Get best of the week

Remote banking identification: from complex to simple, or Banks, why do you need biometrics?


(Image taken from here )

Not always complicating the technology leads to better results. In today's article, we will try to show that a complex technical solution for biometric identification and authentication of clients in banking applications is completely replaced by the traditional presentation of a passport, but in the modern interpretation of the “connected world”: an application with an implemented recognition module may well act as a “checking” employee of the bank and document verification. We do not set as our goal to criticize or question the need for the development of biometric methods for identifying a person as an independent technological area. We show that modern technologies are catching up with each other, gradually improving due to the simplification and “facilitation” of algorithms.

The issue of remote identification, especially in the banking sector, where not only a person’s personal data, but also his financial well-being depends on the quality of the applied solution, its accuracy and security, has recently become extremely urgent, especially when the world has abruptly gone online. The main problems related to the technical, legal and organizational aspects were highlighted. And if not so long ago it seemed that biometrics and face recognition could solve all problems at once, then during the stress test that the planet underwent, it turned out that biometrics was far from the only, and certainly not the safest way for all parties to provide remote client identification . It is enough to look at what uncertain recognition technologies with a low level of accuracy lead to. A recent example is a fine issued to the wrong persondue to its 61% similarity to those to whom this penalty was intended [1].

A few years ago, when we began to introduce a unified system of biometric data in our country, it was remote recognition by human biometric indicators that was regarded as the most accurate method to remotely verify a person.

Here is how they describe the process of biometric remote identification on one of the sites [2]:
— , (). , , , ( ). , : 1) ; 2) ; 3) ; 4) () , .

It turns out that before using biometrics, the client needs to physically come to the bank (or another organization that uses the system), "pass" samples of their biometric data (the most common ones are to record a voice, scan fingerprints). And already after these samples appear in some digital repository, identification and authentication will become possible. The process, of course, is reliable, but in our opinion, it is extremely complex and disadvantageous to either side. Of the advantages here is that biometrics is always (or almost always) with us. That is why identification by biometric data is applicable, rather, in forensic science and in cross-border control: not only is a citizen identified by his biometrics, but also in the opposite direction - the correspondence of biometric data to any citizen is established.

(Image taken from here )

The most paradoxical (and unpleasant for fans of exclusively biometric authentication methods) is that presenting your own fingerprints, or voice, or iris is technologically not much different from entering a 256-bit password known only to the client, or using a bunch “Token-device”, or any other method of two- or three-factor authentication: in any case, for a machine, all our biometrics remains a set of zeros and ones. Most importantly, biometric data is no more difficult to compromise than any other. An example of this is the leakage of data from the world's largest Indian biometric database Aadhaar in 2017 [3].

Interestingly, from some time in Europe, biometrics is no longer considered as the only means of remote identification in the provision of services dealing with sensitive data.

On September 14, 2019, the EU Directive PSD2 [4], also known as Open Banking, came into force. It requires banks to necessarily use multi-factor authentication when performing any remote transactions. This means that in the process of user identification / authentication several methods of confirming the identity should be used [5]:

  • Knowledge - some information known only to the user, for example, a password or security question.
  • Possession - a device that only the user has, for example, a phone or token.
  • Uniqueness - something inherent, inherent in the user and uniquely identifying the person, for example, biometric data.

In addition to using biometric data as an access key, banking operations must be accompanied by additional checks using a code word, security question, token connection, use of a specific device (smartphone or computer with a unique identification number), or PUSH / SMS codes. Question - why is biometric data here ?

For banks, in the case of the forced use of biometric identification systems, there is another huge nuisance. The implementation of biometrics systems requires significant costs for the deployment of related information infrastructure: in fact, equipment for collecting identification data, software for their processing, creating a data center or renting a secure cloud service for storage, providing security and so on. That is why the adoption of the law on the mandatory collection of biometric data in Russia stumbled upon the opposition of the banking community and caused its adoption to be postponed indefinitely [6].

Technologies are developing and banks are gradually withdrawing intermediaries from the chain of interaction with the client in the form of operators, managers, agents. They remain only where it is necessary to provide the so-called premium service, in which the client is provided not only with the convenience of the service, but with personal attention, or in those regions and those categories of customers who, for technical reasons, are not able to use modern technical means. The operator is replaced by a “bank in a smartphone”. It is important that the remote customer identification is necessary for the bank at all stages of interaction. Until recently, even in large banks, which today completely switched to electronic document management, they made physical copies of the client’s passport during each transaction with the account, whether it’s replenishing an account, withdrawing money,transfer to another account or the conclusion of additional agreements for the connection of Internet banking or SMS informing. This provided the bank with protection against claims from the client about disputed changes to the contract or account transactions.


Until the state has created a single digital platform for registering all citizens from birth to death (Estonia was the closest to building such a fully digital society in Europe today, having built a full-fledged electronic state in 25 years, converting 99% of public services to electronic form [7]), the physical presentation of a non-digital (printed) passport or other certifying document with simultaneous verification of its authenticity and compliance of the bearer with the holder indicated in the document is the most accurate way to identify the client. In the case of remote identification using software and hardware systems, the role of the operator (controller, client manager) is played by the user's device: a smartphone or a computer with a webcam.

From the point of view of the expected result, presenting the passport to the document recognition system and presenting the passport to the operator is no different: as a result of the transaction, the customer data is entered into the customer relationship management system (CRM) of the bank, which subsequently allows it to be identified when applying. If a passport is presented to the operator, the functions of entering data into the system are performed by a person who has been authorized by the bank to perform the necessary actions: take a passport and, using a special scanner, a mobile camera and an application, enter data into the system (in an optimistic scenario, applicable not to all banks and their departments), or drive the data into the appropriate form fields on your computer (realistic scenario).


A mobile application with a built-in remote identification system allows you to optimize several tasks at once, both from the client and from the bank. The application recognizes customer data and automatically enters them into the required fields. For example, applications based on the Smart IDreader SDK recognize data from user documents almost instantly, while working completely offline, without transferring document images to third-party servers or cloud services. The computer vision system automatically selects a photo on a document and correlates it with the photo of the owner. Depending on the requirements of the bank, the forensics function may be integrated into the application, that is, checking the image of the document for signs of forgery or additional image processing,and data validation based on machine-readable zone (MRZ) analysis. It does not matter at all who and where holds all these events - the operator in the bank or the user himself, sitting on the sofa at home. The chain of actions remains unchanged: presentation of the document, data entry, data verification, assessment of the validity of the document.

Let us pay attention to the following: if, upon presenting a forged document, the artificial intelligence-based recognition system did not reveal any signs of falsification of the document and recorded the correspondence of the bearer of the photograph on the document and approved the operation, this means that if the document is presented to the operator at a bank or a loan issuing center , the operator (person) would have made a similar decision. To deceive machine vision today is much more difficult than to deceive a person.

Acting as adherents of identification based on document recognition, we summarize by listing the advantages of the approach.

  • (OCR). “” , , , . .
  • , .
  • , .
  • Remote identification through document recognition requires investments at the level of software development (client application), but does not require the development of an accompanying infrastructure, does not provide for the creation of its own biometric data storage, or access to existing higher-level systems (state or industry).

Thank you for the attention!

List of sources used
  1. 15 . - 61- — meduza.io/news/2020/04/15/zhitelnitsu-sahalina-oshtrafovali-na-15-tysyach-rubley-za-narushenie-karantina-iz-za-61-protsentnogo-shodstva-s-drugoy-zhenschinoy
  2. «» — www.zakon.kz/4928580-pro-udalennuyu-identifikatsiyu-klienta.html
  3. rb.ru/story/aadhaar-india
  4. Payment services (PSD 2) — Directive (EU) 2015/2366 — ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en
  5. habr.com/ru/company/trendmicro/blog/469533
  6. cnews.ru/news/top/2020-01-14_gosduma_otlozhila_prinyatie
  7. We have built a digital society and we can show you how — e-estonia.com

More articles:


All Articles