Compliance and Regulatory Alerts, Bates Research | 01-31-24
Identity Theft Week - Preventing Unauthorized Account Takeovers
This week is Identity Theft Awareness Week, sponsored by the FTC. ID Theft occurs when an individual pretends to be someone else, typically to obtain credit or other benefits in the victim’s name. Financial institutions are required to implement an ID Theft Prevention Program as part of the FACTA Red Flags Rule. A number of other consumer regulations require institutions to reimburse consumers for unauthorized payments from their accounts due to ID Theft and to refrain from collections activities on loans obtained via ID Theft. The financial loss to institutions is staggering. FinCEN recently reported that ID Theft was the second-highest category for SARs related to identity, with approximately 423,000 SARs covering $45 billion in suspicious activity for 2021 – the most recent data available (see https://www.fincen.gov/news/news-releases/fincen-issues-analysis-identity-related-suspicious-activity).
An increasingly harmful form of ID Theft is Account Takeover, where a bad actor gains unauthorized access to a victim’s account. On deposit accounts and HELOCs, this is done in order to transfer funds out of the account. On HELOCs and other loans, it can also be done to obtain the routing number and account number of a bank account linked for making automatic payments. That linked account is then victimized in turn.
Preventing Account Takeover has become increasingly difficult due to the number of data breaches that have resulted in the NPI of a large percentage of the population being posted on the dark web. An institution might not be able to fully rely on traditional identifiers like Name, Date of Birth, and Social Security number as a means of authenticating a caller to a call center (for example), as it’s likely that a bad actor already has that information on a customer. Because of this, it’s important for an institution’s call center to refrain from the following without obtaining an additional element of authentication:
- Providing an additional piece of NPI, such as an account number, to callers.
- Allowing the changing of MFA information (typically phone numbers and email addresses).
With the right call center procedures, institutions can make significant strides toward thwarting Account Takeover that results from ID Theft.