Banks see red tape in ID theft rule

But a consumer group says the proposal isn’t strong enough

Wednesday, Aug. 16, 2006

by Kevin J. Shay

Staff Writer

A proposed federal rule mandating identify theft programs at financial institutions has some banking officials worried that the result will be not just more red flags, but more red tape.

But a lawyer with a consumers group says the proposal is not strong enough for consumers, as it allows institutions too much leeway to determine just what are red flags.

The Federal Deposit Insurance Corp. recently proposed that banks, credit unions, credit card companies and other financial services businesses must form an identity theft program that involves issuing red flags when an account could be at risk. Financial institutions have until mid-September to comment on the proposal.

The proposed FDIC rule was mandated by the Fair and Accurate Credit Transactions Act of 2003. So banking officials should not feel picked on, even if they already have such programs in place, said John Hall, a spokesman for the American Bankers Association in Washington, D.C.

‘‘It’s something they had to do,” Hall said.

That said, the association has received comments from banking officials concerned about the level of additional paper work required by the new regulation, Hall said.

‘‘They are concerned about if there will be new forms to fill out and those kinds of issues,” he said. ‘‘Banks already follow prevention programs.”

But the proposal allows financial institutions too much discretion to determine which red flags they can alert consumers about, rather than mandating certain ones, said Gail K. Hillebrand, a senior lawyer in the San Francisco office of Consumers Union, the Yonkers, N.Y., nonprofit publisher of Consumer Reports.

‘‘It’s kind of like the fox guarding the hen house,” Hillebrand said.

The proposal also allows institutions to determine what they should do when they detect a red flag, and some might not do enough to make sure customers know their accounts have been compromised, she said.

More than 85 percent of Americans are concerned about identity theft and almost 40 percent know someone who has been affected by the crime, according to a survey commissioned by SunTrust Banks of Atlanta. About 10 million Americans are victims of a form of identity theft each year, with the estimated total cost to businesses and consumers at more than $50 billion, according to the Federal Trade Commission.

Among the banks involved in such incidents is Mercantile Potomac Bank, a subsidiary of Baltimore banking company Mercantile Bankshares Corp., the largest bank headquartered in Maryland with assets of $17 billion. In May, a Mercantile employee had stolen from his car a laptop that contained customer information such as Social Security and account numbers.

‘‘There is no reason to believe the data have been misused,” said Stephen K. Heine, senior vice president for Mercantile Bankshares’ client service group. ‘‘This is certainly not common.”

The bank offered about 49,000 customers a free one-year subscription to a credit-monitoring service.

Another recent incident involved data stolen from the National Institutes of Health’s federal credit union in Rockville. Officials there could not be reached for comment.

Then there is the woman known as the ‘‘Wig Lady,” who has hit banks in Montgomery County and Washington, D.C., wearing various wigs and disguises to take out victims’ money with stolen debit cards and other information. Police say the woman has stolen more than $200,000 from at least 20 older women’s accounts since September.

Some banks already offer identity theft programs that include red flags.

Bank of America, the Charlotte. N.C., giant that has the most deposits in Maryland with $17.5 billion last year, has an identity theft program that is free for online banking customers, a spokeswoman said. The program raises red flags to alert customers to instances such as when there are password changes or unusually high charges on debit or credit cards.

Online customers can also choose a free security feature that requires an extra level of authentication before accounts can be accessed.

SunTrust Banks — the fifth largest bank in terms of deposits in Maryland with $6.4 billion last year and which has the third most branches in the state with 135 — recently rolled out a program with credit-reporting agency Equifax that monitors credit information. Clients with ‘‘preferred” checking accounts can enroll free, a SunTrust spokesman said.

The SunTrust and Equifax program, which normally costs $49 annually, monitors clients’ credit files weekly and notifies them when it spots red flags indicating key changes. Customers also receive up to $2,500 in identity theft insurance.

Provident Bank of Baltimore, the third largest bank headquartered in Maryland with assets of $6.4 billion, works on educating both customers and employees on ways to guard against identity theft, said Eartha Morris, senior vice president of customer information security. For instance, the bank’s Internet site offers information on protecting from online fraud.

‘‘We support any measure to prevent identity theft,” Morris said. ‘‘We are proactive in this area.”

This report originally appeared in The Business Gazette.