party coverage for funds stolen by your employees or, under particular, enumerated circumstances, third parties. The base language of these policies was generally written decades ago, long before the digital age of crime began. As biometrics become more prevalent, the sophistication of attacks will only increase.

    Crime coverage is already highly fact-dependent, and the use of biometrics will only increase these challenges. There are opportunities to educate insurers on how biometrics increase security (lessening risk) and fit into the otherwise covered, named perils of a typical crime or financial institution bond.

  • Directors’ and officers’ (D&O) liability: Although much has been written about the topic, it bears repeating that cyber and privacy risk are D&O risks. As firms seek to implement biometrics into their operations, boards should continue to play an active role in the analysis and mitigation of the attendant risks. Understanding exactly how biometrics fit into a firm’s operations, along with how the technology works, and giving consideration to the potential downsides, is key.
  • Errors and omissions (E&O): As companies increasingly make biometrics available to customers (individual or institutional) to access accounts and services, the potential for litigation following a loss or theft remains a key risk. Understanding if and how your E&O coverage interacts with your other coverages (cyber, crime) is a good place to start. Also be mindful of cyber-related exclusions. As always, great care must be taken in defining covered “professional services” under an E&O policy to ensure coverage for the products and services actually being offered to customers.
  • Employment practices liability: Biometrics have a significant role to play in internal security measures as well, ensuring that only authorized employees have access to information and helping firms keep track of their workforces. Many of the lawsuits filed under Illinois’ Biometric Information Protection Act are employee-class actions related to the collection and retention of employee biometrics (e.g., handprints used to clock in/out in lieu of punch cards).

Risk and opportunity

Keeping pace with customer expectations is essential for financial firms operating in an increasingly margin-tight environment. While biometrics can help firms provide a faster, more seamless online account experience, care must be taken to understand the risks involved. Only a careful, enterprise-wide evaluation of the risks and opportunities presented by biometrics will lead boards, risk managers and general counsel to make informed decisions about their suitability for a given organization.

Contact

Anthony Rapa

Anthony Rapa is a member of the Willis Towers Watson FINEX Global Financial Institutions Claims Advocacy team.

