Opinion
Opinion Delivered July 26, 2004
Mr. Robert A. Adcock, Jr. Bank Commissioner Arkansas State Bank Department 400 Hardin Road, Suite 100 Little Rock, AR 72211-3502
Dear Mr. Adcock:
You have presented the following question for my opinion:
Will Arkansas law allow commercial banks to use or require types of personal identification known as biometric identifiers, i.e., fingerprints, etc., for customer identification purposes?
You note in this regard that identity theft has become an increasing problem in commercial transactions, and you state: "Therefore, if Arkansas banks are permitted by state law to use biometric identifiers, this would greatly assist the industry."
RESPONSE
It is my opinion that the answer to your question is, generally, "yes," in the absence of any state statute or regulation proscribing the use of biometrics for commercial purposes.
The opinion rendering function of this office is limited to questions of state law. Consequently, I cannot opine conclusively regarding any relevant federal statutes or regulations. See n. 5, infra, in this regard.
The Arkansas statutes are silent regarding the commercial use of biometric identifiers. Although various statutes require fingerprinting for criminal law enforcement and other regulatory purposes, no statute addresses the use of this type of "unique personal characteristic" ( see n. 1, supra) for commercial purposes. Compare Vernon's Texas Statutes and Code Annotated, Bus. C. § 35.50. Nor am I aware of any state regulations in this regard.
Biometric identification is described in Finger Imaging: A 21st Century Solution to Welfare Fraud at our Fingertips, 22 Fordham Urb. L.J. 1327, 1333 (1995):
`Finger imaging' is part of a field of science called biometrics. Biometrics involves the scanning or recording of some unique personal characteristic, . . . against a verified database for positive identification. . . . In finger imaging, the technology converts a fingerprint into a highly detailed and exact electronic image that a computer can interpret and compare to other images. . . .
See, e.g., A.C.A. § 12-12-1006 (taking fingerprints of arrested persons); A.C.A. § 6-7-410 (requiring background check for first-time teacher license applicants, including "the taking of fingerprints."); A.C.A. §§ 17-17-312, 17-19-203, 17-27-313, 17-87-312 (similar requirement for, respectively, auctioneers, professional bail bondsmen, professional counselors, and nurses — note: this list is not exhaustive, but only illustrative of statutes that address the regulatory use of fingerprints for professional licensure).
This Texas statute requires the informed consent of the person whose biometric identifier is being captured for commercial purpose. V.T.C.A. Bus. C. § 35.50 (b). "Biometric identifier" is defined as "a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry." Id. at subsection (a).
For information regarding any federal requirements or limitations, you may wish to contact the U.S. Attorney's Office, the Federal Deposit Insurance Corporation (FDIC), or the Office of the Comptroller of the Currency. Apparently, the U.S. House of Representatives has heard testimony regarding so-called "inkless fingerprint policies" that have been adopted by numerous state banking associations. See Messing v. Bank of America, 143 Md.App. 1, 15, 792 A.2d 312, 320-321 (2002), aff'd. 373 Md. 672, 821 A.2d 22 (2002) (noting testimony before the Computer Generated Check Fraud, Subcomm. on Banking and Fin. Serv. (May 1, 1997)). I am unaware, however, whether any regulations have been promulgated at the federal level that might impact the commercial use of biometrics. But see generally "Gramm-Leach-Bliley Act" (Pub.L. 106-102 (Nov. 12, 1999) and L.J. McGuire, Comment: Banking on Biometrics: Your Bank's New High-Tech Method of Identification May Mean Giving Up Your Privacy, 33 Akron L. Rev. 441, 465 (2000) (observing that Gramm-Leach-Bliley is "the only wide reaching federal legislation in the United States to prevent financial institutions from buying and selling personal information without the individual's permission[,]" and that "[t]he information distributed would include biometric information collected by the banking industry, whether the information is gained from iris scans, fingerprints, or thumbprints.")
Having found no provision in state law that prevents or otherwise addresses the use of biometrics outside those noted above, I believe it may be stated generally that Arkansas law allows commercial banks to use biometric identifiers for customer identification. As noted, there is no state statutory or regulatory impediment; nor do I perceive any actionable constitutional objection based on personal privacy, given the necessity of state action in order to utilize federal and state constitutional protections. See generally NOWAK ROTUNDA, CONSTITUTIONAL LAW § 12.1 (4th ed. 1991). Additionally, although there are common law doctrines that preserve privacy rights, one legal commentator has observed that "[t]he collection and distribution of biometric data does not fit neatly into any one category." See Banking on Biometrics, supra, 33 Akron L. Rev. at 475.
For two thorough discussions of the privacy implications stemming from the use of biometrics in the banking industry, see McGuire, Comment: Banking on Biometrics, supra and P.J. Waltz, Comment: On-Site Fingerprinting in the Banking Industry: Inconvenience or Invasion of Privacy, 16 J. Marshall J. Computer Info. L. 597 (1998).
While it is therefore my opinion that the use of biometric identifiers for bank customer identification violates no state law, it should perhaps be noted in closing that the practice may generate issues under the Uniform Commercial Code. See, e.g., Messing v. Bank of America, supra at n. 5 (requirement of thumbprint identification by non-bank customer deemed relevant to issue of whether the bank's refusal to pay the instrument constituted "dishonor" under the Maryland U.C.C.). According to my review, an issue of this nature would present a case of first impression for an Arkansas court. The Maryland court concluded that the thumbprint identification requirement constituted "reasonable identification" under the relevant U.C.C. provision. Messing, supra, 821 A.2d at 39.
Assistant Attorney General Elisabeth A. Walker prepared the foregoing opinion, which I hereby approve.
Sincerely,
MIKE BEEBE Attorney General
MB:EAW/cyh