LONDON (AP) — "This call may be monitored."
You hear it every time you phone your bank about a lost credit card or an unexpected charge. You may realize your bank is recording you, but did you know it could be taking your biometric data, too?
An Associated Press investigation has found that two of America's biggest retail banks — JPMorgan Chase & Co., and Wells Fargo & Co. — are quietly recording the biometric details of some callers' voices to weed out fraud. The technology, sometimes called voiceprinting, is aimed at bad guys rather than legitimate customers, but legal and privacy experts alike still have reservations about the practice.
"Reducing fraud is a good thing," said Jay Stanley, an analyst at the American Civil Liberties Union. But he warned that "we can't anticipate what bright new uses this database will be put to in the future."
Blacklists help banks by alerting them to repeat calls from clever crooks who try to break into people's accounts armed with personal data gleaned from credit bureau reports or stolen in high-profile cyberattacks like the ones which have rocked Target and other major U.S. retailers.
Mark Lazar, a vice president at Verint Systems Inc., said that when combined with other fraud detection techniques, voice biometric blacklists were effectively blocking the bad guys from banks' call centers.
"Within a few months we see a 90 percent reduction in the types of calls these fraudsters are making," he said.
The technology is winning converts fast. Avivah Litan, an analyst with technology research firm Gartner, estimates that by next year, 25 major U.S. call centers will be using some form of voiceprint technology, a five-fold increase over last year.
As it stands, seven major American financial institutions are already using blacklists or have run pilots, said Shirley Inscoe, an analyst with the Aite Group, a research and advisory firm.
Inscoe declined to identify the institutions, but said they largely saw them as a quiet and effective way of dealing with fraud.
"It's in the background. It doesn't affect the call in any way," said Inscoe. "Nobody even knows it's happening."
Many governments and businesses use voiceprinting openly.
A recent AP survey of 10 leading voice biometric vendors found that more than 65 million people worldwide have had their voiceprints taken, and that several banks, including Barclays PLC in Britain and Minneapolis-based U.S. Bancorp, are in the process of introducing their customers to the technology.
But fighting fraud happens more discreetly.
One person familiar with Verint's deployment said that the company's technology has been at work at Chase's credit card arm since last year, when Verint's predecessor, Victrio, was helping screen roughly 1 million calls a month.
Two people familiar with how the technology is being used at Wells Fargo said the San Francisco-based bank struck a deal for a similar voice biometric blacklist provided by Israel-based NICE Systems Ltd.
NICE and Verint declined to comment on their customers. Chase and Wells Fargo declined to comment in any detail on their fraud prevention strategies.
Chase spokeswoman Patricia Wexler said the company was "exploring many types of biometric authentication," but did not use voice biometric technology with customers. She declined to say whether the company was using the technology to screen calls for suspected criminals.
At Wells Fargo, spokeswoman Natalie M. Brown said "... sharing any information about our fraud prevention measures would jeopardize their effectiveness."
Banks may run into trouble when they deploy voice biometric technology secretly, legal experts say. That's because some states, such as Illinois and Texas, restrict the collection or sharing of biometric data.
A confidential company memo obtained by the AP provides some insight into companies' attempts to build legal cover for their work.
The document, dated Aug. 1, 2013, lays out NICE's plans for the creation of a blacklist shared across a consortium of different companies. It carries advice from NICE to U.S. banks suggesting that they deal with issues of consent by changing the traditional message at the beginning of each call to say: "This call may be monitored, recorded and processed for quality assurance and fraud prevention purposes."
"Creating a voiceprint from the call falls under 'processing,'" the memo explains. "Sharing the voiceprints within the consortium is for the purposes of fraud prevention."
Tech and privacy lawyer David Klein, the managing partner of New York-based Klein Moynihan Turco, said he had doubts about whether playing a canned message to callers counted as getting consent to gather biometric data.
"It's at best a passive, assumed consent that they're obtaining from the calling party," he said.
It isn't clear that banks are using the suggested language. A recent call to Chase's credit card support number was met with a recorded message saying: "This call will be monitored or recorded." Nearly identical language played during a call to a Wells Fargo number.
Neither Wells Fargo nor Chase responded to questions specifically addressing the legality of their voice harvesting.
NICE confirmed that the memo was genuine. It said the purpose was merely to suggest new language for telephone calls and did not constitute legal advice.
Industry observers said that, regardless of the legal issues, few would raise a fuss over the collection of biometric information from suspected criminals.
Banks "truly are trying to protect legitimate customers," said Inscoe. She said the blacklists had to be seen in the context of organized gangs that call banks repetitively to try to break into accounts.
The ACLU's Stanley said he understood the anti-fraud argument but worried about where the technology could lead.
"Collection of information about people always starts with narrow purposes that nobody objects to," he said. "But then it broadens from there and that's where the trouble can start."