Financial firms beef up fraud prevention with biometrics and FIDO standards

Globally, financial companies are moving to strengthen their digital security and identity protocols, leveraging biometrics, FIDO standards and cryptography to prevent escalating fraud.
Japanese firms make multi-factor authentication mandatory
A host of Japanese securities firms have decided to make multi-factor authentication (MFA) mandatory when logging in to online trading. The move is prompted by a spike in fraudulent trading activity enabled by stolen credentials, phishing, malware, and emails impersonating securities companies – problems an additional security layer such as biometrics can likely curb.
An announcement from the Japan Securities Dealers Association says mandatory implementation of MFA is “a very important measure for investors’ security,” because “in the unlikely event that their login IDs and passwords are stolen, the possibility of preventing damage is higher than with single-factor authentication.”
A total of 58 companies have made the MFA pledge, including names such as Nomura Securities, Daiwa Securities, SMBC Nikko Securities, Mizuho Securities, Mitsubishi UFJ Morgan Stanley Securities, SBI Securities, Rakuten Securities, Monex Securities, Matsui Securities and Mitsubishi UFJ eSmart Securities.
Bloomberg reports numbers from the Financial Services Agency, which found that a total of 1,454 cases of fraud, including phishing scams, occurred in online transactions by securities companies in the three months from February to April 16 2025.
Philippines gives institutions under central bank a year to update systems
The central bank of the Philippines is making similar moves. An article in GMA News Online says Bangko Sentral ng Pilipinas (BSP) has given institutions under its supervision until June 2026 to improve their fraud management systems (FMS).
Per the report, under the Anti-Financial Account Scamming Act (AFASA), BSP-supervised financial institutions (BSFIs) with “complex electronic products and services (EPS)” or those with “an average of at least P75 million monthly network value for the last six months” are required to boost fraud prevention and limit the use of one-time pins (OTPs) and other interceptable methods.
BSP Circular 1213 reads: “With the increasing prevalence of social and engineering attacks aimed at obtaining login credentials, BSFIs should limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction.”
Recommended methods for MFA include biometric authentication via fingerprint or palm scanning, facial recognition or voice recognition to authorize transactions, and “behavioral biometrics that track patterns such as typing speed, mouse, or device movements,” augmented with adaptive authentication, which “adjusts the authentication process based on the user’s context to cover factors such as location, device and behavior.”
FIDO-compliant passwordless authentication using hardware tokens and cryptographic keys is also allowed under the BSP’s rule.
Banks have a year to implement the necessary software and systems. Elmore Capule, deputy governor for the corporate services sector of the BSP, says “we have to realize all of these things are very, very expensive, that’s the reality, so we are giving them sufficient time. But at the same time, we realize that if they will not adapt to this, we cannot really solve these scamming, these frauds.”
“Sometimes a good system is only good until the scammers find a way to go around it.”
Meanwhile, new implementing rules and regulations of the Anti-Financial Account Scamming Act (AFASA), set to take effect on June 25, 2025, require BSFIs to have their FMS “cater to behavioral anomalies, blacklist screening, geolocation monitoring, mobile device and account information changes.”
Singapore wants 2FA implemented for financial services ASAP
The Monetary Authority of Singapore (MAS) has updated its FAQ on two-factor authentication for online financial services platforms. The June 2025 update does not explicitly say that MFA is mandatory for financial institutions, but does note that, “given the prevalence of cyber threats and incidents, MAS expects FIs to adhere closely to the MAS Technology Risk Management Guidelines to secure their online financial services to mitigate the risks of unauthorized access and transactions.”
All FIs “should also enhance cyber threat and surveillance systems to detect unusual activities in the customer’s account and systems used for financial services.”
The Authority says “2FA should be implemented as soon as possible,” but no later than September 12, 2025. However, “Institutional Investors accessing through direct market access or broker-assisted medium such as Bloomberg or Financial Information eXchange (FIX) are exempted from 2FA requirement.”
India introduces new UPI address validation system for investors
A release from the Securities and Exchange Board of India (SEBI) announces a new initiative to enhance investor protection and combat unauthorized money collection in the securities market. SEBI will introduce a “structured and validated Unified Payment Interface (UPI) address mechanism, featuring the exclusive ‘@valid’ handle, for all SEBI-registered investor-facing intermediaries.”
“This mechanism shall provide investors with the option to transfer funds directly to the requisite bank accounts of intermediaries that have been validated with SEBI.”
The system aims to “proactively curb” fraudulent activity, “enabling investors to easily identify legitimate SEBI-registered market intermediaries and make payments to them securely.”
Visual verification of a legitimate ‘@valid’ handle will be through an icon of a thumbs-up inside a green triangle.
SEBI is also introducing a “SEBI Check” tool, to “allow investors to verify the authenticity of UPI IDs either by scanning a QR code or by entering the UPI ID manually.”
Swiss bankers support amendments to FIDO standard
Swiss bankers are on board with the German Banking Industry Committee (GBIC)’s recommendation on amending the FIDO2 standard to make it applicable for financial use cases.
A release from the Swiss Bankers Association (SBA) and the Swiss Financial Sector Cyber Security Centre (FS-CSC) says that, from a Swiss perspective, the amendment is an important step towards making the standard usable for secure transaction confirmations in online banking and card payments.
Currently, per the GBIC recommendation, the inability for a client to view full details of a transaction directly on the authenticator presents “a particular and significant security risk in combination with PC architecture, which cannot guarantee a secure runtime environment. Malware could manipulate transaction data without a client’s knowledge.”
The amendment in question would see the FIDO2 standard extended to support the “secure display of transaction data by the respective authenticator.” SBA believes that, in order to broaden the standard’s application for use cases beyond passwordless authentication, it should transmit full transaction data to the transaction authenticator, instead of sending only a hash value: “transaction data displayed authentically on a separate hardware token is therefore imperative.”
Transmission should integrate a secure display that shows users the transmitted transaction data for verification, and link the data to the authentication code, including a hash value calculated by the authenticator.
Finally, says SBA, the FIDO Alliance should expand the Client to Authenticator Protocol (CTAP) to include a standardized interface. “This amendment would not just allow FIDO2 standards to be implemented in the financial sector, it would also increase user confidence in FIDO2-based authentication and transaction confirmation methods.”
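To make the GBIC/SBA argument concrete, the following added model (not code from the article, GBIC, SBA or the FIDO Alliance) contrasts a flow in which the PC hands the authenticator only a hash of the transaction with the proposed flow in which the authenticator receives the full transaction data, shows it on its own display and hashes it itself. An HMAC shared key stands in for the authenticator's private key and the bank's public key, and the user's check of the secure display is modelled as a callback; both are assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key: real FIDO2 authenticators sign with a per-credential
# private key that the bank verifies with the matching public key. An HMAC
# shared secret stands in for that key pair here to keep the model stdlib-only.
AUTH_KEY = b"demo-authenticator-key"


def tx_hash(tx: dict) -> bytes:
    # Canonical serialisation so that whoever hashes (PC or authenticator)
    # produces the same digest for the same transaction.
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def authenticator_sign(challenge: bytes, tx_digest: bytes) -> bytes:
    # The authentication code binds the bank's challenge to a transaction digest.
    return hmac.new(AUTH_KEY, challenge + tx_digest, hashlib.sha256).digest()


def current_flow(intended_tx: dict, challenge: bytes, malware=None):
    # Today's model as GBIC describes it: the PC client hashes the transaction
    # and passes only the hash on. The authenticator has no way to show the
    # user what it is signing, so a compromised PC can swap the data unseen.
    shown_tx = malware(intended_tx) if malware else intended_tx
    code = authenticator_sign(challenge, tx_hash(shown_tx))
    return shown_tx, code


def amended_flow(intended_tx: dict, challenge: bytes, user_confirms, malware=None):
    # Proposed model: the full transaction reaches the authenticator, which
    # renders it on its own secure display, waits for the user's confirmation,
    # then computes the hash itself and binds it into the code.
    received_tx = malware(intended_tx) if malware else intended_tx
    if not user_confirms(received_tx):
        return received_tx, None  # user saw the altered payee and refused
    return received_tx, authenticator_sign(challenge, tx_hash(received_tx))


def bank_verifies(tx: dict, challenge: bytes, code) -> bool:
    # The bank recomputes the expected code over the transaction it was asked
    # to execute; a missing or mismatching code means no execution.
    if code is None:
        return False
    expected = authenticator_sign(challenge, tx_hash(tx))
    return hmac.compare_digest(code, expected)
```

In the hash-only flow the bank receives a valid code over the altered transaction and cannot tell anything is wrong; in the amended flow the alteration is visible on the secure display and never gets signed.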