Saturday, 7 March 2009

Say it ain't so, Chuck Schwab

Following my own advice after American Express cancelled my card, I applied to Charles Schwab Bank for a new credit card to use when travelling abroad.

(I used to have a different Charles Schwab Bank credit card, but it had a 3% surcharge for foreign currency transactions, and the bank cancelled it last month because I hadn't used it for months. I've had issues with Schwab and Schwab Bank before, which remain unresolved, but they relate to my ATM card and bank account, not my credit card. This could still affect my ability to get other credit cards, though, since I still haven't been able to get Schwab or Schwab Bank to notify the credit bureaus that it was a bank error on Schwab's part for them to freeze my accounts for travelling to Syria , without notice to me, when I had done nothing illegal or in violation of any of their disclosed terms.)

Typically, credit card companies don't disclose their full terms and conditions until after they have approved your application and issued you a card. My new card arrived in the mail yesterday, along with an "agreement" including the following unpleasant surprise:

WE MAY MONITOR AND RECORD TELEPHONE CALLS

You consent to and authorize FIA Card Services, any of its affiliates, or its marketing associates to monitor and/or record any of your telephone conversations with our representatives or the representatives of any of those companies. Where you have provided a cell phone number directly to us, or placed a cell phone call to us, you consent and agree to accept collection calls to your cell phone from us. For any telephone or cell phone calls we place to you, you consent and agree that those calls may be automatically dialed and/or use recorded messages.

As I had explained previously to AmEx, outbound robocalls to numbers from which I have called my bank or card issuer, whether landlines or cell phones, are likely to convey their recorded messages to other people at those phone numbers -- not to me. At a minimum, that gives away the fact that a particular (named) person, associated with a particular phone number, has an account with a particular financial institution. In many cases, that's all a pretexter needs to take over their account.

As for manual calls, when a financial institution or other business asks customers to provide personal information "to verify your idenity" or "for security [sic] purposes" in response to outbound calls from the business, the customer has no way to verify that the call is actually coming from who it claims to be from, or to whom they are actually providing their personal information. By making such outbound calls and requests, indistinguishable from those made by telephone "phishers" and pretexters, a business conditions consumers to accept those practices as legitimate, rather than properly presuming them to be fraudulent, and thus makes life easier for all identity thieves.

So the practices to which these credit card terms would require me to give my "consent" would facilitate information security breaches and identity theft, endangering me and others.

Heeding their mantra, Talk to Chuck , I called Schwab Bank and spoke with one of their customer service representatives first thing this morning. "I totally understand your concerns," she said, and from our conversation that seemed to be true. She claimed that neither she nor her supervisor were familiar with or had access to the terms of the agreement being sent to holders of credit cards issued through their bank, but said that, "We would only use a number you give us.... If we call you with a recorded message, we wouldn't give any information except, 'This is Charles Schwab Bank. Please contact us.' ... We always tell customers, if they have any doubt about who is calling from the bank, to hang up and call us at the number on their statement or on their card."

Well said. But if that's their practice why do their legally binding written policies require customers to consent to something completely different? Could she confirm the statements she had made in writing, as part of my agreement for my credit card? And how could I report this to the person(s) responsible for security and privacy vulnerabilities?

"Those departments are closed on Saturday, but I'll get in touch with them on Monday." She offered to call me back on Monday, but when I reminded her that I wouldn't talk to anyone who called me and claimed to be from my bank, she immediately said, "Of course", gave me her direct number and extension, and told me to call her on Monday.

I haven't activated my card yet, and won't unless and until I get clear written answers explicitly withdrawing, replacing, or overriding the terms in the agreement I received with the card.

The card says "Charles Schwab Bank" in big letters on both sides, and appears to have a bundle of features developed and offered exclusively through Schwab Bank for Schwab brokerage customers. But the fine print on the back of the card says that it is actually issued by FIA Card Services , formerly "MBNA", a Delaware subsidiary of the Bank of America. I assume that Schwab can dictate the terms on which it allows the card to be marketed in its name to its customers. I have, however, contacted both Schwab and the Bank of America to report the security and privacy vulnerability created by their policy.

Is the B of A (FIA Card Services) just playing "follow the AmEx leader"? Or are other card issuers trying to make this the new normal? I've requested updated copies of the terms for all of my credit cards, to see if any of the others have snuck similar terms into their agreements without my noticing. [Update, 8 March 2009: The day after I published this article, I got a comment from a reader: "Thought you might want confirmation of this practice spreading. I received an email that my Paypal credit card has made the same change to terms. I will cancel tomorrow." See the comments to this article for more details including the text of the proposed new terms of service. The Paypal Mastercard is issued by GE Money Bank .]

Why would they want to do this, anyway? Insufficient concern for their customers' privacy, security, and protection against identity theft, obviously. But they had to have some further motivation, or why would they bother.

Especially from the language in the terms from FIA Card Services, I suspect that card issuers (who in the case of FIA Card Services are also major issuers of unsecured credit card debt-based securities) are mainly acting on fear of debtors who only have a cell phone (or abandon their landline to the debt collectors, or port their landline to a cell phone), and then use the greater legal protection against calls to cell phones (as compared to that for landlines) to escape being harassed by debt collection and/or marketing robocalls.

Card issuers may have a secondary purpose of ensuring their "right" to market add-on products and services to the growing number of people who don't have a landline, or don't answer their landline. That seems to be more of a focus of the AmEx terms. But my working hypothesis is that these new FIA Card Services / B of A terms are intended primarily to establish "permission" for harassment later by debt collectors. All rights under these agreements can be assigned by the card issuers, so it establishes (irrevocably, at least if its terms stand up in court) the "right" of whomever buys the debt -- or any of their sub-contractors, asignees, or minions -- to harass you with as many recorded messages every day as they please. Forever.

I'll let you know whatever I hear. Because of constant comment spam, all comments are moderated, and won't appear until I approve them. But I welcome and will publish any comments or other response from Charles Schwab (talk to us, Chuck, please), Charles Schwab Bank, FIA Card Services, and/or the Bank of America.

[Previous: AmEx cancelled my card. Now what should I do? ]

[Follow-up: AmEx continues to spam me ... after closing my account ]

Link | Posted by Edward on Saturday, 7 March 2009, 07:38 ( 7:38 AM) | TrackBack (1)
Comments

The customer service representative at Charles Schwab Bank I had spoken with Saturday called me back this morning to say that she had checked with her supervisor and with the issuer of the Schwab Bank credit card, and that, "You can have them annotate your account as to which number they should call. They won't use any number you don't authorize them to call."

Can they put that it writing, explicitly overriding the contrary language in the written notice of terms I was sent? If that's what they do, why do they require my agreement to written terms that would allow them to do something completely different? And what about robocalls that might disclose my personal information to other people who might answer the phone at the same phone number(s) I use?

"I'll check with my supervisor, and get back to you on that."

Has my message been forwarded to their privacy office and the office responsible for reports of security vulnerabilities? "Yes."

Have you gotten any response from them yet? "No."

I'll keep you posted on any further developments.

Posted by: Edward Hasbrouck, 9 March 2009, 10:37 (10:37 AM)

Mr. Hasbrouck, thank you very much for contacting us. I'm looking into this for you and will get back to you asap.

Sarah Bulgatz
[designated PR Contact for "Privacy and Security", The Charles Schwab Corporation]

Posted by: Edward Hasbrouck, 9 March 2009, 10:43 (10:43 AM)

Edward -- Thanks for the message. Just want to let you know we are following up and I'll get back to you soon.

[Betty Reiss, designated Media Relations Contact for "Consumer Information Security / Identity Theft" and "Credit Cards", Bank of America]

Posted by: Edward Hasbrouck, 9 March 2009, 10:55 (10:55 AM)

From: Betty Riess [@bankofamerica.com]
To: Edward Hasbrouck
Date: Fri, 13 Mar 2009 10:04:56 -0700

Dear Mr. Hasbrouck:

As you requested, I did contact our Privacy executive about your concerns with the customer agreement on your Charles Schwab card, which is issued by FIA Card Services. The privacy of customer account information is a top priority.

The clause about cell phones that you reference in the customer agreement applies specifically to collection calls from us only if your account becomes past due. While we are obtaining consent to call cell phone numbers for collection calls, we currently do not call a cell phone number for collection purposes unless that is the contact number that has been directly provided to us by the customer.

Regarding your concern about leaving messages, when we do attempt to reach a customer and we have to leave a message, we do not provide any customer account information. We also have authentication standards in place to confirm that we are talking to our customer before sharing any confidential information. For reasons of security, we do not disclose the specific measures we have in place to confirm a customer's identity. Also, if a customer wants to confirm that this is a legitimate call from FIA Card Services, they can call the customer service number on the back of their card to verify the call.

FIA Card Services does not place sales or marketing calls to cell phone numbers. In addition, customers can opt out of all marketing-related calls from us by requesting to be added to our Do Not Call list. To do this, customers may call the toll-free number on the back of their credit card.

I hope that clarifies our practices and addresses your concerns.

Betty Riess
[Bank of America / FIA Card Services]

Posted by: Edward Hasbrouck, 16 March 2009, 09:41 ( 9:41 AM)

From: privacy@schwab.com
To: Edward Hasbrouck
Date: Fri, 13 Mar 2009 21:00:40 +0000 (GMT)

Subject: Re: security and privacy vulnerability report

Dear Mr Hasbrouck:

We understand the concerns you have raised in your email. To help adequately address these issues, we have forwarded your email to our Client Advocacy Team.

A representative from our Client Advocacy Team will be contacting you as soon as they have researched your concerns. We appreciate your patience in this matter and look forward to working with you to resolve it.

Please contact us if you have any further questions or concerns.

Ashley Taylor
Client Advocacy Team
Charles Schwab & Co., Inc.

Posted by: Edward Hasbrouck, 16 March 2009, 09:44 ( 9:44 AM)

From: "Bulgatz, Sarah" [@schwab.com]
To: "Edward Hasbrouck"
Date: Fri, 13 Mar 2009 14:53:34 -0700

Dear Mr. Hasbrouck:

In response to your inquiry, we have worked with FIA Card Services to review your concerns regarding the terms of service that apply to your Charles Schwab Bank Visa card. We understand that FIA Card Services has sent you an email addressing your concerns and explaining their collections and automated phone practices as card issuer and servicer.

We believe that their response, attached, provides adequate information to address your questions.

In addition, we at Schwab would like to reiterate that we take privacy and information security very seriously. Schwab does not place automated calls to clients to engage in any type of marketing activity. When we need to contact a cardholder on any issue affecting their account, we call the preferred phone number(s) they have provided to us, and if we need to leave a message we will only identify that the call is from Charles Schwab and request the customer to return the call. If we succeed in reaching the account holder, we verify their identity using authentication procedures that are reviewed by our information security organization to properly authenticate the caller. Because fraudsters and identity thieves are constantly evolving their tactics, we regularly review our processes at Schwab and revise them when necessary to protect our customers. If at any time a customer questions the legitimacy of the call, we encourage them to call us back at the number printed on the back of their card.

Thank you for contacting us on this matter. We appreciate hearing from our clients, and we value your business.

Sarah Bulgatz
Director, Corporate Public Relations
The Charles Schwab Corporation

Posted by: Edward Hasbrouck, 16 March 2009, 09:49 ( 9:49 AM)

From: Edward Hasbrouck
To: Betty Riess [@bankofamerica.com], Sarah Bulgatz [@schwab.com]
Date: Thu, 19 Mar 2009 11:51:15 -0700

Thank you for your messages. Unfortunately, they fail to address my concerns, to answer the specific questions I asked, or to include any point of contact for your respective Privacy Officers or the person(s) responsible for handling reports of security vulnerabilities.

You both make a variety of statements about what you *do*, but appear to have taken great care to avoid making any similar statements about what you *will do* in the future. This leaves me with several questions:

(1) Are you prepared to convert the statements about your practices in your message to me into contractual commitments binding your future actions, by incorporating them into your terms and conditions?

(2) If not, why not?

(3) If not, why should customers place any faith in your statements?

(4) If you aren't doing these things (such as making outbound calls to telephone numbers other than those the customer has specifically requested you to call) why are you asking customers to consent to those practices?

(5) Why do you believe that customers *should* consent to those practices?

You have invoked the mantra of "security by obscurity" as the reason why "we do not disclose the specific measures we have in place to confirm a customer's identity." But that ignores the issues I raised:

"Outbound robocalls to numbers from which I have called my bank or card issuer, whether landlines or cell phones, are likely to convey their recorded messages to other people at those phone numbers -- not to me. At a minimum, that gives away the fact that a particular (named) person, associated with a particular phone number, has an account with a particular financial institution. In many cases, that's all a pretexter needs to take over their account. As for manual calls, when a financial institution or other business asks customers to provide personal information "to verify your identity" or "for security [sic] purposes" in response to outbound calls from the business, the customer has no way to verify that the call is actually coming from who it claims to be from, or to whom they are actually providing their personal information. By making such outbound calls and requests, indistinguishable from those made by telephone "phishers" and pretexters, a business conditions consumers to accept those practices as legitimate, rather than properly presuming them to be fraudulent, and thus makes life easier for all identity thieves."

Finally, you ignored my questions regarding the relationship between Charles Schwab Bank and Bank of America. So that I can accurately advise my readers who they should hold responsible for the imposition of these terms, please let me know, as I previously asked, "which entity is authorized to set the terms under which cards that carry the Charles Schwab Bank name are issued, or whether under the agreement between Schwab Bank and FIA Card Services changes in terms must be agreed to by both of those two parties."

Sincerely,

Edward Hasbrouck


Posted by: Edward Hasbrouck, 19 March 2009, 11:45 (11:45 AM)

From: Betty Riess [@bankofamerica.com]
To: Edward Hasbrouck
Date: Tue, 24 Mar 2009 14:03:28 -0700

Thank you for feedback. However, we believe that our disclosure is clear and our practices are sound.

Posted by: Edward Hasbrouck, 24 March 2009, 14:42 ( 2:42 PM)

The ads that say "talk to chuck" are just BS. Just try to! They don't handle their own credit cards and the company they employ is bad news.

Posted by: Jack Gaarder, 24 April 2009, 12:15 (12:15 PM)

It is completely apparent that these women do not possess the know-how knowledge, basic business acumen, and average intelligence to appropriately respond to your legitimate concerns and questions. Their thoughtless emails and stone-walling tactics only work with the desperate consumers and NOT with the educated consumers. The best and most effective approach to these business entities (BoA, Schwab, Amex...) is NOT to do business with them -- take your money elsewhere. Afterall, they are under Federal Regulations to provide liquidity and fund complex positions, and without the depositors' funds, they will all be out of a job!

Posted by: sophie, 26 April 2009, 00:57 (12:57 AM)

Responding to B.Riess from BoA:

While you publicly boast your company's "clear disclosure", your company's CEO & Chairman Kenneth Lewis is being investigated by the NY Attorney General and the US Congress for concealing material information from the shareholders to enrich himself and avoid getting sacked!

Your clueless claims of your company's "sound business practice" does not explain the fact that it has cost this country taxpayers billion of dollars of bailout money.

You should really be sacked!

Posted by: Sophie, 26 April 2009, 01:11 ( 1:11 AM)

Looks to me that Schwab has a clear policy and is doing nothing wrong. Don't want people to extend you credit, don't ask for credit.

Posted by: Alan, 27 April 2009, 06:54 ( 6:54 AM)

"Looks to me that Schwab has a clear policy and is doing nothing wrong. Don't want people to extend you credit, don't ask for credit."

You are obviously missing the point! The issues ARE NOT whether or not credit should be extended but about security measures necessary to protect the cardholders and his privacy.

Posted by: Martijn, 27 April 2009, 17:09 ( 5:09 PM)

My comment may not be directly in relation to this matter. My specific problem is with Schwab and a material weakness in their internal controls.

On 11-4-09 I discovered that my brokerage account had been hacked to the toon of $239,000 thru internet fraud. No satisfaction from Schwab to this point.

Frankly, it may have been one of their reps that committed the fraud. Their security gaurantee is a joke. Do not trust your money with Schwab.

Looking at a long drawn out lawsuit!

Posted by: michael lawrence, 7 December 2009, 19:56 ( 7:56 PM)
Post a comment









Save personal info as cookie?