Inter-company digital ID being tested as biometric compliance gets nearer
Large institutions are now looking to simplify KYC by using biometric facial recognition across multiple institutions. This could be expanded to regulators using it with brokers, leading to simplification of the entire compliance process when onboarding new clients.
Only a handful of entities in the electronic trading industry have gone down the route of investing in any form of biometric facial recognition technology for the purposes of aiding much more modern and efficient KYC and AML procedures when onboarding new customers.
This may be largely because it is not part of the remit for most brokerages, as regulatory authorities do not require it, and because many brokerages have already been through enough with the advent of MiFID II, which required almost ground-up overhauls of trading environments, execution methodologies and reporting procedures, only to find that two years later the authorities are looking at backtracking.
Whether developed in house or offered by a third-party Software as a Service (SaaS) provider, there has been no urgency to go down this route, with just one or two exceptions. Today, however, it certainly appears that the banking sector and various technology consultancies are looking to expand digital identity operability so that it works between companies, not just internally.
Fujitsu, JCB and Mizuho Bank are to jointly test a system that enables secure transactions involving sensitive user ID information between companies and industries.
For the trial, JCB and Mizuho Bank will exchange and link participant ID information, such as names, addresses, and employers, on a cloud platform built by Fujitsu, a consultancy that has a long history of working onsite with financial institutions and with whom I personally worked several times during the 1990s on server migration projects and app deployment architecture projects for the financial markets sector.
Approximately 100 Fujitsu Group employees in Japan will participate in the programme, which is scheduled to last for approximately four months, and the project will run on a self-sovereign and decentralised digital identity exchange technology, which utilises a blockchain solution from Fujitsu Laboratories.
Allowing this type of technology to operate on an inter-organization basis is a step forward. Internally, ATFX was one of the first retail FX firms to go down the route of developing biometric facial recognition for its own compliance purposes, back in January this year.
The move aimed to allow clients to open an account and conduct transactions anywhere, anytime, within 60 seconds and without having to visit an office, while creating new security standards in the digital era.
Clients of ATFX now only need to fill in the necessary information and import the ID picture. Afterwards, the Optical Character Recognition (OCR) system can automatically read and identify the information on the ID card and the geometry of clients’ faces, which significantly reduces time and errors compared with the traditional way. Also, it can reach a confidence level of 98%.
In order to achieve consistent results in multiple regions, ATFX’s international coverage required an automated KYC due diligence solution suitable for multiple-country use.
To achieve the necessary level of compliance and fight off increasing identity fraud, ATFX joined forces with Electronic IDentification, a software vendor which aims to disrupt the Digital Identification and e-Signature industry, thereby providing a single solution for all things compliance and user onboarding.
ATFX considers these matters to be of great benefit to the company, clients and the FX industry because they prevent unauthorized access by malicious persons, ensure the safety of clients’ assets, and avoid legal issues when complying with new and future regulatory rules.
A vital step in cybersecurity
FinanceFeeds has been an advocate of the move toward biotechnology for quite some time. Two years ago, we pointed out that as an equally effective paradox to watertight systems that only allow access to data or international mobility via completely unique attributes such as the iris within a human eye, criminal entities with intentions to defraud are also using high technology and ruses that appear plausible to the potential victim in order to empty bank accounts – and similarly electronic trading accounts – of retail customers worldwide.
The general public across many modern nations – which let’s face it – represents absolutely the target audience for many large retail FX companies of good standing – have demonstrated their faith in biometric security systems, as there has been no reported resistance by any individuals or groups when being asked to provide photographs to government agencies in order to be able to use facial recognition systems to verify identity for all manner of very important and security-dependent tasks.
Yet, when a physical letter is sent, retail customers are beginning to doubt its legitimacy.
This is perhaps due to a widespread understanding that unique facial features are absolutely unable to be counterfeited, as today’s members of modern society are no longer afraid of ‘harvesting of information’ by governments as was the case in the 1990s with those who are now retirement age, but fully understand the modern systems which operate both for the preservation of legitimacy and compliance, and also methods used for nefarious purposes.
MiFID II was implemented in January 2018, at which time many retail FX firms were in the process of digesting the somewhat ambiguous infrastructural rulings from the European Securities and Markets Authority (ESMA), which have thus far required exponential explanation to compliance personnel by specialist regulatory technology firms and trade repository executives across the world.
Within MiFID II’s stipulations on the reformatting of brokerage infrastructure, absolutely no advancement in cybersecurity for retail clients had been included, leaving the forward-thinking innovators within our industry at companies such as ATFX to pre-develop it and lead the way.
Since that time, other important regulatory authorities around the world have looked increasingly at biometric recognition technology, the most notable being Hong Kong’s SFC, which in November 2019 hinted at conducting inspections on firms under its auspices to evaluate compliance with cybersecurity requirements.
To mitigate hacking risks, the SFC mandated two-factor authentication (2FA) along with 19 other baseline requirements for all Internet brokers, including companies that offer leveraged foreign exchange trading. Since April 27, 2018, logging into online trading systems requires authentication utilising two of the following factors: what you know (such as your login password), what you have (such as an SMS one-time password received via your mobile) and who you are (such as your fingerprint). Other baseline requirements came into effect in July 2018, including prompt notification to clients upon system login and timely patch management.
During that particular report, Hong Kong’s SFC touched on biometric recognition, but has thus far limited it to fingerprints. Eventually, however, facial recognition is likely to be globally required, and it is much easier to administer for FX companies because most of the retail FX trading community uses laptops with webcams, whereas not many retail laptops are equipped with fingerprint recognition pads.
On this note, ATFX considers that financial technology is driving innovation in financial services globally and changing the trend of the FX industry and end-user expectations for trading services.
In 2018, Bloomberg deduced that given industry-wide implementation costs that are expected to exceed €2.5 billion as firms face reworking the KYC (know your client) process, repapering clients and reconfiguring systems, they should consider focusing on implementing in the most efficient way possible.
Bloomberg also opined at the time that while the regulation also gives firms an opportunity to enhance their services, gather more useful and accurate data and – most importantly – boost competitiveness, interpreting the KYC data and new client onboarding and reporting requirements in the right way will be critical to success.
Quite simply, this is absolute testimony to the outmoded nature of most mainstream financial services reporting and advisory firms (some of which are being paid subscriptions of over $30,000 per month for their consultancy services), and also highlights the ineptitude of those responsible for consulting with ESMA on behalf of national regulators.
This of course does not simply apply to European markets, as the prevention of fraudulent access to retail trading accounts is the responsibility of every broker and regulator globally. However, given the complexity and requirement to restructure the environment which operates FX firms in Europe, this has been overlooked.
Today’s smartphone cameras can easily be used to verify account access via facial recognition, as can computer webcams.
The recently released Symantec Internet Security Threat Report (ISTR) Financial Threats Review 2017 stated that 38% of all financial threat detections were against corporations, rather than customers. While these attacks are more difficult to execute, they yield a higher profit, which is why there were 1.2 million such attacks in 2016.
Attacks against financial institutions are on the rise, with the emergence of a select group of cyber criminals targeting financial institutions in a sophisticated manner.
Some research by FinanceFeeds conducted in the Middle East last year showed that incidents targeting banks have spread around the world, striking institutions in Ukraine, Poland, Bangladesh, Ecuador, the U.K. and India, to name a few, with losses totaling hundreds of millions of dollars. These widespread events indicate that financial criminals see these networks as prime targets for attack.
FinanceFeeds concurs with this, and also is of the understanding that several attacks of this nature are aimed at gaining access to customer accounts and passwords, providing the attacker with the full user credentials required to make successful withdrawals from trading accounts to their own bank accounts without any contact with the actual account holder.
The FX industry is so multi-faceted that the need for cybersecurity exists in many specific areas, such as the electronic payment processing sector, the safeguarding of client funds in online trading accounts and the actual access to trading accounts themselves in order that trades can be opened and closed.
Now that Mizuho is working with Fujitsu to deal with this between companies, it could be extended to operational functionality between companies and regulators, making a huge difference to the efficiency of onboarding new clients.