The lack of regulation in remote massive services for financial institutions limits the adoption of new technologies and innovation. In Colombia, the Financial Superintendency published a document at the end of 2019 that makes some modifications regarding the use of biometric validation, which helps to build trust between parties and mitigate the risk associated with remote transactions. The advantages generated by a clear regulation not only benefit the financial sector but also other sectors that want to make use of identity validation in their digital processes.
Identity validation in remote services
The implementation of massive and remote services benefits considerably from a clear regulation, since on the one hand it allows the parties involved in a transaction to develop a relationship of trust, and on the other hand it establishes security parameters that mitigate the risk of fraud. A clear example of the benefits of a regulation on the use of new technologies occurred in 2014 in Germany [FLA2019], where the first regulation emerged that made it possible to establish a person’s identity and generate a completely remote enrollment process via videoconferencing. This capability energized the digital ecosystem and promoted the emergence of digital banks such as N26, FidorBank or SolarisBank.
One aspect that is usually emphasized in this type of regulation is the adaptation to risk, i.e., the identity validation mechanism chosen must offer a level of security proportional to the risk of the transaction. This is because a higher level of security is associated, on the one hand, with greater technical complexity (cost) and, on the other, with a higher degree of friction with the user. For example, NIST [NIS2017], which is responsible for standardizing identity validation processes using digital identity in the United States, defines 3 levels for identity assurance (IAL) and 3 levels for authentication assurance (AAL).
The use of biometric techniques is generally associated with less friction with the user and has the advantage that there are different technologies that can be adapted according to the level of risk. For example, in high-risk scenarios, where the presence of the person is required and specialized equipment is available, iris recognition may be relevant. On the other hand, when it is a remote event, facial recognition by means of photos taken by cell phones is widely used. Therefore, by fostering greater ease of access to digital services, regulation oriented to the use of biometric technologies serves as an enhancer of financial inclusion in Latin America, where according to the World Bank [WB2017] in 2017 only 55% of adults had a bank account.
External Circular 029 of 2019. Superintendencia Financiera de Colombia
The document titled “External Circular 029 of December 2019 of the Financial Superintendency of Colombia” [SFC2019] “modifies the Basic Legal Circular regarding minimum security and quality requirements for conducting operations and access and information to financial consumers and the use of biometric factors”.
Among the modifications in this document, two refer directly to identity validation: the first classifies authentication mechanisms and establishes specific requirements for their use in certain scenarios; the second establishes the requirements for implementing biometric factors in identity validation.
Strong authentication mechanisms
Strong authentication mechanisms are defined as follows:
“2.2.6.1. Biometrics in combination with a second authentication factor for remote transactions. The use of a second authentication factor shall not be required for face-to-face transactions.
2.2.6.2. Digital signature certificates in accordance with the provisions of Law 527 of 1999 and its regulatory decrees.
2.2.6.3. OTP (One Time Password), in combination with a second authentication factor.
2.2.6.4. EMV-compliant cards, in combination with a second authentication factor.
2.2.6.5. Registration and validation of some characteristics of the computers or mobile equipment from which the operations will be carried out, in combination with a second authentication factor.”
In other words, biometrics can be used for remote processes only when combined with a second authentication factor. The same applies to OTPs (generally sent via SMS) and to what is known as the “digital device trace”, i.e., the set of technical characteristics that identify the device from which the user connects to the service. A combination of these three elements therefore provides strong authentication in remote financial processes.
Additionally, the circular establishes when strong authentication must be used. Its use is mandatory in two cases:
“2.3.3.1.27.1. The updating of customer data for notification of monetary transactions or generation of alerts (e.g., email, cell phone).
2.3.3.1.27.2. Transactions made with debit and credit cards, in national territory, in the present environment, when the issuer is Colombian, and the parameters established in compliance with the provisions of sub-number 2.3.3.3.1.26. of this chapter are exceeded.”
Beyond these two cases, entities must perform a risk analysis to establish when it is appropriate to use this type of authentication; the risk may be associated, for example, with the volume of transactions, the amount, the time of day or the type of transaction. The regulation is therefore consistent with international efforts that adapt authentication levels to the level of risk. In addition, by establishing which types of authentication are considered valid, it sets clear rules that allow both users and institutions to build relationships of trust.
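The two rules above, the strong-authentication list (2.2.6.1 to 2.2.6.5) and the risk-based trigger, can be expressed as a small policy engine. The following Python example is added here as an illustration; it is not code from the circular or from reconoSER ID. The factor names, the transaction fields, the amount and volume thresholds and the night-hour window are all constructed assumptions standing in for the parameters an institution would derive from its own risk analysis.

```python
"""Risk-adaptive strong-authentication check.

Added illustration based on the strong-authentication list quoted above
(2.2.6.1 to 2.2.6.5) and on the risk factors the text names (amount, time
of day, transaction type, volume). Thresholds and field names are
constructed; a real institution derives them from its own risk analysis.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Set, Tuple


class Factor(Enum):
    BIOMETRIC = "biometric"                  # 2.2.6.1
    DIGITAL_SIGNATURE = "digital_signature"  # 2.2.6.2 (Law 527 of 1999)
    OTP = "otp"                              # 2.2.6.3
    EMV_CARD = "emv_card"                    # 2.2.6.4
    DEVICE_TRACE = "device_trace"            # 2.2.6.5
    PASSWORD = "password"                    # not listed as strong on its own


# Elements the circular lists as strong only "in combination with a second
# authentication factor".
PAIRED_PRIMARIES = {Factor.BIOMETRIC, Factor.OTP, Factor.EMV_CARD, Factor.DEVICE_TRACE}

# Constructed policy parameters (assumptions for the example).
AMOUNT_THRESHOLD = 1_000_000      # constructed currency units
NIGHT_HOURS = range(0, 6)         # local hours treated as higher risk
DAILY_COUNT_THRESHOLD = 10        # transactions per customer per day
MANDATORY_KINDS = {"update_contact_data"}   # 2.3.3.1.27.1


@dataclass(frozen=True)
class Transaction:
    kind: str          # "update_contact_data", "card_payment", "balance_query", ...
    amount: float
    remote: bool       # True for non-face-to-face channels
    hour: int          # local hour, 0-23
    daily_count: int   # transactions already made by this customer today


def is_strong(factors: Set[Factor], remote: bool) -> bool:
    """True if the presented factors satisfy the circular's definition.

    A digital signature certificate qualifies on its own (2.2.6.2).
    Biometrics qualify alone only face to face (2.2.6.1). Every other
    listed element needs a second, distinct factor; the example assumes any
    distinct factor (including a password) counts as that second factor.
    """
    if Factor.DIGITAL_SIGNATURE in factors:
        return True
    if Factor.BIOMETRIC in factors and not remote:
        return True
    return bool(factors & PAIRED_PRIMARIES) and len(factors) >= 2


def requires_strong(tx: Transaction) -> bool:
    """Decide whether strong authentication is required for this transaction."""
    if tx.kind in MANDATORY_KINDS:
        return True
    # 2.3.3.1.27.2: present-environment card transactions beyond the
    # entity's parameters (modelled here by the constructed amount threshold).
    if tx.kind == "card_payment" and not tx.remote and tx.amount > AMOUNT_THRESHOLD:
        return True
    # Entity's own risk analysis: amount, time of day and volume.
    return (tx.amount > AMOUNT_THRESHOLD
            or tx.hour in NIGHT_HOURS
            or tx.daily_count > DAILY_COUNT_THRESHOLD)


def authorize(tx: Transaction, factors: Set[Factor]) -> Tuple[bool, str]:
    """Combine the risk decision with the factor check."""
    if not requires_strong(tx):
        return True, "low risk: basic authentication accepted"
    if is_strong(factors, tx.remote):
        return True, "strong authentication satisfied"
    return False, "strong authentication required but not satisfied"


if __name__ == "__main__":
    # Constructed scenarios.
    remote_update = Transaction("update_contact_data", 0, True, 14, 1)
    print(authorize(remote_update, {Factor.BIOMETRIC}))               # (False, ...)
    print(authorize(remote_update, {Factor.BIOMETRIC, Factor.OTP}))   # (True, ...)
    branch_payment = Transaction("card_payment", 2_500_000, False, 11, 2)
    print(authorize(branch_payment, {Factor.BIOMETRIC}))              # (True, ...)
```

The split between requires_strong and is_strong mirrors the structure of the circular: the first function answers "does this transaction need strong authentication" (mandatory cases plus the entity's own risk analysis), the second answers "do the presented factors count as strong", so either side can be tuned without touching the other.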
Requirements for the use of biometrics as authentication factor
One of the main aspects of the circular regarding the use of biometrics as an authentication factor is verification against the database of the National Civil Registry (RNEC), against the entity’s own databases, or against the future operators of digital citizen services or digital identity, which will be authorized by the National Digital Agency. This validation is especially relevant considering that the RNEC is the national agency in charge of identifying all citizens, and therefore the highest authority able to verify a person’s identity. Additionally, specific security measures are established for the protection of personal data when companies keep their own database.
On the other hand, when biometrics are used for authentication, proof-of-life measures must be contemplated as follows:
“2.3.9.4. In the implementation of biometric factors, proof-of-life mechanisms should be contemplated to strengthen the reliability and security of the system such as: i) measurement of physiological properties of the individual, ii) identification of human behavioral responses, or iii) challenge-response protocols.”
This aspect is very important, since static biometric schemes can present significant vulnerabilities, such as allowing a person’s identity to be validated by means of a photo or video. This undermines trust between the parties and increases the risk associated with identity validation. In reconoSER ID we provide both active and passive liveness detection solutions to address this issue.
Implementation of authentication solutions
One of the aspects addressed by Circular 029, in line with international standards, is matching the type of authentication to the level of risk; for this purpose it defines strong authentication and sets conditions for the use of biometrics as an authentication factor. The selection of an adequate authentication method directly affects the user experience, since some methods generate greater friction and therefore lower acceptance of the service.
In the case of reconoSER ID, facial recognition is used as the primary authentication element, and to ensure that the transaction happens in real time, a “liveness detection” test is performed that includes challenge-response mechanisms composed of movements and gestures that do not generate friction with the user. Likewise, in order to comply with the regulation discussed in this document, this authentication method can be combined with others. One of them is the validation of the identity document, performed against the National Identity File (ANI) offered by the RNEC. The process performed by reconoSER ID includes validating the internal consistency of the document by comparing the printed text with the information encoded in the barcode, extracting the photo from the document and comparing it with the enrollment or validation photo, and analyzing anomalous components that indicate a forged identity document. Additionally, an OTP can be sent by e-mail or SMS, a channel that can be offered in most of the country thanks to the coverage of 2G cellular technologies. Finally, other elements of the solution make it possible to identify the user’s electronic device, such as its IP address or operating system, among others. Complementary elements to establish a person’s identity can also be used, thanks to public databases. These different possibilities not only comply with the regulation but are also flexible enough to adapt to the different security policies established by financial institutions.
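The internal-consistency step mentioned above, comparing the text printed on the document with the data encoded in its barcode, is shown below as an added Python example. It is not reconoSER ID’s code, and the barcode payload format used here (KEY=VALUE pairs separated by “|”) is constructed for the example; it is not the encoding of any real identity document. The sample OCR fields and payloads are likewise constructed. The normalization step matters because OCR output and barcode data differ in case, accents and spacing, and a check without it would flag genuine documents as inconsistent.

```python
"""Internal-consistency check of an identity document.

Added illustration: fields read by OCR from the printed face of a document
are compared with the fields decoded from its machine-readable barcode.
The 'KEY=VALUE|KEY=VALUE' payload format is constructed for the example and
is not the encoding used by any real document.
"""
import unicodedata
from typing import Dict, List

# Fields compared between the printed face and the barcode (constructed names).
COMPARED_FIELDS = ("ID_NUMBER", "SURNAME", "GIVEN_NAMES", "BIRTH_DATE")


def normalize(text: str) -> str:
    """Uppercase, strip accents and collapse whitespace so that OCR noise such
    as 'Pérez  Gómez' vs 'PEREZ GOMEZ' is not reported as a mismatch."""
    decomposed = unicodedata.normalize("NFKD", text)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(without_accents.upper().split())


def parse_barcode(payload: str) -> Dict[str, str]:
    """Decode the constructed 'KEY=VALUE|KEY=VALUE' barcode payload."""
    fields: Dict[str, str] = {}
    for item in payload.split("|"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed barcode item: {item!r}")
        fields[key.strip().upper()] = value.strip()
    return fields


def check_consistency(ocr: Dict[str, str], barcode_payload: str) -> Dict[str, object]:
    """Compare each field; a field absent on either side is reported as missing
    rather than silently skipped, since a forged document may omit data."""
    barcode = parse_barcode(barcode_payload)
    mismatches: List[str] = []
    missing: List[str] = []
    for key in COMPARED_FIELDS:
        if key not in ocr or key not in barcode:
            missing.append(key)
        elif normalize(ocr[key]) != normalize(barcode[key]):
            mismatches.append(key)
    return {"match": not mismatches and not missing,
            "mismatches": mismatches, "missing": missing}


# Constructed sample data.
SAMPLE_OCR = {"ID_NUMBER": "12345678", "SURNAME": "Pérez  Gómez",
              "GIVEN_NAMES": "Ana María", "BIRTH_DATE": "1990-05-17"}
SAMPLE_BARCODE_OK = ("ID_NUMBER=12345678|SURNAME=PEREZ GOMEZ|"
                     "GIVEN_NAMES=ANA MARIA|BIRTH_DATE=1990-05-17")
# Same document with the printed birth date altered relative to the barcode.
SAMPLE_BARCODE_TAMPERED = ("ID_NUMBER=12345678|SURNAME=PEREZ GOMEZ|"
                           "GIVEN_NAMES=ANA MARIA|BIRTH_DATE=1985-05-17")
SAMPLE_BARCODE_INCOMPLETE = "ID_NUMBER=12345678|SURNAME=PEREZ GOMEZ|BIRTH_DATE=1990-05-17"

if __name__ == "__main__":
    print(check_consistency(SAMPLE_OCR, SAMPLE_BARCODE_OK))
    print(check_consistency(SAMPLE_OCR, SAMPLE_BARCODE_TAMPERED))
    print(check_consistency(SAMPLE_OCR, SAMPLE_BARCODE_INCOMPLETE))
```

In a real pipeline this check sits alongside the photo comparison and the anomaly analysis the paragraph describes; a mismatch or a missing field is a signal to be weighed with those results, not a final verdict on its own.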
Conclusions
The Superintendencia Financiera de Colombia has generated a regulation that allows the actors involved to define the types of electronic authentication that are valid for financial transactions, which serves as a guide for non-face-to-face identity validation processes in all types of industries. The regulation presented seeks to guarantee minimum security measures and define mechanisms adapted to the level of risk, which must be considered in the implementation strategies of non-face-to-face services in companies.
Diego Pacheco-Páramo
Translated by: Anasol Monguí
Bibliography
[SFC2019] Modificación circular externa 029. Superintendencia Financiera de Colombia. 2019. https://www.superfinanciera.gov.co/inicio/normativa/normativa-general/circulares-externas-cartas-circulares-y-resoluciones-desde-el-ano-/circulares-externas/circulares-externas–10099659
[FLA2019] Libro Blanco Iberoamericano. Identidad Digital. Fintech Iberoamérica. 2019.
[NIS2017] NIST Special Publication 800-63-3, Digital Identity Guidelines. 2017.
[WB2017] Universal Financial Access. The World Bank. 2017.