China’s guidelines for facial recognition payments stress biometric data protection
The Payment & Clearing Association of China has introduced its first guidelines for facial recognition payments, addressing user consent and biometric data collection and storage, writes Caixin Global.
Biometric payment terminals are gaining popularity in emerging markets such as India and China, with global transaction values estimated at $254 million in 2024, compared to just $84 million in 2019.
According to the new rules, companies need to encrypt facial image data and store it separately from details such as bank numbers and other personal information. Merchants and other companies receiving the transaction are not allowed to retain facial image information.
Financial institutions in the country should enter into agreements with merchants to prevent intermediaries from retaining biometric facial images; they should give consumers the option to choose or decline facial recognition-enabled payments; and they must clearly explain the service agreement, explains Wang Xinyue, a senior partner at Beijing law firm Anli Partners.
However, verification should not be solely based on facial prints, the guidelines state. Depending on risk, multi-factor authentication should be introduced for extra security. Should institutions fail to properly verify identification, they need to have a compensation mechanism, and budget for risk plans, insurance and emergencies.
Facial recognition payments in China are even accepted by street vendors, but the technology is still not regulated under the law. Wang believes self-regulation is a great option for the time being, because an industry agreement can help further innovation and prevent risk.
Chinese companies Tencent and Alibaba Group were the first to introduce facial recognition payments and currently monopolize China’s third-party mobile payment market.
Caixin sources say Tencent and government-owned China UnionPay have partnered on a facial recognition payment project.
International interest in data retention policies is growing. Last year, Northern Ireland police published a formal public policy on biometric data retention as part of a settlement agreement for a court case brought by the Northern Ireland Human Rights Commission (NIHRC).