ADVISING YOUR CLIENTS ON

IDENTITY THEFT

PREVENTION, DETECTION AND CORRECTION OF IDENTITY THEFT FOR YOUR CLIENTS AND YOURSELF

Identity theft is an emerging and growing crime trend. Beginning in the 1990’s a new breed of criminal emerged…the identity thief. Their target is the data used in everyday transactions. This program will show you how to advise and protect your clients (and yourself) from Identity Theft.

Scope of Identity Theft: The Fastest-Growing White Collar Crime in the United States

Identity theft is currently the fastest growing “white collar crime” in the United States, and it’s one of the fastest growing crimes in the nation, accounting for 43 percent of all complaints received by the Federal Trade Commission in 2002.

Nationally, the FTC reported that it received 161,800 complaints of identity theft (up 88 percent from 86,200 the year before). Many believe that this is just a small fraction of the total number of victims. As early as 2002, Star Systems conducted a telephone survey that they believe indicates that as many as one in 20 adults, or 11.8 million Americans, have been victims of identity theft.

A joint survey by CalPIRG and the Privacy Rights Clearinghouse indicated that an average consumer victim of identity theft will spend 175 hours and $800 resolving their identity theft problems, and that it can take two to four years for a victims to clear up all the resulting problems. The sooner one take action to clear their records after an identity theft, the better

• Within the last twelve months, 9.3 million Americans were victims of identity theft.
• The total U.S. annual identity fraud cost remains essentially unchanged since the FTS’s] 2003 results, at $52.6 Billion, an increase of 2.3% from the 2003 inflation-adjusted level of $51.4 Billion.
• Most thieves still obtain personal information through traditional rather than electronic channels. In the cases where the method was known, 68.2% of information was obtained off-line versus only 11.6% obtained online.

Gartner Survey - July 2003

On July 21, 2003, Gartner released the results of a survey of 2,445 households regarding identity theft.

The Gartner survey found the following:

• Identity theft is up nearly 80 percent from last year.
• 7 million U.S. adults or 3.4 percent of U.S. consumers were identity theft victims in the past 12 months.

Federal Trade Commission Survey - September 2003

On September 3, 2003, the Federal Trade Commission (FTC) issued a survey on identity theft. The survey was conducted in March and April of 2003 with a random sample of over 4,000 households.

Key findings of the FTC Survey include:

How Many Consumers Are Victims of Identity Theft?

• 27.3 million Americans have been victims of identity theft in the last five years, including 9.91 million people or 4.6% of the population in the last year alone.
• In the past 12 months, 3.23 million consumers or 1.5% of the population discovered that new accounts had been opened, and other frauds such as renting an apartment or home, obtaining medical care or employment, had been committed in their name. 6.6 million experienced their existing accounts compromised by an identity theft. A total of almost 10 million individuals were victims of identity theft.
• 52% of all ID theft victims, approximately 5 million people in the last year, discovered that they were victims of identity theft by monitoring their accounts.

Misuse of Personal Information

• On average, 49% of victims did not know how their information was obtained.
• Another 26% - approximately 2.5 million people - reported that they were alerted to suspicious account activity by companies such as credit card issuers or banks.
• 8% reported that they first learned when they applied for credit and were turned down.
• 15% of all victims - almost 1.5 million people in the last year - reported that their personal information was misused in nonfinancial ways, to obtain government documents, for example, or on tax forms.
• 67% of identity theft victims - more than 6.5 million victims in the last year - report that existing credit card accounts were misused.
• 19% reported that checking or savings accounts were misused.
• Nearly one-quarter of all victims - roughly 2.5 million people in the last year - said their information was lost or stolen, including lost or stolen credit cards, checkbooks or social security cards.
• Stolen mail was the source of information for identity thieves in 4 percent of all victims - 400,000 in the last year.

Costs to Businesses and Consumers

• Last year's identity theft losses to businesses and financial institutions totaled $47.6 billion and consumer victims reported $5 billion in out-of-pocket expenses.
• In those cases, the loss to businesses and financial institutions was $10,200 per victim totaling $32.9 billion. Individual victims lost an average of $1,180 for a total of $3.8 billion.

Where the thieves solely used a victim's established accounts, the loss to businesses was $2,100 per victim totaling $14.0 billion. For all forms of identity theft, the loss to business was $4,800 and the loss to consumers.

Identity thieves can steal personal information in an instant, but do damage to a victim's credit and finances that can take years to repair.

This data typically includes information which usually discloses facts about a victim’s personal information, such as their bank and credit card account numbers; their income; their Social Security number (SSN); and typically their name, address, and phone numbers.

Once an identity thief obtains some of these pieces of an individual’s sensitive personal identifying information, it can be used to commit fraud or theft.

In addition to the direct fruits of the crime of identity theft, a victim can spend lots of time…ranging from months to years…and plenty of money in the difficult chore of cleaning up the mess the identity thieves have made of the victim’s good name and credit record. In many cases, victims have lost their jobs, subsequent job opportunities, and have been refused loans including for housing, education, and auto loans. In some cases, the victims have been arrested for crimes committed by the identity thieves, which the victims didn’t commit.

Broadly stated, there are two classifications of identity theft; the first is general identity theft, and the second type is referred to “criminal identity theft” which will be discussed later.

In “General Identity Theft”, the victim may be subject to either an “account takeover” or “application fraud”.

"Account takeover" occurs when the identity thief acquires the victim’s existing credit account information and purchases products and services using either the actual credit card or simply the account number and expiration date.

"Application fraud" is what some experts call "true name fraud." The thief uses the victim’s SSN and other identifying information to open new accounts in the name of the victim. In these latter circumstances, victims are not likely to learn of application fraud for some time, because the monthly account statements are mailed to an address used by the imposter. In contrast, victims learn of account takeover when they receive their monthly account statement

Generally, because of federal statutes limiting liability, victims of credit and banking fraud are generally only liable for the first $50 of the loss. (15 USC sec. 1643) In many cases, the victim will not be required to pay any part of the loss.

But even though victims may not be liable for their imposters' bills, they are often left with a bad credit report and must spend months and even years regaining their financial health. In the meantime, they have difficulty getting credit, obtaining loans, renting apartments, and even getting hired. Victims of identity theft find little help from the authorities as they attempt to untangle the web of deception that has allowed another person to impersonate them.

“Criminal Identity Theft” occurs when the imposter gives another person's name and personal information such as a drivers' license, date of birth, or Social Security number (SSN) to a law enforcement officer upon arrest or during an investigation. In some cases, the imposter may present a counterfeit license containing another person's identifying data to law enforcement.

In some cases of criminal identity theft, the imposter may have fraudulently obtained a driver's license or identification card in the victim's name, which is provided to law enforcement. In other cases, the imposter uses the name of the victim, or a friend or relative without showing any photo identification.

In other cases, the imposter may be cited for a traffic violation or a misdemeanor violation then released without further custody or booking. The imposter generally signs the citation, promising to appear in court, however if the imposter does not appear in court, the judicial officer will typically issue a bench warrant…which will be in the victim's name.

In cases of criminal identity theft where a warrant has issued, typically the victim remains unaware there has been a warrant issued in the victim’s name. The victim may unexpectedly be detained pursuant to a routine traffic stop and then subsequently arrested pursuant to the outstanding.

In other cases, the imposter may actually appear in court for the traffic or misdemeanor violation, them plead guilty without the victim being aware of this event.

Finally, in other cases, the imposter may actually be arrested and booked for a crime, and provide the victim's name and personal information. The victim’s information may then be entered into the local criminal record data base and shared with the State's criminal records data base and possibly to the national data bases, the National Crime Information Center (NCIC)

Because most criminal identity theft victims remain unaware of the criminal activity by an imposter, they may not discover it until they are denied employment or terminated from employment. This may occur in those circumstances where an employer conducts a background investigation and had relied upon the criminal history found under the victim's name. Generally, employers are required to inform the victim of the reason for the rejection of employment.

Anatomy of Identity Theft Crimes:

Identity thieves have become skilled and sophisticated, and use a variety of methods to gain access to a victim’s personal information. Some of their methods can include:

q       Obtaining information from businesses or other institutions by: stealing employer records;

q       bribing an employee who has access to these records, or

q       hacking into an organization’s computers.

• They rummage through individuals’ trash, or the trash of businesses or dumps in a practice known as “dumpster diving.”
• They obtain credit reports through an employer’s authorized access to credit reports or by posing as a creditor, landlord, employer, or impersonating someone who may have a legal right to the information.
• They steal credit and debit card numbers when a card is processed by using a special information storage device in a practice known as “skimming.”
• They steal wallets and purses containing identification, credit and bank cards.
• They steal mail, including bank and credit card statements, pre-approved credit offers, new checks, or tax information.
• Then they complete a “change of address form” to divert your mail to another location.
• They steal personal information from victims’ homes.
• They get sensitive information by “phishing” online, typically by email hoaxes (see the “Important Internet Issues” activity on phishing)
• These identity thieves obtain personal information from victims by posing as a legitimate business person or in some cases, a state, local or even federal government official.

Following an identity thief’s obtaining the personal information of a victim, the scamster can then:

• Go on spending sprees using the victim’s credit and debit card account numbers to buy “big-ticket” items like computers, jewelry, electronics or other items that they can easily sell. Even up to buying cars, taking out an auto loan in the victim’s name.
• Open new credit card accounts, using the victim’s name, date of birth, and SSN. When they don’t pay the bills, the delinquent account is reported on the victim’s credit report.
• They often change the mailing address on a victim’s credit card account. The thief then runs up charges on that account, but because the bills are being sent to the new fake address, it may take some time before a victim realizes there’s a problem.
• Establish utility services, such as phone or wireless phone service in a victim’s name.
• Utter counterfeit checks or debit card charges, thusly draining as victim’s bank account.
• Open a bank account in the victim’s name, then writing bad checks on that account.
• Obtain bogus “duplicate” state identification, driver’s licenses or other “real” identification in the victim’s name.
• Even worse for a victim, these identity thieves may give the victim’s name to police during an arrest. If they are released and don’t show up for their court date, an arrest warrant could issue in the victim’s name. More damaging, there will be pending criminal charges in the police and court records…in the victim’s name (see “criminal i.d. theft”, supra).

A quick check to determine if you or a client may have become a victim of identity theft:

One quick way to see if an individual has become a victim of identity theft is to constantly monitor the balances in one’s financial accounts. Be on the alert for unexplained charges or withdrawals. Some other tell-tale signs of identity theft can include:

• Failure to receive bills or other expected mail, which may indicate that a “change of address” has been filed by an identity thief;
• Receipt of credit cards for which an individual did NOT apply for;

COUNSELING CLIENTS (AND YOURSELF) ON IDENTITY THEFT:

Prompt action is required in the event you or a client suspect identity theft. You can perform these steps yourself, or advise your client to take the following actions:

1.       Credit bureaus. Immediately report the situation to the fraud units of the three credit reporting companies -- Experian (formerly TRW), Equifax and TransUnion. As of April 2003, if a victim notifies one bureau of identity theft, that bureau will notify the other two. Report that the victim’s identifying information is being used by another person to obtain credit fraudulently in the victim’s name. Ask that the file be flagged with a fraud alert. Add a victim's statement to the report. ("My ID has been used to apply for credit fraudulently. Contact me at [your phone number] to verify all applications.").

(Following this section is specific information on how you or your clients can obtain a free credit report from the major credit bureaus under FACT Act if NOT a victim of identity theft.)

Each credit bureau will mail the victim a free credit report once their file has been flagged with a fraud alert. Fraud alerts are usually placed for 90-180 days. Victims will want to extend the time period to seven years. This should be done in writing following the directions sent in the credit report the victim will receive. A victim may cancel fraud alerts at any time. In all communications with the credit bureaus, you will want to refer to the unique number assigned to the individual’s credit report and use certified, return receipt mail. Be sure to save all credit reports as part of your fraud documentation.

Ask the credit bureaus for names and phone numbers of credit grantors with whom fraudulent accounts have been opened if this information is not included on the credit report. Request that the credit bureaus remove inquiries that have been generated due to the fraudulent access.

You and/or your client may also ask the credit bureaus to notify those who have received your credit report in the last six months in order to alert them to the disputed and erroneous information (two years for employers). Under some state statutes, when a victim provides a copy of a police report to the credit bureaus, they must remove the fraudulent accounts from your credit report ( see for example Calif. Civil Code 1785.16(k)).

The preceding will not necessarily completely stop new fraudulent accounts from being opened by an identity thief. Under amendments to FCRA and FACTA, Credit issuers are not required by law to observe fraud alerts. Therefore, an identity theft victim should request a copy of their credit report at several month intervals, in order to monitor them for continuing fraud. Under some state statutes, victims are able to receive one free report each month for the first 12 months upon request. ( see for example California Civil Code 1785.15.3, effective July 1, 2003.) In other states, a victim may be charged after the first report.  Credit reports should be monitored regularly thereafter during the active phase of the crime.

California law now enables individuals to place a "security freeze" on their credit reports. This essentially prevents anyone from accessing the individual’s credit file for any reason, until and unless the credit bureaus are directed to unfreeze or "thaw" the report. It provides more protection than a fraud alert.

If an identity thief is particularly aggressive and gives no indication of ceasing to use a victim’s identity to obtain credit, and if the victim is a resident of California, he/she should consider using the security freeze to curtail access to their credit file. The security freeze is free to victims of identity theft. Non-victims who wish to use the security freeze for prevention purposes are generally required to pay a fee to activate the freeze. The web site of the California Office of Privacy Protection provides information on how to establish a security freeze, www.privacy.ca.gov/sheets/cis10securityfreeze.pdf.

Links to the online sites for identity theft statutes of other states follow at the end of this activity.

2. Creditors - new accounts. Victims should contact all creditors whom the victim’s name has been used with fraudulently immediately, both by phone and in writing. The evidence to spot these accounts typically appears in the victim’s credit reports. Creditors will likely ask that fraud affidavits be completed.

The Federal Trade Commission (FTC) provides a uniform affidavit form that most creditors accept, but are not required to do so,  hence some may require additional information, or their own form. A copy of the FTC’s Uniform Affidavit is included with this activity. You can obtain one online from the FTC’s Web site: www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf).

There are no statutes requiring affidavits to be notarized at a victim’s own expense, hence it appears a victim may choose to substitute witnesses to their signatures if creditors require verification of the victim’s signature.

Ask the credit grantors to furnish you (or your client), and the law enforcement agency investigating the matter with copies of the documentation, such as the application and transaction records, showing the fraudulent transactions.

In California, grantors of credit are required by law to provide these copies (California Penal Code 530.8). The California Office of Privacy Protection provides instructions and sample letters on how to obtain documentation from credit grantors, www.privacy.ca.gov/fair.htm.  You may be able to adopt these samples for use in other jurisdictions.

Under Federal law (15 U.S.C. § 1681g, available at § 609 (e), (see the pdf file accompanying this activity), victims of identity theft in other states can also legally gain access to records from a business where such records relate to fraud based on identity theft (applications for credit, sales receipts, copies of checks, and other records).

A victim of identity theft must typically provide a copy of the FTC affidavit (or other affidavit acceptable to that particular business), government-issued identification, and a copy of a police report. The business must provide copies of these records to the victim within 30 days of the victim's request at no charge. The law also allows a victim of identity theft to designate a law enforcement investigator to get access to these records.

2a. Creditors and a victim’s pre- existing accounts. If a victim’s existing credit accounts have been used fraudulently, replacement cards with new account numbers should be obtained, and the prior accounts be processed as "account closed at consumer's request".

Victims should also monitor their mail and bills for evidence of new fraudulent activity. If any is noted, it should be reported immediately to creditor grantors. In addition, it’s a good practice to add “strong passwords’ differing from those of the older accounts to all accounts. This should be a  combination of numbers and letters that is NOT easily guessed.

3. Debt collectors. If debt collectors attempt to require a victim to pay the unpaid bills on fraudulent credit accounts, ask for the name of the company, the name of the person responsible for the account, and their phone number, and address.

The victim should inform the collector that he/she is a victim of fraud and is not responsible for the account. Ask the collector for the name and contact information for the referring credit issuer, the amount of the debt, account number, and dates of the charges. Ask if they need the victim to complete their fraud affidavit form, or whether you can instead use the Federal Trade Commission form

Negotiations with collectors should be documented, and either your office or the victim should thoroughly explain the situation. Ask that they confirm in writing that the victim is not liable for the alleged debt and that the account has been closed

4. Law enforcement. Victims should report identity theft to their local law enforcement agency, and may also be well advised to also inform the police departments in other jurisdictions where elements of the crime occurred.

When reporting identity theft to law enforcement, the victim should provide as much documentation and/or evidence as possible and available.

Make sure the police report lists the accounts fraudulently opened or used. Victims should obtain a copy of the police report, and keep the phone number of the investigator handling the matter available for use. This can then be provided to creditors and others who require verification of the case.

Credit card companies and banks may require victims to provide a copy of  the police report in order to verify the crime. It is a violation of federal law (18 USC 1028) and the laws of many states (such as Calif. Penal Code 530.5) to assume someone's identity for fraudulent purposes.

Some police departments are disinclined, even loathe to take reports on identity theft crimes, so in such cases, victims may have to be persistent.   The victim should also report the crime to the Federal Trade Commission, and the contact information to do so is provided in this activity.

5. Stolen checks. If the victim has also had their checks stolen, or had one or more bank accounts fraudulently established in their name, these facts should be reported to the appropriate check verification companies. Information is provided at the end of this activity.

A victim’s bank branch should be able to provide a fraud affidavit, and “stop payment orders” should be placed on any outstanding checks from such accounts.

The victim should promptly cancel their current checking and savings accounts at the compromised bank, then open new replacement accounts with new account numbers. The victim should also provide the bank with a secure password for the new accounts (see supra). If the victim’s new checks are rejected at stores where they shop, they should contact the check verification company that the particular merchant uses.

6. ATM cards. When a victim’s ATM or debit card has been stolen or compromised, that fact should be reported immediately, and the victim should contact their bank branch and request a fraud affidavit. Also, the victim should obtain a new card, new account number, and a secure PIN or password…victims should NOT use their old password.

7. Fraudulent change of address.  Victims should notify the local Postal Inspector where they suspect an identity thief has filed a change of address with the post office or has used the mail to commit fraud. (Call the U.S. Post Office to obtain the phone number, (800) 275-8777.) In addition, victims should attempt to determine the new address to which fraudulent credit cards were sent, then notify the local Postmaster for that address to forward all mail in your name to your own address. (Postal Inspector Web address: www.usps.gov/websites/depart/inspect)

8. Secret Service jurisdiction. The Secret Service has jurisdiction over enumerated species of financial fraud. However, in most instances (based on U.S. Department of Justice guidelines), that agency will generally not investigate individual cases of identity theft unless the dollar amount is high or the victim is one of many victims of a fraud ring. A victim may try to have the fraud department of their credit card companies and/or banks, as well as the police investigator handling the victim’s case notify a Secret Service agent they work with in an effort to interest the Secret Service in a particular case.  (The Secret Service’s Web site is: www.treas.gov/usss)

9. Social Security Number (SSN) misuse. Victims should notify the Social Security Administration (SSA) and report fraudulent use of their SSN. Generally, the Social Security Administration does not investigate cases of financial or criminal identity theft.

See the Social Security Administration information provided with this activity for further details about the disfavored practice of obtaining a new social security account number.

10. Passports.  Regardless of whether the victim has a passport or not, they should inform the passport office in writing to alert them, in the event a perpetrator may attempt to obtain a passport in the victim’s name fraudulently. An identity thief may attempt to obtain a passport using the victim’s personal data.

11. Telephone and Utility Services.  Victims should provide utility companies with a password which must be used any time their telephone or other accounts are changed. In California, SBC-Pacific Bell's fraud hotline is (877) 202-4558. If a calling card has been stolen or there are fraudulent charges, the victim should cancel it and open a new account.

12. Driver's license number misuse.  Victims may need to change their driver's license number if someone is using them as ID either for checks or for other types of fraud. Victims should be advised to call their state office of the Department of Motor Vehicles (DMV) to see if another license was issued in their name.

If available, victims should place a fraud alert on their drivers’ license if their state's DMV provides such a process. As required, they should g to their local DMV office to request a new license number, and while there, complete the appropriate forms to begin an investigation. Thereafter, supporting documents can be provided.

13. Victim statements. In some jurisdictions, when an identity thief stands trial, victims may be able to submit statements. Victims can contact the victim-witness assistance program in their area for further information on how to do so.

14. Erroneous legal proceedings against victims.  Sometimes victims of identity theft are wrongfully accused of crimes committed by the imposter (see “Criminal Identity Theft” supra). In other cases, a civil judgment may be entered against them as a result of the imposter's actions.

Some jurisdictions, such as California, have provided for a summary procedure to issue a determination of factual innocence to the victim in such cases.

15. Recalcitrant Creditors, banks and others. In some cases, a victim may require the active intervention by counsel where creditors or credit bureaus are not cooperative in removing fraudulent entries from the victim’s credit report. In such cases, counsel can be of great assistance in resolving these problems.

16. Other forms of identity theft. In some cases, an imposter may use the personal data of a deceased relative or a child to commit identity theft, or the victim may personally know the identity thief. Proper legal action can help address these situations.

17. Victim’s emotional stress resulting from identity theft. In some cases, the stress of identity theft is so pervasive that the appropriate counseling and intervention may be necessary for the victim to deal with the anxiety commonly experienced in these situations. Counsel should be alert to signs of overwhelming stress resulting from identity theft and if observed, make the appropriate suggestions or referrals.

18. Victims should be advised not to surrender to inappropriate demands.  Victims should be advised to not pay any bill which is the result of fraud by an identity thief. Likewise, they should not “cover” any checks that were written or cashed fraudulently.

In the event that a merchant, financial company or collection agency suggests the victim pay the liabilities incurred by the actions of the identity thief, they should be advised the victim is willing to cooperate, but will not be pressured into paying fraudulent bills.

GETTING A FREE CREDIT REPORT FOR YOURSELF & YOUR CLIENTS

How to obtain a free annual credit report for yourself or your clients from the 3 major credit reporting agencies under FACTA:

Under amendments to the FCRA, a free credit report can be obtained once annually by consumers who are not identity theft victims. These reports are available throughout the USA on a “roll out” basis beginning December 2004 and continuing across the country till September 2005. For further details on obtaining a free credit report from the major credit reporting bureaus, see: https://www.annualcreditreport.com .

The above link is a shared website established by congressional mandate to allow easy access to your credit report.

As a general proposition, even for those who are not victims of identity theft, it’s a good idea to check your credit report annually with the three major national credit bureaus, to make sure your accounts are not being misused in addition to verifying that no unauthorized accounts have been opened in your name or that of a client.

You can also check your credit report for errors and mistakes which are not the result of identity theft, which may have a negative effect on your credit rating.

NOTE: The Public Interest Research Group advises: “PIRG Consumer Tip: Watch out. The bureaus will try to convince you to pay $40, $50 or $100 or more for various other credit monitoring services. PIRG thinks these are unnecessary. Get your free report, as provided by law, and consider getting a reasonably priced credit score (likely $5-8 dollars) but don't pay extra to enrich the credit bureaus. See below for ways you can get other free reports.”

The free credit reports available as described supra can also be obtained by phoning 877-322-8228, or you can mail a request to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. When either you or a client orders their report, required information includes, inter alia, the requestor’s name, address, Social Security number, and date of birth. In addition, other identifying information may be required.

The Public Interest Research Group further advises: “The credit bureaus will use your request as an opportunity to collect information about you. Be sure to read their privacy policy and opt out of any sharing of information.”

 them directly (unless you are accessing a free report under different rights). You can only order your free annual (every twelve months) credit reports provided by federal law online at Annualcreditreport.com, or by calling  If you order by mail, it may be best to use the free report request form available at the FTC site here. . To verify your identity, you may need to provide some information that only you would know, like the amount of your monthly mortgage payment.

Other rights to obtain free credit reports:

Free Credit Reports After Credit Denial In Any State:
Under federal law, a consumer is entitled to a free credit report after credit denial. Typically, the consumer will receive an adverse action notice informing them of this.

Free Credit Reports For Unemployed, Low-Income, Or ID Theft Victims:
Individuals are entitled to a free credit report under federal law from each of the Big Three credit bureaus as a victim of identity theft (and in addition, if they receive social welfare benefits, or if they are unemployed).

The three major credit reporting agencies are:

Equifax
www.equifax.com
Report fraud:
1-800-525-6285
Order a credit report:
1-800-685-1111
P.O. Box 740241
Atlanta, GA 30374-0241

Experian
www.experian.com
Report fraud:
1-888-397-3742
Order a credit report:
1-888-EXPERIAN
(1-888-397-3742)
P.O. Box 1017
Allen, TX 75013-0949

TransUnion
www.tuc.com
Report fraud:
1-800-680-7289
Order a credit report:
1-800-916-8800
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834

The Fair and Accurate Credit Transactions Act of 2003

Following is a nutshell overview of the Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159 (2003).

The complete text of the act (including the Fair Credit Reporting Act) is included as a pdf file along with this activity. The following comments are a brief overview of some of the more significant changes resulting from the recent amendments as regard identity theft and related

While commentators fee that a number of provisions in FACTA will benefit consumers, they also feel these changes come at the expense of preempting state law in a number of important areas. Additional problems for both consumers and their attorneys appear in the amendment’s limitations on liability, lack of ability for private enforcement and pre-emption of state regulation in a number of areas as briefly discussed infra.

Other issues raised by the amendments also include significant restrictions on enforcement of many of the new provisions in FACTA by private attorneys, and   whether enforcement is limited to state and federal enforcement agencies.

This brief discussion is not meant to be comprehensive, hence you should refer to the statute accompanying this activity and perform your own research.

The complete text of both the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA) are provided with this activity as an accompanying pdf file.

PRE-EMPTION AND LIMITATIONS ON LIABILITY IN THE NEW FCRA AND FACT ACT (FACTA) AMENDMENTS:

Preemption and Limitation of Liability:

Preemption

Amendments trump preemption sunset provision of prior language. The impetus for FACTA was the expiration of existing subject-matter-specific preemption provisions in the FCRA. The prior version of the FCRA provided that its preemptions of state laws would not apply to state laws that were enacted after January 1, 2004 and that offered consumers greater protections than those of the FCRA. Congress not only eliminated that provision, it added a long list of new preemptions that significantly limit states’ abilities to regulate much of the FCRA’s subject matter and conduct requirements.

Preexisting subject matter preemption provisions. The preemptions of the prior version of the FCRA, listed below, remain:

ü      § 604(c) [furnishing prescreening reports].

ü      § 604(e) [consumer’s right to opt-out of prescreening reports].

ü      § 611 [time period for an agency’s reinvestigation of a consumer’s dispute (but state laws in effect on September 30, 1996 remain effective)].

ü      § 615(a) [duties of users taking adverse actions on the basis of information contained in consumer reports].

ü      § 615(c) [safe harbor for users taking adverse actions on the basis of information contained in consumer reports].

ü      § 615(d) [duties of users making written credit or insurance solicitations on the basis of information contained in consumer files [prescreening offers]].

ü      § 605 [requirements related to information contained in consumer reports (but state laws in effect on September 30, 1996 remain effective)].

ü      § 623 [responsibilities of furnishers of information to consumer reporting agencies (but identified state laws of Massachusetts and California remain effective)].

ü      Affiliate exchange of information (but an identified Vermont law remains effective).

Additions to preexisting preemption provisions added. The subject matter of the following new provisions of FACTA are preempted by virtue of their being amendments or additions to sections already on the preemption list:

ü      § 611(a)(5)(A), requiring agencies that find upon reinvestigation that an item of information is inaccurate or incomplete or unverifiable to notify the furnisher that the agency has modified or deleted the item.

ü      § 605(a)(6), prohibiting agencies from including the identity of medical information furnishers in consumer reports.

ü      The new provisions of § 623 that impose the following new responsibilities on furnishers:

(1) requiring furnishers, including debt collectors, to comply with new “date of delinquency” designations;
(2) requiring furnishers to have reasonable procedures to prevent refurnishing information that an agency has notified the furnisher has been blocked as resulting from identity theft;
(3) requiring financial institutions to notify customers that they are furnishing negative information to agencies about that customer;
(4) allowing customers to dispute information directly with a furnisher; and (5) requiring medical information furnishers to notify agencies of their status.

New subject matter preemptions. FACTA added the following to the list of preempted subjects:

ü      The new provision of § 609(e) requiring business entities that have done business with an identity thief to provide transaction information to the victim.

ü      § 624, regarding the new right to opt-out of certain affiliate marketing solicitations.

ü      The new provisions of § 615(h) requiring creditors to issue new risk-based pricing notices.

Credit score preemption. The revised Act further preempts states from imposing any requirement or prohibition regarding the following disclosures about credit scores:

ü      The summary of a consumer’s rights to dispute information and to obtain credit scores that agencies are to provide consumers under the revised § 609(c).

ü      The summary of identity theft victim’s rights that agencies are to provide under new § 609(d) to consumers who believe they are or might be the victim of fraud or identity theft.

ü      The right to credit scores from agencies and mortgage lenders granted by new §§ 609(f) and (g).

Exceptions from credit score preemption. Identified California and Colorado laws remain effective and state insurance laws regulating the use by insurers of credit-based insurance scores are not preempted.

Preemption of free credit report frequency. States are preempted from regulating the frequency of any disclosure under the revised § 612(a), which allows consumers a free annual disclosure of their credit reports.

Exceptions from free credit report frequency preemption. Identified laws of 7 states: Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont, which remain effective.

Required conduct preemptions. The full nature and extent of the preemption provisions will probably be a hotly debated issue in the future. As regards identity theft, however, Congress added language to the general preemption section of the statute which appears to preserve the right of states to legislate laws to protect consumers from identity theft. The relevant section states:

Except as provided in subsections (b) and (c), this title does not annul, alter, affect, or exempt any person subject to the provisions of this title from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers or for the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with any provision of this title, and then only to the extent of the inconsistency.

This appears to be a positive change initially, however on a second look, several exceptions to this general proposition were added to specifically provide that no “requirement or prohibition” may be imposed “with respect to the conduct required by the specific provisions of… ”

ü      § 605(g), requiring businesses to truncate credit/debit card numbers on electronic receipts.

ü      § 605A, requiring nationwide consumer reporting agencies to include fraud alerts and active duty alerts and to refer the alerts to other agencies, requiring resellers to reconvey to a consumer any fraud or active duty alert included in a report it obtains from another agency, requiring non-nationwide consumer reporting agencies to provide contact information for nationwide agencies to consumers, requiring alerts to include specified information, and requiring users to verify the identity of consumers whose reports contain fraud and active duty alert.

ü      § 605B, requiring agencies to block identity-theft related information and to notify the furnisher of such information that it has been blocked.

ü      § 609(a)(1)(A), allowing consumers to request that an agency not disclose the first 5 digits of their SSN’s in a report provided to the consumer.

ü      § 612(a), requiring agencies to provide consumers with a free annual report when requested through a to-be-established centralized source;

ü      § 615(e), requiring agencies to issue red flag guidelines and regulations.

ü      § 615(f), prohibiting the sale or transfer of identity theft debts.

ü      § 615(g), requiring debt collectors to notify creditors of fraudulent debts.

ü      § 621(f), requiring agencies to refer identity theft complaints and fraud alerts to each other.

ü      § 623(a)(6), requiring furnishers to have procedures for responding to identity theft notifications from agencies and prohibiting furnishers from re-submitting fraudulent information.

ü      § 628, requiring agencies to provide regulations that will require proper disposal of consumer information.

State laws targeting identity theft effected by preemptions. State laws with “requirements and prohibitions” with respect to the conduct required by the specific preemptions listed above appear to be preempted. However this limitation, in addition to the language added to the general section of § 625 (formerly § 624) strongly suggest that states may enact other identity theft laws, so long as they are not inconsistent with other provisions of the FCRA, including laws which may be stronger than the provisions found in FACTA and other parts of the FCRA.

By adding the language stating, “or for the prevention or mitigation of identity theft,” to subsection (a) of § 625 [§ 1681t] one could urge that Congress did not intend to preempt the entire field of identity theft, but only those areas specifically addressed. Any other interpretation would render the new language superfluous, which is a conclusion unlikely to be adopted by the courts.

Where a statute expressly preempts some areas, but not others, a reasonable inference can be made that Congress did not intend to preempt others by implication. Thus in the area of identity theft, where FACTA expressly preempts specifically enumerated conduct, but not others, it is reasonable to infer that the other areas are not preempted.

Where preemption is of concern, careful pleading may avoid it. If an identity theft related claim focuses on aspects of the conduct other than those regulated by FACTA, it may be possible to avoid preemption. By way of example, in a negligent enablement claim, if the focus of the conduct relates to a failure to properly identify the identity thief, rather than the fact that a fraud alert was not placed on a consumer file, the claim may not be preempted.

State laws in effect prior to FACTA and not previously preempted by the 1996 amendments to the FCRA should probably not be affected by FACTA, unless they relate to the specific conduct contained in the new FACTA provisions. For example, any state laws that provided for a type of “fraud alert” are likely to be preempted.

Limitations on Liability:

FACTA imposes a limitation on consumers ability to enforce their rights under the FCRA by expanding the limitations on liability for violations of the FCRA in three ways:

              I.      by adding new responsibilities to sections that are covered by the FCRA’s pre-existing qualified immunity provision,

           II.      by adding new responsibilities to sections covered by a pre-existing limitation of liability provision, and

         III.      by adding new limitation of liability provisions.

Finally, FACTA both limits the right of private action by consumers to enforce the FCRA, and also puts newly enacted restraints on the rights of states to bring actions to enforce many of the obligations imposed on furnishers.

Expansion of the preexisting qualified immunity provision. The prior version of the FCRA explicitly provided that consumers could not enforce the provisions of § 623(a), which requires furnishers to provide accurate information to agencies, through the liability provisions of the FCRA, § 616 (willful noncompliance) and § 617 (negligent noncompliance).

In addition, FCRA additionally limited liability for violations of the FCRA with a qualified immunity provision that allowed consumers to bring one of the following state law claims only if the consumer showed that the information was furnished with “malice or willful intent to injure”:

(1) A claim “in the nature of defamation, invasion of privacy, or negligence,”
(2) Brought against any agency, user, or furnisher;
(3) Based in whole or in part on a consumer report; and
(4) Based on any of the following:

(a) Disclosures made pursuant to § 609 [Disclosures to consumers];
(b) Disclosures made pursuant to § 610 [Conditions and form of disclosure to consumers];
(c) Disclosures made pursuant to § 615 [Requirements on users of consumer reports]; or
(d) Disclosures by a user of a consumer report to or for a consumer against whom the user has taken adverse action, where the disclosure is based on the report.

FACTA did not amend that provision; however, by expanding the sections referred to in the provision FACTA provided qualified immunity for disclosures that violate the following new provisions:

q       § 609(a)(1)(A), requiring agencies to withhold the last 5 digits of a consumer’s SSN from the disclosure of the consumer’s file if the consumer so requests.

q       The amendment to § 609(c) that requires agencies to provide certain information with their disclosure of a file to a consumer, including the FTC’s summary of consumers’ rights to obtain and dispute information in consumer reports and to obtain and dispute credit scores.

q       § 609(d), requiring agencies to provide consumers who believe they are or may be the victim of identity theft with an FTC-issued summary of their right to use the FCRA’s new procedures for remedying the fraud.

q       § 609(e), allowing identity theft victims to obtain business transaction information from businesses that have done business with the thief.

q       § 609(f), requiring agencies to disclose credit scores and certain related information.

q       § 609(g), requiring mortgage lenders to disclose credit scores to loan applicants and to provide them with a designated notice.

q       § 615(d)2), requiring that users making credit or insurance solicitations present the required prescreening notice in a format, size, type, and manner to be established by the FTC.

q       § 615(h), requiring creditors to issue risk-based pricing notices.

New incorporations into the existing limitation of liability provision for furnishers. The following new furnisher responsibilities which were added to § 623(a), are protected from enforcement by consumers pursuant to the limitation of liability provision in § 623(c):

• § 623(a)(6), requiring furnishers to have procedures for responding to identity theft notifications from agencies and prohibiting furnishers from re-submitting fraudulent information.
• § 623(a)(7), requiring financial institutions to notify customers that they are furnishing negative information to agencies about that customer.
• § 623(a)(8), allowing consumers to dispute information directly with a furnisher and requiring furnishers to reinvestigate a dispute when it meets certain conditions, to complete the investigation within the designated time, and to notify each agency to whom the furnisher furnished the information if the furnisher finds that it was inaccurate.
• § 623(a)(9), requiring persons in the business of providing medical services, products, or devices and who furnish information to agencies to notify the agencies of their status as medical information furnishers.

New limitation on the liability provisions of the FCRA. FACTA also added the following limitations on liability for new responsibilities under the FCRA.

• § 609(e)(6), providing that identity theft victims may not enforce their new rights to business transaction information from businesses that have done business with the thief.
• § 615(h)(8), providing that consumers may not enforce the new obligations of users to provide risk-based pricing notices.
• § 623(c)(2), providing that consumers may not enforce the obligation of the federal banking agencies, the National Credit Union Administration, and the FTC to establish accuracy and integrity guidelines for furnishers and to prescribe regulations requiring furnishers to establish reasonable policies and procedures for implementing those guidelines.
• § 623(c)(3), providing that consumers may not enforce the obligation of agencies to issue red flag guidelines and regulations.

New restraints on states’ actions. FACTA amends the FCRA’s administrative enforcement section to provide that in the case of a violation of furnishers’ obligations to provide accurate information or to comply with to-be-issued guidelines to protect the accuracy and integrity of consumer information, or of financial institutions’ obligations to comply with the to-be-issued red flag guidelines for detecting identity theft, a state may not simply bring an action for damages on behalf of its residents.

Rather, the state must first obtain an injunction against the violator that prohibits the violator from violating the FCRA, and then the state may only seek damages for violations that occur after the injunction. Given that the FCRA preempts state regulation of these obligations and eliminates the right of consumers’ to enforce them, violators have little to fear from flouting them.

Final Comments on the amendments to FCRA & FACTA:

The titling of the act as “Fair and Accurate Credit Transactions Act of 2003” tends to indicate a re-positioning in emphasis from credit reporting to accuracy of information in credit transactions. In addition to identity theft.

Accuracy in credit transactions appears to have been a significant concern for legislators. The Financial Literacy and Education Improvement Act which is also a part of FACTA, places an emphasis on consumers accurately using financial information to make informed credit decisions. A stated goal is “not simply to improve knowledge, but rather to improve consumers’ financial choices and outcomes.” These are important goals for advocates to refer to when arguing the intent of the FCRA, including FACTA and its contents.

While there are a number of provisions in FACTA will be benefit consumers, some have argued they came at the cost of preempting stronger state law in a number of areas. In addition, “private attorney general” or even enforcement of many of the new provisions in FACTA by private counsel or the consumer him/her self been considerably limited. When reviewing the statute, the various provisions should be read carefully to analyze the extent that private claims can be made, if at all, or even litigated or enforced by private counsel, as opposed to whether enforcement of any provision is limited to either or both the state and federal enforcement agencies.

ONLINE DIRECTORY OF STATE IDENTITY THEFT STATUTES:

Notes on External Hyper Text LINKS in this activity: All external links were working as of the date of publication of this program, however the publisher does not take responsibility for status of third parties' external links.

  While connected to the internet, you can access the various state identity theft statutes by clicking on the links to the right of the named state in the table below. The links in the table below were all working links at the time of publication of this activity.

Notes on External Hyper Text LINKS in this activity: All external links were working as of the date of publication of this program, however the publisher does not take responsibility for status of third parties' external links.

The additional materials are provided with this activity. You can refer to (or print out) these supplemental substantive written materials by clicking on the links below.

 Using the Online version of this program, you can RIGHT CLICK on the links, then select "save target as" to save them to your computer. Using the CD version of this program, simply click on the link to access the materials. These additional materials are also included on the program CD.

Federal Identity Theft & Assumption Deterrence Act (P.L. 105-318)

Identity Theft and the Victim's Social Security Number

Federal Fair Credit Reporting Act Statute

Summary of Rights; Fair Credit Reporting Act

Identity Theft Affidavit (from FTC)

Remeding Identity Theft (FTC)

CLICK HERE TO RETURN TO MAIN MENU / TABLE OF CONTENTS