ID Theft: SARs On The RiseIdentity Theft Reports Jump; Most Attributed to Family
John Summers, a project officer at FinCEN and a lead in FinCEN's report, "Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports", says ID theft perpetrated by family, friends and business partners ranked No.1 among SARs filed by U.S. depository institutions in 2009. "In 27.5 percent of the filings, this was the highest," he says. "It basically means someone close to them was getting access to their files and using their information."
Summers says only 3.5 percent of the ID theft incidents reported in SARs related to computer viruses and Trojans, such as Zeus. For vishing and phishing, the incidents reported were even fewer. "The only ones I found were in new data, and it would only come out to .15 percent," he says. "That does not mean those types of attacks did not occur and account for theft and losses. It just means that the victim was not aware and did not report it as a phishing (or vishing) attack."
ID theft incidents are getting a lot of attention these days. FinCEN has been tracking ID theft since 2001, but incidents of reported ID theft cases have steadily increased over the decade, with relatively significant increases cropping up in SARs in 2008 and 2009. The study released this month is the first to focus solely on ID theft. "As the numbers increased, the study became of interest," Summers says.
ID theft is a crime facilitator, he adds, which is why it's critical to adequately track it. "People don't steal identities just to steal identities," Summers says. "They do it to commit a crime and get the money."
SARs: Tracking ID TheftFinCEN added ID theft as a characterization of suspicious activity to its depository institution SAR form in July 2003. In May 2004, FinCEN added ID theft to its securities and futures industries SAR form.
The study notes the increase in ID theft has been reported by other federal agencies as well. In November 2007, the Federal Trade Commission published study results that gauged the impact ID theft has on the general public. In April 2007, The President's Identity Theft Task Force released a report on ID typologies and their scope, and also listed potential remedies to reduce the number of ID theft incidents. And the U.S. Department of the Treasury, federal banking agencies and the FTC jointly issued the Identity Theft Red Flags Rule, which took effect in November 2008.
In the FinCEN study, of the 372 depository institutions reviewed - a mix of banks and credit unions of varying assets sizes - the majority of ID theft incidents, not surprisingly, were reported by the largest financial institutions.
Identity theft was the sixth most frequently reported characterization of suspicious activity, trailing money laundering, check fraud, mortgage-loan fraud, credit-card fraud, and counterfeit-check fraud. In the study, FinCEN defines identity theft as involving the theft and misuse of unique identifying information, such as financial account numbers, depository accounts, investments, loans, credit cards, online payment accounts, officially issued federal or state identification documents, and biometric information.
Impersonation of an actual person without consent also fell into the ID theft definition, whether that impersonation occurred in-person or through an electronic form or other medium.
The most important takeaway from the study, Summers says: The narrative section on the SAR, which provides the most critical information. "It is very key to the analysis," he says. "Since we added the identity theft box in 2003, we've used the narrative to tell law enforcement what happened; and the more information the banks can provide in the narrative, the more the regulators and law enforcement can do."