Steps to Implementing Voice Authentication and Securing Biometric Data

As the use of voice verification continues to grow, call centers are seeing benefits not just in time (and costs) saved, but in a better experience for customers - while improving security at the same time.

The top three channels for using biometric information are Contact/Call Centers (61%), App or Chatbots (both 59%) and Voicebots (56%), according to a Deloitte survey last year. The results also illustrate that – although still ranked just #3 behind fingerprint and facial recognition – voice is on the rise and becoming increasingly important.

Fraud prevention is a key driver for implementation, and companies are looking both internally and externally. Insider threats can be reduced as staff access privileges are tightened up alongside the introduction of voice biometrics.

What are the steps to implementing a voice verification system, and how should the voiceprint data be secured, while ensuring compliance? Before implementing, the current system of authentication needs to be analyzed and compared to the desired process. Companies need to answer a number of questions.

Authentication Process
What is the current authentication process? For example, passwords, PINs or set questions. How will this process change by using voice biometrics? Will voice biometrics replace or extend current authentication steps? This depends on the geography. EU regulations such as PSD2 require strong authentication such as a biometric factor and something in your possession, such as an app.

It also depends on the company's motivation. Some banks want voice biometrics to help with compliance, some want it to slash verification time – for example, if a bank currently asks five questions, they can safely cut it down to only one.

Agent training
How will agents change their behavior? Replacing knowledge-based questions with voice biometrics saves them time and they can dive straight into helping clients. It removes mundane, repetitive tasks and once they start using the new system, they will immediately see the benefits. Internal training at the client is of course critical to a smooth introduction.

The voice authentication system will plug into the call center software to show an agent at a glance whether a caller is verified or not, using a red or green light for example. If a fraudster is identified, a system of escalation needs to be defined, e.g. to a fraud department.

What is the enrolment process for customers? It depends on the country. For example, with the GDPR, if you want to use biometrics to improve security you need to gain customer consent. How many times do you hear the message ‘this call may be recorded for monitoring purposes’? So clients will need to introduce voice verification as a new system and check callers are happy to use their voice for this purpose the next time they call. Call scripts for agents need to be used for both enrolment and voice verification stages.

CX & Fraud
How is CX measured? Clients must measure customer experience first, using various metrics, and then compare after implementation. They should have an understanding of where they are now and where they want to improve.

Next we look at the risk process. What is the current estimated fraud size? What security level is expected to be reached by implementing? Fraud is a problem for many businesses, not only financial services, but telcos and utilities.

Technical considerations
As it’s a collaborative process, the biometric supplier often works with external software agencies or client dev teams. The client knows how its call center infrastructure and processes work, and the supplier knows voice biometrics. So by working together they establish the best way to implement, while understanding the limits of biometrics, providing use cases and looking at risks.

Suppliers work with a client to advise on deployment - whether on-premise or cloud, PBX configuration, and call center/CRM integration.

When ‘going live’, the process is often started on a small subset of the customer database – especially in a bank with thousands of callers per day. This highlights whether the processes are correct for agents, whether the CX is good, and whether any tweaks are required – before rolling it out to everyone. The process is then checked to ensure it meets the planned time savings and improved experience.

Securing Voice Data
Securing sensitive data is based on the client’s policy. For example, banks already have in place strict internal rules and regulations about how to deal with data security. An on-premise installation (the usual method) means voiceprint data is stored where all sensitive data is kept, so it’s as secure as any other personal data the bank holds.

With a voiceprint, as soon as it can identify a person, it becomes personal information and must be treated as such. As per EU regulations, clients must ask the owner for consent to store it, explain how securely it is stored, etc.

Access privileges to this data are also an important consideration. One client implemented voice biometrics to help prevent internal fraud from employees – so only the people who need access should be granted it.

The voice verification software must communicate with the bank software via enterprise-standard secure channels. This means nothing can get out of the bank and no-one can intercept communications.

Summary
Voice authentication means a significant reduction in call length – paying agents to ask the same questions repeatedly doesn’t make sense in today’s environment, especially as leading enterprise-class verification systems on the market take just three seconds.

It’s not just call time savings: other solid commercial benefits include fraud prevention, compliance, seamless customer experience, and a fast install time. Time to pick up your phone.
