On 27 April 2017, the CNIL authorised nine financial institutions to implement, on an experimental basis, a device for authenticating customers by voice recognition. The CNIL recognised that this type of authentication method is more user-friendly than others. However, the CNIL stated that the project must comply with the following requirements: prior consent of the data subjects; limited duration; limited scope; guarantees in terms of confidentiality; and a project review at the end. In relation to biometric identification, the CNIL stated that it favoured systems under which the data subject retains control over their biometric data. This involves storing the biometric data on a device held by the data subject or in a database in an encrypted format for which only the data subject holds the key. Finally, the CNIL noted that, under the GDPR, any such project would first be subjected to a Privacy Impact Assessment.