Which banks in Canada, Australia and New Zealand mandate biometric authentication for online banking and what laws govern that practice?
Executive summary
Biometric authentication is spreading through banking products in Canada, Australia and New Zealand, but the reporting provided contains no definitive evidence that Canadian or New Zealand banks currently "mandate" biometric sign‑in for all online banking; in Australia some retail banks have rolled out or announced biometric requirements for specific journeys (for example voice authentication and new‑customer selfie matching) while regulators in all three jurisdictions have moved to tighten rules governing how biometric data may be used [1] [2] [3] [4]. Vendors and industry analysts frame biometrics as both a compliance response and a fraud‑fighting imperative, an angle that shapes much of the available coverage [5] [6].
1. Which banks mandate biometrics today — the evidence (and its limits)
Available sources provide concrete examples of banks deploying biometrics but stop short of documenting universal mandates: an Australian bank announced facial biometric matching for digital identity verification for new customers effective September 2025, illustrating an operational requirement for that onboarding path rather than a blanket mandate for every online login [1], and ANZ is cited as having launched voice authentication in mobile channels as an authorisation factor [2]; the materials supplied contain no named Canadian or New Zealand banks that legally require biometrics for all online banking access, and do not show regulatorally imposed mandates forcing banks to replace passwords with biometrics [3] [4].
2. What the regulatory landscape actually requires in Canada, Australia and New Zealand
Regulators have moved from permissive advice toward prescriptive controls: in Canada the Office of the Privacy Commissioner updated guidance on biometric information on 11 August 2025, signalling stricter expectations around collection, storage and proportionality though the guidance itself is not a statute and applies as supervisory direction to organisations handling biometric data [3]; Australia’s biometric legal environment is evolving with sector guidance and obligations tied into broader strong‑customer authentication expectations and privacy law commentary [7] [8]; New Zealand issued the Biometric Processing Privacy Code 2025, which came into force on 3 November 2025 with a compliance grace period until 3 August 2026 and imposes necessity, proportionality and specific handling rules on agencies undertaking biometric processing [4].
3. How banks are using biometrics in practice — consent, device templates and 'step‑up' flows
Banks are largely positioning biometrics as an optional or contextual control: vendors and banks emphasise local template storage and device‑based matches to reduce regulatory risk and meet consent expectations, and many deployments are implemented as multi‑factor or "step‑up" authentication when risk is detected (for example during onboarding, device binding or high‑value transactions) rather than as a single mandatory gate for every session [5] [8]. Industry commentary also highlights the rapid uptake of biometric options across financial services, but these pieces come with vendor and vendor‑friendly framing that emphasizes security benefits while downplaying risks such as deepfakes or consent friction [9] [10].
4. Conflicting narratives, vendor incentives and what’s still unknown
Commercial reporting and vendor blogs predict near‑universal adoption and stricter law harmonisation across G7 states, an optimistic projection that aligns with vendor revenue incentives and product roadmaps [6] [11]. The supplied sources reveal regulatory tightening in principle but do not document statutory mandates compelling banks to make biometrics compulsory; important gaps remain — notably, independent confirmation from individual bank policies in Canada and New Zealand, and specific statutory texts imposing mandatory biometric use — and the available materials should not be read as definitive proof of nationwide banking mandates in those countries [3] [4].
5. Practical takeaway for customers and policymakers
The trend is clear: banks in these markets will increasingly offer or require biometrics for particular high‑risk journeys, and regulators expect necessity, proportionality, informed consent and strong data‑handling safeguards — Canada’s OPC guidance and New Zealand’s Biometric Processing Privacy Code are concrete regulatory milestones to watch, while Australia’s evolving privacy and sectoral guidance shapes acceptable practice [3] [4] [7]. Where source material is silent — specifically on legally binding mandates for all online banking in Canada and New Zealand — the record is inconclusive and further primary documentation from individual banks and statutory texts would be required to prove a blanket mandate [3] [4].