In the future, whenever anyone says you are required to do something, ask for a citation to law or regulation. This particular caller may say that it's in your customer's interest or even the bank's interest to assist them, but is not in a position to cite you to a law or regulation that requires you to disclose the existence of the customer relationship or provide account information over the telephone. At a minimum, in order to gain some credibility, the caller should have referred you to the Treasury Department Financial Management Service's Tele-Trace program which indicates:
If the payment has not been returned, FMS will call the RDFI to inquire about the reason for nonreceipt.
Obviously, accepting this practice lowers a financial institution's natural thresholds to phishing. However, I am compelled to consider the effects a blanket refusal would have on the customer.
- Routing all such calls to the same person within your institution.
- Asking the caller for his or her full name, employee number(?) and the office where he or she is located.
- Calling the person back at the publicly listed number for that office.
- Asking for all the identifying information he or she has on your customer including any prior payments. Use it to verify that you are talking about the same person.
- Reviewing the account for payments and focus on the information the caller actually needs. This is neither a fishing or a phishing expedition.
- Completing a worksheet with the relevant information, including the name and phone number of the caller, and sending a copy to the customer.
First published on BankersOnline.com 9/11/06