How we collect customer biometric data
This year, Rostelecom presented the Unified Biometric System - a project to identify bank customers for remote access to banking services. Thanks to biometric verification, users have the ability to remotely use services that previously required a mandatory physical presence in order to verify their identity.
Biometric data for the system are recorded in bank branches according to strict regulations. In this post we will describe how we implemented the collection of biometrics in Promsvyazbank and will try to dispel the myths associated with this process.
While other industries were engaged in the implementation of biometrics at different levels, the banking sector could only experiment with her. The legislation severely restricts banks in identifying the identity of an individual and the procedure for providing services. In the meantime, banking cases of large vendors of biometric solutions started in the meantime. The company Nuance, for example, has collected and successfully uses dozens of voice biometrics.
The ice started when the federal project “Digital Economy” was launched in Russia. On December 31, 2017, the President signed 482-ФЗ “On Amendments to Certain Legislative Acts of the Russian Federation”. The first stage of the Digital Economy project was the creation of a national biometric platform - the Unified Biometric System - the state base of biometric templates of citizens of the Russian Federation. At the same time, in order to develop the economy, the “Remote Identification of Bank Clients” project was logically launched.
We joined the project from the very beginning, at the level of the working group at the Ministry of Communications and the Central Bank of the Russian Federation. So we got time not only to understand the process itself, but also to think well of our actions and the process of implementation of the process. In addition, using our knowledge, it was possible to influence the concept of the project, as well as the formation of requirements, which in the future this process will be presented to all banks.
Assessing the documentation and comments of partners from Rostelecom, the Ministry of Communications and the Central Bank, we divided the service into four main parts.
ABS PSB-Retail is a banking system for servicing individuals, in which personal (non-biometric) customer data is also stored. For this project, we have refined it and integrated it with intrabank services and the biometric data
registration portal. The registration portal is the main element of the system, which includes an automated workplace (automated workstation) of the operator of the service center. We will tell about it in more detail.
Connector between the portal and SMEV (interdepartmental electronic interaction system)- a software product that generates requests and sends them to SMEV for processing by state-run services of ESIA and EBS. This part was made for us by an external vendor who has already created transport solutions for the bank, including on interaction with SMEV.
ESIA and EBS - government services, Unified Identification and Authentication System, Unified Biometric System. Created and maintained by Rostelecom. According to them we received all the documentation, descriptions, the bank interacts with them through SMEV.
The data registration portal was fully developed on the bank side. On the one hand, it should clearly interact with all parts of the system listed above, and the data acquisition hardware. On the other hand, to ensure an adequate level of security for the processing of personal and biometric personal data and use the quality control library provided by Rostelecom to check samples.
We decided not to use fat clients, but to create a web solution for easy deployment in the workplace, centralization of data storage and processing, and the possibility of flexible modification of the solution.
Our product was named ARM PACK “Registrar. PSB-BIO ”- Automated Workstation of the Software-hardware Complex“ Registrar. BIO "for Promsvyazbank. Everything was clear with the hardware of the complex - it is necessary to comply with the requirements for the equipment (they are listed in this post ). And we have developed the software part ourselves. We started with the elaboration of functionality - the application should be able to:
The registration process originates in the bank's ABS, for which we wrote an API on the back-end to receive data from third-party systems. After the ABS generates an order for the registration of a client, the portal URL is called and the required data is transmitted.
Now the operator workstation to begin the registration process. He sees in the portal a client card with the data that will be used in work with ESIA and EMU. Here you can choose which client's address will be used when registering with ESIA (registration or residence), as well as specify information for delivering a password (phone or e-mail).
Next, a request is automatically created to search for a client account in the ESIA. According to the search results, the service gives the possible use of the aircraft ESIA. BC - the type of information, a protocol for transmitting information of a certain type between the information systems of the supplier and the consumer. If several accounts are detected and none have confirmed status, the operator chooses which one to work with.
If the account provides for several types of information, the operator selects one of them under the control of an employee who has the authority of the central office controller. So we reinsure ourselves from sending incorrect data and eliminate the possibility of fraud at this stage.
After approval of the set of sent data, the operator sends a request to the ESIA on the selected type of information. In response, SMEV confirms the sending of the request, and the operator receives the OID of the client account in the ESIA.
Now, upon receipt of the client's consent to register with the EBU, we begin to collect data.
First, the operator sets the correct position of the camera relative to the client. It helps the workplace, displaying a preview of the frame with marks of the location of the face (crosshair), the angle of the head. It also displays numerical information: resolution, image size, angle of inclination of the head and the distance between the eyes. Along with this there are tips for the operator.
After setting the camera position, the operator presses the start button of the survey. The service takes pictures, checks their compliance with the requirements of Rostelecom and displays information to the operator - whether or not the check passed, what the client needs to do (lower the chin, turn the head, etc.).
After completing this stage, AWP automatically goes on to record voice samples. The client repeats a randomly generated sequence of numbers from 0 to 9 in three standard sequences three times. After each entry, the quality control library checks it. By the way, this library was developed by Promsvyazbank employees.
Then in the records the beginning and the end are put down, they are combined into one and sent to the EBU. After passing the control at the central office controller, the biometric samples are transmitted to the connector to form and sign the package, transfer to the SMEV and further to the EBU.
After receiving a response from the EBU, the operator’s screen displays the registration end card. And as a result of the registration, a message is received from ESA to the client.
This is how data is recorded in Promsvyazbank for the Unified Biometric System.
We know that the new system is causing some people questions. Let's comment on a few popular ones:
“Banks will own my data and cheat.” No, banks simply do not get access to the biometric data of customers and individuals. Banks register an individual (a client in ESIA), send a photo and voice recording of proper quality to the EBU. Fraud is impossible without an EMU biometric template that is not created on the bank side. In the process of identification in the ESIA, banks do not participate, but only receive the final status of this identification.
"My data will be used by outsiders."We often hear remarks like “another will take credit for me”, “a wife with my photo will have access to my accounts”. Not. The technology of biometrics provides for verification by the Liveness method - that is, it is verified that there is a living person at the other end. For this, the order of pronouncing phrases or numbers is unpredictable, and the movement of a person, mimicry, lip movement during face verification is evaluated. Such multimodal biometric features increase the reliability of the method.
"We are being watched and therefore everyone is obliged to submit the data." No, the surrender of biometrics is an entirely voluntary matter. Of course, over time, those who have accounts in ESIA and EBS will be able to receive more interesting offers and services and much faster. But the decision on the delivery of biometrics remains always for the client.
Biometric data for the system are recorded in bank branches according to strict regulations. In this post we will describe how we implemented the collection of biometrics in Promsvyazbank and will try to dispel the myths associated with this process.
While other industries were engaged in the implementation of biometrics at different levels, the banking sector could only experiment with her. The legislation severely restricts banks in identifying the identity of an individual and the procedure for providing services. In the meantime, banking cases of large vendors of biometric solutions started in the meantime. The company Nuance, for example, has collected and successfully uses dozens of voice biometrics.
The ice started when the federal project “Digital Economy” was launched in Russia. On December 31, 2017, the President signed 482-ФЗ “On Amendments to Certain Legislative Acts of the Russian Federation”. The first stage of the Digital Economy project was the creation of a national biometric platform - the Unified Biometric System - the state base of biometric templates of citizens of the Russian Federation. At the same time, in order to develop the economy, the “Remote Identification of Bank Clients” project was logically launched.
We joined the project from the very beginning, at the level of the working group at the Ministry of Communications and the Central Bank of the Russian Federation. So we got time not only to understand the process itself, but also to think well of our actions and the process of implementation of the process. In addition, using our knowledge, it was possible to influence the concept of the project, as well as the formation of requirements, which in the future this process will be presented to all banks.
How we collect biometrics
Assessing the documentation and comments of partners from Rostelecom, the Ministry of Communications and the Central Bank, we divided the service into four main parts.
ABS PSB-Retail is a banking system for servicing individuals, in which personal (non-biometric) customer data is also stored. For this project, we have refined it and integrated it with intrabank services and the biometric data
registration portal. The registration portal is the main element of the system, which includes an automated workplace (automated workstation) of the operator of the service center. We will tell about it in more detail.
Connector between the portal and SMEV (interdepartmental electronic interaction system)- a software product that generates requests and sends them to SMEV for processing by state-run services of ESIA and EBS. This part was made for us by an external vendor who has already created transport solutions for the bank, including on interaction with SMEV.
ESIA and EBS - government services, Unified Identification and Authentication System, Unified Biometric System. Created and maintained by Rostelecom. According to them we received all the documentation, descriptions, the bank interacts with them through SMEV.
AWP biometric registration
The data registration portal was fully developed on the bank side. On the one hand, it should clearly interact with all parts of the system listed above, and the data acquisition hardware. On the other hand, to ensure an adequate level of security for the processing of personal and biometric personal data and use the quality control library provided by Rostelecom to check samples.
We decided not to use fat clients, but to create a web solution for easy deployment in the workplace, centralization of data storage and processing, and the possibility of flexible modification of the solution.
Our product was named ARM PACK “Registrar. PSB-BIO ”- Automated Workstation of the Software-hardware Complex“ Registrar. BIO "for Promsvyazbank. Everything was clear with the hardware of the complex - it is necessary to comply with the requirements for the equipment (they are listed in this post ). And we have developed the software part ourselves. We started with the elaboration of functionality - the application should be able to:
- receive data from a third-party application (in our case, it is ABS Bank);
- provide a convenient environment for registering biometrics - with prompts for the operator;
- automate the entire process of obtaining biometric samples;
- send data to form a request to the connector and receive a response via the banking data bus;
- take into account security requirements when working with personal and biometric personal data;
- log the actions of the system, its users and the administrator;
- take into account the specific requirements for hardware and software.
The registration process originates in the bank's ABS, for which we wrote an API on the back-end to receive data from third-party systems. After the ABS generates an order for the registration of a client, the portal URL is called and the required data is transmitted.
Now the operator workstation to begin the registration process. He sees in the portal a client card with the data that will be used in work with ESIA and EMU. Here you can choose which client's address will be used when registering with ESIA (registration or residence), as well as specify information for delivering a password (phone or e-mail).
Next, a request is automatically created to search for a client account in the ESIA. According to the search results, the service gives the possible use of the aircraft ESIA. BC - the type of information, a protocol for transmitting information of a certain type between the information systems of the supplier and the consumer. If several accounts are detected and none have confirmed status, the operator chooses which one to work with.
If the account provides for several types of information, the operator selects one of them under the control of an employee who has the authority of the central office controller. So we reinsure ourselves from sending incorrect data and eliminate the possibility of fraud at this stage.
After approval of the set of sent data, the operator sends a request to the ESIA on the selected type of information. In response, SMEV confirms the sending of the request, and the operator receives the OID of the client account in the ESIA.
Now, upon receipt of the client's consent to register with the EBU, we begin to collect data.
First, the operator sets the correct position of the camera relative to the client. It helps the workplace, displaying a preview of the frame with marks of the location of the face (crosshair), the angle of the head. It also displays numerical information: resolution, image size, angle of inclination of the head and the distance between the eyes. Along with this there are tips for the operator.
After setting the camera position, the operator presses the start button of the survey. The service takes pictures, checks their compliance with the requirements of Rostelecom and displays information to the operator - whether or not the check passed, what the client needs to do (lower the chin, turn the head, etc.).
After completing this stage, AWP automatically goes on to record voice samples. The client repeats a randomly generated sequence of numbers from 0 to 9 in three standard sequences three times. After each entry, the quality control library checks it. By the way, this library was developed by Promsvyazbank employees.
Then in the records the beginning and the end are put down, they are combined into one and sent to the EBU. After passing the control at the central office controller, the biometric samples are transmitted to the connector to form and sign the package, transfer to the SMEV and further to the EBU.
After receiving a response from the EBU, the operator’s screen displays the registration end card. And as a result of the registration, a message is received from ESA to the client.
This is how data is recorded in Promsvyazbank for the Unified Biometric System.
Common Misconceptions
We know that the new system is causing some people questions. Let's comment on a few popular ones:
“Banks will own my data and cheat.” No, banks simply do not get access to the biometric data of customers and individuals. Banks register an individual (a client in ESIA), send a photo and voice recording of proper quality to the EBU. Fraud is impossible without an EMU biometric template that is not created on the bank side. In the process of identification in the ESIA, banks do not participate, but only receive the final status of this identification.
"My data will be used by outsiders."We often hear remarks like “another will take credit for me”, “a wife with my photo will have access to my accounts”. Not. The technology of biometrics provides for verification by the Liveness method - that is, it is verified that there is a living person at the other end. For this, the order of pronouncing phrases or numbers is unpredictable, and the movement of a person, mimicry, lip movement during face verification is evaluated. Such multimodal biometric features increase the reliability of the method.
"We are being watched and therefore everyone is obliged to submit the data." No, the surrender of biometrics is an entirely voluntary matter. Of course, over time, those who have accounts in ESIA and EBS will be able to receive more interesting offers and services and much faster. But the decision on the delivery of biometrics remains always for the client.