In this blog post, Jonas Kullgren discusses how your digital footprint and transaction data can be used for payment authentication.
Inherence, or “something a person is”, is one of the three authentication factors used for strong customer authentication. Today, face recognition and fingerprints are used to sign you into your online banking app. How can your digital footprint and transaction data be used for payment authentication?
A joint industry statement signed by leading players in the payments industry in August 2019 applauded the EU Commission’s efforts to reduce fraud numbers by using strong customer authentication (SCA). At the same time, the co-signers raised concerns about the implementation impacts of SCA. They asked the European Banking Authority (EBA) to encourage the financial industry to develop data-driven inherence (“who you are”) factors. One year earlier, at its summit in Japan, Gartner presented the concept of “corroboration”, meaning that your digital identity is confirmed by “real-life events”. This can be translated into “data analysis on transactional behaviour”.
When the second Payment Services Directive (PSD2) was fully implemented across Europe in September 2019, with the Regulatory Technical Standards on strong customer authentication (SCA) becoming applicable, one of the major topics of discussion was how SCA would affect end-consumer behaviour. The discussion is still ongoing, as enforcement of the SCA requirements has been postponed until the end of December 2020. It was also intensely discussed how the financial industry could secure customer confidence in payments without affecting the frictionless experience of executing a payment transaction.
To carry out a payment that does not fall under any of the exemptions in the Regulatory Technical Standards (PSD2 RTS on SCA), a two-factor authentication procedure must take place on the consumer side. It must include at least two of the three authentication elements defined in PSD2: knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a registered phone or card) and inherence (something the user is, such as a fingerprint or face).
TietoEVRY’s Financial Crime Prevention Team helps our customers to build profiles on entities to protect end users from becoming victims of fraud and to safeguard institutions against criminals seeking to use financial systems to conduct illegal activities.
By combining data points from several sources, we can create entity profiles that make us (almost) certain of who is trying to execute a transaction. With consent from the end customer, we can use, for example, device data, where analytics on accelerometer readings measure how the device is handled. Unsupervised machine learning models can help us estimate which transactions are likely to occur for a given entity.
While our Financial Crime Prevention Team writes rules for known fraud patterns, supervised machine learning is used to forecast emerging risk patterns. By comparing each real-time transaction with the entity’s own historical transaction data and with the behaviour of its peers, we can corroborate the identity of the entity. What’s more, by understanding the network surrounding the person with the help of other digital markers, we create a “who you are” model based on types of information other than biometric data.
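As an added example (not TietoEVRY’s code or model), the block below sketches the corroboration logic described above in a deliberately simple form: an entity profile is built from historical transactions, a peer-segment profile is built from the whole segment, and a live transaction is scored on how far its amount deviates from both and on how novel its device, country, time window and merchant category are for that entity. Below a threshold the profile corroborates the payer; above it the payment falls back to a step-up challenge. All entity names, device identifiers, sample transactions, weights and the threshold are assumptions constructed for the illustration; a production system would fit the weights to labelled fraud outcomes rather than hand-pick them.

```python
# Added example, not TietoEVRY's code. Hypothetical entity-profile corroboration
# score for payment authentication; all data and weights below are constructed.
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    entity: str      # account or customer identifier (assumed pseudonymous)
    amount: float    # in the account currency
    hour: int        # local hour of day, 0-23
    country: str     # country of the merchant or the device
    device_id: str   # pseudonymous device fingerprint
    mcc: str         # merchant category


# Constructed sample history (not real data): two customers in one peer segment.
HISTORY = [
    Txn("A-1", 20.0, 8, "SE", "dev-alice", "grocery"),
    Txn("A-1", 35.0, 12, "SE", "dev-alice", "grocery"),
    Txn("A-1", 50.0, 18, "SE", "dev-alice", "fuel"),
    Txn("A-1", 25.0, 9, "SE", "dev-alice", "grocery"),
    Txn("A-1", 40.0, 13, "SE", "dev-alice", "fuel"),
    Txn("A-1", 30.0, 19, "SE", "dev-alice", "grocery"),
    Txn("A-1", 45.0, 10, "SE", "dev-alice", "fuel"),
    Txn("A-1", 55.0, 14, "SE", "dev-alice", "grocery"),
    Txn("B-2", 200.0, 11, "SE", "dev-bob", "electronics"),
    Txn("B-2", 150.0, 15, "SE", "dev-bob", "grocery"),
    Txn("B-2", 180.0, 20, "NO", "dev-bob", "travel"),
    Txn("B-2", 220.0, 12, "SE", "dev-bob", "electronics"),
    Txn("B-2", 170.0, 17, "SE", "dev-bob", "grocery"),
    Txn("B-2", 190.0, 9, "SE", "dev-bob-laptop", "travel"),
]


def hour_bucket(hour):
    """Collapse the hour of day into four 6-hour windows (night/morning/afternoon/evening)."""
    return hour // 6


@dataclass
class Profile:
    n: int
    amount_mean: float
    amount_std: float
    hours: Counter
    countries: Counter
    devices: Counter
    mccs: Counter


def build_profile(txns):
    """Summarise a set of transactions (one entity, or a whole peer segment) into a profile."""
    amounts = [t.amount for t in txns]
    return Profile(
        n=len(txns),
        amount_mean=mean(amounts),
        amount_std=max(pstdev(amounts), 1.0),  # floor so a flat history still gives a finite z-score
        hours=Counter(hour_bucket(t.hour) for t in txns),
        countries=Counter(t.country for t in txns),
        devices=Counter(t.device_id for t in txns),
        mccs=Counter(t.mcc for t in txns),
    )


def novelty(counter, key, n):
    """Surprise (-log p) of seeing `key` given the history; Laplace smoothing keeps unseen values finite."""
    p = (counter[key] + 1) / (n + len(counter) + 1)
    return -math.log(p)


# Weights are assumptions for the example; a real system would fit them to labelled outcomes.
WEIGHTS = {"amount_vs_own": 1.0, "amount_vs_peers": 0.5, "device": 2.0,
           "country": 1.5, "time_window": 0.5, "merchant": 0.5}


def risk_components(own, peers, txn):
    """Per-signal deviation of one live transaction from the entity's own profile and its peers."""
    return {
        "amount_vs_own": abs(txn.amount - own.amount_mean) / own.amount_std,
        "amount_vs_peers": abs(txn.amount - peers.amount_mean) / peers.amount_std,
        "device": novelty(own.devices, txn.device_id, own.n),
        "country": novelty(own.countries, txn.country, own.n),
        "time_window": novelty(own.hours, hour_bucket(txn.hour), own.n),
        "merchant": novelty(own.mccs, txn.mcc, own.n),
    }


def risk_score(components):
    return sum(WEIGHTS[k] * v for k, v in components.items())


def decide(score, threshold=6.0):
    """Below the threshold the profile corroborates the payer; above it, fall back to a step-up challenge."""
    return "corroborated" if score < threshold else "step_up"


def evaluate(history, txn):
    """Build the entity's own profile and the segment (peer) profile, then score the live transaction."""
    own = build_profile([t for t in history if t.entity == txn.entity])
    peers = build_profile(history)
    comps = risk_components(own, peers, txn)
    score = risk_score(comps)
    return decide(score), round(score, 3), comps


if __name__ == "__main__":
    usual = Txn("A-1", 38.0, 12, "SE", "dev-alice", "grocery")
    new_device_abroad = Txn("A-1", 40.0, 12, "BR", "dev-unknown", "grocery")
    for t in (usual, new_device_abroad):
        decision, score, comps = evaluate(HISTORY, t)
        print(decision, score, {k: round(v, 2) for k, v in comps.items()})
```

The second transaction has an entirely ordinary amount for this customer; it is the combination of an unseen device and an unseen country that pushes it over the threshold, which is the point of profiling on several signals rather than on amount alone. Note that the per-entity history is tiny here, so the smoothed novelty of a first-time value is large; with longer histories the same logic becomes more tolerant of occasional new devices.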
Is it possible to replace fingerprints or face recognition technology with data analysis? Can authentication data be combined with transaction data and consumer behaviour into entity profiles in a way that is both secure and fast enough to reduce friction? The answer is yes – and yes. With the data we have, we can secure your transaction, protect you from fraud and safeguard institutions from being exploited by criminals by corroborating your identity.
When applying advanced analytics (AI) and profiling to transactions, it is imperative to take GDPR into account, as these processes often involve personal data (data-driven inherence). At the same time, from a regulatory perspective one must bear in mind the far-reaching obligation financial institutions have to prevent financial crime. The use of personal data for identification and authentication purposes is crucial to avoid fraudulent third-party events, cybercrime and financial crime. GDPR Recital 71 explicitly names fraud monitoring and prevention among the purposes for which automated decision-making, including profiling, may be authorised by Union or Member State law, and Recital 47 names fraud prevention as a legitimate interest of the controller. As with all processing of personal data, purpose limitation applies: profiles built for financial crime prevention must not be repurposed for anything outside that lawful basis.
Against the backdrop of GDPR, it must be kept in mind that this profiling and use of personal data serves solely to protect individuals and financial institutions from criminal events. In this context, data-driven inherence combined with biometrics and behavioural data is in fact a key prerequisite for protecting individuals and their personal information from criminal third parties.