The Associated Press reports that when some banks’ customers call in to customer service, their voiceprints are being gathered so the banks can identify them. This practice of gathering biometric information, sometimes without giving notice to or obtaining consent from customers, raises substantial privacy questions:
An Associated Press investigation has found that two of America’s biggest retail banks — JPMorgan Chase & Co., and Wells Fargo & Co. — are quietly recording the biometric details of some callers’ voices to weed out fraud. The technology, sometimes called voiceprinting, is aimed at bad guys rather than legitimate customers, but legal and privacy experts alike still have reservations about the practice. […]
As it stands, seven major American financial institutions are already using blacklists or have run pilots, said Shirley Inscoe, an analyst with the Aite Group, a research and advisory firm.
Inscoe declined to identify the institutions, but said they largely saw them as a quiet and effective way of dealing with fraud. […]
Banks may run into trouble when they deploy voice biometric technology secretly, legal experts say. That’s because some states, such as Illinois and Texas, restrict the collection or sharing of biometric data.
A confidential company memo obtained by the AP provides some insight into companies’ attempts to build legal cover for their work.
The document, dated Aug. 1, 2013, lays out NICE’s plans for the creation of a blacklist shared across a consortium of different companies. It carries advice from NICE to U.S. banks suggesting that they deal with issues of consent by changing the traditional message at the beginning of each call to say: “This call may be monitored, recorded and processed for quality assurance and fraud prevention purposes.”
“Creating a voiceprint from the call falls under ‘processing,'” the memo explains. “Sharing the voiceprints within the consortium is for the purposes of fraud prevention.”
Tech and privacy lawyer David Klein, the managing partner of New York-based Klein Moynihan Turco, said he had doubts about whether playing a canned message to callers counted as getting consent to gather biometric data.