While the fraud at Wells Fargo is troubling in every aspect, it points to a larger problem: How were thousands of employees able to open bogus accounts, and in some cases transfer money out of real consumer accounts, all without the consumer being involved?
To paraphrase the movie "Cool Hand Luke," what we have here is a failure to authenticate.
As widely reported in September, Wells Fargo employees submitted applications for more than half a million consumer credit card accounts and 1.5 million deposit accounts, unbeknownst to the consumers whose names were associated with these accounts.
In some cases bank employees went as far as to create fake email addresses and PINs. It was more than an annoyance for consumers — they racked up delinquency fees and their credit records were damaged in many cases.
The employees were incentivized to open the accounts to hit numbers so they would receive bonuses, or at least keep their jobs. Wells Fargo has fired 5,300 employees related to the behavior and was fined $185 million by the Consumer Financial Protection Bureau, and ordered to issue $5 million in refunds to customers.
Less appreciated is the problem that in addition to motivation, the employees were given the means to commit fraud. They had enough access to consumers' personal information to open the accounts — full name, date of birth, Social Security number, address, etc. — to pass a single, knowledge-based factor of authentication.
Had Wells Fargo simply complied with Federal Financial Institutions Examination Council guidelines on multifactor authentication across all channels, there would have been substantially less fraud.
Setting up a new account requires consent. Consent requires a customer interaction. The guidance makes it clear that two factors of authentication should be used for each interaction.
We know the bank did not comply because if it had, a consumer would have needed to be involved on each account opening. Banking requires at least two separate factors of authentication (asking two knowledge questions is not two separate factors).
The first factor is something you know, for example a Social Security number. By itself, this is easy to beat.
The second factor can be something you own, such as a driver's license, debit card, computer or mobile device. This is very hard to beat.
Alternatively, that second factor could be something you are — i.e., a biometric such as a voice or fingerprint. This is also hard to beat.
Beating two authentication factors on thousands of accounts without tripping an internal auditing system? Impossible.
While the Wells Fargo fraud was perpetrated by insiders who had access to consumer data, that doesn't limit the failure. With the preponderance of data breaches the last few years, many consumers have personal information floating around on the dark web available for purchase. It's more important than ever that our federally insured banking institutions comply with regulatory authentication guidance.
It's well past time that strong adherence to authentication rules, as well as the enforcement of those rules, became the new normal. Not only will that protect the consumer but it will protect financial institutions from threats both inside and outside.
Don Thibeau is the chairman and president of the Open Identity Exchange, a global trade group focused on identity authentication that promotes collaboration among competing firms to build trust in digital transactions.