I want to play a game with you, sort of like the compliance equivalent of the Rorschach inkblot test. I’m going to throw out a phrase and I want you to write down the first acronym that comes to mind.
Ready? Here we go……
1) Credit card numbers
2) Social security numbers
3) Bank account information
I’m betting most of you came up with the following answers:
1) PCI
2) PII
3) ?
I’ve been fascinated for a few years now as a regulatory compliance professional about how little attention one of the most significant risks remaining in the digital world receives anywhere in my industry. Everyone has gone absolutely nuts when it comes to credit card numbers. There’s a significant groundswell around personally identifiable information as is evidenced based on the growing number of state laws being passed to oversee such things. But try and find anything in the pipeline seeking to protect your bank account information in the public domain and there’s “ “ (aka crickets).
Earlier this month we celebrated a milestone event in our family and a fair number of gifts we received were presented in the form of personal checks. I had in my hands full name and addresses, bank routing details and individual account numbers from dozens of people at my disposal to do with as I pleased. And while I was honorable and simply deposited them (for some of my friends I apparently did so a little too quickly) the potential for fraud was huge. Consider that of the nearly two dozen companies I conduct business with each month (e.g. mortgage, car loans, utilities, etc), more than two-thirds accept online checks in lieu of credit cards. If you’ve never paid via an online ACH payment or check, all you need to do is provide the bank routing number (got it right there on the check), the individual bank account (got that too) and on occasion the name of the institution (but again, you have that right there in front of you). Really when you boil it down to bare essentials, it’s somewhat the equivalent of giving someone your credit card information on a piece of paper that than gets circulated through multiple touch points before it is completely processed.
It’s insane, it’s unnecessary and most of all it’s unacceptable, and I’m betting it’s the next big information security flashpoint in the banking industry.
One of my colleagues considers checks to be archaic and thinks they should be eliminated altogether. Another suggested that they should be protected exactly the same way credit card numbers are being handled these days courtesy of the PCI standard. I was thinking of something a little simpler to start with. Why don’t they simply eliminate printing the routing and account details and rely exclusively on barcode technology as a Phase 1 sort of exercise? It’s an embedded technology and while far from tamper-proof it would certainly eliminate the biggest exposure currently in existence. I’d like to think that my money is a little harder to access than by my simply writing a check to a local service company and having someone in their office copy down the details and use them to make an unauthorized purchase. It’s not likely they’d have a barcode reader and so that would be the first logical step to take.
But whatever steps the industry takes to remedy this problem, one thing’s certain: Something has to be done. At this point in the evolution of identify theft and online fraud, it’s not as if the oversight bodies can claim ignorance. They know that the criminal element continually pursues the lowest hanging fruit, and right here and now the exposure provided courtesy of the printed bank check is just about dragging on the ground.
It’s time for the industry to change and hopefully before this reaches epic proportions. Because if bank customers become afraid or reluctant to use personal checks as a method of payment, it’s going to become a huge problem for commerce in general. Considering where our economy is at the moment, I doubt we can easily withstand such an event.