We had a merchant call today and want to verify the name and address and debit card number of our customer. Can we do that? We didn't think we could (without customer's consent). The merchant informed the bank employee he spoke with that we are a bank and we are required to give third party verifications. I have never heard of third party verifications. Please help......thanks.

No one is required to provide third party verifications. Under the privacy regulation you may provide this data, if you can take reasonable steps to verify that the transaction is one initiated and authorized by the consumer.

However, because of the difficulty in verifying the legitimacy of such transactions, many institutions have stopped performing them.

I would exercise great care before cooperating with such requests.

It is the option of the bank (barring any more restrictive state privacy law) to provide 3rd party verification. As already stated, many banks have chosen to not take such liability.

If your bank does or chooses to provide such info – it is very important to try to establish if the caller is legitimate and has a legitimate need for the info.

You will need to develop your own procedures but questions/actions like this should be asked of the caller:

What is your name/address/phone number? Why do you need this info? Is the customer (account owner) there or know about this request for information? What are you going to do with the information?

After researching the information (and verifying if the business is in the phonebook, reviewing other methods to establish if the caller is legit, even calling your customer), then the bank calls back to the 3rd party.

What is your bank’s tolerance/risk level? Identity theft is a growing crime…

As mentioned, privacy allows these verifications, but it is absolutely essential to authenticate the caller's need to know. This is often most easily accomplished by getting a confirmation of the transaction from the customer.

With debit card transactions, I get as much info as possible from the caller about the transaction (name, card number, billing address, shipping address, etc.) Basically all of the stuff the caller wants to verify. If nothing matches- I will tell them that the info doesn't match our records without telling them what is in our records. After all, if the merchant is calling because they suspect fraud, I believe I do my customer the most good by assisting the merchant in stopping the fraudulent transaction quickly.

If they give me info that matches (or a partial match) I do not confirm the match, but I offer to call the merchant back after I have completed my verification. Then, after calling the customer and getting a confirmation, I will return the call to the merchant with the appropriate answer.

A bit out of my element here, but perhaps my comment will prompt a more knowledgable one.

I think the merchant misunderstands the Address Verification System(AVS). The merchant is to include the address (numeric only) in the authorization message for the card issuer to verify. The card issuer is to respond with a "value" based on the address components. The verficiation is required for internet and mail/telephone order transactions.

Use of the automated process allows enables you to know that you are dealing with a merchant - responding to demands over the telephone is not one of the program elements.