Testimony of Richard H. Harvey, Jr.
On Behalf of the American Bankers Association
Before the
Committee on Banking and Financial Services
United States House of Representatives
September 13, 2000
Mr. Chairman, I am Richard H. Harvey, Jr., Vice President, Chief Compliance Officer and
Chief Privacy Officer for Chevy Chase Bank. I am here today on behalf of the American
Bankers Association (ABA). I serve on both ABA's Compliance Executive Committee and
the Task Force on Responsible Use and Protection of Customer Information. ABA brings
together all elements of the banking community to best represent the interests of this
rapidly changing industry. Its membership, which includes community, regional, and
money center banks and holding companies, as well as savings institutions, trust
companies, and savings banks, makes ABA the largest banking trade association in the
country.
I would like to thank you, Mr. Chairman, for holding this hearing on the threat to
consumers from identity theft and pretext calling. Your leadership has been instrumental
in passing critical legislation on identity theft in 1998 and on pretext calling in the
1999 financial modernization bill that bears your name. These strong laws, which
make it a federal crime to obtain customer information by false pretenses or to use stolen
identity information, should be aggressively enforced.
Maintaining the trust of our customers is the cornerstone of successful banking. It is
no surprise, therefore, that the responsible use and protection of customer financial
information is the ABA's top priority. The ABA supported the necessary changes to
federal law so that the unlawful use of personal identifying information, such as
names, Social Security numbers and credit card numbers, can now be prosecuted as a
crime. Now, the theft of one's identity is a crime and law enforcement is not limited
to only investigating the fraud that occurs after stolen identity
information is used. ABA was also pleased to support the legislative initiatives that made
clear that "pretext calling" is a crime. While we appreciate the continuing
concern of Members of Congress on this issue, we believe that these changes are so
significant that no new legislation is necessary at this time. To illustrate the
breadth of the existing laws, I have appended to my statement the entire text of section
18 U.S.C. 1028 which covers identity theft. The primary focus needs to be on enforcement
of that law.
As you have asked me to do in your letter of invitation, Mr. Chairman, I will discuss
the nature and scope of the threat posed by identity theft and pretext calling; the
ABA's efforts to help our member banks educate their customers about ways to prevent
identity theft and to help those individuals who have been the unfortunate victims of such
a crime; and ABA's views on H.R. 4311.
Identity Theft is a Serious Crime
The banking industry has long believed that it is critical for both the government and
the banking industry to work together to help prevent identity theft and to help those who
have been the unfortunate victims of this crime. Government statistics show that each year
more than 500,000 consumers are victimized by identity theft. Certainly, the Internet and
new information technologies raise concerns about the collection and manipulation of
information, but these crimes are still committed in very basic ways that rely on
traditional sources. For example, fraud artists attempt to steal from valid accounts by
obtaining personal information about the target accountholder in various ways such as:
- stealing statements from the mailbox;
- obtaining names and account numbers from checks used at retail establishments;
- "dumpster diving," i.e., retrieving canceled checks, deposit receipts,
bank statements, payroll stubs, or credit applications from dumpsters or trash bins;
- buying payroll account information from unscrupulous check-cashing outlets or other
sources; or
- using telemarketing scams designed to trick customers into revealing personal account
information.
The criminal then will use the actual account information in a variety of ways by:
- ordering checks through the mail and having them sent to a mail drop, then using the
checks for cash or purchases; or
- depositing an uncollectible check and receiving cash back; or
- requesting a "replacement" credit card mailed to a mail drop.
Fraud artists also use personal information to create bogus accounts.
Fraudulent acquisition of personal information typically involves the use of some
pretext, i.e., intentionally inducing, or allowing, a financial institution to incorrectly
believe that an individual attempting to gain unauthorized access to customer information
is authorized to do so. The most common pretext is a caller falsely informing an employee
of a financial institution that the caller is a customer attempting to gain authorized
access to his or her own information when in fact the caller is not the authorized
customer he or she is pretending to be. The goal is to convince the financial institution
employee to drop his or her guard and provide customer information that the employee would
not provide if the employee knew the true identity of the caller. In many cases the
pretext caller posing as a legitimate customer will have obtained some biographical and
account relevant information from other sources or by means of identity theft in order to
perform the pretext and further convince the financial institution that the pretext caller
is the legitimate customer.
ABA was pleased to work with you, Mr. Chairman, over the last several years on the
much-needed change to outlaw this invasive practice. We strongly supported the ban on
pretext calling in the Gramm-Leach-Bliley Act.1
When these crimes are committed, everyone loses: the consumer, the bank, and the
government. Because the trust of our customers is paramount to a successful banking
system, a unified and consistent approach to these problems is critical.
The Banking Industry Is Working Hard to Combat Identity Theft and Pretext Calling
The responsible use and protection of personal financial information is the top
priority of the banking industry. This past year, I served on a task force of bankers that
developed voluntary guidelines for use and protection of information. These ten guidelines,
which represent core values of our industry, were released on June 6, 2000.
We were pleased to be joined by the Financial Services Roundtable and the Consumer Bankers
Association in adopting these guidelines.
I would like to draw the committee's attention to two of those guidelines that
apply to identity theft:
Financial Institutions Help Protect Customers Against Criminal Use
of Their Information
Financial institutions help protect customers against, and educate customers about how
to protect themselves from, criminal use of their information. Financial institutions use
a combination of safeguards to protect customer information, such as employee training,
rigorous security standards, encryption and fraud detection. Institutions work with law
enforcement officials to pursue individuals who fraudulently use information.
Financial Institutions Have Procedures to Prevent Unauthorized Access to Customer
Information
Financial institutions maintain security and confidentiality procedures designed to
prevent unauthorized access to customer information.
Mr. Chairman, both of these guidelines stress the importance of having both internal
and external mechanisms for protecting personal data from activities such as identity
theft. ABA has developed materials to help banks meet these challenges, including:
- Identity Theft Prevention and Resolution Self-Assessment
This questionnaire allows banks to review procedures and determine the appropriate level
of prevention for their institution by researching losses in account
takeover and fraudulent applications, reviewing authentication and policies
regarding access to data, training employees on keeping information
confidential, and communicating to customers about how to prevent, and if
need be, resolve identity theft situations.
- Identity Theft Communications Kit
This kit contains materials to help banks educate their customers on how to
prevent identity theft (including a sample customer brochure, letter to customers, speech,
and newsletter article) and how to resolve cases of those individuals who have become
victims of identity theft (including information on steps to take and an activity log).
- Training Manual: Spotting and Avoiding Pretext Calls
This manual is designed to train bank employees about common pretext methods and how to
spot, deal with, and stop suspected cases. This manual was developed with the
assistance of another of today's witnesses, Robert Douglas, CEO of American Privacy
Consultants.
- Consumer Privacy Training Video
This 15-minute video, provided free to all member banks, is designed
for use by employees at all levels of the institution.
I have attached several documents to my statement. One has tips on preventing identity
theft called "Simple Steps to Safeguard Your Identity" and a
second is for those individuals who have had their identities stolen called "Victims
Steps to Take." We encourage you to use these documents to tell your
constituents how to protect themselves from identity theft and what to do if they should
ever become a victim of such a crime. I have also included sections of the training manual
as well. The greater the awareness of the American public on this issue, the greater the
hope that this crime can be prevented.
Banks are taking the initiative to conduct their own educational outreach programs. In
one case, the bank reached out to elderly citizens because they can be at greater risk of
personal account information being stolen, due in part to the fact that more people may be
providing various medical care services in the home and because the elderly may rely on
others to help manage their financial affairs. At this outreach program, speakers included
Mari Frank (and a leading spokesperson on identity theft), and representatives from the
New York Commissioner of the Aging, the FTC, U.S. Postal Inspectors Office, AOL, AARP, the
Secret Service and a local district attorney.
The ABA has been involved in other outreach programs as well. Over the last two years,
for example, ABA staff has crisscrossed the country in radio media tours on identity
theft, reaching an estimated 38 million listeners. ABA also produced and
distributed a video news release last March, covering the rise in identity theft and
showing consumers how to protect themselves from becoming a victim and what to do if they
suspect they have been victimized. The news release aired on 173 different
newscasts, reaching an estimated audience of nearly 29 million people.
Existing Laws Are Sufficient to Punish Criminals Who Benefit From Stealing
Another's Identity
Mr. Chairman, the ABA certainly supports the goal of attacking identity theft and
assisting consumers who have been victimized. We have every interest in finding workable
methods of preventing this crime, as the losses banks suffer in these cases are
staggering. In fact, in our own survey work (ABA's 1998 Check Fraud Survey), we found
that $3 out of every $4 lost by a community bank to check fraud was due to some
form of identity theft.
The new laws and regulations, spearheaded by this committee and included in both
the Identity Theft and Assumption Deterrence Act of 1998 and in provisions covering
pretext in the Gramm-Leach-Bliley Act of 1999, are sufficient to punish criminals
who benefit from stealing another's identity. In fact, when the Identity Theft and
Assumption Deterrence Act of 1998 was being debated, there was ample discussion on the
House floor that the changes being proposed would have a dramatic effect on identity theft
criminals. As Congressman McCollum pointed out in his floor statement that follows, law
enforcement was confident that the new law would provide them with the necessary tools to
prosecute those engaging in identity theft:
The Secret Service has informed the Committee on the Judiciary that if the transfer
of personal identifiers were a crime, they would be able to prosecute those persons who
traffic in this information and in many cases prevent the fraud that is later committed by
those who buy this information from those who sell it.
H.R. 4151 gives law enforcement agencies the authority to investigate these crimes. It
amends section 1029 of title 18 to make it a crime to unlawfully transfer or use a means
of personal identification.
It seems clear that the 1998 changes were intended by Congress to facilitate the
prosecutions of fraud committed by identity theft at any dollar amount. This improvement
to federal law, coupled with the myriad of parallel state laws,2
should be sufficient to achieve the goal of H.R. 4311 and all other related proposals,
that is, to punish identity theft. Mr. Chairman, we need to have aggressive
enforcement of current law.3
While we certainly appreciate the spirit in which H.R. 4311 is offered, we believe that
additional legislation is not needed to prosecute pretext and identity theft criminals.
Credit card and other financial institutions have security measures in place, such
as confirmation of identity before a credit card can be activated, that are best
suited to their particular circumstances. We believe that card issuers are in the best
position to develop effective and efficient fraud prevention measures. Mandating a
preventative measure inevitably ends up being an inflexible and inefficient method to
prevent fraud. Criminals are always trying to outsmart the financial services industry and
mandated requirements will only temporarily be effective as these criminals find ways
around the new rules. When that happens, what is left is just added expenses for
regulatory compliance for the card issuer, raising the cost of credit to our customers.
Moreover, locking the industry into a one-size-fits-all requirement ends up drawing away
funds that could be put toward more effective solutions. Thus, a mandated requirement is
not necessary or desirable. Simply put, since card issuers are liable for any
losses, they have a natural incentive to ensure that accounts are not used fraudulently.
Mr. Chairman, I appreciate the opportunity to appear before this committee to discuss
this important subject. I look forward to answering any questions you or the committee may
have.
Simple Steps to Safeguard Your Identity
(Print this article in your communication with constituents)
Up to 500,000 individuals are victims each year of identity theft, a fast-growing form
of fraud. Fortunately, a few simple steps can help ensure you stay out of these
statistics.
"Identity theft" or "account takeover fraud" involves criminals
stealing a person's personal information. The crooks assume a person's identity,
apply for credit in his or her name, run up huge bills, stiff creditors and generally
wreck the victim's credit record.
Banks put a combination of safeguards in place to protect customers, including employee
training, rigorous security standards, data encryption and fraud detection. You can take
these steps to avoid becoming a victim:
- Don't give your Social Security or account numbers to anyone over the phone unless
you initiated the call.
- Tear up receipts, old account statements and unused credit card offers before throwing
them away. Crooks could steal information from your trash and use it to get credit in your
name.
- Review your account and credit card statements as soon as you receive them to check for
unauthorized transactions.
- Protect your PINs and computer passwords; use a combination of letters and numbers and
change them often. Never carry this information with you!
- Order copies of your credit report once a year to ensure accuracy. Call any of the three
national credit reporting agencies: Trans Union (800) 888-4213, Equifax (800) 685-1111 and
Experian (888) 397-3742.
- Report any suspected fraud to your bank and credit card issuers immediately so they can
start to close accounts and clear your name right away.
By law you are only liable for the first $50 of unauthorized charges against a credit
card account. Still, restoring your identity can be a tremendous inconvenience. It's
worth your while to exercise a little preventive maintenance. Protect yourself against
this terrible crime.
For more personal finance tips, visit the American Bankers Association's Consumer
Connection at www.aba.com.
Steps to Take if You are a Victim of Identity Theft
(Include these steps when communicating to your constituents)
If you suspect misuse of your personal information to commit fraud, take action
immediately. Keep a record of all conversations and correspondence when you take
the following suggested steps:
1) Contact your financial institutions & credit card issuers immediately so
that the following can be done: access to your accounts can be protected; stop payments on
missing checks; personal identification numbers (PINs) and online banking passwords
changed; and a new account opened, if appropriate. Be sure to indicate to the financial
institution or card issuer all of the accounts and/or cards potentially impacted including
ATM cards, check (debit) cards and credit cards. Customer service or fraud prevention
telephone numbers can generally be found on your monthly statements. Contact the major
check verification companies to request they notify retailers using their databases not to
accept these stolen checks, or ask your bank to notify the check verification service with
which it does business. Three of the check verification companies that accept reports of
check fraud directly from consumers are: Telecheck (800) 710-9898, International Check
Services (800) 631-9656 and Equifax (800) 437-5120.
2) File a police report with your local police department. Obtain a police
report number with the date, time, police department, location and police officer taking
the report. The police report may initiate an investigation into the loss with the goal of
identifying, arresting and prosecuting the offender and possibly recovering your lost
items. The police report will be helpful when clarifying to creditors that you are a
victim of identity theft.
3) Contact the three major credit bureaus and request a copy of your credit
report. Review your reports to make sure additional fraudulent accounts have not been
opened in your name or unauthorized changes made to your existing accounts. Check the
section of your report that lists "inquiries." Request the "inquiries"
be removed from your report from the companies that opened the fraudulent accounts. In a
few months, order new copies of your reports to verify your corrections and changes to
make sure no new fraudulent activity has occurred. Request a "fraud alert" for
your file and a victim's statement asking creditors to call you before opening new
accounts or changing your existing ones. This can help prevent an identity thief from
opening additional accounts in your name. Here are the major credit bureaus and their
phone numbers: Equifax (800) 525-6285, Experian (888) 397-3742 and Trans Union (800)
680-7289.
4) Check your mailbox for stolen mail. Make sure no one has requested an
unauthorized address change, title change, PIN change or ordered new cards or checks to be
sent to another address. If a thief has stolen your mail to get credit cards, bank and
credit card statements, pre-screened credit offers or tax information, or if an identity
thief has falsified change-of-address forms, that's a crime. Contact your local post
office and police.
5) Maintain a written chronology of what happened, what was lost and the steps
you took to report the incident to the various agencies, financial institutions and firms
impacted. Be sure to record the date, time, contact telephone numbers, person you talked
to and any relevant report or reference number and instructions.
Sec. 1028. Fraud and related activity in connection with identification documents and information
- (a) Whoever, in a circumstance described in subsection (c) of this section -
- (1) knowingly and without lawful authority produces an
identification document or a false identification document;
- (2) knowingly transfers an identification document or a false
identification document knowing that such document was stolen or
produced without lawful authority;
- (3) knowingly possesses with intent to use unlawfully or
transfer unlawfully five or more identification documents (other
than those issued lawfully for the use of the possessor) or false
identification documents;
- (4) knowingly possesses an identification document (other than
one issued lawfully for the use of the possessor) or a false
identification document, with the intent such document be used to
defraud the United States;
- (5) knowingly produces, transfers, or possesses a
document-making instrument with the intent such document-making
instrument will be used in the production of a false
identification document or another document-making implement
which will be so used;
- (6) knowingly possesses an identification document that is or
appears to be an identification document of the United States
which is stolen or produced without lawful authority knowing that
such document was stolen or produced without such authority; or
- (7) knowingly transfers or uses, without lawful authority, a
means of identification of another person with the intent to
commit, or to aid or abet, any unlawful activity that constitutes
a violation of Federal law, or that constitutes a felony under
any applicable State or local law;
shall be punished as provided in subsection (b) of this section.
- (b) The punishment for an offense under subsection (a) of this section is -
- (1) except as provided in paragraphs (3) and (4), a fine under
this title or imprisonment for not more than 15 years, or both,
if the offense is -
- (A) the production or transfer of an identification document
or false identification document that is or appears to be -
- (i) an identification document issued by or under the
authority of the United States; or
- (ii) a birth certificate, or a driver's license or personal
identification card;
- (B) the production or transfer of more than five
identification documents or false identification documents;
- (C) an offense under paragraph (5) of such subsection; or
- (D) an offense under paragraph (7) of such subsection that
involves the transfer or use of 1 or more means of
identification if, as a result of the offense, any individual
committing the offense obtains anything of value aggregating
$1,000 or more during any 1-year period;
- (2) except as provided in paragraphs (3) and (4), a fine under
this title or imprisonment for not more than three years, or
both, if the offense is -
- (A) any other production, transfer, or use of a means of
identification, an identification document, or a false
identification document; or
- (B) an offense under paragraph (3) or (7) of such subsection;
- (3) a fine under this title or imprisonment for not more than
20 years, or both, if the offense is committed -
- (A) to facilitate a drug trafficking crime (as defined in
section 929(a)(2));
- (B) in connection with a crime of violence (as defined in
section 924(c)(3)); or
- (C) after a prior conviction under this section becomes
final;
- (4) a fine under this title or imprisonment for not more than
25 years, or both, if the offense is committed to facilitate an
act of international terrorism (as defined in section 2331(1) of
this title);
- (5) in the case of any offense under subsection (a), forfeiture
to the United States of any personal property used or intended to
be used to commit the offense; and
- (6) a fine under this title or imprisonment for not more than
one year, or both, in any other case.
- (c) The circumstance referred to in subsection (a) of this section is that -
- (1) the identification document or false identification
document is or appears to be issued by or under the authority of
the United States or the document-making implement is designed or
suited for making such an identification document or false
identification document;
- (2) the offense is an offense under subsection (a)(4) of this
section; or
- (3) either -
- (A) the production, transfer, possession, or use prohibited
by this section is in or affects interstate or foreign
commerce; or
- (B) the means of identification, identification document,
false identification document, or document-making implement is
transported in the mail in the course of the production,
transfer, possession, or use prohibited by this section.
- (d) In this section -
- (1) the term ''document-making implement'' means any implement,
impression, electronic device, or computer hardware or software,
that is specifically configured or primarily used for making an
identification document, a false identification document, or
another document-making implement;
- (2) the term ''identification document'' means a document made
or issued by or under the authority of the United States
Government, a State, political subdivision of a State, a foreign
government, political subdivision of a foreign government, an
international governmental or an international quasi-governmental
organization which, when completed with information concerning a
particular individual, is of a type intended or commonly accepted
for the purpose of identification of individuals;
- (3) the term ''means of identification'' means any name or
number that may be used, alone or in conjunction with any other
information, to identify a specific individual, including any -
- (A) name, social security number, date of birth, official
State or government issued driver's license or identification
number, alien registration number, government passport number,
employer or taxpayer identification number;
- (B) unique biometric data, such as fingerprint, voice print,
retina or iris image, or other unique physical representation;
- (C) unique electronic identification number, address, or
routing code; or
- (D) telecommunication identifying information or access
device (as defined in section 1029(e));
- (4) the term ''personal identification card'' means an
identification document issued by a State or local government
solely for the purpose of identification;
- (5) the term ''produce'' includes alter, authenticate, or
assemble; and
- (6) the term ''State'' includes any State of the United States,
the District of Columbia, the Commonwealth of Puerto Rico, and
any other commonwealth, possession, or territory of the United
States.
- (e) This section does not prohibit any lawfully authorized investigative, protective, or
intelligence activity of a law enforcement agency of the United States, a State, or a
political subdivision of a State, or of an intelligence agency of the United States, or
any activity authorized under chapter 224 of this title.
- (f) Attempt and Conspiracy. - Any person who attempts or conspires to commit any offense
under this section shall be subject to the same penalties as those prescribed for the
offense, the commission of which was the object of the attempt or conspiracy.
- (g) Forfeiture Procedures. - The forfeiture of property under this section, including
any seizure and disposition of the property and any related judicial or administrative
proceeding, shall be governed by the provisions of section 413 (other than subsection
(d) of that section) of the Comprehensive Drug Abuse Prevention and Control Act of 1970
(21 U.S.C. 853).
- (h) Rule of Construction. - For purpose of subsection (a)(7), a single identification
document or false identification document that contains 1 or more means of identification
shall be construed to be 1 means of identification.
Spotting Pretext Calls
There are a number of indicators that what at first appears to be a
routine and valid request for customer information may instead be a pretext call. The
presence of any one of these indicators or a combination thereof does not always indicate
a pretext attempt. Financial institutions receive numerous requests every day for customer
information. In many of those requests one or more of the following indicators may be
present and be perfectly innocent. However, financial institution employees should be
aware of these potential indicators and review them on a regular basis in order to be
prepared to spot a potential pretext.
- Missing Information
--Any call or request for customer information where the
institution-defined requirements for gaining access (PIN, password, last date of deposit
and amount, etc.) are not met.
- Non-customer Calls
--Any call where the requestor of information is not the customer.
- Calls Placed From Numbers Other Than Those Listed On The Customer's Account
--If an institution has caller identification capabilities, employees should note whether the
phone number displayed matches the phone number(s) associated with the customer account.
Particular attention should be given to calls placed from outside the local calling area
of the customer and calls that have been placed blocking the caller identification
feature.
- Callers That Are Hesitant Or Refuse To Give A Callback Number
--Any caller that
refuses or hesitates in providing the number they are calling from may be concerned about
the call being traced back to them. Many pretext callers will immediately hang up if
confronted with a courteous request for the number they are calling from.
- Out Of The Ordinary Request
--Any call that is out of the ordinary in the type of
request made. This includes requests for faxes of account information or statements to
numbers outside the local calling area of the customer and requests to mail duplicates of
account information to an address other than that on the customer account.
- Overly Aggressive Callers
--Any caller that becomes belligerent or aggressive
when asked routine account identifying information. A favorite demeanor of pretext callers is to
bully the employee into releasing information by threats to speak to a supervisor; close
an account; or, make a complaint about the employee.
- Overly Talkative Callers
--Callers that appear to be laying out a story
concerning why they need to bypass the access rules of the institution or who appear to be
attempting to distract the employee with excessive chit-chat while posing more account
related questions may be constructing a pretext. The best pretexts have the employee
offering information not even requested in an attempt to assist the "confused
caller".
- Overly Absent Minded Callers
--Callers that appear to be overly confused or
absent minded and are unable to provide even basic biographical information may be placing
a pretext call. Many pretexts rely on placing many calls to the institution and picking up
one piece of information at a time until enough data is developed to convince the
institution that the caller is the legitimate account holder.
Most importantly, remember the pretext caller is a confidence artist.
The basis of the confidence game for the pretext caller is to take advantage of the
financial services industry's reputation as a customer-service-oriented profession. By
appealing to the emphasis placed on customer service within the industry, the pretext
caller attempts to obtain information they are not legally entitled to. If it feels like a
con, it probably is.
Handling A Possible Pretext Call
All financial services industry institutions should develop policies
and guidelines for employees to follow when a pretext call is suspected. It must be
stressed that the policies and guidelines are to be followed without exception by all
employees of the institution. Considerations for policies and guidelines should include:
- No Variation From Customer Information Access Procedures
--Whatever customer
information access procedures are determined to be appropriate for the individual
institution should be strictly enforced. No frontline employee should have the authority
to deviate from the stated procedures. Legitimate customers will appreciate security
procedures when it is explained that the procedures are in force to protect their valuable
information. Frontline employees should be instructed that they could be dismissed from
their job for deviating from the institution's customer information security
procedures.
- Routing Suspected Pretext Calls To A Supervisor Or Security Official
Any suspected
pretext call should be brought to the immediate attention of a supervisor or security
official within the institution and if feasible the call should be routed to that
official. Many pretext attempts will end with a hang-up by the pretext caller as soon as a
transfer to another official begins. Many pretext callers would prefer to end the call and
try again at a later point than deal with a supervisory or security official.
- Recording Suspected Pretext Calls
Where applicable state and federal laws
permit, consideration should be given to recording any suspected pretext calls. Several
successful prosecutions of pretext callers have been based upon recorded attempts at
gaining access to customer information.
- Notation Of Suspected Pretext Calls
At all times employees should make note of
any suspected pretext call. If possible, notation should be on the individual account so
if further attempts to gain access occur other institution employees will be aware of the
history of pretext attempts on the account. The notes should include the method of the
suspected pretext. Pretext callers will repeatedly call an institution and speak with
different employees until they gain access. Notes on the account of attempted access can
serve to notify other employees to give the account special attention.
- Request A Callback Number
Requesting a callback number will often assist in
determining if the call is a pretext. Many pretext callers will immediately hang up when
asked to provide a callback phone number. If the number does not match the phone numbers
associated with the account, ask the caller where they are and who is the owner of the
callback phone number. Most legitimate callers will not mind providing that information
and will be impressed with your security efforts on their behalf.
Stopping Pretext Calls
The federal banking agencies are proposing standards for protecting customer
information. Consideration should be given to creating a separate plan or portion of the
overall security plan to cover pretext training. The following elements are part of that
plan:
- Customer Information Security Plan
All institutions should have a customer
information security plan. The plan must recognize and address the threat of pretext calls
to the integrity of customers' personal information and the reputation of the
institution. An analysis of the institution's policies on disclosure of customer
information should be performed to determine who currently has authority to release
information and under what circumstances the release can be made. Procedures should then be
adopted that restrict who may release information, and under what circumstances,
given the reality of pretext calls.
- Do Not Deviate From Customer Information Security Procedures
Once a
comprehensive plan has been developed to maintain customer information security it must be
adhered to uniformly. Supervisors should demonstrate to frontline personnel that they take
the procedures seriously by both following the procedures and enforcing them uniformly
within the institution.
- Use Authorization Codes Or Passwords
Institutions should use authorization
codes or passwords for any release of information by phone, fax or other telecommunication
device. The code or password should be unique and not consist of other identifying
information such as social security number, mother's maiden name, account numbers or
PINs for automated teller transactions.
- Refer Questionable Calls To A Supervisor Or Security Official
A supervisor or
security official within the institution should handle all calls that are questionable or
suspicious. The act of routing a call to a supervisor or security official will deter most
pretext callers for fear of further scrutiny of their actions. Legitimate customers will
appreciate the attention being provided to maintaining the integrity of their account.
- Educate Employees
All employees are potential targets of pretext. All employees
should receive regular and repeated education and training in order to understand what
pretext calls are and how to handle potential pretext calls in conformity with the overall
information security procedures of the institution. Employees need to be repeatedly
reminded that the integrity of the financial services industry relies upon the ability of
the industry to protect customers' assets, including customer information.
- Test Your Customer Information Security Procedures
Internal or third party
pretext testing should routinely evaluate any customer information security procedure.
This will help to determine weaknesses in either procedures or training that can be
addressed in order to maintain the highest security possible.
Educate customers about the high degree of emphasis
placed on customer information security by the institution. Remind customers that they
should never provide their customer information to anyone over the phone unless the
customer initiated the phone call and is 100% certain whom they are dealing with. When
dealing with a difficult customer who wants access to their information but is unable to
provide appropriate identifying access information, stress that the procedures of the
institution are designed to protect their assets from identity thieves.
- Report Suspicious Advertisements By Information Brokers, Private Investigators,
Collection Agencies And Others In Your Area
Be aware of advertisements you see in
local publications, trade journals, magazines, yellow pages, and on the Internet referring
to the ability to locate "assets", particularly advertisements claiming to be
able to locate bank account, credit card, stocks, bonds, mutual funds and insurance
information. Unscrupulous users of pretext are notorious for claiming within their
advertisements that they follow all applicable laws and require appropriate documentation
before performing "asset investigations". This has been proven to be
historically false. With the enactment of the Gramm-Leach-Bliley Act, there are very
precise limited exceptions to the prohibition of the use of pretext to gain customer
account information. Most advertisements currently reviewed misstate those exceptions in
an attempt to mislead the public. Report suspicious advertisements to local and federal
law enforcement and regulatory bodies including the Federal Trade Commission.
- Report Pretexting to the Appropriate Authorities
Any cases of suspected pretext
should be reported to appropriate legal authorities and the Federal Trade Commission and
prosecuted to the fullest extent possible. Most information brokers and private
investigators are refusing to accept asset investigations in the State of Massachusetts
because of the State's aggressive prosecution of pretext callers.
____________________________
1. SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.
(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY
FALSE PRETENSES- It shall be a violation of this subtitle for any person to obtain or
attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any
person, customer information of a financial institution relating to another person-- (1)
by making a false, fictitious, or fraudulent statement or representation to an officer,
employee, or agent of a financial institution; (2) by making a false, fictitious, or
fraudulent statement or representation to a customer of a financial institution; or (3) by
providing any document to an officer, employee, or agent of a financial institution,
knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently
obtained, or contains a false, fictitious, or fraudulent statement or representation.
2. In fact, about two-thirds of the states have similar identity theft laws.
3. There are several other bills that are designed to address
the identity theft problem (e.g., limiting the use of social security numbers) but they
too can have unintended consequences.