This article is adapted from my company’s Learning Library, a source of honest insights on a range of industry challenges, products, and opportunities. It’s an estimated 13 minute read. There are two reasons why I’m cool with sharing this article here:
- I wrote the original.
- The Learning Library isn’t about selling, rather informing, just like here!
Your members have certain expectations of their credit union. A robust checking account. An easy place to accumulate savings. A destination for needed loans. And that’s just the big picture. Even more basic assumptions include:
- Money I deposit will be safe
- The amount I see is the amount I have
- If someone steals from my account through ID Theft or fraud, the institution will make me whole
Are any of these going “too far”? I think we can agree they are universally held expectations. Yet you know financial theft is on the rise, and now may be wondering: “If we make them whole, who makes us whole?”
Great question. And it goes in line with what brought you here: Should our credit union provide ID Theft/Recovery Solutions to account holders?
Since it’s happened to my family (and millions of others), and it sucked, I’m on the side of, “Yes!”. My company offers this as a service through Value-Added Checking (that link goes to a description of the concept, not a product page). It’s something my company cares about deeply, so I feel obligated to share the details with you. Then, after reading, you can determine if some sort of protection makes sense at your credit union. Below, I’ll illuminate some surprising findings about digital theft and what it means for your credit union.
First, let’s look at the realities of financial theft.
Hacks Happen. A Lot.
With more of our lives saved “in the cloud”, the amount of personally-identifiable data on any of us increases daily. Each new service (supposedly) makes our lives easier and more connected. Unfortunately, that also means those who would do us harm have a lot more information to use. It’s not like I’ve ever written about the dangers of bad passwords or anything…
In the Identity Theft Resource Center’s (ITRC) 2017 Data Breach report, they found what you would expect. Breaches are up. A lot. In 2017, 1,579 data breaches exposed nearly 179 million records. If that sounds like a huge number, you’re not wrong.
That’s a 44% increase in number of breaches and a mind-boggling 389% increase in records exposed!
2017 was a big year for data breaches. Yet it pales in comparison to 2018. In just the 10 major corporate hacks, almost 2 billion (non-unique) records were exposed.
And Then There Was Equifax
Who can forget the infamous Equifax hack of 2017? In one of the most darkly ironic hacks ever publicized, one of the top credit bureaus lost control of their information. The very company whose business model it is to protect people’s most sensitive personal information. And then, Equifax handled it with the grace of a puppy tumbling down a pile of freshly washed laundry, without all the cuteness.
In a scene reminiscent of an old Seinfeld episode, Equifax took their time even admitting to the hack (and changing the story of its extent numerous times). Then, they set up a special customer assistance web page. Except, they didn’t use their own trusted domain. Nor was it signed with their normal security certificate. And it asked for your social security number, in a mind-boggling faux-pax of internet security practices.
In fact, it looked suspiciously like a phishing site.
So, predictably, within hours, hackers had cloned the support page, and did so well even Equifax staff were forwarding affected customers to the fake site! (Where new groups were able to steal more customer information, thus making the hack even worse)
Things didn’t go well for the vast majority of us whose personal information was now…somewhere.
Is Getting Hacked Inevitable?
Are you connected to the internet in some way? Then, unfortunately, yes. Experts agree it’s not a matter of if, it’s a matter of when. In fact, I was at a credit union industry conference where security had a top focus. Every security expert present offered the following advice: “Have a security breach plan. It’s going to happen. It’s going to stink. But when you have a plan in place, at least you can mitigate the damage faster.” Needless to say, upon hearing these speakers, the room filled with clackering teeth and nervous tics.
As a financial institution, you possess two things which thieves love:
- Personal information of people who may also have money elsewhere
So they’re going to try and get in. How does that affect your account holders and institution? And what can you realistically do?
Meeting Customer Expectations While Protecting Your Own Interests
Like it or not, when a member or customer’s account is breached, it’s going to take resources and dollars to rectify. And guess who pays? Let’s watch it play out.
Remember that plan we mentioned above? Now’s the time to put it in action. Your account holders expect you to handle it and make everything right again with their financial situation.
Of course, you know it’s not always easy, nor is it that simple.
There are two ways your customers can experience losses:
- Individual account is compromised.
- Financial institution’s systems are compromised.
From the perspective of your members or customers, they don’t care what happened; they just want access to their money (see Basic Assumptions from the beginning). If hackers gained access to just a single account, you can lock it down and assist the account holder in resetting passwords, replacing cards, and anything else necessary, as well as reimbursing for lost funds. Keep the idea of reimbursement on the back burner for just a moment.
If it’s not a single account, but rather, the entire financial institution system, the effort needed to get back to normal can be substantial. (Another piece of wisdom from that industry conference: Getting everything back to 100% takes longer than your IT team estimates. They’re working hard; it’s just a lot to do!) Expenses and staff time can pile up as the direct effects of a hack make themselves known. Recovering from backups or other systems adds time and money to an already stressful process for all involved.
After a lot of hard work and cooperation, kudos to your team; the hack is behind you all. Back to business!
Ah, but what about the actual monetary losses from account holders? Whether it was one or many accounts, the expectation is that the money was safe, thus, it has to return! According to a study by Javelin Research, mean fraud amount per individual is $1,038. Yet their total out of pocket loss averaged $48.
No worries, someone else pays…right?
We’re Covered, Right?
No. The buck stops with you. Most institutions write off the dollar losses of breaches and fraudulent access as a “cost of doing business”. While Federal Regulations do protect account holders, liability shifts to the corresponding financial institution.
So how much might you need to pay? Under the Electronic Funds Transfer Act, account holders’ losses are limited based on when the error or fraud gets reported:
- Within two business days, account holder loss is $50.
- Within 60 days, account holder loss limit is $500.
- Past 60 days, the account holder will probably be out the money and any overdraft fees incurred as a result.
Remember the average out of pocket loss was $48. Your financial institution makes up the difference (and often ensures the account holder suffers no losses at all).
And, of course, there’s insurance (or special bonds) to protect you as well. Except… it’s rare for it to apply. According to bank execs we spoke to during research for this article, the deductibles on this coverage are typically much higher than the average account balance.
So your institution simply absorbs these losses.
Additional Costs of ID Theft
Beyond the hard costs of restoration for your institution and/or account holders, the additional “soft costs” of time and resources add up quickly. Things including:
- Assisting customers to restore their accounts
- The cost of issuing new cards
- The time your staff must take to ensure this happens smoothly
Plus, since identity theft affects a wide range of an individual’s life data, there is work involved contacting law enforcement, social security, DMV, loan-holders, and other agencies.
Becoming “Numb” To Financial Security
“Comfortably Numb” is more than a great song. It’s also how many people view protecting their personal information. With massive breaches and individual hacks now a regular occurrence, the general public is more indifferent to them than ever before. In fact, an Experian survey indicates consumers may actually be making it even easier for thieves:
While 84 percent of respondents acknowledge being concerned about the security of personal information online, nearly two-thirds (64 percent) agree it’s “too much of a hassle to constantly worry about securing personal information online.” The majority say staying on top of financial transactions is a challenge (53 percent), and nearly half (48 percent) don’t even check their credit reports regularly for errors or suspicious activity.
So if your own account holders are more vulnerable than ever to these losses, yet the money lost is overwhelmingly borne by your financial institution, what can you do?
Should financial institutions offer ID Theft insurance?
That’s a question only you can answer. Before you do, let’s first look at:
- What ID Theft Insurance Covers
- What ID Theft Insurance Does Not Cover
- ID Theft Insurance vs. Restoration
- Proactive vs. Reactive Coverage
- Costs of coverage
ID Theft Insurance
Thanks to Federal protections, average out of pocket cash loss is $48 to consumers. That’s why some organizations advise against the purchase of Identity Theft insurance. These services (such as LifeLock) offer coverages from $10,000 all the way to $1,000,000, yet, as research shows, these amounts of liability and losses are extremely unlikely. The real impacts for most are felt in the Restoration process.
ID Theft Restoration
2 billion accounts had personal information stolen. Much of that data was sold to criminal enterprises around the planet, where it is held for varying lengths of time (often to let the monitoring expire) before acting upon it. Depending on how much information is available, fraudsters may accomplish a full takeover or cloning of a consumer’s identity. That opens up a world of criminal opportunities, from new credit cards to pension and social security payment kidnapping!
The first step upon discovering ID Theft is a freezing of all applicable accounts. Recent transactions get reviewed, illuminating suspect transactions. Then, new account numbers (and cards) must be issued. And that’s just for one financial institution.
How many places do you have money saved or borrowed in some form? Each needs to be contacted, along with at least one credit bureau (to put a freeze on any credit inquiries or approvals). Take a breath, because we’re just getting started.
Now that immediate monetary accounts are secure, you need to reach out to law enforcement. Then the Federal Trade Commission, and even mortgage, rental, and utility companies. We’re talking any entity where a consumer has a business relationship.
I wish I were exaggerating. When my family member’s social security number was somehow exposed, not only did they find dozens of fraudulent charges on their credit card, they also saw unpaid bills from their power company for a residence that was not theirs. Yes, a criminal was using the stolen identity to (not) pay for electricity at another home! And this doesn’t include the dozens of new in-store credit cards and accounts at financial institutions unfamiliar to the family member.
Up to 1,200 Hours
Clear your schedule, because this could take a while. According to LifeLock, the average time spent fixing an identity theft issue is seven hours, usually over the course of a day, but up to a month. In extreme cases, people may spend up to 1,200 hours over the course of a year or more resolving identity theft problems. As a popular meme says, “Ain’t nobody got time for that!”
Needless to say, this can become a major source of anxiety, stress, and even time lost from work. As your account holder’s primary (or favorite) institution, they will be looking to you for help. What do you have to offer?
Much of this lost time and resources (for both the people affected and your institution) can be avoided with a proactive, resolution-based ID Theft insurance system. How?
What’s the difference between Proactive and Reactive?
I’ll answer with another question: What’s better, dealing with fraud after it happens or just stopping it at the first sign of a problem?
Not a difficult answer. Stopping fraud before it causes problems is the objective of Proactive programs. Monitoring tools run 24/7, catching suspicious activity as it happens, then notifying the individual through text message (SMS), e-mail, and even phone alerts in the moment. This prevents most damage from taking place.
A Reactive program simply provides tools to check credit bureau reports and other personal information, along with a variety of tips on keeping their personal data safe. With no constant monitoring, a problem gets discovered because something already went wrong, making restoration a greater challenge.
No matter which coverage an individual has, both provide assistance in the event of fraud. However, the degree to which they get you back to normal depends on the naming: “Restoration” or “Resolution”.
Which is better? Resolution or Restoration?
This is a trick question, right? Unfortunately, it’s not. While both work towards the same outcome, each have a unique approach.
The Resolution approach is more DIY and generally includes advice and a step-by-step process for the consumer. There is no dedicated person at the company assisting, however, they may offer customer service to answer questions.
With Restoration, the affected individual works with the ID Theft insurance company. Typically, a specialist gets assigned to their case, and that person will help them with the legwork…the calls, communications, and paperwork necessary to ensure their identity is fully restored.
No matter which approach a person chooses, costs incurred by them during the process can be reimbursed by the insurance company (up to stated limits).
What Does ID Theft Insurance Cost?
As we covered above, premiums can vary greatly depending upon the coverage chosen: whether it is Proactive or Reactive, if it is for Restoration or Resolution, and what the limits are.
LifeLock, the largest of the retail ID Theft Insurance providers, prices their plans between $9.95 and $29.95 per month (increasing after the first year).
Due to the importance of having as many account holders covered as possible, over 600 financial institutions currently integrate ID Protect (Full disclosure: My company offers this product.) into their Value-Added Checking. This is blanket coverage, available at a fraction of the cost of any retail plan, and is generally part of a revenue-generating benefit bundle tied to your account holder’s checking account.
What ID Theft Insurance Does For Your Institution
- Relieves hard and soft costs to your institution
- Helps prevent instances of fraud
- May shift restoration responsibilities to insurance company
To me, ensuring your account holders have peace of mind is well worth the effort. Plus, your own institution saves staff time and money. Also, if you offer it as part of a Value-Added Checking program (whether it’s provided by my company or someone else), it helps differentiate your credit union.
Learn Even More
My company has a Learning Library where we discuss this and other topics. Think of it like this blog, except with more detail on your products, better answers, and fewer (blatant) geek references. I’m here to help illuminate challenges to credit unions. The Learning Library dives deep into everything so you get honest insights without jumping site to site.