Published Date: 7/22/2025
Commonwealth Bank of Australia (CBA) has reportedly been using facial recognition logins to its banking app to gauge whether customers who dispute transactions are legitimate. This innovative but controversial approach has raised questions about privacy and the accuracy of biometric data.
IT News reported on an unfair dismissal case involving a former CBA employee. The employee disputed multiple transactions totaling $500 from an unknown merchant, claiming he did not recognize the name of the third-party point-of-sale company used by a pub where he spent the money. The transaction appeared on his statement with the name of the point-of-sale company instead of the pub.
In its investigation into the disputed funds, CBA found that facial recognition embedded within the Commonwealth Bank app was used to make and review the transactions at the pub. The bank concluded that the former employee knew what he was doing and that he lodged the dispute with fraudulent intent. As a result, he was fired for “serious misconduct,” which has significantly hampered his chances of finding another job in the financial sector.
The ex-employee argued that it might have been his cousin, who shares access to his phone’s facial recognition capabilities. The case is currently pending before the Australian Fair Work Commission. While the $500 in question may seem small, the implications of the case are substantial. The privacy policy for CBA’s CommBank app states that it does not collect or store users’ biometric data. However, the bank’s ability to track logins and transactions authenticated with face biometrics and use them as evidence in an investigation suggests a narrow interpretation of this policy.
There are still questions about how explicitly the data logs tie a user to a transaction and whether the CommBank app’s fine print includes consent to track biometric data. Ted Dunstone, CEO of Biometix and BixeLab, highlighted the issues with using facial authentication to track individuals in a LinkedIn post. “Biometric logins are device-based, not identity-bound. Face ID or similar technologies confirm someone with a registered face used the phone – but not necessarily who. Shared access, especially among family members, is common. And yet, biometric login logs are now being used as quasi-proof of transaction authorship.”
In other words, it very well could have been the former employee’s cousin who authorized the transactions. Much like instances where police are found to be overstepping bounds with biometric systems, corporate overreach or opacity in communicating the facts can erode trust in biometrics overall. Dunstone emphasizes that this incident should “concern all of us in the biometrics and digital identity space,” which needs to adhere to rigorous, standards-based testing of biometric systems in real-world conditions and provide clear communication to users about “what biometric login really implies.”
“In a world increasingly relying on biometrics, there is a risk that people are falsely accused and this leads to serious consequences,” he writes.
In other news, CBA has reported a new text scam telling users their award points are about to expire and urging them to click a link. The bank advises customers to access their digital banking only through the CommBank app or via the CBA website, never through a link in a text message.
Q: What is the main issue with using facial recognition to verify transactions?
A: The main issue is that facial recognition logins are device-based, not identity-bound, meaning they confirm someone with a registered face used the phone but not necessarily who. This can lead to false accusations and serious consequences.
Q: How did Commonwealth Bank use facial recognition in the unfair dismissal case?
A: CBA used facial recognition embedded in its app to track logins and transactions, concluding that the former employee knew what he was doing and lodged the dispute with fraudulent intent.
Q: What are the privacy concerns associated with CBA's use of facial recognition?
A: There are concerns about how explicitly the data logs tie a user to a transaction and whether the CommBank app’s fine print includes consent to track biometric data, despite the privacy policy stating it does not collect or store users’ biometric data.
Q: What does Ted Dunstone say about the use of biometric logins?
A: Ted Dunstone, CEO of Biometix and BixeLab, says that biometric logins are device-based, not identity-bound, and shared access is common. Using these logs as quasi-proof of transaction authorship can be problematic.
Q: What advice does CBA give to customers regarding text scams?
A: CBA advises customers to access their digital banking only through the CommBank app or via the CBA website, never through a link in a text message, to avoid falling victim to text scams.