Deepfakes are a sophisticated form of synthetic identity fraud. Cybercriminals combine stolen personally identifiable information from the dark web and fabricated data to create highly realistic, fake identities.
The rise of Generative AI has significantly exacerbated the threat of deepfakes. With the manipulation of images and videos becoming alarmingly easy and accessible through camera apps, 'Seeing is No Longer Believing.' This poses a growing challenge for individuals and financial institutions to verify authentic identities."
The World Economic Forum (WEF) 2023 study had reported that incidents involving deepfakes in the fintech sector have surged by 700% compared to the previous year, and it is predicted that by 2026, up to 90% of online content may be synthetically generated.
The urgency to address identity fraud is especially pronounced in the APAC region, including Thailand. As the WEF highlights, disinformation has been ranked as one of the top risks for 2024, further emphasising the need for immediate action to combat the growing threat of deepfakes and synthetic identities.
Financial institutions are particularly vulnerable to deepfake scams and identity theft. The line between reality and fabrication has become blurred, making it easier for cybercriminals to exploit deepfakes to open accounts, apply for loans, and conduct fraudulent activities and money laundering transactions. This erodes trust in digital transactions and can disrupt banking services.
Vulnerable groups, particularly the elderly and those with limited digital literacy, are often targeted, leading to both financial and emotional distress.
Thailand Regulatory Landscape and the Role of National Digital Identity Ecosystems
Thailand has taken proactive anti-fraud measures against synthetic identity-related mules and money laundering frauds. In March 2023, Thailand’s central bank (BOT) ordered banks around the nation to comply with new mobile banking security requirements. This involves the use of biometric authentication whenever someone attempts to open a new bank account or attempts to facilitate digital financial transfers of more than 50,000 baht.
In September 2023, the Bank of Thailand (BOT) issued guidelines for the safekeeping and use of biometric technology in eKYC in Banking, Financial Services, and Payment Services. These guidelines reference existing regulations on Information Technology requirements and explicitly enforce that customers' biometric data must not be retained in biometric capture devices of financial service providers and the systems of third-party service providers as a form of control and safeguard for the biometric data.
Thailand's Personal Data Protection Act (PDPA) imposes strict regulations on organizations handling personal and biometric data. Biometric data is classified as highly sensitive and requires explicit consent for collection and processing. Organisations that violate PDPA's security and privacy regulations could face a maximum fine of 5 million Baht and potential imprisonment. Understanding these distinctions is crucial for organisations handling biometric information. Organisations must obtain explicit consent from individuals for their collection and processing of biometric data.
Financial institutions must ensure transparency regarding biometric data collection, purpose, storage, security, and usage while adhering to lawful processing principles to avoid legal consequences and reputational damage.
In response to the rising threats, Governments around the world have launched over 180 digital identity schemes and the market size for global digital identity solutions is projected to grow from US$34.5 billion in 2024 to US$83.2 billion by 2028. This centralised approach allows citizens to authenticate their identities securely when engaging with financial institutions and other service providers and can drastically reduce the prevalence of synthetic identity fraud. If a synthetic identity is flagged by one institution, this information can be shared across the network to prevent further fraudulent activities and enhance fraud detection capabilities.
Similarly, Thailand has developed the National Digital ID (NDID) platform, a government-backed online blockchain digital identity verification and authentication system designed efficiently and securely for individuals to manage their digital identities securely while providing a framework for financial institutions to verify and authenticate those identities reliably online, thereby reducing fraud rates and improved customer satisfaction with quicker onboarding processes. In January 2024, NDID published a revision of the Member Qualification Assessment (MQA) Guideline; the assessment ensures the measures used by member agencies to identify, protect, detect, respond to, and recover cyber threats or risks comply with Thailand regulatory and international standards. Members of the NDID platform are required to submit an independent audit of the MQA every two years.
Key Measures on Biometric Risk Management and Data Safeguards
There is a strong emphasis for financial institutions on the need to enhance their risk management frameworks within the three lines of defence. Best practice controls include multi-indicators of synthetic identity fraud, extending identity verification and biometric security with new advanced technologies to monitor and detect anomalous activities, accuracy thresholds in biometric false match and acceptance rates and adequate data protection and security safeguards.
To improve 'liveness detection' checks, financial institutions can implement techniques that verify a user's real-time presence. This can involve asking users to perform actions like tilting their head, smiling, or blinking. Additionally, incorporating biometric security features like skin texture detection, facial imperfection analysis, perspiration detection, and blood flow monitoring can further enhance liveness verification.
Rigorous biometric model risk management is essential to ensure adequate controls for monitoring algorithm performance, transparency, and interpretability. Financial institutions should regularly attest their proprietary or third-party identity verification and biometric authentication algorithms using synthetic or artificial biometric data complying with Biometric Performance Test ISO 19795, ISO 19794-5, NIST FRVT, ISO 30107-3, and FIDO standards.
Biometric data are highly sensitive and require extra safeguards throughout their lifecycle. This requires the establishment of control measures for collection, consent, processing, transfer, storage, and destruction as documented in the NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management standards.
Ensure that a robust third-party technology risk management is in place with ISO 27001 controls, NIST security standards, SOC 2 Type 2 certification, regular critical information structure and cyber security audit assessments to demonstrate their commitment to data protection.
Implement monitoring tools to track third-party vendor activities and restrict access to biometric data within the organisation and the vendor. Share the minimum amount of biometric data necessary for the vendor to perform their functions. Ensure that biometric data is encrypted during transfer and storage, using robust encryption protocols to prevent unauthorised access.
Establish incident response plans that include third-party vendors, outlining steps to take in case of a data breach. Ensure contracts include liability provisions to address potential breaches or misuse. Clearly specify data protection and security requirements, particularly for handling biometric data.
Financial institutions should adopt a zero-trust security model, assuming all network traffic is potentially malicious. This 'never trust, always verify' approach requires continuous monitoring of users, devices, and biometric data shared across the network, rather than relying solely on the network's security perimeter.
Visit Third Party Risk Management for more information. If you would like to have our training support on Biometric Risk and Third-Party Risk Management or have any other inquiries, please feel free to reach out for a discussion.
Joeyvoen Teo,
Senior Manager | Audit & Assurance
Deloitte Thailand