Wednesday, 21 June 2017

Tackling Regulatory Change Through Automation and Machine Learning

Machine learning and AI technologies are starting to support compliance management functions. The ability to automate resource and data intensive processes is beneficial to compliance management functions struggling with increasing levels of regulatory data. 

Financial services organizations are dealing with a tidal wave of regulatory change that shows little sign of abating. As part of my research for a new study published by Goode Intelligence investigating how machine learning and automation can get regulation under control, I interviewed compliance officers and Regtech experts in both the UK and the US. A compliance officer based in London told me that the financial services industry is facing "mountains and mountains of regulation". This statement is echoed by industry experts including the Boston Consulting Group who believe that "regulation must be considered a permanent rise in sea level - not just a flowing tide that will ebb or even cresting tsunami that will recede."(1)

The combination of information overload and manual regulatory change analysis is creating headaches for many organizations that cannot afford to invest in large specialist compliance teams or automation. The reliance on under-staffed compliance teams to sift through vast reams of complex regulatory data can lead to mistakes – mistakes that organizations cannot afford to make when failure to comply to regulation can lead to financial penalties that can run into the millions, even billions, of dollars. Since the global financial crisis of 2008, banks globally have paid $321 billion for a number of regulatory failings from money laundering to market manipulation. (2)

To reduce the ever-increasing burden on compliance teams, financial service organizations can turn to new regulation change management solutions that automates resource-intensive tasks through machine learning technology.

Just as financial services organizations are increasingly turning to FinTech tools to take advantage of advancements in areas like automation, machine learning and cloud computing, these firms can also turn to the new sector of RegTech to better manage regulation and turn it into an advantage.

Leveraging expert-in-the-loop (EITL) machine learning for automating document frees up compliance professionals to focus their time on the details of actually helping their organizations comply with regulations, rather than just laying the groundwork. 

A smart machine learning compliance solution must offer the following core competencies:
  1. Aggregation - from a comprehensive variety of sources
  2. Normalization - of millions of documents, citations, rulings and publications
  3. Curation & Classification - based on expansive EITL machine learning model foundation
  4. Trend analysis - transform raw regulatory data and peer-review trends into distilled insight
  5. Personalization and notification - follow specific regulatory topics
I explore this further in a white paper that references the latest Regtech solution from entitled "Getting regulation under control with Compliance AI".

(1) Global Risk 2017: Staying the Course in Banking / March 2017 published by the Boston Consulting Group
(2) Boston Consulting Group February 2017

Thursday, 1 June 2017

Five Considerations for Selecting a Consumer Authentication Vendor

In today's mobile-first world, consumer authentication is driven by the need of having a smooth user experience. Of course, it has to be secure and tick all of the boxes for privacy and regulation but when I talk with clients, both authentication vendors and service providers, they all say that the number one priority is having a great user experience (UX). If the authentication user experience fails then customers will simply walk away and go somewhere else or choose an alternative payment method.

I was recently asked to create a white paper for RSA and EyeVerify on key considerations for selecting a consumer authentication vendor. I identified five key considerations:

  1. Consumer choice
  2. Convenience
  3. Demonstrable fraud reduction
  4. Meeting a 'mobile first' strategy'
  5. Regulation compliance
These five considerations are powerful criteria for organizations when assessing authentication solutions and vendors.

Consumers must be given a choice of convenient, easy to use authentication services. The availability of a wide range of device-based authentication technologies including multiple biometric solutions supports this requirement. Convenience and consumer choice can also be combined in a well-designed consumer authentication solution. The combination of risk based authentication (RBA) and mobile biometric authentication services (MBAS) can meet this criteria. Risk based authentication can meet a good percentage of normal authentication scenarios and mobile biometrics can be applied to authentication scenarios that require further ‘proof’ of true identity; a combination of frictionless and friction-light authentication.

Service providers are increasingly pressured to support legacy service channels including physical (bank branch and retail store) and telephony at the same time as evolving their offering to work across a wide range of new technology, first web, now mobile and moving swiftly into the Internet of Things (IoT). When choosing an agile technology partner that can support multiple delivery channels, omnichannel support, an organization must ensure that they choose an authentication solution that can operate across a wide range of these channels. The mobile first strategy can allow organizations to design and deploy effective authentication services that meet this consideration.

Fraud is rising in all sectors. A consumer authentication vendor must be able to demonstrate fraud reduction as a result of deploying the chosen authentication solution – measurable and tangible fraud reduction benefits.

Around the world, regulatory powers are adapting existing regulation or introducing new ones to ensure that consumers are protected when using the latest digital services. A trusted technology partner must be able to demonstrate:
  1. It can help organizations address the latest federal and industry regulations; and
  2. It actively participates in influencing regulatory bodies to ensure that convenience and ease of use are not sacrificed at the expense of over rigid security requirements.

Getting the balance between security and convenience is an essential ingredient in supporting flexible digital service delivery.

To read the white paper in full, you can download it from the Goode Intelligence website here.

Thank you - Alan

Monday, 7 November 2016

When fraud prevention goes wrong & a lesson in why banks need to make mobile their prime channel

I recently returned from a trip to the US to attend a conference organised by RSA Security. After spending almost a day in getting from London to New Orleans I arrived at my hotel, weary and in need of a shower and some rest. 

The room was already paid for but I needed to present a credit card to the hotel receptionist for incidentals during my stay. Unfortunately, my business card was declined and even more worryingly a second privately-owned card was also declined. There were adequate funds on both cards so I assumed that the bank's fraud service had flagged the attempted transactions as being high risk and in need of investigation. This has happened to me a couple of times before when travelling outside of the UK and previously I swiftly received a call on my registered  mobile phone from the bank to query the transactions. On this occasion, no call. 

I decided to call the bank myself by ringing the number provided on the reverse of the card. I bank with a large international bank and it was past midnight in the UK. As I was using a contact centre channel I was requested to authenticate using the method that the bank has assigned for telephone banking. Being a sensible security professional I had set up a 12 character alphanumeric passcode that included special characters. As a convert to mobile banking I had last used the telephone channel over two years ago so had managed to forget the 12 character alphanumeric passcode. As a result, I couldn't gain access to the bank's contact centre to inform them that I was actually in New Orleans and not at home in London. As a result of my failure to get access to a customer care resource I couldn't unlock my cards and use them for the hotel. 

Fortunately I had an alternative card, issued from a different bank, that I was able to use and allow me to get to my room. It still meant that I couldn't use two of my primary cards whilst away.

When I arrived home I noticed that I had a letter from the bank asking me to call them urgently as they had witnessed potential fraud activity on my card. Yes, a letter. Some five days after the incident they sent me a letter. I may have experienced time travel on my journey home and returned to the 1980's (if you could listen to my Spotify playlist you probably would think I am still there).

What are the lessons?

This was a very frustrating experience for me and it drives home how reliant we are on our banks to provide access to our funds whenever where ever. This is also not just about the technology. People and Process are vital components in delivering convenient 24/7 financial services. You still need to connect business processes with technology.

Could I have used my mobile banking app? Possibly, but my bank app doesn't have the capability to inform the bank of false positive transaction attempts. In any case with my biz account I still need to use my OTP token to authenticate and I didn't fancy whipping out the token in a crowded hotel lobby to gain access. 

Inconsistent experience in managing fraud: Why didn't the fraud team call me on my registered mobile as has been the case? It was outside of UK business hours but I think I am offered 24/7 support and it is an international bank and to come home to a letter!

Make the mobile the prime authenticator and channel: We are now in the era of the mobile native so why not leverage this channel in more efficient ways. When the fraud system declined my cards my mobile was in my hands (behavioral  biometrics could prove that I was holding it) and connected to the local radio cell and receiving GPS data to inform them where I was (Geolocation). This data in itself could give a very good indication that I was in a hotel lobby in downtown New Orleans. If the bank (card issuer) wanted more data it could have sent a push notification to my mobile to ask "Are you in this hotel in this location and are you attempting to make a transaction of $n?" I then could be promoted to use a registered biometric (fingerprint or EyePrint) that the bank supports in its mobile app to give the risk engines more data and prove to a reliable percentage that it was actually me and not a fraudster with my card. 

This can be done now as the technology is available today to support banks and card issuers in turning an inconvenient and highly annoying episode into an event that gives me a great level of assurance that my bank is taking care of my money. In an age where agile FinTech companies are seriously providing an alternative to established banks I feel that the traditional banks need to sit up and start using the technology that is available to them to make our lives a little easier. Start with the customer and work backwards - feel my pain!

A postscript.  It was pretty ironic that this incident happened whilst I was attending an RSA Security event and spending time with the Fraud and Risk Intelligence team discussing ways in which to improve customer experience whilst reducing financial fraud by leveraging biometrics on smart mobile devices. Perhaps we could drop the letter!

Wednesday, 7 September 2016

Apple September Event - Any new Biometrics Features?

The net is buzzing with its usual mixture of the possible, the potential and the damn-right ridiculous predictions on what Apple will announce later today at its September device event. In the mix has been a number of rumours on what Apple may do in terms of supporting biometrics.  Time will tell, but before the event takes place here is a list of some of them with my views on them.

iPhone 7
The most believable is changes to the home button with either a more flushed designed button integrated into the display or removal completely. Most fingerprint sensor designers have been working on integrating a sensor underneath the display (under glass) rather than underneath a coated button and Apple is probably ahead of the curve in its development. 

There is a strong possibility that Touch ID on iPhone 7 will be an under the glass sensor (probably still capacitive) and Apple may have had to either reduce the thickness of the glass or develop a recess in the glass to reduce its thickness to ensure that the sensor's performance is not degraded. 

The integration under glass may also mean the development of 'Force' Touch ID and could mean that the sensor could improve anti-spoof capabilities by measuring the force of its registered user's touch in addition to the usual matching against  stored fingerprint templates. 

With Iris being integrated into the Samsung GN7 (unfortunately recalled) there have also been rumours that iris recognition will be supported in this version. It is likely that this will have to wait until at least iPhone 8. 

Watch 2
The most reliable rumours on new sensors points to GPS. As my Sony SmartWatch 3 has this feature, I can definitely see that having GPS in a watch definitely makes the device more independent and is a great feature when you out running (According to Google Fit this last occurred in February for me - shocking I know). The partnership between Precise Biometrics, FPC, Gemalto and STMicro in developing a biometric platform for wearables has given us a clear indication that integrating biometric sensors into wearables, for authentication and identity, is viable. Whether Apple sees any merit in doing so is questionable. Payments has been a major driving force for biometrics and for Apple to support a standalone payments app on a smartwatch that  replicates the iPhone security environment including the secure enclave is debatable from a business case point of view. 

We may see the watch having more independence from a paired iPhone but I would be surprised to see a decoupling in this context. I would say there is an outside chance of a separate biometric (identity) sensor being integrated into Watch 2. 

I look forward in hearing what Apple will actually do later today and will follow-up this blog with another one with analysis on anything that is important from a security and identity perspective.

Addendum 09/09: After the official announcements from Apple on iPhone 7 and Watch 2, comments on my predictions. Not a lot of direct announcements on biometrics. However, Apple has changed the home button in creating a solid state version with force features and taptic feedback. There was no clarity on whether there is any changes to Touch ID as a result of this change. As predicted, no support for other modalities including Iris and no Biometrics for the Watch. I am currently researching the mobile biometrics market so keep a watch out for further updates in this area. Thanks. Alan

Thursday, 14 July 2016

Will Brexit affect PSD2's Strong Customer Authentication Requirements?

There is no doubting that Brexit is having a profound affect on the UK and ripples of disruption have been felt around the world as result of the UK's decision to leave the EU.

I have written extensively on EU and EC legislation and its impact on a number of cyber security matters including mobile security, identity, authentication and biometrics. 

Recent researchhas investigated the impact of PSD2  on security; in particular the impact on how payment service providers (PSPs) manage customer authentication. 

To summarise the main objectives of PSD2:

  • Contribute more to a more integrated and efficient European Payments market
  • Improve the level playing field for payment service providers (PSPs), including new players
  • Make payments safer and more secure
  • Protect consumers
  • Encourage lower prices for payments

The European Parliament adopted PSD2 in October 2015 and EU member states have two years in which to implement the new procedures. The EC states that there is a different date of application for the new security measures, including Strong Customer Authentication (SCA) and standards for secure communication. This is subject to the adoption of the regulatory technical standards which are being developed by the European Banking Authority (EBA) and adopted by the EC. It is anticipated that the new security measures shall apply 18 months after the adoption of the standards by the EC.

PSD2 provides rules for payment security and customer authentication, concentrating on protecting consumers when paying on the internet. 

PSD2 applies to all payment service providers (PSPs) operating in the EU, including banks, payment institutions or third party providers (TPPs) and relates to all electronic means of payment.
The EC defines SCA as a process that “validates the identity of the user of a payment service or of the payment transaction”.

SCA is based on the use of two or more elements:
  1. Knowledge - something only the user knows, e.g. a password or a PIN
  2. Possession - something only the user possesses, e.g. a card or an authentication code (OTP) generating device
  3. Inherence - something the user is, e.g. a biometric authenticator such as fingerprint, voice or eye-print
PSD2 states that these elements have to be independent of each, meaning that if one element is breached or compromised then this does not compromise the “reliability” of the others. The design of the authentication solution must also protect the confidentiality of the authentication data or identity credentials. 
As the UK has voted to exit the EU, will this mean that UK banks and PSPs will not be bound to comply with these regulations (and in fact other EU legislation)? This is a difficult question to answer as the exact nature of the UK's exit and what will exactly be negotiated as the UK triggers Article 50 is still very much up in the air. What I think will happen is this:
  • UK banks and PSPs that have functions in the EU will have to comply with PSD2 - it also makes competitive sense to support PSD2
  • PSD2's authentication requirements are pretty-much the basic requirements for supporting strong customer authentication and it makes common sense to support them especially some of the risk-based authentication services that enable lower-risk payment transactions to be exempt from strong customer authentication
  • Some UK retail banks are owned by European organisations who will want to have a common strategy for customer authentication that supports PSD2
As the UK's ex Prime Minister, Harold Wilson said in the 1960s "A week is a long time in politics" and I am sure that there will much debate over the coming months and years about the relevance of EU legislation to the EU. If you are a UK bank and have started projects to ensure compliance to PSD2 then I am pretty sure that these will not be halted as a result of Brexit.
Please let me know your thoughts my commenting on this blog. Thank you and remember in the global economy no nation is an island!

You can download the Goode Intelligence White Paper "The impact of PSD2 on authentication and security" from here.

Thursday, 7 July 2016

The Future of Mobile Security

Mobility is the new normal for enterprise users. With forecasts from the GSMA predicting that 80 percent of adults on earth will have a smart phone by 2020 these always connected and always on devices are the most popular personal computer in history.

The use of smart mobile devices (smart phones and tablets running mobile platforms such as Apple iOS and Google Android) in the enterprise is rising rapidly each year. Figures from Citrix indicate that the number of smart mobile devices (SMD) managed in the enterprise increased by 72 percent from 2014 to 2015.

What is surprising, however, is that the enterprise is not fully embracing mobile. Whether it is an employee-owned Android smart phone or a company-issued and controlled iPhone productivity-enhancing enterprise services are still relatively scarce within the enterprise. Outside of email and calendar applications there are relatively few examples of enterprise mobile apps. This differs from the current situation with consumer adoption of mobile where it dominates social, financial services, commerce and entertainment.

So why is? In the latest white paper from Goode Intelligence, the issues facing the enterprise in delivering services to mobile is explored. The report discovers that a mixture of technology constraints, security concerns, compliance to regulation and privacy law are having an impact of restricting mobile enterprise services.

Enterprises do face a challenge in enabling productivity enhancing applications to be available through smart mobile devices but there are ways in which they can combine the convenience of mobility and strong security mechanisms that meet company security policy and comply with regulation. In covering mobile security since 2007 I have learnt that next generation mobile security solutions should have these characteristics:
  • They should focus on users
  • Support agile multi-factor authentication (MFA) with a choice of authenticator to match the context 
  • Be able to provide mobile-based single-sign-on (SSO)
  • Must protect the data, both at rest and during transmission
  • Be available in a simple to use and unified security offering
I believe that there are very few solutions that offer a unified solution that supports these characteristics and this is why we have seen limited adoption of full-throttled enterprise services for mobile. Often, an organisation will have to mix and match technology solutions to support this vision and this can be expensive and time-consuming. A solution that combines the functionality and features of a next generation mobile security solution is the Sign&go Mobility Center from Ilex International

This product provides an integrated security solution to solve the enterprise mobility conundrum; mixing convenience and mobile security in a unified product and provides:
  • Strong Multi-Factor Authentication supporting one, two or three factors
  • Mobile SSO
  • Data Protection in a secure container
Without the combination of these features, organisations will remain limited in what productivity-enhancing mobility solutions they can deliver. 

Friday, 26 February 2016

Biometrics Takes Centre Stage at MWC 2016

This is my fourth year of being a judge for  the GSMA's annual Global Mobile Awards (Mobile Identity and Mobile Security category) and each year I am seeing an increase in the number of entries that are using biometrics to protect smart mobile devices and the services that are being accessed from them.

One of this year's nominees (finalists) was Hoyos Labs who were nominated for their 1U mobile biometric authentication product. Hoyos Labs is one of a growing list of companies that are showcasing their biometric solutions at Mobile World Congress (MWC) as mobile has been a major catalyst for the rapid growth in biometric technology and its adoption by millions of consumers.

Alongside Virtual Reality (VR) technology (did you see that crazy image of Mark Zuckerberg entering the auditorium with all those people plugged into VR units?), wearables was one of the big themes of this year's MWC. We have had limited adoption of biometrics on wearables for security purposes and one consortium of technology companies wants to change that by providing a solution that offers hardware OEMs a platform for building biometric authentication in a range of wearable devices. Gemalto, Fingerprint Cards, Precise Biometrics and STMicroelectronics have partnered to introduce an end-to-end security framework for the use of fingerprint biometrics on wearable devices. The partnership will demonstrate a solution that embeds a fingerprint sensor from Fingerprint Cards, fingerprint software from Precise Biometrics and secure NFC and low-power mircocontrollers from STMicroelectronics. Gemalto is providing the UpTeq eSE , secure hardware where the user's credentials are stored, and the match-on-card application that validates the fingerprint.

The financial services market has been the fastest growing area of biometric adoption with our (Goode Intelligence) forecasts of over 120 million users in 2015. On the back of HSBCs decision to roll-out voice and fingerprint multi-modal mobile biometric authentication to its UK customers in 2016, MWC 2016 witnessed a flurry of announcements for this sector. 

MasterCard is another financial services company that is planning to roll-out multi-modal mobile-based biometric authentication with the decision to deploy fingerprint and facial-recognition technology in around 14 countries. MasterCard's 'selfie pay' solution was piloted in the Netherlands in 2015 and proved to be so successful that it will be available to millions of payment customers around the globe. The aim is to offer this solution to replace MasterCard's 'SecureCode' online payment verification solution. This is an ideal solution and solves a real problem; how do you verify those transactions that need additional user verification and also make it convenient. How many people currently abandon the payment process when the SecureCode window pops up and asks you to enter your 2nd, 5th and 7th letter of your SecureCode? Touching a finger against a sensor or taking a selfie on your smartphone is miles better and should play an important role in reducing Card-Not-Present (CNP) fraud, making it easy to prove you are who you say you are. 

Visa, not wanting to be outdone by its main card scheme competitor, also made announcements on biometrics at MWC including a tie-up with Morpho. Morpho has many years of experience in the high-end biometric market (identity and law enforcement) and wants to apply this experience to the consumer market. This includes the use of the MorphoWave four-finger scanner at the physical point of sale. MorphoWave can scan and match four fingerprints in under one second without any sensor contact and involves a customer waving their hands through the scanner. 

This is just a selection of the activity that is happening with the convergence of mobile, wearables and biometrics at the moment. If you are a company that is involved in this exciting area of technology then please reach out to me - either through this blog or via the enquiry email address at Goode Intelligence; enquiry at goode intelligence dot com.

Thank you.