CUNA Regulatory Comment Call
May 4, 2004
FTC Proposal on Definition of ID Theft, ID Theft Report, Appropriate Proof of Identity, and Duration of Active Duty Alerts
(Major Rule Applies to All Credit Unions)
- The Fair and Accurate Credit Transactions (FACT) Act was enacted this past December and permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). It also enhances the ability of consumers to combat identity theft, increases accuracy of credit reports, and allows consumers to exercise greater control regarding the marketing solicitations they receive. The FACT Act also restricts the use and disclosure of medical information.
- With regard to identity theft, the FACT Act provides victims new rights to place fraud alerts on their credit reports and to work with creditors and credit bureaus to block negative information on their credit reports that results from identity theft. Military personnel are now able to place a fraud alert, called an active duty alert, when they are deployed. Consumers will need to use identity theft reports and appropriate proof of identity in order to place fraud alerts and to block information. The proposed rule provides definitions beyond those in the FACT Act for identity theft, identity theft reports, and appropriate proof of identity, and sets the duration of the active duty alerts at 12 months, which may be extended.
- Identity theft will be defined as a fraud, or attempted fraud, using a consumers identifying information without legal authorization. For identity theft reports, consumers must allege the identity theft with as much detail as possible. Creditors and credit bureaus will be able to request, within reason, additional information. Under the proposed rule, credit bureaus will develop reasonable requirements to be used to establish the appropriate proof of identity.
- Comments on the FTC proposed rule are due by June 15, 2004. Please submit your comments to CUNA by June 7, 2004. If you provide comments directly to the FTC, please refer to the FACTA Identity Theft Rule, Matter No. R411011
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org and to Assistant General Counsel Jeff Bloch at email@example.com; or mail them to Mary and Jeff in c/o CUNAs Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule, or you may access it on the Internet at the following address: http://www.ftc.gov/os/2004/04/factafrn0421.pdf.
President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.
The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act: http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html.
DESCRIPTION OF THE PROPOSED RULE
Definition of Identity Theft
The FACT Act gives victims of identity theft certain rights and creates requirements that creditors and others must follow to reduce the occurrence of this crime. The FACT Act defines identity theft as a fraud committed using the identifying information of another person and allows the FTC to enhance the definition of this term.
The proposed rule will enhance this definition as follows:
- The term identifying information used in the definition will have the same meaning as the term means of identification as used in the U.S. Criminal Code. This includes names and numbers, used alone or in connection with other information, that identifies an individual. Examples include name, date of birth, government or official identification numbers (such as Social Security, drivers license, or passport), biometric data (such as fingerprints or retina images), unique electronic identification numbers, or numbers and signals that identifies specific telecommunications or instruments.
- Identity theft will include frauds attempted, in addition to frauds committed, since attempts may adversely affect the victims credit reports and credit scores.
- Identifying information must be used without legal authorization. This is intended to prevent individuals from conspiring with others to obtain goods and services without paying for them and then claiming the rights available under the FACT Act.
Definition of Identity Theft Report
The FACT Act defines identity theft report as a report that:
- alleges identity theft.
- includes a copy of an official, valid report filed with the appropriate law enforcement agency, including the United States Postal Inspection Service.
- subjects the filer to criminal penalties if false information is filed.
Under the FACT Act, the identity theft report may be used to mitigate identity theft as follows:
- Victims may obtain an extended fraud alert if they file the report with the credit bureaus. This is an alert that is placed in the consumers credit file for seven years and requires users of the file to contact the consumer to verify identity before extending credit.
- Victims may file the report with the credit bureaus to have the information resulting from identity theft blocked from their credit report. Those that furnish information to the credit bureaus, such as creditors, must then, after being notified that the information is blocked, use reasonable procedures to prevent further reporting of this information and cannot sell, transfer, or place in collection the debt resulting from the identity theft.
- Victims may submit this information directly to information furnishers, such as creditors, to prevent them from providing information resulting from identity theft to the credit bureaus.
A credit bureau may decline or remove the information block if it reasonably determines that there is an error, misrepresentation by the consumer, or if the consumer receives goods, services, or money as a result of the blocked transaction. Information furnishers, such as creditors, may continue to furnish information if it knows or is informed by the consumer that the information is correct.
The proposed rule will add the following to the definition of identity theft report that is intended to prevent abuse without creating undue burden for victims:
- Consumers must allege identity theft with as much specificity as possible. The rule provides
the following examples as guidance:
- Dates relating to the identity theft, such as when the loss or fraud occurred, and how the consumer discovered or learned of the theft.
- Identification or other information about the perpetrator.
- Names of information furnishers, account numbers, or other relevant account information related to the theft.
- Any other information known to the consumer about the identity theft.
- Information furnishers, such as creditors, and credit bureaus will be allowed to request additional
documentation or information to help them determine the validity of the identity theft claim. The request
must be reasonable and must be made no more than five business days after receipt of the report from law
enforcement or the request for a particular service (such as a fraud alert or blocking of information),
whichever is later. The rule provides the following examples of when a request may or may not be reasonable:
- A request would generally not be reasonable if the identity theft report includes a law enforcement report with detailed information about the theft, along with a badge number or other identification information of the law enforcement official responsible for the report.
- A request would be reasonable if the law enforcement report did not include certain important information, such as the victims date of birth or Social Security number.
- If a request is made to a credit bureau or creditor to block information or to stop the furnishing of information, it would be reasonable to request that the victim complete and have notarized the FTCs ID Theft Affidavit if the law enforcement report was generated by an automated system with only a simple allegation that an identity theft had occurred. The requirement of a notarized affidavit would not be reasonable if the request is for an extended fraud alert.
Duration of the Active Duty Alert
Military personnel who are on active duty or assigned to service away from their usual duty station may request an active duty alert on their credit reports, which will require creditors using these reports to use reasonable means to determine the identity of the consumer. This alert is not designed to respond to a specific threat of identity theft. It is a preventive measure for service members who are unlikely to be able to apply for credit or monitor their financial accounts while they are away from home.
Under the FACT Act, the duration of the active duty alert is at least 12 months, but the FTC has the authority to extend the time period. The proposed rule will not extend the time period, although active duty personnel may place another 12-month alert after the first alert expires.
Appropriate Proof of Identity
The FACT Act requires the FTC to determine the appropriate proof of identity for the following requests from consumers:
- to place or remove an active duty or fraud alert. (There are two types of fraud alerts that consumers may place on their credit report. An initial alert lasts for at least 90 days and is placed when the consumer in good faith believes he or she may become a victim or fraud or identity theft. An extended alert lasts for seven years for consumers who allege they are victims of identity theft. Users of reports, such as creditors, with these alerts must take measures to verify the consumers identity.)
- to block information on their credit report.
- to truncate the Social Security number on a credit file.
The proposed rule will require credit bureaus to develop reasonable requirements to identify consumers, balancing the risks of misidentification with the harm to consumers if protections under the FACT Act are delayed. These requirements should be sufficient, at a minimum, to match consumers with their credit file. The proposed rule provides the following examples of reasonable information requirements:
- For a consumer file match identification information of the victim, such as full name, previously used names, full address, Social Security number, and/or date of birth.
- Additional proof of identity copies of government issued identification documents, utility bills, and/or other authentication methods, such as consumers providing answers to questions that only they would know.
QUESTIONS TO CONSIDER REGARDING THE FTCS PROPOSAL (The FTC has specifically requested comment on the issues raised in these questions.)
- Questions regarding the definition of identity theft:
- Does the term need further definition?
- Should the phrase identifying information have the same meaning as means of identification as used in the U.S. Criminal Code?
- Should attempted identity theft be included in the definition?
- Should the term include the requirement that the persons identifying information must be used without lawful authority? Should the term also include information used without the persons knowledge?
- Questions regarding the definition of identity theft report:
- Does the term need further definition?
- Should there be further definition of appropriate law enforcement agency?
- To deter abuse, criminal penalties are imposed for false filings of these reports. Credit bureaus and information furnishers may also reject the request to block information and continue to furnish information. Will these safeguards deter abuse? Will they be less likely to deter abuse when automated systems generate these reports? Are there other ways to deter abuse?
- Questions regarding the duration of active duty alerts:
- Should the duration be 12 months as proposed?
- Should there be an alternative duration? What should that be?
- What proportion of military personnel will find the 12-month duration too short?
- How difficult will it be for military personnel, or their representatives, to extend their active duty alerts if that becomes necessary?
- Questions regarding the appropriate proof of identity:
- Should the FTC set the specific standards, as opposed to the credit bureaus? What should those standards be?
- Are the examples of information that may be required by credit bureaus appropriate or are they not appropriate? What, if any, alternative information should be used as examples?
- Has the FTC adequately balanced the harm of consumer misidentification with the harm arising from delays or failure to fulfill consumers requests that may result from the higher level of scrutiny? What other factors should the FTC consider?
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org |
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com