Consumer demand for better ID security has banks scrambling to upgrade identification, verification and authentication procedures and practices
Relieved to be finally rid of Saddam, Americans are turning their attention to Mammon. As George W. Bush knows only too well from his father's experience, nothing can turn a popular incumbent out of office faster than a shaky economy.
But at least the first President Bush didn't have to worry about a public angered at having their credit card, Social Security, or bank account numbers stolen, or at receiving a bill for thousands of dollars in goods and services that were never authorized.
Identity theft crimes are, or should be, near the top of the current Bush reelection team's agenda. The reason: smoldering resentment over identity theft could impact next year's election campaign. Americans are more concerned about identity theft than unemployment or corporate fraud, according to a survey of 2,000 people conducted in April by Star Systems. Nine out of ten Americans demand new federal legislation, while two-thirds say the financial services industry needs to do a better job of verifying the identity of customers who open bank accounts (66 percent) and credit card accounts (72 percent). Some 5.6 percent of respondents reported being victims of identity theft, which translates to 12 million people. When credit/signature debit card fraud and ID theft were combined, close to 15.9 percent of consumers say they have been the victim of one of these crimes.
Exact figures on ID theft are hard to come by, in part because the crimes can go undetected for months. "It often takes more than a year to discover that you've been a victim, that somebody's gotten your information and they've been using it to commit fraud," said Barbara Span, vice president at Star Systems. "Once it's discovered, it can take years to clean up the problem. Meanwhile, the fraudster is still out there perpetrating more fraud."
Indeed, a distinguishing feature of identity theft is that the victim is often unaware that a crime has occurred. "If they've established a new address on your card, you wouldn't be receiving statements," said Don Ghee, senior operating risk manager at JP Morgan Chase. "They might be kiting balances, or doing what's called credit balance fraud, where you write checks to pay but the checks bounce. It can take up to 12 months to discover, with a phone call from a credit card company asking when you're going to pay off a $2,400 balance."
"It's very professional," he added. "Organized crime is not only in loansharking and drugs, but is also in identity theft. There are gangs getting out of the drug business because identity theft is more lucrative."
Adding to the difficulty of measuring ID theft is the fact that it's often classified under different headings. "An account may be closed or overdrawn, there's check fraud, or a credit card is closed for nonpayment," Span said. "When actually it's fraud resulting from ID theft."
The Federal Trade Commission recorded 161,819 complaints from ID theft in 2002. Credit card fraud topped the list at 42 percent, followed by phone or utilities fraud (22 percent), bank fraud (17 percent) and employment-related fraud (9 percent).
THE WAR AGAINST ERROR
Losses from credit card fraud alone will hit $2.5 billion next year, according to Celent Communications. Methods range from skimming devices to spoof sites to stealing credit card solicitations straight from a victim's house. Celent pegged total ID theft losses at $8 billion next year, but the actual number could be far higher.
"When we look at the number of U.S. adults who've been victimized 12 million and multiply that by the average loss $2,000, that's nearly $24 billion," said Span.
Recognizing that ID theft could become a formidable political issue, legislators have passed a number of laws, beginning with the Identity Theft Act of 1998, which made it a federal crime "to knowingly transfer or use a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law."
Identity theft prevention is at the root of other key legislative measures, including the USA PATRIOT Act, the Gramm-Leach-Bliley Act and the Basel II Capital Accord.
Regulators have issued rules to implement section 326 of the PATRIOT Act, which requires financial institutions to verify the identity of any person opening an account, to maintain records used to verify a person's identity, and to determine whether the person appears on any list of known or suspected terrorists or terrorist organizations.
Under the rules, which go into effect in October, institutions will be required to implement procedures for collecting standard information such as a customer's name, address, date of birth, and Social Security number.
"Section 326 is important because it relates to knowing your customer," said Span. "It requires than an institution have in place a method to verify an identity, from requesting two forms of ID and looking at them, to recording them on the application form and keeping a record of them."
Still, the PATRIOT Act provides only a minimum standard for ID theft prevention. In order to fulfill the law's mission-denying terrorists and other criminals access to the financial system-financial institutions need to go further.
"When you think of all the crimes that are at this crossroads-money laundering, access to our financial system by terrorists, ID theft and fraud-it suggests that financial institutions need to look at more than just the minimum standard," said Span.
Banks have long been required to set aside a portion of their capital to cover expected losses due to fraud. But the spate of ID theft cases has caused them to review their definition of "minimal and acceptable losses."
"Lenders have always been willing to accept a certain amount of risk, and fraud losses have been an area of complacency," according to Christine Pratt, senior analyst in TowerGroup's consumer credit practice. "It's critical, though, that they revisit their assumptions on the fraud issue, and now is the time."
While the best way to combat losses from ID theft is to prevent a stolen identity from being used in a loan application, the patterns of ID theft are often random and unpredictable, noted Pratt. "As a result, many lenders have been unable to justify the expense of implementing sophisticated technologies to authenticate a person's identity at the point of sale."
SHARING THE RISK
Because business lines tend to employ their own risk management solutions, banks often lack the comprehensive, enterprise-wide view needed to combat ID theft. "A lot of the solutions today are point solutions for managing a particular line of business," said Jim Gahagan, vp, financial services industry strategy at PeopleSoft. "While something might not be perceived as an operational risk by a particular line of business, when you look at it in the context of the organization, it could be."
Faced with Basel II's requirement (scheduled to go into effect 2006) that they set aside capital to cover losses due to operational risk, banks are beginning to take a more holistic approach. "For the first time, banks are going to be required to have a capital charge associated with operational risk," he said. "To identify the areas of operational risk and quantify those losses."
Risk management has moved to the top of investment priorities of financial institutions. This year, 42 percent of large financial institutions will spend between $500,000 and $2.5 million on IT for risk management (accounting for 9.2 percent of total IT spending), according to GartnerGroup.
Risk management responsibility is shifting from individual departments to the corporate level. "Centralized approaches have been transferred to top executives to support risk initiatives," according to Vincent Oliva, vp and research director at GartnerGroup.
That, in turn, will affect the way IT services get delivered, Oliva said. "The new enterprise-wide view of risk management will dramatically affect the technical environment in financial services."
TECHNOLOGY GIVE AND TAKE
But technology, noted TowerGroup's Pratt, can fuel both the problem and the solution. "The Internet and other self-service channels have markedly increased the incidences of credit card fraud and the footprint of identity theft. Yet the Web has proven a strong ally for providing new identity verification solutions."
For example, the Web enables smaller institutions to access fraud databases, such as Primary Payment Systems' National Shared Databases, which contain records on 200 million checking accounts from most of the nation's largest financial institutions. Primary Payment Systems, a Scottsdale, Ariz.-based risk solutions provider, has released a Web-based version of its identity verification tool, Identity Chek. The Web-based version will help smaller institutions comply with the USA PATRIOT Act, as well as protect against fraud.
Used by 21 of the 30 largest U.S. financial institutions, Identity Chek processed more than 30 million inquiries last year. Performing as many as 60 tests on each inquiry, Identity Chek detects and notifies the institution about invalid, inconsistent and unusual elements on checking and savings accounts, loans, credit card applications and address changes.
"There are different kinds of tests and cross-checks to detect invalid or inconsistent information," said Span of Star Systems, whose parent company, Concord, owns Primary Payment Systems. "A test consists of, for example, matching the birth date with the Social Security number. Or a Zip code with the street address."
The online version of the service opens it up to smaller and mid-size institutions. "We're introducing it in Web-based form so an institution can perform simple real-time queries," Span said, adding that fraud is moving down-market. "The larger institutions traditionally didn't know their customer as well. Now that they've instituted these measures, the fraud has moved in the direction of smaller institutions. You don't know your customer as well as you used to."
One reason "knowing your customer" has gotten harder, said Chase's Ghee, is that "with each new technology, we've stepped further back from the customer."
He added, "The accumulation of data through technology has outpaced the policies and procedures used to protect it."
An identity theft prevention strategy involves three steps: identification, verification and authentication. Identification is checking for personal information such as name, physical attributes or credentials such as Social Security, driver's license, passport, etc. Verification is the process of proving that the credentials are genuine. The final step, authentication, is associating an individual with a unique identifier, such as a password, physical token or biometric attribute (fingerprint, voiceprint, retinal scan, etc.) that establishes the individual's identity as genuine.
The need to authenticate applies to people inside as well as outside the organization.
"The preponderance of threats in the industry are from the inside," said Don Parker, head of information services at Comerica. The Detroit-based institution has spared no expense in securing its internal information. "We have a hardened perimeter, tiered firewalls, DMZ structures, site filtering software. And we have elements on the inside-host-based intrusion detection systems, application-level authentication."
The objective, he said, is to balance the need for access with security. "We need to grant access to those that need it, and only those. "
Access should be granted on a need-to-perform basis, said Ghee. "Need-to-know is too broad. If I'm doing two executive complaints a month versus someone who's answering customer calls constantly, I don't need online access."
Information security, he noted, extends "from the physical documents to the highest-tech online applications. "
A sound information security policy encompasses prevention, detection and recovery. "When it comes to a security incident, our first preference is that it not happen at all," said Parker. "We do things that target the human side. Things like our awareness program on what is good security practice.
"Our second preference is that if a security compromise has to happen, we want to know about it. We have intrusion detection tools.
"The last element is recovery. If it has to happen, and we know about it, we need to recover from it. That involves things like a computer incident response plan."
Getting employees involved in information security is crucial. "Awareness is the number one factor for success," said Ghee. "When CSRs take it personally, it's amazing what you catch."
Often, it comes down to common sense, such as guarding against shoulder surfing. "Don't leave customer information on a terminal when you go to lunch," he said. "Conduct penetration tests and physical walkthroughs. You'd be amazed at what you find."
Customers, too, need to be made aware of the need for information security. "We are not properly involving the customer," Ghee said. "Customers are unaware or oblivious to the threats."
Make information security a product feature, he suggests. "When we make information security a product feature, we are explaining why we need to ask them."
Because customers tend to balk at anything that adds to transaction time, customer personnel are sometimes lax about enforcing information security policies. That inevitably leads to friction with risk operations staff. "When you get into the business community, they're not security experts," said Parker. "You get a lower level of adherence to policy and procedures."
The more systems within an organization, the more difficult it is to enforce good security practices. "We centralize security administration," Parker continued. "If someone needs a new ID or a change in authorization privileges, we have a central group that does that."
Still, at the end of the day, risk management personnel often find themselves in a bunker mentality mode. "We spend a fair amount of time worrying about whether we're doing the right things to protect our customers and systems," Parker said. "The attacks, the threats, are more complex, more numerous than ever. That complexity leads to increasing investment in people and tools."
There is no shortage of technology tools aimed at combating ID theft. For example, Attus Technologies, a Charlotte, N.C.-based software company, has introduced a line of ID verification products called WatchDog, which are designed to help institutions comply with section 326 of the USA PATRIOT Act.
Noting that the Sept.11 hijackers had opened bank accounts using false Social Security numbers, Trey Sullivan, CEO of Attus Technologies, said, "With the majority of bank fraud schemes using invalid or expired Social Security numbers, ensuring accurate records is almost impossible without the right compliance software."
When a Social Security number and date of birth are entered into WatchDog, the system validates when the number was issued , the state in which it originated and whether the number is consistent with the customer's age. The system can also validate government-issued photo IDs, including driver's licenses, green cards and other immigration documents. In addition to displaying an exact copy of each photo ID card, the system alerts users to security features such as holograms.
Providers of traditional banking software are increasingly allying with ID verification tools providers. For example, Magnet Communications, a provider of online cash management software, hosts identity verification software from Penley, Inc. at its Atlanta data center. And Computer Sciences Corp. has tapped Identity Systems, a product of Search Software America, for incorporation in its Patriot Protector Service.
Still, security is too important to be left to the experts. "Security isn't the sole jurisdiction of our technologists," said Comerica's Parker. "Frequently, an exposure in technology can be mitigated by a business process that protects against it."
The problem is best dealt with at an industry-level, including sharing best practices. "There's a lot of things that financial institutions compete on, but we don't compete on security," said Parker. "It's not in any of our best interests if any bank gets compromised."
- ID theft victims 6%
- Demand new ID protection legislation 90%
- Want better monitoring of credit card accounts 72%
- Want better monitoring of bank accounts 66%
*Percentages of 2,000 survey respondents, April 2003
Source: Star Systems