Digital fraud is proliferating around the globe. Cybercriminals continue to devise new ways to mislead users into relinquishing personal and security details. Their methods range from advanced social engineering to installing malicious software on victims’ devices. Fortunately, these fraudsters can be thwarted using technology such as behavioral biometrics, which monitors and analyzes data generated during online activity to characterize a specific person both as a human being and as the validated, legitimate user.

The use of behavioral biometrics raises new questions, however, regarding the specific personal data that is collected and how it is processed and protected. When deploying behavioral biometrics, banks and financial services providers need to understand what legislation and regulations are in place related to security and privacy protection and how to comply with them.

How behavioral biometrics works

In the context of online and mobile banking, behavioral biometrics solutions enable a person to be reliably identified by their habits and the environments where they typically transact. It goes beyond physical biometric data such as height, weight, fingerprints and iris scans to include biometric data about behaviors that are common in the digital world.

In the same way that humans read others’ intent in the physical world by observing their behavior, behavioral biometrics processes user behavior data to validate people’s identities and understand their intent. This data comes from user activities such as logging in to applications, navigating to a specific page, and other actions that show users are human beings, including how they type, use a mouse, and touch or swipe a display. The information represents what is called the behavioral biometry, or “inherence factor,” consisting of those elements that are integral to user authentication.

With a reasonable amount of data and proper processing, behavioral biometry can uniquely characterize a user while minimizing falsely rejected users and transactions, which in turn mitigates risk more precisely. It does this without the additional devices that biometric authentication technologies such as fingerprinting, retinal scanning or voice recognition would otherwise require to create and compare individual profiles.

Data privacy regulations affecting banks

Europe has led the way in regulatory initiatives with its General Data Protection Regulation (GDPR), inspiring other data regulations worldwide, including in the United States.

The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.”

According to the GDPR:

  • All biometric data is personal data.
  • Biometric data allows or confirms the identification of an individual.
  • Biometric data falls into a special category of data when it is processed “for the purpose of uniquely identifying a natural person.”

Two other GDPR requirements are important for bank security leaders to understand: biometric data processing rules and the need for explicit consent. The GDPR prohibits the “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Collection of biometric data is allowed in specific situations under strict, general processing rules. Exemptions are allowed within a restrictive framework per Article 9.

The GDPR also emphasizes the need for explicit consent to process user personal data. A bank or other financial services provider must develop a clear and concise procedure for informing customers that their biometric data is being collected, how it is stored and used, and how they can withdraw consent.

U.S. developments in data protection

While there is currently no general federal U.S. regulation of personal data processing similar to the GDPR, the issue resurfaced with the re-introduction of the proposed Data Protection Act in the U.S. Senate in 2021. Regulation therefore currently depends on state-level legislation. Only a handful of U.S. states have legal regulations covering commercial biometric data use, including California, New York, Texas and Washington.

California’s GDPR-inspired Consumer Privacy Act (CCPA) of 2018 treats the processing of biometric information used to uniquely identify a customer the same way it treats any other sensitive personal information. It is permitted, with certain limitations, as long as it stays within the boundaries of processing for “business purposes.” These purposes include “helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.”

GDPR relationship with PSD2

The GDPR must be considered in conjunction with the second Payment Services Directive (PSD2), and especially the Strong Customer Authentication (SCA) requirement of its Regulatory Technical Standards (RTS).

PSD2 focuses on protecting consumer transactions over the Internet. It provides rules for payment security and customer authentication. For payment security, the directive requires financial services organizations to assess their operational and security risk posture and prove that they have adequate security protections in place.

PSD2 also addresses authentication mechanisms to match the risk context of the payment transaction. When a payer initiates an electronic payment transaction, the payment service provider must apply SCA, which helps to validate the authenticity of the identity involved in the transaction.

SCA uses two or more authentication elements:

  • Something the user knows: a password or PIN
  • Something the user has: a card, a one-time password (OTP) hardware token or a mobile phone
  • Something the user is: a fingerprint, voice, eye-print or behavioral biometrics

The GDPR refers to other legislation, such as PSD2, for specification of the public interest, while the PSD2 requires processing in compliance with data processing legislation such as the GDPR. This type of security protects the customer as well as the public.

Best practices for deploying behavioral biometrics

Behavioral biometrics is used in today’s risk management and fraud prevention strategies to help ensure secure and safe online experiences, where legitimate users are easily validated and unauthorized users are kept out.

These solutions must build a fully trusted behavioral profile of the user. To maintain a positive user experience, all data must be gathered by collection points that operate in the background of the active application. Keystroke dynamics, such as how long an individual key is held down, are among the many factors used to determine a user’s identity. Performing a linear discriminant analysis on these keystroke dynamics enriches the user’s profile, making behavioral biometrics an even more effective inherence authentication factor.

Behavioral biometrics also includes analyzing each user’s cursor movements on all protected pages within the protected application. Not only are movement, direction and speed evaluated, but also characteristics like curvature angle and distance. This makes it possible to identify ongoing attacks that use scripted access to break into the application.
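As an added example (not code from the article or from any vendor’s product), the two techniques described in the last two paragraphs in Python: dwell-time profiling from key down/up events, and cursor-path features (straightness, turning-angle variance, speed variance) used to flag movement that is scripted rather than hand-driven. The event formats, thresholds and sample data are assumptions; in place of the linear discriminant analysis the article mentions, the keystroke profile uses a simpler per-key z-score.

```python
import math
from statistics import mean, pstdev

def dwell_times(events):
    """events: (key, 'down'|'up', t_ms) tuples -> {key: [hold_ms, ...]}."""
    pressed, hold = {}, {}
    for key, kind, t in events:
        if kind == "down":
            pressed[key] = t
        elif key in pressed:  # ignore an 'up' with no matching 'down'
            hold.setdefault(key, []).append(t - pressed.pop(key))
    return hold
def build_profile(sessions):
    """Per-key (mean, std) of dwell time over several enrolment sessions."""
    merged = {}
    for s in sessions:
        for k, v in dwell_times(s).items():
            merged.setdefault(k, []).extend(v)
    return {k: (mean(v), pstdev(v) or 1.0) for k, v in merged.items()}
def keystroke_score(profile, events):
    """Mean |z| of a session's dwell times against the profile (lower = closer)."""
    zs = [abs(h - profile[k][0]) / profile[k][1]
          for k, hs in dwell_times(events).items() if k in profile for h in hs]
    return mean(zs) if zs else float("inf")

def cursor_features(path):
    """path: (x, y, t_ms) samples -> (straightness, turn-angle std, speed CV)."""
    if len(path) < 2:
        return 0.0, 0.0, 0.0
    segs = [(math.hypot(x1 - x0, y1 - y0), math.atan2(y1 - y0, x1 - x0), max(t1 - t0, 1))
            for (x0, y0, t0), (x1, y1, t1) in zip(path, path[1:])]
    total = sum(l for l, _, _ in segs)
    speeds = [l / dt for l, _, dt in segs]
    turns = [abs(b[1] - a[1]) for a, b in zip(segs, segs[1:])]
    chord = math.hypot(path[-1][0] - path[0][0], path[-1][1] - path[0][1])
    return (chord / total if total else 0.0, pstdev(turns) if turns else 0.0,
            pstdev(speeds) / mean(speeds) if mean(speeds) else 0.0)

def looks_scripted(path):
    """True for a dead-straight path at constant speed: automated input, not a hand."""
    straightness, turn_std, speed_cv = cursor_features(path)
    return straightness > 0.999 and turn_std < 1e-6 and speed_cv < 0.01

# Constructed sample data: enrolment sessions, two probes, two cursor paths (ms).
ENROL = [[("a", "down", 0), ("a", "up", 90), ("b", "down", 200), ("b", "up", 310)],
         [("a", "down", 0), ("a", "up", 100), ("b", "down", 220), ("b", "up", 320)]]
PROBE_SAME = [("a", "down", 0), ("a", "up", 95), ("b", "down", 250), ("b", "up", 355)]
PROBE_OTHER = [("a", "down", 0), ("a", "up", 40), ("b", "down", 100), ("b", "up", 160)]
HUMAN_PATH = [(0, 0, 0), (12, 3, 16), (30, 9, 35), (55, 12, 50), (80, 10, 71), (100, 11, 90)]
SCRIPT_PATH = [(0, 0, 0), (20, 20, 10), (40, 40, 20), (60, 60, 30), (80, 80, 40), (100, 100, 50)]
```

A production sensor would score many more features and over far more sessions; a high keystroke score or a scripted-looking path would feed a risk engine, not block the user on its own.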

Through these and other behavioral biometrics techniques, risk management solutions update and improve a user-specific behavioral profile in real time for seamless identification with a high fraud prevention rate and the lowest possible false positives. This approach is also recognized by the European Banking Authority (EBA), which has said that “information, related to physical properties of body parts, physiological characteristics, and behavioral processes (and the combination of these) created by a human body, can be used as an inherence authentication factor.”

Behavioral biometrics can make continuous re-authentication invisible and deliver a better experience for users who do not want to re-enter passwords or use other means of identification while interacting with the same application unless necessary.