Banks in Thailand will go live with biometric solutions for digital identity. This will enable banks to onboard customers using facial recognition by the end of this year, and they will at some point be able to share that data as well, according to the fintech head at the central bank.
Naphongthawat Phothikit, director of the financial technology department at Bank of Thailand, told DigFin about 10 banks are working on the project in the central bank’s regulatory sandbox. The work is linked to a new government initiative to give all Thai citizens electronic identity cards, which come with electronic chips to store basic information, including a photo.
In the first phase, which should begin to deploy in the next few months, banks will use facial-recognition technology to onboard new customers. When people seek an account via mobile, banks will be able to ask them to take a selfie and compare it to the photo on their national digital identity card, or NDID.
Experimenting with facial recognition
Some Thai banks are already experimenting with electronic know-your-customer rules by using mobile apps that read contactless data off Thai passports (using near-field communication, or NFC, technology, the same used in contactless credit cards).
“It’s important to use a trusted source like a citizen’s identity card or passport” to compare against a selfie used to apply for a bank account, Naphongthawat said, speaking at Seamless, a conference in Singapore.
So far the regulator is not allowing banks to simply let people use their NDID card by itself, because fraudsters can alter those photos. But using them to compare with a selfie allows a higher level of confidence. Using biometrics is not a guarantee against people faking or stealing identities – the artificial intelligence behind face recognition can’t distinguish twins, for example – but it’s better than the current manual process, which is even worse at catching counterfeits.
“You can change your password; you can’t change your face” – Naphongthawat Phothikit, Bank of Thailand
Since late last year, banks have used BoT’s sandbox to begin applying biometric KYC to new customers. This involves onboarding both people who apply at branches and those who do so via mobile.
The central bank has used this to learn the technology and its uses, and to set standards for security, accuracy, and the robustness of banks’ I.T. so that it can always support transactions.
It is also monitoring how banks communicate with customers, especially when their facial-recognition software detects potential fraud. Banks have to make a judgment when people refuse to provide a selfie. Sometimes it might reveal a potential fraud – but sometimes it may be a person who, not realizing they needed to provide a photo, is worried about their hair or their makeup, or has some other innocent reaction.
Security and privacy
Finally, BoT is keeping an eye on how banks handle data security and privacy. Its own I.T. teams are conducting “mystery shopping” expeditions and spot checks. Biometric KYC offers both great potential for operational efficiency and better user experience – but it also raises the stakes if there’s a breach.
“Traditionally, security has meant passwords. If there’s a problem, you can always change your password.” But if someone manipulates your image, Naphongthawat said, “You can’t change your face.”
BoT therefore requires banks to store biometric data separately from personal data. If photographic data were hacked, the thieves wouldn’t be able to map it to individuals.
Another aspect to security is privacy. Biometric KYC requires consumer consent, and BoT is still working through all the legal ramifications.
In 2017, the government passed the Digital for Economy and Society Act, a broad framework to enable digitalization of many government services. In May of this year, it further legalized the creation of national digital identities for all citizens, and it is now rolling out online delivery of government services across various government agencies.
Thailand has been under military rule, directly or indirectly, since a coup in 2014.
Naphongthawat says banks deploying biometrics for their own customers is just the first phase of using NDIDs in financial services. The second is to allow banks to access and exchange identity verification information. This is being done around the government’s new NDID platform, which remains a work in progress.
“The national digital ID platform will become the main infrastructure for banks and other participants,” he said. For example, BoT may open its biometric experiments to fintech companies or corporations.
The idea is that a customer can give their bank permission to serve as their primary identity provider – their data trustee, in other words. If that customer then seeks a service from a different bank (or broker or other entity), which doesn’t know that person, they can authorize the institution to request personal data from their data trustee, via the national digital identity platform.
In this scenario, the data trustee would ask the consumer to authorize the transaction by sending a selfie along with some other password measures, which it then communicates back to the new bank. But the customer would not have to provide all of their information to get services from additional banks or other companies – they’d just have to provide a selfie and clear a few passwords with their data trustee.
The NDID platform will serve as a venue for exchanging data, but it won’t house the data. That would remain with either a customer’s authorized data trustee (that is, their primary bank) or with agencies such as the national credit bureau that would have their own information about people or businesses.
“The NDID is only responsible for data identification and verification,” Naphongthawat said.
He did not give a timeline on when Phase 2 might emerge, but said the Bank of Thailand is working with banks and government agencies on connecting them via the new NDID platform.