Biometric Payment Authentication (BPA) – Corporate Banking Transactions: Pakistan Perspective

1. Introduction

The term ‘authentication’ describes the process of verifying the identity of a person or entity. Within the domain of corporate e-banking systems, the authentication process is one method used to control access to corporate customer accounts and transaction processing. Authentication typically depends on corporate customer users providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.

Customer identifiers may be user ID / password, or some form of user ID / token device. An authentication factor (e.g. PIN, password and token response algorithm) is secret or unique information linked to a specific customer identifier that is used to verify that identity.

Generally, the way to authenticate customers is to have them present some sort of factor to prove their identity. Authentication factors include one or more of the following:

Something a person knows – commonly a password or PIN. If the user types in the correct password or PIN, access is granted.

Something a person has – most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer, and devices with a small screen on which a one-time password (OTP) is displayed, or can be generated after inputting a PIN, which the user must enter to be authenticated.

Something a person is – most commonly a physical characteristic, such as a fingerprint. This type of authentication is referred to as “biometrics” and often requires the installation of specific hardware on the system to be accessed.

Authentication methodologies are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. Multifactor authentication utilizes two or more factors to verify customer identity and allows a corporate e-banking user to authorize payments.
Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations. The effectiveness of a particular authentication technique is dependent upon the integrity of the selected product or process and the manner in which it is implemented and managed.

‘Something a person is’

Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. The process of introducing people into a biometrics-based system is called ‘enrollment’. In enrollment, samples of data are taken from one or more physiological characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.

Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access.

A biometric identifier, such as a fingerprint, can be used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has). Currently in Pakistan, banks mostly use two-factor authentication, i.e. PIN and token in combination with user ID.

Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along with small unique marks known as minutiae, which are the ridge endings and bifurcations or branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense, and this density explains why fingerprints are a very reliable means of identification.
Fingerprint recognition systems store only data describing the exact fingerprint minutiae; images of actual fingerprints are not retained.

Banks in Pakistan offering Internet-based products and services to their customers should use effective authentication methods for high-risk transactions involving access to customer information, the movement of funds to other parties, or any other financial transactions. The authentication techniques employed by the banks should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g. ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, banks should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
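An added example, not taken from the article or from any bank's system: a simplified sketch of the enrollment and live-scan comparison described above, combined with a PIN so that a payment is authorized only when both factors verify. The user store, tolerances, threshold, lockout limit and sample minutiae are assumptions, and the matcher skips the alignment step a production fingerprint matcher performs.

```python
import hashlib
import hmac
import math
import os

# Constructed sample data: a minutia is (x, y, ridge_angle_degrees, kind),
# kind being "ending" or "bifurcation". Only these points are stored, no image.
ENROLLED_SCAN = [(30, 42, 90, "ending"), (55, 80, 45, "bifurcation"),
                 (71, 33, 130, "ending"), (90, 95, 10, "bifurcation"),
                 (120, 60, 270, "ending")]
LIVE_SAME_FINGER = [(31, 41, 92, "ending"), (54, 82, 40, "bifurcation"),
                    (70, 35, 128, "ending"), (91, 94, 12, "bifurcation"),
                    (119, 61, 268, "ending")]
LIVE_OTHER_FINGER = [(10, 10, 0, "ending"), (200, 150, 180, "bifurcation"),
                     (60, 20, 300, "ending"), (140, 140, 75, "bifurcation")]

USERS = {}          # hypothetical in-memory store: user_id -> record
MAX_FAILURES = 3    # assumed lockout policy


def _pin_hash(pin, salt):
    # Salted, slow hash so the stored value is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def enroll(user_id, pin, minutiae):
    """Register the PIN verifier and the fingerprint template."""
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "pin": _pin_hash(pin, salt),
                      "template": list(minutiae), "failures": 0}


def match_score(template, live, dist_tol=8.0, angle_tol=15.0):
    """Fraction of minutiae paired one-to-one within tolerance (0.0 to 1.0)."""
    unused = list(live)
    paired = 0
    for tx, ty, ta, tkind in template:
        for cand in unused:
            lx, ly, la, lkind = cand
            angle_diff = abs(ta - la) % 360
            angle_diff = min(angle_diff, 360 - angle_diff)
            if (tkind == lkind and angle_diff <= angle_tol
                    and math.hypot(tx - lx, ty - ly) <= dist_tol):
                unused.remove(cand)   # each live minutia is used once
                paired += 1
                break
    return paired / max(len(template), len(live), 1)


def authorize_payment(user_id, pin, live_scan, threshold=0.8):
    """Approve only if the PIN and the live fingerprint scan both verify."""
    rec = USERS.get(user_id)
    if rec is None or rec["failures"] >= MAX_FAILURES:
        return False
    # Check both factors every time so the result does not reveal which failed.
    pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"])
    finger_ok = match_score(rec["template"], live_scan) >= threshold
    if pin_ok and finger_ok:
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    return False


if __name__ == "__main__":
    enroll("maker01", "4821", ENROLLED_SCAN)
    print(authorize_payment("maker01", "4821", LIVE_SAME_FINGER))
    print(authorize_payment("maker01", "4821", LIVE_OTHER_FINGER))
```

The threshold is the setting that trades false accepts against false rejects; the failure counter limits guessing of the PIN, the factor with the smaller search space.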


Although some banks, especially the major multinational banks, have started to use two-factor authentication, from an information security point of view additional measures need to be taken to avoid unforeseen circumstances that may result in financial loss and reputational damage to the bank.

There are a variety of technologies and methodologies banks use to authenticate customers. These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of tokens.

However, in addition to these technologies, biometric identification can be an added advantage for two-factor authentication:

a) as an additional layer of security
b) cost effective

Existing authentication methodologies used in Pakistani banks involve two basic factors:

i. Something the user knows (e.g. password, PIN)
ii. Something the user has (e.g. smart card, token)

This research paper proposes the use of another layer, a biometric characteristic such as a fingerprint, in combination with the above. Adding it gives the following authentication methodologies:

i. Something the user knows (e.g. password, PIN)
ii. Something the user has (e.g. smart card, token)
iii. Something the user is (e.g. biometric characteristic, such as a fingerprint)

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

2. Methodology

The methodologies applied in this paper build on a two-step approach.
First, through my past experience working in the Cash Management department of a leading multinational bank, implementing electronic banking solutions for corporate clients throughout Pakistan and across geographies.

Secondly, through consulting and interviewing friends working in Cash Management departments of other banks in Pakistan and the Middle East, for a better understanding of the technology used in the market and its benefits and consequences for successful implementations.

3. Implementation in Pakistan

This section discusses the implementation in Pakistan of Biometric Payment Authentication (BPA), i.e. the use of a biometric characteristic such as a fingerprint for authorizing financial transactions on a corporate e-banking platform. The descriptive part comes first, followed by the economic benefit analysis for adopting the presented methodology.

As technology is very advanced today, fingerprint scanners are now readily available on almost every laptop, or a stand-alone scanning device may be attached to a computer. With the advent of smart phones, fingerprint scanners are available on phones as well (e.g. Apple iPhone, Samsung mobile sets etc.).

In Pakistan, end users shouldn’t have trouble using a fingerprint-scanning device on a laptop or on a smart phone, as all the work that needs to be done has to be done by the banks introducing this methodology.

Besides this, Pakistan is a perfect location to implement biometrics-based authentication, mainly because:

a. CNICs are issued after taking the citizen’s biometric information, especially fingerprints
b. Telco companies need to maintain and validate an individual’s fingerprints before issuing a SIM card

These examples show that a large population in Pakistan is already familiar and comfortable with the biometric (fingerprint) methodology. However, banks have to develop their e-banking portal or application so that it accepts fingerprints for corporate users.
The e-banking portal would invoke the fingerprint device of the end user for either login or authenticating financial transactions. Enrollment can be performed either remotely, through the first login to the e-banking platform after the user has received setup instructions and passwords, or at the bank’s customer service center.

This article suggests that banks in Pakistan move to multifactor authentication through PIN and fingerprints. Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.

Now let’s discuss the economic benefits of using PIN and fingerprints instead of token devices for authentication. Before we dive into the statistics, first look at the current process, from token inventory ordering to delivery to the end user, and then maintenance if any token is lost or faulty.

Banks in Pakistan mostly order and import tokens from a US-based company called ‘VASCO Data Security International Inc.’. Once an order is placed, VASCO ships the tokens to the ordering bank, and the bank receives the tokens after clearing the customs duties. Banks settle VASCO’s invoices by sending the amount through outward remittance along with the courier charges. Banks then initialize the token and, upon the customer’s written request, issue the token to an end user. The token is couriered to the end user, and training is conducted via phone or a physical visit of the bank’s representative to the customer’s office. Any lost or faulty tokens are replaced with new ones and again couriered to end users.
Tokens are returned to banks if an end user resigns from their organization or is moved into some other role that doesn’t involve banking-related operations or use of the e-banking platform.

Theoretically this seems pretty simple, but in practice these are very time-consuming activities, and a cost is associated with each and every step mentioned above.

Now, let’s calculate the costs associated with the above activities and build some statistics so that a cost-benefit analysis can be done.

Currently, some banks in Pakistan have introduced fingerprint recognition technologies locally to authenticate ATM users and are in the phase of eliminating the need for an ATM card, which will eventually help banks save the cost of replacing lost or stolen cards.

Cost calculations are approximations and are not to be taken as true costs for any budgeting.

3.1. Descriptive Statistics

The descriptive statistics for token inventory ordering, delivery to the end user, and maintenance if any token is lost or faulty (built on a consumption of roughly 1000 tokens per year per bank) are shown below.

Descriptive Statistics
Tokens Cost (1000 tokens): 15,000 USD (1,569,000 PKR)
Custom Duty: 4,610 USD (482,206 PKR)
Courier to End User: 922 USD (96,441 PKR)
Training Cost: 7,376 USD (771,530 PKR)
Total: 27,908 USD (2,919,177 PKR)

The above statistics show that approximately 28,000 USD (amount in USD rounded to thousands) is spent on tokens by a single bank, which can easily be saved if the token is replaced by fingerprints. This is not only a cost saving for a bank but also eases its administration and maintenance.

Forex interbank rates as of December 23, 2016 http://www.forex.com.pk

4. Change Management Grid

Stage One: “Coming to Grips with the Problem”

Mind-set (Thinking/Understanding)

a. Currently banks incur a large cost on purchasing physical tokens, which can easily be eliminated by using a biometric methodology such as fingerprints.

Motivation (Emotional/Intuitive Dynamics)

a. The current methodology of token ordering takes time and cost until the tokens reach the banks. Then specific training needs to be conducted for end users on token device activation and usage. Maintenance is another huge activity for banks. As biometric scanners are easily available on laptops and smart phones, this change is easily achievable without any huge cost. Fingerprint authentication will relieve end users of remembering too many passwords, and they will not have to carry physical devices with them all the time.


Behavior (Capability)

a. Banks in Pakistan need to be visited, and proper presentations will be conducted to brief their I.T. teams on this easy-to-use and secure technology, their finance teams on the cost benefits, and their operations teams on the reduction in operational maintenance.
b. Demos will also be arranged to show live how this new technology assists banks.
c. End users will have to use a fingerprint to log in or authenticate transactions instead of using physical tokens.

Stage Two: “Working through the Change”

Mind-set (Thinking/Understanding)

a. Biometric authentication will help banks reduce cost and operational hassle. This technology will also make day-to-day e-banking activities easier for end users. Proper training will be conducted for the bank’s concerned team. End users will also be guided through fingerprint enrollment.

Motivation (Emotional/Intuitive Dynamics)

a. Banks have to invest first to adopt this new technology, but this will eventually help them reduce recurring cost and operational maintenance.
b. End users will no longer have to carry any gadgets and will perform banking activities with the touch of a finger.

Behavior (Capability)

a. Post-implementation reviews will give banks feedback from the customers who have started using the new technology, and client experience will help banks enhance their product.
b. With fingerprint technology, corporate customers will no longer have to pay any additional cost for requesting tokens.

Stage Three: “Attaining and Sustaining Improvement”

Mind-set (Thinking/Understanding)

a. Banks to hold client experience forums, which will gather customer feedback and also give new ideas for future enhancements.
b. Banks to update Departmental Operating Instructions (DOI) for employees, emphasizing their roles and responsibilities with respect to this new technology.

Motivation (Emotional/Intuitive Dynamics)

a. Banks can launch a reward campaign for employees who successfully migrate e-banking users from tokens to fingerprint technology.
b. Likewise, promotional fee waivers can also be offered to customers for adopting this technology.

Behavior (Capability)

a. Training and retraining to be conducted for any new or existing bank staff to emphasize the benefits of biometric authentication.
b. Customers can be retrained or refreshed on this technology by sending regular product brochures and short training videos.
c. Quarterly feedback will be collected across all customers to assess their knowledge of biometric authentication and gather new ideas for future enhancements.

5. Monitoring / Evaluating

Banks, being a service-oriented industry, always focus on ‘Customer First’. Customer feedback will be obtained through client experience forums; any issues faced will be addressed through keen follow-ups, and final feedback will be taken from the customer upon resolution.

Post-implementation review will give a clearer picture of the new biometric methodology implemented and will also provide further viewpoints for future enhancements.

6. Conclusion

This study aims to examine the replacement of the physical tokens used by corporate e-banking platform users with the end users’ fingerprints, for login to the e-banking channel and for authentication of financial transactions. The findings of this study reveal that this new technology will not only benefit banks from a cost and maintenance perspective but will also give corporate end users the peace of mind of not having to remember too many passwords or carry a physical token wherever they roam.

Car Finance – What You Should Know About Dealer Finance

Car finance has become big business. A huge number of new and used car buyers in the UK are making their vehicle purchase on finance of some sort. It might be in the form of a bank loan, finance from the dealership, leasing, credit card, the trusty ‘Bank of Mum & Dad’, or myriad other forms of finance, but relatively few people actually buy a car with their own cash anymore.

A generation ago, a private car buyer with, say, £8,000 cash to spend would usually have bought a car up to the value of £8,000. Today, that same £8,000 is more likely to be used as a deposit on a car which could be worth many tens of thousands, followed by up to five years of monthly payments.

With various manufacturers and dealers claiming that anywhere between 40% and 87% of car purchases are today being made on finance of some sort, it is not surprising that there are lots of people jumping on the car finance bandwagon to profit from buyers’ desires to have the newest, flashiest car available within their monthly cashflow limits.

The appeal of financing a car is very straightforward; you can buy a car which costs a lot more than you can afford up-front, but can (hopefully) manage in small monthly chunks of cash over a period of time. The problem with car finance is that many buyers don’t realise that they usually end up paying far more than the face value of the car, and they don’t read the fine print of car finance agreements to understand the implications of what they’re signing up for.

For clarification, this author is neither pro- nor anti-finance when buying a car. What you must be wary of, however, are the full implications of financing a car – not just when you buy the car, but over the full term of the finance and even afterwards. The industry is heavily regulated in the UK, but a regulator can’t make you read documents carefully or force you to make prudent car finance decisions.

Financing through the dealership

For many people, financing the car through the dealership where you are buying the car is very convenient. There are also often national offers and programs which can make financing the car through the dealer an attractive option.

This blog will focus on the two main types of car finance offered by car dealers for private car buyers: the Hire Purchase (HP) and the Personal Contract Purchase (PCP), with a brief mention of a third, the Lease Purchase (LP). Leasing contracts will be discussed in another blog coming soon.

What is a Hire Purchase?

An HP is quite like a mortgage on your house; you pay a deposit up-front and then pay the rest off over an agreed period (usually 18-60 months). Once you have made your final payment, the car is officially yours. This is the way that car finance has operated for many years, but is now starting to lose favour against the PCP option below.

There are several benefits to a Hire Purchase. It is simple to understand (deposit plus a number of fixed monthly payments), and the buyer can choose the deposit and the term (number of payments) to suit their needs. You can choose a term of up to five years (60 months), which is longer than most other finance options. You can usually cancel the agreement at any time if your circumstances change without massive penalties (although the amount owing may be more than your car is worth early on in the agreement term). Usually you will end up paying less in total with an HP than a PCP if you plan to keep the car after the finance is paid off.

The main disadvantage of an HP compared to a PCP is higher monthly payments, meaning the value of the car you can usually afford is less.

An HP is usually best for buyers who plan to keep their cars for a long time (ie – longer than the finance term), have a large deposit, or want a simple car finance plan with no sting in the tail at the end of the agreement.

What is a Personal Contract Purchase?

A PCP is often given other names by manufacturer finance companies (eg – BMW Select, Volkswagen Solutions, Toyota Access, etc.), and is very popular but more complicated than an HP. Most new car finance offers advertised these days are PCPs, and usually a dealer will try and push you towards a PCP over an HP because it is more likely to be better for them.

Like the HP above, you pay a deposit and have monthly payments over a term. However, the monthly payments are lower and/or the term is shorter (usually a max. of 48 months), because you are not paying off the whole car. At the end of the term, there is still a large chunk of the finance unpaid. This is usually called a GMFV (Guaranteed Minimum Future Value). The car finance company guarantees that, within certain conditions, the car will be worth at least as much as the remaining finance owed. This gives you three options:

1) Give the car back. You won’t get any money back, but you won’t have to pay out the remainder. This means that you have effectively been renting the car for the whole time.

2) Pay out the remaining amount owed (the GMFV) and keep the car. Given that this amount could be many thousands of pounds, it is not usually a viable option for most people (which is why they were financing the car in the first place), which usually leads to…

3) Part-exchange the car for a new (or newer) one. The dealer will assess your car’s value and take care of the finance payout. If your car is worth more than the GMFV, you can use the difference (equity) as a deposit on your next car.

The PCP is best suited for people who want a new or near-new car and fully intend to change it at the end of the agreement (or possibly even sooner). For a private buyer, it usually works out cheaper than a lease or contract hire finance product. You are not tied into going back to the same manufacturer or dealership for your next car, as any dealer can pay out the finance for your car and conclude the agreement on your behalf. It is also good for buyers who want a more expensive car with a lower cashflow than is usually possible with an HP.

The disadvantage of a PCP is that it tends to lock you into a cycle of changing your car every few years to avoid a large payout at the end of the agreement (the GMFV). Borrowing money to pay out the GMFV and keep the car usually gives you a monthly payment that is very little cheaper than starting again on a new PCP with a new car, so it nearly always sways the owner into replacing it with another car. For this reason, manufacturers and dealers love PCPs because it keeps you coming back every 3 years rather than keeping your car for 5-10 years!

What is a Lease Purchase?

An LP is a bit of a hybrid between an HP and a PCP. You have a deposit and low monthly payments like a PCP, with a large final payment at the end of the agreement. However, unlike a PCP, this final payment (often called a balloon) is not guaranteed. This means that if your car is worth less than the amount owing and you want to sell/part-exchange it, you would have to pay out any difference (called negative equity) before even thinking about paying a deposit on your next car.

Read the fine print

What is absolutely essential for anyone buying a car on finance is to read the contract and consider it carefully before signing anything. Plenty of people make the mistake of buying a car on finance and then end up being unable to make their monthly payments. Given that your finance period may last for the next five years, it is critical that you carefully consider what may happen in your life over those next five years. Many heavily-financed sports cars have had to be returned, often with serious financial consequences for the owners, because of unexpected pregnancies!

As part of purchasing a car on finance, you should consider and discuss all of the various finance options available and make yourself aware of the pros and cons of different car finance products to ensure you are making informed decisions about your money.