Tinkoff Bank asked clients for consent to process their photos

Tinkoff Bank requested clients’ consent to process their photographs taken when checking out products for conversion into the format of biometric data, including vectors of the Unified Biometric System (UBS). The number of bank clients is estimated at 30 million people; this is a significant amount of data that could significantly supplement the EBS. But without consent, the information will simply have to be deleted. So far, according to Kommersant, citizens are generally negative. However, in order to avoid getting into the EBS, they must express their refusal explicitly – by contacting the bank.

Since the end of September, Tinkoff Bank began collecting customer consent through a mobile application for the processing of photographs that were taken during the design of products, Kommersant drew attention to. “This will allow you to quickly confirm transactions and protect you from fraudsters,” the bank explained. At the same time, the method of communication chosen was not the most ordinary: the bank did not spend money on SMS, mail or even push notifications, but only published information in “stories” (temporary short video stories) at the top of its mobile application.

The essence of the appeal is this: the bank asks clients to consent to the processing of biometric personal data and its result, including EBS vectors. The goal is for the bank to carry out actions “aimed at ensuring the security” of operations, issuing a loan, as well as authentication during remote servicing. In the same text, the bank actually notifies clients that, in accordance with 572-FZ, it will place data in the EBS. Roskomnadzor explained to Kommersant that the legislation allows the inclusion in the text of one material medium of several consents to data processing, provided that the purposes of the processing correspond.

What caused the most questions and indignation among clients was that in the appeal, Tinkoff Bank provided only one choice – the “allow” button. More than 3.4 thousand surprised comments appeared under the “story”. Clients did not understand how to formalize a refusal to process data.

“Kommersant” found out that if you follow the link from the message and study the text of the consent, you can see that “revocation of consent to the processing of biometric data” is a refusal sent through Russian Post or through a personal appeal to the bank, including through services remote maintenance.

The photographs in question were traditionally taken by couriers delivering bank products. As follows from previous explanations of bank employees, for example, on the Banki.ru portal, “at the meeting, the representative is obliged to take photographs of the client with a sealed envelope in his hands and, separately, a photo of the passport on which the data will be visible.”

The photo itself is not considered biometrics (this was confirmed by a bank employee in the customer support chat). But the situation changes if the client consents to processing. Then the bank will be able to make a digital impression based on the photograph. “Also, the photo can be from a video call or when using Face ID, etc.,” the bank employee clarified.

The market participants interviewed by Kommersant raise questions about the quality of this kind of photographs. However, bankers admit that when exported to the EBS, the images will be checked. At the same time, the bank’s data volume itself can be significant, Kommersant’s sources say—such a “biometric database” is essentially equal to the number of clients. According to Tinkoff Bank itself, as of mid-2023 it has over 30 million retail clients.

Since the bank is only now collecting consents, it is likely that until recently it did not consider these photographs to be biometrics, using them only for anti-fraud purposes, Kommersant’s interlocutors in the financial market note.

“If consents are collected for the purpose of changing the category of previously collected personal data in order to turn them into biometrics and transfer them to the EBS, then this will not work; obtaining consent for processing after the fact is unlawful,” believes Artem Dmitriev, managing partner of Comply. Kommersant Bank did not answer.

Meanwhile, now formally the bank has only two options: obtain customer consent and transfer data to the EBS, or completely delete the information from its system. Storage of biometrics is now allowed only in the EBS, and data collection for commercial systems is prohibited.

Olga Sherunkova