What's Driving Tighter ID Theft Security at Your Bank

by Dawn Handschuh, Personal Finance Writer Archive

Until recently, many banks responded to identity theft reactively, waiting until after the damage was done to take action. What action was taken was largely determined by the extent of the dollar loss. Now, after some highly publicized data breaches, banks and other financial institutions have begun to take more seriously the potential negative impact of identity theft on their reputations and customer trust.

What's also fueling greater interest in preventative measures is a federal law requiring banks, credit unions and other financial institutions to create written identity theft prevention guidelines.

The ID Theft Red Flags program became effective January 1, 2008, and implements two sections of the Fair and Accurate Credit Transactions Act (FACT Act) of 2003. While enforcement of bank programs began November 1, 2008, the Federal Trade Commission (FTC) granted a six-month reprieve (until May 1, 2009) for compliance enforcement of state-chartered credit unions and other non-banking businesses that fall under its jurisdiction. (Despite the FTC delay in pursuing enforcement, financial institutions could still be sued by plaintiff attorneys for non-compliance if any data breaches occurred during this time.)

Identity theft prevention guidelines for financial institutions

Under the new rules, every financial institution must create policies for detecting, preventing and mitigating ID theft. The rules affect any business that extends credit, like mortgage brokers, car dealers, hospitals and utility companies.

Specifically, credit and debit card issuers must have policies for checking the legitimacy of change-of-address requests that are quickly followed by a request for a replacement card. Many identity theft scammers try to change the address of another person's credit card bill to their own address, then ask for a new card shortly after that.

The rules also require businesses that use consumer credit reports to create policies governing their actions upon learning of an address discrepancy from a consumer-reporting agency.

The new regulations may prod banks to get stricter about customer privacy. A three-year-old Javelin Strategy & Research survey concluded, "Most banks are missing essential online identity theft prevention capabilities, unnecessarily placing their customers at greater risk of identity fraud." The report stated that banks' resolution services "tend to be manual [and] slow."¹

Footnotes

¹Identity Fraud Safety Scorecard, Javelin Strategy & Research, November 2004