Biometric Verification: Fingerprint, Facial and Voice
Biometric verification for US compliance: fingerprint, facial and voice recognition under BIPA, BSA/AML, FinCEN CDD Rule, and FTC Section 5 enforcement. Liveness detection best practices.

Biometric verification is the 1:1 comparison of a live biometric sample against a previously enrolled reference template to confirm that a person is who they claim to be. It covers fingerprint, facial and voice recognition. In the United States, these processing activities are governed by a fragmented patchwork of state laws — most notably the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/ — and federal frameworks including the Bank Secrecy Act (BSA), 31 USC §5311 and FTC Act Section 5, which the Federal Trade Commission uses to enforce against unfair or deceptive biometric data practices.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Requirements vary by jurisdiction and sector. Consult a qualified professional for guidance specific to your situation. This article reflects the US regulatory landscape as of April 2, 2026.
What Is Biometric Verification?
Biometric verification performs a 1:1 match between a live biometric sample and a stored template linked to a known individual. It is fundamentally different from biometric identification, which compares a sample against an entire database of unknown individuals (1:N matching). This distinction has direct regulatory consequences in the United States, particularly under state biometric privacy laws and emerging FTC enforcement guidance.
There is currently no comprehensive federal biometric privacy law in the United States. The regulatory landscape is driven by state legislation — with Illinois BIPA as the most aggressive framework — and by sector-specific federal requirements under the BSA, FinCEN CDD Rule (31 CFR 1010.230), and FTC Act Section 5.
The Three Primary Modalities
| Modality | Mechanism | Typical EER | Common Use Cases |
|---|---|---|---|
| Fingerprint | Minutiae analysis (ridges, bifurcations) | 1–2% | Access control, mobile KYC |
| Facial recognition | Facial geometry, 3D landmarks | 0.1–2% | Remote onboarding, e-KYC |
| Voice recognition | Spectral voiceprint analysis | 2–5% | Phone authentication, call centres |
| Iris | Unique iris pattern analysis | 0.01% | Border control, high-security access |
The Equal Error Rate (EER) is the operating point at which the False Acceptance Rate (FAR) equals the False Rejection Rate (FRR). For high-security deployments, the target FAR is below 0.01%. A lower EER indicates a more accurate system.
Verification vs Identification: A Critical Legal Distinction
The distinction between 1:1 verification and 1:N identification matters significantly under US law. Facial recognition systems that identify unknown individuals from databases — deployed in public or semi-public spaces — face the greatest regulatory scrutiny and litigation exposure. BIPA does not formally distinguish between verification and identification, but courts have applied the statute broadly to any collection or use of biometric identifiers or information, including face geometry scans and fingerprints, regardless of whether the system operates in verification or identification mode.
The Regulatory Framework
State Biometric Privacy Laws: BIPA and Beyond
Illinois BIPA (740 ILCS 14/) is the most consequential state biometric privacy law in the United States. It regulates any private entity that collects, captures, purchases, receives through trade, or otherwise obtains a biometric identifier or biometric information. Key obligations under BIPA include:
- Section 15(a): Establish and maintain a written, publicly available policy governing retention schedules and guidelines for permanently destroying biometric data.
- Section 15(b): Before collecting a biometric identifier, provide written notice, disclose the purpose and duration of collection, and obtain a written release from the individual.
- Section 15(c): Do not sell, lease, trade or otherwise profit from biometric identifiers or information.
- Section 15(d): Do not disclose without consent, except to complete a financial transaction requested by the subject, as required by law, or pursuant to a warrant.
- Section 15(e): Use a reasonable standard of care for the storage, transmission and protection of biometric data.
BIPA carries a private right of action: $1,000 per negligent violation, $5,000 per intentional or reckless violation, plus attorneys' fees (740 ILCS 14/20). Class action exposure has produced settlements exceeding $650 million in the financial services and technology sectors.
Critical exemption: BIPA's Section 25(c) contains a financial institution exemption covering entities subject to the Gramm-Leach-Bliley Act (GLBA, 15 USC §6801 et seq.) and their service providers. Traditional banks and credit unions that are GLBA-regulated are generally exempt from BIPA. However, fintech companies, third-party identity verification vendors, and non-bank financial services providers that are not themselves subject to GLBA are not covered by this exemption and face full BIPA exposure.
Other significant state laws:
- Texas CUBI (Capture or Use of Biometric Identifier Act), Tex. Bus. & Com. Code §503.001: Prohibits capturing biometric identifiers without informed consent. Enforced by the Texas Attorney General; no private right of action.
- Washington My Health My Data Act (SB 1155, 2023): Regulates consumer health data including biometric information. Private right of action, enforced from July 2024.
- California CCPA/CPRA: Classifies biometric information as "sensitive personal information" under Cal. Civ. Code §1798.121. Consumers have the right to limit use and disclosure of sensitive personal information. Enforced by the California Privacy Protection Agency (CPPA).
- Trend: As of 2026, 15 or more states have enacted or have pending biometric-specific or health-data legislation covering biometric identifiers.
Federal Framework: BSA, FinCEN and KYC Obligations
Biometric verification in financial services is governed federally by the Bank Secrecy Act (BSA), 31 USC §5311, and implementing FinCEN regulations. The FinCEN Customer Due Diligence (CDD) Rule (31 CFR 1010.230) requires covered financial institutions to:
- Identify and verify the identity of customers (31 CFR 1020.220 for banks, 31 CFR 1023.220 for broker-dealers).
- Identify and verify the identity of beneficial owners of legal entity customers.
- Understand the nature and purpose of customer relationships.
- Monitor for and report suspicious activity.
Biometric verification satisfies the "verify" element of KYC when implemented with adequate documentary controls. FinCEN has issued guidance confirming that digital identity verification methods, including biometrics, may be used to satisfy Customer Identification Program (CIP) requirements under 31 CFR 1020.220(a)(2), provided the institution's CIP addresses the risk-based approach to verifying identity through document or non-documentary methods.
NY DFS 23 NYCRR 500: The New York Department of Financial Services cybersecurity regulation requires covered financial institutions to implement cybersecurity policies governing the protection of nonpublic information, which expressly includes biometric records under the 2023 amendments to 23 NYCRR 500.01(g). This imposes specific access controls, encryption, and incident response requirements on any covered entity that processes biometric data.
FTC Enforcement Under Section 5
In the absence of a federal biometric privacy statute, the FTC exercises enforcement authority over biometric data practices under Section 5 of the FTC Act (15 USC §45), which prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC's 2023 policy statement on commercial surveillance confirmed that collecting biometric data without adequate disclosure, or using biometric data for purposes materially different from those disclosed at collection, may constitute an unfair or deceptive practice subject to enforcement action and civil penalties.
NIST Standards and Federal Accuracy Benchmarks
The National Institute of Standards and Technology (NIST) provides the primary technical benchmarks for biometric systems used in federal and regulated contexts:
- NIST SP 800-76-2 (Biometric Specifications for Personal Identity Verification): Specifies biometric data formats and accuracy requirements for federal PIV credentials.
- NIST Face Recognition Vendor Testing (FRVT): The authoritative benchmark for facial recognition algorithm accuracy. Results document demographic differentials in accuracy across race, sex and age — directly relevant to FTC fairness enforcement and enterprise risk management.
- NIST SP 800-53 Rev. 5: Includes biometric-specific controls under the Identification and Authentication (IA) control family, referenced in federal procurement and by NY DFS.
Liveness Detection
Liveness detection is the technical layer that distinguishes a live person from a presentation attack — a printed photo, a 3D mask, or an injected deepfake video feed. It is an essential component of any remote biometric verification system.
Passive liveness detection — which analyses texture, depth and micro-motion without requiring any user action — reduces presentation attack success rates by over 95% in iBeta evaluations conducted under ISO/IEC 30107-3.
Active vs Passive Liveness
- Active liveness: The user is prompted to perform a specific action — blink, turn their head, read a displayed code. Effective against static spoofs but introduces friction in the user journey.
- Passive liveness: Analysis runs in the background without user instruction. It detects deepfakes, masks and digital video injection attacks. Recommended for low-friction onboarding flows.
For financial institutions subject to FinCEN CDD requirements, NIST SP 800-76-2 and ISO/IEC 30107-3 Level 2 certification provide the appropriate technical benchmark for liveness detection deployed in remote KYC applications. The absence of certified liveness detection exposes both BIPA and BSA/AML compliance programmes to meaningful gap risk.
Performance Metrics
FAR, FRR and EER in Practice
- FAR (False Acceptance Rate): The probability that an impostor is incorrectly accepted by the system. A FAR of 0.01% means that on average one fraudulent attempt in 10,000 succeeds.
- FRR (False Rejection Rate): The probability that a legitimate user is incorrectly rejected. A high FRR generates friction, support costs and customer abandonment.
- EER: The operating point where FAR equals FRR. It is the standard metric for comparing biometric systems. Typical values: fingerprint 1–2%, face 0.1–2%, iris 0.01%.
For regulated KYC applications, industry practice targets a FAR below 0.01% with ISO/IEC 30107-3 Level 2 certified liveness detection.
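The FAR/FRR trade-off described in this section and in the EER definition under the modality table, swept through on constructed match scores. This is an added example, not CheckFile's code; the scores, the 0 to 100 similarity scale and the accept-if-score-at-or-above-threshold rule are assumptions.

```python
"""Worked FAR / FRR / EER sweep for a 1:1 biometric verifier.

Scores are similarity values (higher = more alike); a comparison is accepted
when score >= threshold. Sweeping the threshold trades FAR against FRR.
"""

# Constructed sample data (not real measurements). Genuine scores: a live
# sample matched against the subject's own template. Impostor scores:
# mismatched pairs. Assumed 0-100 similarity scale.
GENUINE_SCORES = [95, 92, 90, 88, 85, 82, 80, 75, 70, 60]
IMPOSTOR_SCORES = [65, 55, 50, 45, 40, 35, 30, 25, 20, 10]


def far_frr(threshold, genuine, impostor):
    """Return (FAR, FRR) when a comparison is accepted iff score >= threshold.
    FAR: fraction of impostor comparisons accepted (false accepts).
    FRR: fraction of genuine comparisons rejected (false rejects)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def candidate_thresholds(genuine, impostor):
    """Every observed score, plus one above the maximum (reject everything)."""
    scores = sorted(set(genuine) | set(impostor))
    return scores + [scores[-1] + 1]


def equal_error_rate(genuine, impostor):
    """Return (EER, threshold) where FAR and FRR are closest. With finite
    samples the curves rarely cross exactly, so EER is the mean of the two."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def threshold_for_target_far(target_far, genuine, impostor):
    """Return (threshold, FRR) for the loosest threshold whose FAR <= target,
    i.e. the least friction that still meets the security target, or None if
    no threshold can. Caveat: with N impostor comparisons the smallest non-zero
    FAR measurable is 1/N, so a 0.01% target needs well over 10,000 impostor
    comparisons; "0% FAR" on a small sample is not evidence of anything."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(t, genuine, impostor)
        if far <= target_far:
            return t, frr
    return None


if __name__ == "__main__":
    eer, t_eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER = {eer:.1%} at threshold {t_eer}")
    for target in (0.10, 0.0):
        t, frr = threshold_for_target_far(target, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"FAR <= {target:.0%}: threshold {t}, FRR {frr:.1%}")
```

On this toy sample the EER sits at 10% (threshold 65), and driving FAR to 0% costs a 10% FRR; a production evaluation needs tens of thousands of impostor comparisons before a sub-0.01% FAR figure means anything.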
CheckFile Platform Data
Our platform records a fraud detection recall of 94.8%, a false positive rate of 3.2%, and an average verification time of 4.2 seconds. Identity document fraud accounts for 19% of all document fraud detected — a figure that makes the combination of documentary analysis and biometric verification not merely best practice, but operationally necessary for institutions with meaningful fraud exposure.
Deployment: Best Practices
Matching Modality to Context
The appropriate biometric modality depends on the channel, the risk level and the regulatory requirements. Fingerprint scanning is well-suited to physical environments such as branches and kiosks. Facial recognition is the dominant choice for remote digital onboarding. Voice recognition integrates naturally into telephone and call centre authentication flows.
Building a Layered Identity Verification System
Biometric verification alone does not satisfy AML due diligence obligations under the BSA. It must be combined with documentary verification (OCR analysis, forgery detection, MRZ validation of US passports, Real ID Act-compliant driver's licenses and state IDs) and data verification (OFAC sanctions screening, FinCEN beneficial ownership checks, SSN validation). This layered approach constitutes a compliant KYC programme under FinCEN CIP and CDD requirements.
For a broader view of how employers and regulated entities structure identity checks, see our article on background check documents and employer verification.
Practical US Compliance Steps
- BIPA assessment: Determine whether your organisation is a "private entity" under 740 ILCS 14/3 and whether the GLBA exemption (Section 25(c)) applies to your entity and each third-party vendor you use.
- Written biometric policy: Establish and publish a retention and destruction schedule before any biometric collection begins (BIPA Section 15(a)).
- Informed consent: Obtain written releases before collection, specifying purpose and duration (BIPA Section 15(b)). For Texas: obtain informed consent before capturing biometric identifiers (Tex. Bus. & Com. Code ยง503.001(b)).
- California CCPA/CPRA: Implement a "Limit the Use of My Sensitive Personal Information" opt-out mechanism for California residents where biometric data is processed as sensitive personal information (Cal. Civ. Code ยง1798.121).
- FinCEN CIP/CDD: Document your biometric verification method within the Customer Identification Program (31 CFR 1020.220) and ensure biometric evidence is linked to the CDD record (31 CFR 1010.230).
- NY DFS 23 NYCRR 500: For covered financial entities, ensure biometric records are protected under the cybersecurity programme, with access controls, encryption at rest and in transit, and breach notification procedures.
- Vendor due diligence: Third-party biometric vendors who are not themselves GLBA-covered entities retain full BIPA exposure. Contractual indemnification and data processing agreements must address Section 15(e) obligations.
- Incident response: Establish a breach notification plan. While there is no single federal biometric breach notification law, the FTC's Health Breach Notification Rule (16 CFR Part 318) and over 50 state breach notification statutes may require notification when biometric records are compromised. SSNs exposed in a biometric data breach trigger nearly universal state notification requirements.
For more on document fraud detection techniques that complement biometric verification, see our article on AI document fraud detection.
Risks and Limitations
Biometric verification carries specific risks that differ from those of password-based authentication. Biometric templates are permanent: unlike a password or Social Security Number (SSN) subject to reissuance procedures, a compromised biometric template cannot be changed. Injection attacks — where a synthetic video stream is substituted for the camera feed — bypass systems without certified liveness detection. Algorithmic bias, documented in NIST FRVT results across race, sex and age groups, exposes operators to FTC enforcement risk under Section 5 and potential fair lending liability under the Equal Credit Opportunity Act (ECOA, 15 USC §1691) where biometric data informs credit decisions. Operators processing biometric data of US residents through offshore processors must address applicable state data localisation and transfer requirements.
Frequently Asked Questions
Is biometric verification required for KYC compliance under US law?
Biometric verification is not universally mandated for KYC under US federal law. The FinCEN CIP rule (31 CFR 1020.220) requires identity verification but permits both documentary and non-documentary methods — biometrics are one compliant non-documentary approach. Biometric verification becomes effectively required where a financial institution's internal risk assessment determines that remote onboarding of high-risk customer segments demands it, or where a specific state regulator mandates a particular assurance level for digital onboarding.
Does BIPA apply to banks and financial institutions?
BIPA Section 25(c) provides an exemption for financial institutions subject to GLBA (15 USC §6801 et seq.) and their affiliates and service providers that are themselves subject to GLBA. Traditional banks, credit unions, broker-dealers and other GLBA-covered entities generally fall within this exemption. However, fintech companies, independent identity verification vendors, and technology providers that are not subject to GLBA are not exempt and face full BIPA obligations — including the private right of action at $1,000–$5,000 per violation under 740 ILCS 14/20. Institutions should verify exemption status at the vendor level, not just the institutional level.
What is liveness detection and why is it necessary?
Liveness detection verifies that the biometric sample comes from a physically present person, rather than a photograph, mask or deepfake. Without this layer, a facial verification system can be defeated by a printed photo or a recorded video. ISO/IEC 30107-3 Levels 1 and 2 are the market reference standards for presentation attack detection. NIST SP 800-76-2 references liveness requirements for PIV-compliant systems. For FinCEN CIP purposes, the absence of liveness detection in a remote digital onboarding flow creates a documented gap in the risk-based identity verification methodology.
How should biometric templates be handled under applicable US law?
Under BIPA Section 15(e), biometric data must be stored, transmitted and protected using a reasonable standard of care at least as protective as the standards applied to other confidential and sensitive information. Templates must be destroyed when the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the private entity, whichever comes first (BIPA Section 15(a)). For NY DFS-covered entities, biometric records are nonpublic information under 23 NYCRR 500.01(g), requiring encryption at rest and in transit and access controls. Because a compromised biometric template cannot be changed, template storage controls require a higher standard of care than those applied to standard personal data.
Is there a federal biometric privacy law in the United States?
As of April 2026, there is no comprehensive federal biometric privacy statute in the United States. Legislative proposals including the American Data Privacy and Protection Act (ADPPA) have been introduced in Congress but have not been enacted. The regulatory landscape remains a patchwork of state laws — with Illinois BIPA as the most aggressive — supplemented by sector-specific federal requirements (BSA/FinCEN for financial services, FTC Section 5 for unfair and deceptive practices, and HIPAA where biometric data intersects with protected health information). Organisations operating across multiple states should maintain a state-by-state compliance matrix updated for new legislation, which is advancing rapidly.
Biometric verification is a technically mature, legally complex capability that forms an increasingly central part of compliant identity verification programmes in the United States. Deploying it responsibly requires a clear understanding of the Illinois BIPA framework, applicable state law obligations in Texas, California, Washington and a growing number of other states, BSA/FinCEN KYC requirements, and the NIST technical standards that govern accuracy and liveness detection.
CheckFile provides a document and identity verification platform that integrates biometric analysis within a layered, BSA/AML-compliant framework. Explore our security architecture, compare pricing plans based on your verification volume, or visit our fraud and data guide for a broader view of the threat landscape.