The Indian government is allowing banks to verify individual transactions that exceed a certain annual limit using facial recognition and an iris scan in some cases, in a bid to reduce fraud and tax evasion, three sources said.
A few large private and public banks have begun using the option, said one of the sources, a banker, who declined to name the banks. The advisory allowing the verification is not public and has not previously been reported.
The verification is not mandatory and is intended for cases where another government identification card used for tax purposes, the Permanent Account Number (PAN) card, is not shared with banks.
The prospect of banks using facial recognition has concerned some privacy experts.
"This raises substantial privacy concerns especially when India lacks a dedicated law on privacy, cybersecurity and facial recognition," said Pavan Duggal, an advocate and cyber law expert.
The government has said it is targeting parliamentary approval of a new privacy law by early 2023.
The new measures can be used to verify identities of individuals making deposits and withdrawals exceeding 2 million rupees ($24,478.61) in a financial year, where the Aadhaar identity card is shared as proof of identity, said two government officials, who asked not to be named because the information is not public.
The Aadhaar card has a unique number tied to an individual's fingerprints, face and eye scan.
India's finance ministry in December asked banks to take "necessary action" on a letter by the Unique Identification Authority of India (UIDAI), which suggested verification should be done through facial recognition and iris scanning, especially where fingerprint authentication of an individual fails.
The letter from the UIDAI, which is responsible for Aadhaar card issuance, makes no mention of a consent framework for the verification. Nor does it say that banks can take any action if a customer refuses.
Responding to queries, a UIDAI spokesperson said Aadhaar verification and authentication happens only with the explicit consent of the user. Use of Aadhaar-based biometric authentication helps in guarding against possible misuse, he said.
“UIDAI regularly advises all authentication and verification entities to use face or iris authentications to cater to residents whose fingerprint authentication fails.” He added that authentication and verification does not mean storing of data.
The latest advisory follows a government order last year that mandated the quoting of an Aadhaar card or PAN number for making deposits or withdrawals exceeding 2 million rupees in a financial year.