The fight between financial institutions and fraudsters is an eternal one, and a key battlefield remains identifying customers at the initial point of interaction and onboarding.
In short, making sure that a person or entity is who they say they are is difficult in the digital age.
New practices determining how banks collect Social Security data from customers spotlight the frictions between security and risk — not just to the banks, but to the customers themselves.
The Financial Crimes Enforcement Network (FinCEN) began seeking commentary March 28 on new rules tied to the Customer Identification Program that mandate how banks collect Social Security data, specifically on collecting the full nine digits rather than just the final four numbers, while using a third party to obtain the full Social Security number.
“Generally, for a customer who is an individual and a U.S. person, banks are required to collect a full Social Security number (SSN) from a customer,” FinCEN said in an announcement at the time.
The request for information was proposed in consultation with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., the National Credit Union Administration and the Board of Governors of the Federal Reserve System.
The initial request seeks to “evaluate the risks, benefits and safeguards” if banks are given the go-ahead to collect partial SSN information from customers (a practice known as combined collection).
“Since the CIP Rule was adopted in 2003, FinCEN is cognizant that there has been significant innovation in the way that customers interact with financial institutions and receive financial services, as well as significant innovation in the customer identifying information collection and verification tools available to financial institutions,” the agency wrote.
“Many banks now partner with non-bank financial institutions (third-party service providers) to facilitate new financial products and services, such as buy now, pay later (BNPL) loans that extend credit at point-of-sale to customers,” the agency added.
FinCEN also said technology now recognizes more of consumers’ identifying attributes, including “email addresses, geolocation and internet protocol (IP) address locations,” that banks may collect for their “risk-based verification procedures.”
But FinCEN said in the document that permitting partial SSN collection could result in increased fraud. By way of example, failing to get full SSNs could result in increased identity theft.
The commentary period will end May 28.
In the meantime, any pushback on the part of the regulators on the combined collection method would mean that customers would manually input the full string of SSN data, which represents a ripe target online for fraudsters and might dissuade those customers from applying for the products and services in the first place. The financial institutions themselves would conceivably have more sensitive personal data on hand.
The PYMNTS Intelligence report “The State of Fraud and Financial Crime in the U.S.” found that account takeovers, aided by compromised credentials, accounted for 11% of fraudulent transactions. Synthetic IDs represented just under 5% of fraudulent transactions.