Closing a Window of Opportunity Identity Theft

RMA Journal, The, Nov, 2001 by Karen Jones Currie

Warning signs and preventive measures are offered by a review examiner with the FDIC to help banks fend off identity theft. Mitigants include implementing standards for safeguarding customer information, detecting pretext calls, making it tougher to pull off inside jobs, preventing "dumpster diving," and looking out for a sudden increase in credit card applications.

Since November 1999, when the Federal Trade Commission launched its Identity Theft Hotline and Data Clearinghouse, through June 2001, a whopping 69,370 consumers reported being victims of identity theft. Nearly half of the crimes involved credit card fraud, in which thieves either ran up charges on an existing account or, more often, opened new credit card accounts. Stolen personal information was also used to open new utility services or deposit accounts, or to take out new loans.

Typically, once the thief has used the available credit, he or she defaults on the payments and moves on to the next victim. The majority of the consumers do not realize they have been victimized until many months, or even years, later. By then, the thief is long gone and the consumer is left to suffer the consequences.

Although the effects of identity theft are undeniably devastating to victims who may have to spend years trying to clear their good names, it is generally financial institutions that bear the financial burden of identity theft. As bankers are only too aware, consumers are liable only for up to $50 of fraud losses on credit and debit cards, and banks usually limit consumer liability for fraud losses on other deposit accounts. When it comes to fraudulent installment and mortgage loans, the bank takes the entire loss, less the proceeds of collateral sales, if any. Fraud losses must be absorbed through earnings and not through the Allowance for Loan Loss (ALL), which can be used only for losses arising from poor credit quality of "real" borrowers. Finally, in most cases, the bank's losses are under the deductible limit of the bank's blanket bond insurance coverage.

ID Thefts and Banks

The U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) recently announced an astonishing increase in the number of incidents of identity theft reported by financial institutions. According to FinCEN's June 2001 SAR (suspicious activity report) Activity Review, 617 SARs were filed from January through November 2000, compared to only 44 incidents reported in 1997, the first full year of required SAR reporting. FinCEN further noted that the majority of the reported identity theft involved credit and debit card fraud, check fraud, loan fraud, and, to some extent, wire transfer fraud.

Warning signs of possible identity theft include:

Address change ,especially to a mail drop. Thieves most commonly intercept bank statements, credit card or home equity line solicitations, convenience checks, and other financial correspondence by changing the address of the victim. Often thieves will divert the mail to a "drop" at a mailbox rental and receiving firm.

Increase in customer complaints. Have customers called to say that they haven't received their bank statement, check order, credit card, and the like? Do records show not only that customers received the missing documents, but that they have been using the new checks or credit cards? Have they called you to notify you that they are victims of identity theft?

Unusual number of customers with common names, phone numbers, and/or addresses. Recently, one bank was able to uncover a mortgage fraud ring through the 75 "unrelated" accounts that were linked by only four different phone numbers.

First payment default. This type of fraud is evidenced by multiple irregularities in residence/business addresses, individual names, incorporation documents, tax returns, and credit bureau reports. These days, competitive pressures demand fast and easy loan approval. This is true for consumer and mortgage loans as well as business loans. Invariably, banks become alerted to a fraud because the criminal immediately defaults on the loan payments. However, it may be three or four months before a bank charges off the account. In the meantime, delinquencies are high, which never looks good to the board of directors or the examiners.

Protecting Against ID Theft

Several steps can help protect the bank and its customers from identity-theft-related crimes:

Post the guard. Implement standards for safeguarding customer information. Not only is this a good idea but it is required by Section 364.101 of the FDIC Rules and Regulations (12 C.F.R.[section] 364.101), and examiners will be reviewing this area in all future examinations. The Gramm-Leach-Bliley Act (Sections 501 and 505(b)) requires that banks have a security program that:

* Ensures the security and confidentiality of customer information.

* Protects against any anticipated threats or hazards to the security or integrity of customer information.

* Protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.