Rawpixel.com - stock.adobe.com
NatWest develops behavioural biometrics as additional authentication
Bank is working with Visa to develop behavioural biometrics technology as an extra layer of invisible authentication
NatWest Bank is preparing to comply with the European Union (EU)’s payments security through the development of behavioural biometrics technology.
The technology recognises patterns related to how people interact with devices and because it works in the background, does not require the customer to take extra steps.
The development, in partnership with Visa, is part of NatWest’s work to comply with the EU’s Strong Customer Authentication (SCA) regulation, which comes into force next year has forced banks to offer additional methods of customer authentication.
The rules, which are part of the EU’s Payment Services Directive 2 (PSD2), mean that any online payments worth more than €30 will require two methods of authentication from the person making the payment. These include a password, biometric authentication such as a fingerprint, or having a phone that can identify them.
Payment processing companies have until 14 September 2021 to comply with the regulations, after the Financial Conduct Authority extended the deadline, which was originally September 2019.
NatWest is working with Visa on behavioural biometrics technology that could replace passwords. The technology monitors the unique behaviour of people interacting with computing devices when buying online. It recognises the way they do something, such as the weight or length of key press.
Warwick Ashford, analyst at Kuppinger Cole, said: “It is about analysing the way someone interacts with a device and recording a pattern. It is about using pattern recognition to see if the activity fits that of the normal user.
“If the patterns don’t match, the customer could be asked for another form of authentication. It speaks to the defence-in-depth philosophy, where the more layers you have, the more chance you will have to catch anything anomalous.”
Read more about strong customer authentication
- Financial Conduct Authority gives companies under its watch an extra 18 months to meet an EU payments security standard.
- The original deadline for PSD2 compliance quietly passed by at the weekend, but it will be another 18 months before UK businesses meet the regulation’s rules on customer authentication.
- The announcement that the FCA was given permission to give extensions to companies implementing Strong Customer Authentication was a gentle reminder that a major deadline was close.
Ashford added that it is important for digital services to be as frictionless as possible, yet highly secure. “This is a way of reducing end-user friction by not asking them to do anything, while providing a level of assurance that it is the person you think it is,” he said.
Georgina Bulkeley, director of strategy and innovation at NatWest, said: “We continue to explore biometrics and how they can be used to make payments easier and simpler for our customers. The success of a pilot of this new technology demonstrates our ongoing commitment to developing innovative ways of enhancing customer experience while prioritising security.”
Jeni Mundy, managing director, UK & Ireland at Visa, said the payments company is already using behavioural biometrics. “It has already been deployed successfully for the purpose of fraud prevention, and now, following work between regulators and industry partners including Visa, has been approved as a second layer of security to be used alongside one-time passcodes in the context of SCA,” she said.
Visa is to offer commercially available behavioural biometric technology to its clients via its Visa Consumer Authentication Service.