FINANCIAL
SERVICES
The
FACT Act and Identity Theft: Relief
for State Legislators
December
2003
By Christopher C.
Gallagher*
for Privacy
and Information Law Report (Volume 4 Issue 5)
New Hampshire's
House Commerce Committee has spent the better part of
2003 struggling over conflicting policy issues raised
by a bill (HB 342) to prohibit the inclusion of an individual's
Social Security number (SSN) on any document to be recorded
in a public registry. The issue remains under study.
Driving this ongoing drama is the "identity thief,"
whose supply of victims is now expanded by Internet
access to SSNs formerly buried in the recorded documents
file in public registries. Although banks may still
collect SSNs in connection with mortgages, there is
no need to publicly record them. Their borrower information
is shared with credit bureaus through protected back
channels. Often, however, other relevant data contained
in documents filed by nonparticipants in the credit
reporting system, such as liens, court records, and
probate proceedings, can be collected only through access
to public registry records. Credit behavior reporting
firms strongly objected to the bill's prohibition because
matching data with the right subjects requires the use
of SSNs as individual identifiers. Without such access,
they claimed, credit reports will be less reliable and
mistakes more likely; all to the detriment of consumers.
State-specific limitations on such publication could
cause diminished access to credit, raise its cost, or
both. Nevertheless, with easy Internet access to registry
records a modern reality, illicit use of sensitive data
formerly hidden in musty registry volumes has been enhanced.
Thus, the policy conflict continues, offering legislators
a Hobson's choice...at least until now.
The recently
enacted "Fair and Accurate Credit Transactions
Act of 2003" (FACT Act) permanently reauthorizes
the seven national uniformity provisions of the Fair
Credit Reporting Act (FCRA) scheduled to expire January
1, 2004. These provisions prevent states from enacting
conflicting or competing laws concerning the sharing
of credit information, credit bureau reports, application
information, and transaction and experience data. Significantly,
in an era characterized by borrower mobility, national
competition and a need to encourage investment in new
technology, uniform standards have been confirmed by
Congress as critical to maintaining consumer access
to competitive credit.
Moreover,
FACT has carried its preemptive uniformity approach
into the related arena of identity theft...and for similar
reasons. Directly and indirectly (with mandated regulations
yet to be enacted), FACT has addressed today's epidemic
of identity theft with a balanced mix of prevention,
procedure, mitigation, administrative enforcement, and
continued study. Its comprehensive approach to identity
theft is important, particularly for states where legislative
concern about identity theft has been narrowly directed
at limits on the commercial collection and use of social
security numbers; an objective that clearly confounds
the credit enhancing utilization of SSNs as an identifier
and an authenticator. State policymakers concerned about
identity theft should take notice. FACT's multifaceted
approach to identity theft can help resolve these sensitive
policy conflicts now plaguing them.
Competitive
Credit
LendingTree.com's
TV ad says, "When banks compete, you win."
This pitch reflects an age in which consumers' access
to competitive credit terms is virtually immediate.
Only with nationally based credit standards and continued
granulation utilized to pinpoint the credit histories
and true identities of applicants would this be possible.
Both objectives require access to and the use of SSNs
as individuating identifiers. Leveraging growing concern
over identity theft, privacy hawks at the state level
attempt to limit such disclosures and use. Under the
limited preemption provisions of FACT, such further
limitations may be allowable, but FACT's approach to
the issue strongly suggests that they could take us
in the wrong direction, by curtailing affordable, competitive
access to credit, and by discouraging continuing investment
in technological innovation targeted at providing fraud
free financial services.
Identity
Theft
According
to the Federal Trade Commission (FTC), in the year 2002,
$100 million was stolen through identity theft, a vicious
crime that has come a long way from its early roots
in trash picking and dumpster diving. It now costs consumers
some 300 million hours yearly to repair. But since access
to credit and to the identities of potential victims
both flow from data using SSNs as individuating identifiers,
the same information technology that facilitates consumer
borrowing also increases opportunities for identity
theft.
While SSNs
are not supposed to be used as identifiers , they are
still the only reliable, universal, individual, authenticating
identifiers available at present. In the future, improved
authentication technology (including biometrics) may
reduce the need for SSNs as a reliable identifier, but
for now, accuracy of an individual's credit records
and credit scores continues to require the accurate
aggregation of individual personal information. Indeed,
the resulting personal behavior profiles are regularly
used to protect people from the fraudulent use of their
stolen identities. And while identifying and collecting
individual behavior patterns may annoy privacy purists,
curtailing this process could limit consumer access
to expedited and competitive lending and hamper the
process of fraud detection designed to foil and apprehend
identity thieves, while creating a patchwork of conflicting
state directives.
FACT's approach
to this issue recognizes this policy/technology dynamic.
The Internet is here to stay. Thieves will exploit what
commerce requires. As technology evolves, fraudulent
use will continue to be a moving target to be curbed
only with continually adaptive response. FACT leaves
most of today's uses and publications in place, but
it mitigates the harsh effects of identity theft by
establishing practices and procedures that will reduce
time spent coping with its effects. It requires fraud
alerts and red flag systems to ensure that funds are
not needlessly lost to thievery. It limits the needless
distribution of full credit card numbers. It also orders
the further enactment of agency regulations to contain
the spread of identity theft, all of which is to be
monitored by continuing study. Most importantly, however,
FACT's approach is made nationally uniform by preemption.
Its preemptions are expressly limited to FACT's own
boundaries, but because FACT signals an important new
direction for policymakers dealing with identity theft.
Its new approach should "occupy the field"
for the foreseeable future.
The FACT
Act Approach
In a new section
605A, FACT enacts identity theft prevention and mitigation
provisions that empower consumers to trigger "fraud
alerts" that must be included in their consumer
reports. Report users thus placed on notice are obliged
to authenticate requests for new credit under the consumer's
name. The process begins with an "initial alert"
which will be placed in the report for 90 days (or less
if the consumer asks). It quickly warns key players
that identity theft may have occurred. Following such
an alert, the consumer must be notified of the right
to request a free credit report any time during the
following year. This can be followed by a second "extended
alert" which requires consumers to submit a valid
"identity theft report" and proof of identity.
An extended alert must be left in place for seven years
(unless a consumer asks that it be withdrawn). Two free
credit reports are available for 12 months following
this notice, allowing consumers to be certain the alert
has been posted, and to police "compliance"
with the Act's requirements. On request, available evidence
of credit misuse must also be passed along to the victim.
Consumer reporting agencies are required to establish
policies to comply with alert requests, including procedures
for notifying users. Users must act reasonably based
upon any qualifying notice and their reasonable belief
in its authenticity. For example, having received notice
of such a fraud alert, lenders must check back with
a named borrower at the address in their records.
Retail transaction
receipts that include credit or debit card numbers must
not print more than their last five digits, and must
exclude the expiration date. Moreover, federal banking
agencies are directed by FACT to enact further guidelines
and regulations, including "red flags" used
to spot patterns and behaviors indicating potential
identity theft, to prescribe regulations relative to
address changes for cardholders, including separate
notification of the consumer. Additional provisions
enable consumers to receive free copies of their credit
reports each year and have their SSNs truncated on requested
reports, and requires the federal banking agencies to
prepare a model summary of the new rights conferred
by FACT. Collectively, these measures can curb identity
theft and mitigate its crippling impacts.
Because this
law is both prolific and specific, practitioners should
certainly read its provisions closely before rendering
legal advice, but FACT's general approach to identity
theft is also very important to state legislators who,
like New Hampshire's House Commerce Committee, are still
stymied by the policy conflicts built into their narrow
approach to the issue.
Autos kill
people every day, and while a ban on their use would
cut down on accidents, in today's society people must
drive if they wish to function normally. Reliable
personal identifiers are needed to authenticate the
identities of those who need financial services delivered
to and by strangers, a trend driven by the distance-collapsing
function of the Internet. Competitively available credit
is now the norm. FACT confirms it.
With FACT, the Congress has
attempted to strike the right balance between its good
and bad effects, and through preemption has made its
approach nationally uniform. FACT recognizes that the
best solution requires the adaptive dynamic of innovative
technology. Like auto accidents, identity theft may
never be totally obliterated but, with the right measures
in place and creative response, it may be held in check.
Before the states try their own "approaches"
to this complex conundrum, creating thereby a legal
patchwork that can only defeat the beneficial aspects
of today's credit delivery system and FACT's comprehensive
approach, state legislators should pause long enough
to give FACT a chance.
*Christopher C. Gallagher
is admitted in New Hampshire.
Return to top of page
Return to Financial
Services Articles
Return to Firm Publications
