I. INTRODUCTION
Pursuant to provisions in the Gramm-Leach-Bliley Act (GLBA), federal banking agencies are directed to ensure that banks have policies, procedures and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information. The provisions of the interagency guidance discussed below supplement the “Interagency Guidelines for Establishing Standards for Safeguarding Customer Information” by focusing on the protection of customer information specifically against identity theft and pretext calling.
II. IDENTITY THEFT
Identity theft is the fraudulent use of an individual’s personal identifying information. Often, identity thieves will use another individual’s personal information such as a social security number, mother’s maiden name, date of birth or account number to fraudulently open new credit card accounts, charge existing credit card accounts, write checks, open bank accounts or obtain new loans. They may obtain this information through a number of means, including: (a) stealing wallets that contain personal identification information and credit cards; (b) stealing financial institution statements from the mail; (c) diverting mail from its intended recipients by submitting a change of address form; (d) rummaging through trash for personal data; (e) stealing personal identification information from workplace records; or (f) intercepting or otherwise obtaining information transmitted electronically.
III. PRETEXT CALLING
Pretext calling is a fraudulent means of obtaining an individual’s personal information. Pretext callers may contact financial institution employees, posing as their customers, in order to access customers’ personal account information. Information obtained from pretext calling may be sold to debt collection services, attorneys and private investigators for use in court proceedings. Identity thieves may also engage in pretext calling to obtain personal information for use in creating fraudulent accounts.
IV. RELEVANT FEDERAL LAW
Several federal criminal statutes address illegal conduct associated with identity theft and pretext calling:
A. Section 1028 of the Federal Criminal Code (18 U.S.C. 1028) makes it a crime to knowingly use, without lawful authority, a means of identification (such as an individual’s social security number or date of birth) of another person with the intent to commit a crime.
B. Section 523 of the Gramm-Leach-Bliley Act (15 U.S.C. 6828) makes it a crime to obtain customer information of a financial institution by means of false or fraudulent statements to an officer, employee, agent or customer of a financial institution.
C. Section 523 of the Gramm-Leach-Bliley Act makes it a crime to request another person to obtain customer information of a financial institution, if the requester knows that the information will be obtained by making a false or fraudulent statement. This generally means that a banking organization requesting customer information that is obtained by pretext calling could be subject to criminal sanctions if the institution knew how the information would be obtained.
V. PROTECTING CUSTOMER INFORMATION
Banks can take various steps to safeguard customer information and reduce the risk of loss from identity theft. These include: (1) establishing procedures to verify the identity of individuals applying for financial products; (2) establishing procedures to prevent fraudulent activities related to customer information; and (3) maintaining a customer information security program.
A. Verification Procedures
Verification procedures for new accounts should include, as appropriate, steps to ensure the accuracy and veracity of application information. These could involve using independent sources to confirm information submitted by a customer; calling a customer to confirm that the customer has opened a credit card or checking account; or verifying information through an employer identified on an application form. A bank can also independently verify that the zip code and telephone area code provided on an application are from the same geographical area.
B. Fraud Prevention
To prevent fraudulent address changes, banks should verify customer information before executing an address change and send a confirmation of the address change to both the new address and the address of record. If a bank receives a request for a new credit card or new checks in conjunction with a change of address notification, it should verify the request with the customer.
When opening a new account, a bank should, where possible, check to ensure that information provided on an application has not previously been associated with fraudulent activity. For example, if a bank uses a consumer report to process a new account application and the report is issued with a fraud alert, the bank’s system for credit approval should flag the application and ensure that the individual is contacted before it is processed. In addition, fraud alerts should be shared across the organization’s various lines of business.
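The verification and fraud-prevention controls in sections V.A and V.B above can be expressed as a small rule check that a bank's application or servicing system runs before acting on a request. The following is an added example written for this article, not code from the guidance or from any regulator or bank; the region lookup tables, the 30-day verification window, the event field names and the sample events are all constructed assumptions for illustration.

```python
"""
Added example: encodes the new-account and address-change controls described
in the guidance as explicit decision rules. All data here is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Application:
    zip_code: str
    area_code: str
    report_has_fraud_alert: bool   # fraud alert present on the consumer report

@dataclass
class AddressChange:
    when: date
    new_address: str
    address_of_record: str

@dataclass
class Request:
    when: date
    kind: str   # assumed values: "new_card" or "new_checks"

# Constructed lookup tables: a ZIP prefix and a telephone area code resolve to
# a coarse region label. A real deployment would use a licensed geographic
# dataset; these entries are illustrative placeholders only.
ZIP_PREFIX_REGION = {"100": "NYC", "606": "Chicago", "941": "SF"}
AREA_CODE_REGION = {"212": "NYC", "312": "Chicago", "415": "SF"}

# Assumed window in which a card/check request after an address change is
# treated as needing direct confirmation with the customer.
VERIFY_WINDOW = timedelta(days=30)

def zip_area_code_consistent(zip_code: str, area_code: str) -> Optional[bool]:
    """True when ZIP prefix and area code map to the same region, False when
    they differ, None when either is unknown (unknown is not a mismatch)."""
    z = ZIP_PREFIX_REGION.get(zip_code[:3])
    a = AREA_CODE_REGION.get(area_code)
    if z is None or a is None:
        return None
    return z == a

def review_application(app: Application) -> List[str]:
    """Apply the new-account controls; return the required follow-up actions."""
    actions = []
    if app.report_has_fraud_alert:
        # Guidance: flag the application and contact the individual before processing.
        actions.append("HOLD: fraud alert on consumer report; contact applicant before processing")
        actions.append("SHARE: propagate fraud alert to the organization's other lines of business")
    if zip_area_code_consistent(app.zip_code, app.area_code) is False:
        actions.append("VERIFY: ZIP code and telephone area code are in different regions")
    return actions

def review_address_change(change: AddressChange, later_requests: List[Request]) -> List[str]:
    """Apply the address-change controls to a change and any requests that follow it."""
    actions = [
        "VERIFY: confirm customer identity before executing the address change",
        f"NOTIFY: send change confirmation to new address ({change.new_address})",
        f"NOTIFY: send change confirmation to address of record ({change.address_of_record})",
    ]
    for req in later_requests:
        if change.when <= req.when <= change.when + VERIFY_WINDOW:
            actions.append(
                f"VERIFY: {req.kind} requested on {req.when.isoformat()} within "
                f"{VERIFY_WINDOW.days} days of address change; confirm with customer first"
            )
    return actions

def sample_application() -> Application:
    """Constructed applicant: NYC ZIP, Chicago area code, fraud alert on report."""
    return Application(zip_code="10001", area_code="312", report_has_fraud_alert=True)

def sample_address_change():
    """Constructed event sequence: address change, a new card request nine days
    later, and a check reorder three months later (outside the window)."""
    change = AddressChange(date(2024, 3, 1), "new address", "address of record")
    requests = [Request(date(2024, 3, 10), "new_card"), Request(date(2024, 6, 1), "new_checks")]
    return change, requests

if __name__ == "__main__":
    for line in review_application(sample_application()):
        print(line)
    change, requests = sample_address_change()
    for line in review_address_change(change, requests):
        print(line)
```

The rules are deliberately conservative in the direction the guidance takes: an unknown ZIP or area code yields no finding rather than a false mismatch, while a fraud alert always produces a hold, since the guidance asks that the applicant be contacted before the application is processed.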
C. Information Security
In early 2001, federal banking agencies issued “Interagency Guidelines Establishing Standards for Safeguarding Customer Information.” The Guidelines require banking organizations to establish and implement a comprehensive information security program that includes appropriate administrative, technical, and physical safeguards for customer information. To prevent pretext callers from using pieces of personal information to impersonate account holders in order to gain access to their account information, the Guidelines require banks and other financial institutions to establish written policies and procedures to control access to customer information.
Other measures that may reduce the incidence of pretext calling include limiting the circumstances under which customer information may be disclosed by telephone. For example, a bank may not permit employees to release information over the telephone unless the requesting individual provides a proper authorization code (other than a commonly used identifier). Banks can also use caller identification technology or a request for a call back number as tools to verify the authenticity of a request.
Banks should train employees to recognize and report possible indicators of attempted pretext calling. They should also implement testing to determine the effectiveness of controls designed to thwart pretext callers and may consider using independent staff or third parties to conduct unscheduled pretext phone calls to various departments.
VI. REPORTING SUSPECTED IDENTITY THEFT AND PRETEXT CALLING
Current regulations require banking organizations to report all known or suspected criminal violations to law enforcement and regulatory agencies on Suspicious Activity Reports (SARs). Criminal activity related to identity theft or pretext calling has historically manifested itself as credit or debit card fraud, loan or mortgage fraud, or false statements to the institution, among other things.
As a means of better identifying and tracking known or suspected criminal violations related to identity theft and pretext calling, a bank should, in addition to reporting the underlying fraud (such as credit card or loan fraud) on a SAR, also indicate within the SAR that such a known or suspected violation is a result of identity theft or pretext calling. Specifically, when identity theft or pretext calling is believed to be the underlying cause of known or suspected criminal activity, the bank should, consistent with the existing SAR instructions, complete a SAR in the following manner:
VII. CONSUMER EDUCATION AND ASSISTANCE
Banks should provide customers with information about how to prevent identity theft and necessary steps to take in the event a customer becomes a victim of identity theft. An excellent source of information for consumers is the Federal Trade Commission’s website at http://www.ftc.gov/.
The OCC has provided a customer education brochure that banks may use which outlines eight steps that customers should take in protecting themselves from identity theft, including the following:
Banks should also assist their customers who are victims of identity theft and fraud by having trained personnel to respond to customer inquiries, by determining whether an account should be closed immediately after a report of unauthorized use and by prompt issuance of new checks or new credit, debit or ATM cards. If a customer has multiple accounts with the institution, it should assess whether any other account has been the subject of potential fraud.
VIII. FDIC SUPERVISORY POLICY ON IDENTITY THEFT
The FDIC has issued a “Supervisory Policy on Identity Theft”, describing the characteristics of identity theft. The policy also sets forth the FDIC’s expectations that institutions under its supervision take steps to detect and prevent identity theft and mitigate its effects in order to protect consumers and help ensure institutions’ safe and sound operations. Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver’s license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly.
A. Characteristics of Identity Theft
At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses. Financial institutions are among the most frequent targets of identity thieves since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.
Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer’s name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer’s payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.
B. FDIC Response to Identity Theft
The FDIC’s supervisory programs include many steps to address identity theft. The FDIC acts directly, often in conjunction with other Federal regulators, by promulgating standards that financial institutions are expected to meet to protect customers’ sensitive information and accounts. The FDIC enforces these standards against the institutions under its supervision and encourages all financial institutions to educate their customers about steps they can take to reduce the chances of becoming an identity theft victim.
1. Supervisory Action
As a result of guidelines issued by the FDIC, together with other federal agencies, financial institutions are required to develop and implement a written program to safeguard customer information, including the proper disposal of consumer information (Security Guidelines). The FDIC considers this programmatic requirement to be one of the foundations of identity theft prevention. In guidance that became effective on January 1, 2007, the federal banking agencies made it clear that they expect institutions to use stronger and more reliable methods to authenticate the identity of customers using electronic banking systems. (See NBA Compliance Handbook, Vol. I, Security tab "Authentication in an Electronic Banking Environment: FFIEC Guidance" article.) Moreover, the FDIC has also issued guidance stating that financial institutions are expected to notify customers of unauthorized access to sensitive customer information under certain circumstances. (See NBA Compliance Handbook, Vol. I, Security tab, "Security Breaches: Response Programs State and Federal Regulatory Policies" article.) The FDIC has issued a number of other supervisory guidance documents articulating its position and expectations concerning identity theft. (See NBA Compliance Handbook, Vol. I, Security tab, "Information System Security" articles.) Industry compliance with these expectations will help to prevent and mitigate the effects of identity theft.
The FDIC has also issued revised examination procedures for the Fair Credit Reporting Act (FCRA). These procedures are used during consumer compliance examinations and include steps to ensure that institutions comply with the FCRA’s fraud and active duty alert provisions. These provisions enable consumers to place alerts on their consumer reports that require users, such as banks, to take additional steps to identify the consumer before new credit is extended. The procedures also include reviews of institutions’ compliance with requirements governing the accuracy of data provided to consumer reporting agencies. These requirements include the blocking of data that may be the result of an identity theft. Compliance examiners are trained in the various requirements of the FCRA and ensure that institutions have effective programs to comply with the identity theft provisions. Consumers are protected from identity theft through the vigilant enforcement of all the examination programs, including Risk Management, Compliance, IT and BSA.
C. Consumer Education
The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers’ awareness of this type of fraud and what they can do to protect themselves.
Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government’s lead agency for combating identity theft.
D. Conclusion
Financial institutions have an affirmative and continuing obligation to protect the privacy of customers’ nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.