Preventing Data Theft at the Branch Level

In the wake of highly publicized cyber-breaches, such as the data theft from 34 European banks in July, bank management may be more focused than ever on security threats from outside the bank. In fact, based on a March 2014 survey, cybersecurity is the number one risk concern of more than half of U.S. bank directors.

At FMSI, we believe this attitude, while valid, may be putting banks at risk in other ways. Certainly, data and financial security is crucial in cyberspace. Yet, statistics show that major threats still lurk inside and around the branch as well. Let’s look through the data.

Data Loss by the Numbers

In Verizon’s 10th annual Data Breach Investigations Report, a collection of more than 63,000 security incidents contributed by 50 global organizations engaged in security monitoring or prevention, financial institutions topped the charts in terms of data breaches. Out of 1,367 security incidents with confirmed data losses, financial institutions suffered 465 – more than the next three hardest-hit industries combined. This report also found that for the financial industry, cyber-activity (specifically, web app attacks) led to the largest percentage (27%) of security incidents.

But here’s where it gets interesting. Among security incidents that financial institutions experienced, payment card skimmers, insider misuse, theft and miscellaneous errors accounted for 37% of security incidents combined. In all of these categories, a bank can often mitigate those risks at the branch level.

For example, consider insider misuse, theft and miscellaneous errors, which together account for 15% of security incidents. Eliminating as many manual, paper-based processes as possible can be very helpful in dealing with those threats. Although some banks cling to the notion that paper recordkeeping is safer than digital storage, digital technology is actually the most secure option – when it is protected by appropriately robust security mechanisms. Digital data storage also gives banks a leg up in mitigating “old-school” risks such theft by deception.

Among the security incidents caused by miscellaneous errors, the Verizon report cited such problems as sending files out to the wrong individual or address. When branch data, such as lobby sign-in information, customer service assistance sessions and other information-gathering activities are protected by systems that do not allow random access to personalized information, the opportunities for misuse, loss or error regarding data within the branch is greatly reduced.

Similarly, insider misuse becomes more difficult when customer information is properly secured and access restricted. This is true, not only for insider misuse that leads to data theft, but also for incidents of fraud and embezzlement. As documented in an anti-fraud manual from the FDIC, insider abuse accounts for more than half of all fraud and embezzlement cases closed by the FBI.

One of the warning signs of fraud cited by the manual is, “Insider keeps an unusual number of customer files in his/her office.” When banks implement technology that enables them to maintain all transaction, customer assistance and personal data digitally, the need for “customer files” is eliminated and auditors can quickly see when and by whom all access occurred.

Furthermore, digital data collection supports data analysis that banks can use to mitigate problems ranging from suspected in-branch identify theft to careless or inconsistent personnel behavior. In one example of a bank with which FMSI worked, implementation of a digital lobby tracking system, integrated across all branches, enabled the bank to thwart attempts at identity theft. When a customer service representative became suspicious of an individual trying to open a bank account and denied the person’s request, the “customer assistance” component of the lobby tracking solution stored the information. Subsequently, the individual attempted the activity at another branch and was caught there, as well, thanks to the previous visit’s record being available to authorized personnel. The bank continues to use this technology to check every new application to ensure other branches have not already flagged them as suspicious.

To thwart payment card skimming (22% of all financial institution security incidents in the Verizon report, with 87% occurring at bank ATMs), as well as other thefts and frauds, a beneficial risk mitigation tactic is to use technology-based platforms, such as in-branch video displays, to educate both staff and customers on potential risk factors. These include not only trending in-branch scams, but also suspicious activity that might be the precursor of a theft.

The media has reported numerous instances where alert bank customers reported on suspicious ATM activity, and because branch personnel were trained to communicate these customer comments to management immediately, criminals were stopped before they could install payment card skimmers and cameras on the bank ATMs.

Reputation Risk

One area of risk not touched on by most financial risk studies is the increasing risk of financial exposure and loss of reputation from fraudulent and criminal activities. Here, the branch also plays a role in risk mitigation. With identity theft on the rise, the majority of consumers now believe any entity involved in exposing their data, whether accidental or not, should be held financially accountable.

Even more importantly for bank risk, the U.S. Court of Appeals for the Eleventh Circuit earlier this year issued a landmark decision by approving a settlement for victims in data breaches that were not able to prove direct harm (financial losses or identity theft). After hearing the case on appeal, the federal court remanded the case back to the district court that had dismissed it, allowing several of the claims, including those pertaining to negligence on the part of employees, to remain.

Banks are also being exposed to risk in their handling of identity theft, and other claims that customers make in person at the branches. For example, an identity theft on which JPMorgan Chase & Co. improperly reported resulted in a Chase customer experiencing problems getting financing and opening checking accounts. Despite the fact that credit reporting agency CHEXSystems, Inc. also made some errors, because Chase personnel had failed to record certain details and take appropriate actions, the courts in a subsequent suit found that Chase’s behavior was negligent and had caused injury to the former customer (Rogers v. JPMorgan Chase Bank, N.A., 2012 U.S. District Court).

What likely began as a clerical oversight on the part of Chase was compounded by bad decision-making and improper recordkeeping at the branch level that resulted in a financial loss to the bank (and certainly lost them a customer). Had the bank been more diligent and had more effective technology in place for its recordkeeping, none of this might have happened.

As a result of these very real threats of liability due to bank staff handling of victims and their reports, management should implement every possible technology that can track and report on personnel activities, both as a whole and at the branch level, to ensure accurate and timely decision making and provide proof of appropriate action, if required.

Ms. Deen is chief operating officer of Alpharetta, Ga.-based Financial Management Solutions, Inc. (FMSI), which provides financial institutions with business intelligence and performance management systems for efficient branch staff scheduling and lobby management. She can be reached at [email protected]