CPA INSIDER

What CPAs should know about facial-recognition technology

The ability of artificial intelligence-powered applications to identify people by their face brings business opportunities and potential regulatory perils.
By John Murawski

Facial-recognition technology, controversial for its potential abuses in crowd surveillance and in law enforcement, is getting a warm reception among some businesses for its potential payoffs. 

The uptick in adoption of facial-recognition systems in retail, banking, travel, and other sectors calls on CPAs and other business leaders to assess the benefits of the technology against the risks. Among those that have publicly acknowledged their use of it are Wells Fargo for accessing customers' online bank accounts; Delta Air Lines for passenger boarding on international flights; and New York apartment complex Park Avenue Green for tenants entering the building. 

The technology can identify individuals by mapping out the features of a human face and matching those unique characteristics with images stored in databases. While it's accurate in identifying people in controlled laboratory conditions, critics say performance can suffer in real-world circumstances if lighting conditions and camera angles are suboptimal.

The risks include the potential for automating racial or gender bias, which can happen if facial-recognition systems are not trained on representative datasets and develop problems. Privacy concerns can also come into play when businesses store unique biometric data of their employees and customers on corporate servers, although vendors say the data is generally encrypted and anonymized. 

The benefits of facial-recognition systems can include higher security, fewer delays, customized service, and other conveniences. As the technology improves in performance, prices come down, and public confidence improves, facial-recognition systems could become ubiquitous as a business tool, some predict. 

"If you look at countries like China, that's essentially where our future is heading," said Melissa Doval, CPA, the CEO of Kairos AR Inc., a Miami-based facial-recognition vendor with more than 100 clients. 

"There's probably a chance that you won't need to carry any identification with you anymore. Everything will be digital on our mobile. Everything will be verified via your face."

Government intervention

Recent efforts by municipal and state governments to ban or restrict government use of facial-recognition systems by police and other agencies may ultimately contribute to its adoption in the business world. A potential slowdown in government spending on the systems is pushing Japan-based NEC Corp., a leading vendor of the technology, to expand in the U.S. commercial market, according to The Wall Street Journal. NEC is currently testing use cases in a variety of industries, the WSJ reported in September, and eyeing sectors such as aviation, education, entertainment, health care, hospitality, and retail. In addition, the company plans to introduce a body-recognition system next year, according to an October WSJ report.

Facial recognition is not regulated at the federal level in the United States but instead is subject to a patchwork of local standards or no standards at all. A bill introduced in the U.S. Senate this year would require companies to obtain consent from people whose facial data is collected, stored, and analyzed by facial-recognition systems. The Illinois Biometric Information Privacy Act requires companies doing business in the state to get a person's written consent to collect and store biometric data, such as electronic fingerprints or facial scans.

The California Consumer Privacy Act, which goes into effect in January, gives state residents the right to know what data businesses collect from them and the right to request that companies delete the data, including biometric information. The act applies to all businesses that collect data on California residents, not just those with operations in the state. 

Other measures are being considered across the country. The city of Portland, Ore., is considering a proposal to ban city agencies and private businesses from using facial-recognition technology, and three New York bills would impose guidelines on landlords and businesses using biometric access control systems.

Regulatory uncertainty is one of the biggest impediments to adoption and one of the biggest challenges that businesses face when considering such a system, said Merritt Maxim, a vice president and research director at Forrester Research Inc.

"There's a lot of legal and other things afoot, and the environment is very fluid," Maxim said. "You need to be aware of that because what is appropriate for your users today may no longer be appropriate for regulators tomorrow."

Nick Ingelbrecht, a research director at Gartner Inc., said that the legal void puts the onus on companies to create their own internal policies for privacy and data protection, based on professional advice from CPAs, lawyers, ethicists, and other experts. Corporate policies should be clearly stated and in line with the company's ethics or its clients' ethics, and also with customers' expectations, said Hayley Sutherland, a senior research analyst for AI software platforms at International Data Corp. 

"They do not want to invest in a product today that may become illegal to use in two years' time, or is likely to upset staff on one hand and customers on the other who may regard facial analysis as intrusive and unwarranted surveillance," Ingelbrecht said by email.

Uses of facial recognition

Among the least controversial uses for facial-recognition systems are biometric access control systems. These voluntary systems allow employees and clients to enter secure areas or physical facilities by using their visage as a unique access code. 

A variant of this application is also being adopted by airlines for "frictionless" boarding and by banks to give customers access to their safe deposit boxes or online accounts. Globally, some companies have begun experimenting with using facial recognition for activating vending machines and ATMs, and the applications could multiply to any function that requires a password, personal identification number, or swipe card.

With biometric access, the invasiveness factor is minimized because employees and customers self-enroll into the facial-recognition database. Customers can opt out if they don't feel comfortable having their faces scanned by artificial intelligence (AI) machines. 

A number of major carriers, including Delta Air Lines, American Airlines, and Star Alliance, with more than two dozen member airlines, have recently introduced, expanded, or announced the development of biometric boarding options. The system recognizes a passenger's face instead of a boarding pass, matching the face to travel account information in a U.S. Customs and Border Protection database. 

Retailers and others are also using facial recognition to track customer shopping patterns by demographics such as age and gender, several vendors said. Businesses can use the data to design marketing campaigns, develop product displays, and devise other business strategies using aggregate data to identify statistical patterns in customer behavior. 

The systems can also be used to identify specific people so that employees can mobilize to provide speedy check-in and other customized services to VIPs and loyal customers recognized by a camera when they enter an establishment. 

Facial-recognition technology is also used for security, such as when businesses create watchlists with biometric information on known shoplifters, disgruntled employees, or other persons of interest. When the camera matches a face with the database, the security team receives an alert, enabling them to monitor the person or take other action. 

Many companies already have watchlists but lack the staff to use them effectively, and they turn to facial-recognition systems to methodically scan every incoming person against the list, said Daniel Putterman, the co-CEO of Kogniz Inc., a startup with dual headquarters in San Francisco and Montreal. Kogniz launched its product in April, and it's used by some 30 companies to watch for shoplifters, loiterers, former employees, vandals, drug users, and others. 

"All these entities are already recording video, taking pictures of people, and looking for these people," Putterman said. "We are just automating something that all of these businesses are having trouble maintaining."

Genesis Concepts & Consultants LLC, a San Antonio-based consulting firm with 10 consultants, uses facial recognition and fingerprint recognition for access control and monitoring at a multistory office building that also houses a bank, federal contractors, and a field office of the Department of Homeland Security. 

An additional benefit of the biometric access system is that it helps keep an eye on staff, said CEO Gregory Hudson. "We know who's doing 40 hours and who's not, so it's a behavior modification platform as well," he said. 

Genesis Concepts' vendor is FaceKey Corp., also based in San Antonio. FaceKey's biggest customer is multinational equipment manufacturer Diebold Nixdorf, which integrates the FaceKey technology into its own products that manage safety deposit boxes for banks by verifying customers' identities, said Annette Starkweather, CPA, FaceKey's vice president of operations and business development.

Genesis Concepts is also a reseller for FaceKey. Most of FaceKey's several hundred customers are small businesses, such as private schools, day care centers, small manufacturers, private clubs, hospitals, churches, and a prison pharmacy, said Starkweather. 

The system contains two cameras, one of which uses infrared lighting so that it can't be fooled with a photograph, Starkweather said. The facial data is encrypted through conversion into a numerical code, protecting the personal data from potential hackers or misuse, she said

Still, it's not uncommon to encounter resistance to the technology, she said. Starkweather said that some find it intrusive, in part because it tells the boss when employees are out of the building, not working.

"The buy-in has to come from the top people," she said "We have had the supervisor refuse to use it. We've had the supervisor say, 'Over my dead body.' They didn't buy." 

Facial-recognition technology tips

Experts offer the following advice for implementing facial-recognition technology:

Make sure your system does not automate bias. Companies should test systems during implementation and regularly after deployment, said Ingelbrecht, the research director with Gartner. He said bias is inevitable, invisible, and hard to detect, and it's important to have processes in place that recognize the risk and mitigate against it. Sutherland, of International Data Corp., said users should ensure algorithms are trained on a robust, diverse dataset, supplementing with synthetic data (generated by algorithms rather than real events) if necessary, even after systems are deployed.

Manage privacy concerns. Ingelbrecht suggests companies follow the European Union's General Data Protection Regulation guidelines as a best practice, even if they operate outside Europe. Regulations are continually evolving, and compliance with GDPR is a good precaution for strict rules that could be adopted in the future. Biometric data should be encrypted and converted into a numerical code, said Starkweather, of FaceKey. Access to the data or information should be restricted to a dedicated person, she said. And Sutherland noted that customers want to know how and when their data is being collected, shared, and used, and companies using facial recognition should prioritize transparency, with options for consent, opting in, and redaction, such as blurring faces and other personally identifiable features, wherever possible.

Keep data secure and avoid hacking. Standard IT cybersecurity policies and technology will protect facial-recognition data to a reasonable level, Ingelbrecht said. In addition, businesses should monitor internal employee access to data by setting stringent rules on data sharing and maintaining audit trails and logs. He also recommends using anonymization and end-to-end encryption technologies where appropriate.

Handle regulatory risk and uncertainty. Companies can appoint a privacy officer or similar function under the chief data officer, Ingelbrecht said. They should be transparent with staff, stakeholders, and customers about their use of the technology, through disclosures and notices. Sutherland said companies should consider involvement in one or more AI ethics consortia, such as the Partnership on AI, to ensure their organization stays in the loop on best practices and keeps abreast of legal developments, evolving standards, and changing public expectations.

John Murawski is a freelance writer based in North Carolina. To comment on this article or to suggest an idea for another article, contact Jeff Drew, a JofA senior editor, at Jeff.Drew@aicpa-cima.com.

SPONSORED REPORT

2019 State of Financial Reporting Survey

We surveyed nearly 600 finance and accounting professionals on their month-end close and reporting processes. See the results.

VIDEO

What RPA is and how it works

Robotic process automation is like an Excel macro that can work on multiple applications, says Danielle Supkis Cheek, CPA. RPA can complete routine, repetitive tasks such as data entry, freeing up employee time from lower-level chores.