Your Face Is the New ATM PIN and the Bank Forgot to Mention It
Philippine banks are piloting facial recognition at ATMs and tucking the opt-out deep in the app. Convenience is the pitch. Consent is the part nobody read.
Walk up to certain ATMs in Metro Manila this year and there is a fair chance the screen will ask you to look at the camera before it asks for your PIN. Some prompts call it a pilot. Some call it an upgrade. Almost none of them call it what it is: a banking system that wants a scan of your face on file, often after a consent flow most customers blew past.
The rollout has been quiet on purpose. There has been no town hall, no press conference, no Senate hearing. Industry communication has mostly been a push notification, a long Terms update, and an enrollment prompt designed to feel routine.
Buried where you won't find it
The opt-out usually exists somewhere. It is just engineered to be a pain. In most banking apps, the enrollment for facial features sits on the home screen with a smiling stock photo next to it, while the switch to refuse or disable it lives several taps deep, under security or authentication sub-menus that change names every product update.
That asymmetry is the product. One path is a single tap. The other requires you to know what you are looking for and to keep tapping past where any normal person stops.
Banks will tell you the scan is encrypted, stored locally, processed on-device, hashed, tokenized, pick your buzzword. What they tend not to spell out in plain Tagalog or plain English is how long the template is retained, whether the camera software comes from a third-party vendor with its own data practices, and what happens to your face data if you close the account.
The BSP rules everyone is racing past
The Bangko Sentral has guidelines on biometric authentication. The National Privacy Commission has rules on consent being freely given, specific, and informed. Privacy advocates argue that a toggle hidden inside an app most people open only to check if their salary landed is not freely given consent. It is consent by exhaustion.
The pitch is fraud prevention. Card skimming is real. Account takeovers are real. Nobody is arguing that ATM security should stay frozen in 2008. The question is who decided that the fix is a permanent biometric on a private server, and why that decision happened without anyone outside the bank's product team in the room.
What a face scan actually costs you
A PIN you can change. A password you can reset. A face you cannot. Once a biometric template leaks, and Philippine institutions across government and the private sector have a long, documented track record of leaks, it leaks forever.
The institutional pattern after every breach has been familiar: an email apology in corporate English, a vague promise of audits, sometimes a free year of credit monitoring nobody signed up for. None of that gives you a new face.
If you want out, here is the boring part. Open your banking app. Dig into Settings, then look for anything labeled security, biometrics, or face verification. Turn off what you can. Screenshot the confirmation. Then walk into the branch and ask, in writing, that any enrolled biometric template be deleted under the Data Privacy Act. Keep the receipt. The teller will look confused. Wait anyway.
