Authored by Anthony Kimery via BiometricUpdate.com,
When employees begin reporting to JPMorgan Chase’s new Manhattan headquarters later this year, they will be required to submit their biometric data to enter the building.
The policy, a first among major U.S. banks, makes biometric enrollment mandatory for staff assigned to the $3 billion, 60-story tower at 270 Park Avenue.
JPMorgan says the system is part of a modern security program designed to protect workers and streamline access, but it has sparked growing concern over privacy, consent, and the expanding use of surveillance technology in the workplace.
Internal communications reviewed by the Financial Times and The Guardian confirm that JPMorgan employees assigned to the new building have been told they must enroll their fingerprints or undergo an eye scan to access the premises.
Earlier drafts of the plan described the system as voluntary, but reports say that language has quietly disappeared. A company spokesperson declined to clarify how data will be stored or how long it will be retained, citing security concerns. Some staff reportedly may retain the option of using a badge instead, though the criteria for exemption remain undisclosed.
The biometric access requirement is being rolled out alongside a Work at JPMC smartphone app that doubles as a digital ID badge and internal service platform, allowing staff to order meals, navigate the building, or register visitors.
According to its listing in the Google Play Store, the app currently claims “no data collected,” though that self-reported disclosure does not replace a formal employee privacy notice.
In combination, the app and access system will allow the bank to track who enters the building, when, and potentially how long they stay on each floor, a level of visibility that, while defensible as security modernization, unsettles those wary of the creeping normalization of biometric surveillance in the workplace.
Executives have promoted the new headquarters as the “most technologically advanced” corporate campus in New York, and that it is designed to embody efficiency and safety. Reports suggest that the decision to make biometrics mandatory followed a series of high-profile crimes in Midtown, including the December 2024 killing of UnitedHealthcare CEO Brian Thompson. Within the bank, the justification has been framed as protecting employees in a volatile urban environment.
Yet, the decision thrusts JPMorgan into largely uncharted territory. No other major U.S. bank has been publicly documented as requiring its employees to submit biometric data merely to enter a headquarters building.
In other contexts, biometrics in finance have been used primarily for authentication. U.S. Bank, for example, has tested voice biometrics to replace passwords for certain customer-service and internal systems. The pilot aimed to reduce friction and fraud risk, not to manage physical access.
Other large banks, from Citigroup to Bank of America, have explored biometric technologies internally, but there is no evidence any have adopted a mandatory, company-wide biometric entry policy.
Industry analysts say that while JPMorgan’s move is unusual, it aligns with a broader pattern. “Banks and financial organizations use biometrics as internal control, securing staff access to sensitive data and restricted areas,” said an assessment by HID.
That logic – tying biometric verification to high-risk environments such as trading floors or data centers – has long guided the sector’s security philosophy. JPMorgan though is applying the same logic to an entire corporate headquarters, covering thousands of workers from senior executives to administrative staff.
The legal environment helps explain why this can happen in New York but would be riskier in states like Illinois. Unlike Illinois’s Biometric Information Privacy Act which requires written consent, retention schedules, and penalties for misuse, New York has no comparable statute regulating employer use of biometric data.
A 2021 New York City ordinance mandates signage and bans the sale of biometric identifiers in public-facing establishments but explicitly exempts financial institutions. That leaves JPMorgan’s policy largely governed by internal privacy statements and whatever contractual assurances exist with its technology vendors.
In its London offices, JPMorgan already uses a voluntary hand-geometry system to control access to secure zones which the company says stores only encrypted templates that it cannot reverse-engineer.
The mandatory program in New York appears to build on that experience, though the bank has not released technical details about encryption, storage, or data segregation between systems. Nor has it disclosed whether a third-party vendor will manage the biometric templates or if they will be housed on JPMorgan servers.
Critics warn that the bank’s decision could normalize coercive data collection across white-collar workplaces. Biometric identifiers are immutable. Once compromised, they cannot be replaced like a password or badge.
Labor-rights attorneys note that, even if employees technically consent, the choice is illusory when access to one’s job depends on enrollment. They also point out that biometric logs could theoretically be correlated with productivity or attendance data, creating a new vector for workplace monitoring.
Still, corporate adoption is accelerating, propelled by a security industry eager to market “frictionless” access control. Vendors pitch biometrics as faster and more reliable than keycards or PINs, eliminating lost credentials and streamlining compliance audits.
In sectors handling large financial transactions, the case for stronger authentication is easy to make. For banks that have weathered cyber-attacks and insider threats, the allure of definitive identity verification is powerful.
The unanswered questions revolve around governance and accountability. Will JPMorgan publish a formal biometric privacy policy for employees, outlining how long data is retained and under what conditions it will be deleted? Who audits the system? What rights do workers have to challenge inaccuracies or demand erasure? None of that is public.
The bank has remained silent even as press coverage intensifies.