Why India Is Racing Ahead with Know Your Customer Biometrics

Most fraud and financial credit checking systems today are rules-based systems that profile the usage of individuals. But more advanced systems are arriving that take fraud detection to much greater levels of analytic power. A key pioneer of those systems is Bangalore-based FRS Labs. For example, working in partnership with the Vodafone Group, FRS Labs has built machine-learning systems that not only set their own rules, but also analyze social networks of people to identify suspicious fraud patterns that would not be noticed by focusing on individuals alone.

Back in 2015 when I first interviewed Shankar Palaniandy, CEO at FRS Labs, he walked me through a whirlwind of tech programs his team was working on — everything from voice biometrics and IRSF black lists… to mobile-phone credit screening and the real-time analysis of the names, addresses and telephone numbers during customer onboarding.

Two years later, FRS Labs’ has sharpened its focus on what looks to be ground-breaking cross-industry ID verification software. In our discussion, Shankar explains the evolution of India’s successful national ID database, the global Know Your Customer trend, and the face recognition software that FRS Labs is now developing and testing at many Indian banks.

Dan Baker: Shankar, two years ago, most of your development work was on behalf of telecom, but now you’re shifting the focus to banking. Why the change?

Shankar Palaniandy: Dan, identity problems are not specific to telecoms. In India, for example, innovation in ID verification is being driven by a new Indian government database — and it’s designed to be a cross-industry platform with a set of open APIs that benefits everyone.

Now as important as identity issues are to the telecom industry, it’s just not considered a priority. But for banks, identity issues are front and center. Banks feel enormous pressure today to go all-digital and move to a cashless economy. This is not just an Indian thing: it’s a global trend in banking. And if banks don’t move fast enough they know quarter by quarter their customers will decline as other banks develop superior customer onboarding technology.

When we spoke last time, FRS Labs had created a voice biometrics application and developed a face biometrics capability to go along with it. Luckily, here in India, the government took action to develop the Unique Identification Authority of India (UIDAI), a country-wide program that took off at the beginning of 2010. And banks were looking for was a way to authenticate someone’s face against a face already registered in the UIDAI database.

Well, this was wonderful because it allowed us to apply our telecom biometric research to the banking industry. So now we face the happy problem of testing our application with about thirty banks here in India.

Each of these banks is at its own stage. The early ones are just developing their plan. Others are already in the pre-production phase. So this is very exciting for us, though some days it feels like we’re running around like a bunch of headless chickens.

Great. Time to strike while the iron is hot. Please tell us more about this Unique Identity program (UIDAI) of the Indian government.

The UIDAI calls for the Indian government to capture every citizen’s biometric details and store them in a national database that acts as an identity. Even as the government says using the UIDAI is not mandatory, service providers in so many industries are asking for data access, so the UIDAI is already a key standard.

Over the past 5 to 6 years, government enrollment in the UIDAI has been enormously successful. India has 1.2 billion people, and already about 90% of the population’s biometric identity details (fingerprints, iris and face) are stored in the database. By comparison they say it took Facebook and Google much longer to reach one billion people.

Actually there are three documents the regulator wants to avail a service (e.g. a savings account):

  1. a valid Proof of ID (either a driver’s licence, passport, or voter ID);
  2. proof of address; and
  3. a photograph.

Now the UIDAI works similar to the Social Security number in the USA, except that it’s a closed system where your biometrics data is safely held by the government. In that way you don’t really have to provide paper documents: you simply provide your unique ID number and the service provider does either a finger print or iris check to verify that you are who you say you are. Then, once your identity is verified, the service provider (bank, telco, merchant) requesting the service gets notified electronically.

Now as originally conceived, this unique ID program is a bit cumbersome because you actually need to physically go to a bank or other merchant to do the biometric test. But last December, the Indian government allowed the use of one-time passwords. So by typing a request into your mobile phone, you will receive (in 3 seconds) a one-time password from the UIDAI and by typing that password (or PIN) the service provider can then pull down your customer details directly off the central database.

So with the mobile phone as the link, you can see how cross-industry ID verification is likely to gain traction.

It’s true. This is all part of a powerful global trend called KYC or Know Your Customer. Whether you are buying a mobile SIM, opening a savings account at a bank, or buying an insurance plan, you must know your customer — verify their identity. It’s mandatory.

In India, this is a government regulation and part of the Financial Action Task Force (FATF) and various local regulatory bodies. But KYC has also become a global standard that companies and governments are following. The mission is to protect consumers, banks, and the economy from money laundering, theft, and financial crime. So there’s a great deal of synergy here as banking transactions happen across mobile devices.

Now in India, the national database has already had a beneficial effect. Up until two years ago, only 40% of the Indian population was participating in the formal banking system. Now, banks are gaining customers: 200 million customers were added in just a couple of years into the formal banking system.

So what’s the next step? Where do you see opportunity in exploiting the national database for banks and telcos?

The problem today is it can still be inconvenient to visit your local bank branch or a mobile store. The UIDAI program simplified the process a lot, but your bank branch may be 2 or 3 kilometers away and parking, availability and waiting times become an issue.

And even though the one-time password sent to my mobile phone is powerful, what’s missing is the human element. Unless the person is physically present, there’s no way to know that the person someone claims to be is actually doing the transaction. It’s an incomplete solution.

So the solution we are developing combines the ID and mobile number, but also adds a face biometric capability. And when you do that, the person no longer has to visit the bank, insurance company office, etc. to get verified. The person can be anywhere. They simply open up a mobile app and they can open a bank account with Citibank, let’s say, in 10 to 15 seconds. That’s it.

Now as you can imagine, this opens up the whole world of direct marketing to banks. The bank can advertise a great interest rate or promote a new credit card. And people can sign up instantly for whatever service it is. So we complement the simplicity of obtaining customer details onto a digital application with robust application fraud checking in the backend to protect businesses in real time.

Wow, the commercial payoff of identifying customers via remote biometrics sounds huge. What’s your approach?

Dan, what we do is ask the mobile phone user to take a selfie. That selfie is then compared against the photo which is already enrolled in the government’s central database.

We feel once such biometric applications take off, user names and passwords will no longer be required. Your face alone will provide a highly accurate ID. Or you could combine the face along with a one-time password (for more risky transactions) so users never have to remember a thing to use banking services — and still protect themselves from cyber fraud.

Storing facial images in a bank or telco database: won’t that be a breach of privacy laws?

In India, the regulators don’t allow storing personal images unless you are a regulated entity and the details obtained are with your consent and used for purposes you have consented to. With that in mind, our biometric server stores no images at all. What we do instead is extract data on the relative positions of facial features. That’s alone is sufficient to get an accurate ID: storing an image is not needed.

We extract the features into a matrix — a series of numbers. And yet, seeing those numbers tells you nothing. You would still need access to our secure app to construct a face from them.

Now I don’t want to mislead people into thinking biometrics is a done deal. Actually, a number of tough problems need to be solved. For instance, people will take a selfie at different angles: sometimes the face is too far away; other times it is too close. And if there is no match or the face doesn’t get detected, then convenience becomes an issue for consumers.

To solve these problems, our app instructs the person on how to capture a valid KYC-compliant selfie. It usually takes a couple tries for someone to get the hang of holding the camera at the right position. And then, hopefully, it becomes second nature.

Lighting conditions are another issue. If the lighting is too dark, you can’t analyze the image. The same goes if the image is too bright: the facial features get blurred. Advances in cameras and resolutions will go a long way to solve these issues.

So once the person takes a proper selfie, our app verifies the picture in about two seconds. And even in a very poor connectivity environment, it takes a max of ten seconds to return an ID check. We are constantly trying out ways to work even in poor connectivity and sometimes no connectivity at all. I suppose we can only get better as we learn the problems we are trying to tackle.

That’s very good performance. But can’t a fraudster fool the system, say, by putting a printed picture in front of the camera?

Well, there are several anti-spoofing measures we’ve built into the solution already. For example, we ask the user to blink in front of the camera. And if the user doesn’t blink, the authentication fails. We’re also working on another algorithm to detect video replays and fake photographs by training our models on such spoofing attacks.

So yes, much work needs to be done to close loopholes a fraudster could exploit. But our accuracy is 98.5% already — and we just got started.

Better accuracy will surely come as we tune our algorithms and have our mobile app interact and learn to recognize the faces of millions of users. And to that end, we are running a pilot program with several banks in India. And they are independently, through third parties, verifying the performance of our app.

All these KYC developments are extraordinary. And you can easily see how all this activity in the banking industry will ripple over to telecom.

Absolutely, technology disruption is moving very fast, but the legacy systems are out there. And telecoms resist change because they are too afraid of the ID headaches and project overhead to do something new. And being wired to think that way, they decide to stick with the status quo.

Bottom line: telecoms have to change. But the good news is the tools telecoms will need are now being developed for banking. Customer onboarding is a cross-industry universal problem and I feel powerful solutions will arrive soon.

This article was originally published by Black Swan and has been reproduced with their permission.

Dan Baker
Dan Baker
Dan is a founder of the Technology Research Institute (TRI), which has published studies about the telecom software market since 1994.

As a journalist, Dan wrote for B/OSS magazine and recorded webinars with VanillaPlus before launching his own publication, Black Swan Telecom Journal.