Changes in address, changes in risk management
Posted: March 23, 2008 Filed under: finance, risks, Security

This blogger recently updated his mailing address with two large financial institutions. Both residences were still in use, which allowed for receipt of the confirmation letters. As a general security precaution, it is standard practice to send a letter about the address change to both addresses. In case the change of address proves unauthorized, this gives the legitimate owner a fighting chance to realize something is wrong. The two letters revealed a difference in risk management:
Institution A had a chatty, verbose style congratulating the account-holder on the recent move – which was not the case here. “As an added safeguard, would you please take a moment to verify the address change you requested. New address: <…>” The letter was, interestingly enough, signed by Fraud Operations and concluded with good-luck wishes at the new address. (This being NYC, it’s understandable all the luck is necessary.)
Institution B sent a briefer, one-paragraph message, with phone numbers prominently shown in the upper right-hand corner. “For your protection the new address is not disclosed on this mailing. If … this change was made without your authorization, please visit …. or call the numbers listed above.”
Is printing the new address a security problem? If the customer moved, the new occupant at the same residence probably knows at least their name, because a ton of junk mail will arrive addressed to the previous, and sometimes even earlier, residents. Junk mailers seem to be slowest in updating their databases, probably because the data made its way there after going through a series of intermediaries. In other words, it is ancient. Learning their new address, on the other hand, is not as easy, unless there was direct interaction: for example, if the new occupants bought the house from the previous family, in which case the address was likely disclosed as part of the paperwork. But there are cases when one family member or person moves out on less than friendly terms, and wants to avoid being tracked.
cemp
Bank of America and know-your-customer
Posted: March 22, 2008 Filed under: finance, privacy

Financial institutions in the US are subject to know-your-customer regulations, which require them to verify the identity of customers. These rules are designed to identify money-laundering and terrorist network financing operations; in fact, some provisions derive from the PATRIOT Act. This is one reason opening a bank account requires government-issued ID and social-security number. Virgin Islands or Switzerland may be portrayed as havens for hear-no-evil, no-name private banking in the average Hollywood crime caper. The strict banking regulations make it unlikely they will be opening a US branch anytime soon.
But when it comes to a more basic notion of knowing the customer – such as having a clue about them before mailing out credit card offers – it turns out the banks could use some help. “Usted ha sido previamente calificado para una tarjeta de credito que podria ahorrarle dinero.” says the message visible in the envelope. Not a Spanish speaker? Neither is this blogger, but that would not stop Bank of America from sending an unsolicited, pre-approved credit card offer in Spanish. Twice.
In fairness, after opening the envelope it turned out to be bilingual: there were two copies. That is a good thing: from New York subways to product manuals, there are good signs that institutions are adjusting to the reality of a diverse America. More importantly both versions appeared to offer the same basic terms: it would have been blatant discrimination if the APR were higher on the Spanish offer for example. It is a small error, but indicative of the impersonal nature of credit. One would expect that with a cottage industry in consumer data-mining and extensive dossiers compiled on all US residents, a bank would be able to determine the primary language of a customer they are trying to solicit business from. BoA, or more precisely the random company where they outsourced the credit-card offer carpet bombing operation, did make a decision in putting one of the two variants first, visible in the envelope window. From their point of view the recipient is not a person with a language preference but a one-dimensional statistic, reduced to the FICO score.
cemp