RatedWithAI

RatedWithAI

Accessibility scanner

Biometric PrivacyJuly 12, 2026

BIPA and AI Banking: Facial Recognition ATMs and Branch Security 2026

Banks and credit unions are rolling out AI facial-recognition ATMs, contactless teller verification, and branch security systems to cut fraud — and walking straight into BIPA's biometric consent requirements in the process. A narrow GLBA exclusion doesn't cover everything.

Customers, Too
BIPA applies to walk-in customers scanned by AI systems, not just employees
Narrow Exclusion
GLBA carve-out doesn't automatically cover every AI biometric use case
Per-Scan Damages
Cothron v. White Castle's per-scan standard applies to banking deployments too

Why Banks Are Deploying AI Biometrics

Facial-recognition ATMs let customers authenticate without a card, cutting card-skimming fraud. AI-enhanced branch security cameras flag known fraudsters or repeat check-fraud actors before they reach a teller. Contactless verification speeds up in-branch service. Each of these systems processes facial geometry — a biometric identifier under Illinois law.

Financial institutions have historically assumed banking data is broadly exempt from state privacy laws because of the Gramm-Leach-Bliley Act. That assumption is riskier than it looks once AI-driven facial recognition enters the picture, because BIPA's exclusion for GLBA-covered information is narrower and more fact-specific than a blanket exemption.

The result: a growing category of banking AI deployments — customer-facing ATMs, branch security, fraud-pattern facial matching — sit in a genuine compliance gray zone that courts are still working through, rather than in a settled safe harbor.

The GLBA Exclusion Is Narrower Than It Sounds

BIPA excludes biometric information collected, used, or stored in compliance with the Gramm-Leach-Bliley Act's federal financial privacy framework. Banks often read this as "we're a regulated financial institution, so BIPA doesn't apply to us." That reading has not held up uniformly:

Scope of GLBA Itself
GLBA governs disclosure and safeguarding of nonpublic personal financial information — it was not written with facial-recognition biometric collection in mind, and whether a specific AI biometric use case falls within GLBA's actual regulated scope is a case-by-case legal question, not an automatic pass.
Third-Party Vendor Systems
Many AI facial-recognition ATM and security systems are built and operated by third-party vendors, not the bank directly. Whether the vendor's processing of biometric data is itself 'in compliance with' GLBA — a framework aimed at the financial institution, not the vendor — is an unresolved question courts have approached differently.
Non-Customers Captured on Camera
Branch security cameras using AI facial recognition capture anyone who walks into frame, including non-customers, companions, and bystanders whose biometric data has no connection to a financial account relationship GLBA was designed to regulate.

Where Banking AI Systems Create BIPA Exposure

  • Facial-recognition ATM authentication that scans customer faces without a documented, GLBA-scoped consent process specific to biometric collection
  • AI branch security cameras that run facial matching against a fraud watchlist, capturing biometric data from every person on camera, not just flagged individuals
  • Contactless teller verification systems processing facial geometry for identity confirmation at the counter
  • Voice-based phone banking authentication using AI voiceprint matching, which is a separate biometric identifier under BIPA alongside face geometry
  • Third-party fraud-prevention vendors whose AI models process biometric data across multiple bank clients, potentially without bank-specific consent documentation

Compliance Checklist for Financial Institutions

1. Map Every AI Biometric Touchpoint
  • Inventory every system that captures facial, voice, or other biometric data — ATMs, branch cameras, phone banking, fraud detection
  • Identify which systems are operated directly and which run through third-party vendors
  • Don't assume GLBA coverage without documenting the specific legal basis for each system
2. Customer Consent and Disclosure
  • Publish a written biometric data policy covering purpose, retention, and destruction schedule for any AI facial or voice recognition system
  • Obtain documented consent before enrolling a customer in facial-recognition ATM or voiceprint phone authentication
  • Post clear signage at branches and ATMs disclosing AI facial-recognition security systems, addressing non-account-holder exposure
3. Vendor Contracts
  • Require AI security and fraud-detection vendors to confirm their own BIPA compliance posture in writing
  • Get contractual commitments on biometric data retention, deletion, and prohibition on cross-client model training using your customers' data
  • Confirm vendor liability and indemnification terms specifically cover biometric privacy claims
4. Retention and Deletion
  • Set a defined retention period for biometric data tied to account closure or the end of the security/fraud-prevention purpose
  • Confirm both the bank's systems and any third-party vendor systems delete biometric data on schedule
  • Document deletion practices to demonstrate compliance if challenged

Frequently Asked Questions

Our bank is headquartered outside Illinois. Do we still need to worry about BIPA?

Yes, if you have any branch, ATM, or facial-recognition-enabled service touching an Illinois resident or Illinois location. BIPA applies based on where the biometric data is collected or where the affected individual is located, not where the institution is headquartered.

If we only use facial recognition for fraud prevention, not customer convenience, are we exempt?

No blanket exemption exists for fraud-prevention purposes specifically. The purpose of collection can factor into a GLBA-exclusion analysis in some circumstances, but fraud-detection systems still process biometric identifiers and generally still require a documented compliance basis, not an automatic pass.

Does the GLBA exclusion cover employees using biometric login for internal banking systems?

Employee biometric login for internal systems is a separate question from GLBA, which is focused on consumer financial privacy. Employee-facing biometric systems (like fingerprint or facial login) are generally analyzed under the same employer-employee BIPA framework that applies to biometric time clocks, independent of GLBA.

What's the realistic penalty exposure for a mid-size bank with a non-compliant AI ATM rollout?

Exposure scales with the number of biometric scans, similar to employer time-clock cases. A facial-recognition ATM network processing thousands of customer authentications without documented consent can accumulate substantial per-scan statutory damages exposure ($1,000–$5,000 per violation) well before any single lawsuit is filed.

Don't Rely on GLBA as a Blanket Shield

The single most common mistake financial institutions make with AI biometric systems is assuming federal financial privacy law automatically covers state biometric privacy law. It doesn't, and the gap is exactly where BIPA exposure lives.

Map every AI facial and voice recognition touchpoint, document the specific compliance basis for each one, and treat customer biometric consent with the same rigor you'd apply to employee biometric consent.

Related Reading