ABA Endorses Customer Identity Verification System

The American Bankers Association endorses ID Point.

The American Bankers Association has endorsed ID Point, an identity verification and validation service of LexisNexis, Inc., Dayton, Ohio.

Based on similar products used by various government agencies, ID Point has been adapted to the needs of banks, insurance companies, brokerage firms and other entities that must implement the customer identification provisions of the USA PATRIOT Act.

LexisNexis developed ID Point in accordance with best-practices guidelines from the ABA, which had been seeking a solution for its members. "We have great expertise in policy and the regulatory aspects of the Patriot Act, the compliance aspects, and the business of banking," said John Hall, spokesman for the ABA. "We developed the product together, telling them how their technology can best comply with the Patriot Act in a way that helps banks as well as their customers, and doesn't impede them."

ID Point searches 330 public record databases using the information requested of a new customer, starting with name, address, Social Security number, date of birth and telephone number. Additional information such as office telephone numbers and prior addresses can also be requested.

Bankers can use ID Point from a Web client for real-time results, or to transmit a batch of names to the National Fraud Center. "The smaller community banks, which may open five accounts per day, are using the HTML version," said James Vaules, CEO of the National Fraud Center and a former section supervisor with the FBI. "Banks that deal with more than 100 a day and thinking of how to integrate it into their overall workflow will probably be using the batch mode."

Each data element is checked against a sizable subset of available public record databases. "We're looking for the database that gives the best result, most often, and that has the most current information," said Vaules. "Once we find the result, we go and check it in a second database, and a third."

ID Point uses the search results to generate a numeric score, indicating the degree to which the public record contains either corroborating information, curious discrepancies, or "red-flag indicators" of fraud. "Red-flag indicators might be that the address provided is a prison or a P.O. box. It could be that the telephone is a disconnected number. It could be that the Social Security number was issued before the date of birth of the person," said Vaules.

"We're trying to make sure that the score that we're returning is as reliable as we possibly can, based upon the available databases," he added.

ID Point offers proactive suggestions for how to correct data entry errors, such as transposed digits. "It'll come back and show you that the information does not match, and it'll also show you what might be the correct match," said Vaules. "It cleans up the data before it returns it."

Thus, ID Point not only protects against identity fraud at account opening, but also supports ongoing data quality initiatives. On some occasions, said Vaules, a customer will purposely misstate a Social Security number. "But most of the time, it's a human error."

Once a customer's identity has been ascertained, ID Point checks the name against government watch lists maintained by the Office of Foreign Assets Control (OFAC) for known or suspected terrorists. Finally, the date-stamped results are filed along with copies of the documents used to open the account, allowing the bank to demonstrate to regulators that a proper search was conducted. "Under the Patriot Act you have to verify identity, you have to save the identity check, and you have to hit against the OFAC list," said Vaules.

Banks are well-advised to go a step further, following the spirit as well as the letter of the law. "There's nothing that I have seen in any of the regulations that say you have to identify who the employee was who conducted the search," said Vaules. "I have a feeling that bank policies and procedures will probably address that."

He added, "If I were a bank, I'd certainly want to know."


ID Dilemma Universal
Banks are not the only institutions that need to improve ID procedures. Merchants continue to suffer from online crime caused, in part, by unverified consumer transactions. Fortunately, businesses plan on adding more ID safeguards this year.
