Top Banks Named in New Identity Theft StudyReport Examines Incidents at Major U.S. Financial Institutions
The study, published by the Center for Law and Technology at the University of California, Berkeley, draws from thousands of consumer complaints to the Federal Trade Commission over a three-month period in 2006 - reports obtained by the study's author through Freedom of Information Act requests -- and lists the number of incidents reported not just at banks, but also at top utilities and retail merchants.
Bank of America is named as the institution with the highest frequency of Identity Theft complaints, followed by AT&T, Sprint/Nextel, JPMorgan Chase and Capital One in the top five.
The top five financial institutions listed are Bank of America, JPMorgan Chase, Capital One, Citibank and American Express. Washington Mutual, Wells Fargo, Discover, HSBC and Wachovia round out the top 10 institutions listed. No credit unions are listed among the top 25.
But while the release of this study comes with caveats -- the data is two years old, drawn from a small sample in one year, and relies solely on consumers' perception of where/how Identity Theft incidents occurred - consumer advocates nevertheless hope this first-of-its-kind report turns up the heat on financial institutions to better educate and protect their customers from the threat.
"I still don't think this information is really actionable for consumers, but it is actionable for banks," says the study's author, Chris Hoofnagle, a consumer privacy attorney and senior fellow at the Center. "A lot of people in the banking industry are already writing to me and saying, 'Hey, look at this.' For now, the goal is to get banks talking, because currently they're not. Instead, they're using proxies to engage in the debate in the form of commercials that don't inform the consumer."
Inside the Numbers
Hoofnagle's research began in May 2007, when he filed a Freedom of Information Act request with the FTC for the names of companies and institutions identified in consumer Identity Theft complaints over the previous two years. In light of the sheer number of complaints in 2006 alone - 246,035 - Hoofnagle settled for receiving data from 88,560 complaints from the randomly-selected months of January, March and September 2006. Of those complaints, 42,262 named institutions identified by victims re: fraudulent accounts established in their names or current accounts hijacked by thieves.
In all, Hoofnagle found that the top 25 institutions - banks, utilities and retailers -- account for 50% of the identity theft complaints lodged with the FTC.
Diving deeper, looking solely at banks, Hoofnagle divided the estimated number of incidents by each bank's total deposits to arrive at an estimated rate of Identity Theft per $1 billion in deposits.[See chart.]
By raw count, Bank of America leads the pack of all institutions with 1,117 complaints per month in 2006. When projected annually and divided by per billion of deposits, however, HSBC fares the worst, with 21 incidents per billion annually (BoA has 18). ING, in contrast, has less than one incident per billion annually.
Once Hoofnagle's research went public, banks quickly fired back, saying the study is flawed. Bank of America representative Betty Reiss says the study doesn't jibe with independent surveys that have shown Bank of America as one of the top banks when it comes to protecting consumers from ID theft.
What's more, says Reiss, "if somebody who is a customer of Bank of America is a victim of Identity Theft, it doesn't necessarily mean that the theft, or compromise, originated at Bank of America. A lot of times consumers don't know how the identity theft originated or where it originated."
Hoofnagle's approach may even be counter-productive, says Doug Johnson, vice president for risk management policy at the American Bankers Association in Washington, D.C. Today, he says, banks cooperate through institutions like the Financial Services Information Sharing and Analysis Center to combat fraud -- a system that could be undermined by making Identity Theft protection a competitive factor among banks. "Institutions have every motivation already [to combat ID fraud] in order to protect not only their customer, but their institution," Johnson says.
The FTC reluctantly complied with the FOIA request, says agency ID theft expert Betsy Broder, fearing consumers might misinterpret the data. There's already evidence that consumers are drawing errant conclusions based on the Berkeley study, she says.
The agency has several concerns about Hoofnagle's methods. First, the consumer complaints are anecdotal and are primarily used for law enforcement purposes, not scientific research. What's more, they only represent a small slice of total numbers of thefts, as well, meaning that any conclusions drawn from them will lack context.
"There's a lack of clarity as to what these numbers mean," says Broder. "Does it mean the accounts were opened at the bank, that information was obtained at the bank and used elsewhere -- it's not clear what consumers are indicating. The best you can say is it's anecdotal and doesn't necessarily reflect national trends, and it doesn't necessarily suggest that this listing of companies correlates with overall fraud trends at any one of these financial institutions. Maybe it does, maybe it doesn't."
A Crucial First Step
But that's exactly the point, consumer advocates say. Proponents say such studies are critical for consumers trying to navigate a world of digital identities without the benefit of hard data about the form and frequency of threats. Instead, as Hoofnagle points out in the study, they face humorous commercials from banks such as CitiBank, which had an average of 413 complaints per month in 2006 and ranked among the banks most cited by consumers.
Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse in San Diego, says the Berkeley study has one major problem: the two-year-old data is stale. On the other hand, he says, consumer discussion boards have been mentioning the same banks that Hoofnagle points out in his study -- especially fraud concerns by consumers around HSBC. "Perhaps he's picked up on something here," says Stephens.
At the very least, these kinds of government data are likely to dramatically change the equation for financial institution security officers, experts say. The study comes as the banking community is already preparing to meet compliance with the Identity Theft Red Flag Rules set to take effect in November.
"Banks don't want Identity Theft going on, and they want to discourage it, but the question is whether they're doing everything they can or whether they need to adopt new procedures or security measures that would cut down on this sort of thing, and whether there should be regulation to require some kind of minimum security standard to prevent Identity Theft," says Mark Budnitz, a consumer law professor at Georgia State University in Atlanta. "Right now, it seems apparent to me that this is something banks would rather deal with themselves quietly ... yet Identity Theft is an epidemic with very serious consequences ... and [occurrence of Identity Theft] is an essential ingredient in whether consumers are going to trust banks."
Warts and All
The three biggest caveats to the study are that it underreports the issue because it relies solely on consumer complaints; there's nothing in the data distinguishing new accounts from account takeovers, which are two essentially different crimes with different implications for banking institutions; and the denominator -- total deposits -- is not as accurate as the number of total customer accounts would be.
Such flaws are no reason to keep the data bottled up, Hoofnagle says. In fact, the researcher says he'll continue to request information and fine-tune his research to make it more actionable. An upcoming report, he says, will have enough information for consumers to start making decisions based on his figures, raising the stakes even more for banking security divisions from Los Angeles to Boston.
"Yes, some of these events are going to be caused by the negligence of the consumer," Hoofnagle says. "I don't think that weighs in favor of suppressing all the data."