ICBA's Comments on the FDIC's Study "Putting an End to Account-Hijacking Identity Theft"
February 8, 2005
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA)1 appreciates the opportunity to comment on the Federal Deposit Insurance Corporation's recent study, "Putting an End to Account-Hijacking Identity Theft." ICBA applauds the FDIC's efforts in conducting the study as the financial sector continues its fight against identity theft.
ICBA commends the FDIC for taking steps to address this important topic for community banks and our customers. The ICBA also encourages the FDIC to work with industry firms and associations, along with other federal banking agencies, to address the serious and growing consumer problems associated with identity theft.
Overview of ICBA Comments
ICBA believes that a more consistent definition of identity theft should be instituted throughout the financial services industry; the definition used by the Federal Trade Commission (FTC) is perhaps the most acceptable presently. However, varying definitions only complicate the situation. For example, ICBA believes that rather than account hijacking, "account takeover" is the term currently used and accepted by the industry. Moreover, the ICBA disagrees that account takeover is a form of identity theft, as there are safeguards in the financial system that allow customers to know that their account has been taken over.
ICBA encourages continued dialogue between the public and private sectors through the promotion of information sharing. Furthermore, ICBA member banks would benefit from guidance on identity theft. However, as a general rule, guidance should not be - nor become - a mandatory requirement. Rather, best practices or a series of Q&As would be among the best short-term solutions. Furthermore, ICBA suggests that interagency cooperation and communication throughout the financial industry are critical. ICBA looks forward to participating in such a dialogue.
The ICBA does not agree that two-part authentication is a necessary solution at the present time. As in the case of the Gramm-Leach-Bliley Act, guidelines for safeguarding customer information and many other areas of banking operations, the ICBA believes a risk-based approach would be the most appropriate solution.
Although the use of biometrics is an innovative solution to the security dilemma, implementation could be rather costly and unnecessarily burdensome, especially for community banks. The inherent weaknesses - as set forth in the FDIC's Account Hijacking Study - simply outweigh their benefit at this time. ICBA believes that more examination and a thorough analysis of the results of securing accounts with biometrics is needed, along with a search for alternative methods of securing the sector. At this time, it is premature to begin implementing biometrics across the board.
DEFINITION OF ACCOUNT HIJACKING AND IDENTITY THEFT
ICBA believes that a better definition of identity theft should be created for use across the financial services industry. The ICBA appreciates the seriousness of "account takeover," as a fraud perpetrated against consumers and banks. However, the ICBA has serious reservations about classifying account hijacking as identity theft.
Identity theft, as defined in the FDIC's study on page 4, is "the use of personal identifying information to commit some form of fraud." However, the ICBA believes that there should be a clear distinction drawn between the use of someone's identifying information to perpetrate fraud and fraud involving another's legitimate existing account.
In June 2004, the ICBA filed a comment letter with the FTC raising concerns about the FTC's proposed definition of identity theft. The FTC's final rule defines identity theft as "a fraud that is committed or attempted using a person's identifying information without authority." While ICBA does not fully endorse this definition, the association believes that it would best suit the banking and finance sector and consumers to have a consistent definition.
The ICBA continues to be concerned that a definition that encompasses too many types of fraud dilutes the meaning of identity theft and could have unintended consequences. For example, under the Fair and Accurate Credit Transactions Act of 2003, victims of identity theft are granted numerous rights to protect themselves and to recover from instances of identity theft. The ICBA continues to believe that a narrower definition of identity theft is important to prevent these rights from being diluted. Identity theft should be the abuse of another's identity and not frauds involving another's legitimate accounts.
According to the FDIC's study, "account hijacking" is "the unauthorized access and misuse of existing account information primarily through a scheme known as phishing." Although phishing incidents have not been as extensive at the community banking level compared to larger multi-national financial institutions, its impact has been felt by community banks as phishing is among the fastest growing consumer frauds in the U.S. with far reaching effects on all firms.
While account takeover is a serious problem, the ICBA does not believe that account takeover should be classified as identity theft. First, the person that initially established the account was properly using his or her own identity. Since the account was properly established, that person is in the best position to know if fraud has been committed. For example, the person should be receiving regular account statements and can detect improper charges by reconciling the statement when it arrives. Additionally, as consumers are often warned, if the account statement does not arrive when it should, the customer can contact the financial institution holding the account. This is very different from the situation where a consumer's identity is used to open an account about which he or she has no knowledge and therefore has no means to take steps to address the problem.
It is of great importance that a clear set of definitions be created and utilized across the industry. Presently, there are too many definitions to describe activities and define terms, which prevents the fluidity of discussion. Therefore, a uniform set of acceptable definitions is integral to future discussion about the problem.
While the ICBA disagrees with the FDIC's premise that "account hijacking" is identity theft, the ICBA also believes there are many other elements in the study that are relevant to steps that can and should be considered to address the problems of identity theft.
COMMUNITY BANK EFFORTS TO SAFEGUARD CUSTOMER IDENTIFICATION
Many community banks offer customers online banking services and this delivery channel is becoming increasingly popular. Therefore, ICBA appreciates the FDIC's efforts to offer guidance. ICBA members that offer online banking services continue to take steps to secure their online banking services from fraud, including identity theft, account takeover and phishing, among others.
IT security is important to ICBA member banks and their customers. Encrypting website images to protect against phishing and spoofing attacks, establishing intrusion prevention/detection systems, and implementing policies and procedures to prevent internal changes from compromising the site all protect ICBA member banks from fraudulent attacks. An informal survey of a sample of ICBA members found no successful breaches of the banks' online banking services despite a handful of attempts. ICBA bank customers' accounts are protected using a number of methods: access to online accounts is denied after three consecutive password errors are encountered, websites "time out" after remaining idle for certain time periods, and in some cases customers must be physically present to sign up for online service access.
In addition to taking steps to safeguard customer information, ICBA banks offer educational programs and brochures designed to help community bank customers understand issues surrounding identity theft. In-bank materials, account statement publications, website materials and other methods of education promote identity theft awareness. ICBA and its members are committed to increasing customer knowledge about these issues. This is not only mandated by the federal banking agencies' rules on safeguarding customer information, but also is a matter of good business practice and maintaining good customer relationships. ICBA has made tools available to community banks to help them educate their consumers. ICBA's identity theft brochure entitled "Protect Your Good Name," outlines the preventative measures customers can take to protect their personal assets. Member banks have found these to be useful in their lobbies and as statement inserts.
ICBA believes the industry is currently undertaking appropriate responses to identity theft, and the association has been proactive by educating community banking consumers across the nation. Communications programs such as the Financial Services Information Sharing and Analysis Center (FS/ISAC) have been excellent vehicles to share financial security information.
Information sharing is a key to success in finding a solution to the current dilemmas the financial sector faces; this includes cooperation between the industry, government and other private firms. All could benefit from a discussion of technology issues pertaining to the general topic of online fraud (including identity theft and account hijacking). A banking-security summit could possibly produce an Online Fraud Best Practices document for potential dissemination to trade associations, banks and other sector-related firms. ICBA applauds the FDIC's scheduling of a symposium on this issue on February 11th. ICBA suggests that, like this symposium, future meetings be initiated by a coordinated effort of the federal banking agencies.
AVAILABILITY OF GUIDANCE BY BANKING REGULATORS
ICBA recommends that non-mandatory guidance be provided by the federal banking agencies to improve knowledge regarding terms and viable solutions to the security issues the industry faces. As suggested by one ICBA member, "the regulatory agencies have had a chance to review, question and test a variety of bank security methods. Their accumulated experience and their charter for consumer protection are a good combination for being a well informed and trusted source." ICBA and its members are concerned, though, that any guidance will create regulatory mandates that produce unnecessary burden for the industry, especially community banks. A set of answers to frequently asked questions or a list of suggested best practices, for example, might be a useful approach. However, the ICBA also believes that any such guidance must be developed with input from the industry and through a coordinated effort of all stakeholders, including regulators, vendors and bank customers.
IMPROVING AUTHENTICATION AND ACCESS TO ACCOUNTS
It is important to stress that any methods advocated for protecting the security of bank customers' accounts should be user-friendly and cost efficient for both banks and their customers, yet stringent enough to prevent a hacker or online thief from obtaining personal information and using it for financial gain.
Two-factor authentication is one method currently available to secure information. Many ICBA members use a username and password to authenticate customers, but additional security measures are also taken: hosting the website on a secure server, 128-bit encryption, and firewalls installed by a third party. ICBA recognizes that using a username and password alone does not meet the definition of two-factor authentication.
However, ICBA encourages a risk-based approach to solving the authentication dilemma in the financial industry's continuing effort to secure the sector rather than mandating two-factor authentication at this time. A cost-benefit analysis is an important element to determining what method of authentication is most appropriate. One size does not fit all when defining two-factor authentication; ICBA strongly believes that terms of authentication for customers are best determined by market participants based on a cost-benefit analysis and assessment of risks.
Although there are countless solutions on the market, obstacles prevent their immediate use. For example, customers who receive multiple Key FOBs (referred to as Password-Generating Tokens in the FDIC study) for multiple bank accounts may find this security method unwieldy and inconvenient. These factors must all be considered and carefully evaluated before recommendations are made.
In a similar light, ICBA also believes the use of scanning software to identify and protect against phishing may be appropriate. In the aforementioned ICBA informal survey, slightly more than half of the respondents were unaware that such software existed. Of those that were aware, more than half said they have not considered purchasing the software. Key factors in bankers' decision not to purchase the software were cost and effectiveness. This suggests that enhanced education for bankers about possible solutions is an important component of any effort to address the problem of identity theft. It would be inappropriate to mandate such software for community banks that have minimal risk of phishing attacks.
There are inherent weaknesses with using biometrics to access bank accounts, including cost and inconvenience, especially at the community bank level. As required by the FACT Act, the Treasury Department is undertaking an analysis of the use of biometrics and its possible applications. The ICBA recommends that Treasury's analysis be factored into future discussions.
Additional weaknesses with biometrics are outlined in the FDIC study. For example, page 31 cites at least seven key obstacles found with current applications of biometrics: a lack of universality; difficulty with uniqueness between groups such as identical twins; problems with permanence as people age; collectibility, which may prove to be troublesome; performance, which may be inaccurate; obtrusive means, which may invalidate otherwise acceptable methods of sample collection; and the technology behind biometrics, which may become easier to decipher. While biometrics may be a promising solution in the future, the ICBA believes that it is premature to draw any conclusions about the utility of biometrics as a security device at the present time.
ICBA will continue to promote and support the overall aims and ideas expressed in the FDIC's Account Hijacking study: taking steps to continually safeguard customer information; continuing educational programs to assist consumers' understanding of online fraud such as account hijacking, phishing and spoofing; and continuing dialogue between the public and private sector for the benefit of information sharing. ICBA members and their customers look forward to continued discussion on this topic to assist in the ongoing fight against online fraud.
Should you have any questions or need additional information, please contact the undersigned by telephone at (202) 659-8111 or by e-mail at firstname.lastname@example.org.
Thank you for the opportunity to comment.
1 The Independent Community Bankers of America represents the largest constituency of community banks of all sizes and charter types in the nation, and is dedicated exclusively to representing the interests of the community banking industry. With nearly 5,000 members, ICBA members employ more than 225,000 Americans and hold more than $778 billion in total assets. For more information, visit ICBA's website at www.icba.org.