Problems of establishing the practice of remote identification of clients in the Russian banking system (economic aspects)

In author's opinion, the results of the government efforts to combat cybercrime in the Russian banking sector can hardly be considered satisfactory. This significantly hinders the development of modern Internet technologies in banking, including the innovative system of remote customer identification.

Key problems in the development of remote client identification in the Russian banking system and their solutions

Problem I. The risk of unauthorized access to the Unified Biometric System, which may result in: a) disclosure of clients' personal data to the public (at least in the Internet, Tor, darknet); b) use of accumulated biometric data for banking operations by unauthorized persons (criminals). It is important to note that compromised biometric data, unlike lost logins, passwords, certificates, PIN codes, etc., cannot be recovered!

Solution. Taking into account the devastating consequences of the above, it is essential to conduct a lengthy pilot operation of the system (Chinese experience). As the project has already been launched in Russia and there is no “turning back” without reputation losses, the Central Bank of the Russian Federation should not put too much pressure on the banking community (taking into account the Indian experience).

Problem II. Concerns of a large number of citizens regarding breach of their privacy. Thus, according to Article 14.1 of the Federal Law No. 149-FZ “On Information..” Rostelecom, as an UBS operator, is obliged to provide information stored in a unified biometric database upon the request of the Ministry of Internal Affairs and the Russian Federal Security Service.

Solution. An increased liability for the unauthorised use of information from the UBS, together with explanatory and educational activities to reduce social tension. Meanwhile, law-abiding citizens obviously have nothing to fear under the primacy of the rule of law.

Problem III. Lack of transparancy regarding the proper testing of the UBS software, developer's and operator's guarantees, etc. This significantly reduces the confidence of potential users (both banks and citizens) in the project. For example, “requirements to biometric data (face image and voice recording)..” posted on the Rostelecom portal, contain a bibliographic list, which includes six works by foreign scholars. This should probably increase confidence in the document and the system as a whole. However, all these articles are related to the study of voice biometrics [Beigi, 2011; Barinov, 2010; Pearce, 2000].

Solution. Rostelecom, as an EBS operator, should publish on its website: a) technical specifications of the systems; b) a positive opinion of an authoritative research institute or university including an analysis of relevant studies (rather than 20-year-old materials) by leading Russian and foreign scholars; c) a series of popular scientific video that would demonstrate the reliability and convenience of the system.

Problem IV. The risk of unauthorized access to the UBS system by unauthorized persons who successfully completed the identification procedures. There is no publicly available information about the probability of a false matches in the UBS. However, the specifications attached to the tender documentation allow 0.1 % probability of a false coincidence in the UBS D-Russia. URL: http://d-russia.ru/wp-content/uploads/2017/06/TZ-biometriya.pdf.. So, a computer may make a mistake once in a thousand matches. This error value may indeed seem small, but the Amazon American platform, for example, with photos of 25 000 criminals uploaded, has “identified” 28 of them among the current congressmen CNET. URL: https://www.cnet.com/news/amazon-facial-recognition-thinks-28-congressmen- look-like-known-criminals-at-default-settings/ (accessed: 14.02.2019).. It would appear that the error in this case was only a minor 0.112 %. However, there are implications for this “statistical error”! Besides, repeated experiments on the most perfect gadgets confirm that, despite scanning “30 thousand dots and eyes” Iguides. URL: https://www.iguides.ru/main/security/bliznetsy_i_iphone_x_udastsya_li_obmanut_ face_id/ (accessed: 22.02.2019)., twins can easily unlock the bio identification system. Similar results were obtained using high-precision human face masks Macdigger. URL: https://www.macdigger.ru/news/post/face-id-obmanuli-s-pomoshhyu-3d-maski (accessed: 22.02.2019)..

In fact, any biometric recognition system has a problem with setting the degree of “accuracy”. If the algorithm is made very “rigid”, then with decreasing the probability of second-generation error (acceptance of a false match, which was discussed above), the probability of first-generation error will increase (deviation of the correct match). In other words, the users will have problems accessing the system (according to the technical specifications, the probability of false mismatch of the UBS is 3 %).

Solution 1. It is obvious that modern biometric technologies designed for large-scale application cannot guarantee a high level of reliability (which must be a priority, since we are talking about people's savings). New customers must be additionally identified by:

- confirming one-time passwords from a previously registered mobile phone number There are certain problems associated with the illegal reissue of SIM cards of mobile operators in this area. However, this is the subject of a separate study.;

- entering a secret code word. Besides, in order to reduce the risk of forced identification (under threat), it is necessary to foresee the possibility of using a combination of words, after which the system will be blocked until a personal visit to the bank (the system then should a loss of connection or other technical problem).

Solution 2. In fact: a) there is no information about the real capacity of the bioidentification system; b) the number of bioidentification procedures is by no means unlimited Customers pass it once during initial identification at the bank. Otherwise, the bank will have to pay 200 rubles for each client's entry into “Internet Banking” system which is too expensive. Therefore, customers will need to be identified biometrically only once (“at login”) and then will use “traditional” logins and passwords from “regular” Internet Bank system.. Therefore, it is necessary (at least at the first stages) to conduct bioidentification under the control of the employees of the bank where the client wants to open an account. This follows the Austrian and Swiss experience and will: a) prevent the violation of Federal Law No. 115-FZ; b) detect and correct the existing defects in the new system; c) increase the credibility of the project for both the banks and the potential clients.

Solution 3. It is necessary to introduce a mandatory periodic prolongation of citizens' consent (every 3-5 years) to the use of biometric templates, carried out in person at bank offices (following the experience of South Korea).

Problem V. At present, the client himself bears the responsibility for unauthorized access to the UBS system, as he signs a written statement of consent specifying the relevant risks. At the same time, the bioidentification process is not subject to video recording and storage. In this case it is very difficult (in fact, almost impossible) for the client to prove his innocence during an investigation and in court.

Solution 1. All bioidentification procedures should be video recorded and stored for a period of 3-5 years; they should be made available upon request of the competent authorities in the investigation of theft and fraud in the banking sector (Austrian experience).

Solution 2. Rostelecom, as the UBS operator, should create a special fund to compensate clients for the unauthorized use of customer records. The funds should be generated by Rostelecom itself and the banks that want to use bio identification for new clients.

Problem VI. The current efforts to combat cybercrime in the banking sector consist mainly in “rebuffing” cyber attacks. In the event of actual theft, neither banks nor their clients would normally report it to law enforcement agencies. Moreover, banks are not authorized to report such crimes if the subject of theft is clients' money (as formally they are not victims). The government, in fact, remains unaware of the majority of crimes committed, and therefore such crimes are not investigated at all.

Solution 1. Banks should be obliged to report to law enforcement agencies no matter how successful the hackers' attacks have been The uncompleted act (attempt or preparation) constitutes an offence..

To form a complete picture of computer crime, banks should be allowed to accept statements from their clients about thefts to forward the information for further investigation to the law enforcement agencies.

Solution 2. Establishing specialized departments to investigate cybercrimes in the banking sphere. It would be sensible to study the UK experience.

Since 2017, Financial Fraud Action UK, consisting of about 300 financial institutions and banks, has been funding a special police department to investigate cybercrimes connected with illegal card transactions Financial Fraud Action UK. URL: https://www.financialfraudaction.org.uk/police/.

Problem VII. In modern Russia, cybercriminals remain either unpunished or the court imposes fairly lenient penalties (fines, suspended sentence).

Solution.

Legislative and judicial authorities should pay attention to the serious public threats posed by high-tech fraud in electronic banking information. Indeed, the district courts are full of young people (usually not older than 30 years) who committed a faux pas, rather than hardened criminals.

Yet in most cases, the courts deliver minor or suspended sentences for the established offence, and never impose correctional or compulsory work (Table 3).

General risks of global digitalization in the process of developing the institute of remote biometric identification in Russian banks

The rapid technological development that took place at the beginning of the 21st century, resulting from digitalization of virtually all sectors of the economy, is, according to many scholars, “a key element of the fourth industrial revolution” [Rihter, Pahomova, 2018]. The level of digitization of the financial and banking sector is constantly growing [Belousov, Levchuk, 2018]. Despite obvious advantages, this also increases operational and other risks for banks. For example, the author distinguishes three main groups of economic risks resulting from the introduction of biometric remote client identification initiated by the Central Bank of the Russian Federation.

Group I. Risks related to inaccurate functioning of the remote identification system, which lead to direct and indirect material losses of clients and/or banks, as well as reputational losses incurred by credit institutions, operators and vendors of the newly created Unified Biometric System.

Group II. Negative impact on the development of the Russian financial and banking system due to significant and unorganized changes in its existing structure. The expantion of remote interaction with clients may significantly weaken the competitive position of a large number of domestic banks, especially medium and small ones, which, due to limited financial resources, will not be able to fully integrate their business into the new digital model of interaction with customers. Despite the fact that this risk is generally market related, it may lead to certain destabilization of the domestic banking system in the medium term due to disorderly exit of a number of uncompetitive banks from the market (as it happened in the Russian banking system earlier).

Group III. Social and economic risks associated with a significant reduction in the number of bank employees engaged in direct interaction with clients. It should be noted that these risks are among the general risks of the fourth industrial revolution which is expected to replace low- and medium-skilled specialists with artificial intelligence [Maslov, Luk'yanov, 2017].

Regulation of the above risks (in order to minimize negative economic and socioeconomic consequences) is only possible if the institute of remote client identification in the domestic banking system is operational. Therefore, they should be taken into account when adopting regulatory measures in the relevant area in the future -- both in the medium- and long-term perspective.

Conclusion

The analysis of scholarly literature, as well as the global experience of developed and developing countries, demonstrates convincingly the advantages of the national institutions of remote client identification by banks. However, their technological characteristics differ significantly. Foreign countries employ different approaches combining biometric and non-biometric methods (online video identification, use of traditional logins/passwords, etc.). In Russia, the Central Bank of Russia initiated the creation of the national institute of remote biometric client identification using photo and audio templates of citizens collected on a centralized basis. Despite the fact that similar opportunities were provided to commercial banks on July 1, 2018, de facto they do not take an active part in the innovation project. There are two groups of reasons explaining this fact: lack of economic motivation and unwillingness of clients (individuals) to submit biometric data on a voluntary basis. It should be emphasized that these reasons (which have been described in detail above) are objective in nature. The author has also identified seven main groups of key problems that hinder the systemic development of the institute of remote identification of clients in the Russian banking system, provided practical recommendations to address them in the short and medium term, and outlined a number of common risks that global digitalization poses for the establishment of an innovation institute in Russia for the purpose of overcoming economic and social problems. This made it possible to confirm the correctness of the originally formulated scientific hypothesis, as well as to achieve the goal of scientific research and fulfil all the tasks set within it.

Implementation of the project on remote client identification in the Russian banking system is, undoubtedly, a step in the right direction. A new generation of clients is already prepared for new and unconventional communication technologies. However, to reach real positive potential of the bioidentification system, it is necessary to pay attention to objective problems in this area. If they are ignored (as is currently the case), direct losses, reputational losses, and lack of credibility among the population and banks can literally “bury” this undoubtedly ambitious and innovative social and economic institution in Russia.

The author is grateful to anonymous reviewers for useful suggestions and recommendations, which made it possible to strengthen and generalize the arguments, expand the bibliographic analysis, and generally improve the quality of the text.

References

1. Awad A. (2016) From classical methods to animal biometrics: a review on cattle identification and tracking.

2. Computers and Electronics in Agriculture. Amsterdam, Elsevier Science Publishers B. V., pp. 423-435. Banerjee S. (2015) From cash to digital transfers in India: The story so far. Customer-Centricity for Financial

3. Inclusion brief. Washington, DC, World Bank, pp. 1-4.

4. Barinov A. (2010) Voice samples recording and speech quality assessment for forensic and automatic speaker

5. identification. 129th Audio Engineering Society Convention. San Francisco, AES, pp. 334-343.

6. Beigi H. (2011) Fundamentals of Speaker Recognition. Yorktown Heights, Springer. 909 p.

7. Belousov A. L., Levchuk E. Yu. (2018) Didzhitalizatsiia bankovskogo sektora. Finansy i kredit, vol. 24, no. 2 (770), pp. 455-464. (In Russian)

8. Chajkina E. V., Kozinkin A. A., Chajkin V. Yu. (2018) Innovative technologies as a factor of competition in the Russian banking market. Nauchnyi vestnik: finansy, banki, investitsii, no. 4, pp. 114-121. (In Russian) Charles A. (2018) Biometrics, the future of banking and financial service industry in Nigeria. Journal of Electronics u Information Engineering, vol. 9, no. 2, pp. 91-105.

9. Dostov V. L., Shust P. M., Kozyreva A. D. (2017) New concepts of applying a risk-based approach in the implementation of identification procedures. Iuridicheskaia nauka, no. 5, pp. 104-112. (In Russian) Emets M. I. (2019) Remote identification of bank customers: prospects and challenges for compliance services. Mezhdunarodnaia nauchno-prakticheskaia konferentsia mezhdunarodnogo setevogo instituta Epokha kriptoekonomiki: novye vyzovy. Moscow, Publishing House of the MIFI, pp. 231-237. (In Russian)

10. Gelb A., Decker C. (2011) Cash at Your Fingertips: Biometric Technology for Transfers in Resource. CGD.

11. Washington, D. C., Center for Global Development, pp. 1-43.

12. Indrayani E. (2014) The Effectiveness and the Efficiency of the Use of Biometric Systems in Supporting National Database Based on Single ID Card Number. Journal of Information and Software Technology, vol. 4, no. 1, pp. 129-138.

13. Khan A. (2018) National Identity Card: Opportunities and Threats. Journal of Asian Research, vol. 2, no. 2, pp. 77-85.

14. Kozlova N. P., Ustinova E. V. (2019) Digitization of the banking sector: trends and cases of development of the Russian market. Ekonomika. Biznes. Banki, no. 1, pp. 18-34. (In Russian)

15. Krivoruchko S. V., Maklakova T. R. (2017) World practice of development of biometrics in the provision of payment services to increase their accessibility. Uchenye zapiski Rossiiskoi akademii predprinimatel'stva, vol. 16, no. 4, pp. 184-192. (In Russian)

16. Krivoruchko S. V., Ponomarenko V. Ye., Lopatin V. A. (2019) Increasing the availability of payment services through the development of user identification systems. Moscow, Infra-M Publ. 157 p. (In Russian) Krylova I. Yu., Rudakova O. S. (2018) Biometric technologies as a mechanism for ensuring information security in the digital economy. Molodoi uchenyi, no. 45 (231), pp. 74-79. (In Russian)

17. Kumar S. (2019) Cattle Recognition: A New Frontier in Visual Animal Biometrics Research. Proceedings of the National Academy of Sciences. Ed. by Jai Pal Mittal. Deli, Springer, pp. 241-248.

18. Lozhnikov P. S. (2017) Biometric protection of hybrid workflow: a monograph. Novosibirsk, Publishing House of the SB RAS, 2017. (In Russian)

19. Martens A. A. (2018) Remote maintenance as a basic technology for the development of banking business. Lizing, no. 6, pp. 39-44. (In Russian)

20. Martin A. (2012) National Identity Infrastructures: Lessons from the United Kingdom. 10th International Conference on Human Choice and Computers (HCC). Amsterdam, Springer, pp. 44-55.

21. Maslov V. I., Luk'yanov I. V. (2017) The fourth industrial revolution: sources and consequences. Vestnik Moskovskogo universiteta. Seriia 27: Globalistika i geopolitika, no. 2. pp. 38-48. (In Russian) Medvedeva E. A. (2018) On the prospects for the development of remote customer identification. Bankovs- koe delo, no. 12, pp. 59-61. (In Russian)

22. Naumov V. (2018) Problems of development of legislation on identification of the subjects of information space in digital economy. Trudy Instituta gosudarstva iprava RAN, vol. 13, no. 4, pp. 125-150.

23. Nazarov S. V. (2018) Electronic documents and remote identification of individuals. Dnevnik nauki. no. 6(18), pp. 34-41. (In Russian)

24. Pearce D. (2000) Enabling New Speech Driven Services for Mobile Devices: An overview of the ETSI standards activities for Distributed Speech Recognition Front-ends. The Speech Applications Conference, San Jose, Motorolla Lab., pp. 1-11.

25. Rihter K. K., Pahomova N. V. (2018) Digital economy as an innovation of the XXI century: challenges and chances for sustainable development. Problemy sovremennoi ekonomiki, no. 2. pp. 22-31. (In Russian) Shatalov A. S. (2018) Phenomenology of crimes related to the use of modern information technologies.

26. Zhurnal Vysshei shkoly ekonomiki, no. 2, pp. 68-83. (In Russian)

27. Shnekutis S., Gobareva Ya. (2018) Remote identification and biometrics in the field of remote banking services. Khronoekonomika, no. 1, pp. 67-71. (In Russian)

28. Vengerovskij E. L. (2018) Innovatsii internet-bankinga kak faktor konkurentosposobnosti kreditnykh organizatsii na sovremennom rynke bankovskikh uslug. Bankovskoe pravo, no 5, pp. 47-52. (In Russian) Yakimenko A. A., Vikhman V. V. (2016) The introduction of biometric identification in access control systems. Novosibirsk, Publishing House of the NSTU. 54 p. (In Russian)

Размещено на Allbest.ru