|Received:||6/15/2004 8:00:00 AM|
|Organization:||Michigan Credit Union League|
|Agency:||Federal Trade Commission|
|Rule:||Identity Theft Proposed Rule|
We thank you for the opportunity to comment.
Naomi B. Lefkovitz, Attorney,
Bureau of Consumer Protection
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, DC 20580.
RE: FACTA Identity Theft Rule, Matter No. R411011
Dear Ms. Lefkovitz,
The Michigan Credit Union League (MCUL) appreciates the opportunity to provide comments to the Federal Trade Commission (FTC) concerning the proposed implementation of the FACT Act’s identity theft rule. The MCUL is a trade association representing over 90% of state and federally chartered credit unions in the state of Michigan. This comment letter was drafted in consultation with the MCUL Government Affairs Committee, which is comprised of Michigan credit union staff and officials.
The MCUL supports the overall intent of the FTC’s effort to implement the identity theft rule mandated by the FACT Act. The MCUL believes that there are a number of areas in this proposal, which leave too much variance for interpretation. We believe that there need to be significant changes and clarification in order to make this proposal beneficial to consumers and acceptable to businesses.
· MCUL is concerned that consumers may choose to file identity theft reports to force companies to not provide credit information even though there are penalties attached.
· MCUL feels in a situation where there has not been significant identity theft, an option allowing an extended alert to be placed in the consumer’s credit file for seven years that requires users of the file to contact the consumer to verify identity before extending credit, is excessive.
· MCUL believes that the five-business day window may be insufficient time to allow credit unions to request the additional information in relation to requesting additional information to determine identity theft claims.
· MCUL would like clarification on the proposed methodology for credit bureaus to decline or remove information blocks on an identity theft report if it is determined that there is an error, misrepresentation by the consumer, or if the consumer receives goods, services, or money as a result of the blocked transaction.
· MCUL believes that the 12-month duration of an active duty alert is sufficient and should be easy enough to extend if necessary.
· MCUL believes that while the FTC is responsible for instituting rules regarding appropriate proof of identity, they may use credit bureaus and the technology they have developed as a tool for creating identity verification systems. We do not believe that information that can be intercepted through the mail, or may be available to another resident of the home, such as utility bills should be an acceptable form of alternate identification.
Identity Theft. According to the proposal, the term “identifying information” used in the definition will have the same meaning as the term “means of identification” as used in the U.S. Criminal Code. This includes names and numbers, used alone or in connection with other information, that identifies an individual. Examples include name, date of birth, government or official identification numbers (such as Social Security, drivers license, or passport), biometric data (such as fingerprints or retina images), unique electronic identification numbers, or numbers and signals that identifies specific telecommunications or instruments. Identity theft will include frauds attempted, in addition to frauds committed, since attempts may adversely affect the victim’s credit reports and credit scores.
MCUL believes that there should be greater examples of combinations provided of the above information that would clarify what would be considered identity theft or attempted identity theft. If someone calls into a consumer’s financial institution and has the consumer’s name and date of birth and tries to access their account, but is not permitted, are they afforded the protections under this identity theft rule? Under this definition every attempt affords the consumer the protection spelled out under this act, even if the attempt is not reasonable to actually create an identity theft situation. If this is the case, there is an abundance of publicly available information that, if used, will allow consumers the ability to claim protection under the provisions of this act, even though they are not in any serious jeopardy of having their identity stolen.
This would also pertain to a parent who provides a child with a credit card to use only in case of emergency. If the child decided to use the card for a situation that the parent didn’t agree with, then the parent could claim that it was unauthorized and a case of identity theft. While the child may ultimately be responsible for the debt, the parent could avoid the charge showing up on their credit report. A possible way to address this would be to include the requirement that the person’s identifying information must be used without lawful authority and without the person’s knowledge. In this case, the parent granted the child the authority to use the card at the child’s discretion and even though the child used it for a purpose the parent did not agree with, they could not claim it was identity theft.
Identity Theft Reports. In the situation of identity theft reports, the act stipulates that to qualify as a identity theft report, the report must:
· Allege identity theft.
· Include a copy of an official, valid report filed with the appropriate law enforcement agency, including the United States Postal Inspection Service.
· Subject the filer to criminal penalties if false information is filed.
There are situations where an identity theft could take place that does not impact the financial well being of the consumer. The MCUL believes there should be some clarification that identity theft in this situation should actually pertain to the use of the information for financial gain. There have been situations in the past where a person is pulled over by the police, does not have appropriate identification and gives the name and social security number of a relative in order to avoid receiving a ticket on their record. By definition of this proposal, that relative could file an identity theft report and the provisions of this act would protect them even though this example does not constitute an economic hardship. We do not believe that the intent of the act is to protect consumers in situations where their financial status is not in peril.
Consumer Abuse. We are concerned that consumers may choose to file these reports to force companies to not provide credit information. According to the proposal, victims may file the report with the credit bureaus to have the information resulting from identity theft blocked from their credit report. Those that furnish information to the credit bureaus, such as creditors, must then, after being notified that the information is blocked, use reasonable procedures to prevent further reporting of this information and cannot sell, transfer, or place in collection the debt resulting from the identity theft. While in theory, there are penalties built in to discourage consumers from filing false claims, we are concerned that the benefits of doing so, to prevent having to pay bills incurred or to try to find a way to prevent negative credit information from appearing on their credit report, may be of greater significance.
Extended Alerts. We also feel in a situation where there has not been significant identity theft, an option allowing an extended alert to be placed in the consumer’s credit file for seven years that requires users of the file to contact the consumer to verify identity before extending credit, is excessive. This length of time may be appropriate in certain situations, but it is not clear enough what situations would allow a consumer to file for an extended alert. We would like clarification on this issue along with additional guidance as to the procedures that financial institutions should use when filing information that they do not believe to be of an identity theft nature.
Additional Information Requests. The MCUL is concerned about another potential clause in relation to requesting additional information to determine identity theft claims. The proposal allows creditors to request additional information to help them determine the validity of the identity theft claim, if the request is reasonable and made no more than five business days after receipt of the report from law enforcement or the request for a particular service (such as a fraud alert or blocking of information), whichever is later. We believe that the five-business day window may be insufficient time to allow credit unions to request the additional information. This might particularly impact credit unions that are very large or very small. Large credit unions could potentially be inundated with identity theft reports and not be able to request that information within the proposed time frame. Small credit unions may not have the staffing or be open more than one to two days per week. This would prevent them from being able to request this information. Our recommendation is that the time frame for requesting additional information to validate an identity theft claim would be 30 days from the receipt of the report from law enforcement or the request for a particular service (such as a fraud alert or blocking of information), whichever is later.
MCUL recognizes that a credit bureau may decline or remove the information block if it reasonably determines that there is an error, misrepresentation by the consumer, or if the consumer receives goods, services, or money as a result of the blocked transaction. However, we are not sure how credit bureaus will be responsible to find this kind of information. Will they rely on the appropriate law enforcement agency to make that determination? What kind of system will be in place for the credit bureau to be able to make this decision? We believe that if consumers are going to dispute the transactions on their credit report that, until it is resolved, they should continue to show up on the credit report with a notation listing there is a likelihood of identity theft involved. This way credit unions will be able to keep reporting information and yet the consumer will have documentation on the credit report that there is a likely occurrence of identity theft.
Active Duty Alerts. The MCUL believes that the active duty alert should be placed on file with the credit bureau for the time determined by the service person. As long as the service man or woman notifies the credit-reporting agency of when their service begins and ends, this should be sufficient to cover an active duty alert. If necessary, we don’t believe that it would be difficult to extend an active duty alert, since part of the process of being called to active duty often requires a service person to designate a person as their power of attorney. If the active duty is going to be extended, then the service person or a designated power of attorney could request an extension. Since this provision can only protect the service person, then there should not be any difficulty in extending the active duty alert.
Appropriate Proof of Identity. The MCUL believes that while the FTC is responsible for instituting rules regarding appropriate proof of identity, they may use credit bureaus and the technology they have developed as a tool for creating identity verification systems. We believe that while the FTC should ultimately decide the standards, they should use information that is not widely available publicly. The information that is required by credit bureaus to do a consumer file match are acceptable, but most emphasis should be placed on the additional proof of identity including government issued documents, and other authentication measures, such as consumers providing answers to questions that only they would know. We do not believe that information that can be intercepted through the mail, or may be available to another resident of the home, such as utility bills should be an acceptable form of identification. It is difficult to know in these situations if the appropriate balance has been struck between ease of consumer access and consumer protection, however in the event of identity theft it makes more sense to fall on the side of caution.
We thank you for the opportunity to comment.
Michigan Credit Union League
cc: Credit Union National Association, Inc.