[ Report Home | Previous Page | Next Page ]
PIRG Identity Theft II: SECTION III: PIRG'S PLATFORM ADDITIONAL AMENDMENTS NEEDED TO PROTECT IDENTITY THEFT VICTIMS AND PREVENT ERRORS
While PIRGs support legislation making identity theft a crime, such as bills introduced in California by Assemblyman Kevin Murray, (D-Los Angeles), AB 156, and in Congress by Senator Jon Kyl (R-AZ), S. 512, this solution to the problem does not go far enough. Identity theft victims need stronger protections under credit issuing and credit reporting laws. As described above, the new amendments to the federal Fair Credit Reporting Act (FCRA) make substantial improvements to benefit individual consumers who have been victimized by errors in their reports. However, those improvements will not, in our view, adequately assist identity theft victims. Further, the federal changes made compromises on existing privacy laws and also failed to address obvious privacy problems.
The following amendments would greatly improve the accuracy and privacy of reports. Some amendments may overlap, and are listed in priority order within each section. Some amendments could only be enacted by Congress, due to preemption, and are so noted.
The most critical identity theft amendments, in PIRG's view, include the following:
- providing free credit reports,
- providing blocking,
- requiring matching of at least four points of correspondence, such as exact name and exact address, between credit reports and credit applications,
- improving address verification, and
- closing the credit header loophole.
(1) GIVE CONSUMERS GREATER FREE ACCESS TO THEIR REPORTS
(a) Free report mailed annually: As passed by the Colorado State Senate, but not into final law, require disclosure of right to a free report to include a copy of the consumers' credit report. The final Colorado bill, as enacted, still laudably requires an annual notice from the Big Three credit bureaus to all credit active consumers describing their rights under the law, including their new right to a free report annually on request.
(b) Free credit report annually upon request: Consumers should have the ability to request a copy of their credit report with the three major credit reporting agencies at least once a year in order to check for fraud and other inaccuracies. Under the FCRA (including new amendments), consumers who have been denied credit, are unemployed, indigent or victims of identity theft will have the right to obtain a free copy of their credit report. Consumers should not have to wait until they are a victim of fraud, however, to find out what is being reported about them. Renita Frasier of Sacramento, California, when finally alerted to her identity theft and directed to obtain a copy of her credit report, found that it contained over 15 fraud accounts. Currently, Vermont, Georgia (2/year), Massachusetts, Maryland, Colorado and New Jersey effective in January) allow consumers to obtain one free credit report annually upon request. Connecticut ($5) and Maine ($3) limit the amount of the fee to less than $8.
(c) Report following request: Require that consumers get an automatic copy of their credit report at their current address, with a detailed phone number and address for any requestor, following any request for it. As an interim step, bureaus should notify all consumers, at their old address and new address, any time their credit report is requested within 30-60 days of an address change by the consumer.
(d) Credit scores: Give consumers access to credit scores and explanations as part of their credit reports. Instant credit offers are a primary precursor to identity theft, yet neither the FTC nor the credit industry will explain the credit scoring systems derived from credit reports that make instant credit possible.
(e) Notice of inquiries and subscriber names: Bureaus should be required to improve disclosure of inquiries and subscriber codes by providing an explanation of how to interpret information on the credit report. Bureaus should be required to provide all consumers, not only fraud victims, with the name and toll-free telephone number of a contact for all trade lines and inquiries appearing on a consumer's credit report.
While the new FCRA amendments do require better disclosure of persons that obtain the consumer's credit report, a credit reporting agency is only required to provide an address or phone number of the person or company of the person procuring their credit report if the consumer requests it. Many consumers may not know that they can request the address and phone numbers be included on a copy of their credit report. Time is of the essence for victims of identity theft who need to contact creditors with whom their names have been used fraudulently quickly and easily to minimize the damage done by their imposter.
(2) PREVENT OTHERS FROM WRONGLY ACCESSING REPORTS
(a) Allow consumers right to block: As the Rosenthal bill (CA) originally proposed, grant all consumers the right, upon request, to block access to their credit reports and credit scores without their informed consent, through use of a secret password or PIN. As an interim step or as a second option, consumers should be notified whenever their credit report has been accessed, with a clear explanation of the name of the requestor and a means of contacting them, as well as a request code linked to the request.
Our preferred position, of course, is that all reports be automatically off-line except under a consumer's authority, but a good first step would be to provide the option. Many victims, like Jennifer Bloom (experience discussed above), report that placing a fraud flag and a statement directing all creditors to call them before approving any credit applications did nothing to prevent new fraudulent accounts from being opened. In fact, many creditors do not actually see the fraud flag since they do not receive a full copy of the consumer's credit report, but only a credit score. (The score does not indicate that a consumer's credit report has been flagged due to fraud.)
Mari Frank, identity theft victim from Laguna Beach, California whose identity was stolen from an illegally accessed credit report, contends that any reforms to help identity theft victims should include a provision to prohibit the issuance of credit reports without the consumer's permission. Celebrities and other VIPs now have their reports off-line. Average consumers should be afforded the same privilege as a matter of law. It is important that any such blocking provision also apply to the release of a credit score on a consumer. Further, blocking must not remove a consumer from the credit system. A consumer who elects blocking should not be prevented from applying for and obtaining credit and loans when they do provide their express written authorization to the credit grantor to obtain information from credit reporting agencies. The bureaus, as part of their disinformation campaign against the Rosenthal bill, alleged that such off-line blocking with a PIN or secret code was impossible. Yet, David Medine, FTC associate director for credit practices, agrees with us that it is "technically feasible." (Personal communication with PIRG's Ed Mierzwinski, June 1997; also quoted in "Are You A Target for Identity Theft?," Consumer Reports Magazine, Sept 1997, at page 16.)
(b) Close credit header loophole: As part of its 1994 consent decree with TRW (now Experian) prohibiting target marketing from credit reports, the FTC made a serious mistake. It defined certain sensitive personal information contained in credit reports as exempt from the definition of credit report. Under the TRW loophole, the credit bureaus now traffic widely in so-called "credit headers," which include all of the demographic information found in a credit report that is not associated with a specific credit trade line or public record.
Credit headers may include names, addresses, previous addresses, telephone numbers, social security numbers, and even mothers' maiden names. Credit headers are re-sold in bulk and used by other firms as the core of such products as the Nexis-Lexis "P-Trak" database and other so-called people finders. U.S. Sens. Dianne Feinstein (D-CA) and Charles Grassley (R-IA) have proposed PIRG-supported legislation, S. 600, to close the credit header loophole and further restrict the sale and use of social security numbers and other information by government agencies. Identical companion legislation, H.R. 1813, has been proposed by Rep. Jerry Kleczka (D-WI). In addition, consumers who opt-out of pre-screening uses should be presumed to have opted out of header uses, if any header uses are then allowed under the act.
(c) Permission: Until full blocking is enacted, states should require all prospective users to ask a consumer's permission. Under current laws, only Vermont requires the subject's (oral) permission to access a credit report. The new federal law requires prospective employment users to ask a consumer's permission. Requiring consumer authorization will not slow down legitimate inquiries by creditors -- most ask already -- but will discourage illegal access through superbureaus and information brokers and will require credit bureaus to improve auditing of non-regular users.
(d) Unique identifier: Ideally, Congress should require creditors and credit bureaus to replace use of the social security number as identifier with a more accurate, less accessible code.
(e) Opt-out: (Federal proposal) Reverse the opt-outs to be opt-ins. Or, strengthen the opt-out provisions of the FCRA's pre-screening and affiliate sharing sections. Make it easier for consumers to learn about opt-outs. Reverse the hierarchy of the existing opt-out so that the permanent opt-out is the default and the limited, 2-year opt-out is either repealed (preferred) or made the secondary option.
(f) Fraud flags: Generation of credit scores should be blocked on any report containing a fraud flag (or even an error dispute), unless additional verification is made that the report is accurate and that the credit request is from the actual consumer. Also, some creditors, credit score contractors and credit bureaus are making the presence of a fraud flag or dispute statement a negative factor in the calculation of credit scores. Consumers should not be penalized for exercising their rights of redress.
(g) Ban target marketing: Federal law should codify the FTC's enforcement position by explicitly prohibiting the use of credit reports for target marketing. The FTC states that the FCRA does not allow the use of credit reports for non-credit target marketing purposes. Unfortunately, Trans Union has challenged this view in court. Marketers do not need information from credit reports for non-credit purposes. Direct marketing firms already have too much information about consumers and do a poor job of protecting privacy. Last year, Metromail subcontracted to a company that hired prisoners in Texas to do data entry. A convicted rapist contacted one consumer and sent her a highly offensive, sexually explicit letter, using the personal information from her record to describe her.
(3) ENSURE ACCURACY OF REPORT AND REPORT RECIPIENT
(a) Match points of correspondence: As the Murray bill (CA) originally proposed, credit reporting agencies should only be allowed to release a credit report in response to a credit application which matches the information on file with the credit reporting agency on at least four identifiers, including complete first and last name, social security number, current address, and date of birth. Secondary identifiers which may be used to determine a match could include, but not be limited to, driver's license number, current employer, mother's maiden name, and phone number.
Currently operative consent decrees allow the bureaus to ship a credit report that matches the credit application in only any two or three points of several of correspondence, which is inadequate to prevent either theft of identity or credit denial due to inaccuracy. This sloppy credit application verification leaves victims with dozens of fraudulent credit accounts that contain completely bogus information except for their name and only one or two other correct identifiers.
(b) Address confirmation--New credit accounts: Credit bureaus should be required to disclose to the creditor that an address on the application does not match the address listed for that consumer on the credit bureau's file so that the creditor may be alerted that it is a potential fraudulent application. Creditors should be required to send confirmation notices to the all address(es) listed on the named applicant's credit report.
When information from a credit or loan application is furnished to a credit reporting agency with an address that is different from the address that the credit reporting agency has on file, rather than reject the request for a credit report, the credit reporting agency may simply replace the old address with the new address--even if it is a fraudulent one being used by an identity thief. Creditors claim that they often do not know whether the address on a credit application matches the named consumer's credit report, because they may not see the entire report, but rather, only get a credit score or an approval or denial of the credit application based on the criteria they provide to the credit reporting agency. Jennifer Bloom experienced this the hard way. She was denied a student loan due to a delinquent account totaling $5,400 with First USA. It granted a Visa card to someone who knew everything, but not her correct address.
(c) Address confirmation--Existing credit accounts: All banks and other creditors should be required by law to send a confirmation to consumers whenever an address change is requested on the account. As a lesser step, a confirmation should be required for all address changes within 45 days of a request for an additional card on a new account.
Identity thieves use victims' personal information to commit "account takeovers." They call up existing creditors and request new credit cards to be sent to a different address. While some creditors have procedures to verify whether the person requesting the new card is in fact the true cardholder, many banks and other creditors do not. Commendably, the U.S. Postal Service implemented an address-change notification last year in response to some highly publicized identity theft cases wherein the victims' personal financial information were obtained from mail diverted to the thief through a fraudulent change-of-address form filed with the Post Office. (See Appendix E--sample notification sent by U.S. Post Office in response to address-change request.)
Retailers and banks opposed such an address change notification requirement contained in a 1997 California identity theft bill, SB 930, claiming it would be too costly and burdensome. Considering all the marketing pieces of mail these companies send out, it is hard to believe that the cost of sending out a notification would be prohibitive, especially when it might prevent thousands of dollars of fraud losses.
(d) NCOA: Enforce provisions of the postal regulations that prohibit use of the National Change of Address (NCOA) database for target marketing lists.
(4) HELP EXISTING THEFT VICTIMS
(a) Fraud notification: Credit bureaus and creditors should be required to develop a fraud notification system that eliminates the current burden on victims to make dozens of phone calls and obtain numerous notarized statements at great cost.
(b) Artificial intelligence: Creditors should increase the use of artificial intelligence programs to identify patterns of fraudulent use. Notify consumers of suspected fraud activity.
(c) Disclosure: Creditors should insert brochures in account statements on identity theft, describing the procedures consumers should follow. Brochures should include 800# numbers for the creditor's and the credit bureau fraud hotlines. Fraud victims who contact hotlines should receive "fraud kit," describing additional steps to take.
(5) IMPROVE ACCURACY AND PRIVACY
(a) Subscriber duties: Require credit bureaus to establish, by contract, the names of individuals with access to subscriber terminals. Require all access to be by unique individual password to maintain audit trail of violations. Require credit bureaus and re-sellers to verify identification and purposes of subscription applicants and report requestors and to conduct ongoing audits of existing customers.
While the new FCRA amendments require additional duties for resellers of information to verify the identity and purposes for which their subscribers will use their information, there remains the problem of people who illegally access credit report databases from authorized subscriber terminals. Mari Frank and other victims have reported that their identity was stolen by someone who had access to an authorized subscriber's terminal.
(b) Deletion of inquiries related to fraudulent accounts: All credit reporting agencies should be required to delete fraudulent inquiries related to accounts they have determined to be fraudulent. Further, credit bureaus should be required to investigate a consumer's dispute and delete inquiries which were not from companies with whom the consumer initiated a business transaction nor from a company that extended a firm offer of credit to the consumer.
A frequent reason given by creditors for refusing new accounts is that the consumer has "too many inquiries" on his or her credit report. Every time anyone obtains a copy of a consumer's credit report for determining whether or not they should extend credit, regardless of whether they actually do extend credit, that company is listed as an inquiry on the consumer's report. Identity theft victims often have dozens of inquiries listed on their credit report. Some result in fraudulent accounts being opened and others represent failed attempts by an identity thief to open accounts. Credit reporting agencies are required under the FCRA to delete information that is determined to be fraudulent, but identity theft victims report that inquiries associated with the fraudulent account information and/or the inquiries related to attempts to open fraudulent accounts continue to be listed on their credit report, causing them to be denied credit.
(c) Civil penalties: Increase the use of administrative civil penalties against regulated banks, department stores and credit bureaus to force improved complaint handling so that (1) error and identity theft victims have problems solved immediately and (2) potential theft patterns posing systemic threats to the financial system are identified more quickly.
(d) Truncation: Expand recent actions by financial regulators and credit bureaus, such as account number truncation on ATM receipts and credit reports, that have helped limit access to full account numbers.
(e) Activation: All credit cards and ATM debit cards should be mailed "unactivated" and only activated after complete verification of the recipient's identity.
(f) Right to sue: Grant consumers a private right of action to sue furnishers of information for any violation of Section 623 of the FCRA, as amended in 1996, to ensure better compliance and protect the financial system from fraud.
(g) Higher furnisher accuracy standard: The new law's limited "knowing" accuracy standard on furnishers should be upgraded to a requirement that furnishers, like credit bureaus, follow "reasonable procedures" to avoid errors. In the interim, agencies should use their administrative enforcement authority to punish banks and department stores that fail to remove fraudulent entries on existing accounts of victims or add fraud accounts to the credit reports of victims.
(h) $1000 Minimum damages per violation: The federal FCRA does not provide for minimum statutory damages to consumers for violation of the FCRA by credit bureaus or furnishers. Consumers should not have to tediously prove actual damages in each complaint. Bureaus count on the difficulty of establishing actual damages when they refuse to settle disputes with consumers.
(i) Bank safe harbor: Repeal provisions of the 1996 federal amendments which wrongly amend the FCRA to establish a safe harbor for financial institutions by restricting agency authority to examine banks for FCRA compliance.
(j) Royalties to consumers: The concept that information belongs to the database owner, rather than to the subject, impedes the protection of personal privacy. If consumers must be paid a fee for each use of information about them, companies will treat the information more carefully.