Original Story: wsj.com
Banks have hired armies of security experts to stop shadowy hackers from breaking into customer accounts.
Now, a top law-enforcement official says banks should also focus closer to home.
New York Attorney General Eric Schneiderman is urging big banks, such as J.P. Morgan Chase & Co., Bank of America Corp. and Wells Fargo & Co., to rein in their tellers’ access to some customer data and take other steps to detect potential misbehavior, according to a letter he sent to the banks Friday.
Mr. Schneiderman’s office continues to investigate numerous instances of tellers accused of stealing customer data and money, a person familiar with the matter said. While teller-fraud cases often get overlooked because of the small dollar amounts involved, Mr. Schneiderman and his investigators believe there are hundreds of examples going on across the country, the person familiar with the investigations said.
“Bank customers are still at risk,” Mr. Schneiderman wrote in the letter, a copy of which was reviewed by The Wall Street Journal.
Mr. Schneiderman also wrote that banks should be more alert to unusual activity by employees and report suspicious conduct to authorities.
In addition to Bank of America, J.P. Morgan and Wells Fargo, the letter was sent to Citigroup Inc., Banco Santander SA, Capital One Financial Corp., HSBC Holdings PLC, PNC Financial Services Group Inc. and TD Bank. Most of the banks declined to comment. HSBC and TD Bank both said they are serious about protecting customer information. HSBC said it has “strict security safeguards” to protect customer privacy and is “committed to continually enhancing those safeguards as needed.” TD Bank said it offers “multiple layers of security protection against fraud and has tools in place to monitor for unusual or suspicious activity.”
While other agencies have carved out niches investigating money laundering or interest-rate rigging, Mr. Schneiderman in recent years has focused among other things on tellers and other low-level employees allegedly stealing customer data.
The initiative, internally named “Operation Pen & Teller,” a play on the magician duo Penn and Teller, underscores that banks’ regulatory risks extend beyond the billion-dollar penalties for mortgage abuse and consumers’ risks go further than sophisticated cyberattacks.
In Mr. Schneiderman’s investigations, tellers often first search a customer database for people with common names and high balances. Then, they use the customers’ Social Security numbers and other personal information to withdraw cash from other branches. They also at times use the stolen information to create fake identification documents.
Mr. Schneiderman’s office last year announced the arrest of five people whom it accused of running an identity-theft ring focused in Westchester County, N.Y. Three were tellers who had worked at banks including Bank of America, J.P. Morgan, TD Bank and Wells Fargo.
Mr. Schneiderman’s office said the tellers passed customer information to two accomplices. One used the information to create fake identification documents; the other arranged for people to impersonate customers across the New York City area, Connecticut and Massachusetts. The five stole a total of $850,000 by using the personal data of hundreds of customers, said Mr. Schneiderman. All five pleaded guilty; the ringleader faces up to nine years in prison.
The four banks reimbursed affected customers. J.P. Morgan, TD Bank and Wells Fargo notified the affected customers and offered free credit monitoring or similar services. Bank of America declined to comment on the details of its response.
A report last year by Mr. Schneiderman’s office found that “insider wrongdoing” such as the tellers’ crimes was the No. 3 cause of data breaches in New York, behind hacking and lost or stolen equipment. The report analyzed the data-breach notices that the attorney general’s office received from 2006 to 2013.
In the letter, Mr. Schneiderman laid out what he saw as weaknesses in the banks’ protocol for protecting customer data from ill-intentioned employees and his suggestions for improvements.
For example, Mr. Schneiderman said his office had found that in many cases, tellers had “unfettered” access to customers’ account information. He suggested limits, such as allowing a teller access only to customer accounts in the local area, unless a supervisor gives permission.
Mr. Schneiderman said much of the wrongdoing could have been caught if the banks had noticed and shared red flags, for example an employee accessing an unusually large number of accounts or looking up accounts without dealing with those customers.
He added that the tellers or co-conspirators who accessed stolen data would sometimes call the banks to ask about an account. A potential red flag: They would sometimes call about multiple, unrelated accounts from the same phone number.
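The red flags described above (account lookups with no matching customer interaction, an unusually large number of accounts accessed, and one phone number asking about several unrelated accounts) can be written as simple checks over access, transaction and call logs. The following Python code is an added example, not part of the original article or of any bank's system; the record layouts, thresholds, function names and sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

T = datetime.fromisoformat
# Constructed sample records (not real data): (teller, account, lookup time).
LOOKUPS = [
    ("t1", "A1", T("2024-01-08T09:00")), ("t1", "A2", T("2024-01-08T09:30")),
    ("t2", "A3", T("2024-01-08T10:00")), ("t3", "A4", T("2024-01-08T10:05")),
    ("t3", "A5", T("2024-01-08T10:06")), ("t3", "A6", T("2024-01-08T10:07")),
    ("t3", "A7", T("2024-01-08T10:08")), ("t3", "A8", T("2024-01-08T10:09")),
    ("t3", "A9", T("2024-01-08T10:10")),
]
# Teller-window transactions: evidence that a customer was actually served.
TRANSACTIONS = [
    ("t1", "A1", T("2024-01-08T09:02")), ("t1", "A2", T("2024-01-08T09:33")),
    ("t2", "A3", T("2024-01-08T10:04")), ("t3", "A4", T("2024-01-08T10:06")),
]
# Inbound phone inquiries (caller number, account) and account -> customer map.
CALLS = [("555-0100", "A5"), ("555-0100", "A7"), ("555-0100", "A9"),
         ("555-0199", "A1"), ("555-0199", "A1")]
OWNER = {"A1": "c1", "A5": "c5", "A7": "c7", "A9": "c9"}

def unserved_lookups(lookups, transactions, window=timedelta(minutes=15)):
    """Accounts a teller looked up without serving that customer nearby in time."""
    served = defaultdict(list)
    for teller, acct, ts in transactions:
        served[(teller, acct)].append(ts)
    flagged = defaultdict(set)
    for teller, acct, ts in lookups:
        if not any(abs(ts - s) <= window for s in served[(teller, acct)]):
            flagged[teller].add(acct)
    return dict(flagged)

def volume_outliers(lookups, factor=2):
    """Tellers whose distinct-account count exceeds factor x the peer median."""
    seen = defaultdict(set)
    for teller, acct, _ in lookups:
        seen[teller].add(acct)
    base = median(len(a) for a in seen.values())
    return {t: len(a) for t, a in seen.items() if len(a) > factor * base}

def shared_caller_numbers(calls, owner, min_customers=2):
    """Phone numbers used to ask about accounts of several different customers."""
    by_phone = defaultdict(set)
    for phone, acct in calls:
        by_phone[phone].add(owner.get(acct, acct))
    return {p: c for p, c in by_phone.items() if len(c) >= min_customers}
```

On the constructed data, teller t3 trips both the unserved-lookup and volume checks, and the number 555-0100 is flagged for asking about three different customers, while a repeat caller about a single account is not.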
The state official also complained that, when the banks did question tellers, many of them would resign. The bank would then close its investigation, Mr. Schneiderman said, and the teller would find employment at another bank.
Mr. Schneiderman’s letter asks the banks to implement his suggestions and to contact his Criminal Enforcement and Financial Crimes Bureau for further discussion.