Behavioral biometrics — the coding of a user's actions to verify their identity — seems to possess all the elements that banks want in security technology.
It’s painless for customers to use and it’s hard for criminals to spoof. And it’s not subject to the same kinds of privacy protection regulations as other biometrics — such as a thumbprint or a retina scan.
The technology's growing popularity is reflected in new growth plans at the behavioral biometrics firm BioCatch. It closed a $30 million round of financing led by Maverick Ventures, along with American Express Ventures, NexStar Partners, Kreos Capital, CreditEase, OurCrowd, JANVEST Capital and other existing investors.
BioCatch, which is based in New York and Israel, will use the financing to explore new use cases and expand into other industries beyond financial services.
Behavioral biometrics has been especially attractive to bankers because it adds a layer of security that doesn’t create any friction for customers as it works totally in the background, said Julie Conroy, director of research at Aite Group.
No financial institution can rely on any one kind of technology to defend itself, she said, but the kind of data that BioCatch collects is particularly hard for fraudsters to copy: subtle movements like the way a customer swipes across the screen to unlock their phone, or the way they hold it during a voice call.
That lack of annoyance to the customer is a major reason that Experian adopted BioCatch as a third-party provider for its CrossCore security platform that it markets to financial institutions of all sizes, as well as telecommunications companies and online retailers.
“The thing about most of these behavioral biometrics is that they’re passive. They’re happening in the background and the end user doesn’t feel intruded upon,” said Kathleen Peters, Experian’s senior vice president of global fraud and security.
BioCatch is now exploring other use cases, like authenticating new customers at the time of sign-up, said Frances Zelazny, vice president of marketing at BioCatch. It is also expanding into other industries, such as payroll processing and insurance, she said.
Although BioCatch does not say how many financial institutions it works with, it currently sifts through about 5 billion transactions per month and has around 60 million users within its system, Zelazny said.
Other product providers are also getting into the behavioral biometrics space. Al Pascual, head of fraud and security at Javelin Strategy & Research, says that is a good indicator of its success and popularity. Increasingly, companies in need of fraud prevention are asking their service providers whether they also offer those same behavioral biometrics protections.
“If you’ve worked with product managers, you know it takes a while to integrate those capabilities and things that show up on product road maps, but we’re actually seeing these capabilities being integrated with other solutions and they’re live,” Pascual said. “That tells you that in this short time frame since BioCatch came into existence, how much interest there really is.”
Another plus is that behavioral biometrics isn’t governed by the same kinds of privacy regulations as physiological biometrics. Illinois, Texas and Washington state have all passed laws either requiring companies to ask users to opt in to collection of biometric identifiers or governing how companies may use that kind of information. Similar measures have been proposed in a handful of other states, including Connecticut, California and Montana, but have failed.
Could it be the case that regulators simply haven’t gotten around to grouping behavioral biometrics into the same kinds of categories?
Never say never, Pascual said. Still, there are a few specific reasons that behavioral biometrics are highly unlikely to be regulated in the same way that physical biometrics are.
First, behavioral biometrics data is not considered to be personally identifiable information in the same way that data from physical biometrics is — and with good reason. A database of palmprints could be easily linked back to their owners, but movements on a touch screen, not so much.
As Zelazny puts it, “you can’t tell who somebody is based on their mouse movements.”
Secondly, behavioral information is important to advertisers, so restricting its collection and uses is a hard sell politically, Pascual said.
“Understanding what our behavior is has incredible value to folks like Google and Facebook and basically any advertiser,” he said. “To suddenly say, ‘If you see Al do something, then you can’t save that information and use it later,’ I don’t think you’re going to hear any legislator really push hard for that.”