I'm am writing the pretext calling policy & procedures and am looking for any input that anyone has. What do you require a customer to verify before call center personnel gives out info. Currently we require they give us the account number and then verify date or amount of last deposit.

We require date of birth, date and amount of last deposit and work phone if one is available.

FYI - I just got a new American Express card yesterday. When I called to activate it via touchtone phone, I was given the following prompts:

-Enter a 4 digit PIN (message seemed to indicate that this would be for ID purposes and not for ATM)
-Enter last 4 digits of SSN
-Enter mo/day of mother's birthday

None of these represents a truly secure solution.

I would recommend you look at the new training materials being offered by BankersEdge.

True solutions are really hard to find but SSN's and dates and amounts of last deposit are to easy.

We have been testing Bank security for months offering no charge if we can't break in, if I had a dollar for every banker who has told me yes it's a problem but not at this bank or this branch I'd be rich.

You need systems AND you need to test them rigorously. We use are methods as training tools, not to beat people over the head.

Please understand ID theft is a business, the people who do it and make pretext calls to your bank are very good at what they do or they wouldn't still be making a living.

Please feel free to call if you want to know how good your systems are, the offer remains, no break in, no charge.

Matthew Read
Compliance Officers Association, Privacy Officers Association, AACFE,MICM,SHRM.

Any verbal identifier has inherent weaknesses. If they are still your best option, consider asking new customers for the "county" of their birth. Unlike some common verifiers, the person who finds a lost checkbook will not have it at his disposal and it is a bit more imaginative and unavailable than "mother's maiden name." Caller ID can also be a valuable tool for your end of the conversation.

I just got back from a seminar that said Date and/or Amount of last deposit isn't good enough for the reason stated by Ken/Pegasus. They are suggesting asking a question (like what is done on the Internet) such as "What elementary school did you attend?" or "What is your Grandmothers maiden name?" Unfortunately, our system doesn't have a place for this information and you would have to get that information for all signers.

I was actually thinking of having customers give us a Code Word (Could be a Pet's name, a child's name, a favorite color or ice cream flavor, whatever) to put on their account.

Problem is - where to put this "Code Word" on the system to verify when the customer calls. And what happens if the customer forgets their "Code Word." And what is to prevent an employee from finding out Code Words and then quitting the Bank?

Second problem - how do you retroactivly assign Code Words for existing customers?

Face it - this whole issue is a double-edged sword that will cut deeply both ways. You cannot have perfect security without seriously inconveniencing almost all of your customers... (I'm sorry - you'll have to come into the branch for a Retina Scan before I can tell you your balance....), and whatever security procedures you DO put in place - there is a criminal out there that has already figured out how to circumvent it.

For what its worth!

Just recently, I read and heard about code names. These are very good, however, they should not be anything "associated" with the individual. Those become very easy for "people in the business". A suggestion was to look up a word in the dictionary.

That word could be varied. They also suggested that if the word needed to be changed, vary it rather than a complete change. An example was to use the word with a number following it....

In response to using the county of birth. Heck, I don't even know that! I would have to look at my birth certificate. I also believe that a pretext caller will go and look up this information when they discover it is needed to gain information from a certain bank. Same is true of elementary school, grandmother's maiden name or anything else that a savy research expert could find.

I agree that what ever we do, it will be an inconvenience to our customers. We are ITI users and it is my understanding that they will doing an enhancement that will allow us to enter a question that the customer wants to use to be identified and the answer. As a previous poster said, this is not a big deal when you are opening new accounts. But it will be an incredible amount of work to enter this information for our entire customer base.

Privacy is indeed the nightmare that will never end!

Dolly Nugent
VP/Compliance & CRA Officer
Citizens Business Bank

I don't know how much help it will be, but we have also been addressing this problem. It would be impossible to let the customer set a password for their accounts, simply because you would never get all of them to do so, not to mention the time and energy to imput this information into your system. We decided to use the Customer Information Number (CIF#) on our data systems. This number is assigned by our system when a customer is added. This number is already on the system and unique to the customer. We then used our data system to print cards with this number on them, which we would mail to the customer along with a letter explaining what this number was for and why. It saved having to rely on our customers to give us information to use, or using information that could be known by others such as SS#.

I use a code word whenever possible. I came upon it by chance, it makes sense to me, but anyone else would have to do some very deep and devious research to come up with it. I use it consistently because I tend to forget what password I used for which server. This way, I can remember easily. My only concern is that, because I use it so consistently, some hacker might be able to figure it out and then use it in other places. There really is no perfect solution.