The Reserve Bank of India (RBI) issued its Digital Payment Security Controls (DPSC) directions on February 18, 2021. The document was created to assist Indian financial institutions in safeguarding their digital channels and the products customers access through them.
Global financial services companies are in a difficult position between authorities and customers. The DPSC’s principles address the entire ecosystem, from basic security controls, customer experience, and privacy controls to device-level controls that work together to safeguard consumer data and transactions.
Customers increasingly demand online services, so these standards are timely. They expect immediate access and do not appreciate being treated as criminals. Customers are tech-savvy, and they understand how technology can help them.
The DPSC demands an accurate, rapid, and simple digital transformation of fundamental procedures, such as remote identity proofing, robust privacy protections, and sophisticated user authentication.
To comply with the guidelines, financial institutions in India should implement a distributed digital identity solution to improve access management, customer experience, privacy controls, and identity proofing. Distributed digital identity solutions also provide convenience and security while allowing users to control their data, which improves privacy. Advanced distributed digital identity solutions would eliminate the need for passwords by opting for identity-based biometric authentication instead. This would identify users with a high level of assurance, reducing the threat from data breaches, man-in-the-middle (MITM) attacks, ransomware, phishing, and fraud.
What should financial institutions do to address the key areas in the DPSC guidelines?
Privacy by Design:
‘Privacy by Design’ starts by putting the customer in control of their data and removing all other access to it, except where the individual gives explicit consent to share specific personal information. Companies should implement a private, permissioned blockchain distributed ledger to manage identity attributes and user privacy. This eliminates the central database of usernames and passwords and removes any risk of lost, borrowed, or stolen credentials. The ledger is immutable, highly secure, and designed to support rapid transaction execution that often cannot be achieved on a public blockchain. Users’ information is encrypted using their unique cryptographic key pairs, with the private key stored securely in the mobile device’s secure enclave.
Once users enroll their attributes and biometrics, the data is pushed to the private and permissioned blockchain network. A smart contract inside the blockchain is triggered and executed, and once validated, the user’s data is stored inside the blockchain.
The clear benefit of this blockchain approach is eliminating a single identity repository, so hackers will not be able to access a ‘honey pot’ of identity data that traditional IAM and CIAM vendors deploy.
To comply with the DPSC guidelines, financial institutions should allow users to authenticate via any of the following authentication methods:
- Real Biometrics (LiveID)
- QR Code Scan
- Push Notification + Acknowledgment
- Time-based OTP Icon
- Legacy Email/SMS Codes
Each of these approaches should continuously validate identity assurance and offer a configurable journey that maps to the user’s authentication requirements. Traditional ‘allow or deny’ responses are replaced by more fine-grained options such as ‘allow, but step up the authentication level with biometrics.’
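The "configurable journey" and the fine-grained responses described above amount to a small policy engine: each access event carries the assurance the session has already reached, the policy says what the action needs, and the answer is allow, step up, or deny. The Go program below is an added example written for this article, not code from the RBI, the article's author, or any vendor; the action names, the 50,000 INR high-value threshold, and the mapping of authenticator types to assurance levels are constructed for illustration.

```go
package main

import "fmt"

// Assurance is the identity-assurance level a session has reached so far.
type Assurance int

const (
	AssuranceNone       Assurance = iota // nothing proven yet
	AssuranceLegacy                      // email/SMS code only
	AssurancePossession                  // TOTP, QR scan, or push + acknowledgment on a bound device
	AssuranceBiometric                   // live biometric on the bound device
)

// Decision replaces a flat allow/deny with the step-up options the text describes.
type Decision string

const (
	Allow           Decision = "allow"
	StepUpDevice    Decision = "step up: confirm on trusted device"
	StepUpBiometric Decision = "step up: live biometric"
	Deny            Decision = "deny"
)

// Request is one access event as seen by the policy engine.
type Request struct {
	Action    string    // constructed action names, e.g. "view_balance", "transfer"
	AmountINR int       // only meaningful for transfers
	NewDevice bool      // true if this device is not yet bound to the identity
	Current   Assurance // assurance already reached in this session
}

// Policy is the configurable journey: the assurance each action requires.
type Policy struct {
	Required     map[string]Assurance
	HighValueINR int // transfers at or above this amount always need a biometric (constructed threshold)
}

// DefaultPolicy returns sample values; real ones would come from the institution's risk team.
func DefaultPolicy() Policy {
	return Policy{
		Required: map[string]Assurance{
			"view_balance":   AssurancePossession,
			"transfer":       AssurancePossession,
			"change_contact": AssuranceBiometric,
		},
		HighValueINR: 50000,
	}
}

// Evaluate returns the next step for the request. Unknown actions fail closed.
func (p Policy) Evaluate(r Request) Decision {
	need, ok := p.Required[r.Action]
	if !ok {
		return Deny
	}
	// High-risk transactions are escalated regardless of the base requirement.
	if r.Action == "transfer" && r.AmountINR >= p.HighValueINR {
		need = AssuranceBiometric
	}
	// An unbound device cannot prove possession; a biometric is needed to bind it.
	if r.NewDevice && need >= AssurancePossession {
		need = AssuranceBiometric
	}
	if r.Current >= need {
		return Allow
	}
	if need == AssuranceBiometric {
		return StepUpBiometric
	}
	return StepUpDevice
}

func main() {
	p := DefaultPolicy()
	for _, r := range []Request{
		{Action: "view_balance", Current: AssurancePossession},
		{Action: "transfer", AmountINR: 120000, Current: AssurancePossession},
		{Action: "view_balance", Current: AssuranceLegacy, NewDevice: true},
	} {
		fmt.Printf("%-14s amount=%-7d new_device=%-5v -> %s\n", r.Action, r.AmountINR, r.NewDevice, p.Evaluate(r))
	}
}
```

The point of the structure is that the decision is data, not code: the institution changes the journey by editing the map and the threshold, and every unlisted action is denied rather than silently allowed.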
User account and device binding:
The entire onboarding process for new and existing customers should be securely automated. This approach binds the user’s device not only to their identity but to their verified and validated identity. This creates identity-based biometric authentication and a robust passwordless experience. Users will utilize their trusted device for daily authentication and step-up authentication for account access and high-risk transactions. As a result, each access event is validated against a real, verified identity that meets the KYC (Know Your Customer) guidelines. This provides users with a frictionless experience and organizations with a flexible level of assurance for the identity on the other side of the digital engagement.
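Binding a device to a verified identity, so that every later access event is checked against that identity without a password, is in practice a key-pair enrollment followed by a challenge-response. The Go program below is an added example written for this article, not the author's or any vendor's implementation: the server records the device's public key only after identity proofing has succeeded, issues a fresh nonce per access event, and accepts a signature only from the bound key, consuming the nonce so a captured response cannot be replayed. Customer and device identifiers are constructed, and the device's private key is an in-memory value standing in for one held in the secure enclave.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Binding records which device key belongs to which KYC-verified customer.
type Binding struct {
	CustomerID string
	DeviceID   string
	PublicKey  ed25519.PublicKey
}

// Server is the institution's side: bindings plus outstanding one-time challenges.
type Server struct {
	bindings   map[string]Binding
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{bindings: map[string]Binding{}, challenges: map[string][]byte{}}
}

// Enroll is called only after identity proofing has verified customerID;
// from then on the device key stands for that verified identity.
func (s *Server) Enroll(customerID, deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, taken := s.bindings[deviceID]; taken {
		return errors.New("device already bound")
	}
	s.bindings[deviceID] = Binding{CustomerID: customerID, DeviceID: deviceID, PublicKey: pub}
	return nil
}

// Challenge issues a fresh random nonce for one access event.
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.bindings[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[deviceID] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and returns the bound
// customer. The nonce is consumed first, so a replayed response is rejected.
func (s *Server) Verify(deviceID string, nonce, sig []byte) (string, error) {
	b, ok := s.bindings[deviceID]
	if !ok {
		return "", errors.New("unknown device")
	}
	expected, ok := s.challenges[deviceID]
	if !ok || !bytes.Equal(expected, nonce) {
		return "", errors.New("no matching outstanding challenge")
	}
	delete(s.challenges, deviceID)
	if !ed25519.Verify(b.PublicKey, nonce, sig) {
		return "", errors.New("signature not from the bound device")
	}
	return b.CustomerID, nil
}

// Device models the customer's phone. In production the private key is generated
// in and never leaves the secure enclave; here it is a plain in-memory value.
type Device struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, pub: pub, priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Respond signs the server's nonce; this is the whole per-login ceremony.
func (d *Device) Respond(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

func main() {
	srv := NewServer()
	dev, _ := NewDevice("phone-1")                     // constructed device id
	_ = srv.Enroll("cust-42", dev.ID, dev.PublicKey()) // constructed customer id, after KYC
	nonce, _ := srv.Challenge(dev.ID)
	who, err := srv.Verify(dev.ID, nonce, dev.Respond(nonce))
	fmt.Println(who, err) // cust-42 <nil>
}
```

A step-up for a high-risk transaction reuses the same ceremony with the biometric gating the enclave's use of the key, so the server never learns a biometric template, only that the bound key signed the challenge.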
User account and SIM binding:
SIM binding should be achieved during account registration in the mobile app. The user will click on an email invite from the institution, which will open the app. The user is then challenged to verify their phone number. The platform should use a combination of SIM detection and SMS verification to validate a user’s mobile number against the number registered with their service provider. Upon successful validation, the customer can add a new account with the registered device as an authenticator through the app.
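The SMS half of the phone-number challenge above is where implementations most often go wrong: codes that never expire, unlimited guesses, or the code itself stored server-side. The Go program below is an added example written for this article, not the author's or any vendor's code, showing how to issue and check such a code: only a hash of the code is kept, it expires, and guesses are capped. The SIM-detection step, which depends on the handset platform, is outside what this sample covers; the phone number and time-to-live are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxAttempts caps guesses per issued code (constructed value).
const maxAttempts = 3

// Verification is one pending phone-number check. Only a hash of the code is
// stored, so a leaked record does not reveal the code still in transit by SMS.
type Verification struct {
	Phone    string
	codeHash [32]byte
	Expires  time.Time
	Attempts int
}

// StartVerification draws a uniformly random 6-digit code, returns it for SMS
// delivery, and records its hash with an expiry.
func StartVerification(phone string, now time.Time, ttl time.Duration) (*Verification, string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return nil, "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v := &Verification{Phone: phone, codeHash: sha256.Sum256([]byte(code)), Expires: now.Add(ttl)}
	return v, code, nil
}

// Confirm checks the code typed into the app. It fails closed once the code has
// expired or the attempt cap is reached, and compares in constant time.
func (v *Verification) Confirm(code string, now time.Time) error {
	if now.After(v.Expires) {
		return errors.New("code expired; request a new one")
	}
	if v.Attempts >= maxAttempts {
		return errors.New("too many attempts; request a new code")
	}
	v.Attempts++
	h := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(h[:], v.codeHash[:]) != 1 {
		return errors.New("incorrect code")
	}
	return nil
}

// WrongCode returns a 6-digit string guaranteed to differ from code (used for demos and tests).
func WrongCode(code string) string {
	if code == "000000" {
		return "000001"
	}
	return "000000"
}

func main() {
	now := time.Now()
	v, code, _ := StartVerification("+91-XXXXXXXXXX", now, 5*time.Minute) // constructed placeholder number
	fmt.Println("correct code accepted:", v.Confirm(code, now) == nil)
	fmt.Println("after expiry:", v.Confirm(code, now.Add(6*time.Minute)))
}
```

After a successful Confirm the app can proceed to the final step in the text, registering the device as an authenticator for the new account; a failed or expired verification should force a fresh code rather than extend the old one.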
With the DPSC guidelines, global financial services firms occupy a challenging position between regulators and consumers. Financial institutions must take steps to comply with the guidelines while also considering consumer requests such as privacy and a simple login experience.
Views expressed above are the author’s own.