Citi Adds Biometrics To Its ‘Security Perimeter’

A single data breach costs a business $3.86 million on average. The high risks and costs of breaches, says Tapodyuti Bose, Global Head of Channel and Enterprise Services with Citi’s Treasury and Trade Solutions, are prompting companies to turn to biometric solutions, while forgoing older authentication tools like physical tokens. In the latest Digital Identity Tracker, Bose explains how biometrics and behavioral indicators can add layers to the “security perimeter,” which helps businesses keep bad actors at bay.

Hackers and cybercriminals are growing more innovative by the day, and data breaches have become an all-too-common and costly problem. Some estimates put the average cost of a data breach for a company at $3.86 million. Many businesses are looking for new solutions to prevent bad actors from stealing data and inflicting this level of financial harm, and some are turning to biometrics. Passwords and PINs can be easily stolen, duplicated or compromised, but the same can’t be said for fingerprints or facial patterns. 

Financial services giant Citi is investing heavily in biometrics. As of last month, its institutional clients in 54 countries, including the U.S., U.K., Brazil, China and India, can use facial recognition and fingerprint readers to access CitiDirect BE, a mobile app that makes banking services available to firms. Companies previously accessed the service with hardware tokens that generated passcodes. 

According to Tapodyuti Bose, global head of channel and enterprise services for Citi’s Treasury and Trade Solutions division, biometric solutions add protection to the company’s “security perimeter” and are more effective and seamless than physical tokens. 

“Our goal is to … provide much greater standards of security … with [less] friction,” Bose said. 

Taking Physical Tokens Off the Table 

Enterprise clients that wanted to access CitiDirect BE were previously required to use physical tokens resembling key fobs to generate one-time passwords that would be verified by the bank. Users had to enter four-digit PINs to authenticate their identities before the codes were generated. 

Bose added that this process introduced considerable friction. Tokens had to be delivered by couriers, a process that could take several days, and users’ PINs had to be delivered in the same manner. Additionally, if another party managed to gain access to both the token device and a user’s PIN, data could be compromised. He also emphasized that this process presented challenges to businesses that often needed to add new members to their teams.

Biometric solutions, however, enable all team members to gain access without having to wait for the necessary components to arrive by mail. 

“You don’t have to keep track of a physical device … nor do you have to remember a PIN,” Bose said. “It really does eliminate the friction involved in other methods while [also] providing greater security.” 

The addition of biometrics allows users to access CitiDirect BE from their own mobile devices. 

“[It leverages] the smartness of your device and [its] biometrics capability,” he explained. 

Enhancing the Banking ‘Security Perimeter’ 

Biometrics are also being used to establish user profiles, Bose said, which track indicators such as how users type or whether they log in with their right or left hands. If users’ patterns do not match their biometric profiles, the system puts them through additional scrutiny.

“At the application level, which is the CitiDirect BE level … our system tracks the IP location, time, geography [and more],” he said. “If we find behaviors [that are] untoward particular users, we throw more challenges at [them] before they can actually start transacting.” 

These solutions could eliminate several authentication hoops that customers previously had to jump through before they could conduct business, but some firms are still hesitant. Bose said that many do not allow employees to use their personal devices due to the sensitive nature of their jobs. Policies like these could stall adoption, but biometrics’ ease of use could help spur uptake at the enterprise level.

“People are getting used to using biometrics in their daily lives,” he said, and many consumers are familiar with using them on their personal devices. 

Biometric solutions aren’t the only ones being employed by Citi, Bose noted, adding that they are an additional layer on top of the company’s broader security protocols.

“The biometric authentication is part of a broader, layered security perimeter that we regularly test and strengthen, given the sensitivity of transactions, high values and the natures of these interactions,” he said. 

Keeping the platform’s perimeter secure requires the company to frequently check CitiDirect BE’s various software components, which are vulnerable to cyberattacks. As a result, the company monitors the most prevalent malware trends and patterns so it can stay one step ahead of sophisticated fraudsters. 

“Applications are made out of multiple software [components that] … are constantly subject to vulnerability,” he said. 

Data breaches take an expensive toll on businesses, but adding biometric solutions on top of existing security procedures could help companies keep their operations safe and enable them to retire more vulnerable protocols like passwords and PINs. 


