"You can change your password. You can't change your face." - Naphongthawat Phothikit, director of the financial technology department at Bank of Thailand.
Banks in Thailand are all set to go live with biometric solutions for digital identity by the end of this year. Biometric solutions will allow connecting with customers using facial recognition and will be able to share the data at some point in time. Ten banks in the country are involved in the project to bring this vision to life and are currently working in the central bank's regulatory sandbox.
This is correlated to a new government initiative which is to give every Thai citizen electronic identity card, also called National Digital Identity (NDID), with electronic chips to store basic information, including a photograph.
The first phase of the biometrics solutions will be deployed soon and will have banks using facial-recognition technology to bring in new customers. When new customers request to open an account through a mobile, banks will guide them to take a selfie and then compare the selfie to the photograph on their NDID.
Some banks in Thailand are testing the waters with electronic Know Your Customer (KYC) rules where they use mobile apps that can read contactless data off Thai passports. They clarify the importance of using a trusted source like a citizen's identity card or the passport when they need to compare against a selfie which is being used to apply for opening a bank account.
However, banks have so far been restricted by the regulator from allowing people to use their NDID card by itself for the fear of fraudsters altering the photos. But allowing them to be compared with a selfie gives a higher level of confidence. It is also understood that using biometrics is not a fool proof method to guard against people faking or stealing identities, because the artificial intelligence behind face recognition still cannot differentiate between twins for that matter. Nevertheless, it still scores over the current manual process which is not at all efficient in catching counterfeits.
Some banks have been using Bank of Thailand's sandbox since late last year, to start applying biometric KYC to new customers applying at branches and through mobile. This has been used by the central bank to learn the technology and its uses, while also setting standards of security, accuracy, and robustness for its IT department to always support transactions.
The central bank is keeping an eye on how banks communicate with their customers, particularly when their facial-recognition software identifies possible fraud. It is up to the bank to judge why a customer may refuse to provide a selfie. Sometimes it might expose a likely fraud or else it could simply be a person's unwillingness to click a selfie while not looking his or her best.
Most importantly, the Bank of Thailand is closely watching how banks handle data security and privacy. For all the operational efficiency potential and better user experience biometric KYC offers, there is a lot to lose if there is a violation.
The Bank of Thailand is taking all precautions by using its own IT teams to conduct "mystery shopping" expeditions and spot checks. Mr. Naphongthawat explained that when security meant passwords, it could always be changed if there was a problem. But if a photograph is manipulated, the face cannot be changed. Hence, the Bank of Thailand has made it necessary to store biometric data separately from personal data to prevent hackers from linking the picture with the individual.
On the other aspect of security which is privacy, the Bank of Thailand is still trying to work out the legal consequences as biometric KYC requires customer consent.
The second phase is set to revolutionize the FinTech industry as it will allow banks to access and exchange identity verification information. Here customers can authorize their bank to act as their primary identity provider or their data trustee. If a customer wants to use another bank or entity's service, the customer can permit the other bank to request personal data from the data trustee, through the national digital identity platform. Then, the data trustee would ask the customer to allow the transaction by sending them a selfie along with some other password measures, which gives it permission to give details to the new bank. The customer doesn't provide all the information but just selective information to get services from the new bank.
The NDID will serve as a platform for exchanging data, without housing the data. Customer data would remain with a customer's authorized data trustee (that is, their primary bank) or with agencies like the national credit bureau which would house their own information about people or businesses.
Thailand is headed towards exciting times in fintech as The Bank of Thailand is working towards connecting banks and government agencies through the new NDID platform.