Shaping the future of finance: key insights from M2020 USA.

Howard Hall, Vice President Growth at Consult Hyperion, consulting by Fime, summarizes the key discussions and insights from Money2020 USA 2025, one of the leading payments industry conferences.

Fime and Consult Hyperion were out in full force at Money 20/20 Las Vegas, with Dave Birch, Xavier Giandominici, Ben Potter and Nick Norman all on the ground. Over three packed days we met with dozens of clients, partners and industry friends, both old and new. We came away inspired by how fast the world of payments, identity and digital trust is evolving.

The era of agentic AI.

Agentic AI was everywhere this year. Dave Birch’s session, supported by leaders from Mastercard, explored how intelligent, autonomous agents will reshape the way money moves and decisions get made. These aren’t just chatbots; they’re systems capable of acting on our behalf, initiating payments, verifying identity and managing risk. The question everyone is asking now is: how do we trust the agent? What are the new signals, frameworks and governance models that let us verify that an AI acting for us is doing the right thing?

This conversation dovetails perfectly with our heritage in digital identity and trust frameworks. It’s one thing to build an agent; it’s another to ensure that it’s secure, compliant and grounded in real-world identity. That’s where we come in.

Stablecoins and the future of money.

Stablecoins and tokenized money continued to capture attention across panels and side discussions. There’s a growing sense that programmable value, whether through stablecoins or digital fiat, will be the natural companion to agentic AI. If agents are going to act, they’ll need a medium of exchange that is fast, programmable and secure.

We heard repeatedly that firms want help bridging the gap between experimentation and production. This is the kind of challenge Consult Hyperion thrives on: combining technical insight with regulatory understanding to make the next generation of payment rails real.

Insights from dozens of client conversations.

Our one-to-one meetings revealed a lot about what’s on the minds of our clients and partners:

  • Platform resilience and optimization came up again and again — from large fintechs re-evaluating their processing infrastructure to global brands seeking help rationalizing fragmented payment systems across multiple geographies and logos.
  • Digital identity and trust frameworks were top of mind. Organizations across banking, payments and big tech are exploring how to extend KYC into the world of Know-Your-Agent (KYA) and mDL.
  • Tokenization and security continue to present both opportunity and friction. Several firms are revisiting their existing implementations and seeking a path toward scalable, interoperable solutions.
  • Go-to-market alignment remains a challenge. Many companies are looking for help in shaping adjacent services; workshops and partnership strategies were top of mind.
  • Sector-specific certification and standards are shifting. We heard updates from trusted partners working to reshape digital-identity assurance around specific industries rather than one-size-fits-all frameworks.

These conversations reaffirmed what we already know: clients value practical, implementation-level understanding of the complex ecosystems that connect identity, payments and technology.

Why this matters.

For nearly three decades, Consult Hyperion has helped organizations around the world navigate the intersection of trust, technology and financial inclusion. Whether it’s designing new tokenization schemes, building digital-identity frameworks or testing payment systems with Fime, our work sits at the core of where the industry is heading.

Money 20/20 was a reminder that we’re entering a new chapter, one where human and machine actors coexist in digital ecosystems that demand security, privacy and interoperability from the start.

Let’s continue the conversation.

If you’d like to explore how agentic AI, stablecoins or next-generation identity can be built safely and responsibly into your business, we’d love to talk. Reach out to our team and let’s turn these conference insights into real-world strategies and implementations.

Trust, innovation and interoperability: key insights from AAMVA conference.

Phoenix, Arizona – October 2025 – Fime participated in the AAMVA Relying Party Showcase and the AAMVA International Conference, reinforcing its leadership in advancing secure, interoperable, and scalable digital identity solutions.

The Showcase gathered issuers, wallet providers, reader providers, DMVs, and technology companies under one roof to demonstrate real-world mobile driver’s license (mDL) use cases. Fime’s delegation, including Marcelo Bellini, VP Digital Identity at Consult Hyperion, Consulting by Fime, Gregory Tierno, Business Development Director, Jerrin Thomas, Service Line Manager, and Gaurav Manchanda, Product Manager, participated in both the showcase and conference sessions.

Panel: ensuring trust in digital credentials.

As part of the panel “Ensuring Trust in Digital Credentials in North America and Beyond,” moderated by Tim Roufa, Portfolio Director for Identity Credentialing at AAMVA, thought leaders came together to share their perspectives on scaling digital identity. Panelists included Luis Felipe Segura, Field CTO at Incode, Christopher Goh, International Advisor at Valid8 Advisory, and Marcelo Bellini.

Marcelo emphasized the role of testing and certification in building trust within the mDL ecosystem, drawing lessons from the payments industry, where testing and certification enabled global scale. He highlighted global digital identity deployments across the EU, Japan, and Australia. Marcelo also underlined the importance of a Digital Trust Service (DTS), such as the one operated by AAMVA, in supporting adoption and scalability.

Demo highlight: two taps to trust.

One of the showcase highlights was a live demo presented jointly by Consult Hyperion and Zebra Technologies, which illustrated how identity verification and payments can be seamlessly managed on a single handheld, contactless-payment-ready commercial off-the-shelf (COTS) mobile device.

The demo featured:

  • Identity verification using a production Georgia mDL stored in Apple and Google Wallets.
  • Payment transactions with production Mastercard and Visa EMV contactless cards.
  • Public key retrieval from the AAMVA Digital Trust Service, enabling the relying party to securely trust the mDL.
  • A COTS contactless payment device that scans product barcodes, triggers an ID check for age restricted items (e.g., alcohol) and processes payment – all in just two taps: one for identity and one for payments.

The demonstration was praised by attendees for its simplicity, practicality, and potential to transform multiple industries, from stadiums and public transport to law enforcement, alcohol retail, and grocery stores.

“This use case really shows the power of convergence between identity and payments,”

said Greg Tierno, Business Development Director at Fime.

“Having both functions on a single, easy-to-use handheld device makes life simpler for merchants, law enforcement, and consumers alike. It’s a practical, scalable solution that lowers friction and raises trust – exactly what the ecosystem needs to accelerate adoption.”

Building ecosystem momentum.

Following the Showcase, Fime also took part in the broader AAMVA International Conference, engaging with issuers, wallet providers, reader providers, biometric solution companies, and technology vendors. The event offered an unparalleled opportunity to network, exchange insights, and accelerate collaboration towards a trusted digital credential future.

“Our successful demonstration with Zebra underscores the transformative potential of combining digital identity and payments in a single, trusted device,”

added Marcelo Bellini, VP Digital Identity at Consult Hyperion, Consulting by Fime.

Acknowledgement

Fime extends its gratitude to AAMVA and its organizers for hosting a world-class event that continues to drive meaningful dialogue, collaboration, and innovation across the digital identity ecosystem.

Work with an expert partner for a secure digital future.

mDLs are moving quickly from pilots to real deployments, and relying parties must be prepared. At Consult Hyperion, we help organizations bridge the gap between initial awareness and production-level implementation.

Our support spans the full journey: from masterclasses and tailored workshops to build understanding, through business case development to justify investment, and market and vertical analysis to identify opportunities. We assist with use case definition, technical requirements, and RFI/RFP support, helping you select the right vendors and solutions, and we provide implementation support. And through thought leadership collaborations, we share insights that keep you ahead of the curve.

Our goal is simple: to give you a clear strategy, a strong business case, and a trusted path to deploy mDLs with confidence.

Learn more about Digital identity: a new frontier for payment terminal vendors.

Contact us today for implementation support.

Strategic readiness in Payments and Identity: building the digital economy’s bullet train.

The very notion of “strategic readiness” in payments and identity has evolved far beyond routine system upgrades or incremental tweaks. We’re no longer simply replacing the boiler in a Victorian banking house—we’re laying track for the bullet train of the digital economy. This seismic shift demands a fundamental rethink of infrastructure, ideology, and strategic vision.

At this inflection point, identity, reputation, and tokenized value are no longer discrete elements—they are converging into a seamless, dynamic ecosystem. The future of payments is about more than speed or scale; it’s about embedding trust, context, and programmability into every transaction. This is a call to action for payment providers, technology architects, and financial institutions: it’s time to prepare not just for the next upgrade, but for a new paradigm.

1. Tokenization: the new grammar of value

Tokenization is often misunderstood as merely a technical means of wrapping assets digitally. Tokenization represents a profound shift: money that understands us. Tokens are not just containers of value; they encode conditions, context, and control into the very fabric of money itself.

This is programmable money—value with an API. It can carry rules about who can spend it, when, where, and under what conditions. It can embed compliance, privacy, and even reputation directly into the token. This new grammar of value is rewriting the rules of payments, loyalty, and identity.

Strategic imperatives:
The readiness challenge goes beyond adopting standards like ISO 20022 or C-8. It requires building platforms capable of handling multi-asset token models—fiat currencies, CBDCs, stablecoins, loyalty points, and reputation tokens—simultaneously. These tokens must interoperate across chains, jurisdictions, and regulatory frameworks.

Tactical considerations:

  • Can your platform manage multi-asset token models?
  • Are your tokens programmable with embedded policies, metadata, and rules?
  • Can tokens interoperate across different blockchain networks and regulatory environments?
  • Do you treat tokens as carriers of identity and entitlement, not just value?

Inspiration:
The future belongs to platforms that treat tokens as flexible, composable building blocks—not static assets.

CBDCs: Central banks worldwide are exploring programmable digital currencies that embed monetary policy and compliance rules at the token level.

Stablecoins and Loyalty Tokens: Brands are experimenting with tokens that combine value with customer reputation and engagement metrics.

2. Global standards: strategic alignment beyond interoperability

Standards like ISO 20022, ATICA, and C-8 are often viewed narrowly as technical interoperability tools. They represent strategic battlegrounds for influence and alignment.

Money is becoming more abstract and global, making cross-jurisdictional alignment essential. Standards are the rails on which the digital economy’s bullet train runs. Getting them right means seamless connectivity; getting them wrong means fragmentation and isolation.

Strategic imperatives:
True readiness means engaging proactively in standards governance. It means seeing standards not as a compliance checklist but as a diplomatic and strategic game. Just as 19th-century railway gauges determined economic dominance, modern standards will determine who controls the rails of digital payments and identity.

Tactical considerations:

  • Have you mapped your organization’s position in evolving standards?
  • Are you investing in interoperability by design, bridging legacy and emerging systems?
  • Are you actively participating in standards bodies and governance forums? 


Inspiration:
The winners in the next decade will be those who shape standards, not just follow them. Open banking initiatives worldwide demonstrate how early movers in standards governance gain competitive advantage and market influence.

3. Digital identity: the strategic spine of future payments

Identity is shifting from a static presentation to a dynamic performance. It’s no longer a simple credential shown at a single point in time, but a persistent, evolving construct that draws from social, legal, and behavioral data streams.

This shift has profound implications for payments. Authentication is no longer about passwords or PINs—it’s about a rich tapestry of biometric signals, device fingerprints, and behavioral biometrics that collectively redefine trust. This isn’t just a technical upgrade; it’s a wholesale redesign of how trust is established and maintained in digital interactions.

Strategic imperatives:
Identity is the foundation upon which all payments rest. Without a robust, flexible, and user-centric identity layer, payments remain vulnerable to fraud, friction, and exclusion. But when identity becomes fluid, portable, and programmable, it unlocks new possibilities: seamless onboarding, frictionless authentication, and privacy-preserving data sharing.

Embedding a context-aware identity layer is no longer optional—it’s foundational. This means integrating verifiable credentials, decentralized identity (DID) frameworks, and self-sovereign identity (SSI) principles directly into payment platforms. Identity must be treated as a living asset that travels with the user across ecosystems, rather than a siloed attribute locked inside a single institution.

Tactical considerations:

  • Infrastructure readiness: Does your system support verifiable credentials and decentralized identity frameworks?
  • Contextual authentication: Have you deployed multi-factor, behavioral, and device-bound authentication methods?
  • Portability: Can users carry their identity credentials across platforms and services?
  • Privacy controls: Are privacy settings granular, user-centric, and programmable to adapt to different contexts?

Inspiration:
The institutions that lead the next wave will be those that treat identity not as a compliance hurdle but as a strategic asset—one that enables trust, inclusion, and innovation.

Nordic BankID: A leading example of a national digital identity platform enabling seamless authentication across banking, government, and commerce.

India’s Aadhaar: A massive biometric identity system that powers a range of financial inclusion initiatives and digital payments.

4. The future-proofing mandate: architecting for ambiguity and agility

Future-proofing is often mistaken for predicting the next big thing. In reality, it’s about designing systems that thrive amid uncertainty and change. The real currency of the next decade is optionality—the ability to pivot, adapt, and compose new solutions rapidly.

Monolithic architectures and tightly coupled ecosystems are liabilities in this environment. Instead, the future belongs to modular, composable platforms that can integrate new identity models, token types, and regulatory requirements without wholesale rewrites.

Strategic imperatives:
Build with composability and modularity at the core. Adopt open token standards, modular identity stacks, and orchestration layers that enable dynamic rule enforcement. Embrace cloud-native, API-first, and event-driven architectures that support rapid innovation.

Tactical considerations:

  • Is your architecture truly composable and plug-and-play?
  • Are your systems event-driven and cloud-native?
  • Is your data layer decoupled from service layers to enable seamless migration?
  • Have you invested in orchestration tools for dynamic policy enforcement?

Inspiration:
Look at the tech giants who thrived in the internet era: they weren’t oracles predicting trends—they were architects building platforms that could evolve. The same mindset is essential for payments and identity today.

Final thought: lead with vision, not nostalgia

The opportunity to lead this transformation is immense—but only if leadership embraces a new mandate. The goal is not to preserve legacy systems or replicate old models digitally. It’s to reimagine what payments, identity, and value can become in a connected, programmable world. Digital infrastructure is no longer a compliance burden; it’s a civilizational substrate. The future belongs to those who treat it as such—building with courage, curiosity, and a refusal to mistake digitization for transformation. Remember: the payments game is being played by actors who have no interest in being banks. The disruptors, platforms, and protocols are rewriting the rules. Are you ready to lead?

Digital Identity: A new frontier for payment terminal vendors.

Due to their seamless user experience and secure design, payment terminals have become the gold standard for brick & mortar merchants. As the world becomes more digital, merchants need to embrace new and innovative ways to keep up with evolving consumer expectations while maintaining, or even improving, security.

One key digital advancement is digital identity, which has quickly become a cornerstone of multiple industries including retail, healthcare, transportation and more. Terminal vendors therefore face a strategic choice: stick to payments, or evolve into access points for identity too?

Why this matters now

Digital identity is a virtual representation of the user. It securely stores and presents personal information, which can be used to verify the identity of the user anywhere, anytime. By passing this verification process, users can gain access to services, without needing to provide a physical identity document. 

Digital identity is a trend, driven by convenience, fraud prevention, data privacy and security. Standards are already in place and are being followed closely by technology vendors. Acceptance must follow, now that digital identity is becoming available to many users. 

Due to its convenience, governments and schemes are launching digital identity systems. Examples include Singpass Mobile App in Singapore, Aadhaar in India with over 1.3 billion registered citizens, and the United States of America’s Mobile Driver License (mDL).

Digital ID isn’t just about online services. Citizens can also use it to verify themselves in person, for instance in pharmacies, when collecting a parcel or at a government help desk. But these places have not yet deployed payment terminals, and there’s no common de facto interface for that.

The power of payment terminals

With security chips, authentication capabilities, and a place on every retail counter, terminals are already built for trust. Vendors that move early can help shape the role of identity at the physical edge — and become indispensable to this next layer of infrastructure.

Payments and identity: naturally aligned

The payments and digital identity ecosystems already share key components of critical infrastructure, which makes them compatible and able to support overlapping use cases. Both systems rely on cryptography and secure hardware – components that are already embedded in payment terminals. These elements are essential for securely storing cryptographic keys and executing sensitive operations.

Both ecosystems also utilize similar user interfaces and input methods. Whether it’s a PIN pad, a touchscreen on a POS terminal, or a biometric scanner used for identity verification, the technology used to interact with users is easily adaptable between the two domains.

Standards and certification frameworks also provide a strong foundation for integration. For example, global standards such as EMVCo for payments and FIDO Alliance for identity authentication help ensure interoperability and security across different devices.

Finally, both ecosystems are built on trust relationships between the key stakeholders: banks, acquirers, and service providers in the payments world. These relationships are critical for ensuring that transactions and identity verifications are accepted across networks and ecosystems. Institutions that already support secure payment acceptance are well-positioned to extend their role into digital identity verification.

This overlap makes the payment terminal a natural candidate for identity authentication at the edge, especially for services that require face-to-face verification or hybrid customer journeys where digital and physical interactions are blended.

A new market, not just a new feature

Digital identity does not just expand what terminals can do — it also expands where they can go. By entering non-payment environments through identity use cases, terminal vendors could open doors in entirely new markets, including public sector offices, healthcare providers, or access-controlled locations. Once deployed, these terminals may later enable payments too, making identity a strategic wedge into previously untapped areas.

Terminal vendors must be ready for market threats, such as technology players that are already enabling terminals, new players and mobile vendors.

It’s also important to remain open-minded about upcoming opportunities, like helping to shape new infrastructures, incorporating new payment requirements, participating in new types of payment initiation and defining new use cases and services.

The risk of standing still

While terminal innovation has focused on sleek form factors and value-added apps, few vendors have strategically explored how digital identity can reshape their market.

By not engaging early, vendors risk:

  • Becoming sidelined as mobile-first ID platforms set the standards.
  • Allowing newcomers to enter the ID market and later capture payment market share.
  • Missing opportunities to influence national and regional schemes.
  • Losing relevance in ecosystems that increasingly value multi-function interfaces.

The integration of identity into terminals is no longer a technical challenge – it’s a strategic imperative.

The opportunity for first movers

There is a growing space for vendors who can demonstrate how digital identity and payments converge on a single device. 

Some key use cases are already emerging:

  • Age verification in retail or hospitality — a fast-growing use case in the EU, US, and across APAC. For example, in Australia, regulation for age verification with digital identity when buying liquor is already in place.
  • Prescription collection in pharmacies — where identity verification and payment occur together and a unified experience could improve efficiency and the customer journey in-store. 
  • Subsidies or tax refunds at the point of sale — where proof of entitlement and transactions converge.
  • Transit discounts and concessions — enabling the system to verify eligibility without tracking individuals directly. 

These use cases are not theoretical. In several markets, pilots are already underway, often without terminal vendors in the room. Some of these pilots involve two separate terminals, one for payments and one for digital identity, opening space for newcomers to bring solutions not yet explored by traditional terminal vendors.

Terminal vendors are in a unique position

Terminal vendors are well-placed to support both payment and digital identity use cases due to their expertise. Their devices are already embedded in the payment flow, which allows them to seamlessly optimize the user experience by unifying identity verification and transactions. Because these terminals are already integrated with retail sales systems, they offer a natural extension point for identity-based workflows without requiring duplication of infrastructure. 

Additionally, terminals come with built-in user interfaces and authentication mechanisms like touchscreens or PIN entry pads, the devices are already trusted and deployed at scale, and vendors are already familiar with certification, compliance and standards processes. Finally, vendors already have strong, established relationships with acquirers.

These strengths position vendors perfectly to bridge the physical and digital identity worlds.

The bottom line

Payment terminals don’t have to be limited to payment transactions. In a digital-first world, they can become trusted touchpoints for identity, but only if terminal vendors act now.

The opportunity is there. Whether you seize it, or let others redefine the edge of identity, is up to you.

Terminal vendors thinking about digital identity should consider six strategic questions:

  1. Which identity roles could your terminals support? (credential verification, authentication)
  2. What standards are relevant? (ISO 18013 mDL/mDoc, W3C VC)
  3. Can you integrate identity (UX and technology) with minimal redesign?
  4. What partnerships will help you scale fast?
  5. Where are the first viable pilots?
  6. What are you doing to be compliant with new regulations for all regions?

By adopting digital identity solutions, payment terminal vendors can seize opportunity and build stronger relationships with customers. Contact Fime if you’re interested in gaining a competitive edge in this ever-changing market.

Making Digital Identity work: The path to interoperability.

At the end of February, important interoperability test events took place for Mobile Driver’s Licenses (mDL) in Utrecht, The Netherlands.

The vision and the challenge

The vast majority of mDL solutions are being developed to align with the ISO 18013 series of specifications. This is essential. Like passports, driver’s licenses have utility way beyond their basic function and it is reasonable to assume the same expectations for mobile versions of driver’s licenses. They have the potential to support access to services in travel, hospitality, financial services and many more.

The specifications are not limited to driver’s licenses either. The broader mDoc concept allows any other document or credential type to be defined, such as for identity cards, health cards, travel permits, loyalty and anything else you can think of.

The vision is that in the future we will have digital wallets, accessible from our personal devices, that allow us to present credentials (or assertions derived from credentials) in all manner of online and offline contexts. Globally that could mean hundreds of wallet providers needing to support credentials issued from thousands of issuers and be accepted at millions of locations. That is a lot of potential combinations of issuer, wallet and verifier. When a student from Japan turns up at a liquor store in Australia, will their mDL just work?

For that to be possible, solutions will need to be interoperable from a regulatory, commercial and technical perspective. Achieving that at global scale is a big challenge, but not one that is insurmountable. It is something the card payment industry achieved as it evolved over the past decades, and it provides great learnings for mDL interoperability.

Learning from payments

Focusing on technical interoperability, a key standard in the payments space is ISO 7816. The first part was published in 1987 defining the physical characteristics of “identification cards”. You see, even back in 1987 the connection between identity and payments was evident. This first part was followed by several other parts defining things such as electrical interfaces, transmission protocols, application-level command structures, security and so on. On top of this, the EMV standards emerged to define how card payment transactions between cards and readers would be performed.

Standards were a vital step in enabling payment ecosystems to operate at scale. But standards are always open to some level of interpretation or misinterpretation. To ensure that technologies work in the real world, it is essential to test them thoroughly. For card payments, any card from any issuer must work seamlessly at any terminal from any acquirer – every time. That means a LOT of testing and in particular testing everything against established and approved reference equipment. So, alongside the evolution of standards the payment networks created and formalized certification programs that ensure that cards, readers, hosts, and so on, function consistently and reliably in line with those evolving specifications.

Testing mDLs

So what has this got to do with test events in Utrecht?
Those events brought together dozens of organizations from around the world who are building mDL solutions and need to ensure that they will work in the real world. Those solutions are being built alongside the evolution of the standards. It is very similar to what happened in payments although the timeframes are much more compressed. mDLs will emerge as a key mass-market digital identity technology within years, not decades.

During those events we tested new features in the ISO 18013 specifications with a large number of vendors. And it was not smoke and mirrors. Fime was there with its Digital Identity Test Suite that provides a reference implementation of the specifications and can act as either a wallet or a relying party. We were able to conduct tests with many vendors, performing real transactions (with test data of course), helping those vendors assess the gaps and issues in their implementations of the standards.

I think you can view these test events as the beginnings of the formal certification that will be necessary to ensure interoperability for mDL – and for digital identity more widely.

Who will own the scheme?

Perhaps the single biggest interoperability question today is – who will own the certification scheme?
In payments, the answer to that question is straightforward (at least it is now). The payment networks (especially the international ones) set their rules that apply within the large ecosystems that they own. The mDoc ecosystem will be more fragmented with no obvious single organization with the authority to set rules at a global level.

In the EU, the eIDAS legislation makes member states responsible. Of course, there will need to be a lot of work to gain alignment and we expect ENISA to play a role there. For our part, Fime is delighted to be part of the WE BUILD consortium that will be delivering a large-scale pilot for the European Commission. In our role there, we will be making sure that the topic of interoperability is given priority. It is an essential requirement for the ecosystem to be successful.

Learn more about how Fime can help deliver interoperable and international mDL solutions.

Biometric authentication vs AI threats: Is mobile security ready?

Quality biometric solutions provide outstanding security with a seamless UX. This makes them appealing for use cases ranging from state-of-the-art access control for critical government infrastructure to something as routine as unlocking your phone. However, this diversity of use cases brings its own challenges. The varying needs of different applications, coupled with the speed with which the technology has developed, have created a fragmented ecosystem with little standardisation.

Many emerging use cases rely on the biometric capabilities of consumer’s own commercially available off the shelf (COTS) device. Android platform recognized this and has laid the groundwork to enfranchise device manufacturers and biometric solution vendors to create the next generation of state-of-the-art authentication products. And it does so just in time. Artificial Intelligence has transformed the biometric security battleground, and it is vital that stakeholders understand both the threats they face, and the steps that must be taken to meet them head on.

The changing threat landscape.

Biometric authentication is based around using an individual’s unique identifiers such as their iris, fingerprint, or face to provide an additional data point to verify identity. When launched, it was praised for the infallibility and security it provided, as biometric data was, quite literally, always ‘on hand’ for users and couldn’t be lost or stolen.

Except now it can. Easily.

Artificial Intelligence, or AI, has unlocked a host of efficiencies in our life, specifically in data management and customer experience. However, these same AI tools are also readily available to fraudsters who can use them to execute devastating attacks. For example, photos can be taken from a user’s social media and in a matter of moments be transformed into a deepfake video to be used in an injection attack that aims to spoof facial recognition technologies and gain access to private data.

Meanwhile, AI is also being used to work through extensive data caches to locate and exploit any vulnerability in a security system. This has caused a rapid expansion in both the scale and sophistication of cyberattacks. 

Stakeholders throughout the authentication ecosystem are working to adopt more robust practices. Biometrics has a key role to play in this, but only if it can be secured and trusted. The uniqueness of each individual’s biometrics, its greatest strength as an authenticator, can also be its most fundamental risk. If the data is compromised, a user cannot simply rewrite their fingerprints in the same way they change their password. It is therefore crucial that the data is protected and secure. Similarly, if a biometric solution can be easily spoofed, fraudsters can gain access to the user’s device, accounts and personal information.

An updated approach.

To meet the challenges posed by this evolving threat landscape, Android defined its three classes of biometric strength for devices operating under its remit. Its Compatibility Definition Document (CDD), the set of requirements that each Android device must comply with should it wish to participate in the Android ecosystem, outlines the requirements for biometric security as Class 3 (formerly known as Strong), Class 2 (formerly Weak), and Class 1 (formerly Convenience).

Devices require independent third-party testing to evaluate their Spoof Acceptance Rate (SAR) along with verification of False Acceptance Rate (FAR) and False Rejection Rate (FRR) as a part of their Biometrics Compliance Report (BCR). 

Android’s biometric requirements and the ISO/IEC 30107 standard also define Presentation Attack Detection (PAD) testing to evaluate the liveness detection capability of biometric solutions. This is a crucial step towards detecting and resisting spoofing attacks such as deepfakes and protecting end users.

Independent testing and compliance will raise the baseline for the minimum performance and security of biometric solutions. It requires all biometric solution providers and Android device OEMs to carefully develop their offer to ensure it meets the minimum thresholds backed by impartial evidence. This means that authentication should work right first time for the verified user, while also preventing spoofing and hacks. Not only will this help mitigate the rising threat of spoofing and fraud, it also elevates the user experience, thereby increasing trust in the biometrics ecosystem and proliferating its growth into additional use cases.

Adding value with testing and 3rd party validation.

The process of 3rd party evaluation against industry standards acts as a layer of trust between all players operating in the ecosystem. It should not be thought of as a tick-box exercise, but rather a continuous process to ensure compliance with the latest standards and regulatory requirements. In doing so, device manufacturers and biometric solution providers can collectively raise the bar for biometric security.

The robust testing and compliance protocols ensure that all devices and components meet standardized requirements. This is made possible by trusted and recognized labs, like Fime, who can provide OEMs and solution providers with tools and expertise to continually optimize their products.

But testing doesn’t just safeguard the ecosystem; it elevates it. As an example, innovative new techniques test for bias across demographic groups or environmental conditions. These techniques allow testers to discover any differential performance by using or simulating different demographic groups or environmental conditions. Bias detection can prevent security issues in real-life deployments. It also allows solution providers to optimize the quality and inclusivity of their solutions to meet the needs of more markets and differentiate themselves from the competition.

Building for the future.

We have reached a critical moment for the future of biometric authentication. The success of the technology is predicated on the continued growth in its adoption, but with AI giving fraudsters the tools they need to transform the threat landscape at a faster pace than ever before, it is essential that biometric solution providers stay one step ahead to retain and grow user trust. Stakeholders must therefore focus on one key question:

Can the user trust that they are not sacrificing security for convenience when using biometric authentication?

Product managers must make sure that the performance of their biometric offer balances these two seemingly contradictory demands, but if successful, there are a whole host of emerging use cases that could unlock new revenue streams for them. These include biometrics-backed in-store checkout, enhanced access control, augmented automotive experiences, and more.

Another significant trend on the horizon is the increasing use of biometrics in identity verification for eID and eKYC use cases. Digital identity is offering a faster, more secure way to verify identity in the online world. Biometrics can provide a simple, seamless way to augment the enrollment and verification process for this, but much like in the payments ecosystem, its success depends on the implementation of state-of-the-art solutions throughout the user journey.

Compliance and quality validation are no longer optional. They are essential to protecting end users, preserving brand integrity, enabling innovation, and safeguarding the future of biometric technology.

The Evolving Role of Digital Wallets and Consult Hyperion’s Expertise in Driving Innovation.

Digital wallets are transforming how we pay, interact, and secure our digital identities. As smartphones become indispensable, consumers worldwide are using digital wallets for transactions, peer-to-peer payments, and even managing digital identities like driver’s licenses and health credentials. However, behind the convenience of digital wallets lies a complex network of technology, security, and regulatory challenges.

At Consult Hyperion, we specialize in navigating these challenges, using our expertise at the intersection of identity, payments, and cybersecurity to help clients innovate securely and effectively in the digital wallet space.

Digital Wallets: Expanding Beyond Payments

While digital wallets initially gained traction as payment tools, they have evolved into multi-functional platforms that can store not only debit and credit cards but also digital identities, health passes, travel documents, loyalty cards, and more. Wallets are increasingly integral to the digital identity ecosystem, empowering people to prove who they are, access services seamlessly, and control their personal data with security and transparency.

One emerging trend is the integration of mobile driver’s licenses (mDLs) into digital wallets. As mDLs gain adoption, digital wallets can provide a secure, portable means of identity verification, allowing users to authenticate their identities for various purposes while retaining control over their personal information.

Regional Approaches: United States, Europe and Australia

The adoption of mDLs into digital wallets varies significantly across regions, influenced by differing regulatory environments, market demand, and technological infrastructure. Here’s how digital wallet innovation and mDL adoption are evolving across North America, Europe, and Australia.

United States

The U.S. has been at the forefront of mDL adoption with several state DMVs already rolling out mDLs and several others with programs underway. These digital credentials are starting to be accepted for in-person use cases such as domestic air travel and liquor purchases. And going forwards, they will also be accepted online. Like physical driver’s licences, mDLs will have a lot of utility.

Many states are choosing to work with the large platform wallets, like Apple Wallet and Google Wallet, issuing mDL credentials into the wallets consumers already have. Those wallets are increasingly becoming “digital hubs” where users can store a variety of credentials. But this is not the only solution. Some states have also launched mDL specific apps. These provide consumers with the option of a standalone mobile driver’s licence.

In the middle of all this progress is the American Association of Motor Vehicle Administrators (AAMVA) which is playing an important role coordinating stakeholders and promoting standardized and interoperable approaches.

Europe

Some European countries have local proprietary mobile driving licences…

In the EU, the eIDAS 2.0 regulation requires each country in the EU to provide at least one digital wallet to its citizens, residents and businesses. Those wallets will be required to support the ISO 18013 standard that underpins mDLs. In parallel, the EU plans to make driving licences mobile by default.

The situation is, however, complex.

• The EU is developing a rich but complex wallet architecture, of which support for mDL is just one part.
• Many wallets – which will require robust certification processes if interoperability is to be achieved
• Role of OEMs unclear – providing wallets or providing the secure technology to support wallets over the top

The EU wants all of this to come together over the next couple of years, which seems very ambitious.

So whilst wallets look set to play an important role in the EU digital economy, it will be some time before they provide the straightforward utility of US mDLs.

Australia

Australia has also been a leader in mobile driver’s licences, with several states issuing them.
Austroads, an intergovernmental organization, is driving the development and standardization of mDLs in Australia. They are working with state and territory governments to develop a consistent framework for mDLs, ensuring interoperability and security. This includes alignment with both ISO 18013 (mDL) and the more generic ISO 23220 (mDoc). This should allow the mDL apps issued in Australia to hold other digital credentials in the future. So instead of issuing mDLs into wallets, the mDL will become the wallet.
Austroads is going one step further by building a “Digital Trust Service” – providing the means to check the authenticity of the issuers of digital credentials held in those “mDL wallets”.

The Core Elements of Digital Wallet Success

Digital wallets that can hold both payment credentials and other digital credentials will have huge utility. They will increase convenience, reduce fraud and improve privacy.

Successfully implementing and scaling digital wallets requires expertise in several key areas:

  1. Security: Security is crucial when handling sensitive information such as cryptographic keys, payment details or digital identity credentials. Consult Hyperion has decades of experience of building and testing secure payments services with expertise in strong cryptography, mobile application security and tokenization.
  2. Identity: Digital wallets often serve as digital IDs. Users can store verifiable credentials, such as mDLs or health passes, giving them control over personal data. Integrating these digital identity solutions requires navigating regulatory frameworks and ensuring interoperability with existing systems. At Consult Hyperion, we leverage our deep knowledge of standards like Decentralized Identifiers (DIDs) and Verifiable Credentials to design privacy-protective and compliant solutions.
  3. Payments: Wallets gained popularity as payment solutions, and understanding payment intricacies is essential. This includes managing multiple payment types and adhering to regional regulations. Our expertise spans EMV, contactless, and real-time payment systems, enabling us to help clients integrate and scale secure wallet-based payments globally.

Why Consult Hyperion?

Our ability to bridge the gap between theory and real-world application makes us a trusted advisor for organizations building digital wallets. Our expertise encompasses:

  1. Strategic Partnerships and Innovation: Trusted by financial institutions, tech companies, and governments, we’ve helped design systems that meet stringent security, usability, and regulatory standards. We understand the strategic goals behind digital wallet projects, allowing us to guide clients in creating solutions aligned with long-term objectives.
  2. Deep Technical Knowledge: Our technical expertise across identity, payments, and cybersecurity enables us to develop robust solutions, from designing secure protocols to implementing advanced authentication methods.
  3. Proven Track Record: Our history of delivering projects in both private and public sectors demonstrates our ability to execute at scale. Clients rely on us for our technical capabilities, dedication to quality, and innovative approach.

The Future of Digital Wallets: Shaping the Next Generation

Digital wallets are evolving with advances in biometric security, decentralized identity, and blockchain technology. As wallets move beyond payments, businesses must adapt to new standards for security, privacy, and user experience. Apple, Google, and government-led solutions worldwide are positioning themselves as leaders in the wallet space, each bringing unique strengths to the ecosystem.
Consult Hyperion remains at the cutting edge, helping organizations navigate this dynamic landscape. Whether you’re looking to launch a new digital wallet, expand an existing platform, or secure sensitive data, we offer the expertise and insight needed to support your goals.

Final Thoughts

Digital wallets are becoming vital gateways to secure payments and digital identities across the world. At Consult Hyperion, we’re excited to help shape this future, enabling our clients to create secure, compliant, and user-centric solutions. With our expertise in identity, payments, and cybersecurity, we look forward to partnering with organizations worldwide that share our vision for a secure, interconnected digital world.

Slower Payments?

I’ve just received a cheery email from my credit card provider entitled, “We’re improving your fraud protection.” I assume it is from them: it arrived amongst a barrage of emails telling me not to believe what I read in emails. When online scamming was in its infancy, you could spot the difference but, as fraudsters’ skills, use of AI and sophistication have developed, nobody really can any more.

It is important to remember that this is an equal opportunities form of fraud. You don’t have to be online. You don’t even need a mobile phone. If you have a UK bank account and a phone number, the scammers will delight in using their social engineering skills to extract your life’s savings.

In the communication I’ve received, beyond all the good news about the generosity of the bank, there is a brief mention of the Payment Systems Regulator (PSR) [1]. Apparently, they require all Authorised Push Payment (APP) transactions to be subject to a refund within 5 working days if they are found to be fraudulent. This applies to payments over both Faster Payments and CHAPS. There are exceptions to this, for example where the customer is grossly negligent and not considered vulnerable [2].

There is also a ceiling set on the amount. This was initially announced as £415k but, due to strong resistance from the banks, is now set at £85k. The PSR state that this will cover 99% of APP claims. It happens to be the same amount as individuals can claim for lost savings under the Financial Services Compensation Scheme [3], should their bank become insolvent.

In the early days, Faster Payments was a rather unpredictable experience but, as it has scaled, many of the creases have been ironed out. Confirmation of Payee has helped to ensure that the payment reaches the intended beneficiary. It can take a couple of attempts to get it right: for example, a dog walker may appear as Wendy’s Walkies or under the name of the owner, Wendy Walker, and as a business account or a personal account. Still, if you have the correct sort code and account number, things tend to fall into place.

My bank has sent me a similar email, telling me to be wary around One Time Passwords (OTPs) and referring me to the Take Five To Stop Fraud [4] website. Again, it looks plausible and the advice is not unreasonable. It is, however, disappointing that there seems to be very little discussion of mutual authentication these days.

One aspect of the new regime is that all Payment Service Providers (PSPs) must be registered with Pay.UK. Both receiving PSPs and sending PSPs can be liable for any APP fraud. This is a significant departure from the existing regime, where the burden tends to fall on the sending PSP.

Losses due to APP scams are estimated at nearly £500m [5] annually. UK Finance [6] has identified factors which contribute to APP fraud, one of which is perceived urgency in dealing with a situation. While Faster Payments provides real convenience, the transactions are not reversible and so it has become a honey pot for thieves. Once money is transferred to a fraudulent account, it can be sent on to multiple accounts, sometimes with the assistance of money mules, either in the UK or overseas.

Frequently, by the time the fraud is investigated, the money is long gone. In response to this, PSPs are permitted to introduce a delay into the processing of payments. In principle, where a payment appears suspicious, they can put in place a pause of up to four days [7]. Clearly, this has serious implications for transactions such as conveyancing, where a housing chain requires everyone to complete on the same day. Even in simple situations, like paying a credit card bill, delays can result in the cardholder having to pay additional charges and interest.

While it is positive to see the challenges of APP fraud being addressed, it will be interesting to see how these significant changes to the payments landscape play out over the coming months. Activities such as intelligence sharing, risk-scoring and real-time screening [8] will remain central to tackling fraud.

It is interesting to note that in other countries where approaches to Open Banking are being explored, the focus tends to be on data sharing rather than payment initiation. For example, in the US, the Consumer Financial Protection Bureau [9] (CFPB) is working to open up data sharing, to promote innovation in financial services.

References

[1] https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-its-decision-on-app-scams-reimbursement/
[2] https://www.psr.org.uk/media/tbbdhkcx/sr1-consumer-standard-of-caution-exception-dec-2023.pdf
[3] https://www.fscs.org.uk/what-we-cover/banks-building-societies-credit-unions/
[4] https://www.takefive-stopfraud.org.uk/
[5] https://www.psr.org.uk/our-work/app-scams/#:~:text=Every%20year%20thousands%20of%20individuals,to%20APP%20scams%20in%202023.
[6] https://www.ukfinance.org.uk/news-and-insight/blog/how-understanding-human-behaviour-key-effective-prevention-app-fraud
[7] https://www.bbc.co.uk/news/articles/cn7yel28rx6o
[8] https://www.synectics-solutions.com/our-thinking/why-your-app-scam-strategy-must-not-be-swayed-by-the-reimbursement-limit-update
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-process-to-recognize-open-banking-standards/
