Fed to banks: Take basic steps to stop identity
You usually don't turn to government
paperwork for white-knuckle reading, but get a load of the latest
from the Federal Reserve.
The Fed's supervisory
letter on identity theft and pretext calling recommends what
banks should do to combat identity theft and invasions of privacy.
The document makes you wonder just how much common sense bank employees
If the supervisory letter were
a baby manual, it would suggest that parents feed an infant who
is hungry, and hint that maybe it would be a good idea to change
the diaper when baby poops.
The Fed's intentions are laudable.
Identity theft, in which impostors take out loans and open accounts
using innocent victims' names and Social Security numbers, has become
an increasingly common crime. An estimated half-million people were
victimized in 2000.
Many impostors get what they want
by "pretext calling" -- talking a customer-service person into giving
out privileged information such as account balances, passwords and
PINs, account numbers, mothers' maiden names, even Social Security
Many identity thieves use pretext
calling to change the address of their victims' bank and credit
card accounts. That way, their victims don't get account statements
in the mail, so they remain ignorant of their victimhood.
Fly your fraud flag
Federal regulators recognized that banks need some guidelines for
fighting identity theft and pretext calling. Here are some of the
- Banks should take "appropriate" steps to ensure
the accuracy and truthfulness of information on application forms.
For example, a bank could check to see if a ZIP code and area
- Banks "should verify customer information before
executing an address change" and send confirmation of an address
change to the old address and new address.
- If a customer orders a new credit card or box of
checks and at the same time makes an address change, the bank
"should verify the request with the customer."
- Banks shouldn't give out sensitive customer information
over the phone unless the caller knows a password or can answer
a question that an impostor shouldn't be able to answer.
- Some victims of identity theft put a "fraud alert"
on their credit records, asking that someone make a confirming
phone call whenever someone tries to open an account in that person's
name. The Fed's letter asks banks to make that phone call.
Think about that for a sec. You put a fraud flag on
your credit report, asking to be notified whenever someone tries
to open an account in your name -- and regulators are asking (not
telling) banks to follow your instructions. Would the Fed issue
this suggestion if banks were complying with consumers' wishes?
"Believe it or not, I do think it's necessary for
the regulators to tell banks to take these precautions," says Beth
Givens, director of the Privacy
Rights Clearinghouse. "Many credit grantors are sloppy with
their applicant verification procedures. It is quite easy to get
credit in somebody else's name if you just have a minimum of personal
information about them and know how to manipulate the system."
When a bank detects questionable activity, such as money laundering
or embezzlement, it has to file a document called a Suspicious Activity
Report and send it to federal regulators. The SAR has 20 checkboxes
that correspond to different types of suspicious activity -- from
violations of the Bank Secrecy Act to wire transfer fraud. There's
even a box for "mysterious disappearance" of employees.
But identity theft and pretext calling don't make
the grade. They don't have checkboxes. So in the supervisory letter,
the Fed asks banks to check the box styled "Other," and to fill
in the adjoining blank to denote identity theft or pretext calling.
Besides betraying a possible lack of concern about the problem,
the lack of a checkbox denoting identity theft and pretext calling
will make it more difficult to track cases. When the feds want to
know how many SARs were filed concerning wire transfer fraud, they'll
know because all they'll have to do is count how many times that
box was checked. But identity theft will just be listed under "Other."
The Fed's letter goes on to say that banks should
give their customers information about how to prevent identity theft
and what to do if they fall victim to identity theft. It says banks
can start by referring their customers to the identity
theft section of the Federal Trade Commission's Web site.
The letter adds that banks should have trained employees
who know how to handle identity theft problems.
Another source of advice, not mentioned in the Fed's
letter, is the Identity
Theft Resource Center, affiliated with Privacy Rights Clearinghouse.
-- Posted: May 15, 2001