Voice AI authentication and identity in financial services

Authentication is the hardest half of every banking voice AI call. The deployments that survive a fraud post-mortem treat the calling number as untrusted, tier assurance by the action requested, and use voice biometrics as a factor inside SCA — never as a substitute for it.

Realistic containment band

Not a containment use case — measure success, friction, fraud loss

Integration touchpoints

  • Identity service exposing tiered assurance decisions on a per-action basis
  • Voice biometrics platform integrated as an inherence factor, with enrolment governance
  • Push-to-mobile / OTP channel for active step-up that does not depend on the SIM
  • Fraud platform write-through for AI-observed risk signals (cadence, ANI mismatch, behavioural)

Regulatory hooks

  • PSD2 SCA — independent factors from at least two of knowledge / possession / inherence
  • FCA Consumer Duty (UK) — false-reject rates that cluster by demographic group must be measured and remediated
  • GDPR Article 9 — biometric data is special-category; explicit consent and DPIA required
  • UK Contingent Reimbursement Model on APP fraud — authentication strength is a defence and a liability driver

What good looks like

Tiered assurance is encoded as policy, not as prompts. Disclosure runs at low assurance; account changes run at medium with a passive factor; SCA-grade actions run at high with an active factor that does not depend on the SIM. Step-up, false-accept, and false-reject rates are published operational metrics with demographic breakdowns. Voice biometrics is enrolled with informed consent and re-validated periodically.

Watch-outs

  • Trusting the calling number for any change-of-contact action. SIM-swap and number-porting fraud assume you do.
  • Enrolling voice biometrics without explicit informed consent — GDPR Article 9 is unambiguous.
  • Identical assurance for disclosure and change. A balance read and a beneficiary add are not the same risk.
  • Hiding step-up rate from the operations dashboard. A rising step-up rate is an early signal of an attack pattern.

Frequently asked

Does voice biometrics satisfy PSD2 SCA on its own?

No. Voice biometrics qualifies as the inherence factor inside SCA, but SCA requires two independent factors. The deployments that hold up pair voice biometrics with a knowledge or possession factor on every SCA-grade action.

How do you design for SIM-swap fraud?

Treat the SIM as untrusted by default. Any sensitive change requires a factor that does not depend on the SIM — push-to-app to a previously-enrolled device, OTP to a verified second channel, or in-branch. The AI's job is to enforce that policy, not to negotiate it.
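
The tiering under "What good looks like" and the SIM-swap answer above, written as policy code rather than prompts. This is an added example, not code from this page or from any product. The factor names, the action map and the low-tier rule (any one verified factor) are assumptions, and counting only SIM-independent factors towards the two SCA categories is a conservative choice made here.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1      # disclosure, e.g. a balance read
    MEDIUM = 2   # account changes
    HIGH = 3     # SCA-grade actions


@dataclass(frozen=True)
class Factor:
    name: str
    category: str        # "knowledge", "possession" or "inherence"
    active: bool         # caller had to act (approve a push, enter a code)
    sim_dependent: bool  # delivered through the phone number / SIM


# Constructed catalogue and action map; all names are assumptions for illustration.
VOICE = Factor("voice_biometric", "inherence", active=False, sim_dependent=False)
APP_PUSH = Factor("push_to_enrolled_app", "possession", active=True, sim_dependent=False)
SMS_OTP = Factor("sms_otp", "possession", active=True, sim_dependent=True)
ACTION_TIER = {
    "balance_read": Tier.LOW,
    "change_contact_details": Tier.MEDIUM,
    "add_beneficiary": Tier.HIGH,
}


def decide(action, verified, ani_matches):
    """Return (decision, tier, risk_signals) for one requested action."""
    tier = ACTION_TIER.get(action, Tier.HIGH)          # unmapped actions fail closed
    signals = [] if ani_matches else ["ani_mismatch"]  # fraud signal only, never a factor
    trusted = [f for f in verified if not f.sim_dependent]
    if tier is Tier.LOW:
        ok = bool(verified)                            # assumption: any one verified factor
    elif tier is Tier.MEDIUM:
        ok = bool(trusted)                             # a passive factor is enough here
    else:
        # SCA: two independent categories, at least one active and off the SIM
        categories = {f.category for f in trusted}
        ok = len(categories) >= 2 and any(f.active for f in trusted)
    return ("allow" if ok else "step_up", tier, signals)
```

A caller who passes SMS OTP from a matching number still gets `step_up` for `change_contact_details`, which is the SIM-swap case; the `step_up` count is the figure the operations dashboard should track.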
