By Alex Salkever Who needs a secret Swiss bank account when one with a reputable bank in the U.S. will do just fine -- and probably receive less scrutiny? That's the disturbing question raised by recent FBI disclosures that, more than a year before the September 11 attacks, the mass murderers opened 35 U.S. bank accounts -- 14 of them at SunTrust Banks -- simply by filling in random digits where the application forms asked for Social Security numbers. SunTrust says the accounts there were opened with proper identification and background checks, but they weren't opened with Social Security numbers. That leaves 21 accounts in question -- and lots of doubts about U.S. banking procedures.
The banks seem to have demonstrated precious little concern that anything was amiss. Yet, the accounts allowed the terrorists to move hundreds of thousands of dollars undetected.
SIMPLE CHECKS. It's very easy to say "there oughta be a law" in a time of heightened national security. But this is one case where a new legislation is very much in order. Banks and financial institutions -- largely exempt from liability under existing law -- should be held financially liable for breaches in their customer-screening policies.
No, I don't mean a slap on the wrist. I mean hit the banks and credit-card companies with heavy penalties for not cross-checking to ensure that people opening accounts are who they claim to be, not crooks and terrorists. Make it worth the banks' corporate while to get the information right in the first place.
What's the harm of letting someone open a bank account with fake information? The September 11 massacres may have been funded, in part, by cash funneled through these accounts. But such fraud was going on long before last fall.
TELLTALE SIGNS. Tens of thousands of Americans have been the target of identity theft, where massive debts have been run up in their names on phony accounts. In such cases, a person's credit can be ruined for years by what amounts to the economic equivalent of a drive-by shooting. Greater vigilance by financial institutions not only serves a national-security purpose but also an economic-security purpose.
Really, checking someone's identity against the truth isn't that hard to do. First, banks should be required to verify that the stated Social Security number actually exists. That alone would have tripped up the al Qaeda members when they were trying to open U.S. bank accounts.
Second, banks should be required to pull a credit report on every individual seeking to open a account, and they should use it to make sure that nothing is amiss. A big tip-off of malfeasance, for example, would be a recent change of address followed by a rash of account openings. That can be a sign of fraudsters who hijack credit-card bills, change the address of the statements, and then assume the identity of the rightful cardholder.
QUESTIONABLE APPLICANTS. Furthermore, banks should be required to ask a few simple questions of an applicant, questions that can be verified against a credit report. What was the person's last address -- and the one before that? Who holds the mortgage on the property? How many credit cards does the applicant have? The only way a terrorist or scam artist could know that information would be by pulling a credit report, something that can and does happen. But it obtaining such records requires a higher level of sophistication, so even those simple questions would trip up many fraudsters.
Banks and credit-card outfits also should be required to later contact the person listed on the credit report to verify the absence of fraud. An account representative at a conscientious financial institution might be surprised to find that, no, Mr. Smith hadn't applied for a new credit card. Better still, send a letter to both their old and new addresses. At least that gives the customer the chance to intervene and stop the damage before it spins out of control (see BW Online, 1/8/02, "How E-Mail Could Foil Fraudsters").
True, some banks have already adopted very good antifraud policies and screen applicants closely, checking all their information. But these steps need to be mandated by law.
UNWITTING ALLY. Clearly, there are financial institutions that still don't live up to their responsibilities. The reason is very simple: Penalties for failure to perform due diligence are minimal. At worst, a bank or credit card is defrauded out of monies. In the case of plastic, merchants take the loss -- not the card issuers. For bank execs, a new account is a new customer.
As the al Qaeda hijackers found out, banks that aren't diligent are among a terrorist's best friends. Ditto for those seeking to steal identities. The buck should stop with the banks and credit-card companies. An ounce of prevention, folks, is worth a pound of national security. Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column