Yes, we believe that a correspondent bank may retain customer fingerprints on its server without violating Illinois and federal privacy laws.
Neither Illinois nor federal financial institution privacy laws prohibit banks from storing biometric data, such as fingerprints. The Illinois Personal Information Protection Act (PIPA) requires banks to implement and maintain reasonable security measures to protect personal information (which may include fingerprints) from unauthorized access. However, banks that comply with Gramm-Leach-Bliley Act (GLBA)’s information security standards — as implemented by the interagency guidance included in our resources below — are deemed to comply with the PIPA’s requirements. Additionally, the Illinois Biometric Information Privacy Act, which protects biometric information (including fingerprints), has an exemption for financial institutions that are subject to the GLBA.
For resources related to our guidance, please see:
-
GLBA, 15 USC 6801(a) (“It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”)
-
Interagency Guidelines Establishing Information Security Standards (FDIC)
-
Illinois Personal Information Protection Act, 815 ILCS 530/45(a) (“A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”)
-
Illinois Personal Information Protection Act, 815 ILCS 530/45(d) (“A data collector that is subject to and in compliance with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, shall be deemed to be in compliance with the provisions of this Section.”)
-
Biometric Information Privacy Act, 740 ILCS 14/25(c) (“Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.”)