Personal
Protection: Consumer Demand for Better ID Security
has Banks Scrambling to Upgrade Identification, Verification
and Authentication Procedures and Practices
Relieved to be finally rid of Saddam, Americans are turning
their attention to Mammon. As George W. Bush knows only too well from his father's
experience, nothing can turn a popular incumbent out of office faster than a shaky
economy.
But at least the first President Bush didn't have to worry
about a public angered at having their credit card, Social Security, or bank account
numbers stolen, or at receiving a bill for thousands of dollars in goods and services that
were never authorized.
Identity theft crimes are, or should be, near the top of
the current Bush reelection team's agenda. The reason: smoldering resentment over identity
theft could impact next year's election campaign. Americans are more concerned about
identity theft than unemployment or corporate fraud, according to a survey of 2,000 people
conducted in April by Star Systems. Nine out of ten Americans demand new federal
legislation, while two-thirds say the financial services industry needs to do a better job
of verifying the identity of customers who open bank accounts (66 percent) and credit card
accounts (72 percent). Some 5.6 percent of respondents reported being victims of identity
theft, which translates to 12 million people. When credit/signature debit card fraud and
ID theft were combined, close to 15.9 percent of consumers say they have been the victim
of one of these crimes.
Exact figures on ID theft are hard to come by, in part
because the crimes can go undetected for months. "It often takes more than a year to
discover that you've been a victim, that somebody's gotten your information and they've
been using it to commit fraud," said Barbara Span, vice president at Star Systems.
"Once it's discovered, it can take years to clean up the problem. Meanwhile, the
fraudster is still out there perpetrating more fraud."
Indeed, a distinguishing feature of identity theft is that
the victim is often unaware that a crime has occurred. "If they've established a new
address on your card, you wouldn't be receiving statements," said Don Ghee, senior
operating risk manager at JP Morgan Chase. "They might be kiting balances, or doing
what's called credit balance fraud, where you write checks to pay but the checks bounce.
It can take up to 12 months to discover, with a phone call from a credit card company
asking when you're going to pay off a $2,400 balance."
"It's very professional," he added.
"Organized crime is not only in loan sharking and drugs, but is also in identity
theft. There are gangs getting out of the drug business because identity theft is more
lucrative."
Adding to the difficulty of measuring ID theft is the fact
that it's often classified under different headings. "An account may be closed or
overdrawn, there's check fraud, or a credit card is closed for nonpayment," Span
said. "When actually it's fraud resulting from ID theft."
The Federal Trade Commission recorded 161,819 complaints
from ID theft in 2002. Credit card fraud topped the list at 42 percent, followed by phone
or utilities fraud (22 percent), bank fraud (17 percent) and employment-related fraud (9
percent).
THE WAR AGAINST ERROR
Losses from credit card fraud alone will hit $2.5 billion
next year, according to Celent Communications. Methods range from skimming devices to
spoof sites to stealing credit card solicitations straight from a victim's house. Celent
pegged total ID theft losses at $8 billion next year, but the actual number could be far
higher.
"When we look at the number of U.S. adults who've been
victimized [12 million] and multiply that by the average loss [ $2,000], that's nearly $24
billion," said Span.
Recognizing that ID theft could become a formidable
political issue, legislators have passed a number of laws, beginning with the Identity
Theft Act of 1998, which made it a federal crime "to knowingly transfer or use a
means of identification of another person with the intent to commit, or to aid or abet,
any unlawful activity that constitutes a violation of Federal law."
Identity theft prevention is at the root of other key
legislative measures, including the USA PATRIOT Act, the Gramm-Leach-Bliley Act and the
Basel II Capital Accord.
Regulators have issued rules to implement section 326 of
the PATRIOT Act, which requires financial institutions to verify the identity of any
person opening an account, to maintain records used to verify a person's identity, and to
determine whether the person appears on any list of known or suspected terrorists or
terrorist organizations.
Under the rules, which go into effect in October,
institutions will be required to implement procedures for collecting standard information
such as a customer's name, address, date of birth, and Social Security number.
"Section 326 is important because it relates to
knowing your customer," said Span. "It requires than an institution have in
place a method to verify an identity, from requesting two forms of ID and looking at them,
to recording them on the application form and keeping a record of them."
Still, the PATRIOT Act provides only a minimum standard for
ID theft prevention. In order to fulfill the law's mission-denying terrorists and other
criminals access to the financial system-financial institutions need to go further.
"When you think of all the crimes that are at this
crossroads-money laundering, access to our financial system by terrorists, ID theft and
fraud-it suggests that financial institutions need to look at more than just the minimum
standard," said Span.
Banks have long been required to set aside a portion of
their capital to cover expected losses due to fraud. But the spate of ID theft cases has
caused them to review their definition of "minimal and acceptable losses."
"Lenders have always been willing to accept a certain
amount of risk, and fraud losses have been an area of complacency," according to
Christine Pratt, senior analyst in TowerGroup's consumer credit practice. "It's
critical, though, that they revisit their assumptions on the fraud issue, and now is the
time."
While the best way to combat losses from ID theft is to
prevent a stolen identity from being used in a loan application, the patterns of ID theft
are often random and unpredictable, noted Pratt. "As a result, many lenders have been
unable to justify the expense of implementing sophisticated technologies to authenticate a
person's identity at the point of sale."
SHARING THE RISK
Because business lines tend to employ their own risk
management solutions, banks often lack the comprehensive, enterprise-wide view needed to
combat ID theft. "A lot of the solutions today are point solutions for managing a
particular line of business," said Jim Gahagan, VP, financial services industry
strategy at PeopleSoft. "While something might not be perceived as an operational
risk by a particular line of business, when you look at it in the context of the
organization, it could be."
Faced with Basel II's requirement (scheduled to go into
effect 2006) that they set aside capital to cover losses due to operational risk, banks
are beginning to take a more holistic approach. "For the first time, banks are going
to be required to have a capital charge associated with operational risk," he said.
"To identify the areas of operational risk and quantify those losses."
Risk management has moved to the top of investment
priorities of financial institutions. This year, 42 percent of large financial
institutions will spend between $500,000 and $2.5 million on IT for risk management
(accounting for 9.2 percent of total IT spending), according to GartnerGroup.
Risk management responsibility is shifting from individual
departments to the corporate level. "Centralized approaches have been transferred to
top executives to support risk initiatives," according to Vincent Oliva, VP and
research director at GartnerGroup.
That, in turn, will affect the way IT services get
delivered, Oliva said. "The new enterprise-wide view of risk management will
dramatically affect the technical environment in financial services."
CUSTOMER WINS
Customers, too, need to be made aware of the need for
information security. "We are not properly involving the customer," Ghee said.
"Customers are unaware or oblivious to the threats."
Make information security a product feature, he suggests.
"When we make information security a product feature, we are explaining why we need
to ask them."
Because customers tend to balk at anything that adds to
transaction time, customer personnel are sometimes lax about enforcing information
security policies. That inevitably leads to friction with risk operations staff.
"When you get into the business community, they're not security experts," said
Parker. "You get a lower level of adherence to policy and procedures."
The more systems within an organization, the more difficult
it is to enforce good security practices. "We centralize security
administration," Parker continued. "If someone needs a new ID or a change in
authorization privileges, we have a central group that does that."
Still, at the end of the day, risk management personnel
often find themselves in a bunker mentality mode. "We spend a fair amount of time
worrying about whether we're doing the right things to protect our customers and
systems," Parker said. "The attacks, the threats, are more complex, more
numerous than ever. That complexity leads to increasing investment in people and
tools."
There is no shortage of technology tools aimed at combating
ID theft. For example, Attus Technologies, a Charlotte, N.C.-based software company, has
introduced a line of ID verification products called WatchDog, which are designed to help
institutions comply with section 326 of the USA PATRIOT Act.
Noting that the Sept.11 hijackers had opened bank accounts
using false Social Security numbers, Trey Sullivan, CEO of Attus Technologies, said,
"With the majority of bank fraud schemes using invalid or expired Social Security
numbers, ensuring accurate records is almost impossible without the right compliance
software."
When a Social Security number and date of birth are entered
into WatchDog, the system validates when the number was issued , the state in which it
originated and whether the number is consistent with the customer's age. The system can
also validate government-issued photo IDs, including driver's licenses, green cards and
other immigration documents. In addition to displaying an exact copy of each photo ID
card, the system alerts users to security features such as holograms.
Providers of traditional banking software are increasingly
allying with ID verification tools providers. For example, Magnet Communications, a
provider of online cash management software, hosts identity verification software from
Penley, Inc. at its Atlanta data center. And Computer Sciences Corp. has tapped Identity
Systems, a product of Search Software America, for incorporation in its Patriot Protector
Service.
Still, security is too important to be left to the experts.
"Security isn't the sole jurisdiction of our technologists," said Comerica's
Parker. "Frequently, an exposure in technology can be mitigated by a business process
that protects against it."
The problem is best dealt with at an industry-level,
including sharing best practices. "There's a lot of things that financial
institutions compete on, but we don't compete on security," said Parker. "It's
not in any of our best interests if any bank gets compromised."
Copyright 2003 CMP Media LLC Bank
Systems & Technology June 1, 2003, BYLINE: Steven Marlin |