Two major federal efforts to curb the widespread use of Social Security numbers are putting banks-the largest private-sector users of those nine sensitive numbers-on defense.
Social Security numbers are the crucial piece of data used to commit the 10 million to 15 million cases of identity fraud cited annually. ID theft is the impetus behind a bill recently approved by the House Ways and Means Committee to "bar the sale, purchase or display of a Social Security number in both public and private sectors," with some exceptions. The bill is expected to see a full House vote this fall, but there is no Senate version yet.
The easy availability of Social Security numbers in the public and private sectors, combined with the numbers' widespread use as accurate identifiers, have greatly facilitated ID theft, notes Michael McNulty, the Social Security subcommittee chairman of the Ways and Means Committee. "It is time to place common-sense limits on the use of Social Security numbers by government and businesses in order to reduce their easy availability and ensure the privacy of this sensitive information." The bill, which has 24 other House cosponsors, would require public and private entities to limit access to this data and to use safeguards to prevent breaches.
Separately, the Federal Trade Commission sought comments until recently from the public on the private sector's uses of Social Security numbers, the necessity of those uses and alternatives. The FTC's involvement is part of the President Bush's Identity Theft Task Force.
Analysts say banks privately are adamantly against these efforts, but worry about being perceived as being on the wrong side of a hot consumer issue that contributes so directly to fraud. Jacob Jegher, senior analyst at the Boston-based consultant Celent, warns banks: "If they disagree [about the need to protect the numbers], it does not reflect very positively on them," he says.
In a letter to the FTC, the American Bankers Association says that many of the current uses of Social Security numbers benefit consumers and to limit the banks' use of them would raise "significant regulatory and operational problems for banks and for their customers."
Avivah Litan, vp and analyst at Gartner Inc., says that new-account bank fraud, just one type of ID fraud, is almost exclusively pegged to stolen Social Security numbers. The average loss more than doubled to $5,962 in 2006 from $2,678 in 2005.
Many retail banks have stopped using full Social Security numbers for authentication in telephone and online banking in the past few years, she says, with many institutions opting to use only the final four digits. But most banks still require a customer's full number to open an account or apply for a loan.
Litan says credit can be extended without the use of the full nine-digit number, and cites Bill Me Later as one example. But Social Security numbers are ingrained in banks' IT systems, so it's easier-and less expensive-for banks to continue the practice. "It's not in the bank's best interest to change this," she says.
Celent's Jegher agrees that banks rely too heavily on Social Security numbers and, consequently, put customers at risk. Using a full nine-digit number when extending credit is not problematic, even if banks keep the numbers in a database, he says. But he is convinced that using even a partial Social Security number in telephone banking is too risky. Once an account is opened or a loan is extended, banks should switch to an alternative user ID. Moreover, since up to 70 percent of bank fraud is on the inside, limiting employee access to customers' Social Security numbers may be more important in fighting fraud. (c) 2007 U.S. Banker and SourceMedia, Inc. All Rights Reserved. http://www.us-banker.com http://www.sourcemedia.com