The number of identity-theft related suspicious activity reports filed by depository institutions spiked between mid-May and July, during the height of Equifax Inc.'s massive data breach.
And the number could continue to rise. On Oct. 12, the company took a customer assistance page offline, amid fears of another possible hack.
Tim Scholten, president of consulting firm Visible Progress LLC, said that all of the tools banks use to know their customers have been compromised, and that organizations across the board will have to think about identity verification in a "completely different manner."
"I think it's something banks and organizations are going to struggle with until they come up with additional security measures that go outside of the normal information that the credit bureau uses," Scholten said. "Every time you get another piece of data that's exposed, you've got to have something that is changeable."
"I think it's going to end up being things like secret codes and that sort of thing that people are going to need to use," he added. "That's why you see banks using two-factor authentication."
In September, Equifax announced that hackers gained access to credit card numbers of about 209,000 U.S. consumers, and dispute documents for about 182,000 U.S. consumers. Overall, as many as 145.5 million people could be impacted, with hackers gaining access to names, Social Security numbers, birth dates, addresses and driver’s license numbers.
"Anybody older than 18 years old is probably exposed," Scholten said. "If you think about it in those terms, it doesn't go away."
But even before Equifax, suspicious activity reports, or SARs, were on the rise. Credit card fraud, the most common type of identity-theft related SARs filings, steadily increased between 2013 and 2016.
Financial institutions use SARs filings to report unusual activities or transactions to regulators and law enforcement. The Financial Crimes Enforcement Network, or FinCEN, has touted the reports' role in tracking organized crime. According to FinCEN's website, there is "no way to provide an exhaustive list of potentially suspicious transactions," but red flags include activities that "vary substantially" from customers' normal practices.
Since FinCEN's release of a uniform SAR form in 2012, the number of suspicious activity reports has continued to climb, though some say the growing number of reports could be "defensive filings."
Scholten and Lily Thomas, senior vice president and senior regulatory counsel for the Independent Community Bankers of America, both said the hack will lead to innumerable expenses for banks. A handful of small financial institutions have already filed a lawsuit against the company, claiming the breach will cause them to incur significant costs and a decrease in lending.
"As with any breach, banks are going to be left holding the bag and paying for a lot of the costs that are associated with the breach, from issuing payment cards to notifying their customers, investigating claims of fraud or identity theft, refunding any fraudulent charges, obviously increasing monitoring of accounts," Thomas said. "It's just a whole slew of things that are going to end up trickling to banks to cover and to pay for."
Legislators have expressed uncertainty about who should be held responsible for cyberattacks, and banks are worried hackers could use breached information to open new accounts.
On Sept. 12, Senate Banking Committee Chairman Mike Crapo, R-Idaho, said there is still uncertainty around "data security and proper regulatory treatment." But Scholten and Thomas say the blame shouldn't be put on banks.
"I don't know what direction they're going to choose to go, but I don't see regulators doing nothing," Scholten said. "Do I regulate banks, or do I regulate and penalize the people that had a breach?"
Thomas said banks are already in the position of being "heavily regulated," and secure their customers' information "pretty well."
"It's kind of difficult to say how regulations will go moving forward, particularly with the third party," Thomas said. "We would certainly like to see that any entity that's holding personal identifiable identification have standards similar to banking standards."