Identity fraud is on the increase.
And because technological advances make it easier than ever for fraudsters to access and use personal data, it is now vital to take stringent steps to authenticate caller identity and cut the risk of revealing personal information.
Principle 7 of the Data Protection Act 1998 requires that appropriate technical and organisational measures are put in place to protect the security of information (i.e. including who has access to if for example).
There is no clear answer to the number and nature of questions that must be used to verify the identity of an individual caller. This is something to be decided on a case- by-case basis, bearing in mind:
- the nature of the information held
- the potential damage that could arise from inadvertent disclosure of it
Where the information includes financial information, it is likely to be targeted by fraudsters, and the potential damage caused as a result of any disclosure is extensive. The level of protection it requires is therefore higher than for personal data less likely to be of value to fraudsters.
What does this mean?
The aim of authentication is to check the identity of an individual before granting them access to the information you hold about them, so the fundamental issue is to ensure you ask sufficient questions (i.e. in number and nature) to satisfy yourself that they are who they say they are.
The guidance I have read sets out various factors and good practice ideas that should be considered when deciding what measures should be put in place. I have extracted the main points that are relevant in this instance and set them out below:
- The questions asked should not relate to information that is available in the public domain, as this would be readily available to, and open to abuse by, fraudsters. Instead, questions should be such that only the individual who provided them knows the answers.
- Asking the individual to confirm their account reference number alone will not be sufficient, as it does not eliminate the risk of a fraudster accessing the agreement and pretending to be the individual named in it.
- The points above suggest it will not be sufficient to ask a single question, but that it will be necessary to ask a mixture of questions (i.e. individual agreement number, date of birth for example), the answers to which should be sourced from different locations. The number of questions that should be asked will depend on how specific the questions are and how likely it is that a third party could have access to them.
- Often, individuals communicating with financial institutions will do so from a limited number of locations, so additional identification techniques may need to be used; for example caller ID.