Sovereign Bank Branch Exposes You To Identity Theft As A Matter Of "Policy"

Concerned about identity theft, Seth had a fun time recently when he tried to get Sovereign bank to tell him why they need to record his driver’s license number when he withdrew $2.75. The teller kept saying, “It’s our policy,” but even when they finally showed the policy in writing, it only said “must record form of ID” and nothing about writing down license numbers.

    As the teller was completing my transaction, I noticed her copying my driver license number.

    “Excuse me,” I said. “Can you please not write that down? I’m not really comfortable with my driver license number being written on my withdrawal slip.”

    “I’m sorry, that’s bank policy,” she said.

    “Well, um, you saw my license. You know it’s me,” I said. “Why do you need to write down my license information? Identity theft is a really big problem these days.”

    “That’s our policy,” she said.

    “Can I see the policy? I’ve asked before and I’ve never seen it. It seems like every branch seems to have a different interpretation,” I said. “So I’d really like to see it.”

    At this point, the employee next to the teller, who turned out to be a customer service manager, decided to “help” with the situation…

(Photo: BOMBMAN)


    “This is our policy. If you don’t allow us to record that information next time, you can’t withdraw funds,” the manager informed me.

    I explained again that I didn’t see any reason to record this information since the bank now knew who I was. In addition, it was bad practice in protecting customers from identity theft. Before he could explain again that it was “policy,” I said I wanted to see the policy. In writing.

    This is when things became, well, pretty lame, in my opinion.

    After waiting for a bit, the manager produced some documents, which in a fit of apparent pique, he spent some time highlighting with a yellow marker.

    For a moment I actually thought I was going to be shown some piece of bank literature which plainly stated Sovereign’s policy, something I had carelessly discarded from my statement.

    But the manager handed me a sheet which said at the bottom:

    Must record form of ID.

    “This says you must record my form of ID,” I said. “Where does it say you have to write down customer’s license number? Or any other personal information?”

    “Sir, what if there was a problem with this transaction? How then would we be able to prove it was you?” said the manager.

    I was a little dumbfounded. “I guess you could have a policy where you carefully check the person’s identification,” I volunteered. “And then you could say, ‘We have a very strict policy of checking people’s ID.’”

    I didn’t want to mention that writing down my license number proved nothing or in fact that writing down my number could actually … well, you get the idea.

    I noticed the manager had taken back my copy of the policy. I said there was no point in going around in circles and asked for the policy back so I could complain.
    “I can’t give that to you,” he said. “It’s an internal document.”
    “How are customers supposed to know what the policy is?” I asked. “Is this a secret policy?”
    “I just told you,” he said.
    Again, I asked for something showing the policy so I could draft a complaint.
    “I can’t give this to you. What if we change it in two weeks?”

    Ah. I really felt like I was starting to understand why… I never seemed to understand Sovereign’s security policies. I noticed that the tellers were now whispering to each other and looking at me, so I decided to take my tinfoil hat and leave. But that wasn’t before the manager looked at me and said: “Sir, you have to trust us.”

    -Seth”

Seth is right to contest places unnecessarily writing down his personal information, and writing it down on an insecure document. Identity theft is rampant, and it’s thanks in good part to places like this asinine bank. — BEN POPKEN

Comments

Edit Your Comment

  1. etinterrapax says:

    We have to trust them?

    Thanks. It’s a really gray day out, and I needed that larf.

  2. Katharine says:

    And this point you withdrew all of your money and are switching banks right?

  3. mopar_man says:

    @Katharine:

    That’s exactly what I was thinking as I read this. That bank would get none of my business from that point on.

  4. GitEmSteveDave says:

    Except for the fact I have 500 checks for my Sovereign account due to a snafu on the part of the company I ordered them from (they sent me two batches after a ordering/verifying information mix-up, but I got the 2nd batch free, so a great deal. Stylechecks.com, BTW), and that I have a no minimum balance/directdeposit requirement, I would dump them in a heartbeat.

    In November, they sent me a whole new check card, along with a letter saying my # may have been compromised, and I had to switch to the new card , no choice. I check my account everyday, and have had no activity, so I called. The operator(sounded non-american) could offer no explanation of where the breach occurred. I went to a local branch, and they too were no help. So I had to go through all the pain of changing all my info online, and they still couldn’t tell me why.

    This is also why I have most of my money in better banks in better accounts.

  5. creamsissle says:

    On that note, the IRS instructs you to print your SSN on your check. I declined, and I’ll just have to hope that they can properly post my payment using address and name matching only.

  6. Ben Popken says:

    Yeah, and despite all the companies instructions, I never put my customer on my checks. Somehow they still figure out how to cash them.

  7. nightbird says:

    These indentity verifications are becoming increasingly blurred as to where the line is. I work in a medical clinic and talk to insurance companies all day, it’s all about HIPAA in the medical sector. The insurance companies now require enough information to select the relevant patient while mantaining the privacy of everyone else. Sometimes all I need to give is a name and date of birth, other times the insurance company wants every possibly piece of information I have (name, DOB, SSN, address, ect). This gets annoying when I’m transferred to multiple people and I have to give all of this information repeatedly. The real kicker is the few times I’ve requested information from the insurance only to be told “that information is private” after I’ve given them every possible proof of the patient I’m calling about. Thankfully I have a private office so random passerbys aren’t getting all of these details.

  8. SpyMaster says:

    The guy better be careful. Last time I complained about “policies” in a bank…possibly I got a bit loud…they threatened to have me arrested…

  9. mantari says:

    I invoke “credit union” for the automatic win.

    Who cares how many checks you have on hand. Is using up those checks really worth sticking with a bank you don’t agree with? As far as an account minimum, my credit union requires (actually, enforces) that I keep $25 in savings. Beyond that, they don’t care how much is in the account.

    Do yourself a favor and at least _check out_ and investigate what credit unions in your area you can join, and what their policies are. At worst, you lose a little bit of time in a day.

  10. Mike_ says:

    Your Driver’s License Number is not secret. In Michigan, at least, it can be calculated by anyone who knows your full name and birthday (month and day only). Look here.

  11. AlexPDL says:

    Boy do I hate Sovereign bank! So I opened a BankBoston account in Providence (while in college) and then moved to Boston. BankBoston bank SOLD its branches in Rhode Island to Sovereign. Next thing I knew I was being told that I was not a customer at BankBoston. Couldn’t use the ATM in Boston, couldn’t go to “my” bank. So I had to close “my” account in Providence. Of course Sovereign wanted a notarized letter saying that I wanted to close the account. I usually use my local branch notary in … you guessed it Boston!!! It’s so moronic I couldn’t stand it. I started internet banking that same month. That was 8 years ago… and people thought I was nuts.

  12. jitter says:

    Does anyone else think it’s odd that he was withdrawing $2.75? Was this a sting?

  13. chemman says:

    Not quite the level of personal info that is being asked for here, but this just reminded me of an issue I had with Home Depot over the weekend. I went there to buy some fixtures and turns out they didn’t have what I wanted so my total purchase came out to $2.89 (a few screws and bolts I needed), so I paid cash for it. After I handed her the cash, she asked me for my phone number. I inquired why she needed this and she said their system needs it for cash transactions in case there is a problem with the transaction or a recall they need to be able to get a hold of me. I don’t really understand what could go wrong after the fact with my “cash” transaction, and I’ll take my chances with the screws being recalled so I just made up a number instead of argue about it, since there was a long line.

  14. etinterrapax says:

    @Mike_: True in NH also. I still remember mine from when I had a NH license because it was so easy to figure out.

  15. MonkeyMonk says:

    Hell, as recent as 10 years ago Massachusetts used to use people’s SS# as their driver’s license numbers so it was printed right on the card along with your address, photo, etc. An identity thief’s dream.

    The video store I used to manage used people driver’s licence number as their customer number (which in turn was their SS#). What a database that must have been.

  16. cmac says:

    Drivers license numbers can be generated so they’re not top secret. Of course, I had to learn this the hard way by freaking out at a local hospital. I went to visit a friend in the maternity ward of a Memorial Hospital in Florida. Not only did they take my license, THEY ACTUALLY TOOK A PICTURE OF IT, and stored it in their computer for future use. They explained it was “for my convenience”. Thanks, but no. I was nice, I complained, I fought, I argued. Nothing. If I wanted to see the new baby, that was their policy.

  17. aikoto says:

    I’ve just about given up on preventing the data rape anymore. Stopping ID theft is more about preventing them from USING the data rather than from GETTING the data anymore.

    We need a good credit freeze law and we need them badly.

    http://www.jeremyduffy.com/top-issues/credit-security-free

  18. “Sir, you have to trust us.”
    In case that particular manager happens to read this I’ll try and keep my response in the single syllable range:

    NO WE DON’T!

  19. magic8ball says:

    @chemman: I have gotten that response at other places as well. I think that’s just what the employees are told to tell you if you ask. At one place where I paid with a credit card, the cashier told me it was “in case there was a problem with the transaction or the card gets left behind.”

    Usually they have some contingency plan for people who don’t want to give up their personal info; when they ask “Can I get your phone number?” I just say, “No,” and they put something into the system anyway.

  20. Seth_Went_to_the_Bank says:

    “Does anyone else think it’s odd that he was withdrawing $2.75?”

    I was doing laundry!

    Anyway, I should also note that in many states a merchant can NEVER write down your license or other personal information when you’re paying by credit card, for example. Although this doesn’t specifically apply to them, they should probably take it as a good hint that their policies have some serious issues to be worked out.

  21. UnStatusTheQuo says:

    It’s a bank. I put them right up there with furniture stores, used car lots, and the three credit bureaus as far as honesty goes.

    And yes, I have switched banks at least 8 times in as many years due to my distrust of them.

    Anyone know of a bank that doesn’t suck?

  22. FutureRoadie says:

    Isnt it ironic, when I clicked the link to read more, Microsoft warned me that this was potentially a phishing site and asked me if I wanted to continue, too bad I didn’t get a screenshot.

  23. eldergias says:

    If anyone talks to a manager like that again you should ask this: “Can I have your driver license number for my records so that I can verify that you were the person I talked to about this situation?” If they say no, tell them it is the exact same policy that the bank uses and that you just need to verify his identity, and that he should “trust you”.

  24. remthewanderer says:

    This reminds me of a recent internet purchase I attempted to make. I was attempting to buy $20 worth of back issue comic books. Rather than have my stupid mailman fold the comic books so that they fit through my mail slot I had the books shipped to my parent’s address.

    I received an email after I placed my order from the comic book shop asking me to fax them a copy of my drivers license, the front of the credit card I was using for the transaction, and a note stating that I authorize the charges.

    I asked why would I need to do all this? My CC company has both addresses on file as valid addresses. Their response that this was their policy when shipping to an address other than the billing address.

    They lost a lot of business from me……. douches

  25. Good for Seth for asking to see “the policy”. Most places, like this, are referring to an internal memo or verbal direction and have no actual documents to show the customers. I really laughed at “what if we change it in two weeks?”

    I was stopped recently in the DC Metro transit system for taking a photograph. The employee said that it was a policy ever since 9/11 that no photographs could be taken in Metro stations. I calmly asked her where this policy was posted and she got defensive and couldn’t produce anything. I wrote them about it and got a call back telling me that there was no posted policy but that employees were advised to watch out for suspicious behavior (which made more sense to me).

    But the representative that contacted me did admit that there had been absolutely no effort to inform customers of the fact and they maybe overlooked that critical step.

  26. arcticJKL says:

    mantari ,

    Yeah I tried my wifes credit union. They wanted to fingerprint me to open an account.

  27. humphrmi says:

    Ummm, is this a US Bank?

    This is our policy. If you don’t allow us to record that information next time, you can’t withdraw funds

    I’m pretty sure this is illegal. I’m fairly certain that once they have established your identity, they cannot deny you access to your funds. I’m pretty sure that is deeply ingrained in US Banking Law.

  28. phanie says:

    Urban Bohemian:
    The Metro employees decide for themselves what is the policy and what isn’t. Try using the bathroom sometime. They are supposed to let you, but more often than not they will tell you the bathroom is “for employees only”. They need a better handbook for employees and better signage for riders. Stand to the right tourists!

  29. jamesdenver says:

    Good comments. Just because someone gives you a form to fill in doesn’t mean you have to fill it in.

    I was at a new doctor last month for something minor and cosmetic. The “new patient” form requested my mom/dad complete life info, my work information, my SS #, DL #, and on and on.

    I filled out my name and address, and that’s it. As long as my insurances clears and I can pay the co-pay it’s none of their business unless it directly relates to the medical procedure I’m having done.

    Same with the bank – been there and refused. The clear checks are available for viewing by the original writer. My DL number is none of their Fing business.

    james http://www.futuregringo.com

  30. When I lost my wallet a couple of weeks ago, the bank was the only place that DIDN’T insist on writing my driver’s license number down on my checks.

    Although I already knew that to be the case with most places I was surprised when the small pharmacy I always go to insisted on it too. This is a store that doesn’t belong to a chain, got all my business as far as meds go, and I was in there almost every day (it’s near my job). Yet because I had to pay for a check I’m suddenly treated like I’m a criminal.

    Well guess what? The mail-order pharmacist may not be able to “see what’s wrong” with me but they also don’t insist on putting extra information on my checks. I’m never filling a perscription there again.

  31. Firemedic510 says:

    Regions Bank does the same thing. As an Information Security professional, I pointed this out to them (I am also former Regions employee). Deaf ears.

    Change banks. This is the only way they will ever figure this sort of thing out. Share with your friends and family.

  32. velocipenguin says:

    @MonkeyMonk:

    Massachusetts drivers still have the option of doing this; however, the saner among us check the box that substitutes a randomly generated number instead.

    Using SSNs on college IDs used to be standard practice as well, but I believe this was outlawed around 2001.

  33. unwritten07 says:

    “What if we change it in two weeks?”

    more like

    “What if we get sold in two weeks?”

  34. Seth’s story reminds me:

    Years ago when I worked at a Borders, we had to write down customers’ drivers license numbers on checks used for purchases.

    What other commenters have worked a register? Was it common practice for you too?

  35. Brie says:

    >after I’ve given them every possible proof of the patient I’m calling about. Thankfully I have a private office so random passerbys aren’t getting all of these details.

    @nightbird: I appreciate the effort. At my previous optometrist, I once arrived, checked in and was told by the friendly staff “Have a seat, we’ll be with you shortly.” A minute later I was zoning out with a magazine when I suddenly heard MY SSN being recited over the phone, to the insurance company, within full earshot of everyone in the waiting room.

    My insurance account number has changed since then, thank goodness.

  36. jamesdenver says:

    Yes – I’ve worked registers in the 90s and it was common to write DL #, phone #, and ask for social security #!!

    I’m sure businesses still write down DL #. But I haven’t written a check to a local retail business in years (thanks for debit cards).

  37. Crim Law Geek says:

    This might be a bit pie-in-the-sky, but couldn’t you just tell them you don’t have a driver’s license or ID with you (other than your ATM card). If they refuse to let you withdraw, sic the FDIC and/or Controller of the Currency on them. Baking-wise it’s a huge, giant no-no to prohibit people from withdrawing from their account.

  38. Buran says:

    @cmac: So why didn’t you just wait a few days until you wouldn’t have to put up with such BS? If you were asked “why didn’t you come visit”, explain. in detail. The more word gets around about identity-theft-prone businesses the sooner something will be done.

  39. Buran says:

    @jeremyduffy: Thankfully I’m moving to Florida soon (as soon as I find work there). Florida allows you to freeze your credit report, unlike my current state of residence (which has its head up its ass about so many things anyway).

    But you’re right. We need a NATIONAL law.

  40. MarkMadsen'sDanceInstructor says:

    I really think its great that financial institutions are responding to the wave of identity theft and stolen personal information recently by…….asking for even more personal information that they can lose like driver license numbers and fingerprints.

    This just goes to show what we knew already, banks hate you and me.

  41. Buran says:

    @jamesdenver: I had a doctor’s office ask for that just to schedule a consultation. I declined. The receptionist said that they could get it when I actually got to the consultation, which was a better answer. She understood when I explained my reluctance.

    In the end I had to go out of town that day, and also it turned out I didn’t need the procedure in question. So I’m glad I didn’t give them the info.

  42. B Tex says:

    I would like to post a comment on this, but first….I need to get you dl number

  43. faust1200 says:

    I have been authorized by the staff to break in with the following announcement. The Consumerist Forums have been created and we are releasing this info in a limited fashion for now. Visit: http://consumerist.proboards88.com if you want to be one of the first to witness this new chapter in Consumerist history!

  44. acambras says:

    @cmac:

    That doesn’t surprise me, since it’s a maternity ward. It seems like every year someone tries to swipe a newborn from a hospital. They’re covering their butts so that if a baby does go missing, they have the names and photos of everyone who’s been there. I hate to say it, but if they didn’t have that info, people would be “outraged” by the lack of security.

    BTW, earlier today I had to present a photo ID to enter the Connecticut State Office Building (affectionately known to many as the S.O.B.). I know the security guard (from a private security contractor) wrote my name in a log, but I honestly didn’t notice if he wrote down my DL #.

  45. GymLeaderPhil says:

    Most chain retailers use your Driver’s License ID number as an additional tool to prevent bad checks from being used. Simply blocking or locking out the MICR’s account and routing number placed on the bottom of the check in question will not prevent an individual from creating new accounts or cashing payroll/third-party checks when they are in debt to that merchant.

    When a check is placed through a register that reads the MICR (account, routing, and check numbers) it does not verify funds electronically as would a credit/debit purchase. The MICR only reads the numbers printed on the bottom and does not retain any other information (Name on Account, Address, Signature, etc).

    For most locations that cash personal or payroll checks they often times have to verify directly with the financial institution the check resides from prior to cashing.

  46. mac-phisto says:

    the stick in the mud is the patriot act & its interpretation by auditors & banking regulators. requirements to maintain a copy of photo identification supersede state laws that make it illegal. i don’t see why someone in this particular institution translates this into copying down the info on a withdrawal slip. if they need proof of your identity, they could just pull the still images from the security cams.

    this information should already be on file, so there’s no reason to copy it down. but i wouldn’t be too upset over it. that transaction slip is filed in a secure location per banking regulations such as the privacy act. per sovereign bank’s privacy policy:

    “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards, secured files and buildings, and limited access to your information by employees with a need to know to perform their job function.”

    in other words, trust them. if your identity gets stolen, sue the piss out of them.

  47. You-Me-Us says:

    Sorry about the timing of this comment, but when asked for ID, I have been known to whip out my state-issued handgun carry permit. It has my picture, name & address, and signature on it. And nobody ever wants to argue about it.

  48. @You-Me-Us: I need one of those!

  49. Seth_Went_to_the_Bank says:

    “that transaction slip is filed in a secure location per banking regulations such as the privacy act. per sovereign bank’s privacy policy…”

    Um. I’m sure you see in the newspapers how almost every day some bank, or credit card, or giant retailer, announces they’ve “lost” millions of customer information records.

    I’m pretty sure they all have very similar privacy policies.

  50. emax4 says:

    @eldergias:
    If anyone talks to a manager like that again you should ask this: “Can I have your driver license number for my records so that I can verify that you were the person I talked to about this situation?” If they say no, tell them it is the exact same policy that the bank uses and that you just need to verify his identity, and that he should “trust you”.

    Thank you for saying exactly what I was thinking. Especially the “you can trust me…” part. What goes around comes around. If you leave the bank in disgust the best way to do it is to yell out the policy to the other vict, I mean, customers in line.

  51. Baronzemo says:

    I was driving cross country & had an uncashed payroll check drawn on LaSalle Bank(for some reason a lot of entertainment industry checks are run outta payroll companies in Chicago) I was in the middle of an Illinois rainstorm @ rush hour in the Northwest suburbs of Chicago(if you’ve been there, I’m painting a pretty ugly picture, I know) I noticed a LaSalle Bank so instead this crap-of any surprises on the road(who knew Arkansas Credit Unions aren’t in the Co-Op & will merrily charge you $1.50 per withdrawal?) I pulled in to cash it. I of course gave the clerk my drivers license, they wanted the thumbprint & I’m used to that one so I made like an Iraqi voter. Then the perky clerk pointed at my credit card in my wallet & chirped, “I’m going to need the number off of that”. Excuse me? Same story, they called over a “customer service guy” who acted like the Whammyburger Manager in “Falling Down”. We went in circles, I gave no attitude, I said “You’re the bank, your logo is on MY payroll check-this company is down the road(we were in Northbrook, where they shot all the John Hughes movies) you know the assets of these guys-why do I have to give you my credit card #?” And his reply made me realize why it was so easy for John Dillinger to make a living around there, the guy said, “You’re from California-right? So technically I don’t have to cash this check @ all”

  52. teeharold123 says:

    These banks are something else. I tried to deposit cash into someone else’s account at North Fork Bank and I was told that because of the new anti-terrorism laws, I had to either provide some official identification or open an account. After a few minutes of debate regarding privacy and identity theft, I finally submitted and allowed the bank guy to take my driver’s license. He printed out a slip which I had to sign. After obliging him, I asked for a copy of the document. He adamantly denied my request nor would he produce some documentation stating how my information would be used. An I am not even a customer of that bank. I really hate where all this personal information data gathering is headed…

  53. Bay State Darren says:

    Why are all the comments in bloody italics?

  54. Bobg says:

    Kudos to Seth for standing up to be counted. We should all question business practices that we feel are crazy. About fifteen years ago I went to the Kelly Springfield tire store in Cumberland, Maryland for a new set of tires. The counter person asked for my Social Security number (I was paying cash.) When I refused to give it he told me that the company required it. I left and bought the tires elsewhere.

  55. mac-phisto says:

    @Seth_Went_to_the_Bank: you’re right, but those records weren’t stolen off transaction receipts. in the grand scheme, i’d be less worried about a pen & paper record & i’d be more worried that your SSN, DL#, name, address, acct #’s, PINs, phone #, picture & signature are all probably stored in a single digital file that if cracked will be a treasure trove for thieves all around the world.

    i don’t like the policies any more than you, but the policies are reactionary to federal laws. blame your congresspeople for voting on legislation they neglect to read.

  56. Seth_Went_to_the_Bank says:

    Well, I would worry about both. One thing I didn’t mention in my previous response is that we very often (almost never) get a chance to know the source when one is a victim of identity theft. So in many people’s opinion, including mine, eliminating bad practices is crucial.

    In fact, I worry more about handing my driver license to a bank employee precisely because I can control that and the disaster that is electronic records security I have very little control over.

    As you commented on, each bank interprets the Patriot Act differently. I haven’t heard of many banks requiring your DL number be written down during a withdrawal. I agree that Patriot Act is bad legislation.

    I appreciate all the comments (from all).