Reports that the September 11th hijackers opened 35 U.S. bank accounts are causing banks and regulators to reevaluate customer verification procedures.
The hijackers entered random digits in response to requests for a Social Security number, according to published reports. Even with rudimentary verification, random numbers should have failed the test. Since the SSN itself contains information about when and where it was issued, it's statistically likely that any given string of nine random digits (and almost certainly some of the 35 nine-digit strings) would have produced an ill-formed, bogus SSN subject to a challenge and further investigation.
However, bank officials failed to detect the false Social Security numbers they had been given, according to Dennis M. Lormel, chief of the FBI's Terrorist Financial Review group, as quoted by The New York Times. The FBI declined to identify which bank or banks Lormel had referred to in the Times interview.
Although 14 accounts were opened at SunTrust branches in Florida, the documentation presented at account opening by the foreign nationals did not include SSNs, fake or otherwise. "We followed standard account opening procedures," said spokesman Barry Koling at SunTrust Banks, Atlanta. "They had proper documentation and we ran it through the proper checks."
That's one reason that fortifying the financial system requires more than just keeping better track of SSNs.
Just as improvements in intelligence, visa issuance, flight school monitoring, airport security and cockpit protection have sharply curtailed the hijacking threat, stronger identity verification during the account opening process will make it far more difficult for terrorists to find or exploit weak links in the financial system to fund their activities.
To start, laggard institutions must catch up with industry best practices. For example, branch systems from Alltel, Little Rock, Ark., can perform name and Social Security verification at account opening through either ChexSystems, Dallas, or NCPS, Rockland, Mass. "If a discrepancy is found, the user has the opportunity to end the sale pending further investigation," said Mike O'Malley, product manager for Alltel's Service Delivery suite. "We've had that feature in the product for over five years."
Yet the extra cost associated with verification may have been viewed as unnecessary for low-margin accounts. "The know-your-customer rules were taken quite seriously in lending procedures and with securities and investing-type relationships with consumers, but banks didn't see huge risks in opening a checking account," said Dennis Behrman, analyst at Meridien Research.
Soon, the expense of checking SSNs, at least, will become a moot point. In July, the Treasury Department announced a joint effort with the Social Security Administration to build an online SSN verification service for financial institutions.
But the service might only have limited benefits. "We will either tell you a SSN and name match with our records, or we will say that it doesn't match with our records-we don't go any further," said Kurt Czarnowski, regional communications director for the Social Security Administration in Boston.
Banks will therefore have to continue to rely on third-parties to confirm a customer's identity. Indeed, LexisNexis has become the preferred provider of public records to the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), and has also been working closely with the American Bankers Association on USA PATRIOT Act compliance.
Some advocate adding a private component to public data. "One possible way to provide broader protection against illegal use might be to establish a PIN for the Social Security number," said Sen. Chuck Grassley, R-Iowa, in a statement to the Senate Finance Committee. "Just like an ATM card, a lost or stolen Social Security number would be useless to the criminal without the PIN."
The SSA already uses PINs for certain applications, such as for address changes by current benefits recipients. "We are exploring the use of PINs and passwords for people to have online access to ever more direct services," said the SSA's Czarnowski.
Furthering the concept, industry participants envision PIN verification between the SSA and potential creditors, an idea which could extend to other areas in banking. "While not foolproof, the methods currently employed by ATMs may bear review for potential use with SSNs," said Rob Evans, director of industry marketing at NCR, in Senate testimony. "Specifically, a SSN could function as the card, and a PIN assignment to the number would add a level of security."
Additional security could be garnered by using imaging technology to aid in the evaluation of foreign passports, visas, or driver's licenses. Although difficult to imagine a widespread deployment across all branches of U.S. depository institutions at this stage, some banks might find it worthwhile.
Eyeing an opportunity, Imaging Automation, Bedford, N.H., has begun marketing its document verification solution to financial institutions. The iA-thenticate platform, currently used by the INS and several European border control and police agencies, can test a standard identity document for its known refractory properties, capture its digital image, and check information against government lists of known or suspected terrorists. "There are some significant security features within those documents that are very difficult to reproduce," said Dalton Hall, senior director at Imaging Automation. "We can determine whether that document's been tampered with, doctored, or expired."