Today’s community banks have a full suite of resources to keep their customers and their information secure, including biometric authentication. But in the past decade, states have been eyeing new laws to regulate the use of this growing cybersecurity technology.
By Mary Thorson Wright
The federal Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the privacy of consumers’ finances and safeguard their personal information. Since then, we’ve witnessed dramatic changes in consumer privacy protection laws and regulations. At the same time, there’s been a striking evolution in electronic banking and a rigorous effort to thwart hackers and other cybercriminals from stealing consumer information and personally identifiable information. Enter biometrics and biometric authentication.
What are biometrics? Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices or data. They include fingerprints, facial patterns, eye scans, voice patterns or even typing cadence. Biometric identifiers are considered unique to an individual and may be used in combination to boost a bank’s security. Payment authentication by biometrics is a reality; it’s growing, and it may eventually replace traditional user authentication.
It follows that biometric privacy in banking would be guided by laws and regulations to manage risk and ensure coverage and consistency. Today, there isn’t a single federal biometric privacy law and there aren’t many state laws. In varying degrees, some state laws regulate collection, use, storage, safeguarding, retention and destruction of biometric identifiers, such as retina or iris scans and fingerprints, and biometric information that companies collect on their employees and customers.
How states regulate biometrics
What does the trend of states adopting biometric privacy regulations mean for community banks? Today, it depends primarily on the locations of banks and on the customers who are sharing their biometric information with them.
Illinois was the first state to enact a law for biometrics and privacy, 2008’s Biometric Information Privacy Act, or BIPA. The law defines a biometric identifier as a “retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” It prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s or a customer’s biometric identifier or biometric information unless they follow certain procedures. These include the requirement to let a subject know in writing that their biometric identifier is being collected or stored, the purpose of collection and how long it will be stored. Private entities must obtain consent for disclosure from the subject of a biometric identifier or a legally authorized representative and develop a publicly available written policy about the retention and destruction of biometric identifiers, among other requirements.
types of biometric data are recognized by the Biometrics Institute, from hand geometry to vein recognition
Following the lead of Illinois, Texas enacted the Texas Biometric Privacy Act of 2009, and Washington passed a biometric identifiers bill in 2017. Neither is as stringent as the Illinois law, and they differ in requirements related to written consent and definitions of covered data. Currently, the Texas statute exempts voiceprint data retained by a financial institution or an affiliate, as defined by the GLBA. Washington exempts financial institutions or affiliates of a financial institution subject to GLBA and the rules promulgated under it.
Biometric privacy bills have failed, at least initially, in Montana, California, Idaho, Alaska, New York, New Hampshire, Massachusetts, Rhode Island and Connecticut. Some states, such as California, Arkansas and New York, have extended their privacy and security protections to biometric data by amending existing laws. Washington amended an existing data breach response law in 2019, which is separate from its 2017 biometrics privacy law.
Regulator guidelines on biometrics
As new payments systems emerge, industry demands for anti-fraud measures may result in greater use of biometrics. The Federal Financial Institutions Examination Council (FFIEC) Retail Payment Systems Booklet acknowledges the use of biometrics to allow a consumer to make purchases or to cash checks. However, it also advises that a biometric identifier alone is only a single factor and it may need to be combined with other technologies or factors for proper authentication of high-risk banking transactions.
First steps for community banks should include a full evaluation of the biometric data that they use and the role of biometrics in their business model. Community bankers need to be certain about current or pending privacy and security requirements under applicable laws. Bank counsel or federal and state regulators may be helpful in that regard. The rising interest in biometric data privacy and security compels banks to keep a close watch on legislative and regulatory changes.
The FFIEC Guidance on Internet Banking Authentication recommends performing risk assessments, implementing effective strategies for mitigating identified risks and raising customer awareness of potential risks. While the guidance focuses on digital banking, the due diligence methodology might be applied to biometric data. In the absence of law specific to biometric data privacy and security, community banks should apply the most stringent protections established by the GLBA and applicable privacy or security rules at the state level.
Through proactive due diligence, community banks can negotiate the growing use of biometric authentication to safeguard customer information and mitigate risk stemming from the theft of sensitive customer information.
Mary Thorson Wright, a former Federal Reserve examiner, is a writer in Virginia.