
Biometric Verification: Fingerprint, Facial and Voice

Biometric verification for Canadian compliance: fingerprint, facial and voice recognition under PIPEDA, Loi 25, PCMLTFA, FINTRAC CDD obligations, and OPC guidance on biometric data.

CheckFile Team

Biometric verification is the 1:1 comparison of a live biometric sample against a previously enrolled reference template to confirm that a person is who they claim to be. It covers fingerprint, facial and voice recognition. In Canada, these processing activities are governed by federal privacy legislation — principally the Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c. 5 — as well as provincial laws, most stringently Quebec's Loi 25 (An Act to modernize legislative provisions as regards the protection of personal information), and financial sector obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), SC 2000, c. 17, administered by FINTRAC.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Requirements vary by jurisdiction and sector. Consult a qualified professional for guidance specific to your situation. This article reflects the Canadian regulatory landscape as of April 2, 2026.

What Is Biometric Verification?

Biometric verification performs a 1:1 match between a live biometric sample and a stored template linked to a known individual. It is fundamentally different from biometric identification, which compares a sample against an entire database of unknown individuals (1:N matching). This distinction has direct regulatory consequences in Canada, particularly under PIPEDA's consent and proportionality requirements, the Office of the Privacy Commissioner (OPC) guidance on biometric surveillance issued in 2021, and the Quebec Commission d'accès à l'information (CAI) requirements under Loi 25.

Biometric data is classified as sensitive personal information under PIPEDA Schedule 1, Principle 4.3.4, and under Quebec Loi 25 Article 12. This classification triggers enhanced consent obligations, heightened security requirements, and — in Quebec — notification to the CAI before operating any biometric database used to identify natural persons (Loi 25, Article 44).

The Three Primary Modalities

| Modality | Mechanism | Typical EER | Common Use Cases |
|---|---|---|---|
| Fingerprint | Minutiae analysis (ridges, bifurcations) | 1–2% | Access control, mobile KYC |
| Facial recognition | Facial geometry, 3D landmarks | 0.1–2% | Remote onboarding, e-KYC |
| Voice recognition | Spectral voiceprint analysis | 2–5% | Phone authentication, call centres |
| Iris | Unique iris pattern analysis | 0.01% | Border control, high-security access |

The Equal Error Rate (EER) is the operating point at which the False Acceptance Rate (FAR) equals the False Rejection Rate (FRR). For high-security deployments, the target FAR is below 0.01%. A lower EER indicates a more accurate system.

Canadian regulators have drawn attention to the distinction between verification and identification primarily in the context of surveillance. The OPC's 2021 investigation into Clearview AI (OPC findings, 2021-02-02) confirmed that facial recognition operated in 1:N identification mode — scraping images to identify individuals without consent — constituted a serious violation of PIPEDA. Biometric verification in regulated financial onboarding contexts, where an individual's Canadian passport or provincial driver's licence is matched against a live selfie, is a different operation: consent-based, purpose-limited, and proportionate. The regulatory treatment differs accordingly, but the enhanced sensitivity of biometric data under PIPEDA and Loi 25 applies regardless of the matching mode.

The Regulatory Framework

PIPEDA: Biometric Data as Sensitive Personal Information

Under PIPEDA, Schedule 1, Principle 4.3.4, biometric data is explicitly identified as sensitive information requiring a higher level of protection. The ten fair information principles of PIPEDA apply to all biometric processing by private sector organisations:

  • Principle 4.1 (Accountability): The organisation is responsible for personal information under its control. This includes biometric templates held by third-party processors.
  • Principle 4.2 (Identifying Purposes): Purposes for biometric collection must be identified at or before the time of collection.
  • Principle 4.3 (Consent): Meaningful consent — generally express consent for sensitive data such as biometrics — is required. Consent obtained under duress or as a condition of service where biometric use is not necessary is not meaningful consent.
  • Principle 4.4 (Limiting Collection): Collection is limited to what is necessary for the identified purposes.
  • Principle 4.5 (Limiting Use, Disclosure, Retention): Biometric data shall not be used or disclosed for purposes other than those for which it was collected, and must be retained only as long as necessary.
  • Principle 4.7 (Safeguards): Security safeguards appropriate to the sensitivity of biometric data must be applied.

A Privacy Impact Assessment (PIA) is considered best practice — and in practice required under OPC guidance — before deploying any biometric system. The OPC's 2011 guidance on biometrics and the 2021 biometric surveillance guidance both confirm that collecting biometrics without a PIA creates a systemic compliance gap.

Quebec Loi 25: The Strictest Provincial Regime

Quebec's Loi 25 imposes obligations beyond PIPEDA and represents the most stringent provincial privacy framework in Canada. Key provisions affecting biometric verification:

  • Article 12: Personal information that is sensitive — including biometric data — is subject to enhanced protection measures.
  • Article 44: Any person who operates a biometric database to identify, locate or profile natural persons must notify the Commission d'accès à l'information (CAI) before operating that database. This notification obligation applies to verification systems that maintain enrolled biometric templates.
  • Article 63.1: Privacy Impact Assessments are mandatory for any project involving the collection of personal information from Quebec residents where there is a risk of privacy harm.
  • Article 8: Technology-based data collection that is not apparent to the individual — including passive liveness detection or background biometric analysis — requires specific disclosure.
  • Article 25: Personal information must be destroyed or anonymised when the retention period expires. Biometric templates are subject to this requirement.

Enforcement: The CAI has order-making powers and can impose administrative monetary penalties of up to $25 million CAD or 4% of worldwide turnover for violations of Loi 25.

Bill C-27: The Proposed Federal Privacy Reform

Bill C-27 (Digital Charter Implementation Act, 2022) proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and establish a new Personal Information and Data Protection Tribunal. As of April 2026, Bill C-27 has not yet received Royal Assent. Key proposed changes relevant to biometric verification include:

  • A codified definition of "sensitive information" that encompasses biometric data.
  • Consent exemptions for legitimate business activities, subject to a privacy interest assessment.
  • Administrative monetary penalties of up to $10 million CAD or 3% of global gross revenues for standard violations, and up to $25 million CAD or 5% of global gross revenues for serious violations.
  • A right to transparency regarding automated decision-making systems that use biometric data.

Organisations should monitor Bill C-27's progress and build compliance programmes that satisfy both current PIPEDA obligations and the anticipated CPPA requirements.

PCMLTFA and FINTRAC: AML/KYC Obligations

Biometric verification in financial services is governed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA, SC 2000, c. 17) and FINTRAC's implementing regulations. Reporting entities — banks, credit unions, money services businesses, securities dealers and others — are required to verify the identity of clients in accordance with the PCMLTFA Regulations (SOR/2002-184).

FINTRAC permits identity verification through:

  1. Government-issued photo identification: Canadian passport, provincial driver's licence, PR Card, or other government-issued photo ID.
  2. Credit file method: Confirming identity through a credit file in Canada that has been in existence for at least three years.
  3. Dual-process method: Using two pieces of information from reliable sources.
  4. Affiliate or member method: Confirmation from a financial institution affiliate.

Biometric verification supports the government-issued photo identification method when a live selfie is matched against the photo on a Canadian passport (passport number format: two letters followed by six digits) or provincial driver's licence. FINTRAC's guidance on digital identity verification (September 2023 update) confirms that biometric facial verification can satisfy the photo identification method when the biometric system and the process for verifying documents meet appropriate technical standards.

FINTRAC also issues guidance on ongoing monitoring obligations: biometric verification of returning clients at transaction thresholds must be integrated into the broader AML compliance programme, including suspicious transaction reporting obligations under PCMLTFA Section 7.

OPC and the 2021 Biometric Surveillance Guidance

The OPC issued its investigation report into Clearview AI on February 2, 2021 (OPC investigation report, 2021-01-01 to 2021-02-02), jointly with the provincial commissioners of British Columbia, Alberta and Quebec. The findings established that:

  • Collecting biometric facial recognition data from publicly available online images without consent violates PIPEDA.
  • The mass collection of biometric data for commercial purposes cannot be justified by a legitimate interest where it lacks meaningful consent.
  • Biometric data has a unique and heightened sensitivity because it is permanently associated with the individual and cannot be changed if compromised.

This OPC guidance applies directly to any commercial entity deploying facial recognition in a manner that captures biometric data from individuals who have not consented — including in retail, security and customer service contexts.

IRCC Biometrics: Immigration Context

Immigration, Refugees and Citizenship Canada (IRCC) requires biometric collection (fingerprints and a photo) from most foreign nationals aged 14 to 79 applying for a temporary resident visa, study or work permit, or permanent residence. This programme, administered under the Immigration and Refugee Protection Act (IRPA, SC 2001, c. 27), is separate from private sector biometric compliance obligations but informs the broader regulatory environment in which biometric data is used for identity purposes in Canada. The Permanent Resident Card (PR Card) serves as the primary identity document for landed immigrants and is accepted for FINTRAC identity verification purposes.

NIST Benchmarks and Canadian Adoption

NIST Face Recognition Vendor Testing (FRVT) benchmarks are referenced by Canadian federal agencies and financial institutions as the standard for evaluating facial recognition system accuracy and demographic fairness. The RCMP's use of NEC NeoFace facial recognition — subject to an OPC investigation concluded in 2021 (OPC Investigation of the RCMP's Use of Clearview AI) — highlighted the need for documented accuracy assessments using NIST-equivalent benchmarks before deploying facial recognition in law enforcement and regulated contexts.

Liveness Detection

Liveness detection is the technical layer that distinguishes a live person from a presentation attack — a printed photo, a 3D mask, or an injected deepfake video feed. It is an essential component of any remote biometric verification system.

Passive liveness detection — which analyses texture, depth and micro-motion without requiring any user action — reduces presentation attack success rates by over 95% in benchmarks conducted under ISO/IEC 30107-3, according to iBeta evaluation results (ISO/IEC 30107-3).

Active vs Passive Liveness

  • Active liveness: The user is prompted to perform a specific action — blink, turn their head, read a displayed code. Effective against static spoofs but introduces friction in the user journey.
  • Passive liveness: Analysis runs in the background without user instruction. It detects deepfakes, masks and digital video injection attacks. Recommended for low-friction onboarding flows.

For FINTRAC-regulated entities using biometric verification to satisfy the photo identification method for KYC, ISO/IEC 30107-3 Level 2 certification provides the appropriate technical benchmark. The absence of certified liveness detection creates a documented gap in the identity verification methodology and undermines the reliability of biometric evidence for PCMLTFA compliance purposes.

Performance Metrics

FAR, FRR and EER in Practice

  • FAR (False Acceptance Rate): The probability that an impostor is incorrectly accepted by the system. A FAR of 0.01% means that on average one fraudulent attempt in 10,000 succeeds.
  • FRR (False Rejection Rate): The probability that a legitimate user is incorrectly rejected. A high FRR generates friction, support costs and customer abandonment.
  • EER: The operating point where FAR equals FRR. It is the standard metric for comparing biometric systems. Typical values: fingerprint 1–2%, face 0.1–2%, iris 0.01%.

For regulated KYC applications, industry practice targets a FAR below 0.01% with ISO/IEC 30107-3 Level 2 certified liveness detection.
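
As an added illustration (not CheckFile's code), the following sketch computes FAR, FRR and the EER from match scores, picks an operating threshold for a target FAR, and shows how many error-free impostor comparisons a test needs before a FAR below 0.01% is statistically supported. The scores are constructed for the example and the function names are assumptions.

```python
import math

# Constructed similarity scores (higher = better match); not real evaluation data.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.97, 0.85, 0.62, 0.93, 0.90, 0.83]
IMPOSTOR = [0.12, 0.30, 0.25, 0.41, 0.18, 0.55, 0.35, 0.66, 0.22, 0.47]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    if not genuine or not impostor:
        raise ValueError("both score lists must be non-empty")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_rate(genuine, impostor):
    """Sweep observed scores as thresholds; return (eer, threshold) at the
    point where FAR and FRR are closest. With finite samples the two rates
    rarely cross exactly, so the EER is reported as their midpoint."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def threshold_for_target_far(genuine, impostor, target_far):
    """Lowest observed threshold whose measured FAR <= target_far.
    Returns (threshold, far, frr), or None if no observed score qualifies."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= target_far:
            return t, far, frr
    return None


def zero_error_upper_bound(trials, confidence=0.95):
    """One-sided upper confidence bound on the true error rate after
    `trials` independent attempts with zero observed errors."""
    return 1 - (1 - confidence) ** (1 / trials)


def min_trials_for_claim(target_rate, confidence=0.95):
    """Error-free independent trials needed before a rate <= target_rate
    is supported at the given confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - target_rate))


if __name__ == "__main__":
    eer, t_eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.1%} at threshold {t_eer}")
    print("FAR=0 operating point:", threshold_for_target_far(GENUINE, IMPOSTOR, 0.0))
    # Ten impostor trials with no false accept still leave a wide bound.
    print(f"95% bound on FAR with 10 clean trials: {zero_error_upper_bound(10):.1%}")
    print("Impostor trials needed for FAR <= 0.01%:", min_trials_for_claim(0.0001))
```

A measured FAR of zero on a small test set is therefore not evidence of a 0.01% FAR; the bound also assumes independent trials, so repeated attempts by the same subject count for less.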

CheckFile Platform Data

Our platform records a fraud detection recall of 94.8%, a false positive rate of 3.2%, and an average verification time of 4.2 seconds. Identity document fraud accounts for 19% of all document fraud detected — a figure that makes the combination of documentary analysis and biometric verification not merely best practice, but operationally necessary for institutions with meaningful fraud exposure.

Deployment: Best Practices

Matching Modality to Context

The appropriate biometric modality depends on the channel, the risk level and the regulatory requirements. Fingerprint scanning is well-suited to physical environments such as branches and kiosks. Facial recognition is the dominant choice for remote digital onboarding, particularly for verifying Canadian passports and provincial driver's licences at account opening. Voice recognition integrates naturally into telephone and call centre authentication flows.

Building a Layered Identity Verification System

Biometric verification alone does not satisfy AML due diligence obligations under the PCMLTFA. It must be combined with documentary verification (OCR analysis, forgery detection, MRZ validation of Canadian passports and PR Cards) and data verification (FINTRAC-compliant beneficial ownership checks, OSFI-regulated sanctions screening, Social Insurance Number (SIN) validation where applicable). This layered approach constitutes a compliant KYC programme under FINTRAC's compliance programme requirements (PCMLTFA Section 9.6).

For a broader view of how employers and regulated entities structure identity checks, see our article on background check documents and employer verification.

Practical Canadian Compliance Steps

  1. Privacy Impact Assessment (PIA): Conduct a PIA before any biometric system deployment, documenting the purpose, legal basis, data flows, security controls and retention schedule. Mandatory in Quebec under Loi 25, Article 63.1; best practice under PIPEDA OPC guidance for all provinces.
  2. Express consent: Obtain express, informed consent before collecting any biometric data. Consent must specify the purpose, the retention period, and any third-party disclosures. In Quebec, a technology-specific disclosure is required under Loi 25, Article 8.
  3. Quebec CAI notification: If operating a biometric database that identifies, locates or profiles individuals from Quebec, submit the required notification to the CAI before operation (Loi 25, Article 44). Include the purpose, the categories of data collected, and the security measures in place.
  4. FINTRAC CIP integration: Document the biometric verification method within the Customer Identification Program and link biometric evidence to the PCMLTFA-required identity verification record. Ensure the biometric process satisfies FINTRAC's photo identification method requirements.
  5. Retention and destruction: Define retention periods before deployment. Biometric templates must be destroyed or anonymised when the purpose for collection has been fulfilled (PIPEDA Principle 4.5; Loi 25, Article 25). Automated deletion processes should be implemented and documented.
  6. Third-party processor agreements: Under PIPEDA Principle 4.1, accountability for biometric data transferred to processors remains with the collecting organisation. Written data processing agreements must require processors to meet equivalent privacy and security standards, including prohibition on secondary use.
  7. Breach notification: Under PIPEDA Section 10.1, organisations must report to the OPC and notify affected individuals of any breach of security safeguards involving personal information that poses a real risk of significant harm. Biometric template breaches will almost always meet this threshold given the permanent and irreplaceable nature of biometric data.

For more on document fraud detection techniques that complement biometric verification, see our article on AI document fraud detection.

Risks and Limitations

Biometric verification carries specific risks that differ from those of password-based authentication. Biometric templates are permanent: unlike a password or — subject to limited procedures — a Social Insurance Number (SIN), a compromised biometric template cannot be changed. Injection attacks — where a synthetic video stream is substituted for the camera feed — bypass systems without certified liveness detection. Algorithmic bias, documented in NIST FRVT results across race and gender groups, creates risk under the Canadian Human Rights Act (RSC 1985, c. H-6) and provincial human rights codes where biometric data informs employment or services decisions. The OPC has emphasised that the permanent nature of biometric data requires organisations to apply a higher standard of security than is applied to standard personal information (OPC, Key Steps for Organizations Collecting Biometric Information, 2023). Operators processing biometric data of Canadian residents through offshore processors must address PIPEDA's accountability principle (Principle 4.1) and, in Quebec, the cross-border transfer provisions of Loi 25, Article 17, which require a Privacy Impact Assessment before any transfer outside Quebec.


Frequently Asked Questions

Is biometric verification required for KYC compliance under PCMLTFA?

Biometric verification is not universally mandated for KYC under the PCMLTFA. FINTRAC permits multiple identity verification methods including documentary, credit file, and dual-process methods. Biometric facial verification supports the photo identification method when a live selfie is matched against a government-issued photo ID such as a Canadian passport or provincial driver's licence. It becomes the practical standard for remote digital onboarding where in-person verification is not feasible, and where the risk profile of the customer segment warrants a higher assurance level.

Yes. The OPC has consistently confirmed that biometric data requires express consent rather than implied consent, given its heightened sensitivity under PIPEDA Schedule 1, Principle 4.3.4. This means the individual must be clearly informed of the purpose of collection, the retention period, and any third-party disclosures, and must actively agree before collection begins. In Quebec, Loi 25 imposes additional technology-specific disclosure requirements under Article 8 and prohibits biometric collection where a less privacy-invasive alternative is available to achieve the same purpose.

What is liveness detection and why is it necessary?

Liveness detection verifies that the biometric sample comes from a physically present person, rather than a photograph, mask or deepfake. Without this layer, a facial verification system can be defeated by a printed photo or a recorded video. ISO/IEC 30107-3 Levels 1 and 2 are the market reference standards for presentation attack detection. For FINTRAC-regulated entities, the absence of liveness detection in a remote digital onboarding flow creates a documented gap in the identity verification methodology. The OPC has noted that biometric systems deployed without adequate technical safeguards against spoofing may fail the PIPEDA Principle 4.7 safeguards requirement.

How should biometric templates be handled under PIPEDA and Loi 25?

Under PIPEDA Principle 4.7, biometric templates must be protected by security safeguards appropriate to their sensitivity — including encryption at rest and in transit, access controls, and audit logging. Under Principle 4.5, templates must be destroyed or anonymised as soon as the purpose for collection is fulfilled. Quebec Loi 25, Article 25 imposes the same destruction requirement with a deadline tied to the purpose of collection. Because a compromised biometric template cannot be replaced, the standard of care for template storage must be higher than that applied to other personal information. Incidents involving biometric template breaches must be reported to the OPC under PIPEDA Section 10.1 where there is a real risk of significant harm.

What is the Quebec CAI notification requirement for biometric databases?

Under Loi 25, Article 44, any person who operates a technology — including a biometric verification system — that allows for the identification, location or profiling of natural persons must notify the Commission d'accès à l'information (CAI) before putting it into operation. This obligation applies to organisations that maintain enrolled biometric templates for the purpose of verifying individuals over time. The notification must include the purpose of the database, the categories of personal information collected, the security measures in place, and the retention period. Failure to notify the CAI is an offence under Loi 25 and can result in administrative monetary penalties of up to $25 million CAD or 4% of worldwide turnover.


Biometric verification is a technically mature, legally regulated capability that forms an increasingly central part of compliant identity verification programmes in Canada. Deploying it responsibly requires a clear understanding of PIPEDA's sensitivity-based consent framework, Quebec Loi 25's CAI notification and assessment obligations, FINTRAC's KYC requirements under the PCMLTFA, and the technical standards that govern liveness detection and accuracy.

CheckFile provides a document and identity verification platform that integrates biometric analysis within a layered, PCMLTFA-compliant framework. Explore our security architecture, compare pricing plans based on your verification volume, or visit our fraud and data guide for a broader view of the threat landscape.
