We have asked our phone center to ask customers for a call back number and for the date & amount of their last deposit, but I am wondering what others are doing to ID customers on the phone. Has anyone actually given their customers "pin" numbers or passwords to use? I am thinking our customers would not use them or would forget them. Caller ID has been shot down as an option. I have tried to have them use information that we already have such as the DOB of a joint account holder. Any suggestions would be greatly appreciated.

The second area I am working on is change of address. Does anyone actually send two confirmations for every change of address? Is this necessary if the customer makes the request in person? How are you handling change of addresses from the post office, you know, the little yellow stickers?

Everyone here has always been very helpful, and I thank you in advance for your help!

------------------
Opinions stated are not necessarily that of my employer.

We do not permit address changes based upon Post Office address change notices. We do utilize these new addresses as needed to attempt contact. We send a letter asking the individual to contact the bank ASAP. No reference is made in the letter to any account or relationship.

No follow up is performed on an address change requested by a customer coming in to the bank. The address change form is completed, signed and dated by the customer. Obviously, we should obtain ID prior to accepting address change form if customer is not personally known to bank employee. Address changes requested via internet and phone are confirmed. We try to obtain written confirmation by sending letter with signature line to acknowledge request and providing return envelope.

In the past, we tried to include date and amt of last transaction/deposit, however, particularly on joint accts and when debit and ATM card use is prevalent, too many people didnt know this info.

Thus far, no one that supplied us w/acct no, SSN and DOB turned out to be a fraudster.

On change of address, like Brenda, we also dont use the post office change of address notice as a confirmation, but rather as an indication to contact the customer to verify the change. We learned this one the hard way.

Customer had to go to prison, so he gave his business partner (and we later learned sometime paramour) POA to transact business for him while he was in prison. She had the post office change his address, and from there proceeded to steal everything he had. He didnt learn of the theft because (he said), when he didnt receive bank statements, he thought it was a problem w/the prison mail system.

I AM NOT ENGAGED IN PROVIDING LEGAL ADVICE AND THE VIEWS EXPRESSED ARE NOT THOSE OF MY EMPLOYER

We do not permit address changes over the telephone. Customer must come into the branch and sign an authorization form so it can be verified back to the signature card. Best way I know of! Once the precaution is explained to the customer, they are happy campers.

We established the above items when Privacy came out.

Opinions are mine not my employer

We regularly test our banking clients information security systems through social engineering techniques we have yet to find a bank with a fool proof system as there are so many approaches that can be taken to obtaining the information.
We know that a determined and specific identity thief is likely to contact your customer before he contacts you, if he/she wishes to impersonate the customer and that he may well do so posing as you. This means that all the information your customer might have can be obtained. The only true solution is a call back system and even then you will get breaches with callers insisting that they are at thier accountants office or some other place where you don't have the telephone number.
Education of customers is necessary updating of records is essential we have found that a program of collecting customer cell phone numbers has worked well with may clients.
Also be aware that actually posing as the customer is one of the least likely entry routes to your institution.
There is no substiute for proper testing and training I would be very wealthy with just one dollar from each branch or bank that says they know its a problem in general but it doesn't happen here.

Matthew
(Tobi this is informative nothing more!)

Excellent suggestions! This is an issue that's extremely personal for some customers. You might check out some of the identification schemes used by Internet retailers for their sign-up forms. Examples include:
- Favorite pet's name
- Favorite TV show
- Favorite TV or radio station call letters
- Favorite comic book or comic strip character
- Favorite actor

By using a non-standardized option instead of an alpha or numeric PIN, you reduce the likelihood of compromise. You might also consider sending out a statement stuffer that advises your customers of the pending changes -- and asking them to consider, in advance, what information that they would like to use.

------------------
Dana Turner
Security Education Systems
danaturner@bankersonline.com
830-535-6500
Opinions expressed are always those of my employer.