Standard Chartered Bank Nigeria has one of the most advanced ATM machines in the nation: the ATM uses facial recognition technology which is linked to BVN (bank verification number) to authenticate users in its ATM systems. But that early-adoption decision may be costing the bank business opportunities. It is a huge problem and the bank may not know.
At Ajao Estate (Lagos), along Airport Road, I visited one of the ATM branches. It was drizzling and everyone was rushing in with pockets of water on our faces – the new Airport-Oshodi road construction did not help issues. As we took turns to collect cash, none was successful from the bank’s ATM machines. The problem: ATM could not authenticate our faces with the water having messed up what was stored in BVN, and what the machine was seeing.
Out of frustration, we left and went to the nearby Access Bank to get cash. Access Bank uses the PIN-based ATM machines which do not require any facial capture. Once you type the PIN, it is largely irrelevant if you are wet or not.
I do not think Standard Chartered has clearly communicated the purpose of the facial recognition technology. One woman in front of me thought the bank wanted to take photos of her face. Apparently, in Nigerian banks, when you take large amount of money, they record the transactions on camera. So, going to ATM, many customers may be thinking it was all photo taking. After all the special poses and nothing happened, the woman shouted “Yeye bank, after taking my photos, you no even allow me collect my money.”
The woman was certainly not the typical Standard Chartered customer segment but ATM systems in Nigeria are classless as they are fully interoperable. If you have a valid card in one, you have access to all ATM machines (fees apply after the third non-network transaction). For the woman, she saw ATM to collect money, and they wanted her to take a photo, and after the photos, they still refused to release cash.
The Problem of Early Adoption
Certainly, Standard Chartered is industry-leading here on the adoption of facial recognition ATM systems. Even in U.S., these machines are not popular. I have never used any in U.S. or Europe and none of my banks have my photo. So, it is very interesting that Standard Chartered decided to deploy this in Nigeria. They have simply created another level of friction in the transaction process and it was not funny.
My understanding is that after you have facilitated your face, you need to still use PIN to collect the money. So, they did not remove the PIN entirely – facial is simply a step to get there. Here are issues with using facial recognition this way:
- Most bank accounts are tied to one BVN even for multiple accounts. If a couple shares a bank account , one cannot access the money via ATM depending on the one used in the BVN even though the other partner has released the debit card with PIN.
- Company accounts will struggle here. That the main accountant whose ID or the owner whose BVN was used did not come to work should not stop the company accounts with legal use of the PIN to withdraw cash in places where there is no bank branch.
I personally believe that Standard Chartered is over-thinking this process. There is already a clear global standard that customers are responsible for protecting their debit cards and the PIN numbers. Standard Chartered is saying here that it does not think you can do both, so, it wants to help the customer by using the face to further authenticate. A critical analysis of this will not happen if one does not know the number of ATM thefts in Nigeria. Also, we need to know the form and structure before a total evaluation of the necessity of this facial technology.
Why this Idea Will Struggle
Standard Chartered ATM machines may lose leverage over time since not all industry players will follow that path. I will tell my bank clients not to adopt facial recognition-based ATM machines. I do not think the value is huge: it is very marginal. For a crime to happen on ATM, in Nigeria, the PIN must have been disclosed or stolen. So, even if fraudsters clone a card that does not mean that they have the PIN. The chance of getting the PIN right in 3 trials in a 4-PIN system is low (one out of 10,000 possible outcomes, over three trials). So, the risk is very low for fraudsters without the PIN to commit crime since I expect any bank to block any ATM use after the third PIN attempt.
Yes, the bank’s desire to over-secure its customers is excessive because the risk is very low if it can block any debit card after three failed PIN attempts. The facial recognition will certainly increase friction and hurt volume in Standard Chartered machines.
But for this to work, Standard Chartered has to consider that ATMs in Nigeria are not in some cozy typical environments like they have in U.S. and Europe. You can join a train and arrive in a station without any rain touching you in U.S. You can connect to your car easily and drive home. Right there, there are ATMs and it is unlikely rain would have beaten you before hitting to the facial recognition ATM. But in Nigeria, market women are soaked on water as they run to ATMs. You do not expect them to use a towel before they can get their monies. If you keep asking for those photos, you would be out of luck on growing volume.
The Starbucks Model
Starbucks, a global coffee chain, runs a loyalty program. The security in the mobile app is terrible. It is always hacked and all the points zapped out. But when you call Starbucks, they “investigate” and within days they will return the points. Over time, I have come to understand one thing: Starbucks does not really want to stop the fraud. Why? It is cost of doing business. If the company loses $500,000 to fraud but the simplicity and user-experience (#1 in the industry) makes it possible to rake in extra $1 billion where $100 million is profit, Starbucks will go for it. Yes, to save that $500,000, it can lose $100M and that will not happen.
Customers have responsibilities on how they use their cards and those include safeguarding them and also keeping the PIN secure. Security strategy is never designed to eliminate all security vulnerabilities. You have to consider the balance between too much friction and customers abandoning the service. I recalled how I struggled to open AOL email account many years ago because in the bid to have the best security, it made a product no one could sign-up.
Even Google has explained that if it has to adopt the best security, most people would give up on some of its services. For Standard Chartered, it needs to educate customers that the facial recognition is not for photo taking, but for authentication. Also, I do think the bank needs adaptive lens which can adjust its position. Getting my face was hard since I was above average-height. The same goes for shorter people – the system does not need to be a burden. But if it wants to showcase this ATM, it needs to focus on places like schools, NNPC and National Assembly. It is not ready for markets and other crowded areas in Nigeria. I do think it is ahead by more than 6 years on this in Nigeria.