Banks need to stop relying on Social Security numbers
Our data is no longer secure. Personal information that we thought was infallible, such as our date of birth or home address, is now all too easily attainable for fraudsters. The Equifax and T-Mobile data breaches, which compromised huge amounts of unique customer data, show that we can no longer be so complacent — especially with regard to Social Security numbers.
SSNs have been central to the American identity infrastructure for years, being used as a key identifier, something it was never designed for. But its value is now in question. For U.S. policymakers, these breaches should act as a wake-up call to decide America’s future relationship with SSNs. For too long there has been an overdependence on SSNs, and more scrutiny as to whether they are used as identifiers in the financial services industry is needed. Even more important is for policies to be implemented with a long-term plan for reducing their use in favor of more secure verification methods.
The way we use SSNs today is completely at odds with the thinking behind their introduction. SSNs were created by the Social Security Administration as a way of tracking the earnings history of workers for benefits. On the bottom of the card it even used to read, "for Social Security purposes, not for identification.” And yet it has since become the de facto national identification method in America. Renting an apartment, applying for a job or opening a bank account often require a user to hand over their SSN as a form of identification. Since its inception, over 450 million SSNs have been issued. However, the numbers have been so widely requested and distributed that they are no longer private, especially given the frequency of data breaches. Proving our identity in this way has meant that many different parties hold personal information on individuals, increasing their susceptibility to identity theft.
U.S. banking processes have also had SSNs baked into their identification process for years. In fact, SSNs have been the gold standard for identifying and verifying the credit history of prospective customers. Most banks have been storing them on old technology at the core of their platforms, making a potential move away from SSNs exceptionally difficult. On top of this, none of the many business units within a bank are connected to each other. For instance, the loans department and checking department will need to prove a customer’s identity separately.
To solve the SSN problem, there’s an onus on banks to take action and reorganize themselves in establishing a central system for proving customer identity. But it’s perhaps unrealistic to expect banks and other financial institutions to go cold turkey with SSNs. Nonetheless, there are several organizations that no longer value collecting SSNs from users and have committed to stop using them altogether. The Aetna health care platform, for instance, has initiated a process of moving away from using SSN as an identifier to protect the privacy of its members, and it no longer allows other companies that work with them to use SSNs as employee ID numbers.
There need to be policy initiatives from the government that improve the current ways in which banks verify a customer’s identity. The recent Economic Growth, Regulatory Relief and Consumer Protection Act included a section on “reducing identity fraud” that directed the Social Security Administration to start offering a new service to financial institutions to electronically verify that a name/SSN/DOB exists. By having electronic consent, banks can verify identities more quickly and at scale and check that an SSN on an application is genuine. It was also encouraging to see the recent announcement of a White House national cybersecurity strategy, which included a commitment from the government to “evaluate how to improve the end-to-end life cycle for digital identity management, including over-reliance on Social Security Numbers.”
But we need to go further in reducing the use of SSNs altogether. A priority for financial institutions when sending someone through an anti-money-laundering process is to have reasonable assurance that the individual is who they claim to be. Because of the lack of a better alternative, this has traditionally been done using an SSN. Instead, new policies are needed to encourage banks to develop technology that allows them to explore the use of other, more secure methods for identity verification. Real-time data (like asking for the last transaction on a debit card), for example, would make it harder for fraudulent actors to gain access to the data.
Modernizing the current identity system in America is crucial to overcome its heavy reliance on SSNs. Banks and government must be involved to make that happen. Having an SSN today makes an individual extremely vulnerable to identity theft. What’s certain is that if we continue to rely on centralised databases holding personal identifiable information used to identify us, we will continue to see large-scale data breaches occur, which then lead to a greater catalog of stolen identities for fraudsters to use. Changing the system will require proactive action from policymakers to get ahead of the problem in a way that enhances security, privacy and convenience for the consumer.