|Received:||6/14/2004 8:00:00 AM|
|Organization:||Wells Fargo & Company|
|Agency:||Federal Trade Commission|
|Rule:||Identity Theft Proposed Rule|
June 14, 2004
Federal Trade Commission
Office of the Secretary
Room H-159 (Annex J)
600 Pennsylvania Ave., NW
Washington, DC 20580
Re: FACTA Identity Theft Rule, Matter No. R411011
Ladies and Gentlemen:
Wells Fargo & Company and its affiliates (“Wells Fargo”), including Wells Fargo Bank, N.A. and Wells Fargo Financial, Inc., appreciate the opportunity to comment on the notice of proposed rulemaking (“Proposed Rule”) and request for public comment by the Federal Trade Commission (“FTC”), published in the Federal Register on April 28, 2004. Wells Fargo is one of the largest diversified financial services enterprises in the nation; it includes national bank branches in 23 Western and Midwestern states, the nation’s leading retail mortgage lender, and one of the nation’s leading consumer finance companies.
This Proposed Rule, promulgated under the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), would: (1) define the terms “identity theft” and “identity theft report;” (2) determine the appropriate duration of an active duty alert; and (3) define what constitutes “appropriate proof of identity” for the purposes of placing or removing fraud or active duty alerts, blocking fraudulent trade lines or obtaining from a consumer reporting agency (“Agency”) a file disclosure containing a truncated social security number.
1. Definition of “Identity Theft”
The Fair Credit Reporting Act (“FCRA”), as amended by the FACT Act, defines “identity theft” as “a fraud committed using the identifying information of another person, subject to such further definition as the [FTC] may prescribe.” The Proposed Rule would establish a broad FCRA definition of “identity theft.” The Proposed Rule would define “identity theft” as “a fraud committed or attempted using the identifying information of another person without lawful authority.” [Footnote 1: 69 Fed. Reg. 23,370, 23,377 (Apr. 28, 2004).] In addition, the Proposed Rule would define “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” [Footnote 2: Id.]
Attempted Fraud as “Identity Theft”
One of the primary purposes of the FACT Act amendments to the FCRA is to assist financial institutions and consumers in combating identity theft. To this end, the FACT Act added several provisions to the FCRA that are designed to prevent, and to mitigate the effects of, identity theft. The definition of “identity theft” then determines the scope of the conduct that entities must take steps to prevent, and determines who may take advantage of the rights conferred on victims of identity theft. For example, the FCRA provisions that authorize consumers to file fraud alerts, to block fraudulent trade lines and to prevent furnishers of consumer report information (“furnishers”) from furnishing information that is identified as resulting from identity theft are triggered by the definition of “identity theft.”
We are concerned that defining “identity theft” to include “attempted” fraud would greatly expand the scope of conduct that entities must take steps to prevent and would significantly increase the number of consumers authorized to take advantage of the rights that the FCRA confers upon identity theft victims. Expanding the definition of identity theft beyond the traditional notion of an individual opening an account or obtaining a loan in another person’s name would divert significant resources away from actual identity theft and its victims in order to assist those who have avoided any meaningful harm of identity theft. If a fraud is attempted but not completed, the system will have averted identity theft and the consumer will have suffered little, if any, harm. Any harm that the consumer will have suffered can be, or already will have been, adequately addressed. We strongly urge the FTC to limit the definition of “identity theft,” and specifically to exclude attempted fraud.
The Supplementary Information to the Proposed Rule (“Supplementary Information”) suggests that the definition of identity theft should be expanded to include attempted fraud for two reasons. The Supplementary Information notes that a consumer’s credit score may be lowered if a credit report inquiry is made as a result of an attempted fraud. [Footnote 3: Id. at 23,371.] The Supplementary Information notes that this consumer should be entitled, presumably pursuant to section 605B of the FCRA, to have this fraudulent inquiry removed from his or her credit report file. But the existing FCRA already addresses this issue: if a consumer becomes aware that a credit report inquiry was made as a result of an attempted fraud, the consumer can dispute the accuracy of this inquiry with an Agency under existing FCRA §611. The Agency would be required to conduct a reinvestigation of the accuracy of the disputed information or simply delete it. [Footnote 4: FCRA § 611(a)(1)(A).] If the reinvestigation revealed that the disputed information was inaccurate, incomplete or could not be verified, the Agency would be required to delete it from the consumer’s file. [Footnote 5: FCRA §§ 611(a)(1)(A), 611(a)(5)(A)(ii).] In addition, upon receipt of the dispute, the Agency would be required to inform the furnisher of that information of the dispute, and the furnisher would then bear similar duties as the Agency. [Footnote 6: FCRA § 623(b)(1).] As a result, modification to the term “identity theft” is not necessary for a consumer to remove a fraudulent inquiry from his or her credit report file that resulted from an attempted fraud.
The Supplementary Information also indicates that a consumer who is aware of an attempted fraud may wish to place an initial fraud alert on his or her credit report file. [Footnote 7: 69 Fed. Reg. at 23,371.] The requirements for an initial fraud alert, however, are sufficiently broad to allow the consumer to obtain such an alert without modifying the definition of “identity theft” to include attempted fraud. A consumer must only be able to assert a good faith “suspicion that the consumer ... is about to become a victim of fraud” in order to place an initial fraud alert. [Footnote 8: FCRA § 605A(a)(1).] A consumer aware of an attempted fraud using his or her identifying information clearly would be able to assert in good faith a suspicion that he or she is about to become a victim of identity theft. As a result, such a consumer would be able to place an initial fraud alert on his or her credit report file.
Definition of “Identifying Information”
The Proposed Rule would define the term “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” [Footnote 9: 69 Fed. Reg. at 23,377.] This definition also describes certain information that would qualify as “identifying information,” including name, social security number, and driver’s license number. These examples are all traditional means used for identification. [Footnote 10: In fact, the Proposed Rule’s definition of “identifying information” is taken from a definition of “means of identification” found in a criminal provision of the U.S. Code concerning the fraudulent use of identification documents. See 18 U.S.C. § 1028(d)(4).]
We believe that the natural predicate for “identity theft” involves the use of information that allows a criminal to assume a victim’s identity. The definition of “identity theft” should reflect situations where a victim’s identity is assumed by the criminal. In contrast, fraud relating to a consumer’s name or account should not be deemed to be per se “identity theft.” Such a broad definition would require a financial institution to diffuse its efforts to assist those whose identities have been stolen in order to assist other victims of fraud in ways that are unnecessarily redundant. For example, current law provides specific and effective remedies consumers may pursue in connection with the unauthorized use of their credit or debit cards, such as the billing error resolution provisions of the Truth in Lending Act and of the Fair Credit Billing Act, and the error resolution provisions of the Electronic Funds Transfer Act. We do not believe that Congress intended to render many of these provisions obsolete as a result of the new, specific relief intended for people who have lost control of their own identities. Indeed, the situation in which a consumer incurs an improper charge to his or her account because of a one-time unauthorized use of that account is markedly different that a situation in which a consumer has his or her identity hijacked.
We also believe that inclusion of traditional debit and credit card fraud in the definition of “identity theft” will significantly increase claims of identity theft, fraud alerts and requests to block information. A significant increase in claims of this type (many of which may be marginal or even untrue) could impact the integrity of the entire information reporting system. The further proliferation of fraud alerts would dilute their effect on users of credit reports and the actions that they take in response to these alerts.
We strongly urge the FTC to reconsider what types of information would qualify as “identifying information.” The types of information involved should be of the type that allows a criminal to masquerade as the victim with respect to new accounts or altering existing accounts. Simple misuse of an existing account should not rise to the level of becoming an “identity theft.”
Use of Identifying Information “Without Lawful Authority”
The Proposed Rule provides that the definition of “identity theft” should include the limitation that the identifying information be used “without lawful authority.” [Footnote 11: 69 Fed. Reg. at 23,377.] If an individual permits another to use his or her identifying information to commit a fraud, this individual should not be entitled the recourse intended for legitimate victims of identity theft by the FCRA. Similarly, “identity theft” should not include fraud situations in which the “victim” colluded with the perpetrator or from which the “victim” obtained a benefit – such as the use of (or an interest in) goods or services purchased. We urge the FTC to address these situations in its final rule.
2. Definition of “Identity Theft Report”
The FCRA requires a consumer to provide an identity theft report in order to obtain an extended fraud alert, to block fraudulent trade lines or to prevent furnishers from furnishing information that resulted from identity theft. Section 603(q)(4) of the FCRA directs the FTC to define the term “identity theft report,” but requires that the term, at a minimum, must mean a report “that alleges an identity theft,” “is a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency” and “the filing of which [would subject] the person filing the report to criminal penalties” if the person included false information in the report. The Proposed Rule would elaborate on this definition by requiring the report to allege the identity theft “with as much specificity as the consumer can provide” and may require the report to include information or documentation that a furnisher or a CRA may “reasonably” request for the purpose of determining the validity of the alleged identity theft. [Footnote 12: Id. at 23,377-23,378.]
The requirement that a consumer provide an identity theft report before obtaining an extended fraud alert, blocking a fraudulent trade line or preventing a furnisher from furnishing information that resulted from identity theft, acts as a safeguard against the inappropriate use of these powerful tools. The Supplementary Information accurately notes that a consumer could file a report with a law enforcement agency in an automated manner that does not involve interaction with any law enforcement officer and that includes only a simple allegation of identity theft. [Footnote 13: Id. at 23,372.] The consumer’s unilateral ability to create an identity theft report in this manner raises the specter that consumers may create and use identity theft reports inappropriately. [Footnote 14: In addition, because reports could be completed and filed with no physical or direct contact with a law enforcement officer, a “fraudulent” credit repair clinic, armed with only the consumer’s personal information, could fraudulently file a report in the consumer’s name in order to later use such report to block accurate, but negative, information. Unlike legitimate credit counseling services, “fraudulent” credit repair clinics often attempt to remove accurate, but negative, information from consumer’s credit files by overwhelming CRAs with disputes concerning the accuracy of credit files.]
Requesting Additional Information
The Proposed Rule attempts to address these concerns by requiring that the consumer allege the identity theft with as much specificity as possible and by permitting furnishers and Agencies to request additional information from the consumer. [Footnote 15: 69 Fed. Reg. at 23,377.] We strongly support the goal of the FTC to balance the needs of legitimate victims of identity theft against the risk of the inappropriate use of the rights of identity theft victims; but we believe that the final rule should provide additional guidance concerning the ability of furnishers and Agencies to request additional information. For example, it is unclear whether a furnisher or an Agency must request additional information if the furnisher or the Agency determines that the initial report provided by the consumer is inadequate. In addition, the consequences of the answer (or the lack of answer) to a request for additional information are not addressed in the Proposed Rule. If a consumer does not respond to a request for additional information or provides an inadequate response, it is unclear how the furnisher or Agency is to proceed.
A furnisher or Agency should be permitted to make the necessary requests – in appropriate cases, more than one – to ensure that legitimate concerns are addressed and that only appropriate information is blocked (blocking too much information could inadvertently impair the victim’s established credit history). In addition, we do not believe that the proposed five business days is a sufficient amount of time for a furnisher to determine whether it needs additional information. We believe that 30 days is a more reasonable and appropriate length of time.
Filing the Report with an Appropriate Agency
We urge the FTC to focus on the statutory provisions that pertain to an “official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency” and “the filing of which [would subject] the person filing the report to criminal penalties.” In particular, we urge that the final rule include, specifically, that any report be filed with an “appropriate” law enforcement agency consistent with the statute. This requirement is critical to deter individuals from filing false reports with distant or irrelevant law enforcement agencies with no interest or jurisdiction to investigate the crime. For example, the statute would appear to prohibit the filing of an identity theft report with the Federal Communications Commission (“FCC”), because an agency charged with enforcing several different laws unrelated to identity theft would clearly not be an appropriate recipient of a report alleging identity theft. Not only can the FCC do very little about investigating the identity theft, but the FCC is unlikely to spend any resources to determine whether the consumer has lied in the report. By requiring the report to be filed with a law enforcement agency with an interest in the veracity of the document, such as an agency that can investigate the crime, Congress provided a significant deterrent to those seeking to abuse the system.
The definition of an “identity theft report” must include the notion that the report be filed with an “appropriate” law enforcement agency to deter the filing of fraudulent identity theft reports. Not only will this deter fraud, but it will also benefit consumers by putting them in contact with an agency that can investigate the crimes. In light of the many law enforcement options available to the consumer, which could include the local police department, the Federal Bureau of Investigation, or the U.S. Postal Inspection Service, we do not believe such a requirement poses a legitimate hindrance to identity theft victims.
3. Duration of Active Duty Alert
Section 605A(c) of the FCRA requires a nationwide CRA, upon direct request by an active duty military consumer and after receipt of appropriate proof of the consumer’s identity, to include an active duty alert in his or her credit report file for “a period of not less than 12 months, or such longer period as the [FTC] shall determine, by regulation.” The Proposed Rule would establish the duration of the active duty alert at 12 months. We support the FTC’s determination that the active duty alert should not exceed 12 months. We suggest that the FTC reiterate that if an active duty alert does not sufficiently cover the length of a military consumer’s deployment, the military consumer may place another active duty alert upon expiration of the first alert.
4. Definition of What Constitutes “Appropriate Proof of Identity”
The FCRA requires Agencies to obtain appropriate proof of a consumer’s identity before placing a fraud or active duty alert on the consumer’s credit report file, before blocking fraudulent trade lines and before truncating the consumer’s social security number in a credit file disclosure. Section 112(b) of the FACT Act directs the FTC to define what constitutes “appropriate proof of identity” for these purposes. The Proposed Rule would require Agencies to “develop and implement reasonable requirements for what information consumers shall provide to constitute proof of identity.” [Footnote 16: 69 Fed. Reg. at 23,378.] In addition, the Proposed Rule would require Agencies to “[e]nsure that the information is sufficient to enable the [Agency] to match consumers with their files” and also to “adjust the information to be commensurate with an identifiable risk of harm arising from misidentifying the consumer.” [Footnote 17: Id.]
We support the FTC’s determination that an Agency must develop and implement reasonable requirements for what information constitutes proof of identity. A “reasonable requirements” standard will allow Agencies to develop and implement requirements that are specifically designed for the operations of the Agency. By allowing an Agency to develop its own “reasonable requirements,” an Agency will be able to minimize disruptions to existing business practices and procedures, except where necessary to do so.
Although the Proposed Rule provides examples of information that may constitute reasonable information requirements for proof of identity, the Proposed Rule does not address the identification process itself. The FCRA requires a consumer to make a request to block a fraudulent trade line or to receive a truncated credit file disclosure; however, a “consumer, or an individual acting on behalf of or as a personal representative” of the consumer may request a fraud or active duty alert. [Footnote 18: FCRA §§ 605A(a)(1), 605A(b)(1), 605(A)(c); FCRA § 605B(a) (stating that a CRA must block a trade line in a consumer’s credit report file “that the consumer identifies as information that resulted from an alleged identity theft”); FCRA § 609(a)(1) (stating that a CRA must truncate a credit file disclosure “if the consumer to whom the file relates requests” such truncation).] We believe that the final rule should make it clear that information that is not provided by the consumer, or in the case of fraud or active duty alerts, by an individual acting on behalf of, or as a personal representative of, the consumer, would not constitute appropriate proof of identity. We also believe that the final rule should make it clear that a “fraudulent” credit repair clinic can never qualify as a consumer’s agent or personal representative in the case of fraud alerts.
Thank you for the opportunity to comment on these proposed changes. We would be pleased to supplement our comments or to discuss any of them with you. Please contact me if you have any questions.