When an IMPOSTER calls
Apr 1, 2001 12:00 PM, By JEANNE BONNER
Every day in the United States, banks are besieged by phone calls from customers. Here is a typical call: “Hello, my name is Jeanne Bonner. I have an account with the bank, but I cannot remember my PIN. Could you tell me what my PIN is?”
The problem is that the caller may not actually be a customer of the bank. It could be a pretext caller — someone who illegally tries to extract personal data about a customer in the hopes of gaining access to his accounts. The person could also insist that she is Jeanne Bonner or could even be able to provide customer data such as an address or an account number.
Banks also face scam artists who telephone customers pretending to be their bank. The pretext caller asks the customer to verify personal data — including the person's PIN — ostensibly as part of banking policy. If the customer thinks it is a legitimate bank representative, he might unwittingly reveal critical personal data.
“Pretext calling is a huge problem in the banking industry,” says Charlotte Birch of the American Bankers Association (ABA). “Thousands of pretext calls are made each day, and bank employees must be trained to detect such calls and react. Customers must be taught to recognize some red flags as well. Banks, for example, will never call customers to ask for their PIN.”
In this age of wireless communications, identity theft is an issue that concerns everyone — security departments, companies and private citizens alike. The advent of the Internet has augmented the ways a person's identity can be stolen. The banking and financial services industry is at particular risk from these scams.
According to the Federal Trade Commission (FTC), which has established an identity theft hotline, there were an estimated 500,000 cases of identity theft in 2000, each case costing victims $17,000 on average. Statistics compiled by the General Accounting Office showed financial losses of $745 million due to identity theft in 1997 (before the proliferation of Internet e-commerce). The ABA estimated that total check-related losses for the banking industry amounted to $679 million in 1999.
The federal Gramm-Leach-Bliley Financial Services Modernization Act — also known as the Privacy Act — is changing the way banks, insurance companies and other financial institutions deal with customer data, in large part by forcing them to disclose publicly what data they collect, with whom they share it and how they share it.
The sharing of customer data among banks, insurance companies and third parties can often lead to identity theft. A typical opportunity for identity theft presents itself when a person applies for a mortgage or a car loan. “In order to fill out the application, a person needs to provide critical personal data including a social security number and bank account information. It can lead to trouble because third parties can sell a customer's personal data,” says Russell Barker of the ABA.
Other common practices leave consumers open to victimization. In some states, including Georgia and Nevada, the motor vehicle department commonly asks for a driver's social security number when issuing a driver's license. Banks themselves are guilty of requiring social security numbers when opening an account.
The financial modernization bill, passed overwhelmingly by Congress and signed into law by former President Clinton in the fall of 1999, requires financial institutions to comply fully on July 1, 2001. Many banks have formed internal task forces to deal with the burden of compliance.
Gramm-Leach-Bliley stipulates the following rules for banks and financial institutions:
- Financial institutions must have policies and procedures in place to protect customer data;
- They must compose a privacy policy statement if they do not have one already, and they must distribute the statement to customers;
- Financial institutions must disclose the customer personal data they collect;
- They must disclose with whom they share the data;
- They must notify their customers in writing that they have the right to opt out of information sharing.
“In essence,” says Birch of the ABA, “banks must define which data is private and which data is public. The banks also must come clean about the information they share with third parties.”
The ABA convened a task force to examine ways to help its member banks with compliance issues. As a result of the task force, the ABA created a privacy toolbox, which it issued to its member banks — some thousands of banks across the United States. The toolbox helps banks deal with the new requirements. The ABA also created a video that dramatizes possible scenarios and provides proper responses. ABA spokespeople appeared on local news programs to disseminate information about the new guidelines.
Part of the toolbox is a victim theft kit that helps bank customers deal with pretext calls. The kit contains an affidavit from the bank, letters to police bureaus and telephone numbers of agencies that can help. “Our member banks take identity theft very seriously and try to be very proactive in preventing it,” says Catherine Pulley of the ABA.
The toolbox also contains sample privacy statements and an inventory list to help banks assess their policies in light of the new legislation. It also contains a manual for training employees.
The ABA has issued voluntary guidelines similar to best practices. These guidelines include policies such as requiring bank employees who are working with private customer data to log off their computers whenever they need to leave their desks.
The ABA also helps banks in drafting instructions to their customers. “We tell our banks to instruct their customers to shred documents, not to leave bills in the mail box for the mail man, not to carry one's social security card in a wallet. Preventing identity theft is a partnership between banks and their customers,” says Pulley.
In combatting identity theft, pretext calling is one of the most significant issues that banks grapple with. Many calls are made each day in the hopes that the bank employee will mistakenly provide information about a client. Although bank employees are trained to detect and handle such calls, many pretext callers become quite belligerent and insistent.
“There are organizations of pretext callers who call banks all day just hoping one person will be convinced,” says Pulley.
The new legislation is a landmark for a number of reasons. It is the first time that banks have had to publicly disclose their privacy policies. It also comes at a time when incidents of identity theft are on the rise. Consumer data, including credit card numbers and sensitive medical information, can be bought easily over the Internet.
According to the drafters of the Gramm-Leach-Bliley Act, the law provides the most comprehensive financial privacy safeguards that have ever been passed into law. According to the ABA, banks are thrilled with the new legislation. Hopefully, consumers will be thrilled with a renewed sense of protection.
© 2008 Penton Media Inc.