The basis of last week’s NY Times article, “Banks Rely Too Heavily On Social Security Numbers, Report Finds,” stems from the annual Javelin Strategy & Research Banking Identity Safety Scorecard, which looked at the consumer security practices of 25 large banks and credit unions.
In a review of these banks, Javelin found that too many are still using customer Social Security numbers for authentication purposes, a practice that Phil Blank, managing director of security, risk and fraud for Javelin, says hands over key information that criminals use to perpetrate identity theft.
“Customers must provide their Social Security number when opening a bank account, but it shouldn’t be used routinely for other purposes, because telling people to keep their number private but habitually asking for it sends the wrong message. This is something the financial institutions really need to do some work on. The consumer should not be trained that it’s O.K. to give up your Social Security number.”
While I’m sure most financial institutions are aware of the newly published FFIEC guidelines around banking authentication, which go into effect January 2012, I’m a bit surprised that more banking institutions have not yet modified the use of personally identifiable information (PII) like the Social Security number, date of birth or mother’s maiden name for customer authentication.
The stark reality for financial institutions is the customer authentication processes that are being deployed across all channels today are insufficient. With customer satisfaction, profitability, compliance and brand at risk, the industry needs to move in a new direction. Regardless of what drives financial institutions to modify their existing procedures, they will be scrutinized if the current processes used to authenticate customers are not enhanced.
Authenticating customers has become rather problematic. Since Automatic Number Identification (ANI), the use of PII and knowledge-based authentication (KBA) are no longer viable methods for validating caller identity, not to mention the fact that customers don’t like the interrogation that inherently comes along with these processes. Financial institutions need to consider more innovative, cost-effective solutions rather than continually modifying old technologies or simply adding new KBA questions that challenge the goodwill of their customers and add time to every call.
The ability to undetectably validate customers over the telephone channel is a powerful new way to better service customers, minimize the risky handling of PII, and keep fraudsters in check. By non-intrusively identifying customers before a call is answered, the TrustID® network-based Physical Caller Authentication tool simplifies the customer authentication process without relying on KBA, and is paving the way for banks to transform the customer experience while meeting new regulatory scrutiny.
One of the primary benefits of TrustID that I’ve written about is how it is invisible to the criminals and undetectable to upstanding customers. Knowing what inbound calls are high risk prior to answering the call provides financial institutions a huge advantage over the criminals, and provides banks an opportunity to dramatically improve the customer experience through reduced interrogation while fulfilling the FFIEC’s multi-factor authentication best practices for identifying customers.