|Received:||6/15/2004 8:00:00 AM|
|Organization:||Bank of America|
|Agency:||Federal Trade Commission|
|Rule:||Identity Theft Proposed Rule|
See attachment for comment letter
Bank of America
101 South Tryon Street
Charlotte, NC 28255
June 15, 2004
Federal Trade Commission
Office of the Secretary
Room 159-H (Annex H)
600 Pennsylvania Ave., NW
Washington, DC 20580
Re: The Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) Identity Theft Rule, Matter No. R411011
Ladies and Gentlemen:
Bank of America Corporation (“Bank of America”) welcomes the opportunity to comment on the notice of proposed rulemaking (“Proposed Rule”) and request for public comment by the Federal Trade Commission (“FTC”), published in the Federal Register on April 28, 2004 in regard to establishing definitions for various identity theft terms and establishing the duration of “active duty alerts” under the FACT Act. Bank of America is one of the world's largest financial institutions, serving individual consumers, small businesses and large corporations with a full range of banking, investing, asset management and other financial and risk-management products and services. The company provides unmatched convenience in the United States, serving 33 million consumer relationships with 5,700 retail banking offices, more than 16,000 ATMs and award-winning online banking with more than ten million active users.
Many of the new provisions added to the Fair Credit Reporting Act (“FCRA”) by the FACT Act were designed to assist consumers and grantors of credit in preventing or mitigating the effects of identity theft. The Proposed Rule sets forth definitions for “identity theft” and “identity theft report,” each of which is critical in its impact on other obligations set forth in the FACT Act. These terms trigger various obligations to be defined under the pending “Red Flag” guidelines as well as establishing when and how “extended alerts” may be placed, when information will be blocked on credit files, when furnishers must take action to avoid repollution of credit files and when users of consumer reports must provide victims with information and documents related to identity thefts. Therefore, it is important that these critical terms be appropriately defined to cover the instances of true identity theft for which Congress meant to provide protections while ensuring that these protections are not abused.
The Proposed Rule would establish a broad FCRA definition of “identity theft.” The Proposed Rule would define “identity theft” as “a fraud committed or attempted using the identifying information of another person without lawful authority.” [Footnote 1: 69 Fed. Reg. 23,370, 23,377 (Apr. 28, 2004).] In addition, the Proposed Rule would define “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” [Footnote 2: Id.]
Bank of America believes that including “attempted” fraud within the definition of “identity theft” would greatly expand the scope of coverage of the protections provided in the FACT Act and thus would greatly increase the activities required of credit grantors and others to combat this problem. Financial institutions would be required to use their resources to take actions under the “red flag” guidelines with respect to frauds that did not actually occur. This could potentially include incidents of “pretext calling” which are not always identified (and for which penalties and regulatory guidance already exist). In addition, typically cases of “attempted” identity theft are unlikely to be reported to law enforcement and even if reported, given limited resources, are unlikely to be investigated. Thus, it would be difficult to prove a case of “attempted” identity theft.
The FTC has set forth two reasons why it believes expanding the scope of “identity theft” to include attempted frauds is justified. First, the FTC points to the fact that even if credit is not granted in connection with an attempt to obtain credit in the victim’s name, a credit inquiry will appear on the victim’s credit file which could adversely affect the victim’s ability to obtain additional credit. The FTC believes that including attempted frauds in the definition of “identity theft” will allow the victim to have such credit inquiries removed. However, the current FCRA permits consumers to challenge the validity of information, including credit inquiries, shown on their credit files. Thus, if they believe that there was an attempt to obtain credit in their name, victims already have the ability to challenge those inquiries and have them removed.
The second reason cited by the FTC to expanding the definition of “identity theft” to include attempts is to allow a victim of such an attempt to request an initial fraud alert on his or her credit file. While Bank of America agrees that filing an initial fraud alert would be appropriate in such a circumstance, a consumer would be able to do so without expanding the definition of “identity theft.” The FCRA as amended by the FACT Act permits consumers who have a good faith “suspicion that the consumer . . . is about to become a victim of fraud” to place an initial fraud alert. [Footnote 3: FCRA § 605A(a)(1).] A consumer aware of an attempted fraud using his or her identifying information clearly would be able to assert in good faith a suspicion that he or she is about to become a victim of identity theft. As a result, such a consumer would be able to place an initial fraud alert on his or her credit report file.
We believe that this expansion is not necessary to accomplish the goals of the FACT Act and unnecessarily utilizes resources where there are already protections set forth in existing FCRA. Bank of America strongly urges the FTC not to include attempted frauds in the definition of “identity theft.”
The Proposed Rule would define the term “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” [Footnote 4: 69 Fed. Reg. at 23,377.] This definition also describes certain information that would qualify as “identifying information,” including name, social security number, driver’s license number and fingerprint. These examples are all traditional means used for identification. [Footnote 5: In fact, the Proposed Rule’s definition of “identifying information” is taken from a definition of “means of identification” found in a criminal provision of the U.S. Code concerning the fraudulent use of identification documents. See 18 U.S.C. § 1028(d)(4).]
Bank of America, however, is concerned that this definition will significantly broaden the scope of identity theft covered by the FACT Act and all of the resulting obligations. For example, we believe that this definition of “identifying information” will include within the definition of “identity theft” instances of fraud where an individual uses a stolen credit card number on an existing credit card account to purchase goods and services. The credit card number could constitute “identifying information” under the Proposed Rule. There are already in place many statutory, regulatory and industry protections for this type of fraud and they should not be covered under the definition of “identity theft.” These new protections for “identity theft,” we believe, were intended to apply to situations where the identifying information was used to open new credit accounts or to completely take over or modify existing credit accounts, rather than the more traditional credit card fraud. Therefore, Bank of America strongly urges the FTC to limit the definition of “identity theft.”
Bank of America supports the FTC’s proposal to make it clear that to be “identity theft” that activities must be conducted “without lawful authority.” Clearly, consumers should not be able to collude with others to gain the benefits of the credit and then claim the benefits of laws designed to protect consumers from true identity theft. However, Bank of America does not believe that the term should require that it be “without the consumer’s knowledge” because other types of fraud also often occur without the consumer’s knowledge and there could be situations where elderly consumers may know that another individual is using their information, but not understand that it is being used fraudulently.
The FCRA as amended by the FACT Act requires a consumer to provide an identity theft report in order to obtain an extended fraud alert, to block fraudulent trade lines or to prevent furnishers from furnishing information that resulted from identity theft. Section 603(q)(4) of the FCRA directs the FTC to define the term, but indicates that at a minimum it must (1) be a report that alleges an identity theft; (2) is a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency; and (3) the filing of which would subject the person filing the report to criminal penalties if the report includes false information.
The requirement that a consumer provide an identity theft report before obtaining an extended fraud alert, blocking a fraudulent trade line or preventing a furnisher from furnishing information that resulted from identity theft, acts as a safeguard against the inappropriate use of these powerful tools. The FTC notes in the supplementary material in the Proposed Rule that consumers can unilaterally file reports online in many instances where there is little if any interaction that often serves as a deterrent to inappropriately filing reports. The Proposed Rule attempts to address these concerns by requiring that the consumer allege the identity theft with as much specificity as possible and by permitting furnishers and consumer reporting agencies to request additional information from the consumer. [Footnote 6: 69 Fed. Reg. at 23,377.] Bank of America strongly supports the FTC’s goal to balance the needs of legitimate victims of identity theft against the risk of the inappropriate use of the rights of identity theft victims.
Nevertheless, Bank of America believes that the final rule should provide additional guidance about the ability of furnishers and consumer reporting agencies to request additional information. Although the Proposed Rule includes examples of when requests for additional information would be “reasonable,” there is still significant uncertainty. In addition, it is unclear whether the initial report continues to be effective where additional information is reasonably requested but not received. In addition, what is required if a furnisher or consumer reporting agency determines that a report filed is inadequate or false? Must they provide notice to the consumer? We believe that a furnisher or consumer reporting agency should not be required to act on a report if it reasonably requests additional information or documentation and that additional information or documentation is not provided or is inadequate. The definition of “identity theft report” should clarify that a report does not constitute an “identity theft report” if the consumer has not provided the information reasonably requested or if the information provided or contained in the report is reasonably determined to be false. We also believe that the furnisher or consumer reporting agency’s only obligation in such a case should be to notify the consumer of that determination.
We are also concerned that the lack of clarity on the procedures that must be employed by a furnisher or consumer reporting agency when it determines that an “identity theft report” is inaccurate or a material misrepresentation. This lack of clarity is likely to result in blocking of credit information, prohibition on furnishing of information so reported and the inability to transfer, sell or send for collection of many debts that are legitimate. This could lead to large numbers of debts for which no collection can take place and which will effectively become worthless, allowing many consumers to utilize this method to obtain free credit. The definition of “identity theft report” should clarify the procedures required to be employed by the furnisher or consumer reporting agency where information reasonably requested was either not provided or was not sufficient to respond to the request in order to effectively “cancel” the filing of that report and restore the debt to an active status.
We are also concerned that the report should only be filed with a law enforcement agency that will take action to investigate and is in a position to prosecute perpetrators of the identity theft. Unless a report is filed with such an “appropriate” law enforcement agency where the consumer has a belief that action will be taken on the report (as opposed to one filed online with an agency not charged with investigating or prosecuting such crimes), there will not be adequate deterrence to filing of inappropriate reports. Again, the filing of such a report will trigger many actions, including the institution’s inability to sell or transfer a debt for collection. As such, there must be a strong control over filing of inaccurate or false reports.
In addition, we believe that the FTC should clarify that an identity theft report can only result from a law enforcement report filed by a consumer. The minimum FCRA requirements for the definition of “identity theft report” and the Proposed Rule’s definition of “identity theft report” both state that an identity theft report is a copy of a report “filed by a consumer.” [Footnote 7: FCRA § 603(q)(4)(B); 69 Fed. Reg. at 23,377.] Neither indicates that an identity theft report can be a report filed by a consumer’s personal representative or agent.
We also ask for clarification that credit repair organizations may not file “identity theft reports” on behalf of victims. This will ensure that individual consumers must file the report and be subject to the potential criminal penalties for filing false reports.
Duration of Active Duty Alert
The FCRA, as amended by the FACT Act, requires consumer reporting agencies to accept, upon request by an active duty military consumer an active duty alert in his or her credit file for a period of not less than 12 months, or such longer period as the FTC shall determine by regulation. The Proposed Rule would establish 12 months as the term for the active duty alert. Bank of America supports this determination. We suggest that the FTC make it clear that if the term for an active duty alert does not cover the military consumer’s term of active duty deployment, the military consumer may place another active duty alert upon the expiration of the initial alert.
Definition of “Appropriate Proof of Identity”
We support the FTC’s determination in the Proposed Rule that a consumer reporting agency must develop and implement reasonable requirements for what information constitutes proof of identity in the context of submitting fraud alerts, blocking fraudulent trade lines and truncating social security numbers. This standard allows the consumer reporting agencies to continually update their procedures in light of new technology and new methods of conducting fraud and is appropriate.
Bank of America appreciates the opportunity to comment on the Agency’s proposal. If you have any questions regarding our comments, please contact Kathryn D. Kohler, Assistant General Counsel, at (704) 386-9644.
Very truly yours,
Kathryn D. KohlerAssistant General Counsel