|Received:||6/15/2004 5:00:00 PM|
|Organization:||National Retail Federation|
|Commenter:||Mallory B. Duncan|
|Agency:||Federal Trade Commission|
|Rule:||Identity Theft Proposed Rule|
FEDERAL TRADE COMMISSION
Washington, D.C. 20580
FACTA Identity Theft Rule
Matter No. R411011
Mallory B. Duncan
Senior Vice President
Elizabeth Treanor Senior Director
Government Relations Counsel
National Retail Federation
325 7th Street, N.W.
Washington, D.C. 20004
June 15, 2004
This letter is submitted on behalf of the members of the National Retail Federation (“NRF”) with respect to the Federal Trade Commission’s (“FTC’s” or “Commission’s”) proposed rule regarding identity theft. These comments supplement the Coalition comments filed with respect to this rule to which NRF is also a signatory.
By way of background, NRF is the world's largest retail trade association, with membership that comprises all retail formats and channels of distribution including department, specialty, discount, catalog, Internet and independent stores as well as the industry's key trading partners of retail goods and services. NRF represents an industry with more than 1.4 million U.S. retail establishments, more than 23 million employees - about one in five American workers - and 2003 sales of $3.8 trillion. As the industry umbrella group, NRF also represents more than 100 state, national and international retail associations. NRF’s credit granting members will be particularly affected by the operation of the proposed rules.
Retailers helped create the nation’s credit reporting system. Its growth was fueled by the growth in retail credit programs, which existed long before there were third party credit cards (such as MasterCard) or before credit reporting extended to products and services such as home mortgages. One of the underpinnings of the system was that it reflect with reasonable accuracy the interaction between retailers and their credit customers. By reasonable accuracy at least two things are meant: one, that the contents of reports are indicative of activity within a reasonable range, even if they were not precisely detailed; and two, that there is no systemic bias such as to cause information to be reported differently among similarly situated consumers.
This means, for example, that it is sufficient to report whether individuals pay their bills within, say, thirty days of the time agreed. It is not essential to know whether individual A pays by the twelfth day while individual B pays within ten. As to point two, the credit reporting system works so long as some individuals are not misreported so as to receive a consistent advantage or disadvantage relative to the majority of individuals who pay their bills. It was for these reasons, in part, that when the credit reporting systems were first being developed, retailers only allowed companies to participate whom they trusted to adhere to the same rules, and to maintain the same standard of care, that they themselves devoted to the system.
As the system has grown, operation has shifted over time from retailers, to their merchant associations, to regional companies and nationwide consumer reporting agencies. The varieties of companies reporting have grown significantly and the categories of reporting have become more systemic. Increasingly standardized formats have allowed more granularity and somewhat more sophisticated decision-making by credit grantors and others. With the growing importance of reports, legislation, such as the Fair Credit Reporting Act, was adopted to ensure that individuals could challenge and correct inaccuracies contained in reports. But by the same token, some individuals and businesses have come to realize that intentional efforts to introduce bias into the system can be quite profitable.
The two most common methods have been for entities to charge individuals significant fees with the promise of “repairing” the consumers’ reports and the efforts of concerted individuals to remove accurate, but undesired, adverse information from their reports so as to obtain credit for which they do not objectively qualify. A third, related category is for individuals to appropriate the favorable credit standings of others in order to obtain credit for which the individuals could not otherwise qualify, or for the purpose of obtaining goods and services for which they do not intend to pay. The first two categories are commonly known as credit repair, the third is known as identity theft. But as can be seen by this description, all three are extremely closely related.
For decades, efforts at credit repair have been the bane of the consumer reporting system. To the extent they are successful and credit grantors cannot trust the information in consumer reports, grantors are less willing to risk whether individuals will repay what they borrow. As a result, individuals who should receive credit do not receive all that they should; individuals who should not receive credit receive more than they should; and everyone who repays their obligations pays more than is optimal. Recognizing this, consumer reporting agencies have fought furiously to keep pace with the efforts of individuals and credit repair businesses to replace accurate information in consumers’ files with more favorable, inaccurate information.
As was noted, some identity theft is actually a form of credit repair. An individual who is unable to obtain credit under his or her true name may adopt the profile of another individual (perhaps someone with a very similar name) in order to obtain credit that he or she then pays as agreed. This crime ultimately might reduce the amount or quality of credit the “victim” subsequently may be able to obtain, but such damage may not be immediately apparent. In such cases the thief commits a fraud, ID Theft, to accomplish a credit repair that might not be discovered for years.
The point of the foregoing is to demonstrate how inextricably linked ID Theft and credit repair can become. Congress recognized in the FACT Act that credit repair activity could undermine the consumer reporting system. Congress also directed the agencies to implement identity theft repair tools, premised on an identity theft report, that could enable those whose credit standing had been appropriated or abused by others to correct ID Theft-based inaccuracies in their files. And, as was noted, unscrupulous individuals will use whatever tools are provided, unless they are very carefully developed and constrained, in order to profit at the expense of others.
Balancing these factors will not be easy. An important consideration is that with these rules, the Commission will be regulating a vast industry. A tool too widely unleashed will cause damage that cannot readily be undone. For example, once individuals have used ID Theft tools to block unfavorable trade lines, it will be extremely difficult (if not impossible) to “recall” subsequent decisions made on the basis of their reformulated reports. This is a blessing to those who have actually been victimized by ID Thieves; but it is also a boon to the potentially millions of individuals who might choose to remove something undesirable from a report if the consequences of doing so do not appear to be too great. And, for the reasons mentioned above, it is a severe disservice to the tens of millions consumers who must now compete in the credit market with “rehabilitated” but secretly uncreditworthy individuals. Yet another consideration is that the consequences of permitting the deliberate introduction of inaccurate data into the credit reporting system are virtually impossible to observe directly, but are potentially costly to the nation’s financial health.
This suggests that the Commission should be very circumspect in establishing the criteria that would allow one to qualify to block trade lines. The methodology should be sufficiently accessible that it improves the lives of those who have been victimized, but it should also contain sufficient disincentives as to discourage those who would abuse the system for their own or others’ profit. In this respect, we would strongly encourage the Commission to define ID Theft sufficiently narrowly so that it does not spill over into other types of fraud; and to establish requirements for obtaining an identity theft report that make sense for most victims but not for other non-victims.
We would strongly urge the Commission to limit its definition of an identity theft to those situations in which the perpetrators have actually assumed someone else’s identity, procured a new line of credit and used that credit in the individual’s name. We urge this formulation to distinguish true ID Theft from “attempted” identity theft or from situations involving “unauthorized use.”
Unauthorized use existed in the credit world long before the crime of ID Theft came into being. It typically involves an individual using another’s credit card or credit line without permission. These cases often arise in familial situations in which a close relative “borrows” the victim’s credit card or is given the card to use, but then uses it for purposes beyond those the cardholder intended. Typically, the circumstances are more akin to a son using his father’s car without permission than they are to unknown parties stealing the father’s car in order to make it their own. While unauthorized use can sometimes result in heated exchanges and difficulties, they generally do not create the same trauma in the “victim’s” life as do true cases of ID Theft.
This is true for a number of reasons. Among them is the fact that powerful remedies for unauthorized use already exist. Because in an unauthorized use subjects typically continue to receive their monthly statements, victims are soon apprised of the problem and may avail themselves of fair credit billing act rights as well as longstanding reinvestigation rights under the FCRA to resolve the issue. This distinguishes those situations from accounts opened in the victims’ names, used without their knowledge, and about which they may not learn until defaults occur many months or years later.
The suspicion of an attempted identity theft may also be addressed with existing FCRA mechanisms or with other tools in the FACT Act that do not rely on an identity theft report. Enforcement resources are not unlimited. Requiring companies to devote considerable efforts to tracking down relatively vague suspicions of an attempted theft (which might be triggered by the temporary misplacing of a purse or a wallet) means that far fewer resources will remain to be devoted to assisting those who have actually been victimized.
In determining what constitutes the basis for an appropriate ID Theft Report, we again urge the Commission to consider the question from the perspective of these two conflicting goals. We would recommend that reports be obtained only from those entities having law enforcement as their primary mission and that also have personal and direct law enforcement authority over the individual filing the report under penalty of perjury.
From the perspective of true victims of ID Theft, presenting themselves before officers of the law is a natural consequence of attempting to prosecute those who have stolen their credit standing and subjected them to the difficulties identity theft can entail. On the other hand, from the perspective of credit repair clinics and other unscrupulous persons, physically presenting themselves to officials who could locally prosecute them for fraudulent statements and activities should be no more palatable to them than a similar presentation would be to those who commit ID Theft. While this formulation may not cover every possible situation, it is far more likely to cover a substantial majority, while discouraging the harm a more expansive interpretation would engender. We can think of no valid substitute for this simple requirement.
In its consideration of these issues, the Commission should recognize that whatever standards it develops in this rulemaking need not be the last word. A narrowly crafted definition, a carefully written rule, can be expanded if it becomes apparent that significant problems are not sufficiently addressed. The Commission’s own tracking mechanisms provide a means for determining whether the FACT Act tools, as implemented, will improve the ability of victims to respond to crimes. If they should fall short in some respects, adjustments can be made.
On the other hand, if the definitions and rules are too loose, if credit repair clinics and unscrupulous individuals are able to take advantage of the FTC’s tools to subvert the credit system, the Commission’s complaint tracking resources will not indicate that a problem exists. Credit will be more costly and less available. The credit granting advantages that this nation has maintained relative to other economies will be blunted. The average standard of living could be somewhat adversely affected. However, none of that will be directly measurable except by implicitly relating it to large numbers of individuals choosing to block one or more trade lines in their consumer reports. It will be extremely difficult to establish the factual predicate necessary to revise the rules and definitions in the proper direction.
Congress has entrusted the Commission with an extremely important task. The views of both the Bureau of Consumer Protection and the Bureau of Economics should weigh heavily on every decision made in this regard. Tools must be developed for true victims of ID Theft with a very careful eye on their broader consequences. We urge the Commission to move with great care and deliberation in pursuing this important piece of the national agenda.
The NRF appreciates the Commission’s consideration of its views and would be pleased to answer specific questions or comments if desired.
Mallory B. Duncan
Senior Vice President
Elizabeth Treanor Senior DirectorGovernment Relations Counsel