The Patriot Act May Be a Hassle, But It Can Help Reduce ID Theft

Banks are not finding it easy to comply with industry regulations.

Take Title V of the Gramm-Leach-Bliley Act. My firm's research into developments in enterprise privacy management and identity verification found that before July 1 of last year, bank managers and technologists struggled to ensure their compliance with Title V, which requires that banks mail notices informing customers of their privacy policies.

Then there's the USA Patriot Act. Hastily signed into law after the terror attacks of last September, it has bankers up against an Oct. 25 compliance deadline. They must "implement reasonable procedures" at the new-accounts desk to verify potential customers' identity. They also have to maintain records of the information used during the verification and screen new customers for affiliation with terrorist organizations.

As was the case with the Gramm-Leach-Bliley Act, the proposed regulations issued by the Department of the Treasury and the Federal Reserve Board for the Patriot Act contain nothing outlandish or unexpected. They specify the types of documents customers must present when opening accounts in person or remotely and how long verification records must be maintained.

Do banks need to follow these proposed regulations to the letter of the law?

It can be argued that Gramm-Leach-Bliley has had minimal impact: less than 5% of consumers opted out of data sharing with unaffiliated third parties, despite the public outcry from privacy advocates.

Will the USA Patriot Act really prevent terrorists from using the United States' financial infrastructure to fund terrorism? Does the act do anything but add cost and complexity to the business of banking? Aren't identities currently verified at account opening anyway?

Skepticism about the USA Patriot Act's ability to help prevent terrorism is understandable, but so is the fact that the law addresses identity theft.

Identity theft is a rapidly growing problem. False and stolen identification documents and personal information are readily available to crafty crooks, the perpetrators are rarely seen and almost never caught, and the money they get away with is virtually irretrievable. According to the Privacy Rights Clearinghouse and a study by the University of California at San Diego, an identity theft costs consumers an average of $808, and the cost to the bank is $1,800 per incident.

Given these data along with various estimates from the Federal Trade Commission and other law enforcement agencies, Meridien Research estimates that more than $2.8 billion will be lost to identity theft in 2002.

If it is not contained, this problem could cost U.S. consumers and institutions more than $8.6 billion by 2006, when the number of fraud cases related to stolen identity could reach one million. On average, 1% of U.S. households will have to deal with this issue. Where are 1% of your customers going to turn when they realize that they have become victims? Who will they expect to solve this problem? None other than their financial services provider.

The USA Patriot Act is good for financial services companies and their customers, so firms should comply with it. Technology can help validate the ID material provided at account opening and verify that the individuals in front of your customer service agents or on your Web site are who they say they are. Most identity-verification solutions rely on a combination of publicly available third-party data providers and decision-making software. Some will even pinpoint previous instances of fraud, such as check fraud or application fraud.

The near future will bring the creation of organizations whose primary activity will be to serve as the clearing house for identity-related consumer information. Their efforts will be augmented by banks' ability to leverage customers' previous relationships with other financial service providers through publicly available data, which can greatly reduce exposure to identity theft-related fraud.

More important, it will soon be generally accepted that banks bear the greatest responsibility to stop this crime from occurring. The tools are available, and the opening of an account presents an ideal opportunity to strengthen identity verification.

Despite the recent privacy legislation, banks are still permitted to capture and use personally identifiable, nonpublic consumer information to prevent fraud. Fortunately for consumers, banks cannot share this information with third parties for marketing purposes without the consumer's permission.

Accordingly, banks, brokers, insurers, and others in the industry have to disclose the purposes for capturing and using consumer data in their privacy policies. By clearly articulating the value of adequately protected personal information to consumers and their financial service providers, banks and similar companies can build and preserve customer relationships from the foundation of trust that underlies the successful delivery of financial services.
