|Received:||6/15/2004 8:00:00 AM|
|Organization:||Capital One Financial Corporation|
|Agency:||Federal Trade Commission|
|Rule:||Identity Theft Proposed Rule|
Attached are the comments of Capital One Financial Corporation regarding the proposed rule defining identity theft and identity theft report. If you have any problems with the attachment, please contact Elisabeth Bresee at (703) 720-2254. Thank you very much.
Capital One Financial Corporation
1680 Capital One Drive
McLean, VA 22102
June 15, 2004
Donald Clark, Secretary
Federal Trade Commission
Office of the Secretary
Room H-159 (Annex J)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
RE: FACTA Identity Theft Rule, Matter No. R411011 – Comments of Capital One Financial Corporation
Capital One Financial Corporation (“Capital One”) appreciates the opportunity to comment on the Proposed Rule issued by the Federal Trade Commission (the “FTC”) that would further define terms contained in the Fair and Accurate Credit Transactions Act (the “FACT Act”), such as “identity theft” and “identity theft report” (the “Proposed Rule”) and would define what constitutes appropriate proof of identity for the purposes of placing and removing fraud alerts.
Capital One had 46.7 million customers and $71.8 billion in managed loans outstanding, as of March 31, 2004. A Fortune 200 company, Capital One is one of the largest providers of MasterCard and Visa credit cards in the world. Capital One generates a large amount of credit information that it reports to the nationwide consumer reporting agencies. The accuracy of that data, and the data supplied by other financial institutions and other lenders, critically affects our ability to price our loans and to offer our customers the products most suitable to their needs.
In support of this business activity and in recognition of the need for consumer protection, we would like to offer the following comments on the Proposed Rule.
A. Public Policy Concerns
Our main policy concern about the Proposed Rule is that the broad definitions of “identity theft” and “valid law enforcement report” would likely lead to a marked increase in inaccurate or fraudulent reporting of identity theft. This increase would divert the resources of consumer reporting agencies (“CRAs”) and furnishers of consumer report information (“furnishers”) from pursuing actual identity theft. Such a broad scope would also allow some persons and/or their representatives, such as less scrupulous credit repair organizations, to repair their credit improperly, and will impair the ability of furnishers and CRAs to protect the legitimate interests of consumers who have been victims of actual identity theft. In addition, procedures would have to be adopted by CRAs and furnishers to handle the increase in false reporting and to investigate the identity theft reports, which would make it more difficult and frustrating for victims of actual identity theft to get through the process.
The public policy concerns outlined above would generate significant practical impacts for furnishers, CRAs, and consumers. In our comments below, we address our concerns about the definitions of “identity theft report,” “identity theft,” and “identifying information,” and we provide factual examples of the problems that are likely to arise as a result of certain elements of the Proposed Rule. We also recommend solutions to deal with certain impacts on furnishers that a significant increase in the reporting of actual, alleged, and potentially fraudulent identity theft would create.
B. The Overly Broad Definitions Contained in the Proposed Rule Will Likely Divert Resources from Preventing and Remedying Actual Identity Theft.
1. The FTC Should Reconsider its Proposed Expansion of “Valid Law Enforcement Report.”
The requirement that a consumer provide an identity theft report before obtaining an extended fraud alert, blocking a fraudulent trade line or preventing a furnisher from furnishing information that resulted from identity theft, acts as a safeguard against the inappropriate use of these powerful tools. In the Supplementary Information to the Proposed Rule (the “Supplementary Information”), the FTC indicates that it “is concerned whether these safeguards provide sufficient protection from misuse.” We share the FTC’s concern and we believe that the Proposed Rule does not strike the correct balance between the needs of legitimate victims of identity theft against the risk of the inappropriate use of a law enforcement report.
The expansion of the definition of a “valid law enforcement report” will permit consumers to file reports with the FTC’s Identity Theft Data Clearinghouse, with a local law enforcement agency, through an automated system operated by a law enforcement agency (with no face-to-face meeting), by mail, over the Internet, or over the phone to staff who are not criminal investigators. The ease of this process will dramatically expand the number of fraudulent Identity Theft reports and place a substantial burden on financial institutions to protect themselves by conducting extensive investigations of these reports.
Given the expanded definition of “valid law enforcement report,” there is an increased likelihood that some consumers will request a block not because they are victims of identity theft, but because they are attempting to clear up their credit file. We believe fraudulent requests for CRA initiated blocks will be common because there is great incentive to try and, as a practical matter, little likelihood of being caught and prosecuted.
We believe that the Final Rule should emphasize the official nature of an identity theft report. The Proposed Rule requires that an “identity theft report” be “an official, valid report.” [Footnote 1: Proposed Rule § 603.3(a)(2).] We support this element of the definition and believe that, given the burdens imposed on consumer report users by the fraud alert provisions, the official nature of the identity theft report is essential to minimize those instances when certain consumers may misuse the fraud alert and identity theft protections to remove accurate, but negative, credit information from their CRA files.
Statements contained in the Proposed Rule support this change. The Supplementary Information states that, under FACTA’s definition of identity theft report, which the Proposed Rule would expand upon, “a consumer could opt to use a copy of a complaint filed with the Commission’s Clearinghouse as an “identity theft report” because such a copy would technically meet the statutory definition. [Footnote 2: See, 69 Fed. Reg. 23372, n. 9.] We do not believe that such complaints are subject to sufficient quality controls to qualify as valid law enforcement reports. For instance, the FTC’s website states that the complaint could be filed with the Clearinghouse anonymously. [Footnote 3: See, http://www.consumer.gov/idtheft/filing_complaintwftc.html.] The Supplementary Information also concedes that this complaint system “is not designed to vouch for the truth of each individual complaint.” [Footnote 4: 69 Fed. Reg. 23372, n. 9.] The FTC’s Clearinghouse is simply designed to provide a central collection point for identity theft data. While FTC staff may consider the information for the purposes of evaluating identity theft trends and may, under certain circumstances, refer the information to law enforcement officials, there appear to be no established procedures for any FTC official to authenticate the information submitted in such a complaint. The consumer is given complete discretion in terms of how much information, including identifying information, the consumer wishes to provide.
To address these concerns, the revised Final Rule should:
· Allow only law enforcement agencies with arrest authority to issue such reports;
· Require that such reports be created through face-to-face or other personal contact;
· Provide examples of what constitutes “an official, valid report” filed with “a Federal, State or local law enforcement agency, including the United States Postal Inspection Service, or such other government agency; and
· Make clear that a complaint filed with the Clearinghouse is not an “identity theft report.”
In conclusion, we believe that the FTC should narrowly define “valid law enforcement report” to ensure the validity of these reports in accordance with the recommendations listed above. Requiring CRAs and furnishers to respond to reports that have been created without quality controls of the sort already contemplated by the Supplementary Information would generate numerous false reports and divert key resources from responding to actual fraud, account takeovers, and systemic theft of a consumer’s personal information.
2. Attempted Fraud Should Not Be Considered “Identity Theft”
We believe that the additional costs of expanding the definition of identity theft beyond the traditional notion of an individual opening an account or obtaining a loan in another person’s name will outweigh the benefits. If a fraud is attempted but not completed, the system will have averted identity theft and the consumer will have suffered little, if any, harm. Any harm that the consumer will have suffered can be, or already will have been, adequately addressed. We urge the FTC to limit the definition of “identity theft” to exclude attempted fraud.
The Supplementary Information suggests that the definition of identity theft should be expanded to include attempted fraud for two reasons. However, existing law addresses each of these concerns. The Supplementary Information notes that a consumer’s credit score may be lowered if a credit report inquiry is made as a result of an attempted fraud. [Footnote 5: Id. at 23,371.] However, the existing FCRA already addresses this issue. If a consumer becomes aware that a credit report inquiry was made as a result of an attempted fraud, the consumer can dispute the accuracy of this inquiry with a CRA, pursuant to existing section 611 of the FCRA. In addition to a number of other requirements, the CRA would be required to conduct a reinvestigation of the accuracy of the disputed information or simply delete it. [Footnote 6: FCRA § 611(a)(1)(A).] As a result, modification to the term “identity theft” is not necessary for a consumer to remove a fraudulent inquiry from his or her credit report file that resulted from an attempted fraud.
The Supplementary Information also indicates that a consumer who is aware of an attempted fraud may wish to place an initial fraud alert on his or her credit report file. [Footnote 7: 69 Fed. Reg. at 23,371.] The requirements for an initial fraud alert, however, are sufficiently broad to allow the consumer to obtain such an alert without modifying the definition of “identity theft” to include attempted fraud. A consumer must only be able to assert a good faith “suspicion that the consumer...is about to become a victim of fraud” in order to place an initial fraud alert. [Footnote 8: FCRA § 605A(a)(1).] A consumer aware of an attempted fraud using his or her identifying information clearly would be able to assert in good faith a suspicion that he or she is about to become a victim of identity theft. As a result, such a consumer would be able to place an initial fraud alert on his or her credit report file. This expansive definition of “identity theft,” combined with the limited quality controls placed on identity theft reports in the Proposed Rule, is likely to create a significant number of false or misleading reports that CRAs and furnishers would have to investigate. The resources spent on these investigations could be more effectively used to pursue true identity theft and to protect consumers who are harmed by financial crimes.
3. Unauthorized Use of a Credit Card that Does Not Involve an Account Takeover Should Not Be Considered Identity Theft.
We are also concerned that the definition of “identity theft” would capture instances of unauthorized credit card use not traditionally considered identity theft. We agree that instances of “account takeover,” where a criminal re-routes a consumer’s credit card and billing information to a different address, constitutes identity theft. However, including traditional credit card fraud in the definition of “identity theft” may significantly increase claims of identity theft, fraud alerts and requests to block information as to individual transactions, rather than entire tradelines, which are already covered by the Truth in Lending Act dispute provisions.
For example, if a child used his or her parent’s credit card to purchase goods that the parent has not authorized or does not want to pay for, the parent should not be able to claim that this act constituted “identity theft,” thereby allowing the parent to, among other things, place an extended fraud alert on their credit report. If the activity was unauthorized, the parent could of course negotiate specific reporting changes with the furnisher or CRA with respect to the affected tradeline. Consumers are also protected from the unauthorized use of a credit card by the liability limitations in Regulation Z and company-specific rules. Our comment in section E also addresses situations involving unauthorized credit card use.
We strongly urge the FTC to limit the definition of “identity theft” to more traditional instances of identity theft such as fraudulent account opening and account takeover. Further proliferation of fraud alerts can only dilute their effect on users of credit reports and the actions that they take in response to these alerts.
4. The Definition of “Identifying Information” Should Be Narrowed.
We strongly urge the FTC to clarify that the definition of “identifying information” in section 603.2(a)(1) of the Proposed Rule does not include credit card numbers or other account numbers. The Proposed Rule would define the term “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” [Footnote 9: 69 Fed. Reg. at 23,377.] This definition also describes certain information that would qualify as “identifying information,” including name, social security number, driver’s license number and fingerprint. These examples are all traditional means used for identification, and we support their inclusion in the final rule. [Footnote 10: In fact, the Proposed Rule’s definition of “identifying information” is taken from a definition of “means of identification” found in a criminal provision of the U.S. Code concerning the fraudulent use of identification documents. See 18 U.S.C. § 1028(d)(4).] We support these elements of the definition.
However, the Proposed Rule then goes on to include a “(C) unique electronic identification number, address, or routing code….” We are concerned that, similar to the reference to attempted fraud in the definition of “identity theft,” this element of the definition of “identifying information” also could unnecessarily broaden the scope of identity theft. This definition determines the information that must be used in connection with a fraud in order for that fraud to qualify as identity theft under the FCRA. For example, the proposed definition of “identifying information” appears to transform instances of traditional credit card fraud, such as an individual purchasing goods or services with a stolen credit card number, into identity theft because a fraud would have been committed using another person’s identifying card number. We believe that a credit card is not intended as a means of identification standing alone, but only as a method of payment. Because of the extensive fraud procedures that financial institutions follow, a criminal cannot access a consumer’s credit card account using only the account number.
These processes are costly to CRAs as well as to users of credit reports. In addition, this broad definition, together with the broad definition of “identity theft,” and the ease of filing a “valid law enforcement report” will dramatically increase the number of false and fraudulent claims of identity theft and put a lot of pressure on furnishers to implement procedures to investigate and deal with this phenomenon. For these reasons, and the reasons discussed above in connection with attempted fraud, we strongly urge the FTC to limit the definition of “identity theft” by clarifying that the term “identifying information” does not include credit card numbers or account numbers.
C. The FTC Should Grant Exceptions to the FCRA that Would Allow Furnishers More Flexibility to Respond to Inaccurate or Fraudulent Identity Theft Reports.
The Proposed Rule does not allow furnishers sufficient flexibility to respond to inaccurate of fraudulent identity theft reports, particularly given the expansive definitions of “identity theft report” and “identity theft.” When a CRA receives an identity theft report from a consumer that alleges identity theft, the CRA has only four (4) business days to block the file, pursuant to section 605B. As a practical matter, the CRA will not investigate the factual grounds for the identity theft report. Upon receiving notification from the CRA, however, the affected financial institution will investigate the allegation to determine whether the allegation is true or fraudulent. In the case of a fraudulent identity theft report, the financial institution suffers a loss with respect to the value of the goods actually purchased by or on behalf of the consumer (and fraudulently alleged to have been purchased by an identity thief).
It is not clear there is a remedy for a financial institution that finds the consumer’s allegation of identity theft to be fraudulent. The major CRAs have indicated they do not plan to “unblock” the file. It is unlikely the law enforcement agencies will pursue a single consumer who files a fraudulent identity theft report.
A financial institution should have the right to protect itself from loss in this circumstance, either by (i) pursing collection of the consumer’s debt, without violating section 615(f), or (ii) moving the credit debt to a new credit account or loan account that will then be reported to the CRAs as a separate trade line, without violating section 623(a)(6)(A). The FCRA, as amended by the FACT Act, would currently prohibit a furnisher from pursuing each of these solutions. We urge the FTC to grant exceptions to the FCRA that would allow a furnisher to pursue the two solutions mentioned above.
D. The Final Rule Should Provide Furnishers Broader Authority to Request Additional Information or Documentation.
We request that the FTC clarify that a furnisher’s investigation may involve more than a single request for information. The Proposed Rule appears to permit only a single request for additional information within five (5) business days after the Identity Theft Report is filed. See Section 603.3(a)(3) of the Proposed Rule. Even though the victim is required to file an identity theft report “with as much specificity as the consumer can provide,” there will usually be a need to request additional information in order to investigate such report. We propose that if the furnisher still has grounds to request additional information or documentation after the first request, the furnisher may make the request under the same rules as apply to the first request. Otherwise, some consumers would intentionally give insufficient information, knowing that the furnisher would only get one chance to get the truth. Of course, such consumers are even less likely to be prosecuted for ambiguous or incomplete identity theft reports than for false reports.
Another part of section 603.3 also raises this concern. In the first example of reasonable grounds to request additional information, under section 603.3(c), it may often be difficult for the furnisher to demonstrate there is “an indication that the report was obtained fraudulently”; indeed, the reason to ask for additional information could be because our experience demonstrates similar claims in the past have proven to be fraudulent. We request that the FTC provide furnishers with more flexibility than is permissible under the example cited above, using language in the final rule such as “an identifiable concern, or reasonable expectation that the report was obtained fraudulently.”
E. We Support the FTC’s Approach to the Use of Identifying Information “Without Lawful Authority.”
We support the FTC’s determination that the definition of “identity theft” should include the limitation that the identifying information be used “without lawful authority.” If an individual permits another to use his or her identifying information to commit a fraud, this individual should not be entitled the recourse established by the FCRA for legitimate victims of identity theft.
* * *
In conclusion, Capital One believes the breadth of certain definitions in the Proposed Rule will impair the ability of furnishers of credit information to focus on financial crimes that harm consumers. We respectfully request that the FTC make the following changes to the Proposed Rule:
We appreciate the opportunity to comment on the Proposed Rule. If you have any questions about this letter, please contact me at (703) 720-2266.
/s/ Andres L. Navarrete
Andres L. Navarrete
Director and Associate General Counsel
Capital One Financial Corporation