
Hackers Think Bank's Data Is Greener

As marketing techniques - especially marketing "research" techniques - become more aggressive and competitive, banks should hone their techniques for guarding data. Many of the entities looking for data about potential customers believe that banks are fertile ground. In fact, they believe that the grass on the banks' side of the database fence is very, very green. This is why the bank regulatory agencies are becoming increasingly concerned about the adequacy of banks' efforts to protect the privacy of their customers.

The FFIEC, through its member agencies, has released guidance on one of the emerging techniques for mowing the green fields of bank data. Pretext phone calling, although highly labor intensive, can produce results worth the effort - especially if bank staff is service-oriented and takes extra steps to help customers. Unfortunately, in this situation, those extra steps can result in breaching the customer's privacy by releasing personal information to individuals who have no right to access it. It begins when the bank employee receives a phone call from a person who sounds "very nice." All the person is asking for is a little help, perhaps even a little emergency help, with an innocent-sounding statement such as "I'm in my broker's office and I need to know how much available cash I have in my checking/savings/MMDA account." Or, "I'm being prequalified for a mortgage loan. I've forgotten when I opened my account - could you please check?"

Generally, when faced with requests such as these, the first thought of bank employees is that customer service is what makes the difference between you and the competition. Yes, one shouldn't be free and easy with customer information, but if the customer seems to be who he says he is, how can it hurt? The problem is: how do you really know who is on the other end of that phone call?

The FFIEC guidance provides some standards and some cautions. The most common forms of identity verification - social security number and mother's maiden name - are now readily available to outsiders. If the fraudulent caller has the customer's name, they probably have lots more. They are not calling you to find out the social security number - they already have it.

The difficulty here is that much of the information about your customers is available to anyone enterprising enough to go after it. As a result, personal information that is a matter of record may no longer be effective for verifying a caller's identity.

The FFIEC advises banks to develop alternative forms of identity verification, such as a security code selected by the customer or assigned by the bank. Strengthen the effectiveness of this kind of identification by limiting who may handle such calls. Most employees, receiving a request for information, should refer the call to authorized staff, and take no other action.

For this or any approach to be effective, staff must be trained to recognize information requests that are subject to this control. Everyone should be able to identify situations that require special handling.

In addition to having specially trained staff handle requests for private customer information, the bank could use quick verification techniques, such as determining whether the number the "customer" is calling from matches the number on record in the bank.
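The controls above - a security code that is a shared secret rather than a matter of record, a short list of staff authorized to release information, and a check of the number the caller is using against the number on record - can be written down as a single fail-closed decision. The following is an added example and is not part of the FFIEC guidance or of the original article; the account numbers, phone numbers, security codes and employee names are constructed for illustration. It also goes one step beyond the text: because the caller's displayed number can be spoofed, it treats a return call placed by the bank to the number on record as the stronger form of the phone check, and it stores security codes as salted hashes so that a copy of the customer table does not hand a pretext caller the codes themselves.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical customer records, constructed for this example. The customer-
# selected security code is never stored in the clear: only a salted PBKDF2 hash.
def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

def make_customer(name: str, phone_on_record: str, security_code: str) -> dict:
    salt = secrets.token_bytes(16)
    return {
        "name": name,
        "phone_on_record": phone_on_record,
        "salt": salt,
        "code_hash": _hash_code(security_code, salt),
    }

CUSTOMERS = {
    "1001": make_customer("A. Example", "+15550100", "7483"),
    "1002": make_customer("B. Example", "+15550101", "2915"),
}

# Only these (hypothetical) employees may release customer information over the
# phone; everyone else refers the call and takes no other action.
AUTHORIZED_STAFF = {"jdoe", "rroe"}

# Used when the account does not exist, so that the hash comparison runs in the
# same time whether or not the account is real.
_DUMMY = make_customer("-", "-", secrets.token_hex(4))

@dataclass
class CallerRequest:
    account: str
    employee: str              # who took the call
    offered_code: Optional[str]  # security code the caller states, if any
    caller_id: Optional[str]     # number displayed for the incoming call
    callback_verified: bool      # bank hung up and called the number on record

def decide_release(req: CallerRequest) -> Tuple[bool, str]:
    """Return (release?, reason). Every path that is not fully verified refuses."""
    if req.employee not in AUTHORIZED_STAFF:
        return False, "refer to authorized staff"

    cust = CUSTOMERS.get(req.account, _DUMMY)
    account_known = req.account in CUSTOMERS

    # Check the shared secret with a constant-time comparison. A missing code is
    # compared as an empty string so the work done does not reveal anything.
    offered = _hash_code(req.offered_code or "", cust["salt"])
    code_ok = hmac.compare_digest(offered, cust["code_hash"])

    # Phone check: a return call to the number on record is authoritative; a bare
    # caller-ID match is accepted only as the weaker alternative, since the
    # displayed number can be forged by the caller.
    phone_ok = req.callback_verified or (
        req.caller_id is not None and req.caller_id == cust["phone_on_record"]
    )

    # One generic refusal for unknown account / wrong code, so the response does
    # not tell a pretext caller which of the two was wrong.
    if not (account_known and code_ok):
        return False, "identity not verified"
    if not phone_ok:
        return False, "call back at number on record before releasing"
    return True, "verified: security code and phone check passed"

if __name__ == "__main__":
    sample = [
        CallerRequest("1001", "jdoe", "7483", "+15550100", False),
        CallerRequest("1001", "jdoe", "7483", "+15550199", False),
        CallerRequest("1001", "jdoe", "7483", None, True),
        CallerRequest("1001", "teller9", "7483", "+15550100", False),
        CallerRequest("1001", "jdoe", "1234", "+15550100", False),
        CallerRequest("9999", "jdoe", "7483", "+15550100", False),
    ]
    for r in sample:
        print(r.account, r.employee, decide_release(r))
```

The order of checks matters: the authorization check comes first so that an unauthorized employee never even reaches the verification step, and the security-code check comes before the phone check so that a spoofed caller ID on its own buys the caller nothing.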

The FFIEC also recommends that banks use mystery shopping or staged phone calls to bank staff. The staff member's handling of the call would be noted, and any inappropriate actions should lead to additional training, policy updates, and procedural reviews.

ACTION STEPS

  • Review (or find) your bank's privacy policy.
  • Determine who is authorized to release customer information. Consider whether, given the circumstances of your bank, this should be limited. Take into account issues such as size of bank, size of community, and the feasibility of centralizing this function.
  • Review your bank's techniques for verifying caller identity. Determine whether, in today's environment, these measures are sufficient.
  • Review your procedures for releasing information. In addition to customer identity verification, are there other procedures to protect the customer's privacy?
  • Review training on customer privacy. What does bank staff know about privacy protection? Do the right people know about it? This includes anyone who might take calls from customers or from pretext callers.
  • Include privacy and the bank's privacy policy in all new employee training. Make sure they know about this before any harm is done.
  • "Test" staff by making some "pretext" calls. Evaluate how well your staff handles them. While you're at it, you might throw in some fair lending issues, just to make things interesting.

Copyright © 1998 Compliance Action. Originally appeared in Compliance Action, Vol. 3, No. 12, 10/98

First published on 10/01/1998
