
Banking & behavioral biometrics: Understanding privacy & security regulations

By Adrian Castillo

October 21, 2022

Digital fraud is proliferating around the globe. Cybercriminals continue to devise new ways to mislead users into relinquishing personal and security details. Their methods range from advanced social engineering to installing malicious software on victims’ devices. Fortunately, these fraudsters can be thwarted with technology such as behavioral biometrics, which monitors and analyzes data generated during a person's online activity to confirm that the session belongs to a human being who has been validated as the legitimate user.

The use of behavioral biometrics raises new questions, however, regarding the specific personal data that is collected and how it is processed and protected. When deploying behavioral biometrics, banks and financial services providers need to understand what legislation and regulations are in place related to security and privacy protection and how to comply with them.

How behavioral biometrics works

In the context of online and mobile banking, behavioral biometrics solutions enable a person to be reliably identified by their habits and the environments where they typically transact. It goes beyond physical biometric data such as height, weight, fingerprints and iris scans to include biometric data about behaviors that are common in the digital world.

In the same way humans pick up others’ intent in the physical world by observing their behavior, behavioral biometrics can process user behavior data to validate people’s identities and understand their intent. This data comes from user activities such as logging in to applications, navigating to a specific page, and other actions that show the user is a human being, including how they type, use a mouse, and touch or swipe a display. The information represents what is called the behavioral biometry, or “inherence factor,” consisting of those elements that are integral to user authentication.

With a reasonable amount of data and proper processing, behavioral biometry can be used to uniquely characterize a user while minimizing falsely rejected users and transactions and, more precisely, mitigating risk. This can be done without additional devices to create and compare individual profiles, as would otherwise be required with biometric authentication technologies like fingerprinting, retinal scan, or voice recognition.

Data privacy regulations affecting banks

Europe has led the way in regulatory initiatives with its General Data Protection Regulation (GDPR), inspiring other data regulations worldwide, including the United States. 

The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.”

According to the GDPR:

  • All biometric data is personal data.
  • Biometric data allows or confirms the identification of an individual.
  • Biometric data falls into a special category of data when it is processed “for the purpose of uniquely identifying a natural person.”

Two other GDPR requirements are important for bank security leaders to understand: biometric data processing rules and the need for explicit consent. The GDPR prohibits the "processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Collection of biometric data is allowed in specific situations under strict, general processing rules. Exemptions are allowed within a restrictive framework per Article 9.

The GDPR also emphasizes the need for explicit consent to process user personal data. A bank or other financial services provider must develop a clear and concise procedure for informing customers that their biometric data is being collected, how it is stored and used, and how they can withdraw consent.

U.S. developments in data protection

While there is currently no general, federal-level U.S. regulation of personal data processing similar to the GDPR, the issue resurfaced with the re-introduced proposal of the Data Protection Act in 2021 in the U.S. Senate. Regulation now depends on state-level legislation. Only a handful of U.S. states currently have legal regulations covering commercial biometric data use, including California, New York, Texas and Washington.

California’s GDPR-inspired Consumer Privacy Act (CCPA) of 2018 looks at the processing of biometric information used to uniquely identify a customer the same way it looks at any other sensitive personal information. It is permitted, with certain limitations, as long as it is within the boundaries of processing for “business purposes.” These purposes include “helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.”

GDPR relationship with PSD2

The GDPR must be considered in conjunction with the second Payment Services Directive (PSD2), and especially its Strong Customer Authentication (SCA) Regulatory Technical Standards (RTS) requirement.

PSD2 focuses on protecting consumer transactions over the Internet. It provides rules for payment security and customer authentication. For payment security, the directive requires financial services organizations to assess their operational and security risk posture and prove that they have adequate security protections in place.

PSD2 also addresses authentication mechanisms to match the risk context of the payment transaction. When a payer initiates an electronic payment transaction, the payment service provider must apply SCA, which helps to validate the authenticity of the identity involved in the transaction.

SCA uses two or more authentication elements:

  • Something the user knows: a password or PIN
  • Something the user has: a card, a One-Time-Password (OTP) hardware token or mobile phone
  • Something the user is: a fingerprint, voice, eye-print or behavioral biometrics

The GDPR refers to other legislation, such as PSD2, for specification of the public interest, while the PSD2 requires processing in compliance with data processing legislation such as the GDPR. This type of security protects the customer as well as the public.

Best practices for deploying behavioral biometrics

Behavioral biometrics is used in today’s risk management and fraud prevention strategies to help ensure secure and safe online experiences in which legitimate users are easily validated and unauthorized users are kept out.

These solutions must create a completely trusted user behavioral profile. To maintain a positive user experience, all data must be collected via collection points operating in the background of the active application. The keystroke dynamics, such as how long an individual key is pressed, are among the many factors used to determine the identity of a user. Performing a linear discriminant analysis of these keystroke dynamics enriches a user’s profile, making behavioral biometrics an even more effective inherence authentication factor.

Behavioral biometrics also includes analyzing each user’s cursor movements on all protected pages within the protected application. Not only are movement, direction and speed evaluated, but also characteristics like curvature angle and distance. This makes it possible to identify ongoing attacks that use scripted access to break into the application.

Through these and other behavioral biometrics techniques, risk management solutions update and improve a user-specific behavioral profile in real-time for seamless identification with a high fraud prevention rate and the lowest possible false positives. This approach is also recognized by the European Banking Authority (EBA), which has said that “information, related to physical properties of body parts, physiological characteristics, and behavioral processes (and the combination of these) created by a human body, can be used as an inherence authentication factor.”
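As an added illustration of the keystroke-dynamics and cursor-path checks described above (this is not HID's or the article's code; the event data is constructed, and a simple z-score comparison stands in for the discriminant analysis the article mentions), the following Python builds a user profile from enrolment sessions, scores a new session against it, and flags a cursor path that is too straight to be human:

```python
"""Toy behavioral-biometrics checks (added example; constructed data).
Dwell time = how long a key is held; flight time = gap between one key-up
and the next key-down. A cursor path whose length barely exceeds the
straight-line distance between its endpoints is typical of scripted input."""
import math
from statistics import mean, pstdev

# Constructed enrolment sessions: (key, key_down_ms, key_up_ms) in typing order.
ENROLL_SESSIONS = [
    [("p", 0, 95), ("a", 160, 250), ("s", 310, 400), ("s", 470, 560)],
    [("p", 0, 100), ("a", 170, 255), ("s", 320, 410), ("s", 480, 565)],
    [("p", 0, 90), ("a", 150, 245), ("s", 300, 395), ("s", 460, 555)],
]


def keystroke_features(events):
    """Mean dwell and mean flight time (ms) for one typing session."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell": mean(dwell), "flight": mean(flight)}


def build_profile(sessions):
    """Per-feature (mean, std) across enrolment sessions; std floors at 1.0."""
    feats = [keystroke_features(s) for s in sessions]
    return {k: (mean(f[k] for f in feats), pstdev(f[k] for f in feats) or 1.0)
            for k in feats[0]}


def keystroke_score(profile, events):
    """Mean absolute z-score of a session against the profile; lower = closer match.
    A real deployment would use many more features and a trained classifier."""
    f = keystroke_features(events)
    return mean(abs(f[k] - mu) / sd for k, (mu, sd) in profile.items())


def cursor_straightness(points):
    """Path length divided by endpoint distance: human motion curves (>1),
    a scripted jump along a line gives exactly 1.0."""
    path = sum(math.dist(points[i], points[i + 1]) for i in range(len(points) - 1))
    direct = math.dist(points[0], points[-1])
    return path / direct if direct else float("inf")


def is_scripted_cursor(points, min_ratio=1.02):
    """Flag a trajectory as scripted when it is straighter than min_ratio."""
    return cursor_straightness(points) < min_ratio
```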

Behavioral biometrics can make continuous re-authentication invisible and deliver a better experience for users who do not want to re-enter passwords or use other means of identification while interacting with the same application unless necessary.

KEYWORDS: bank cybersecurity biometric authentication biometrics data privacy fraud prevention GDPR user authentication


Adrian Castillo is a Pre-Sales Engineer at HID Global and brings over twenty years of experience in the fields of public key infrastructure, identity management and authentication protocols for enterprise and cloud. He has been involved with infrastructure and application integration ranging from native to Web to mobile. Over the years he has had roles in professional services, product management and engineering where he managed various innovation projects to bring additional value to our customers. Castillo is part of the HID team working with the FIDO Alliance to improve security online by reducing the world’s reliance on passwords.
