Hello and welcome to our webinar today. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole. Today I'm joined by Pascal Tavernier, who is IAM Architect and Executive Director at UBS.
Welcome, Pascal. Our topic today will be digital transformation and financial services using biometrics. So a few logistical things before we get going here. Everyone's muted centrally. There's no need to mute or unmute yourself. We will be doing a couple of polls at the end of my presentation before Pascal starts, so please get ready to participate in the polls and we'll show the results at the start of the Q&A session. And we will have a Q&A session just after that, before the end.
And both the recording, we are recording this, and the recording and the slides will be available in a couple of days' time. So with that, I'm going to start off talking about the business drivers, which are largely financial regulations and the need to prevent fraud, and how biometrics can be used for both onboarding, registration, as well as authentication. Then I'll turn it over to Pascal, then we'll do the polls and Q&A at the end. So first up, identity assurance for financial services.
Like I said, two of the biggest drivers are complying with regulations in various places around the world and trying to prevent fraud. So let's look at the financial regulations first. There are essentially lots and lots of lists that have to be checked, and it really depends on which country, which government. There are some differences in how the laws are enacted and enforced, but broadly speaking, we see, you know, four major kinds of regulations and practices that need to be in place for financial institutions. The first of which is anti-money laundering. We call that AML.
This is to prevent exactly what it sounds like, money laundering. You know, this might be drug money, terrorist financing money. So you really need to know who the person is who's trying to open an account. Know your customer. This is sort of an extension of that. This requires, you know, identity proofing and really ongoing identity proofing or periodic identity proofing, where you want to know that the person is still in control of that account and you have the updated information, whether that's email address, physical address, phone number, email address, and so on.
Then we have PEP, politically exposed persons. These are, you know, perhaps politicians, prominent people that are, you know, politically exposed.
These are, you know, perhaps politicians, prominent people, their families, anybody who might be, you know, susceptible to things like bribery or kidnappings. Lastly, we have sanctions screening. We've heard about this for quite a bit in the last couple of years because of the war.
People, companies, organizations, government agencies, you name it. And as a financial institution, you want to make sure that you're not transferring money or holding money for people who are, you know, in the hands of the government.
Another regulation that we should talk about, or actually directive, is the EU Revised Payment Services Directive. As a directive, it's a little bit different than a regulation. It had to be ratified individually by all the member states and put into place.
But now there are regulatory technical specifications for PSD2 that apply to all member states. And probably the most interesting for our discussion today are the requirements for strong customer authentication, which is exactly what it sounds like too.
You know, our typical information security definition of strong authentication is two or more of the something you have, something you are, or something you know. And then also transactional risk analysis. This can be making sure that it's the same person who started the session or who started the session recently. If you don't want to encumber them with yet another strong authentication event, which sometimes can be a bit onerous, if you're doing transactional risk analysis, you can sometimes obviate the need for that.
And what's good about this, you know, from the biometrics perspective, is both of them can be facilitated with biometric authentication and registration. So we'll dive into that in a bit more, just in a minute here. I mentioned fraud as well. There are two major types of fraud.
You know, broadly speaking, that all kinds of organizations, not just finance, are trying to prevent today, and that's account takeover or ATO fraud and account opening fraud. ATO fraud, attackers are trying to gain at least temporary access to some existing account. They can be used for value transfers, anything that can be converted into money.
Of course, bank accounts, credit cards are highly targeted, but, you know, frequent flyer, any kind of reward account, anything that can be converted into money is a potential target. So that means all industries are targeted, but, you know, finance is definitely one of the most targeted in this regard. Account opening fraud, this is a little bit different. That's where the attackers try to create fake accounts, but based on real people's data, where do they get that data? You may have noticed there have been many, many data breaches, you know, looking for all kinds of personal information.
That personal information can be used to create a fake account if the financial institution or other account holder isn't particularly careful. So school records, employment records, healthcare records, all of these contain information that can be used to build fake accounts. Just think about, you know, what are you asked when you are trying to open an account? Those bits of information, those are the ones that the cyber criminals are after. Why do they do that? They want to commit major financial fraud, you know, do money laundering.
They create mule accounts to move money back and forth, you know, from country to country, organization to organization. So these two types of fraud are two of the most prevalent that we see across many, many industries. So rather than just talking about problems, we should talk about mitigations for these problems.
ATO mitigations we've been recommending for years, things like multi-factor authentication, which aligns with, you know, PSD2 strong customer authentication, as well as risk-based authentication to make sure that, you know, it is the person who has registered for this account that's trying to transact something with this account. Then account opening mitigations, identity proofing, you know, that at the time of registration, making sure that that person, you know, matches, you know, some authoritative government issued ID and they have the proper information to register.
And then ongoing KYC, you've got to keep that information up to date and how often that has to be done can vary by jurisdiction. And this is where mobile biometrics ties in because we can use mobile biometrics for both the ATO mitigations and AO mitigations like multi-factor and risk-based authentication, as well as identity proofing. So I've mentioned biometrics a few times. It's time to sort of dive just a little bit deeper into that. It's really about leveraging something to something in our part for both registration and authentication.
So there are multiple what we call modalities, biometric modalities, how people interact with devices, how, you know, features about themselves that can be unique or a pattern can be made unique that can later be identified, again, you know, doing pattern matching. First up, we're all probably very familiar with fingerprint, fingerprint or thumbprint.
You know, it's looking at the patterns on your finger and matching them. It's pretty usable, but there are some populations with which it does not work well. Facial recognition, you know, this has gotten quite a bit more popular. Most of the, you know, newer phones in the last few years have this as a built-in option. What that's doing is looking at different points on the face, you know, making a spatial geometry comparison. There are things, however, that can sort of make that difficult operationally.
You know, it depends on what you look like at the time you took your initial facial recognition sample, you know, have you shaved since then, are you wearing cosmetics, masks, you know, throughout the pandemic, you know, masks, wearing a mask obviously will make it so it doesn't work well, hat, glasses, all sorts of things could make it just a little bit more difficult. And so it's very good, very useful, particularly useful for registration time and matching what's on identity documents.
Voice, you know, we haven't seen as much of this, probably assuming, you know, in recent months because AI has gotten fairly good at, you know, duplicating voices, but there are a couple of major methods for voice recognition. That's text independent where, you know, your app could listen to you and decide, yes, that's the right person or not, when sometimes they constrain you to saying specific words.
Again, we haven't seen nearly as much on the voice recognition side. Iris, you know, science fiction years ago told us we'd all be doing retina scans, but it turns out iris is a bit more usable and it has an advantage of being, you know, many, many more degrees of freedom. It's called different points within the iris that can be scanned that truly can come up with a very unique profile of what an individual's iris looks like, and one of the real benefits of that is it doesn't change with aging.
Lastly, we have behavioral biometrics. This is, you know, how a user interacts with their devices. If it's a computer, you know, how do you type? What's your dwell time? What are your keystrokes like?
What's it, how do you use a mouse? It turns out that people have highly independent patterns of usage, and those can be built into profiles with which, you know, ongoing real-time comparisons can be done. What's really interesting about that is that, you know, let's say you're using a mobile device. You can do how an individual swipes across the screen, the screen pressure, how they hold the phone. That's what gyroscopic analysis is.
And even in the case where you may have multiple users of the same phone, individual behavioral biometric profiles can be built so that the device and software can determine which particular user is using it at a given time. So one question that often comes up is, you know, how accurate is this? So there are a couple of different concepts here that are useful to explain the false acceptance rate. This is how often an imposter might be able to get in, false rejection rate, how often a legitimate user may be denied access.
You know, I think that happens to all of us quite often. You know, if we're using things like fingerprint or face, you know, maybe you are, you know, you do have glasses on or you're wearing a mask, so those things can interfere with that. But you see at the bottom here, we've got equal error rate. So what most biometric implementations aim for is, you know, that middle point where, you know, you turn up the sensitivity enough to make sure that imposters would have a very, very hard time getting in, but you also don't want to preclude a legitimate user from being able to get in.
So biometrics sound ideal in many ways and, you know, really they do increase usability most of the time. I certainly like being able to use that. It's way better than passwords. Passwords are, as we all know, not only inconvenient, but insecure and are certainly much better than, you know, having to rely on things like security questions. The biometrics themselves can be attacked in a couple of different ways. There are enrollment time threats where, you know, maybe people collude to register a different person with a given identity document.
So, you know, from the time the account is opened, there can be an attempt to sort of mismatch biometric samples and templates. You know, this could also mean that, like in the case of a phone, maybe trying to steal the biometric template from the device. That's why there are on-device features, you know, things like Secure Enclave, GlobalPlatform's TEE and SE, that can help with protecting biometric templates that are stored on phones and other devices. Then there's also the common security notion of confidentiality, integrity, and availability. Biometrics aren't secret.
I mean, you can see my face. People leave fingerprints everywhere. You can't keep them confidential. But keeping the integrity of the biometric samples is key.
And that, again, is, you know, the templates that may be stored on a device. We generally recommend local storage and local comparison. It's much better if that's not going over the air or over the wire.
And, of course, availability can affect overall usability as well. Lastly here, in just a moment, we'll talk about presentation attack detection. You'll see many biometric implementations that talk about liveness detection. And that is, you know, trying to make sure that an attacker isn't, you know, holding a picture up to a phone or, you know, using a mold. There's all sorts of different ways that presentation attacks can show up. And that can be, you know, using photos or even 3D printed molds.
So, you know, liveness detection might be looking for perspiration on the finger, asking someone to blink when they're doing facial recognition, things like that. It's very important to be able to help defeat the attackers that are using sophisticated methods like this.
So, lastly, here I've talked about biometrics in general. We all are kind of familiar with how biometric authentication works, remote onboarding. Here I just want to kind of highlight what we might call a happy path flow where, you know, you're using a mobile app to register for an account for the first time.
So, you apply for a high assurance credential. You will probably be asked to go download a remote identity verification app. A couple of the key features are, you know, take a selfie, a picture, which will also perform that liveness detection I was just mentioning. These apps can also scan, maybe using OCR or NFC, authoritative documents, whether that be a driver's license or a passport.
And, you know, assuming all of that is legitimate, then a credential can be issued. This, you know, definitely speeds things up.
You know, in the olden days, or it still can happen today, where you go to a bank and you show these documents and a person verifies you, but there are things, you know, that can be costly and it takes more time. So, you know, remote onboarding definitely has advantages.
Of course, it has security risks as well. And, you know, what's really interesting, and we've probably said this before, is, you know, this technology has been widely used, you know, throughout the pandemic for even enterprise or workforce use cases where a person, you know, got onboarded to a new employer using, you know, these kinds of technology for identity verification. So this has become much more widespread. It's an interesting technology that I think will only continue to improve. So with that, it's time to ask a couple of questions.
And we're curious, you know, talking to the audience today, what are the main drivers that you see for remote identity verification? And we've got several choices here. Is it for that AML compliance? Are you looking for usability improvements? Is it 24 by 7 availability?
Because, you know, banks aren't open all day, every day. Is it about customer conversion and increasing your revenue? Because if a person doesn't have to go to a bank to register, then it certainly would be advantageous to be able to offer registration at any time. And then lastly, you might just be looking for something lower cost altogether. So we'll launch that poll. Okay. Next question.
So, do you have or are you looking for remote onboarding solutions? And the choices here are, we already have a solution in place.
No, but we're looking for one. Or we're not really looking into that at all at the moment. And we do appreciate your participation in this. And we will look at the results of these polls right before we start the Q&A session. So just as a reminder, feel free to enter some questions for us.
Thank you, John. Thanks for the intro and welcome to the second part of the webinar. My name is Pascal Tavernier and I've designed and built such a remote identity verification solution. And I will talk about the technology and I will also talk about some of the key success. So when we talk about remote identity verification options, there are basically two ways to get this done. And I would say in summary, there is an expensive, inconvenient version, which is doing a video call. And then there is a convenient 7-24 hours cost effective solution.
And that is offer self-service identity proving or identity verification. When you look at the video call, there are some advantages for that. It does not require an NFC capable mobile phone.
True, although around 98% of mobile phones sold do have an NFC chip because it's used for payments. And then it also works for all sorts of people. So even elderly people that are having challenges using a smartphone, they can go through that process. The cons are it's inconvenient. And from feedback we've received or I've received, it is people, people don't like it. And it takes a lot of time. So it's usually, I mean, an average video call is taking around nine to 10 minutes. It depends on the identity document.
And if people understand what they need to do to scan the identity document or verify the identity document. It also requires a quiet private place. You can't just do that in a noisy, loud place. It doesn't work. And usually from what I've seen, most banks, they do not offer 7-24 because it's very expensive to operate such a service desk 7-24. If you look at the self-service, the pros are prospects and clients. They prefer self-service. It's available from anywhere at any time. Low cost compared to a video call. And it has higher conversion rate. And that's from my experience.
On the negative side, it requires a compatible mobile device. And very important, it requires a very intuitive and also a very secure process. Because that is obviously also vulnerable for any sorts of online attacks. So today I'll talk about the self-service way to do it. So you will see the typical steps in such a self-service identity verification process. It starts with the product selection. Then with the scan of a passport. We will talk about the technology later on. Reading of the biometric chip. Then the liveness detection and face comparison is what John already mentioned.
Then the next step is the KYC background check. Then client and product opening. And at the end, the electronic, the issuing of a digital signature that is required to digitally sign the contract. And that would allow a client to have instant access to digital banking and credit card. And I will show you later on in a live demo how this looks like. And then we're going to the technology part. So how does it work? Most of you have actually seen the technology at the airport. It's the same technology. As some of you have used at the e-passport gate.
Using an e-passport with an integrated biometrics chip. And the way it works is you use your mobile phone and the integrated NFC chip. The same chip you use for payments with Apple Pay or Google Pay. And with that mobile phone, you first read the machine readable zone. That machine readable zone allows you to read the information. That machine readable zone are these two lines at the bottom of the first page in the passport. That will give you the password or the passphrase to then read the data from the chip.
All the data on the chip is digitally signed by the issuing country. And that means it allows an offline validation. So you can check the digital signature and you can say 100% sure this is a genuine document. If you verify the digital signature. The second step then is an automated identity verification. And what it does in fact is the first step is we check if the user is a real person. Is not a fake. And that means we have to or you have to ensure that it is not a video replay from a screen. It is not an AI generated deep fake. It's not a high resolution photo. And it's not a mask.
And for that you need to have a robust liveness detection solution. That allows you to say, well, that's a real person. It's a genuine person. And the second step is you need to compare it to the holder of that identity document. And that happens by a face comparison. So that's step number four. Once this is completed, you can say identity proving done. Tick off. I've summarized some of the key architecture principles for the mobile device. My recommendation. You should go for a zero trust model for the user's mobile device.
That means you should assume that the mobile device is compromised. That's one of the key architecture principles. Probably the most important one. And you should have several security controls to enforce that. That means you only use the mobile device to collect information. But you don't make any decision. And you don't do validation on the mobile device. That's what you're doing on the backend in a trusted environment. That means processing or storing of information must happen in a trusted backend. Also validation of documents, comparing faces and liveness detection.
My recommendation here is backend services designed to scale and withstand any cyber attacks. Cyber security threats, the usual secure by design. It's also important that you support various consumer and business workflows. I will come to that later on. So you should design it as a service that can be consumed by multiple journeys. And it should be cloud native. So that means you can deploy to any of the hyperscaler clouds. I want to talk about the enormous potential that the technology has to digitize your digital identity processes for your clients.
So it starts with a self-service digital client onboarding that allows you to onboard a client in under five minutes. And if you have an intuitive self-service capability, your conversion rate will increase. And that's from my experience. You can also use the same technology for re-identification. One of the use cases is qualified electronic signature. You need to re-identify the user every three years. Users that haven't done that, you can do that in your mobile banking app or in your mobile app. And they can do that self-service.
If you scan the passport, you do the identity, the liveness detection. You can do that in under two minutes. Any personal data changes, like name changes or gender changes, anything. You can automate that process by scanning the passport and by doing liveness detection. And most banks still have manual processes in place. So you need to go to the branch to get this done. You can automate that with that technology. Account recovery using liveness detection and facial biometrics.
You can do the account recovery instead of users need to call the support or the help desk to get an activation PIN, for example. You can do that by doing face biometrics and an OTP to the mobile phone number. Very effective and it saves a lot of money for support calls and also waiting time. For example, if you send activation PINs via post. You can also do it for high risk business transactions. That means if you need to have step up authentication and identity verification for it. So what I'm going to show you is an example of UBS mobile banking. That's the key four. That's digital banking.
So what you see here is the process for Swiss based clients. There are two terms and conditions. One is just I pause here for a second to explain it. So there's one for to open the account that does include the consent of the bank. To open the account that does include the consent of the user to process biometrics and to process his personal information from identity documents. Also that his data is stored. And the second one is around the qualified electronic signature. UBS is using a separate provider for that Swisscom. And hence we have there are different terms and conditions for that.
Once this is confirmed. It goes to the next step. That's part of the product selection depending on the age. There are different product offerings. So you select your credit card you want. And then you can see here there are some certain countries are supported. You can see them here because not all passports can be offline validated because countries do not publish the certificates. So there are some restrictions going to the email address mobile phone number verification. And then to the important part biometric self service or video call.
Then some basic instructions on how you need to hold and you see here that's the first step. Scanning the first page of the passport. And then the second one with the signature. If this is completed. Next step is the NFC chip scanning. For that you need to hold your mobile on to the biometric passport and it will then read the chip data. Once this is completed. It's around the personal details address check. Then some KYC questions. That all belongs to KYC. And now it's the step with the liveness detection. That's where iProov is coming into the game.
Some instructions on how to do the selfie video. And then the liveness detection starts. As you can see it only takes a few seconds. It's around five seconds and it's very intuitive. And then the contract is generated instantly. Including opening a bank account and the issuing of a virtual credit card that can be used instantly in the wallet. The whole process as you've seen here. It takes under five minutes. You select the product until you have a bank account open. So I will continue to talk about the conversion rate. Because that's key for the self-service and what are the key factors.
So from my experience. The key three points here. First of all user guidance. The user guidance should be visual. And animated guidance is a must. Specifically when it's about error handling. That's the next point. So if users do not know how to do it. Or if there's a timeout. Or if they do not scan it correctly. Then you need to provide accurate context based help. Otherwise users will fail again. They get frustrated and your operating will go down the drain. Then around eligibility. You should evaluate the self-service eligibility support right at the start of the process.
Users get frustrated when they find out very late in the process. They can actually not use self-service. So that means by selecting the country. And telling them only these countries for example are supported. Then they don't have to go through the whole process. To find out that they still have to go through the video call. What I learned is kind of the hard way. Is that the majority of the prospects and users. They drop out during the identity scanning phase. And if you use the e-passport gate at the airport. You can probably imagine why that is. It's not an intuitive process.
Most people probably do that the first time in their life. And holding a mobile phone on a passport to scan an NFC chip. Is not something people are familiar with. And that means and that goes back to point number one. User guidance is absolute key. Users need crystal clear animated instructions. Real-time feedback. And my recommendation as a summary. Focus on animated user guidance and accurate error handling. And the other lesson learned. Is conduct as many usability lab sessions as you can. Because once you're live you have only one chance to get it right.
If people don't like the app or don't like the process. You'll have to deal with bad ratings and feedback. I used to use my mom. She's around 70. She has a smartphone. I used her as benchmark. And I noticed that for the first few versions. She never passed the NFC scanning. And that's probably a good benchmark. And that's what I mean with usability lab session. Try as many different people as you can. To go through that process and to give you feedback. Then the identity document scanning and validation. Here are some hints around the evaluation criteria. For a solution.
So you should check on the support of the identity documents. Biometric passports and national IDs. There are also biometric national IDs in the European Union. That are compatible. It's a standard. And you can use both. And I can tell you that many citizens of European nations. They don't even have passports. They just use national ID cards. Biometric ID cards. So it's important that both are supported. And then as I said before regarding usability. Check with the vendor. What type of standard default user guidance they provide. And what the capabilities are to customize the UI.
The error handling options. So that you can provide accurate help. For the users that are struggling with the scanning. With the OCR scanning and the NFC scanning. You also should check scanning and OCR performance. With some older and entry-level phones. It's also something I've learned. It's important to check. With older phones. Especially entry-level phones. The performance can be really poor. That means you need to hold the passport. And the mobile phone still for several seconds. And that leads to quite high dropouts.
So that you also need to test it under poor light conditions. Some people try to scan it in dark places. Or with light from the top. And that produces glare. And that people keep on failing. Scanning the first page of the passport. If you need to decide about hosting. Either in your own cloud or on-prem. Versus software as a service. You need to focus on data privacy and data protection aspects. My recommendation is. I would go for a software as a service solution. Because you don't want to bind your engineering and operation resources.
And the vendor is always the best solution to host their own products. Then the size of the SDK. You need to check with some of the vendors. They provide quite big SDKs. And that can become a problem. If you're already using other SDKs in your mobile app. That might become a deployment problem. Developer documentation. Code samples for customization. It's always helpful to have a look at the developer documentation. And ask your developers what they think about the quality. And the samples. That gives you an impression on the quality of the solution. And very important.
Support for artificial testing documents. I will come to that later on. But it's important to have that support. That you can use some artificially generated test documents. So in summary. Focus on user guidance and error handling. And ensure that the solution supports a zero trust model. And that means the validation of the document. Happens in a trusted environment. Liveness detection. The most important aspect from my perspective. Is you need to decide for an approach. Some vendors offering an active or a passive approach. What does that mean? Active means the user needs to do something.
During the liveness detection process. That means you either need to move your head up and down. Or left and right. Or you need to take your mobile phone. And bring it closer to your face. Or move the mobile phone. From my experience with the usability lab sessions. Most people are overwhelmed. When it's active liveness detection. It's already difficult or challenging. For some users. To position your face in a frame. So that means. I would definitely recommend to go for passive liveness detection. Where you just need to hold your mobile phone. In front of your face.
Then the AI model performance. You need to ensure that it works equally between different races, ethnicities, gender and light conditions. And that means extensive testing. And I would also ask the vendor for statistics around that, because you don't want to end up having reputational issues if the performance is not equal between races, ethnicities. Then the PAD robustness, the liveness detection technology: it's important that you test that properly and you have a good understanding of how that works and what kind of AI models the vendor is using. Again with the hosting.
Versus software as a service. You need to focus on security controls for data privacy and data protection. The vendor is hosting biometric templates or biometric data of your clients. So that means you need to ensure that you have full control over that data and it's all EU GDPR compliant. To other data privacy laws and regulations. Then reporting capabilities and fraud abuse detection, so that gives you an impression on what's going on, and how many attacks that you have, and what the capabilities are. And then most vendors offer two different license aspects, or license models.
Capacity versus transaction. So that means you either license a certain capacity, let's say 1.5 liveness detection transactions per second, or you pay per transaction. The pay per transaction comes with a bit of risk in the sense of you might increase your transactional cost. That means you as a consumer or provider of such a solution, you have the risk of the license costs. And then last but not least, if you are subject to qualified electronic signature certification, then it's helpful if that vendor can help you with that certification or is used to the process of certification.
By an auditor. So testing the solution. That's what I've mentioned before when we talked about the solution for document scanning and validation. The problem is there are over 150 countries that do issue biometric identity documents. Although it's a global standard that is defined by ICAO, there is the problem that you have different design surfaces, various races and ethnicities. If you have a testing environment that's not a good idea. And it is also not scalable. So you need to have custom artificial identity documents for testing purposes. That means you need to be able to generate.
These NFC compliant e-passports. Fake ones. And you need to find a solution for that, and you need to evaluate that right from the start. And that's my recommendation here. You need to be able to meet the requirements. To your must evaluate criteria. Once you're building the solution, you find out very late in the process that you don't have the right test materials. That becomes a showstopper. Then performance: measure and improve. You can only improve what you know, and that's key when you design such a solution. You need to define right from the start the various steps in the process.
And so you can see how far users get, or where users are struggling. That's extremely important that you have that for both, for the front end and the back end. That gives you an end-to-end view, and you can then see where the dropouts are happening. And so from my experience, you can't have enough data. So when I designed the solution, I didn't have enough information. And then later on, once you see that users are dropping and you do not have enough information, it's very difficult to improve that step of the identity proofing process. So my recommendation: collect as much information as you can.
Also use the behavior context information. For example, there are some mobile phones known for compatibility issues. So you can use that information to improve the process. And that means plan for comprehensive statistics and reporting dashboards for the business right from the start, so the business can see what has an impact on conversion rate and where users are dropping. Also important to prevent fraud and abuse. So my recommendation here: add the reporting, monitoring, logging, add that as part of the solution, as part of the RFP, if you do an RFP.
And with that I'm at the end of my presentation, and I hand back to John. Great, well, thank you. That was really informative. You know, when you build and test one of these systems, you've got to have artificial identity documents. That's probably something that not everyone thinks of, you know. And then looking at the different data points, you know, about where users might be getting hung up in these different processes. There are so many different things to consider, like what kind of phone or, you know, what operating system version you might be using.
So let's take a quick look at our poll results. I think these are pretty interesting. The first question was: what are the main drivers for remote identity verification? And not unsurprisingly, it was AML compliance number one, followed quickly by usability improvements. That accounts for three quarters of the respondents right there. So the user experience is definitely not the driver. Most, I mean, from my perspective, it's related to usability improvements and the demand of clients of having a 7/24 hours self-service onboarding solution. And AML compliance is certainly.
I mean, I'm talking about Switzerland. Switzerland just introduced this option of having remote identity verification in all sorts of contracts, including credit contracts. That is certainly a driver, yes. Great. Next one, please. So: do you have, or are you looking for, remote onboarding? Not currently planned is the predominant response here, but about 42 percent. So that's good. Okay, well, thanks for showing those. Let's take a look at our questions then, which we received quite a few questions. Just a second. Screen back in place here. So the first question is.
Most of these points. Face and voice can be faked with AI nowadays. Is there a new policy that handles this problem? PSD2 sounds outdated with this new challenge. Well, yeah, we're certainly learning about attacks that make the news, at least, where these kinds of things do happen. But I think, you know, liveness detection, what we have been talking about, is designed to help prevent that, same thing with the presentation attack detection. Anything you'd like to add there, Pascal? Yeah, I mean, if it's about the attack vectors for biometrics, I can talk about facial biometrics.
My recommendation is to use a third party. Do not trust the vendor promises. Most of the vendors have some sort of certification, like iBeta. But that doesn't, from my experience and from testing, that doesn't really mean they have good security controls, PAD controls in place, presentation attack detection controls in place. So I would always engage an independent third party vendor that is specialized in biometric penetration testing and verify the results, that's all the promises that vendors are giving you in an RFP. So, I mean, I've done that.
For several products, and I've seen a massive difference between what vendors promised and the effective, the control effectiveness. And I believe the FIDO Alliance has security certifications that look at biometrics, like the FAR, FRR, ER, those kinds of things too. Yes. Yeah. Let's see: should biometrics make traditional passwords obsolete, or should they be used together more frequently? Well, you know, my feeling about passwords is I'm kind of sick of them, and, you know, I do believe that some of the latest implementations of things like facial recognition.
Fingerprint recognition are better than most, let's say, at least six digit PINs. But, you know, the problem with passwords and passcodes is they can be stolen, they can be leaked. I would prefer just to see them go away. Obviously there are other kinds of attacks that we've talked about here that can happen against biometrics. But I think overall, when done right, usability certainly improves when you're more reliant on biometric authentication than password. What do you think, Pascal? Yeah, I share your opinion regarding passwords. I think everyone does.
And I believe biometrics is the future, and AI is the game changer here really. I mean, traditionally there was kind of the fear that biometrics could be stolen. But biometrics in combination with artificial intelligence makes it a much more secure factor than a possession factor or a knowledge factor like passwords. So I believe in biometrics only for the future. That's my personal view. But I've seen the advantages for clients, and I've seen the positive feedback from clients when going through such a process, especially for recovery. You don't have to scan the passport.
If you just have to do the liveness detection, people love it. Well, yeah, I don't know if anybody else has noticed, but most of the time you can use face or fingerprint ID, but occasionally it will say you have to enter your passcode or your password in order to be able to use those features then. Of course that's always at the most inconvenient time. But then I think, okay, if you're going to go down that route, then all you have to do is keep failing biometric authentication enough, and then you can always use passcode anyway. So if you've stolen a phone, I guess that's what they do.
That's more secure. We're running out of time here. Let's just kind of go through here. You highlighted usability and inclusion as key evaluation criteria. Can you give more context around choosing, say, a liveness provider in this scenario? Yeah, it's probably what I said before regarding active, passive. You also have to ensure that the technology that a vendor provides does not allow video injection, for example. So I would say usability is key. How many. That it's in a convenient and intuitive process. And best thing is, as I said, ask your mom and see how that works.
And then the second one is really the robustness, the robustness against attacks, against presentation attacks. And here I can only recommend to test yourself and do not believe numbers. Okay. Let's skip down here real quick and take a few more. If mobile is assumed to be compromised, how to guarantee the data collected by the phone has not been tampered with? And then the third one. Is the back end. You know, you mentioned SDKs. There are, you know, fraud reduction intel platform providers that provide SDKs that do many of the things that you're talking about here today.
But also can check for things like evidence of malware, evidence of the phone is, say, in the wrong hands. Or the TEE. I think there are a number of different ways that ultimately you can fail safe, and you would not be able to use the credential if it looked like the device itself was compromised. Any thoughts on that? Yeah. I mean, specifically around the document scanning, the data that comes from the chip is digitally signed. As I said in my presentation, it's digitally signed by the issuing country, and that ensures that the data was not modified, tampered in between.
That's the beauty of this e-passport, biometric passport solution. You can trust the data because you can verify the data, and you can check whether it's genuine. And as you said, I mean, there are lots of other technologies to ensure that the device is not rooted or is not a virtual device. There are lots of these kind of technology that you can use as a first line of defense. And then the second one is confirming or validating the signatures. Okay. We'll take one quick last one here. We're almost out of time. But several questions are related to AI deep fakes. You mentioned PAD testing.
If the threat landscape is evolving into generative AI, such as deep fakes. You can't trust. That's what I said before. No, you shouldn't. You shouldn't trust. When you do an RFP, and if you have your shortlist, I can only recommend from my personal experience: go search a third party provider that helps you testing, someone that is specialized on that. That will guarantee in the end that the vendor does deliver what they promise. Great. Well, we're at the top of the hour. Thanks everyone for joining. Thanks, Pascal. Great presentation. Great insights. And this will be available soon.
So I hope you join us for our next event and our webinar.