Identity Theft

In October 1998, the Congress passed the Identity Theft and Assumption Deterrence Act of 1998 to address the problem of identity theft. Specifically, the Act amended 18 USC ? 1028 to make it a federal crime for anyone to:

knowingly [transfer] or [use], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

While identity theft is not a new problem, advanced technology (in particular . the Internet) is proving to be a powerful facilitator. According to the Federal Trade Commission (FTC) and law enforcement agencies, identity theft is increasing at an alarming rate. For example, in March 2000, the FTC received and responded to roughly 400 such complaints and inquiries. The FTC currently logs approximately 1,700 complaints and inquiries a week connected with all types of identity theft. Identity theft was the top consumer complaint received by the FTC during calendar year 2000. *

SAR analysis corroborates the FTC's experience. In 1997, the first full year of required SAR reporting, 44 instances (fewer than four per month) of identity theft were reported. From January through November 30, 2000, there were 617 SARs filed (56 per month) reporting identity theft. A total of 1,030 SARs filed during the period April 1996 through November 2000 reported identity theft. Nearly half of these reports were referred to (primarily state and local) law enforcement by the filing institution.

A total of 194 financial institutions from 41 states and the District of Columbia reported some form of identity theft. California and North Carolina account for almost 30 percent of all reports of identity theft. Minnesota, Washington, and New York rank next in order for the number of SARs filed. Seventy-two percent of the retrieved SARs describe fraud perpetration in the form of check fraud, consumer loan fraud, mortgage loan fraud, credit/debit card fraud, and, to some extent, wire transfer fraud.

SAR narratives generally indicate that the most common ways to become the victim of identity theft are through the loss or theft of a purse or wallet, mail theft, and fraudulent address changes. There are also numerous instances of .insider. knowledge; i.e., persons who may share a residence, relatives, or even bank employees stealing the identity of another person. These individuals have easy access to personal information such as a checkbook bearing account numbers, Social Security Numbers (SSN) and business records. Often, the SARs do not describe how an individual perpetrator came to obtain a victim's identifying information. In the cases where a relative was involved, it was usually an adult child of the victim. SARs describe young adults applying for credit cards or bank accounts (usually via the Internet) using their parents. pertinent information except for changing the date of birth to reflect their own.

Once the perpetrator has obtained personal information, that person will open a bank account in the victim's name (or access a current account). The perpetrator will then begin depositing fraudulent, worthless or counterfeit checks into the account. Most deposits are carried out via automated teller machines (ATMs). Before checks are cleared, the perpetrator will withdraw cash on the account via ATMs. Check deposits usually average between $2,000 and $3,000 each with the total activity amounting to $20,000-$30,000. In some instances, the fraudster will deposit empty envelopes, with a dollar amount annotated, into an ATM. Once the bank detects the fraud, most of the perpetrators are discovered and turned over to law enforcement. In most instances, the bank will suffer a loss.

Numerous narratives describe the fraudulent use of another individual's SSN to obtain car loans. In most cases, the assumed SSN, along with other identifying data, is used to purchase or lease high-end automobiles such as Jaguar, BMW, Mercedes Benz, Lexus, and sports utility vehicles. Most of the loans in this category average approximately $30,000. Loans are usually easily approved. Almost across the board, the bank becomes alerted to the scheme because the perpetrator will immediately default on the loan payments. It is a daunting task for the bank to ascertain who actually purchased/leased the vehicle in question. If the vehicle is recovered, it is normally auctioned off so that the bank can recover some of the loss.

Another common scenario described in the narratives is mail intercepts. An individual will steal an unwitting victim's mail to obtain bank checks or convenience checks issued by credit card companies. The thief will then write checks against the victim's account. The victim does not become aware of the intrusion until receipt of a monthly statement from the bank or credit card company.

Another common depiction is that of the perpetrator informing the bank of a change of address for an account holder. Once new checks are printed with the change of address they are mailed to the individual who requested the address change. Again, this goes unnoticed by the victim until the victim realizes that he/ she has not received a monthly statement from the bank.

Perhaps not as common, but described enough in the narratives to warrant mentioning, are individuals preying upon the elderly either by ingratiating themselves to the person in order to obtain personal information, or by a more overt method such as pick-pocketing. Also indicated as a means of obtaining information are the use of SSNs or other personal identifiers of deceased individuals.

Some banks report fraud .rings. operating in their jurisdictions. Washington, Texas, and North Carolina banks report fraud rings apparently based in Nigeria taking over the identities of numerous customers. The members of the fraud rings deposit fraudulent checks into the accounts of these individuals, and then withdraw the money in the form of money orders or via debit cards at ATMs. A bank in Delaware uncovered a fraud ring operating out of New York. The bank identified 75 accounts that were linked by four different phone numbers. Individuals making phone calls from these numbers reported lost or stolen debit cards issued on these accounts. The bank issued new cards and convenience checks that were intercepted at JFK Airport in New York. The intercepts were accomplished by members of the fraud rings, who then redirected the cards and checks to cooperating merchants in Saudi Arabia.

Over a one-year period, a bank in North Carolina investigated 113 suspect applications for business loans. In all instances, an application for a loan of $100,000 per business was made. Many of the applications appear to have similar handwriting or had been typed on the same typewriter. Not all of the applications have the same suspected area of fraudulent information. There are multiple irregularities in residence/business addresses, individuals. names, incorporation documents, mail drops, tax preparers, tax returns, and credit bureaus. It is suspected that most of the guarantors for these loans have been victimized by identity theft. According to the SARs filed by this bank, the bank stands to lose close to $7 million.

Another similar ring uncovered in California involved leases for as many as 400 vehicles through multiple financial institutions. The vehicles were also linked to a group dealing in large quantities of drugs. Individuals obtained leases using fraudulent income documents (primarily W-2s) then subleased the cars to individuals in other states. It appears that the ring leaders convinced unsuspecting third parties to allow their names and SSNs to be entered as signatories on the leases. The individuals signed blank credit applications and were told that by doing so they would receive a certain percentage of the profit on these investments. To date, only one vehicle has been recovered.

The FTC has developed a pamphlet to assist consumers in avoiding identity theft and, in instances of abuse, steps to take in addressing stolen identities. The pamphlet can be obtained from the FTC's website at www.consumer.gov/idtheft. In addition, the Federal banks. supervisory agencies recently released guidance to banking organizations on identity theft and pretext calling. The guidance can be found on each of the agencies. websites:

• Federal Deposit Insurance Corporation at www.fdic.gov;
• Federal Reserve Board at www.federalreserve.gov;
• National Credit Union Association at www.ncua.gov;
• Office of the Comptroller of the Currency at www.occ.treas.gov; and,
• Office of Thrift Supervision at www.ots.treas.gov.

Financial institutions should refer to Section 5 of this issue of the SAR Activity Review for Special SAR Form Completion Guidance Related to Identity Theft and Pretext Calling.

* Washington Post. February 4, 2001, .Your Money and Your Life,. by Michelle Singletary.

Excerpted from SAR Activity Review Issue 2, page 14