Blacklist of 'risky' bank staff to counter insider fraud

Major US financial institutions are working to set up a new defence against insider fraud: a database of employees who are known to be scam risks.

Banks and similar organisations already run reference and background checks on new employees but an extra security measure is needed, according to Bits, a consortium of 100 of the largest US financial institutions, including JPMorgan Chase and Wachovia. The new database, announced on Wednesday, will list information on employees at financial institutions who were fired because they compromised customer data or knowingly caused financial losses, the group said.

Cheryl Charles, a senior director at Bits, said: "There is a phenomenon of people being able to literally walk down the street to another financial institution and get hired." In one case, the same scammer was hired by three institutions, she said. "This new database is going to help prevent that kind of thing."

Reports of insiders attacking financial services systems are on the increase. In a 2004 Deloitte survey of IT security in the industry, 35 per cent of companies said they had come under an attack from an internal source. That's up from 14 per cent in 2003.

That trend has been reflected in high-profile security breaches at banks. In one example in April, police in Hackensack, New Jersey, arrested nine individuals who were allegedly involved in selling the personal information of just under 700,000 people. Eight of the suspects were bank employees, and Bank of America and Wachovia were among the big companies that had to notify customers that their account information had been stolen.

The compilation of information on insider risks is meant to help prevent such breaches, Charles said.

She said: "Unfortunately, there is not a good way today to track who these people are. So we're putting them in a database - of course, consistent with the law and making sure nobody's privacy is violated." The database is currently under development and should be ready by mid-2006, Bits said.

The blacklist is one of the ways financial institutions are fighting fraud. Banks are also increasingly protecting their online services and putting up shields against phishing attacks.

The Federal Financial Institutions Examination Council recommended earlier this month that banks introduce multiple-factor authentication by the end of 2006.

Joris Evers writes for CNET News.com