E-commerce giant Alibaba Group has asked regulators for permission to insert biometric identification functions into its mobile online payment services.
The company’s latest technological triumph known as “Smile to Pay” – developed by Alibaba affiliate Ant Financial Services Group and unveiled in March at a trade show in Germany – could be the next leap forward for China’s fast-growing online banking sector. Ant controls the Alipay payment system through which Alibaba clients’ transactions are processed.
Sources close to regulators told Caixin that the People’s Bank of China has already started working on Alibaba’s request, in the wake of a central bank meeting with online technology experts in January.
The central bank has also started crafting a regulatory framework that would open the door to experimental programs that test the security and usefulness of biometrics for Internet users who want to open bank accounts online.
China currently requires physical presence at a teller window for any banking customer who wants to open a new account.
Biometrics may also supplement or replace the identification-number authentication system generally used in China for online payments. These numbers are found on the personal identity cards, or shenfenzheng, carried by every Chinese citizen.
Biometrics also may affect the future of the Electronic Identification (eID) chip-and-card system introduced by banks in recent years on a trial basis. Some experts see a combination of these systems as the future of all online financial activity.
An expert who works at the Ministry of Public Security’s (MPS) Third Research Institute, which focuses on the development of the eID system, says China should modernize online authentication by going beyond the eID system for remote banking, which was developed by the institute.
Smile to Pay, which uses facial recognition software to identify online customers, has been touted as one of the big steps toward modernization that many experts have been clamoring for.
Smile to Pay was rolled out at the CeBIT exhibition in Hanover, Germany, by Jack Ma, Alibaba’s founder and chairman. Standing on an exhibition stage, Ma demonstrated the technology by smiling at his camera-equipped smartphone to complete an Alibaba transaction.
Facial recognition is a biometrics technique that’s widely used by police and related agencies for personal identification. But nowhere in the world has this technology been used by the financial services sector.
Chinese authorities have taken a cautious approach to Alibaba’s request that Ant clients be allowed to open new accounts remotely and conduct business online on the basis of facial recognition. They’re also weighing related requests for policy adjustments filed in recent years by banks and Internet-related companies that see biometrics as the wave of the future.
The government has already given its blessing to Internet banking, small-business credit and e-commerce payment services, none of which necessarily require the use of bricks-and-mortar bank outlets. Their next logical step may involve adjusting rules to fit the new environment, which could mean scrapping the physical presence rule for opening new accounts.
Sources said central bank regulators are mulling over proposed rules designed to cover online services offered by traditional banks as well as Internet-only banks, regardless of whether customers use PCs or mobile devices.
One official from the central bank who asked not to be named told Caixin that the bank might launch a biometrics identification pilot project for bank clients in the southern province of Guangdong and the eastern province of Zhejiang, but that no decisions have been reached.
“Regulators are very cautious because account opening is the foundation for financial services,” the source said. “Without a face-to-face interview, there may be risks.”
Asked to comment on the chances that facial recognition will be tested through a pilot project, the central bank official said the bank “won’t comment on whether the technology is mature enough, but an independent and credible party needs to prove that the technology can guarantee the identity of a (bank account) applicant.”
Some 600 million people in China use the Internet, more than in any other country. But a relatively small percentage of that population has started using eID technology.
“The system could be expanded to included online remote services such as opening bank accounts and mobile payments,” said the expert of MPS Third Research Institute. “It technically authenticates” a bank client but won’t be widely accepted without government backing.
The bottom line, said the central bank official, is that for security reasons every new bank account must be opened on the basis of a customer’s real identity. How that identity is verified is not as important as it can be guaranteed that all identification data is accurate.
Traditional banks with online services, such as China Minsheng Bank, allow remote opening for a new account if the client previously obtained some other service, such as a credit card, by being physically present for the signing-up at a bricks-and-mortar bank outlet.
Some technology experts have faulted the identity-card authentication process that’s currently widely used as insecure, saying it can leave e-commerce customer accounts vulnerable to hackers.
To meet customer demands for secure online transactions, and long before Ma unveiled Smile and Pay, traditional banks including the world’s largest, Industrial and Commercial Bank of China (ICBC), started using eID systems on a trial basis.
According to the MPS, eID systems through which personal information is embedded on a chip are common in the United States and Europe. Because these chips can be used to track a person’s online activity, they got their start in China five years ago as cyber security and anti-terrorism tools for police agencies.
An eID card looks like any other bank card but contains far more data, including the cardholder’s address, said a source who works in ICBC’s finance department. It’s also password-protected. One person is allowed only one eID.
In 2012, the MPS tested the system’s civilian and Internet-user functions after issuing 30,000 eID cards to Beijing University of Posts and Telecommunications students. The experiment led to a nationwide personal identification system designed by the ministry.
Since launching its pilot eID card last year, ICBC has embedded eID chips in 10 million customer bank cards but is keeping the test low-key. “We haven’t started any major marketing,” said an ICBC staff member.
The much smaller Shanghai Bank started issuing eID cards last September. The big state banks Agricultural Bank of China, China Construction Bank and Bank of China are expected to follow suit with eID cards of their own later this year, said the MPS expert. Two securities brokerage houses are also testing the system, he added.
Bank eID cards have attracted attention from companies in the e-commerce arena as well. For example, the anti-virus software company Qihoo 360 Technology Co. Ltd. recently said it plans to improve customer identification and transaction services by linking eID cards issued by ICBC to its online-to-offline business platform.
“EID can be used for online authentication when opening a bank account remotely and handling transactions,” said the MPS expert. “Technologically speaking, it fully meets the central government’s requirements for opening new accounts.”
Officials are looking at possibly combining eID and biometric systems in a package that meets central bank requirements for remote banking. The ICBC staffer said facial recognition linked to an eID system may work best.
An eID chip “cannot determine whether an account was opened or a transaction completed by the person willingly,” the ICBC staffer said. “But if we use facial recognition plus eID, it’ll be able to make a determination.”
When used alone any biometric system including facial recognition, said the MPS expert, can be hacked during a transaction procedure.
“The remote Internet environment cannot be controlled,” he said. “Without physical presence, falsification is easy. That’s why no country uses facial or fingerprint recognition as the main means of authentication in the finance business.