DeepGreen Bank, a two-year-old Internet-only subsidiary of Third Federal S&L Association of Cleveland, originated over $1 billion in home equity loans in 2001. The bank, which outsources its account processing to a Sanchez e-Profile platform, also uses security software from Entrust to protect its corporate data.
Like any other financial institution, DeepGreen Bank is concerned about the marked increase in identity theft, and realizes the need to improve the protection of personal customer information. This task is made all the more difficult by the fact that DeepGreen Bank is totally electronic, and unlike a brick and mortar business, can not utilize the traditional assets used to verify customer identity.
David Hadley, chief technology officer of DeepGreen Bank, spoke with BS&T senior associate editor Ivan Schneider about the some of the technologies DeepGreen uses to ensure information security and combat identity theft.
BS&T: How does DeepGreen Bank reach its customers?
HADLEY: We have our Web site, our B2C channel. We also have a series of B2B marketing relationships with online portals such as LendingTree, MortgageIT and Citizen's Advantage.
BS&T: What's your approach to information security?
HADLEY: As any financial institution, we're very interested in computer security and computer integrity. From a systems perspective, we go through a significant amount of processes and controls to ensure and to safeguard our customers' information. From knowing the customer, to Gramm-Leach-Bliley, all of those rules apply to an online bank just as they do to a traditional bank.
We draw upon a wide variety of resources to pull together a composite picture of network intrusion and hacking. We monitor many different lists and bulletin boards to ensure that we are up to compliance with the patches and security notifications.
BS&T: What kind of measures do you take to prevent identity theft?
HADLEY: We have a series of processes and controls that are in place that we have built out through the last year or so, that prevent identity theft from occurring. I'm not saying that it doesn't happen to us, but we certainly have manageable numbers.
Technology companies and providers-people like Entrust and Baltimore Technologies, Verisign and RSA Security-have very robust technologies that assist with verification and authentication of individuals. That's the foundation of what DeepGreen Bank does to preserve and to safeguard the customer information that we have within our computer system.
That level of maturity is not prevalent in the financial services and mortgage industries. There is no access control list, for example, that keeps track of who a person is. Right now, the only thing that we can do with complete certainty for personal identification is thumbprints and retina scans, and that just is not a feasible way of conducting business in the financial services space.
Some of the solutions that have been developed by our technology providers, in terms of encrypted keys and establishing ways of managing control lists, are a far more viable solution for the financial services industry to maintain verification and authentication of specific individuals.
That's the issue we have with the traditional bank. Somebody walks in with all of the appropriate identification, with Social Security cards, driver's licenses and enough contextual information to assume someone's identity in that bank's eyes.
BS&T: What authentication methods do you anticipate in the future?
HADLEY: There's a great example of stuff that's going on in Canada, where the government of Canada is issuing digital identification keys to every Canadian citizen. With that, you can get your municipal records, you can get access to government-based information, and as that knowledge base grows, it becomes a more prevalent way of doing business. You are then able to authenticate against a validated key. That becomes important when you deal with county clerks, when you would file the various liens that would be a component in an authentication scheme that would be used at a financial institution.
If you want to see what's coming down the road in the United States, it's a good idea to watch the regulatory agencies. In order to maintain some level of synchronization within the industry, you're going to need some sort of legislation to steer the institutions in a set and defined direction. Gramm-Leach-Bliley goes a long way in defining how we do safeguarding of customer information. Now, all the banks comply with Gramm-Leach-Bliley in such a way that there are policies and procedures and controls in place for safeguarding customer information and to deter fraud.
It's that type of step, that with the appropriate use of technology, will allow the financial services industry to basically come up to speed.