Editor: How big is the problem of identity
theft?
Knapp: Identity theft is a tremendous problem. Victims of
identity theft can spend years clearing the damage to their credit rating
resulting from the false transactions that took place using their names. The
financial loss to the institutions involved can entail millions of dollars.
I
recently saw an estimate that worldwide identity theft has resulted in the loss
of $221 billion, with $74 billion directly related to U.S. citizens.
Editor: Please give an example of how a corporation's identity
can be stolen.
Knapp: In one recent case, a corporate account
was opened with checks, each in the amount of hundreds of thousands of dollars.
Running the corporation's name through a national database, we found out that it
had a California address unlike the New York address used on the application.
Further investigation revealed that the corporation owned several office
buildings in New York. The checks were from the tenants of these buildings,
which had been stolen from a bank's lock box. After opening the account with the
stolen checks, the perpetrators planned to use debit cards or checks against the
stolen funds. We were able to put a stop to the scheme immediately because our
system of detection had become sophisticated enough to spot the
problem.
Editor: Why aren't the criminal penalties for identity
theft an effective deterrent?
Knapp: The typical bank robbery
involves a loss in the neighborhood of $1800. Prosecuted federally, the bank
robber will receive a sentence anywhere from 10 to 20 years.
In
contrast, a typical identity theft involves a loss in the range of $70,000 to
$100,000. It is almost impossible to track down and prosecute. If caught, the
identity thief is typically prosecuted as a white collar criminal and will
receive a sentence in the neighborhood of 18 months.
The point is that
identity theft is a low-risk, high-gain crime with a limited chance of
detection, identification and prosecution.
Editor: What is the
PATRIOT Act's framework for combating identity theft?
Knapp:
The Act requires financial institutions to use due diligence to detect, identify
and prevent identity theft and its related money laundering schemes. The Act's
definition of financial institutions is very broad. It includes money forwarders
within the informal system called HAWALA. This is the movement of money around
the globe through personal contacts used to avoid detection by the international
legal and regulatory community or any country's government tracking
cash.
Editor: What led to the "know your customer"
requirements?
Knapp: Credit card fraud is believed to be one of
the primary methods of financing terrorism throughout the world. Investigation
of the 9/11 attacks revealed that 15 of the 19 perpetrators had opened a total
of 37 checking accounts at one major bank and that all were opened using false
Social Security numbers that no one had verified. That is one of the reasons
that the PATRIOT Act requires that all financial institutions take positive
steps to verify their customers' identity.
Editor: Based on your
professional experiences, what procedures add efficiency to the process of
verifying a customer's identity?
Knapp: I served the FBI in
various investigative and management positions for 28 years. One of the
highlights of my career was serving as the supervisor of all organized crime
investigations for Nassau and Suffolk Counties in New York. In that role, I
supervised the investigation into the crash of TWA Flight 800.
Later I became
a corporate vice president and director of asset management for a major
brokerage house in New York City. There I detected and prevented significant
losses through identify theft in the opening of brokerage accounts.
My
success was based on a procedure I developed for scanning all of the firm's one
million accounts opened annually and verifying them using one of the largest
public record databases in the world. The system used the rules that I developed
to detect a false identity. Some of the most obvious include flagging any
mismatched or false social security number and any discrepancy between an
address or name on public record and the information on the application.
Editor: What role can corporate counsel play in addressing
identity theft?
Knapp: Most financial institutions have assigned
all responsibility for PATRIOT Act compliance to the general counsel's office.
As well as helping the corporation to address statutory mandates, corporate
counsel play an important role in identifying policies, procedures and practices
to detect, deter and investigate identity theft to help protect the corporation
from civil liability in the event a customer, supplier or employee brings a
common law action based on the corporation's handling of personal
information.
Editor: What practical tips do you have for
corporate counsel for dealing with identity theft?
Knapp: They
ought to establish procedures to verify the identity of clients that are opening
accounts or conducting financial transactions. Numerous public record databases
can be used with some rudimentary analysis to prevent identity theft. I did it
when I was working at a brokerage house using a simple procedure with three
analysts to review one million accounts. Our investment in detection and
prevention was not significant considering the exposure to potential
loss.
Editor: Please give us an example of an identity
theft.
Knapp: Several years ago, 15 men residing within one mile
of each other had their records stolen by a Social Security employee who sold
them to identity thieves. Fourteen separate accounts were opened by telephone
calls to branches around the country of the brokerage house where I was working.
The calls were all made on Holy Thursday, which was also the first day of
Passover, leading into a three-day weekend.
Before my system was
automated, all new applications were to be faxed to me if they were phoned-in,
walk-in or cold-call accounts. Only seven of the 14 branches followed my
procedures. Based on mismatched addresses, I was able to identify each
application that was faxed to me as fraudulent.
Seven branches did not
follow my procedures. One month later, going into the Memorial Day weekend,
those seven accounts each received a cashier's check for $3,500,000 with wire
instructions to wire $300,000 immediately to another bank for further credit to
a gold buying service. The scheme was to transfer the gold into each one of
these accounts and then to ship it overseas.
Six of those seven offices,
under another requirement of my office, faxed copies of the cashier checks to me
for clearance. I was able to determine that six checks were
counterfeit.
The branch that failed to do the first requirement of
sending in the application as well as the second requirement of sending in a
copy of the cashier's check, in fact, wired out $30,000 before the check had
cleared.
Then the branch found the alerts from my office to all my
branches warning about the plot. I sent the alerts because I had found out that
all the major brokerage houses in the country had been targeted. Over $100
million of fraudulent cashier's checks had been deposited into these brokerage
houses.
Thankfully, I tracked the funds that had been wired out of my broker
house's branch to an Internet back in Houston within minutes and was able to
freeze the account. The only thing it cost my brokerage house was $6,000 in
legal fees as we went through the process of getting the funds back. The
individuals responsible for this scheme were never
identified.
Editor: What lessons can be
learned?
Knapp: Corporate counsel need to be in the forefront of
helping their companies in developing policies, procedures and compliance
awareness to thwart identity theft. Knowing how the company interfaces with its
clients in establishing accounts and processing transactions, checkpoints can be
implemented at critical junctures to avoid substantial losses.
Automating the review system can help glean the potentially troublesome
accounts from the legitimate transactions. This leads to problems being resolved
quickly and also minimizes any disruption to the corporation's ongoing
business.
Having immediate access to the legal process for freezing an
account at another institution is also a critical element. This entails
maintaining good relationships with government enforcement agencies so that you
can call the right person when a crisis arises.
Editor: How
difficult is it to stop an identity theft once an account has been
opened?
Knapp: Once an account is opened, you are at the mercy
of the perpetrator. If the perpetrator has been successful in getting a phony
check on record, he or she can draw out good funds, even though bad funds went
into the account. One of the main vehicles for such schemes involves the balance
transfer checks that are sent unsolicited with credit card statements each
month. This area has grown into a huge problem.
The goal is to detect the
identity theft at its formative stage and prevent the account from being opened.
My entire approach was based on that principle.
Editor: How
does a perpetrator avoid detection?
Knapp: The perpetrator must
have a mail drop to prevent the victim of identity theft from learning about the
fraud. If the perpetrator successfully establishes a mail drop without being
detected, then he or she will initiate a transaction. With each step, the
perpetrator monitors the steps that the financial institution is taking in
response. The perpetrator can abort at any point and avoid detection. Most
institutions want that to happen because they don't want to be in the business
of law enforcement.
I would encourage financial institutions to take an
active role in investigating any planned scheme, even if it has been aborted. If
financial institutions do not take the initiative, the perpetrator is likely to
try again in hopes that the guard will be down.
Published January 1, 2004.