Online Banking and Identity Theft

December 2003

There's a surprise in store for the technophobes among us: When it comes to identity theft, the Internet turns out to be a godsend to banks and their customers. In fact, a recent study has found that online banking, far from being the weak link in the financial chain, actually enhances security against identity theft.

 

James Van Dyke, founder and principal analyst of Javelin Strategy and Research, a Silicon Valley-based consultant for financial services companies, has recently released a report that quantifies the benefits to banks of online account management. Its findings in the area of identity theft and related fraud are especially noteworthy. Van Dyke — who also contributes to Online Banking Report, a leading industry publication — calculates that approximately 10 percent of the $50 billion annual cost that identity theft inflicts on the industry could be avoided if consumers adopted online account management and electronic statements. Among his conclusions are these attention-grabbing estimates:

• Earlier detection of identity theft and account takeover via online account management and email alerts would save the industry $2.5 billion. 
• The reduction in stolen paper statements brought about by replacing them with electronic statements would save another $2.4 billion.

As for the supposedly higher risk to consumers who engage in online transactions, Van Dyke says it's mythical — a widely credited but erroneous belief that stems largely from the average consumer's discomfort with new technologies. In reality, he asserts, a consumer stands a greater chance of getting hit by lightning than of becoming a victim of fraud or identity theft when using electronic bill payment and account services. As consumers get past their fear of the unknown — presumably by knowing a little more about the thing they fear — Van Dyke believes they'll realize that online account management is one of the best tools available for limiting damage from identity theft.

Turning Off the Paper

In addition to saving consumers and businesses $5 billion each year, "turning off the paper" can help prevent more than one million cases of identity theft, says Van Dyke. That's partly because viewing and paying bills and statements online eliminates two of the most common techniques used by identity thieves: mail theft and "dumpster diving" for sensitive personal information. It also makes such information far less accessible to prying eyes inside the recipient's home or business. As Van Dyke notes, "The biggest sources of identity theft are friends and family, and a paper shredder is not going to help you with that. By the time you shred the document, someone has already seen it."

Consumers also bring a different rhythm to online account management. "When people look at their online statements, they look four times per month on average, compared to their once-monthly paper statement," Van Dyke explains. "Plus, the data is more current instead of being locked in a 30-day window." These more frequent looks at more up-to-date data are yet another way in which turning off paper bills can help reduce the costs of identity fraud. The damage from identity theft mounts with each additional hour that the criminal is able to exploit the stolen information. Online banking tends to reduce the criminal's window of opportunity, says Van Dyke. "Banks need to embrace email and account alerts, and give their customers online features so they can be more vigilant."

Of course, there is a significant potential problem with storing and transmitting data electronically: A database can be a supremely sweet target for identity thieves. For banks and for their customers, digital security thus takes on an importance analogous to the physical security exemplified by vaults and armored cars. As analyst Ariana-Michele Moore of Celent Communications argues, "The greater risk is taking that paper data, storing it in a computer database, and having that system breached. Instead of getting information one bit at a time on paper, a thief can get all that data at once with a click of the finger."

Balancing Protection and Privacy

There's another issue waiting in the wings for unwary financial institutions: consumer privacy. Any system that provides an effective shield against identity theft also runs the risk of conjuring up privacy concerns and related objections from consumer watchdog groups. In its broadest form, the concern is that such a system could put the bank — or the government, for that matter — in a Big Brother role. Unfortunately, says analyst Ariana-Michele Moore, any firm that implements a truly efficient identity theft defense is likely to get tagged with just such a title. From a financial institution's point of view, the optimal system would include a huge database with complete data on each consumer — name, Social Security number, residential address, spending habits, and so on. Such a system could easily validate information about a consumer and recognize abnormal patterns that might indicate fraud. The downside is that for many people, such safeguards constitute a significant threat to their individual freedom.

One exemplary instance is the firm ImageData, now known as Identico. ImageData developed a product called TrueID that incorporated driver's license photos into a fraud prevention system. At the point of sale, a merchant would scan the license into an ImageData device. If the license was valid, a photograph of the person would be displayed; the merchant could then compare that photo with the person awaiting approval.

This solution was seen by many as a powerful precursor to the use of biometrics; the firm even received a $1.5 million grant from Congress. But the system's original design called for the system to be populated with photographs from state Departments of Motor Vehicles. The South Carolina Attorney General's Office immediately objected that the photos were being used without consumer consent. Today, after a brief period of discomfort, the company has adopted a modified solution that follows an opt-in protocol rather than an automatic enrollment model — providing a fine example of how a company can adapt its solution to consumer concerns, while still offering the industry a viable method for preventing fraud.

Another privacy brouhaha was provoked recently when the Bush administration suggested giving financial services firms access to the Social Security Administration database for use in verifying applications. The administration argued that this would give financial institutions instant confirmation of the name in which a given Social Security number had been issued, benefiting both banks and consumers. But the proposal was strenuously criticized by privacy groups, who insisted that this was an inappropriate use of Social Security records — and that the danger of disseminating this information so widely was simply too great.

The Bigger Issue: Consumer Confidence

There is a fine line between protecting consumers and invading their rights and their privacy — and the issue won't be going away anytime soon. The unfortunate result may be that privacy concerns — however legitimate — will be a barrier to developing effective measures for preventing identity theft. One way of keeping this conflict in check may be to give customers access to their information. However, this could in turn become a breeding ground for further identity theft, since such a database would also be a gold mine for would-be scammers. And so the challenge continues.

Mark Coons, president of American Special Risk, is in the business of insuring banks against identity theft losses. As he's quick to point out, though, such losses are only part of the banks' problem with identity theft. If banks don't address its impact on customers, says Coons, identity theft could eventually erode trust in the institutions themselves. "In the short term, the issue is monetary loss," he explains. "In the longer term, the catastrophic loss exposure here is consumer confidence."