VTB and Pochta Bank have applied for accreditation with the Ministry of Digital Development to work with biometrics

As Kommersant found out, several large banks may soon enter the Ministry of Digital Development's register of organizations accredited to work with data from the unified biometric system (EBS). This makes it possible to use biometric data to provide remote services. But the requirements for inclusion in the register are quite strict. In addition, banks will need to obtain consent from clients they have not previously served before obtaining their data from the EBS.

According to Kommersant sources in the financial market, VTB and Pochta Bank have applied for accreditation with the Ministry of Digital Development to work with biometrics, and Tinkoff Bank also has plans to be accredited. “VTB has already submitted a package of documents to the Ministry of Digital Development,” the bank confirmed. “The bank’s IT systems fully comply with all security requirements and legislation on the procedure for transferring biometrics to the EBS.”

Pochta Bank also confirmed the filing of an application “for the possibility of further use of biometric templates within the framework of the EBS vector model to protect customers from fraud and launch new services based on biometrics.” Tinkoff Bank and the Ministry of Digital Development did not respond to Kommersant’s requests. According to the rules, the decision on accreditation or refusal is made within no more than 50 working days.

It is already known that the largest banking player in the biometrics market, Sberbank, has also submitted an application. There, Kommersant was told that they plan to obtain the status of an accredited operator of a commercial biometric system by the end of November.

To work with the EBS using the vector model (vectors are a mathematical code in which data about a person is encrypted), accreditation is required. The register is maintained by the Ministry of Digital Development. Currently, it lists two Russian banks: Rosselkhozbank and Alfa-Bank.

The Center for Biometric Technologies (CBT; the EBS operator) noted that accreditation allows it to continue to provide face and voice services to its clients, as well as to other companies that want to use biometric technologies but do not plan to obtain accreditation themselves. “The purpose of accreditation is to guarantee maximum safety and security of biometric personal data, to exclude the possibility of their unfair use,” the CBT emphasized.

At the same time, as the company noted, if an organization does not plan to be accredited by the Ministry of Digital Development but wants to continue to provide biometrics services, it can connect to the systems of already accredited companies or work directly with the EBS GIS. The latter case assumes a transactional model of interaction with the EBS, in which the participant pays each time for one comparison operation and receives only the result of the comparison, not the vector.

The model is used to identify clients, that is, when opening an account remotely, and more than 100 banks already operate using it. As for bank services that, as a rule, are used on a regular basis (service without a passport in a branch, payment by face, etc.), it is logical to use a vector model of interaction, says Kommersant’s interlocutor. For large volumes of client transactions, he believes, this becomes more commercially profitable than the transactional model.

An important limitation may be that banks must obtain the consent of new clients to work with vectors from the EBS GIS. This applies to all cases if the client is new to the bank. New consents are not required from existing clients whose data has been imported by the bank into the EBS.

Accreditation rules were developed at the beginning of 2023. Among the requirements for entering the register of accredited organizations, the financial ones were initially considered the most problematic, notes Positive Technologies information security consultant Alexey Lukatsky. In particular, this concerns the need to confirm financial support in the amount of at least 100 million rubles for potential losses associated with the processing of biometrics, as well as a minimum capital amount of at least 500 million rubles.

The relevant government resolution does not contain clear criteria as to what can be considered the cause of a possible loss. According to Mr. Lukatsky, this could be any compromise of data on the part of the bank, including information leaks. In particular, the resolution itself refers to “damages caused to third parties due to their reliance on the result of authentication” based on biometrics carried out by the organization. It is these financial requirements, the expert believes, that can greatly narrow the potential circle of organizations that can work with the EBS and that will be interested in getting into the register.

Olga Sherunkova
