Governance Best Practices

Biometrics and Identity Assurance Services

Presented by: Dr. Ted Dunstone, CEO – BixeLab

Agenda

  • Business Case for Biometrics
  • Data Protection, Privacy & Governance
  • Performance & Control Considerations
  • Global Digital Identity Frameworks
  • Australian Digital Identity Ecosystem
  • Future Proofing & Conclusions

Biometric recognition is about managing risk — balancing user convenience and system security.

Key questions:

  • What is the identity problem?
  • How is it currently solved?

The Business Case for Biometrics

Key Considerations

  • Replace existing authentication methods
  • Improve security through biometric integration
  • Focus on enrolment accuracy & public trust

Additional Factors

  • Privacy & data security compliance (e.g. AGDIS)
  • Avoid vendor lock-in
  • Manage lifecycle costs of biometric software & hardware

Privacy and Data Protection

Major Risks

  • Function creep
  • Data breaches
  • Potential discrimination
  • Reputational damage

Mitigations

  • Data Protection Impact Assessments
  • Purpose limitation, retention control, minimisation
  • Compliance with privacy law (PII sensitivity)
  • Continuous monitoring and reassessment

Governance Essentials

Organisational

  • Usability & accessibility
  • Technical performance validation
  • Supervision and user adaptability
  • Role-specific training and upskilling

Legal & Ethical

  • Adherence to privacy principles
  • Digital ID legislation compliance
  • Governance for biometric management and oversight

Functional and Performance Considerations

  • Mitigate known vulnerabilities (e.g. spoofing)
  • Apply robust PAD and liveness detection
  • Choose centralised, federated, or user-held data models wisely
  • Maintain biometric templates (handle ageing, drift)
  • Regular re-validation and accuracy monitoring

Performance & Fairness

Key Points

  • Validate vendor claims on accuracy and liveness
  • Independent testing across demographics
  • Evaluate long-term performance drift

Fairness

A fair biometric system shows no statistically significant performance differences across demographic groups while maintaining overall accuracy. 
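The fairness definition above, together with the earlier bullets on evaluating long-term performance drift and keeping records of algorithm versions and scoring data, can be made operational with a small evaluation script. The following is an added example, not code from the presentation or from BixeLab: the two demographic groups, the comparison scores, the decision threshold of 0.60 and the algorithm version string are all constructed placeholders, and the two-proportion z-test is one reasonable choice of significance test that the slides do not prescribe. Error rates use the ISO/IEC 19795 terms FMR (impostor comparisons accepted) and FNMR (genuine comparisons rejected).

```python
"""Fairness and drift checks over biometric match scores (added example).

Constructed data only; group names, threshold and version string are assumptions.
ISO/IEC 19795 terminology:
  FMR  = impostor comparisons accepted / impostor comparisons
  FNMR = genuine comparisons rejected / genuine comparisons
"""
import math
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed comparison scores in [0, 1]; higher means more similar.
# "genuine" = same-person pairs, "impostor" = different-person pairs.
GROUPS: Dict[str, Dict[str, List[float]]] = {
    "group_A": {
        "genuine": [0.91, 0.88, 0.86, 0.84, 0.83, 0.81, 0.80, 0.79, 0.78, 0.77,
                    0.76, 0.75, 0.74, 0.72, 0.71, 0.69, 0.67, 0.65, 0.63, 0.55],
        "impostor": [0.12, 0.15, 0.18, 0.20, 0.22, 0.24, 0.25, 0.27, 0.28, 0.30,
                     0.31, 0.33, 0.35, 0.37, 0.39, 0.41, 0.44, 0.48, 0.52, 0.62],
    },
    "group_B": {
        "genuine": [0.85, 0.80, 0.78, 0.75, 0.73, 0.70, 0.68, 0.66, 0.64, 0.62,
                    0.61, 0.60, 0.58, 0.57, 0.55, 0.53, 0.50, 0.48, 0.45, 0.42],
        "impostor": [0.10, 0.14, 0.17, 0.19, 0.21, 0.23, 0.26, 0.28, 0.29, 0.32,
                     0.34, 0.36, 0.38, 0.40, 0.43, 0.45, 0.47, 0.50, 0.54, 0.58],
    },
}
ALGORITHM_VERSION = "matcher-vX.Y (placeholder)"  # recorded with every evaluation


def error_counts(genuine: List[float], impostor: List[float],
                 threshold: float) -> Tuple[int, int]:
    """Return (false matches, false non-matches) at a decision threshold.
    A comparison is declared a match when score >= threshold."""
    false_matches = sum(1 for s in impostor if s >= threshold)
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return false_matches, false_non_matches


def two_proportion_z_test(k1: int, n1: int, k2: int, n2: int) -> Tuple[float, float]:
    """Two-sided pooled z-test for equality of two error rates.
    Returns (z, p); degenerate pools (all 0 or all 1) return (0.0, 1.0)."""
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0.0:
        return 0.0, 1.0
    z = (k1 / n1 - k2 / n2) / se
    p = math.erfc(abs(z) / math.sqrt(2))
    return z, p


def fairness_report(groups, threshold: float, alpha: float = 0.05) -> dict:
    """Per-group FMR/FNMR, pooled overall rates and pairwise significance tests.
    The system is flagged unfair when any group pair differs significantly."""
    per_group, counts = {}, {}
    for name, data in groups.items():
        fm, fnm = error_counts(data["genuine"], data["impostor"], threshold)
        n_g, n_i = len(data["genuine"]), len(data["impostor"])
        counts[name] = {"fmr": (fm, n_i), "fnmr": (fnm, n_g)}
        per_group[name] = {"fmr": fm / n_i, "fnmr": fnm / n_g,
                           "n_genuine": n_g, "n_impostor": n_i}
    comparisons = []
    for a, b in combinations(groups, 2):
        for metric in ("fmr", "fnmr"):
            z, p = two_proportion_z_test(*counts[a][metric], *counts[b][metric])
            comparisons.append({"metric": metric, "groups": (a, b), "z": z,
                                "p": p, "significant": p < alpha})
    total_fm = sum(c["fmr"][0] for c in counts.values())
    total_i = sum(c["fmr"][1] for c in counts.values())
    total_fnm = sum(c["fnmr"][0] for c in counts.values())
    total_g = sum(c["fnmr"][1] for c in counts.values())
    return {
        "algorithm_version": ALGORITHM_VERSION,
        "threshold": threshold,
        "overall": {"fmr": total_fm / total_i, "fnmr": total_fnm / total_g},
        "groups": per_group,
        "comparisons": comparisons,
        "fair": not any(c["significant"] for c in comparisons),
    }


def drift_check(baseline_errors: int, baseline_n: int,
                current_errors: int, current_n: int, alpha: float = 0.05) -> dict:
    """Compare a later monitoring period's error count with the validation
    baseline; a significant rise signals drift that warrants re-validation."""
    z, p = two_proportion_z_test(baseline_errors, baseline_n, current_errors, current_n)
    worse = current_errors / current_n > baseline_errors / baseline_n
    return {"z": z, "p": p, "drifted": worse and p < alpha}


if __name__ == "__main__":
    report = fairness_report(GROUPS, threshold=0.60)
    for name, rates in report["groups"].items():
        print(f"{name}: FMR={rates['fmr']:.3f} FNMR={rates['fnmr']:.3f}")
    for c in report["comparisons"]:
        print(f"{c['metric']} {c['groups']}: z={c['z']:.2f} p={c['p']:.4f} "
              f"{'SIGNIFICANT' if c['significant'] else 'ok'}")
    print("fair:", report["fair"])
    print("drift:", drift_check(4, 400, 20, 400))
```

On the constructed data both groups have similar FMR, but group_B's FNMR (0.40) is far above group_A's (0.05) and the difference is significant, so the report flags the system as unfair even though the pooled overall rates look acceptable; this is exactly the case a single aggregate accuracy figure hides. The same test reused in drift_check compares a production period against the validation baseline, and the version string in the report is the record that ties a result to the algorithm build it was measured on. Twenty comparisons per group is far too few for a real evaluation; the sample sizes are small only to keep the example readable.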

AI / ML Black-Box Challenge

  • Modern biometric algorithms rely on deep learning.
  • AI introduces potential biases and opacity.
  • Mitigation requires managing inputs and evaluating outputs.
  • Continuous fairness monitoring is essential.

Control & Record Keeping

  • Regular Privacy Impact Assessments (PIAs)
  • Maintain records of algorithm versions and scoring data
  • Align with frameworks such as FIDO and ISO 30107
  • Support “Scam-Safe Accord” biometric requirements (2024)
  • Continuous threat assessment and response mechanisms

Privacy Framework

Core Principles

  • Proportionality & necessity
  • Transparency & informed consent
  • Accountability & auditability
  • Non-discrimination

Best Practice Actions

  • Conduct PIAs and Fundamental Rights Impact Assessments
  • Implement “Privacy by Design”
  • Continuous monitoring and regular management reporting

Global Digital Identity Frameworks

  • Numerous frameworks have emerged globally in the last 24 months
  • Biometrics are integral to remote identity proofing
  • Systems require compliance testing & third-party validation

Key Frameworks & Standards

National Frameworks

  • TDIF / AGDIS (Australia)
  • SingPass (Singapore)
  • eIDAS (EU)

Standards Bodies

  • NIST
  • FIDO Alliance
  • Android CDD
  • W3C Verifiable Credentials

Testing and Accreditation

Qualified independent labs (e.g. BixeLab) support verification against:

  • ISO/IEC 30107 (PAD)
  • ISO/IEC 19795 (Performance)
  • FIDO Biometric Requirements
  • National accreditation schemes (e.g., AGDIS)

NIST SP 800-30 Rev.1

Guide for Conducting Risk Assessments

Process

  1. Prepare – Define scope, assets, stakeholders
  2. Conduct – Identify threats, vulnerabilities
  3. Communicate – Share findings
  4. Maintain – Update periodically

Application to Banking & Biometrics

  • Address both cyber and biometric attack surfaces
  • Align with ISO 31000 / 27005 and APRA CPS 234
  • Integrate biometric assurance in enterprise risk frameworks

NIST SP 800-37 Rev.2

Risk Management Framework (RMF)

Lifecycle Stages

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

Banking & Biometrics Context

  • Treat biometric ID as high-impact assets
  • Enforce lifecycle privacy & security testing
  • Continuous re-certification after model updates

Australian Digital Identity Ecosystem

  • Digital ID Bill (2024) expands accreditation beyond TDIF
  • Three provider types:
    • Identity Service Providers
    • Attribute Service Providers
    • Identity Exchanges
  • Enhanced privacy protections and enforcement powers

AGDIS Accreditation Scheme

  • 10.5+ million myGovID users across 38 agencies
  • Framework for voluntary, secure, inclusive digital identity
  • Sets out biometric quality, PAD testing, and data-handling requirements
  • Includes independent testing & staff training obligations

Biometric Binding

Local Binding

  • In-person verification
  • Manual face comparison
  • Optional tech-assisted matching

Online Binding

  • Selfie capture & PAD
  • Automated matching to photo ID
  • Third-party biometric testing required

Compliance & Risk Management

  • Independent biometric testing for PAD & matching accuracy
  • Defined minimum image quality & audit trails
  • Source, Technical, and Local authentication mechanisms
  • Aligns with AGDIS, FIDO, and ISO/IEC standards

Banking Applications

Scam-Safe Accord 2024

  • Banks to adopt at least one biometric verification for new online accounts

Mitigation Strategies

  • Manual: training and assessment of staff
  • Automated: performance testing of face/document match systems
  • Continuous performance monitoring in production environments

Future-Proofing ID Ecosystems

  • Manage identity risk and data flows
  • Detect issues early to reduce fraud exposure
  • Apply FIDO frameworks even without formal adoption
  • Maintain independent assurance for ongoing trust

Conclusion

  • Independent evaluation ensures trustworthy biometric use
  • Governance frameworks sustain long-term system integrity
  • Continuous oversight enables secure and privacy-preserving banking ID systems

Contact

Dr. Ted Dunstone – Senior Responsible Officer
ted@bixelab.com | +61 419 990 968

Somya Singh – Operations Manager
s.singh@bixelab.com | +61 412 802 334

Clare Taylor – Training Coordinator
c.taylor@biometix.com | +61 451 680 698
