How Sberbank Collects Consent to Biometrics Processing


TL;DR: Sberbank collects consent to the collection and processing of biometric data without properly informing its customers about it.

Introduction


When it comes to biometric data, the most interesting private-sector use for it is banking. The point is simple: biometrics can add an extra layer of security to the relationship between the bank and the client, thereby cutting off a number of completely stupid scammers.

However, legislative regulation of the industry is still lagging somewhat. Because of Sberbank's size, the situation resembles the card-to-card transfer market: there is Sberbank, which holds 80% of the market, and there is a system from the Central Bank of the Russian Federation that Sberbank is in no hurry to join without proper motivation.

With biometrics, the situation is as follows: there is a Unified Biometric System (EBU), which is controlled by Rostelecom. Sberbank is against the EBU, because it has its own system, in which data collection is easier and which already has "millions" of customers.

But just a minute ...


Yes, the question suddenly arises: did millions of Sberbank customers in Russia really give informed consent to hand over their biometric data?

And do those millions really know that they gave it?

Since I recently "gave it up" myself (unknowingly, of course), let me tell you how it looked.

Procedure


It all started when the "Sberbank.Online" application began prompting me to provide that very biometric data. I pressed the "Not Now" button, but I did not refuse outright. I wanted to know more about what would be collected and how.

Then I came to the bank branch, straight to the cashier, to withdraw money from the card. And then a miracle happened.

The cashier asked me to insert my card to confirm the withdrawal operation. I looked at the terminal screen, and there was something written in small print about biometrics.

This was my motivated and informed consent: the cashier says "insert a card."

That is, once again: in the wonderful system of Sberbank ("blockchain", "bigdata", "machine learning") the "Let them sign consent" flag was simply switched on. Information about this appeared on the cashier's side, and the cashier, without explaining anything, just says: leave the card, enter the PIN code and agree.

For a cash withdrawal, the terminal screen looks different, of course.

Could I read in full what I was agreeing to from the terminal screen? Of course not. It is a small screen, and the agreement, I think, is quite long. Is it even possible to collect consent this way? Of course not. This cannot be motivated and informed consent.

Contacting Sberbank


"Blockchain", "bigdata" and "machine learning" did not help the assistant in the bank chat to find out whether I had given consent to the processing of biometrics. I was sent to call the hotline.

The hotline confirmed that I did agree, but as to exactly how and when, they do not have such information. You bet.

Findings


  1. Sberbank collects consent for processing biometric data using the terminal and your card with a PIN.
  2. Do not expect to be able to read the entire agreement in this case. 2-3 lines of text at most.
  3. Of course, the cashier herself does not explain (and it is not certain that she knows) what you are signing.
  4. That is why Sberbank has the biometrics of millions of customers.

Learn more


Article from The Bell about the situation with biometrics and Sberbank
Interview by German Gref (there is just a little about biometrics)
