The Commonwealth Bank of Australia has used the launch of the fourth version of its popular mobile banking app to reveal it’s working with federal agencies to port government facial biometric holdings to bank customer verification checks required by Know Your Customer regulations.
But Pete Steel, the CBA’s chief digital officer, says that Australia’s biggest bank doesn’t want to be in the business of keeping people’s fingerprints or digital mugshots in bank data vaults, preferring instead to dial into existing authorised holdings when and where appropriate.
It's a big step, especially as banks have for years been salivating at the prospect of gaining authorised access to government-minted identity credentials because of the potential to slash compliance and fraud costs while accelerating legitimate transactions.
Publicly, CBA's push is all about making life more frictionless for consumers, but there is still big coin to be saved.
Identity security skunkworks
Steel repeatedly stressed the biometric customer verification foray is still at a research and development stage, but went on to say he anticipated a timeframe of around a year before something tangible would be bowled up, a relatively short runway compared to government development cycles.
In terms of specifics, CBA revealed one avenue it’s experimenting with is being able to get customer phones to read ePassport data stored on a secure chip – including biometric data – and then using facial recognition via the phone’s camera to cross-match a customer’s identity.
“We are using the phone and the capability that is in the chip to read from an ePassport and pick out the passport information, the face, which gives us a chance to then pop the image up in the screen and do a real time comparison with customers,” Steel said.
“That’s both for initial onboarding of customers [and] routine checks of customers we have every year.”
A problem for government
However, banks have been uniformly loath to wade into the privacy and legal quagmire that comes with storing highly sensitive biometric data. On Wednesday Steel hand-balled responsibility for biometric storage squarely back to the government.
“It will be used in conjunction with particularly government data sources where biometrics are already present in certain critical high value processes to identify customers so they are who they say they are,” Steel said, adding product was still months away.
“It will probably be some time in the year ahead we are looking to announce,” Steel said.
“When it comes to biometrics we are extremely unlikely to store anything significant on biometrics… we’ll be having moments in time when we check biometrics but we don’t want to be in the business of storing customer fingerprints and facial recognition.
“It’s more using endorsed government sources to make sure we can understand who customers are,” Steel added.
But the digital identity and biometrics issue is clearly a burning one for CBA, especially now that the federal election has been resolved and the prospect of digital identity being weaponised into a new Australia Card spectre by Labor mothballed for the time being.
Federated digital identity favoured
A major overhead for the CBA is that it has a comparatively high burden of identity proofing costs because as a former government bank it has inherited and maintains a large proportion of account holders on welfare, in regional and remote areas and from non-English speaking backgrounds.
The institution, along with rival Westpac, has for decades been jockeying for electronic and digital identity verification credentials that can interoperate across government and regulated industries bound by KYC requirements.
Westpac had floated the concept of an interoperable federated online identity verification portal dubbed the ‘Trust Centre’ as far back as the late 1990s, with the CBA later seeking to add a federated digital ID capability into the later-abandoned Project MaMBO.
Pushed on where the CBA is now at in terms of its position on digital identity, Steel was emphatic something needs to happen.
“It’s definitely a space we want to solve. We are open to working with the rest of industry and government on it,” Steel said.
“We are working across the payments and banking industries and other participants looking at models and what we can help with.
“I think it is something we need to solve, the banks have a unique role to play. Most security in financial services comes right off the identity.”
Asked where CBA stood on a federated digital identity offering, including offerings from Human Services and Australia Post, Steel indicated a federated model rather than a singular winner emerging was preferable.
“I think in the next 18 months you’ll see some more real progress. We want to make it as easy for all Australians to step into, rather than bank everything on one single provider,” Steel said.
Where you at?
On the location services front, the CBA also confirmed its new app will allow customers to opt in and turn on location tracking as a security feature to guard against fraudulent transactions.
The new feature allows the bank to ping customers’ phones when it sees a suspicious transaction and pause or halt it along with sending an alert to customers.
The shift towards using location tracking on the CBA’s app was revealed by iTnews after the bank updated a swag of terms and conditions relating to the app and various services earlier this month.
Again, Steel stressed any invasive elements of the technology had been offset with strict privacy safeguards.
“The location based security is coming with the new app. It’s definitely opt in, there are clear privacy policies and transparency from a customer point of view,” Steel said.
“It’s something the customer can choose to turn on to help us track their phones.”