Letters to Regulators
FACTA Identify Theft Rule
June 10, 2004
Federal Trade Commission
Re: FACTA Identity Theft Rule, Matter No. R411011
Dear Sir or Madam:
The Independent Community Bankers of America (ICBA)1 appreciates the opportunity to comment on the Federal Trade Commission (FTC)'s proposal to implement provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) through rules to further define the terms "identity theft" and "identity theft report," establish the duration of an "active duty alert," and set forth the requirements for the "appropriate proof of identity" for purposes of fraud alerts and active duty alerts in credit report files. The FTC proposes expanding the statutory definitions to provide additional guidance for consumers, credit reporting agencies and users and furnishers of credit reports (e.g., banks).
Definition of Identity Theft
The definition of "identity theft" is critical because it defines the scope of conduct covered by FACTA. While the FTC believes the definition should be sufficiently broad to include legitimate abuse of a consumer's identity, it also believes it is important to focus the definition so that it does not include many other types of fraudulent conduct (for example, credit card fraud or theft). Therefore, the FTC proposes to define "identity theft" as a "fraud committed or attempted using the identifying information of another without lawful authority." The definition would incorporate the existing federal definitions of identifying information, such as name, Social Security number, and date of birth, and so forth to make the definition consistent with established federal law.
The ICBA generally finds this approach appropriate. However, since there is also a fair amount of confusion on what constitutes identity theft, refinement to the final definition would help further address the FTC's concerns. For example, the ICBA agrees that the definition of identity theft should not include misuse or theft of a credit card account or other frauds that can be better addressed through other remedies. Rather, identity theft should be the use of someone else's identifying information to establish new accounts or transactions. For example, if someone's credit card number is stolen, he or she still receives regular statements that indicate the fraudulent transactions and allow the card owner to take steps to address the problem. In fact, most major card companies have procedures that excuse the account-holder from liability for fraudulent purchases. However, we agree those transactions should not be defined as identity theft.
The ICBA believes that identity theft should be given the serious attention it is due. When someone's identity is stolen, he or she is not likely to be aware of the fraudulent transactions for some time, and it is the lack of awareness that creates serious problems for consumers. Because Congress created serious remedies in FACTA to address identity theft, a definition that encompasses too many types of fraud would dilute the meaning of identity theft and could have unintended consequences. For example, if an allegation of theft of a properly established credit card account is treated as identity theft that could become a tempting means for some to avoid legitimate debt by giving them the means to block information on a credit report. Less than reputable credit repair bureaus, which already abuse the system, would have a field day with this type of scam. Even more important, abuses could seriously damage the credit reporting system for all consumers by calling into question the legitimacy or completeness of credit reports. Therefore, to exclude other types of fraud, the ICBA recommends that the final definition include a provision defining identity theft as the fraudulent use of another's identifying information to open or establish a new account.
Since inquiries can adversely impact a person's credit report, the proposed definition would include attempted instances of identity theft. The ICBA is concerned that this may be too broad and could dilute the true meaning of identity theft, especially since other more appropriate mechanisms are available to address the problem of excessive inquiries without incorporating that under the rubric of identity theft. Therefore, we do not agree that attempts should be included as identity theft without further evidence.
Finally, the ICBA agrees that the definition of identity theft should incorporate provisions that specify identity theft as something done without the person's knowledge or without lawful purpose, since these elements help focus the definition on instances of true identity theft.
Definition of Identity Theft Report
FACTA allows victims of identity theft to use an identity theft report to take a number of steps to protect themselves and correct problems caused by identity theft: (1) request credit bureaus to post an extended fraud alert in their credit files; (2) have information resulting from identity theft blocked from credit reports; and (3) provide the identity theft report to lenders and other furnishers of information to prevent them from continuing to report the false information to the credit bureau.
Since it is possible there are consumers who might abuse the system and try to use identity theft reports to avoid legitimate debts, the statute also provides protections: an identity theft report must be filed subject to criminal penalties for filing a false report and credit bureaus have some ability to decline or rescind a block, such as when there is a material error or a misrepresentation of fact. However, new automated reporting systems, such as the FTC's own identity theft report system, provide consumers an automated mechanism for reporting identity theft, thereby removing some of the traditional protections present when a consumer must file a traditional police report.
To further protect against abuse, the FTC proposes two additional elements for an identity theft report: (1) the consumer must allege the identity theft with as much specificity as possible and (2) credit bureaus and information providers will be allowed to ask for additional information or documentation to determine the validity of the identity theft claim. The FTC does not define what steps credit bureaus or information providers may request, only requiring they be "reasonable."
The ICBA agrees that it is appropriate that credit reporting agencies and information furnishers have the authority to require as much specificity as possible when investigating an allegation of identity theft. To begin with, this will help discourage fraudulent claims of identity theft and abuse of the system, a step that is especially important since, as noted above, Congress created serious remedies for a serious problem. Second, greater specificity will help information furnishers and credit reporting agencies better identify the actual fraud that should be blocked on a credit report.
The ICBA also agrees that credit reporting agencies and information furnishers should be able to require additional information and documentation to determine the validity of an identity theft claim, steps that are important to ensure the integrity of the entire system. The proposal would provide that these steps might be taken as long as they are "reasonable," but since reasonableness is a highly subjective standard, the ICBA also believes that it may be necessary for the FTC, working in conjunction with other regulatory agencies, especially the banking agencies, to offer further guidance in the form of best practices or questions-and-answers on what is reasonable in the near future. The ICBA also strongly recommends that these be published in draft form and made available for public comment.
As noted above, new mechanisms have been created to facilitate identity theft reporting, such as the FTC's readily available uniform affidavit of identity theft. These new mechanisms are helpful, but the easy ability to claim identity theft also means that some of the same protections that exist when a police report must be filed in person are lacking or severely diminished. Therefore, the ICBA also believes that it is important that the final rule allow credit reporting agencies and information furnishers sufficient latitude to refuse claims of identity theft that are not sufficiently supported, much as banks are given the ability to deny claims of error on billing statements under the Federal Reserve's Regulation E, Electronic Fund Transfers Act.2 The ability to deny a claim of identity theft after investigation should be incorporated in the final rule in order to ensure the continued integrity of the credit reporting system.
Active Duty Alert
FACTA allows military personnel called to active duty to place an alert in their credit file affirming their active duty status since they might not be able to take the same steps as other consumers to protect themselves from identity theft. The alert is intended to act as a red flag for credit report users. The statute requires the alert to be in place for a minimum of twelve (12) months, a length of time the FTC has deemed appropriate after careful consideration. Although the proposed rule does not specifically state it, the FTC indicates that military personnel could place a new 12-month alert in place when the previous one expires.
The ICBA agrees that a 12-month active duty alert is appropriate. To further refine the use of the active duty alert and to address some of the concerns raised by the FTC, the ICBA also recommends that two additional provisions be incorporated in the final rule. First, the final rule should allow an individual consumer to cancel an active duty alert on his or her credit file at any time when his or her status changes, especially since an active duty alert might delay access to credit. Second, since it is possible that deployments may last longer than 12 months, the final rule should make allowances for extensions of the active duty alert. It would seem logical to provide for six-month extensions, but if the final rule includes a provision to allow cancellation of an existing active duty alert at any time, the term of an extension would be less significant than the ability to extend an active duty alert. At this point, the ICBA does not believe that there is a need to limit the number of extensions.
Appropriate Proof of Identity
In order to ensure that credit bureaus act appropriately when placing alerts in a consumer's file, FACTA requires the FTC to define what constitutes "appropriate proof of identity." The FTC believes that this requires a balancing between the potential harm that could occur if the requirement is too lax against the possibility that available services, e.g., loans, could be delayed if the requirement is too stringent. The FTC proposes to take a risk-based approach, with increased scrutiny required depending on the service requested and the delivery mechanism.
The FTC expects credit bureaus will develop reasonable procedures. For example, placing a fraud alert may only need a simple name match, since the harm from not placing the alert would outweigh the possible harm from placing an incorrect alert. Similarly, the requirements for blocking fraudulent information should be low, since the risk that wrong information will be blocked or that a person other than the affected consumer would block the information are small. And, allowing a consumer to truncate his or her Social Security number presents minimal risk and so would not require extensive proof of identity.
The ICBA agrees with the FTC that the credit reporting agencies are in the best position to develop appropriate and reasonable procedures to define appropriate proof of identity and that the degree of proof should be tailored to the potential for harm that is involved in a particular situation. Allowing the credit bureaus to establish these guidelines should provide flexibility and allow quick and accurate customer service for all consumers. However, it is equally important that the FTC ensures that there is consistency among credit reporting agencies and information furnishers in order to avoid confusion. Therefore, additional guidance may be needed, but should only be issued after an opportunity for public comment.
Thank you for the opportunity to comment. The ICBA looks forward to continuing to work with the FTC and the other regulatory agencies as additional rules are developed under FACTA. Should you have any questions or need any additional information, please feel free to contact me at 202-659-8111 or by e-mail at firstname.lastname@example.org.
Robert G. Rowe, III
1 ICBA is the nation's leading voice for community banks and the only national trade association dedicated exclusively to protecting the interests of the community banking industry. ICBA has nearly 4,600 members with branches in more than 17,000 locations nationwide. Our members hold more than $526 billion in insured deposits, $728 billion in assets and more than $405 billion in loans for consumers, small businesses, and farms. They employ more than 231,000 people in the communities they serve.
2 See 12 CFR 205.11, Procedures for Resolving Errors. The Federal Reserve has clearly established steps for investigating and resolving allegations of errors.