How Sberbank collects consent for biometrics processing

    TL;DR: Sberbank collects consent to the collection and processing of biometric data without properly informing its customers about it.

    Introduction


    When it comes to biometric data, the most interesting sector for its use in private business so far is banking. The point is simple: biometrics can add an additional layer of security to the relationship between the bank and the client, thereby cutting off a number of completely stupid scammers.

    However, legislative regulation of the industry is still somewhat stalled. Because of Sberbank's size, a situation is developing that is similar to the market for transfers between cards: there is Sberbank, which holds 80% of the market, and there is a system from the Central Bank of the Russian Federation, which Sberbank is in no hurry to join without proper motivation.

    With biometrics, the situation is this: there is the Unified Biometric System (EBS), which is controlled by Rostelecom. Sberbank is opposed to EBS because it has its own system, in which data collection is simpler and which already has “millions” of customers.

    But wait a minute...


    Yes, a question suddenly arises: have millions of Sberbank customers in Russia really given informed consent to providing their biometric data?

    But do millions really know that they gave it?

    Since I recently “gave it” myself (not consciously, of course), let me tell you how it looked.

    Procedure


    It all started when the Sberbank.Online application began to offer that very biometrics. I pressed the "Not Now" button, but I did not refuse altogether. I wanted to know more about what would be collected and how.

    Then I went to a bank branch, straight to the cashier, to withdraw money from my card. And then a miracle happened.

    The cashier asked me to insert my card to confirm the withdrawal operation. I looked at the terminal screen, and something about biometrics was written there in small print.

    This was my motivated and informed consent: the cashier says “insert a card”.

    That is, once again: in Sberbank's wonderful system (“blockchain”, “bigdata”, “machine learning”), the check mark “Have the consent signed” simply lit up. This information was shown to the cashier, who, without explaining anything, simply says: insert the card, enter the PIN code and agree.

    For a cash withdrawal, the terminal screen looks different, of course.

    Could I fully read what I was agreeing to on the terminal screen? Of course not. It is a small screen, and the consent, I think, is quite long. Is it possible to collect consent in this way? Of course not. This cannot be motivated and informed consent.

    Contacting Sberbank


    “Blockchain”, “bigdata” and “machine learning” did not help the assistant in the bank chat find out whether I had agreed to the processing of biometrics. I was told to call the hotline.


    The hotline confirmed that I had indeed agreed, but they have no information about how and when exactly. No wonder.

    Conclusions


    1. Sberbank collects consent to the processing of biometric data using the terminal and your card with the PIN code.
    2. Do not expect to be able to read the entire agreement this way. At most 2-3 lines of text.
    3. Of course, the cashier herself does not explain what you are signing (and it is not certain that she knows).
    4. That is why Sberbank has the biometrics of millions of customers.

    More details


    An article from The Bell about the situation with biometrics and Sberbank
    Interview with German Gref (there’s just a little bit about biometrics)
