07 March 2008, 18:57

ID fraud - the top 25 leaky institutions

Research by the University of California has identified twenty-five American corporations that top the bill for customer complaints about ID fraud. Data obtained from the Federal Trade Commission under the US Freedom of Information Act reveal just how leaky financial services companies can be. Nevertheless, in terms of raw complaints count, Chris Hoofnagle of the Berkeley Center for Law and Technology found that a small proportion of even this top 25 dominate the field. Bank of America/MBNA came top for raw complaints count, accounting for 7.24 per cent of all complaints in the 2006 sample: almost half as many again as the nearest contender, the AT&T group. Despite some high profile instances of identity fraud in the past, eBay/PayPal came near the bottom of the list at 0.83 per cent of the total complaints. Several ISPs feature in the top 25: notably T-Mobile and Comcast, but banks clearly outperform them in the leakiness stakes, and it seems that in general the larger the bank the more it tends to leak. The one exception to this proved to be HSBC, which had an estimated 20 per cent more incidents per billion dollars deposits than Bank of America/MBNA. However, the relative size of the two banks tends to disguise the real scale of the problem. Whereas HSBC averaged 190 complaints per month, Bank of America/MBNA averaged 1117.

The Berkeley research paper expresses caution in presenting these findings, stressing that they represent a small arbitrary sample of the complaint space: data were analysed only for three randomly selected months in 2006. This limitation was apparently due to delays associated with disclosures under the Freedom of Information Act and restrictions imposed by the Federal Trade Commission to facilitate managing the very high potential volume of raw data.

The FTC itself reported in 2007 that almost 10 million US citizens fell victim to ID fraud in the previous year, the total losses amounting to $47.6 billion. The agency made a distinction between misuse of existing accounts and all other causes including the fraudulent creation of new accounts. Some 67 per cent of incidents targeted existing accounts but resulted in just under 30 per cent of the monetary losses.

The Berkeley paper draws attention to weaknesses in the complaint procedures that result in anecdotal reports with a significant amount of ambiguous information that had to be aggregated and in some cases eliminated from the sample. It points out that other sectors in addition to financials, notably public utilities, may well show similar patterns and indeed scale of ID fraud. The author proposes that better reporting mechanisms be implemented, citing previous work that assesses current reporting in detail and proposes concrete improvements.