Biometrics: Compelling Business Case, But Beware Hidden Risks – Part 1

This article is one of several we have published examining cybersecurity issues. Such security has become even more critical at a time when so many wealth management professionals work from home, a trend that had been under way for some time and has been accelerated by the pandemic.
Continuing our focus on the cybersecurity and data protection
challenges exacerbated by COVID-19, we now turn to the boom in
biometric authentication.
Part 1 of this feature unpicks the compelling business case for
verifying the identity of staff and clients using this
technology; Part 2 will dig deeper into the technological choices
and hidden risks wealth managers need to be aware of.
One potentially significant upside to the COVID-19 crisis is a
massive acceleration of the wealth management sector’s
digitisation - necessity being the mother of invention or, more
accurately here, adoption. Barriers are being swept away as
circumstances compel firms to implement solutions that many would
argue they should already have had in place. The impetuses
behind the rollout of enhanced performance reporting, client
communication portals, video conferencing and instant messaging
have suddenly become very strong indeed.
This is particularly true of biometric authentication, technology
that verifies an individual’s identity through biological or
behavioural characteristics. The concept may not be particularly
novel in financial services as over the years institutions have
variously implemented, or at least piloted, dactyloscopy
(fingerprint identification), face recognition, voice patterning,
iris/retina scans and even electrocardiograms to boost security.
What is new - technology vendors tell us - is the rocket-fuelled
take-up of this technology in the financial services sector, now
that business is being carried out almost exclusively in the
digital sphere, and outside institutions’ walls.
As this publication has recently explored, the home working
environment may in itself be far from ideal from a cybersecurity
and data protection perspective. At the same time, cybercriminals
have all too predictably moved to exploit the disruption by
massively ramping up their efforts to steal information and
identities. The pandemic has created an acute need to beef up
security to protect systems, devices and data. As a result, these
are boom times for biometrics across sectors, but particularly in
tightly regulated ones dealing with valuable and often very
sensitive data, as wealth managers most assuredly are (such data
may often fall under the GDPR’s Article 9 definition of “special
category” data).
The weakest link
Single-factor authentication via a password or phrase has long
been regarded as antediluvian by security experts; at best, these
should only form part of Multi-Factor Authentication (MFA)
methodologies. “Brute force” attacks are easier than ever with
cracking technology, but it is well acknowledged that human
beings are the weakest link in the security chain. Even with
training, people are all too vulnerable to increasingly
sophisticated “social engineering” tricks like phishing emails
aimed at eliciting key information, along with other lapses like
writing verification details down. The sheer volume of what we
have to remember means the average internet user has to reset a
password almost once a week.
Nonetheless the scale - and escalation - of the problem may still
surprise. “Passwords are responsible for over 80 per cent of data
breaches, and there has been a 667 per cent increase in funded
cyberattacks on them since February,” notes James Stickland, CEO
of Veridium.
The costs arising from data breaches are several and serious.
Under the General Data Protection Regulation, supervisory
authorities are empowered to issue fines of up to €20 million or
4 per cent of annual global turnover for the most egregious data
protection breaches, but there is also provision for individuals
to seek redress through the courts for material and non-material
damage under Article 79. Reputational risk is naturally also
a huge concern in the private client space.
Password pain
However, what might not be so well recognised are the costs and
loss of productivity associated with resetting compromised (or
simply forgotten) passwords. As this cybersecurity feature
highlights, password expiration is another issue exacerbated by
the current dispersion of workers. “By ridding company processes
of passwords, businesses will not be so vulnerable to phishing
attacks, saving them the costs of a data breach,” Stickland
explains. “But businesses can also save themselves millions of
pounds in costs associated with resets and increase productivity
across all departments.”
The seriousness with which financial institutions have to
approach security means that they have long favoured MFA, where
usernames and passwords are combined with a second or third
factor. Importantly, as Gerhard Oosthuizen, chief technology
officer at Entersekt, points out, strong authentication calls for
variety. “A combination of different types of authentication
factors is always stronger than using only one factor, or even
more than one factor of the same type,” he explains.
Familiar options to bolster “something you know” factors include
possession of devices such as cards and key fobs or
one-time passcodes sent via “out of band” channels like email and
SMS (or, in their more modern form, generated by standalone
apps). However, to varying degrees these may be vulnerable to
theft or hacking, as well as adding unwanted friction to the
authentication process. For reasons of both convenience and
cybersecurity, the view of experts like Stickland is that “MFA
must move away from methods that verify what you have or know,
towards ones that verify who you are.”
Pushing on an open door
Wealth managers would be justified in thinking that they are
pushing on an open door here with clients, as most will be well
used to unlocking their smartphones with fingerprint or face
identification - as well as using biometric authentication for
mainstream banking apps. Indeed, many will have experienced
entirely digital onboarding for digital native services using a
combination of photo ID and selfies.
It could also be said that expectations (or at least hopes) of a
seamless digital experience apply equally to wealth management
personnel, who, already time-pressed, are now working under even
greater pressure. An aversion to clunky authentication procedures
will be particularly strong among the born-digital generation of
advisors coming up, making their eradication a matter of talent
management as well as productivity.
Answers in our hands
As with so much today, the answer may be literally in our hands
in the form of smartphones. Verifying identities in this way
has several benefits beyond familiarity and the not
inconsiderable cool factor. As Darren James, technical lead at
Specops Software, explains: “Mobile device-based biometrics offer
three factors rolled into one: the phone itself is the ‘something
you have’; a PIN, the ‘something you know’; and your face or
finger is ‘something you are’. This is why financial institutions
like to use them so much for their mobile apps.”
The fact that staff and clients will invariably have biometrics
hardware already in their pockets is a further boon to the mobile
option, James continues: “Biometrics choices tend to depend on
what firms already have. Buying additional hardware, especially
if it’s for a single purpose, is usually cost prohibitive and a
barrier to adoption.”
By the same token, the need for speedy rollouts is a further
factor - wealth managers, like everyone else, having been bounced
into remote working with very little notice. As previously
explored, recent weeks will have seen very rapid evolution (and
remediation) in everything from extending network security to
encompass home working, to practicalities like providing privacy
filters for screens and updating IT and data protection
policies.
Beset by emerging risks, and under immense time pressure, firms
may find biometric authentication methods heaven-sent. However,
as will be explored next, there are also very serious risks that
wealth managers need to be aware of.