Voice Biometrics - Antifraud FAQ
Overview
This page provides answers to frequently asked questions regarding Omilia's Voice Biometrics (VB) technology.
Frequently Asked Questions
How is consent for voice biometric recognition obtained from customers?
The customer (e.g., a bank) is responsible for ensuring regulatory compliance when using Omilia’s VB functionality. This includes implementing appropriate consent mechanisms, for example through an Interactive Voice Response (IVR) system.
How are biometric recordings stored and secured?
Biometric recordings are considered Personally Identifiable Information (PII). Omilia's Storage Service stores these recordings in Amazon Web Services (AWS) S3 buckets. All buckets are encrypted at rest by default using Server-Side Encryption with AWS Key Management Service keys (SSE-KMS).
What are the regulatory responsibilities for enabling Voice Biometrics?
The customer, acting as the data controller, is responsible for complying with all applicable privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These responsibilities include obtaining end-user consent and conducting any required Data Protection Impact Assessments (DPIAs).
As a data processor, Omilia adheres to the customer's agreed-upon instructions and assists with carrying out any required DPIAs. Omilia is also obligated to inform the controller if an instruction is believed to infringe upon the GDPR.
Who determines the retention period for biometric data?
Voice biometric data is retained using a global setting that currently applies a 2-year retention period. This is a technical requirement: continuously providing and improving our models for the customer requires retaining data over this timeframe to maintain quality and accuracy. We recommend that customers incorporate this 2-year retention requirement into their data processing instructions to us. Customers should also ensure that their legal basis for processing and their data protection notices to data subjects account for this retention period.
How does the system protect against artificial voice and vishing attacks?
The system incorporates Liveness Detection to protect against artificial voice-based attacks. Its features include:
Text-to-Speech (TTS) detection
Replay attack detection
Out-of-domain vocabulary detection (e.g., detecting off-topic speech during a banking call).
For more info, read the article.
How does the system identify a customer after their initial registration?
After a customer enrolls, the system verifies their identity on subsequent calls through the voice verification process.