How behavioural biometrics can help address the new Digital Payment Security Controls directions, 2021 guidelines
On 18th February 2021, the Reserve Bank of India (RBI) published detailed guidelines (viz. Digital Payment Security Controls directions, 2021) to strengthen India's burgeoning digital payments ecosystem. These new guidelines are to act as a framework for all regulated entities (REs) in the country, to follow best practices and help maintain an industry-wide security baseline for “an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.” The provisions apply to REs including scheduled commercial banks, small finance banks, payment banks and credit card issuing NBFCs.
The rollout of the guidelines comes at an ideal time. Today, 92 percent of the world’s currency is digital, meaning all the money we earn and spend on a daily basis lives somewhere in the cyber sphere. While the opportunity for businesses in a digital economy is vast, so are the risks. We have seen this with the explosive growth of digital payments in India, as UPI hit two billion transactions per month and banks and consumers found themselves a lucrative target for cybercriminals.
Having worked with financial institutions and payment providers across the globe, I believe these guidelines will go a long way in building trust with consumers to further accelerate digital payments adoption in the country, not to mention enhance the security posture of the payment industry as a whole.
Of particular interest were the sections on Fraud Risk Management and Mobile Payments Application Security Controls, where behavioural biometrics plays a big role in addressing the guidance. Some of these requirements are highlighted below:
- The authentication methodology to be deployed should take into account the “risk” of the user session and be triggered accordingly. A “one size fits all” approach should not be taken, which means that the Fraud Risk Management solution in use should be carefully chosen and set up so that only high-risk sessions are stepped up.
- Some of the parameters that should be monitored to flag suspicious transactions include, amongst others:
  - Transaction velocity
  - Detecting first-time / irregular users
  - Excessive activity on a new account (could be a mule account)
  - IP geolocation / geofencing
  - Behavioural biometrics (matching user behaviour profiled in earlier sessions)
  - Transacting with hot-listed accounts, etc.
- Staff should be trained on how to use fraud control tools, investigate the alerts they raise, set up appropriate rules and differentiate false positives.
- Under the Mobile Application Security Controls, the following controls/checks have been prescribed, amongst others:
  - Ability to detect Remote Access Tools (RATs) and prohibit login access to the mobile application.
  - Ability to detect and prevent access from jailbroken and rooted devices.
  - Consider implementing alternatives to SMS-based authentication.
  - Ability to detect access from new networks or unsecured networks.
  - Detecting malware or other suspicious applications on the mobile device.
Behavioural Biometrics: Going Beyond Digital Payment Security
So, what exactly is behavioural biometrics and how does it work?
Behavioural biometrics leverages machine learning to analyze patterns in human activity and detect whether someone really is who they claim to be when they interact online and whether the activity is driven by a human or part of an automated attack.
Behavioural biometrics works passively in the background of a user’s web or mobile session to monitor thousands of parameters such as the way a person holds the phone, the pressure they use when they type, and how they scroll or toggle between fields. Because each person’s interactions with a device are unique, behavioural biometrics can differentiate between the activities of a genuine user and the activities of an impostor.
Whether as a standalone solution or as part of a layered fraud management plan, behavioural biometrics is delivering extraordinary results and exposing the most advanced fraud attacks outlined by the RBI guidance, including Remote Access Tools and malware on mobile devices.
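To make the risk-based step-up and the monitoring parameters listed in the RBI section above concrete, together with the profile matching described in the previous paragraph, here is an added illustrative risk engine (example code, not BioCatch's product or any code from the original post): it scores a session over constructed signals (velocity, new-account activity, geolocation, hot-listed payee) and compares observed typing and scroll behaviour against an enrolled profile by z-score, stepping up only when the combined score crosses a threshold. All weights, thresholds, account ids and behavioural values are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class BehaviourProfile:
    """Enrolled from earlier genuine sessions: mean and std-dev of two behavioural signals."""
    key_interval_mean: float   # inter-keystroke interval, ms
    key_interval_sd: float
    scroll_speed_mean: float   # scroll speed, px/s
    scroll_speed_sd: float

@dataclass
class Session:
    account_age_days: int
    txns_last_hour: int
    country: str               # IP geolocation of this session
    home_country: str
    payee: str
    key_intervals: list        # inter-keystroke intervals observed this session (ms)
    scroll_speeds: list        # scroll speeds observed this session (px/s)

def behaviour_deviation(profile, intervals, speeds):
    """Mean absolute z-score of the session's behaviour against the enrolled profile."""
    z_key = abs(mean(intervals) - profile.key_interval_mean) / profile.key_interval_sd
    z_scroll = abs(mean(speeds) - profile.scroll_speed_mean) / profile.scroll_speed_sd
    return (z_key + z_scroll) / 2

def risk_score(s, profile):
    """Additive score over the signals the RBI list names; weights are illustrative."""
    hits = []
    if s.txns_last_hour > 5:
        hits.append(("velocity", 20))
    if s.account_age_days < 7 and s.txns_last_hour > 2:
        hits.append(("new-account activity", 20))
    if s.country != s.home_country:
        hits.append(("geolocation mismatch", 15))
    if s.payee in HOT_LISTED:
        hits.append(("hot-listed payee", 40))
    if behaviour_deviation(profile, s.key_intervals, s.scroll_speeds) > 2.0:
        hits.append(("behaviour mismatch", 30))
    return sum(w for _, w in hits), [name for name, _ in hits]

def decide(score):
    # Risk-based authentication: only high-risk sessions are stepped up or blocked.
    return "block" if score >= 60 else "step-up" if score >= 30 else "allow"

HOT_LISTED = {"ACC-MULE-0001"}                                    # constructed placeholder hot-list
PROFILE = BehaviourProfile(180.0, 25.0, 900.0, 150.0)             # constructed sample data
GENUINE = Session(400, 1, "IN", "IN", "ACC-SHOP-0042", [175, 190, 185, 170], [880, 920, 900])
STEP_UP = Session(400, 6, "AE", "IN", "ACC-SHOP-0042", [175, 190, 185, 170], [880, 920, 900])
SUSPICIOUS = Session(2, 4, "RO", "IN", "ACC-MULE-0001", [60, 70, 65, 55], [2400, 2600, 2500])
```

The genuine session scores 0 and passes silently, the session with unusual velocity from a new country is stepped up, and the new account paying a hot-listed payee with a behaviour profile far from the enrolled one is blocked.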
As banks in India work to address the newly released RBI guidance, BioCatch believes it is also important to consider long-term business requirements, specifically the need to balance protecting the bottom line against the demands by customers for a frictionless digital experience. I recommend reading the recent Gartner report, How to Create a Payment Fraud Strategy at the Organizational Level, which delves into the requirements of building cross-functional alignment on digital payment security and how tools, such as behavioural biometrics, are pivotal to improve customer experience and profitability. I think banks will find it a valuable resource as they move forward on their journey towards compliance with the new digital payment security rules.
This post was originally published by Vikram Gidwani of BioCatch on LinkedIn.