Implemented throughout the United States on August 25, 2011, as part of the Federal Bureau of Investigation's (FBI's) Next Generation Identification (NGI) system. The NGI system compares the fingerprints in its database against a registry of 2.5 million sets of fingerprints of people such as wanted persons, known or suspected terrorists, and sex offenders. The database is designed to include individuals who are repeat offenders of the most serious crimes.

RISC was tested in several states for two years prior to national implementation. While some jurisdictions have local versions of RISC, RISC is the only national database that can assist in identifying individuals wanted for serious crimes in other states.

RISC is a searchable subset of the NGI database's worst offenders, including high-risk offenders such as wanted persons, sex offenders, known or suspected terrorists, and other persons for which rapid identification is needed. RISC seeks to assist law enforcement officers in quickly identifying possible risks presented by suspects and other individuals encountered during traffic stops and other, similar situations. Using this database allows law enforcement to screen detainees and criminal suspects against the database. Through better and more accurate technology such as RISC, the FBI claims that it is providing a more efficient and more effective service. To use the RISC system, a law enforcement officer using a mobile device takes two fingerprints from a subject and remotely queries the database to retrieve results within ten seconds. RISC currently assists thousands of state and local police officers capture and submit images of fingerprints using mobile devices. RISC is authorized under 28 U.S.C. Sections 533 and 534. Supplemental regulatory authorities include 28 C.F.R. Section 0.85, part 20, and 50.12.

A key benefit of RISC for law enforcement is that it makes the searches of NGI by authorized users in field settings much faster and more efficient. Other important benefits include greater protection for the public and law enforcement personnel, enhanced investigative support, and reduced impact of law enforcement activities on innocent persons with biographic similarities to persons of investigative interest.

Authorized NGI users submit a query to RISC electronically using a maximum of ten fingerprints, usually in interaction with potential suspects or similar encounters. The fingerprints are captured by a mobile fingerprint device and transmitted wirelessly to the user agency's existing criminal justice infrastructure, then on to RISC. The submission results in an automated search of RISC records and a generation of response within seconds of the submission. The response is forwarded to the requestor's mobile device. RISC responses are either red, yellow, green, or reject:

In all cases, the RISC response is based solely on a search of RISC, and a negative response from RISC does not necessarily preclude the possibility of responsive records in other biometric or name-based repositories. Also, RISC users may not rely solely on RISC responses to initiate any law enforcement action. Instead, search responses are intended to provide potential links between submitted images and true identities that must be considered with the totality of information available to officers or investigators.

For several reasons, RISC implicates major privacy concerns. In safeguarding privacy and protecting the public's rights and civil liberties, NGI is subject to the same security protections, access limitations, and quality control standards as currently exists for the Integrated Automated Fingerprint Identification System (IAFIS).

A RISC search submitted from a mobile device is not designed or expected to take the place of customary booking procedures that utilize ten-print submissions. The FBI emphasizes to all system users that RISC responses are not to be considered “positive” identifications and must be used only as investigative aids together with other investigative processes and information. In addition, a RISC search makes available biometric-based searches in time-sensitive situations where previously only name-based searches were viable. These biometric-based checks can provide more accuracy than name-based checks alone, reducing the number of erroneous identifications in these situations.

One privacy vulnerability is that RISC's enhanced search-and-response capabilities provide an increased ability to locate information about a specific person that might not otherwise be discovered as quickly or as efficiently, or might never be discovered at all. Although information in NGI and NCIC has been lawfully acquired and accessible to authorized NGI and NCIC users, currently that information may be more functionally obscure as a result of users having to check multiple systems separately or encountering longer response times. This risk is mitigated, however, by the advantages of being able to move quickly and accurately to locate responsive information about a specific person. This capability permits more complete and timely investigative analysis, including more effective and efficient identification of perpetrators and persons who may present increased threats to the safety of the public and law enforcement personnel. The privacy risk is also mitigated by facilitating a more rapid means to eliminate misidentifications and/or rule out concerns that could adversely affect innocent persons.

Another privacy risk could be the intake of records that do not belong in the RISC repository. This risk is mitigated by Criminal Justice Information Services (CJIS) procedures that ensure that fingerprints of wanted KSTs and sex offenders are appropriately flagged as they are entered into IAFIS. RISC extracts records based on those flags.

RISC searches are available only to users authorized to initiate searches of NGI and NCIC for authorized law enforcement or national security purposes. Routine uses for information in NGI are currently promulgated in the system of records notice (SORN) for the FBI Fingerprint Identification Records System (FIRS), and routine uses for information in NCIC are promulgated in NCIC's SORN. In addition to routine use disclosures, this information may be disclosed under other circumstances authorized by the Privacy Act, including disclosures to those Department of Justice (DOJ) personnel who need the information in the performance of their duties.

The results of RISC searches are used by law enforcement officers as leads to determine the identity and relevant history of the subject and take appropriate investigatory action, and, if necessary, precautions for the protection of the investigating law enforcement officer.

The Justice Department may make RISC submissions and receive suspect information similar to other state, local, and federal law enforcement partners. This will primarily encompass the following Justice Department agencies whose missions typically involve interactions in field settings with persons associated with criminal activity or otherwise having a lawful investigative or national security interest: the FBI, the Drug Enforcement Administration (DEA), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the Federal Bureau of Prisons (BOP), the U.S. National Central Bureau of the International Criminal Police Organization (INTERPOL), and the United States Marshals Service (USMS). In addition, any DOJ component that has previously submitted a latent fingerprint to the NGI ULF file will be notified if a RISC submission hits on that latent fingerprint.

The results of RISC searches are given primarily to authorized NGI and NCIC users to alert a submitting agency's on-scene employees in real time whenever the subject of a RISC submission may be a wanted person, registered sex offender, known or appropriately suspected terrorist, or other person of heightened investigative interest or who may present increased risk to the public and/or to law enforcement personnel.

As RISC searches are being done in the conduct of criminal investigations or issuance of arrest warrants, the affected individuals may not always be specifically aware that personal information is being collected and disseminated. It is the Justice Department's view that individuals planning or engaging in criminal activities may reasonably be charged with constructive knowledge that law enforcement will seek to collect and lawfully disseminate all relevant information to identify them and to deter or prevent them from committing crimes.

Because the information in the RISC subset is collected in connection with law enforcement investigations and/or processing, the suspects involved in these investigations generally do not have the right or opportunity to object to the collection of this information by the source agencies, nor to the forwarding of the collected information for retention in NGI and/or NCIC, nor to the collation of the RISC subset from information in NGI.

Whether certain individuals have the right or opportunity to object to the collection of the fingerprints used to initiate a RISC check, and the consequences for objecting, depends on the location and circumstances of the particular field encounter from which the fingerprints were obtained. All collections must be lawfully obtained under the laws, regulations, and policies to which the agency that obtained the fingerprints may be subject. In many instances, the fingerprints for RISC checks may be collected in connection with law enforcement investigations and/or processing in which the individuals generally may not be accorded the right or opportunity to object to the collection. In other instances, however, a submitting agency may be required under its governing laws, regulations, and/or policies to provide an individual with the right or opportunity to object to the collection; personnel of an encountering agency may, according to their discretion, voluntarily elect to ask an individual to consent to the collection. In some situations where an individual declines to consent to collection, the agency may nonetheless be entitled to proceed with nonconsensual collection based on alternative authority. In other situations, however, an individual's failure to consent may be controlling, and the encountering agency will have to forego the collection and resolve the encounter without the benefit of a RISC check. Even where an individual is able successfully to decline to be subject to a RISC check, the consequences vary. In some circumstances, a RISC check does not affect the eventual outcome of an encounter, so the declination will have no consequences to the individual. In other circumstances, the results of the RISC check could have altered the outcome of an encounter. This might result in an individual's avoiding further law enforcement interest if the encountering agency were aware of derogatory RISC information (e.g., a red, or hit, response), but it could result in an individual's being subjected to prolonged law enforcement interest that might have been avoided if the encountering agency were aware of a nonderogatory RISC response (e.g., a green or no-hit response).

Because of the nature of RISC interactions with suspects, 28 C.F.R. Sections 16.30–16.34 and 20.34 provide the only means for access and amendment of criminal history records. Under these regulations, a subject of an FBI identification record may obtain a copy of his or her own record for review and correction. If the subject thereof believes, after reviewing his or her identification record, that it is incorrect or incomplete in any respect and wishes changes, corrections, or updating, he or she should make application directly to the agency that contributed the questioned information. The subject may also direct his or her challenge to the FBI CJIS Division. The FBI will then forward the challenge to the agency that submitted the data, requesting that agency to verify or correct the challenged entry.

The opportunity to seek access to or redress information in the source records of a contributing federal, state, local, or tribal agency is controlled by the laws and procedures applicable to that agency. To the extent that an agency that contributes information to NGI and/or NCIC has a process in place for access to or correction of the contributing agency's source records, individuals may avail themselves of the process, and if this results in a correction of the source records, the contributing agency should in turn make appropriate corrections in the information contributed to NGI and/or NCIC.

RISC is subject to the same extensive security protections, access limitations, and quality control standards in existence for NGI. Previously identified risks related to potential misuse of the system have been addressed via training, audits, and sanctions. To mitigate any potential risks in these areas, NGI data and infrastructure (which encompasses RISC) are maintained within FBI-controlled secure, restricted areas and are accessible only by authorized personnel. Wireless transmissions and mobile devices outside FBI control are subject to the CJIS Security Policy.

Data integrity, privacy, and security remain a significant part of the enhanced system and the NGI contract. The developer is required to follow all CJIS Division guidelines, appropriate regulations, and specific statutes. Those agencies and entities with electronic connectivity must comply with requirements of the CJIS Division's security standards and operating policies.

The Justice Department claims that RISC does not constitute a new collection type or collection purpose not already encompassed by NGI or NCIC, nor does it represent any expansion of users authorized to access this information. Instead, the Justice Department asserts that RISC merely collates a subset of existing NGI identity records to permit employment of specialized biometric-based search techniques in field encounters, rapid searches of the collated information, and rapid responses to authorized users. In addition, RISC automatically searches RISC submissions against the existing NGI ULF and searches NCIC for any existing NCIC information appropriate for inclusion in RISC responses.

The Justice Department admits that RISC does present certain privacy risks. However, the agency said that these risks can be appropriately mitigated. Specifically, they are mitigated through long-standing technology protections present in the underlying NGI and NCIC systemsl the existing eligibility limitations and careful vetting of system users; and the existing access policies, training requirements, and audits. Privacy risks are further mitigated by the responsibility imposed on each user agency to ensure that the collection and use of fingerprints obtained for RISC submissions are lawful and permissible under the laws and policies of the governmental jurisdiction to which the user agency is subject.

As appropriately mitigated, any additional privacy impact is outweighed by the RISC advantages, including the added flexibility and simplicity via accommodation of searches using fewer than ten fingerprints; rapid real-time search and response capability in time-critical field encounters; enhanced investigative support and crime solving; enhanced accuracy and privacy protection over mere name-based searching, including reduction of false positives; and greater protection for the public and law enforcement personnel.

Further Reading

See also: Criminal justice (criminal procedure); Integrated Automated Fingerprint Identification System (IAFIS); Law enforcement; Next Generation Identification (NGI); Terrorism and privacy.