CBA is using facial recognition logins to its banking app to determine whether customers who dispute a transaction did in fact authorise the payment.

The investigative technique has come to light in an unfair dismissal case, where an employee was sacked after disputing “multiple transactions” totalling $500 from an unknown merchant on his personal bank account.
The now former employee said “the transactions in question were processed through QR code ordering” at a pub, “but were … handled by a third-party point-of-sale company.”
That meant the transactions did not show up on bank statements in the name of the pub.
“This naturally leads to confusion, as the transaction description does not clearly reflect the actual venue name,” the former employee said in written submissions to the Fair Work Commission.
“At the time of lodging the [transaction] disputes, I could not recognise the merchants involved.
“The right to dispute an unrecognised transaction is a basic consumer right, and I exercised that right in good faith - as any bank customer is entitled to do.”
CBA not only rejected the $500 claim, but also accused the man of lodging the dispute with fraudulent intent, commenced disciplinary action against him in his capacity as an employee, and ultimately dismissed him from his role.
A “serious misconduct” dismissal is likely to prevent the man from being re-employed in the finance sector.
In addition to the $500 claim, the man also disputed a different, unknown $49.97 transaction at the same time. This was refunded by the bank.
Face recognition data
One aspect of the case likely to raise questions is the bank’s admission that it used facial recognition authentication records in some capacity to try and prove who made the disputed transactions.
“[CBA]’s case … (in short summary) is that it investigated the disputed transactions and determined that the applicant must have been responsible for them,” the commission’s deputy president Gerard Boyce wrote.
“This is because the applicant was at the … venue on the day that the disputed transactions were made, and/or facial recognition software (embedded within the Commonwealth Bank app) was used to make and/or view (review) the transactions.”
The ex-employee countered that “his cousin, who he says shares access to his phone’s facial recognition capabilities, could [also] have been responsible for the transactions.”
CBA enabled iPhone users to log into its banking app using Face ID back in 2017.
CBA’s privacy policy for its app states that it doesn’t “collect or store [biometric] information in the CommBank app”.
However, it appears that any time a smartphone-based payment is either authenticated using facial recognition, or the user logs into the app with facial recognition to check on their transactions, this is logged by the app, and these logs can be used as a data point in investigations.
How detailed the logs are - and how definitively they tie a specific individual to a transaction - is not clear.
Also unclear is whether the user consent collected at the time the app is downloaded would cover this use of facial recognition-related data.
The unfair dismissal case remains unresolved.
In response to detailed questions from iTnews, a CBA spokesperson said: “We do not comment on matters currently before the courts.”