Harvey, Irma and Equifax

Posted September 13, 2017 by Stephen D. Heckard in From the Experts.

Disasters come in all shapes and sizes. Over the past couple of weeks, we have experienced three massive disasters. Two from Mother Nature that could not have been avoided, and one disaster that was man-made, Equifax, that should never have occurred. I have never experienced a hurricane and I hope that I never do. I have been the victim of identity fraud so the Equifax news triggered an immediate reaction.

On Friday, September 8, my associate Darla Brogan, Senior Consultant at ProBank Austin, and I conducted a complimentary webinar “Top Technology Concerns for Community Banks” (Link Below). We discussed Fintech, Cybersecurity, Outsourced Services, Branch Transformation, and Vendor Management. It was obvious from the number of bankers that registered for this webinar that we had selected topics of interest. Following our presentation, we received many questions from viewers and most were on the topic of cybersecurity. A few questions were specific to the recent Equifax breach.

When I first saw the news about Equifax, it took my breath away. A near-nightmare for me was unfolding again. When I applied for a mortgage refinance loan six years ago, I discovered that I had been the victim of identity theft. A loan had been taken out in my name just three days before I filed the refinancing application! An obscure online retailer that offered credit through its website had approved a loan in my name for the purchase of nine video cameras. In discussing this with the company’s Fraud Department, I found that the video cameras were to be shipped to an address in Los Angeles. (I live in northwest Indiana.) After sleuthing a bit on Google, I was able to determine that the address was for a recently deceased woman.

The online retailer quickly searched its order database and found dozens of recent orders pending shipment to the same L.A. address. No doubt that these orders were all funded by fraudulent loans. Fortunately for me, the online retailer was able to cancel the order and no merchandise was shipped, and the loan closed. I had to deal with the aftermath. If my personal data was used again for other loans at other retailers, the whole cycle would repeat. I had to protect myself so I quickly researched what to do. I filed reports with all three credit bureaus, froze my credit, and contacted local law enforcement authorities (who could do little). Lucky for me, I caught this in time, otherwise resolution would have been much more difficult, time consuming and costly.

One of the questions was “What action steps do you recommend community banks take for the Equifax breach?” What a wonderful question! I responded that there was a Federal Trade Commission (FTC) website that could be shared with customers and I provided the link. After giving this question more thought, there is a lot more that can be done.

A community bank may wish to get out in front of this disaster to help their customers protect themselves. After all, this is a massive breach! I am sure that many of your customers were affected. The breach affected 143 million individuals. According to census estimates, there are approximately 323 million Americans; 247 million are above the age of 18 and this group is more likely to be in a credit database than those below the age of 18. The Equifax breach impacts 58% of all Americans above the age of 18 and probably a similar percentage has been affected at your bank. It is staggering! Just staggering!

What can your bank do to protect the financial well-being of your customers? Equifax provides a method to check to see if an individual is included in the breach; however, I have seen reports of varying responses for the same individual. When I checked I wasn’t given a response, but I was directed to their protection enrollment. Unless Equifax specifically reports that an individual is not included, they should assume that they are. Equifax will provide free credit monitoring for one year. However, there is concern that accepting this offer will limit an individual’s legal action in the future. Besides, the parties in possession of the breached data have access to a calendar I am sure. They know that its shelf life is greater than one year. Most of the breached data is evergreen, it never expires or changes. A debit card following the Target breach could be reissued. A breached Social Security number can’t be reissued - at least not easily. Birth dates and drivers’ license numbers were included also. The breached data will still be valid a year from now. Stronger action is required!

First of all, make sure that your customers know they are entitled by law to one free credit report annually from each of the three credit bureaus to verify that their current data is correct. In fact, there is an official website (Link Below) that facilitates retrieving the reports. It is rather simple, I did it this past weekend. Experian and TransUnion accept online requests and provide their reports immediately. Equifax, on the other hand, requires that you complete a form and mail it to them. Harrumph…

If someone suspects their information was breached, they should freeze access to their credit bureau reports. The FTC has a web page that provides instructions for credit freezes (credit bureau inquiries) as well as placing fraud alerts in the event that fictitious accounts were opened (Link Below). Individuals will need to unlock credit bureau access when applying for credit. There may be fees attached to filing credit freezes and unlocking them, which could vary by state. I am sure that Loan Departments will encounter the after effects of credit freezes in the years to come whether you share this information with your customers or not.

Finally, if your customers are victims of identity theft, there is a non-profit organization that provides no-cost assistance to victims of identity theft. The Identity Theft Resource Center (Link Below) is funded largely by corporate donations and this organization may be of great value to your customers.

There is one other consideration for your management team. When a customer calls in and asks for confidential information, how do you ask them to authenticate themselves? Would the information that your customer needs to provide be included in the breached data? If so, are you sure that your bank is disclosing confidential information to your customer or to someone posing as the customer? This question also applies to passwords and debit card PIN resets, and unfortunately, also to someone who ‘lost’ their PIN and needs to unlock a credit inquiry freeze at a credit bureau. The entire industry needs to rethink authentication techniques.

By now most Americans should be aware of the Equifax breach, however, many won’t understand the actions they should take to minimize the impact. As a community bank, you are in a unique position and have an opportunity to guide and protect your customers from harm. Consider reaching out to your customers and sharing this important information. Truly, an ounce of prevention is worth a pound of cure.

Let’s continue to keep family, friends, and associates that may be in areas impacted by Harvey and Irma in our thoughts. They are in survival mode. I doubt that they are concerned about the long-term impact of a breach after surviving these hurricanes. Let’s remember to reach out to them at a later date and share this information so they can assess their status and take protective action.

Top Technology Concerns for Community Banks Webinar Annual Credit Report Extended Fraud Alerts and Credit Freezes Identity Theft Resource Center