With mass implementation of remote working and online transactions in the pandemic era, to meet the needs of transaction convenience, efficiency and cost control, the financial sector turned to electronic signatures using facial recognition and other biometric recognition technologies. However, biometric recognition technology is rarely used simply for electronic signatures. A possible reason is that the compliance risks that may accompany use of e-contracts and electronic signatures in the realm of private rights are not widely known to users, and cannot be effectively identified.
This article considers China's laws and regulations on electronic signatures, e-contracts and the protection of personal information such as facial features, together with regulatory norms in related fields, and briefly analyses the main compliance issues that may be involved in applying facial recognition-based electronic signatures to sign e-contracts in the financial sector.
TRUSTED FINANCIAL E-CONTRACTS
According to article 469 of the Civil Code, the law recognises the use of data messages as a contract signing method. The Process Specification for Online Conclusion of Electronic Contracts (Draft for Comments) issued by the Ministry of Commerce defines an e-contract as an agreement concluded between subjects with equal status, namely natural persons, legal persons and other organisations, to establish, alter and terminate the civil right-obligation relationship with data messages as the carrier by means of electronic communication.
Therefore, e-contracts are not an innovative concept completely separate from traditional contracts, and their purpose is to achieve the same effect as traditional contracts after signing. This aligns with the core goal of risk control for e-contracts, which is to ensure the legal effect of e-contracts is equal to that of paper contracts.
The Civil Code does not clarify the effective elements of e-contracts but, based on the factors taken into account in signing and entry into force of traditional contracts, combined with the generation mode of e-contracts, plus the four national standards for e-contracts and provisions of the Electronic Signature Law, a reliable electronic signature should be considered a key element for an e-contract’s validity.
The signing and effective elements for e-contracts to achieve the same function as traditional paper contracts are: (1) confirmed identity of subjects signing the contract; (2) reliable electronic signature; (3) the contract cannot be unilaterally tampered with after signing; and (4) the contract may be used as evidence and has the legal effect of the original.
The Electronic Signature Law does not limit ways to implement an electronic signature but, from the perspective of affecting the validity of e-contracts, electronic signatures can be distinguished as reliable and general. Articles 13 and 14 of the Electronic Signature Law expressly stipulate the elements of reliable electronic signatures.
The Electronic Signature Law does not specifically define the implementation method or technical means of electronic signatures. Applying facial recognition technology to signing e-contracts does not go beyond the generally accepted boundary of implementing electronic signatures. Compared with general personal information, biometric information, such as facial features, is characterised by strong recognisability, unchangeability, non-anonymity and irreplaceability, meeting the four characteristics required for reliable electronic signatures. Theoretically speaking, provided the four characteristics are met, biometric information can be identified as a reliable electronic signature defined by law.
MAJOR COMPLIANCE ISSUES
Handling sensitive personal information. Information-intensive financial institutions should pay more attention to protecting sensitive personal biometric information when using the information for electronic signatures.
Use of biometric information for electronic signatures should follow the provisions of the Civil Code; the Provisions on Several Issues Concerning the Application of Laws in the Trial of Civil Cases Related to Processing of Personal Information by Using the Facial Recognition Technology; the Personal Information Protection Law; and other laws and regulations protecting sensitive personal information.
In particular, when dealing with sensitive personal information, authorisation via broad or presumed consent is prohibited by law. Acquired facial biometric information should be stored properly and the retention time determined based on the principle of minimum necessity.
Attention should be paid to distinguishing the elements required for using facial recognition purely as a means of identity verification from those required for using it as an implementation method for reliable electronic signatures. If biometric recognition such as facial recognition is intended to be the implementation method for financial e-contract signatures, ensure that the four basic characteristics required for reliable electronic signatures are met.
Avoid using biometric features as the only form of signature. When formulating signing terms for e-contracts, financial institutions should not offer only one or a limited number of signature options, or prevent users from making a choice. The Regulations on Network Data Security Management (Draft for Comments), issued by the Cyberspace Administration of China on 14 November 2021, prohibit use of biometric features including face, gait, fingerprint, iris and voiceprint as the only means of personal identity authentication. Therefore, a variety of options for implementing electronic signatures should be provided in e-contracts.
Electronic data storage and evidence presentation. To ensure financial e-contracts signed with electronic signatures using facial recognition meet the standards for judicial review and determination, financial institutions should fully notarise the electronic evidence involved in transactions and ensure they have satisfactory electronic evidence storage.
Yao Xiaomin is a partner and Zhang Xiaoke is an associate at Lantai Partners