Thailand's Personal Data Protection Act (PDPA) imposes strict obligations on organisations handling personal data, and classifies biometric data as sensitive personal data that may be collected and processed only with the individual's explicit consent. Organisations that violate the PDPA's security and privacy requirements face a maximum fine of 5 million Baht and potential imprisonment, so understanding the distinction between ordinary personal data and sensitive biometric data is crucial for any organisation handling biometric information.

Financial institutions must ensure transparency regarding biometric data collection, purpose, storage, security, and usage while adhering to lawful processing principles to avoid legal consequences and reputational damage.

In response to the rising threats, governments around the world have launched over 180 digital identity schemes, and the market size for global digital identity solutions is projected to grow from US$34.5 billion in 2024 to US$83.2 billion by 2028. This centralised approach allows citizens to authenticate their identities securely when engaging with financial institutions and other service providers, and can drastically reduce the prevalence of synthetic identity fraud: if a synthetic identity is flagged by one institution, that information can be shared across the network to prevent further fraudulent activity and enhance fraud detection capabilities.

Similarly, Thailand has developed the National Digital ID (NDID) platform, a government-backed, blockchain-based online identity verification and authentication system. It is designed to let individuals manage their digital identities efficiently and securely while giving financial institutions a framework to verify and authenticate those identities reliably online, thereby reducing fraud rates and improving customer satisfaction through quicker onboarding. In January 2024, NDID published a revision of the Member Qualification Assessment (MQA) Guideline; the assessment ensures that the measures used by member agencies to identify, protect against, detect, respond to, and recover from cyber threats or risks comply with Thai regulatory and international standards. Members of the NDID platform are required to submit an independent audit of the MQA every two years.

Key Measures on Biometric Risk Management and Data Safeguards

There is a strong emphasis on financial institutions enhancing their risk management frameworks across the three lines of defence. Best practice controls include multiple indicators of synthetic identity fraud, extending identity verification and biometric security with advanced technologies that monitor and detect anomalous activity, defined accuracy thresholds for biometric false match and false acceptance rates, and adequate data protection and security safeguards.

To improve 'liveness detection' checks, financial institutions can implement techniques that verify a user's real-time presence. This can involve asking users to perform actions like tilting their head, smiling, or blinking. Additionally, incorporating biometric security features like skin texture detection, facial imperfection analysis, perspiration detection, and blood flow monitoring can further enhance liveness verification.

Rigorous biometric model risk management is essential to ensure adequate controls for monitoring algorithm performance, transparency, and interpretability. Financial institutions should regularly test and attest their proprietary or third-party identity verification and biometric authentication algorithms, using synthetic or artificial biometric data, against the Biometric Performance Test standard ISO 19795, ISO 19794-5, NIST FRVT, ISO 30107-3, and FIDO standards.
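The false match and false non-match rate thresholds referred to above, and the regular attestation of a matcher's performance, worked as an added example that is not from the article or from any of the named standards' reference material. It scores a hypothetical matcher on constructed genuine and impostor comparison scores, reports FMR and FNMR at a decision threshold (the ISO 19795 definitions, with "accept" meaning score strictly above the threshold), and finds the threshold that meets a target FMR so the resulting FNMR can be checked against an institution's own policy limit.

```python
"""Threshold attestation for a biometric matcher on constructed test scores."""

# Constructed comparison scores from a hypothetical face matcher (0..1, higher = more similar).
# Genuine = same person both sides; impostor = different people.  Not real data.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.58, 0.97, 0.74, 0.90, 0.86, 0.93]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.41, 0.55, 0.18, 0.27]


def fmr(impostor, threshold):
    """False match rate: fraction of impostor comparisons wrongly accepted (score > threshold)."""
    return sum(1 for s in impostor if s > threshold) / len(impostor)


def fnmr(genuine, threshold):
    """False non-match rate: fraction of genuine comparisons wrongly rejected (score <= threshold)."""
    return sum(1 for s in genuine if s <= threshold) / len(genuine)


def threshold_for_target_fmr(impostor, target_fmr):
    """Lowest threshold at which FMR does not exceed target_fmr.

    At most floor(target_fmr * n) impostors may be accepted, so the threshold is
    set exactly at the next-highest impostor score, which is then rejected.
    """
    ranked = sorted(impostor, reverse=True)
    allowed = int(target_fmr * len(ranked))
    if allowed >= len(ranked):          # target permits accepting every impostor
        return float("-inf")
    return ranked[allowed]


def evaluate(genuine, impostor, threshold, max_fmr, max_fnmr):
    """Attest one operating point against the institution's policy limits (hypothetical values)."""
    result = {
        "threshold": threshold,
        "fmr": fmr(impostor, threshold),
        "fnmr": fnmr(genuine, threshold),
    }
    result["passes"] = result["fmr"] <= max_fmr and result["fnmr"] <= max_fnmr
    return result


if __name__ == "__main__":
    # Policy: no impostor may be accepted, and at most 5% of genuine users may be rejected.
    t = threshold_for_target_fmr(IMPOSTOR_SCORES, target_fmr=0.0)
    print(evaluate(GENUINE_SCORES, IMPOSTOR_SCORES, t, max_fmr=0.0, max_fnmr=0.05))
```

With these constructed scores the zero-FMR operating point rejects one genuine user in ten, so the attestation fails the 5% FNMR limit; the failure is the finding a model risk review would record, not something to tune away by loosening the threshold.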

Biometric data are highly sensitive and require extra safeguards throughout their lifecycle. This means establishing control measures for collection, consent, processing, transfer, storage, and destruction, as documented in NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.

Ensure that a robust third-party technology risk management programme is in place, with ISO 27001 controls, NIST security standards, SOC 2 Type 2 certification, and regular critical information structure and cyber security audit assessments, so that vendors can demonstrate their commitment to data protection.

Implement monitoring tools to track third-party vendor activities, and restrict access to biometric data both within the organisation and at the vendor. Share only the minimum biometric data necessary for the vendor to perform its functions. Ensure that biometric data is encrypted in transit and at rest, using robust encryption protocols to prevent unauthorised access.

Establish incident response plans that include third-party vendors, outlining steps to take in case of a data breach. Ensure contracts include liability provisions to address potential breaches or misuse. Clearly specify data protection and security requirements, particularly for handling biometric data.

Financial institutions should adopt a zero-trust security model, assuming all network traffic is potentially malicious. This 'never trust, always verify' approach requires continuous monitoring of users, devices, and biometric data shared across the network, rather than relying solely on the network's security perimeter.

