The Office of the Comptroller of the Currency detailed safeguards Thursday that national banks should adopt to protect confidential customer data from telephone scam artists.
In an advisory letter to national banks, acting Comptroller Julie L. Williams warned that they could face lawsuits or criminal charges for violating state laws if personal data are revealed without a customer's permission.
"Institutions have an obligation to ensure that their customers' account information is not improperly disclosed," she wrote.
The new guidelines come on the heels of increasing alarm among policymakers over the practices of so-called "information brokers" who dupe employees at financial companies into revealing customer account numbers and balances. Just two weeks ago the House Banking Committee approved a bill that would make it a federal crime to obtain customer information from a financial institution through deceptive or fraudulent means.
Information brokers often pose as bank customers to obtain data they can sell to lawyers, debt collection services, or private investigators. The information is then often used against the victims in lawsuits and other court proceedings. It may also be sought by "identity thieves" planning to empty a victim's financial accounts or open up fraudulent credit card accounts.
To prevent these abuses, Ms. Williams said, banks should tell employees precisely what types of information may be given over the phone and under what circumstances. "All banks should have procedures in place and train employees in the types of things to watch out for," she said in an interview.
She also said banks should prohibit disclosure of account information over the phone unless the caller gives an authorization code similar to an ATM personal identification number. Customers also should be allowed to change their codes regularly, she said.
Ms. Williams warned that many common procedures such as asking for a customer's Social Security number or mother's maiden name are inadequate. Also, the codes should not be ones already in use as checking account or ATM numbers.
"Because of technological advances, some pieces of information that used to be hard to find are now easier to learn," she said.
Banks should also use technological means to protect data, such as caller identification services, she added. "If the phone number on customer records differs from the caller's, an employee should not disclose account information until identification can be verified by other means."
Finally, a bank's internal auditors should periodically try to obtain customer data over the phone, to test how well safeguards are followed. Large banks may even want to hire outside auditors, she said. "Any weaknesses detected should be addressed through the adoption of enhanced training, procedures, and controls."
Bankers suspecting an illicit attempt to obtain confidential data were advised to file a suspicious activity report with banking regulators and to contact the Federal Trade Commission and state law enforcement agencies.
The guidelines were developed with other banking and federal law enforcement agencies, including the Federal Bureau of Investigation and the Internal Revenue Service. The Federal Deposit Insurance Corp., the Federal Reserve Board, and the Office of Thrift Supervision are expected to issue similar guidelines next week.
Though the new guidelines are aimed only at preventing confidential data from being revealed to impostors over the phone, Ms. Williams also urged banks to act to prevent information from being stolen through burglary or illegal access to computer systems.
Employee access to confidential information should be limited on a need- to-know basis, she said, and all sensitive documents should be stored securely or disposed of.
