Published Date: 7/22/2025
Commonwealth Bank of Australia (CBA) has reportedly been using facial recognition logins to its banking app to gauge whether customers who dispute transactions are legitimate. This innovative but controversial approach was highlighted in an unfair dismissal case involving a former CBA employee.
IT News reported on the case, which revolves around a former employee who disputed multiple transactions totaling $500 from an unknown merchant. The employee claimed he did not recognize the name of the third-party point-of-sale company used by a pub where he spent the money, which appeared on his statement instead of the pub's name.
In its investigation into the disputed funds, CBA found that facial recognition embedded within the Commonwealth Bank app was used to make and review the transactions at the pub. CBA concluded that the former employee was aware of his actions and lodged the dispute with fraudulent intent, leading to his dismissal for 'serious misconduct.' This dismissal has significantly affected his chances of finding another job in the financial sector.
The ex-employee argues that it might have been his cousin, who shares access to his phone's facial recognition capabilities. The case is currently pending before the Australian Fair Work Commission.
The $500 in question may seem small, but the implications of the case are substantial. According to CBA’s privacy policy, the CommBank app does not collect or store users’ biometric data. However, the bank's ability to track logins and transactions authenticated with face biometrics and use them as evidence in an investigation suggests a narrow interpretation of this policy. CBA was clearly able to link facial recognition logins to specific transactions.
Questions remain about how explicitly the data logs tie a user to a transaction and whether the CommBank app’s fine print includes consent to track biometric data. In comments posted to LinkedIn, Ted Dunstone, CEO of Biometix and BixeLab, highlighted the issues with using facial authentication to track individuals.
'Biometric logins are device-based, not identity-bound. Face ID or similar technologies confirm someone with a registered face used the phone – but not necessarily who. Shared access, especially among family members, is common. And yet, biometric login logs are now being used as quasi-proof of transaction authorship,' Dunstone stated.
In other words, it very well could have been the former employee’s cousin who authorized the transactions. Much like instances where police are found to be overstepping bounds with biometric systems, corporate overreach or opacity in communicating the facts can erode trust in biometrics overall.
Dunstone emphasized that the incident should 'concern all of us in the biometrics and digital identity space.' The industry needs to adhere to rigorous, standards-based testing of biometric systems in real-world conditions and provide clear communication to users about what biometric login really implies. 'In a world increasingly relying on biometrics, there is a risk that people are falsely accused and this leads to serious consequences,' he wrote.
In other CBA news, the bank has reported a new text scam telling users their award points are about to expire and urging them to click a link. CBA advises customers to access their digital banking only through the CommBank app or via the CBA website, never through a link in a text message.
Q: What is Commonwealth Bank using to verify disputed transactions?
A: Commonwealth Bank is using facial recognition logins to verify disputed transactions in its banking app.
Q: What was the unfair dismissal case about?
A: A former CBA employee disputed transactions totaling $500, claiming he didn't recognize the merchant's name. CBA used facial recognition logs to dispute his claim, leading to his dismissal for 'serious misconduct.'
Q: What does CBA's privacy policy say about biometric data?
A: CBA's privacy policy states that the CommBank app does not collect or store users' biometric data, but the bank can track logins and transactions authenticated with face biometrics.
Q: What are the concerns raised by Ted Dunstone?
A: Ted Dunstone, CEO of Biometix and BixeLab, highlighted that biometric logins are device-based, not identity-bound, and can be shared among family members. This can lead to false accusations and serious consequences.
Q: What new scam has CBA reported?
A: CBA has reported a new text scam telling users their award points are about to expire and urging them to click a link. The bank advises customers to access their digital banking only through the CommBank app or via the CBA website.