Biometrics Are Too Hot to Handle

Biometrics are so hot that hardly anybody is using them, at least in financial services. Despite the years of hoopla surrounding biometrics as the answer to all banking security problems, and despite banks' seeming to take an interest in this technology, biometrics (digitizing specific physical characteristics, such as the pattern of someone's iris, to verify identity) still have not taken off in financial services. Although some financial institutions are using biometrics in one form or another, they represent a drop in the bucket when compared with the number of financial companies worldwide. In addition, most biometrics initiatives by banks to date have been very limited in scale. Few have made it past the pilot stage.

Most experts attribute banks' lukewarm reception of biometrics technology to its cost. Although the price of biometrics devices has come down from the stratosphere, it apparently remains too high to overcome banks' propensity to move slowly in their approach to such developments.

But the interest is there. "Banks realize biometrics are not something to be ignored," says Jennifer Schmidt, a Meridien Research analyst and author of a study on biometrics in financial services institutions. Biometrics provide a unique advantage over other forms of security, such as user name and password, in that an individual's biometrics print is one-of-a-kind. Whether it's the pattern of blood vessels in the eye or the long-familiar thumbprint, no one else in the world has the same measurable characteristic.

There are several types of biometrics technologies, including facial scan, which uses certain points on one's facial structure to identify a person; finger scan, which analyzes, not one's entire fingerprint, but just particular points; and iris recognition, which measures the unique patterns of one's iris, such as the flecks and rings.

As to which biometrics banks should use, that all depends. Some biometrics are extremely accurate, such as retina scanning, which recognizes the blood- vessel pattern at the back of one's eye. Cost-wise, however, retinal devices are not too practical for, say, securing a bank's ATM fleet. On the other hand, retina scanning might be appropriate for use internally.

According to Schmidt's report, some banks are using biometrics for the physical security of buildings and select locations. This includes access to vaults and computer networks.

A more practical mass-market approach to biometrics for banks are devices that rely on existing infrastructure, according to Dr. Joseph Atick. The president and chief executive officer of biometrics company Visionics Corp. and co-founder of the International Biometrics Industry Association, says: "All biometrics have value. Face, finger and voice-recognition technology are unique. These rely on standard infrastructure. It's easy to have cameras on ATMs or the right kind of phone equipment."

Other biometrics, such as iris recognition, are not compelling to Atick because they are too expensive.

"It costs about $3,000 extra to equip an ATM with iris technology," he says.

Bill Willis, chief technology officer of Iridian Technologies Inc. which specializes in iris recognition technology, says banks "can get more bang for their buck" with iris reading machines. Iridian, for example, is taking the approach of creating a multi-purpose device.

"Iris recognition can enable a bank's computer network, can be used for Web access control, and for fraud prevention, not just at ATMs, but at full-service banking kiosks."

Additionally, Willis thinks that the next generation of mobile devices, like cell phones and personal digital assistants, will come with cameras by default.

"It is great for Iridian, because not only can a camera be used for taking snapshots or for doing conference calls, but it can enable iris recognition security for online transactions," he says. With this prediction in mind, Willis says, Iridian will begin marketing its devices to individuals as well as institutions.

It is the Internet-savvy consumer, not the average Joe, who will be most likely to purchase and use such devices, says Meridien's Schmidt. "Those who are comfortable banking online are likely to want [biometrics]. People are beginning to realize that with everything becoming Internet and mobile-oriented, there is a need for an added layer of security."

Once mobile devices are made biometrics-compatible, the next biggest obstacle-consumer acceptance-is expected to come tumbling down. For cost is not the only thing that makes banks reluctant to deploy biometrics on a broad scale. People are simply unaware of what biometrics is. Some are suspicious and don't want any of their physical features saved on some database. They are frightened of iris and retinal recognition because they believe a laser will scan their eyes a la Mission Impossible.

This fear is completely unfounded, says Iridian's Willis, because iris technology merely involves a camera with good optics. "We don't scan anything," he says.

Schmidt, meanwhile, adds that some people don't like facial scans for "aesthetic reasons. They think it's like getting their picture taken and they hate that."

As with any new technology, however, the right kind of education goes a long way in allaying consumers' doubts.

"There will always be people who are afraid of technology," says Visionic's Atick. "But user attitudes can be changed through good education." A great example of such a phenomenon is ATMs. When they first came on the scene, the public was reluctant to use them. Now banks can barely keep up with user demand for the machines.

While biometrics is often thought of principally as a means of securing computers, buildings, etc., financial institutions need to look at the technology as more of a fraud-prevention measure, which can be used in conjunction with other security solutions, such as PINs.

Some bankers think that once biometrics are in place, they can do away with PINs and ATM cards. Such was the case with Bank United.

Before it was acquired by Washington Mutual, Bank United possessed three ATMs with iris recognition technology provided by Sensar (Sensar has since been acquired by IriScan, creating Iridian). According to Joe Arbona, someone who was close to Bank United's biometrics initiative, the institution originally used the iris technology as "a marketing tool for promoting new locations" it gained after the Bank of America/NationsBank merger.

Bank United saw biometrics technology as a novel way of luring away customers dissatisfied with the new Bank of America. "We did focus groups and people said the iris technology was an added benefit for switching their assets from Bank of America to Bank United," Arbona claims. "It gave them peace of mind."

The souped-up ATMs were in Dallas, Houston and Fort Worth, Bank United's three major markets. People were not afraid of the iris recognition technology in this instance. Part of their initial acceptance may have been due to Bank United's having placed the machines in areas with universities nearby. College students are always searching for the next "cool" thing.

Bank United used the biometrics to eliminate PINs. ATM cards were still issued, however, so people could use them at point-of-service locations. By itself, killing the PIN sounds great. But experts say you can never have enough security. "Banks should look at biometrics as a dual service," says Atick, "as another level of security." Biometrics are compelling for fraud prevention, but not for eliminating PINs, he concludes.

In the end, the biometrics project was put on the back burner when Bank United merged with Washington Mutual. Arbona could not comment directly on Washington Mutual's plans for the technology, but he did say the financial institution is not going forward with biometrics to his knowledge.

The Bank United story is a tale of lost potential; after all, no sooner did the biometrics initiative take off than it found itself grounded. But, while the outcome may be disappointing for those who champion the technology, it's not atypical of biometrics' application in banking thus far.

Yet, on a positive note, there is a company called Innoventry that has made great headway in the area of biometrics in financial services. Innoventry manufacturers check-cashing kiosks using FaceIt, the facial recognition technology produced by Atick's Visionics.

Innoventry entered the check-cashing business knowing it was a lucrative market but one with huge potential for fraud, Atick explains. By adding FaceIt, Innoventry is able to prevent anywhere from 90% to 95% of aliases.

"The fraud rates with our check-cashing clients are down to half a percent because of the facial recognition biometrics," he claims.

Innoventry has over 1,200 kiosks and has processed almost 4 million transactions with over $1 billion in cash dispensed.

Atick says biometrics have taken the stigma from the whole check-cashing process. People using Innoventry kiosks simply stand before the machine and wait for the biometrics identification process to kick in. They even register at the machines. Not only does Innoventry's kiosks save these people money (check cashers can take up to 8% of a check) but they no longer need to stand in line answering humiliating questions.

Wells Fargo owns a stake in Innoventry, hoping to cash in on this lucrative market segment and to show it embraces the latest and greatest in technology, according to a Wells spokesperson. Ironically, biometrics are not present on any of Wells Fargo's ATMs.

It appears that public perception of biometrics is actually quite positive. Bank United customers gave a thumbs-up to its iris recognition-equipped ATMs, short-lived as they were.

In addition, Innoventry seems to be doing quite well in the "non-banked" marketplace, a group which tends to be somewhat mistrustful of technology.

Perhaps the problem, as Bank United's Arbona puts it, is a lack of standards. "Imagine trying to convert all the ATM networks across the country to biometrics," he says. "We need some kind of biometrics standard to do this successfully."

Ultimately, that means time and money.

"A bank won't want biometrics unless they have a positive effect on its bottom line," says Atick.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER