Who among us doesn’t have a password list stashed somewhere—physically or digitally? For bank employees, though, such lists can get them—and the bank—in trouble with examiners.
It’s a situation probably any bank can relate to.
Despite policies and training, says Bill Weber, vice-president and chief information officer at $410 million-assets West Milton State Bank, “We still find sticky notes with passwords hidden under keyboards and in little green books in desk drawers. It’s human nature.”
It’s also human capability. Regulators require long and complex passwords to be used and require them to be changed regularly. It’s tough to remember them, Weber says. As a result, the IT department gets many requests to “unlock and reset” over the course of a year.
Solution right at hand
Weber says the central Pennsylvania-based bank, founded in 1920, looked into a cloud-based password vault product, but didn’t think it was the right answer. About a year ago, Weber watched a demonstration of a Fiserv solution called Verifast—a biometric authentication technology that uses palm scanning.
“Before the demo was over,” he say, “I contacted the speaker and said, ‘Call me after this is over, we need to have a one-on-one demo at the bank’.” Once that happened, the banker was impressed enough to order ten units for an initial rollout among backroom employees.
Fiserv says it has sold the Verifast product to about 100 financial institutions, split about evenly between banks and credit unions. West Milton was the first bank to implement this particular palm-scanning system.
Chris Van Der Stad says Fiserv produces the software for the product and partners with Fujitsu for the hardware. The actual scanning device is about a one-inch cube. For employee use, the scanner is built into a mouse. For customer use, the scanner is placed under a clear plastic “cradle” to properly position the hand. (Employees can also use the cradle if they prefer.) The system is core agnostic.
The technology used is more formally known as “palm vein scanning.” A person puts their hand over an infrared light—the same as used in a TV remote—which illuminates the vein patterns in the hand, unique to each individual. Once a person has had that pattern linked to their identity, the device quickly scans and confirms their identity on subsequent visits. The process takes a few seconds.
Plastic "cradle" makes it easy for customers to position hand for scanning. Employee users at one bank mostly skip the cradle and hover their hand over the scanner/mouse.
According to information on the Fiserv website, palm vein scanning is very reliable. Vein patterns are highly complex—with typically five million scannable reference points—and remain stable throughout a person’s lifetime. In addition, the scanning is not blocked by the use of hand lotion.
Bill Weber says he even tried it with a bandage covering part of his palm. It worked as long as no more than half the palm was covered.
Linked to customer data
For customer applications, the scanner can be connected to the bank’s customer database so that once authenticated, a person’s relationship profile and account information are automatically presented to the teller or service representative before the transaction begins, according to Fiserv.
Van Der Stad, who is senior vice-president and chief technology officer for Open Solutions at Fiserv, explains that Verifast can be used for internal access, as West Milton State Bank is doing, and for customer authentication. In the latter case, the mouse sits in a clear plastic cradle that positions the person’s palm at the right height above the scanner. A customer-facing touch-screen tablet is connected to the scanner, which is also connected to the teller/CSR system for in-branch applications.
Weber says that most of his employees that use the palm scanner replaced their existing mouse with the scanner mouse. They just hover their hand above the mouse. The system prompts you to move your hand if you haven’t got the positioning right, he says.
The initial setup began with a session to go over the basics and see what the options were. “That took from about 9 a.m. to 11 a.m.,” Weber says. “By 1 p.m. the software was installed, set up and all ten devices deployed. If you’ve ever gone through software installations,” he says, “it’s amazing you can do it in half a day including training.”
Clamoring for a scanner
On the day of the installation of the first ten palm scanners, Weber showed it to the bank’s president.
“His eyes lit up,” says Weber, “and he said, ‘Deploy it to the rest of the bank as budgeting permits.’ He could see in ten minutes the importance and efficiency of the devices.”
Weber says that the units were such a boon, that people in other departments became jealous and said to him “How can I get one of those?” He added another two dozen more users following the initial trial. Eventually all employees will use the scanners for authentication into various systems.
In the year that the bank has been using the palm scanners, Weber reports that no one using them has been locked out of their system. He says the bank has between 30 and 40 different templates deployed for the authentication devices. Weber explains that a template basically is any application requiring a user code and password—e.g. the ADP timecard, the Fedwire, an IT support connection, or the link to Deluxe to order checks.
For each template, users still create a password, but because it is just set up once, they can make it very long and complex, which helps security. Weber says the bank is still changing passwords, says Weber, but he is looking at whether that needs to continue now that they have the biometric system. Regulators would have to approve, however.
Customer use next
Weber says the bank is looking toward the latter part of the year to implement customer use of the palm vein scanners, especially now that the system integrates with the bank’s teller system.
Tellers will be able to authenticate a customer, even one they don't know, without asking the person to give their name, account number, and show an ID in a busy lobby situation. Once they’ve scanned their palm successfully, no further identification is required, says Weber.
Van Der Stad notes that the tablet lets the customer indicate if he wants a receipt; can take an image of a driver’s license (or read the bar code) if necessary for a particular transaction; and allows customers to sign on the tablet with their finger, eliminating the need for a separate digital signature device. He says the system has the potential to simplify the physical setup of a teller station, which typically has four to five devices in a small space.
“Teller spaces were never designed for so much equipment,” says Weber. He adds that the bank has been redesigning some branches—turning teller stations into pods, and that the palm scanning system could help there.
Asked if any clients had reported customer reluctance to use the palm scanners, Van Der Stad says it’s been very limited. “I can’t explain why it’s different than using a thumbprint or an iris scan, but holding your hand over a scanner is not invasive.”
He says there have been some surprising benefits. One example he mentioned is of a woman who came into a branch using a walker and had to fumble in her wallet to find her ID. Now, says Van Der Stad, she can simply place her hand on the cradle over the scanner.
He adds that the scanners are useful in high-turnover situations. “The bank is no longer relying on the teller to authenticate a person’s identity,” he says. The technology does it for them.
Adds Weber: “We find that when we move a teller to a different location and bring in a new teller, a customer would sometimes get irritated—‘I’ve been a customer for 20 years, why don’t you know me?’ they would say.”
Large banks tend to use their ATM or debit cards as ID, usually in conjunction with a PIN, Van Der Stad observes, but that is not the case with many banks. For those that still require use of a driver’s license and the keying in of name or other information, the palm scanning alternative can reduce authentication times significantly—by 90%, he says—and improve accuracy.