Investigating Fraud Statistics and the Case of Biometric KYC

Know-Your-Customer (KYC) policies have been more aggressively adopted by banks during the past years and especially since the onset of the COVID-19 pandemic. Among others, KYC refer to various processes related to digital identity registration, electronic document verification, proof of address, and, in recent years, biometric registration (primarily using fingerprint and face recognition), which have been introduced to combat transaction and identity fraud. The explosion of online sales during the market lockdown (especially during 2020 and early 2021) has caused a significant increase of Card-Not-Present (CNP) fraud.

In order to provide a succinct but data-driven examination, it is important to take a look at several statistics that are indicative of the level of fraudulent transactions. A few key statistics used for this examination include data from the US Federal Trade Commission, the US Department of Labor, the European Central Bank, and the European Payments Commission. In the US, the Federal Trade Commission (FTC) stated that it received 2.1 million fraud reports from consumers in 2020 with consumers losing more than US$3 billion to fraud in 2020, up from US$1.8 billion in 2019. Additionally, overall fraud in 2021 in the Consumer Sentinel Network Data Book 2021 is calculated at the staggering figure of US$5.9 billion. Additionally, the FTC mentioned that fraudulent government benefits and credit card fraud for new accounts accounted for approximately 32% and 29%, respectively, of all identity theft in the US during 2020, ranging between 400,000 and 365,000 reports each (for further information refer to the following full list of FTC’s Consumer Sentinel Network reports). Further, the U.S. Department of Labor (DOL) stated that approximately US$87 billion in fraudulent unemployment benefits was paid to individuals in 2021 due to the onset of the pandemic. These figures have been leveraged by proponents of biometric identification in the banking industry in the US to actively influence spending towards more user-friendly (but still potent) biometric applications within the next three years.

On the European sphere of influence, according to the European Central Bank (ECB) the total value of fraudulent card transactions amounted to £1.3 billion in the eurozone alone, out of which 80% of which was linked to online payments, 15% to ATMs, and 5% to physical PoS card payments. This segmentation is also observed in most countries albeit with notable exceptions in some cases (e.g., Asia-Pacific or the Middle East and Africa countries with elevated penetration rate of ATMs). More recently, in the 2021 report of the European Payments Council (EPC), the EPC advocated for the use of biometric authentication either on Point-of-Sale (PoS) devices or in smartphones where it can be used as a secure alternative or an additional security layer.

The need for higher levels of security due to transaction fraud is further fueling biometric KYC initiatives across banking and fintech with organizations steadily employing biometric authentication layers to both on-prem PoS and online transactions. However, implementers are also mobilizing towards adapting biometric authentication into other identity verification solutions like welfare and claiming unemployment benefits. Adding a biometric security layer on KYC would definitely provide a significant boost to registration and authentication security and greatly decrease transaction fraud.

The important variable to consider here is where or not the additional cost justified based on current market fraud statistics. Indeed, there is a very clear Return on Investment (ROI) and value proposition available by tackling fraud reduction using biometrics. Biometric and digital identity providers are currently delivering additional value in the form of customer experience and onboarding/authentication streamlining for organizations. Additionally, biometric KYC increases accuracy for automated authentication processes based on spoof-less (or at the very least a lot more secure) technologies. As mentioned above, extraordinary amounts of fraud generated each year on a global basis is more than enough to incentivize governments, banks, and finance institutions to enable biometric KYC.

One very important issue to consider is the issue of cost-efficiency, a point that was also made by the European Payments Council. Specifically, how can biometric service providers clearly demonstrate that biometric services can cut costs for payment and banking? The answer to this comes in the form of fraud mitigation which, ultimately, both limits transactional fraud and increases customer trust. Based on the eurozone statistics offered by the EPC, more than 80% of fraud does not occur in Point-of-Sale applications but rather in online payments, which suggests that any efforts to increase security will focus on the latter rather than the former.

This does not mean that PoS biometric devices will not have their place in the market in retail and banking but rather that PoS is not the prevailing threat vector overall in western societies and (based on current statistics) definitely not in the EU. However, this varies in the rest of the world and particularly in the Middle East, Africa, and Asia-Pacific where PoS authentication for banking, welfare, retail, and civil applications is becoming increasingly attractive for biometrics vendors.

Market players set to benefit from the increased adoption of biometric technologies in the banking market include leading digital payment providers like Idemia and Thales, offering digital infrastructure and platform management services, biometric and digital ID KYC organizations like iProov, OneSpan, Onfido, iDenfy, Trulio, Sumsub, getID, and AdvaceAI, offering biometric registration/onboarding and verification services for governments and banks, and biometric device manufacturers like Dermalog, HID Global, and Secugen.

Fraud will continue to run rampant unless additional security measures are implemented, notably biometric registration combined with traditional electronic document verification and other forms of ID. However, these measures should not come at the expense of data privacy for customers and citizens and any potential loss of Personal Identifiable Information (PII). Other than the perceived loss of any personal piece of information for customers, there is the very real danger of certain financial institutions laying the ground for extensive invasive data policies, which can cause extreme levels of discrimination based on a multitude of markers and complicate the banking data privacy legislation in its entirety (e.g., see The Gramm Leach Bliley Act).

While the General Data Protection Regulation (GDPR) is carefully and clearly defined as a legislative instrument in the EU (at least compared to the alternatives), the same cannot be said in other countries. Even in the US, many states have different laws pertaining to biometric data management, or even what constitutes biometric data altogether. For example, while the California Consumer Privacy Act (CCPA) is more frequently quoted as a better-defined piece of legislation, Colorado did not specifically define biometric information and its Privacy Act (CPA) has outlined biometric data to be part of the “Sensitive Data”, which also includes ethnic origin, religious beliefs, health diagnosis, or sexual orientation (expected to be set in effect in July 2023). The lack of strong data protection and privacy laws will undoubtedly equate to the lack of security measures down the line. Payment service providers need to provide guarantees that their platforms will protect their customers’ data and personal information.