Ranking Banks Based on Incidents of Identity Theft
posted by Daniel Solove
Chris Hoofnagle just released a new report entitled Measuring Identity Theft at Top Banks. In the report, he ranks the top 25 US banks according to their relative incidence of identity theft. The report is based on consumer-submitted complaints to the FTC where the victim identified an institution.
In a previous paper called Identity Theft: Making the Unknown Knowns Known, Chris argued that there should be mandatory public disclosure of identity theft statistics by banks. Since the financial institutions don’t currently release such data, we have no idea which institutions are being more effective at reducing identity theft than others.
For his new paper, Chris made a FOIA request last year to the FTC for two years of consumer complaint data. The FTC found it too burdensome to release two years’ worth of data, so “the request was limited to three randomly-chosen months in 2006, January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions were identified by victims.” Chris’s paper is based on an analysis of this data.
From the abstract:
There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.
This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section. The author welcomes constructive criticism, suggestions, and comments in an effort to shine light on the identity theft problem.
This is a fantastic endeavor, as more information on how institutions are protecting against identity theft is sorely needed. Chris admits that his study has some limitations and could be improved if financial institutions would supply more information to the public. But based on the information Chris could find out, this report is quite revealing. Hopefully, it will spark more transparency from financial institutions in the future.
Here is one of many charts in the paper. The chart below is of incidents of identity theft relative to the size of each institution.
February 27, 2008 at 11:06 am
Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)
Print This Post
Responses (1)
dcuser - February 28, 2008 at 11:41 am
I’m dubious of the value of raw ratios. I haven’t looked at the study, but it seems to me that it would be awfully important to control for or acknowledge two things that could throw the ratios way out of whack for some institutions:
(1) Banks with disproportionate credit card operations (including B of A, after its acquisition of MBNA), since credit cards probably account for the lions’-share of identity-theft incidents (the numerator of your ratio), yet are not associated with any increase in deposits (the denominator); and
(2) Banks that involve almost exclusively online consumer interactions (like HSBC), since the internet may be both the prime method of identity theft, and the prime way in which user laziness or error (using unsecured wireless; inadequate firewalls; using unsecure computers at internet cafes) causes the security breach that makes identity theft possible.
It simply doesn’t make sense to compare an exclusively internet banking operation with one where lots of the customers are little old ladies walking up to the window every month. Nor does it make sense to include credit card based identity theft. Unless the study acknowledges and deals with these problems, comparison between institututions has little value.
Leave a Reply