Your bank account information is for sale, despite federal law

In a shadowy world seemingly ignored by regulators, dozens of private investigators and data brokers are selling private bank account information.

Give them a name, address and Social Security number and they boast they can find accounts and how much is in them, down to the last cent.

Your account, your neighbor’s, your parents’ — all can be had for a price, and, even at a time of heightened interest in protecting personal privacy, government authorities are doing little to stop it, an investigation by The Atlanta Journal-Constitution found.

So companies seemingly thumb their noses at long-standing federal regulations and policies put in place by the banks themselves to protect financial privacy.

Fees range from $200 to $500 per search. Turn-around times can range from a week to a month. Some even offer special deals for repeat customers.

Buyers include attorneys who can use the information to garnish accounts or decide if someone is worth suing. A spouse might want to see if a partner is hiding money.

How do the brokers do it?

They say it’s legal, but none would specify how they obtain information that typically is supposed to be accessed only with the consent of the account holder or a court order.

For some who have long questioned how this industry exists, the silence is itself a troubling sign that account information is being obtained illegally.

“How someone could say it’s legal to get someone else’s bank account number or balance without a court order, I don’t know,” said Philip Segal, a New York attorney and former journalist whose book, “The Art of Fact Investigation,” explored the issues attorneys face when trying to find assets and other information.

The federal Gramm-Leach-Blilely Act of 1999 made it illegal to obtain financial information under false pretenses, such as by impersonating an account holder on the phone — a phenomenon commonly known as pretexting. The act also requires banks to take steps to safeguard customer privacy.

In the years immediately after the law took effect, the Federal Trade Commission took steps to shut down hundreds of companies advertising that they could get bank account information.

But when the AJC took a fresh look, it found that the sale of banking information remains prevalent, even by firms with well-known reputations for having used pretexting in the past.

One, Docusearch, was at the center of a highly-publicized murder case in which a 20-year-old New Hampshire woman, Amy Boyer, was killed by a stalker. A lawsuit filed by Boyer's parents in 2002 revealed that the stalker had paid Docusearch for employment information and that pretexting had been used to obtain it.

Today, on a website that touts the company as “online and trusted for over 20 years,” the Idaho-based firm says its “proprietary software” allows it to legally find bank accounts and balances “like no one else can.”

Rob Douglas, a former private investigator who worked with the FTC after Gramm-Leach-Bliley and helped Boyer’s parents with their lawsuit, said companies continue to traffick in financial information because they work in an environment in which there is little fear of enforcement.

‘Trade secrets’

The website of Perma Investigations and Polygraph Examinations, a company operated by Roswell private investigator Marc Perlson, says the firm can locate bank accounts and balances nationwide. It also boasts it can monitor accounts for 30 days and provide "the best time to levy."

When contacted by the AJC in 2018, Perlson declined to be interviewed, stating in a phone message that he can’t discuss his methods “due to trade secrets and proprietary stuff that we as investigators have learned.”

The website for another a company, Asset Analysts, said it could find “active bank accounts” through its access to the SWIFT system, the Brussels-based messaging system used by banks and corporations to move money.

“We are a SWIFT registered company and can conduct searches legally and testify in court on the methods,” the website said.

However, after inquiries from the AJC, the website was replaced by a notice that said the site had either been moved or deleted.

Records show that the Asset Analysts website was created in 2018 and that the firm was incorporated at about the same time using a UPS store on the outskirts of Jackson, Miss., as its address.

In a statement to the AJC, SWIFT said that it is a secure service with strict policies in place to protect the confidentiality of its messages. Moreover, SWIFT does not have individual account data, nor does it have access to it, the statement said.

The Docusearch website doesn’t go into detail about how the company obtains banking information except to say that its software uses “third party providers of electronic transactions.” There is no pretexting, the website says. It also states that anyone who orders an asset search will be interviewed prior to the search being conducted.

The company’s president, Dan Cohn, told the AJC that most of his customers are attorneys or private investigators who don’t have his resources. He declined to discuss his process for finding bank accounts except to say he does it legally and he believes he performs an important service.

“I get where the public says, ‘That’s horrible. How can he find out personal information that’s supposed to be private?’” he said. “But there’s a lot of good that comes from it. Otherwise, people would go around accruing debt, not paying judgments, and there would be no recourse.”

A ‘black box’

The AJC began looking at the issue of bank account privacy  after a Lawrenceville woman, Connie James, provided the newspaper with documents showing that a private investigator obtained her account balances without her consent. The P.I. was working for attorneys who wanted to garnish the accounts to satisfy a judgment for delinquent homeowners association dues.

James knew nothing about the arrangement between the lawyers and the P.I. until she filed a grievance with the State Bar of Georgia, which provided her with the documents.

Her case points to one of the reasons bank accounts can be so readily bought and sold: They are a valuable commodity for attorneys seeking to enforce judgments or assess whether lawsuits are feasible.

Basically, it’s a matter of convenience. Without a bankruptcy filing or some other form of public financial disclosure, an attorney seeking to enforce a judgment by garnishing would have to use post-judgment discovery, a process that adds expense and can take months.

The relationship between information brokers and attorneys is a “black box,” Segal, the New York attorney, said. Brokers closely guard their methods, while their attorney clients accept the information without question.

Many of the companies examined by the AJC appear to be marketing directly to attorneys or other private investigators, stating on their websites that they require a judgment before searching.

In some cases, they claim their methods are legal or call themselves Gramm-Leach-Bliley “compliant,” although they don’t describe how the information is obtained.

Are they pretexting?

The AJC asked four of the Atlanta area’s largest financial institutions — SunTrust, Wells Fargo, Chase Bank and Bank of America — to describe their policies for protecting customers’ privacy.

All said they do not reveal account information to third parties unless they have the customer’s consent or are responding to a court order. They also said they have processes in place for verifying phone calls regarding customer accounts.

The Georgia Bankers Association said protecting account privacy is “serious business” for banks and noted that they use various methods — including questions and answers, code numbers and verbal passwords — for making sure calls for customer information are legitimate.

But with so many companies unwilling to explain how they get the banking information they sell, many observers believe the information is being obtained through pretexting.

“If they weren’t pretexting, there would be no problem in telling you what they do and who does it,” Segal said.

In the one major criminal prosecution involving information brokers — a 2007 federal case known as “Operation Dialing for Dollars” — investigators found that a Seattle-area company used pretexting to wheedle personal information from banks, the Social Security Administration and even the Internal Revenue Service.

The evidence included a series of scripts, with one listing ways to convince bank employees to give up customer information. Among the ploys: “Well, I told my daughter to buy gas, did she do something else with it?”

The script also contained a page with the toll-free numbers for several financial institutions, including Wells Fargo, Bank of America, Chase, Citibank and Wachovia.

In one two-year period, the couple who ran the firm, BNT Investigations, made $535,000, the government found.

Douglas said pretexting works with financial institutions because employees in banking call centers typically aren’t concerned with account security.

“Pushing new accounts, pushing new products, reading the bit on the call screen, that’s primary,” he said. “Security is secondary. Always has been, always will be. If you know the techniques, and you’re skilled at it, you can beat them every time.”

Because of their far-flung bureaucracies, larger financial institutions are particularly vulnerable, he said.

“It’s almost like the bigger the bank, the easier it is to defeat them,” he said.

Limited enforcement

The FTC’s efforts to enforce Gramm-Leach-Bliley have been spotty since the agency’s initial efforts after the law was passed.

In a 2001 case known as “Operation Detect Pretext,” the FTC sifted through websites and other places where information brokers were advertising to see signs that they were using pretexting to obtain financial information.

The agency sent warning letters to about 200 firms. It also set up an elaborate sting operation in which it created bank accounts at a Washington, D.C. area bank and called on information brokers to see if they would find them.

In the end, however, civil penalties were assessed against only three companies, and none of the fines was significant. In fact, in one case, the FTC imposed a $15,000 fine on a Baltimore company and then suspended it.

Four years later, the FTC obtained a $40,000 judgment against the same company for using pretexting to obtain phone records, which became illegal in 2006. This time, the agency agreed to suspend the remaining amount due after the firm paid $3,000.

Douglas, who helped coordinate the sting operation, said the outcome of those cases helped create the impression that the profitability of selling bank account information outweighs the risk of being caught.

“The long and short of it is the FTC, although we found hundreds of companies (that appeared to be operating illegally), they only went after a couple,” he said. “And then they said, ‘If you’re good boys and girls, we’re not even going to enforce the penalties and collect the money.’”

The FTC declined to make anyone available for an interview. Instead, it provided the AJC with a statement in which it said protecting consumer privacy is a high priority.

The statement noted that the FTC has brought more than 500 enforcement actions related to a range of privacy issues since 2000. It also said the agency has been actively policing pretexting and will “remain vigilant as practices in this area evolve.”

When federal prosecutors pursued the “Dialing for Dollars” case, it was the Social Security Administration, not the FTC, that conducted the investigation, and the outcome again left some feeling as if it missed the mark.

The case led to guilty pleas from nine defendants, including six private investigators, but it stopped short of prosecuting the attorneys who ultimately received the information.

At one of the sentencings, the judge who oversaw the case asked why no lawyers had been charged.

The chief prosecutor, Kim Frierson, was candid in response: Nobody would talk.

“This industry operates primarily because of the don’t ask, don’t tell, don’t reveal, don’t screw your clients,” she said.