Banks collect callers’ voiceprints to fight fraud
By Raphael Satter
Associated Press
LONDON (AP) — The caller said her home had burned down and her husband had been badly hurt in the blaze. On the telephone with her bank, she pleaded for a replacement credit card at her new address.
“We lost everything,” she said. “Can you send me a card to where we’re staying now?”
The card nearly was sent. But as the woman poured out her story, a computer compared the biometric features of her voice against a database of suspected fraudsters. Not only was the caller not the person she claimed to be, “she” wasn’t even a woman. The program identified the caller as a male impostor trying to steal the woman’s identity.
The conversation, a partial transcript of which was provided to The Associated Press by the anti-fraud company Verint Systems Inc., reflects the growing use of voice biometric technology to screen calls for signs of fraud.
Two major U.S. banks, JPMorgan Chase & Co. and Wells Fargo & Co., use voice screening, also known as voice biometric blacklists, according to three people familiar with the arrangements, all of whom spoke on condition of anonymity because the system was meant to remain secret.
Altogether seven major American financial institutions are already using such blacklists or have run pilots, said Shirley Inscoe, an analyst with the Aite Group, a research and advisory firm.
Inscoe declined to identify the institutions, but said they largely saw them as a quiet and effective way of dealing with fraud.
“It’s in the background. It doesn’t affect the call in any way,” said Inscoe. “Nobody even knows it’s happening.”
The blacklists are one of a growing number of everyday uses of speaker recognition, once a high-tech tool used by security agencies.
Many governments and businesses use voiceprinting openly.
“A recent AP survey of 10 leading voice biometric vendors found that more than 65 million people worldwide have had their voiceprints taken, and that several banks, including Barclays PLC in Britain and Minneapolis-based U.S. Bancorp, are in the process of introducing their customers to the technology.
Fighting fraud is different.
One person familiar with Verint’s deployment said that the company’s technology has been at work at Chase’s credit card arm since last year, when Verint’s predecessor, Victrio, was helping screen roughly 1 million calls a month.
Two people familiar with how the technology is being used at Wells Fargo said the San Francisco-based bank struck a deal for a similar voice biometric blacklist provided by Israel-based NICE Systems Ltd.
NICE and Verint declined to comment on their customers. Chase and Wells Fargo declined to comment in any detail on their fraud prevention strategies.
Chase spokeswoman Patricia Wexler said the company was “exploring many types of biometric authentication,” but did not use voice biometric technology with customers. She declined to say whether the company was using the technology to screen calls for suspected criminals.
At Wells Fargo, spokeswoman Natalie M. Brown said “...sharing any information about our fraud prevention measures would jeopardize their effectiveness.”
Banks may run into trouble when they deploy voice biometric technology secretly, legal experts say. That’s because some states, such as Illinois and Texas, restrict the collection or sharing of biometric data.
A confidential company memo obtained by the AP provides some insight into companies’ attempts to build legal cover for their work.
The document, dated Aug. 1, 2013, lays out NICE’s plans for the creation of a blacklist shared across a consortium of different companies. It carries advice from NICE to U.S. banks suggesting that they deal with issues of consent by changing the traditional message at the beginning of each call to say: “This call may be monitored, recorded and processed for quality assurance and fraud prevention purposes.”
“Creating a voiceprint from the call falls under ‘processing,’” the memo explains. “Sharing the voiceprints within the consortium is for the purposes of fraud prevention.”
Tech and privacy lawyer David Klein, the managing partner of New York-based Klein Moynihan Turco, said he had doubts about whether playing a canned message to callers counted as getting consent to gather biometric data.
“It’s at best a passive, assumed consent that they’re obtaining from the calling party,” he said.
It isn’t clear that banks are using the suggested language. A recent call to Chase’s credit card support number was met with a recorded message saying: “This call will be monitored or recorded.” Nearly identical language played during a call to a Wells Fargo’s number.
Neither Wells Fargo nor Chase responded to questions specifically addressing the legality of their voice harvesting.
NICE confirmed that the memo was genuine. It said the purpose was merely to suggest new language for telephone calls and did not constitute legal advice.
Industry observers said that, regardless of the legal issues, few would raise a fuss over the collection of biometric information from suspected criminals.
Banks “truly are trying to protect legitimate customers,” said Inscoe. She said the blacklists had to be seen in the context of organized gangs that call banks repetitively to try to break into accounts.
The technology is winning converts fast.
Mark Lazar, Verint’s vice president for intelligence systems, said that when combined with other fraud detection techniques, voice biometric blacklists were effectively freezing the bad guys out of banks’ call centers.
“Within a few months we see a 90 percent reduction in the types of calls these fraudsters are making,” he said.
Avivah Litan, an analyst with technology research firm Gartner, estimates that by next year, 25 major U.S. call centers will be using some form of voiceprint technology, a five-fold increase over last year.
Klein, the privacy and tech lawyer, said the growth of voice biometric technology meant it was time for regulators to take a fresh look at the rules.
“There should be regulation on both the state and federal level that that govern practices with respect to the collection, use and sharing of that data,” he said, “so that we don’t go deeper into George Orwell’s world.”