Over the past half-decade, a number of banks have explored advances in biometrics, technology that uses people’s physical markers as access points to their stored money.
Although fingerprints, iris scans and facial recognition are touted for the added security they can offer account holders, a study released last week by the National Institute of Standards and Technology (NIST) indicated most commercial facial-recognition systems exhibit bias.
The agency tested 189 facial-recognition algorithms from 99 developers and found black and Asian people were up to 100 times more likely to be misidentified than white men in “many-to-one” searches, a type that law enforcement might use to identify a suspect in a crime.
The technology also falsely identified older adults up to 10 times more often than middle-aged adults; women more often than men; and Native Americans more often than any other ethnic group.
The agency found disproportionate error rates among some of those populations in “one-to-one” searches, as well. One-to-one biometrics can be used in lieu of passwords or to unlock smartphones.
Lawmakers and civil liberties groups are raising alarms over the technology’s potential negative effects. Cities such as San Francisco, Oakland and Berkeley in California this year banned local government use of the technology.
At stake is a share of the $59 billion that CB Insights, in a study this month, projected the biometrics industry would be worth by 2025.
Banks' recent pilots
U.K.-based bank NatWest is testing a key fob that uses a customer’s fingerprint to make payments.
Barclays introduced a finger vein-scanning identification feature last year for its Barclays.net and iPortal clients.
Bank of America allows customers to use their fingerprint and Apple’s Touch ID to sign into the bank’s mobile app, and piloted iris scanning with Samsung in 2017.
Wells Fargo introduced iris-, face- and voice-scanning for corporate clients to sign into their accounts in 2016. At the time, Secil Watson, the bank’s executive vice president of digital solutions, told the Los Angeles Times, “user names and passwords are basically 15 years old,” and posted on LinkedIn that “biometrics will replace passwords.”
A Wells Fargo spokesperson told Banking Dive, “customers who use our biometric authentication offerings for account sign-on have reacted positively to the capabilities,” and that the bank is “currently exploring how and when we will support new Android face authentication capabilities in the future.”
As the global biometrics market grows, banks want a piece of the pie — but are already facing privacy and security concerns and could face more serious issues down the road.
In October, for example, NatWest pulled its mobile banking app from the Google Play store after discovering a security flaw in its fingerprint scanner that caused Samsung phones with screen protectors to disable the fingerprint scanner.
Albert “Buzz” Scherr, chair of the international criminal law and justice program at the University of New Hampshire, told Banking Dive his concern is how banks plan to protect consumers’ biometric data from potential breaches such as this year's exposure of the personal information of 106 million Capital One customers by a former Amazon Web Services employee.
“[Banks are] going to be creating these huge databases, at least one of iris scans, fingerprints or voice,” Scherr said. “In terms of hacking, we are always protected against the last technique used to hack into a system. We are rarely protected from the next technique.”
Federal safeguards
There are no cohesive federal guidelines on how banks can use consumers’ biometric data. And legislation in the space is limited. Sens. Roy Blunt, R-MO, and Brian Schatz, D-HI, proposed a bill in March aimed at protecting consumers’ biometrics.
And only a few states — Texas, Illinois and Washington among them — have passed biometric data privacy laws.
However, regulators are scrutinizing such tech giants as Facebook and Google for how they handle consumers’ personally identifiable information. (Incidentally, Facebook, Google, Amazon and Apple did not submit their algorithms for the NIST study.)
Banks also have to consider how they’re going to cooperate with law enforcement should they be asked for customers’ biometric data, Scherr said.
“Are they going to let the government [search their biometric databases] because they want to help solve a crime, or are they going to demand a search warrant for probable cause before they allow that?” Scherr asked. “Even when there’s a search warrant supported by probable cause, what you’re effectively doing by giving your fingerprint to the bank, you’re depositing identity information with a third party. Under the current law, it’s very unclear whether you are giving up any privacy rights you have to your fingerprint and iris scan and voice pattern. ... That privacy issue is going to be an open question under the Fourth Amendment.”
Authorities last year caught the Golden State killer because his relative’s DNA was available on a genealogy website.
When customers sign up with Ancestry, for example, they can opt in for “informed consent research.” However, they also can opt out.
Honest terms and conditions
Scherr said banks need to be “forthcoming” with customers in their terms and conditions and disclosures.
“I am a very strong advocate for clear and simple notices before you sign up rather than the 40-page fine-print notices that maybe only me and three other people in the universe have ever read,” Scherr said. “I think it’s an illusion of notice when you give someone a 40-page document that goes on and on. They need a simple two paragraphs that say, ‘Here’s what will happen if the police want to search our database in any way,’ rather than have it buried very deeply in fine print somewhere.”
Consumers are already uncomfortable with financial apps’ access to their personal data, so addressing privacy and security concerns with biometric data could be a way for banks to get ahead of consumer and regulatory concerns to establish trust.
“Financial data is at least as private or more private than genetic info or health info,” Scherr said. “It’s a particularly sensitive area of privacy for some people.”
Bank of America, Barclays, Citibank and JPMorgan Chase declined to comment for this story. NatWest did not return several phone calls for comment.