The views express by Howard Beales do not necessarily reflect the views of the Commission, or any individual Commissioner.
It is a pleasure to be here today to discuss the FTC's privacy initiatives for the coming year and beyond.
As many of you know, Chairman Muris and I were both at the FTC in the 1980's. Although there has been a great deal of continuity in the basic direction of the FTC's consumer protection program over the past two decades, the agency's current focus on consumer privacy was new to us. Indeed, with the notable exception of the Fair Credit Reporting Act, there was relatively little in the way of privacy-related issues on the FTC's plate during the 1980s. In contrast, privacy has now become, and will likely remain, a central part of the agency's consumer protection mission.
I'd like to talk today about our privacy agenda. In particular, I'd like to focus on the aspects of that agenda that may be of most relevance to you - our current and future initiatives involving the Fair Credit Reporting Act and identity theft. And I especially want to talk to you about steps your industry can take to help us address consumer concerns about privacy. Please note that the views I express here are my own, and don't necessarily reflect those of the Commission or any individual Commissioner.
When the Chairman and I returned to the FTC this past summer, we had no predetermined views on privacy and the FTC's role in its protection. So, we spent four months immersing ourselves in the issue - reviewing, analyzing, discussing, prioritizing, and planning. A key part of this process was weekly meetings with the agency's staff, but we also had dozens of meetings with a variety of outside parties who have diverse perspectives on privacy issues - business leaders, trade associations, consumer advocates, and academics. In fact, we met with representatives of the consumer reporting agencies and their trade association, way back when it was know as ACB!
The end result of this process was our privacy agenda, announced in October.(1) Our new agenda builds on the past work of the agency on privacy. However, based on our review, we have also changed the focus of the program.
For example, in the past the Commission's privacy program was focused primarily on information collection.(2) In contrast, we believe that the focus should be on misuse of information.
Certainly, when surveys ask consumers if they are troubled by the extent to which their information is collected, they usually say yes. However, we believe that the reason consumers worry is concern about the potential adverse consequences of various uses of that information. These consequences include a variety of very real risks. There can be physical consequences. That is why parents do not want information on the whereabouts of their children to be out there - freely available to anyone, and why many people list their telephone numbers using just a first initial and last name. There are also economic consequences, ranging from identity theft to erroneous denial of credit, insurance, or employment based on inaccurate or incomplete information. And there are unwanted intrusions - phone calls that disrupt the dinner hour or computers littered with "spam."
Similarly, although the Commission's past focus was primarily directed to online privacy,(3) our focus on consequences leads us to view privacy through a broader lens. Adverse consequences can occur whether the information was originally collected online or off. The risk of identity theft is real, and the consequences are the same, whether the thief steals your credit card number from an online website or from your mailbox. Thus, many of our initiatives focus on the misuse of personal information collected offline as well as information collected online.
Similarly, although the Commission's past focus was primarily directed to online privacy,(3) our focus on consequences leads us to view privacy through a broader lens. Adverse consequences can occur whether the information was originally collected online or off. The risk of identity theft is real, and the consequences are the same, whether the thief steals your credit card number from an online website or from your mailbox. Thus, many of our initiatives focus on the misuse of personal information collected offline as well as information collected online.
Finally, our approach is built on an explicit recognition of the trade-offs involved in privacy regulation. The events of September 11 make it clear that privacy is not, and cannot be, an absolute right. We are all willing to make practical compromises between privacy and other desirable goals such as greater security. The same is true in the commercial arena. The free flow of information that powers the information age produces tremendous benefits that should not be sacrificed needlessly.
In fact, there is probably no better illustration of the benefits of information collection than the consumer reporting industry and what the Chairman calls the "miracle of instant credit." Although it is now so commonplace that many consumers take it for granted, it is really quite extraordinary that, if consumers have good credit, they can borrow $10,000 or more from a complete stranger and drive away in a new car - in less than an hour. It may take longer to negotiate the price than it does to arrange the financing! Instant credit and the credit reporting system make extraordinary events routine. Your industry makes this possible. At the same time, we must all recognize that this information is extremely sensitive. It should be carefully protected, and it is under the Fair Credit Reporting Act.
As a result of this new focus, the FTC's 2002 privacy agenda includes a number of major law enforcement and education initiatives that focus on reducing the adverse consequences to consumers.
- We want to create a simple, one stop, national Do-Not-Call List for consumers who do not want telemarketing calls.
- We are proposing restrictions on the use of pre-acquired account information to reduce the risk of unauthorized billing, and beefing up enforcement against deceptive spam to help avoid unwanted intrusions.
- We are targeting pretexting -- in which so-called "information brokers" misrepresent themselves to financial institutions to obtain confidential personal information.
- We are enforcing privacy promises so that consumers get what they bargained for.
- We are pursuing violations of existing privacy statutes.
- And, most importantly for our discussion today, our agenda aims to encourage accuracy in credit reporting and to combat identity theft.
We've already had a number of accomplishments. For example, during the roll-out of the privacy agenda, we announced that we would attack the misuse of pre-acquired credit card account information to bill consumers for goods or services they do not want.
Recently we announced settlements with a group of telemarketers that used pre-acquired credit card account information to "upsell" buying club memberships to consumers when the consumers were making other purchases on the phone.(4) In this case, we alleged that the defendants' sales practices led many consumers to believe that they were simply agreeing to a free trial, when, in fact, they were agreeing to be billed $96 a year for buying club memberships if they did not cancel in 30 days. It was easy, because the company already had everything it needed to bill the consumers' account.
Our settlements, announced with a group of more than 40 State Attorneys General, required the defendants to pay more than $9 million, including $8.3 million for consumer restitution. The Order also prohibits the unauthorized use of consumers' billing information. To address this problem more systematically, we will also propose amendments to our Telemarketing Sales Rule to stop the misuse of these numbers.(5)
We are also developing enforcement actions on a number of other fronts, and you can expect to hear of further developments on these throughout the coming year. But for the remainder of my time today, I want to focus on the credit reporting system and its role in our privacy agenda.
Both the Chairman and I recognize the vital role of the credit reporting industry in today's economy. To fulfill that role, for both business and privacy reasons, the industry must provide accurate data. For that reason we believe that it is essential that the FTC take appropriate steps to ensure high levels of compliance with the Fair Credit Reporting Act.
Assuring accuracy requires that all who participate in the credit reporting system - users, furnishers, and credit reporting agencies - abide by their obligations. As part of our privacy agenda, we want to address all three components.
Adverse Action Notices
First, we believe that one key to the successful operation of the statute is compliance with Section 615, the adverse action notification provision, which will be our focal point.(6) One of our efforts here has been to monitor compliance with the 1996 amendments which, among other things, brought residential landlords within Section 615(a) for the first time.(7)
Recently, we completed a project to check landlords' compliance with this provision. What we found was encouraging. All of the 15 landlords from five major cities that we checked had procedures in place for providing adverse action notices to consumers. Mind you, some of these procedures were imperfect. For example, some of the landlords did not realize that using information in a credit report to change rental conditions - and not just denying a rental - triggers the Section 615 notice. And some did not understand that the term "consumer report" encompasses more than traditional credit reports and includes, for example, information from tenant screening services. The landlords we contacted all took prompt action to improve their procedures to assure full compliance. As a result, we decided that voluntary compliance, combined with business education, is a better way to address the kind of problems we found here. Law enforcement is an essential backstop, but, in an important sense, it represents a failure to achieve our true goal - timely notices in the hands of consumers who need them.
We hope to find equally high levels of compliance in other industries we check. If not, we will take prompt steps, including law enforcement actions, to increase compliance.
Credit Report Accuracy
Compliance with the adverse action notification provisions are a key statutory mechanism for ensuring accurate credit reports. After all, it is consumers who are most likely to recognize errors and take the necessary steps to bring the mistake to the credit bureau's attention. They also bring problems to our attention. Complaints about alleged inaccurate credit reports are by far the most common FCRA-related complaints we receive and are near the top in numbers of all consumer complaints we get at the Commission.
We understand that all the players in the credit reporting industry have a role to play in ensuring the accuracy of credit reports. Consumer reporting agencies, affiliates, resellers, furnishers, users, and even consumers all must do their part to promote data accuracy. And we understand that assuring accuracy doesn't mean simply removing derogatory information. Indeed, the ability to share accurate but derogatory information is essential to achieving the benefits of the credit reporting system. But because of the central role credit reporting agencies play, you are in a unique position to protect consumers and have unique obligations under the law.
As you know, the FCRA places specific duties on the consumer reporting agencies with respect to the accuracy of consumer reports. First, there are the "up-front" duties - the consumer reporting agencies must "follow reasonable procedures to assure maximum possible accuracy of the information."(8) Congress recognized that not every consumer report would be 100% accurate, and so the law does not require perfection. But, the law is clear that when errors do occur, the consumer must be able to correct them.
In the 1996 amendments, Congress added very specific duties on the credit reporting agencies with respect to the dispute process:(9)
- they must resolve the dispute in 30-45 days;(10)
- they must review and consider all relevant information;(11)
- they must forward that relevant information on to furnishers;(12) and
- they must not reinsert a previously deleted item without notice to the consumer.(13)
We recognize that the consumer reporting agencies' dispute process works well for most consumers. Yet, we still get enough complaints to suggest that the process does not work well for all of them. Some of the common themes we see in the complaints inslude:
- failing to correct inaccuracies acknowledged by the furnisher or otherwise demonstrated by the consumer;
- failing to forward critical information to the furnisher, resulting in an improper verification of the debt;
- improper reinsertion of inaccurate information in the consumer's file, a particular concern for identity theft victims; and
- failing to address disputes within the statutorily-mandated deadline.
We understand that, in some of these situations, other players may share responsibility for the difficulties experienced by consumers. Where appropriate, we intend to hold those other players accountable. We also understand that no system that processes the volume of data that the consumer reporting industry processes every day will be error-free. Still, the volume of complaints we are receiving suggests that improvements are possible.
The question is: Where do we go from here? Over the years, the credit reporting industry and the FTC have worked cooperatively on many fronts, and I firmly believe that much can be accomplished to address accuracy issues through cooperation. Over the past few months, my staff has talked with some of you about a possible complaint referral system, by which the Commission could forward accuracy complaints we receive to the consumer reporting agencies for resolution.
I see many benefits from such a system. Consumers and the Commission would benefit from getting individual complaints addressed quickly. And, credit reporting agencies would benefit by getting information they need to respond to consumers, and to spot trends or systematic problems in their dispute resolution procedures. Finally, given the compatibility between the proposal and the credit reporting agencies' existing duties to resolve consumer disputes, the proposal seems like a particularly appropriate way to make real progress in addressing data accuracy.
We think that complaints, and particularly patterns of complaints, can reveal problems in processes and procedures that are otherwise very difficult to detect. Complaint-driven law enforcement strategies have been an extremely productive tool for the Commission in attacking fraud in general and internet fraud in particular. Now, fraud artists are not noted for their willingness to cooperate, and law enforcement and consumer education are the key approaches we employ in that arena. But in dealing with a legitimate and important industry, a cooperative effort such as the one I am proposing can be an important and useful tool to protect consumers, and one that I believe could work well here.
Developing a complaint referral system would of course not guarantee that there would not be future FTC law enforcement actions. We can't, for obvious reasons, promise immunity to you or anyone else. But we can promise this - we are not interested in playing a game of "gotcha." We recognize that some complaints, and some problems, are inevitable. We want to identify problems as the first step to developing reasonable, practical ways to reduce those problems wherever possible, and we believe that you share that objective.
Both the Chairman and I are extremely hopeful that a system can be established. I hope that you continue to work with us to develop a system that meets our common goal of ensuring that our nation's credit reporting system works as well as possible.
Another area of ongoing cooperation between your industry and the FTC is credit repair frauds. Fraudulent and deceptive credit repair schemes can be especially pernicious. Almost by definition they focus on people that are down on their luck financially and who can least afford to be victimized. Moreover, if successful they have the potential to degrade the accuracy of the credit reporting system. For years now your members have been helping us in several ways, including forwarding us information about these scams. Our Midwest Region gathers, maintains, and analyzes the information you send in. The enforcement sweeps we have led in the last several years have resulted in over eighty cases against these scams. I think this is an excellent example of a place where we have a common interest in protecting consumers and maintaining the integrity of the credit reporting system. I look forward to continuing to work with you in this area.
The problem of identity theft is another area where greater cooperation between the government and the credit reporting industry is already producing benefits for consumers and where we hope more can be done. We have seen the number of complaints in our clearinghouse database steadily increase: at the end of March 2001, there were 52,000 complaints; by the end of December 2001, only eight months later, that figure had more than doubled to over 120,000. We have actively, and clearly successfully, encouraged consumers to call us with ID theft problems. Thus, we cannot conclude from the growth of complaints that the problem is actually growing.
But we do know that in this day of remote transactions and greater access to publicly available information on each of us, identity theft has never been easier to commit.
Given the magnitude of the identity theft problem, we realize that we must address it on many fronts - by coordinating victim assistance and outreach efforts, building a strong partnership with law enforcement, and developing creative solutions with the private sector. We are working to do all that: attacking identity theft is an important part of our privacy agenda.
In a sense the credit reporting industry and the FTC are in a similar position on identity theft issues: although we do not have direct responsibility for it, we both deal on a daily basis with assisting its victims.(14) We are both middle men with roles that are important but with limited ability to address the central law enforcement problem. Our goal as a consumer protection agency is to try to make the recovery process for victims of identity theft as efficient as possible. Just as victims of muggings must replace their lost wallets, so too victims of electronic mugging must refurbish their damaged identities. We have been continuously looking for cooperative efforts that will ease this task, recognizing of course that the system must itself guard against fraud.
One highly successfully example of the value of collaboration between consumers, industry and government is the ID Theft Affidavit. With the development and implementation of this single form, a large burden has been lifted for victims of ID theft. Victims can use one affidavit to report fraudulent accounts opened up in their name by an identity thief, instead of having to fill out a separate, distinct form for each creditor.
Another collaborative effort with tremendous promise is your new police report initiative. Through this program, the three agencies have agreed to block any credit line when they receive from the consumer a copy of the police report documenting the identity theft. And, last year the IACP passed a resolution encouraging local law enforcement to issue police reports to ID theft victims.(15) We're doing our part too, developing a training video with IACP to encourage the police to issue the reports. I appreciate that certain consumer-based initiatives require you to balance accuracy issues - knowing that the consumer's report contains all relevant credit information, including derogatory reports - against customer service. From my perspective, your police report initiative strikes just the right balance. You have an assurance of the consumer's good faith, evidenced through the official police report, and the consumer will be untouched by the false negative information. I encourage the ACB and its members to continue developing programs and systems that ease the burden on identity theft victims.
One such effort we should continue to explore is the concept of a one-call fraud alert. This is another effort to streamline the reporting process for victims, and would allow an ID theft victim, through their call to the FTC's identity theft hotline, to request a security alert on their file and a copy of their report. The goal here is to reduce the number of calls required of the victim. So, instead of calling our identity theft hotline plus the 3 major consumer reporting agencies, the consumer could get the security alert and request a copy of their report through their one call to our hotline. This single step is one with tremendous appeal to those concerned about the victims of ID theft. We need to continue working together to work out the details of the one call initiative. We will do whatever we can to make this initiative succeed, including supporting statutory changes if that proves to be necessary. We are encouraged by the positive response so far and hope ultimately to have full participation.
Conclusion
I want to thank you for the opportunity to appear before you today. As discussed, both I and the Chairman recognize the important role your industry has played in providing American consumers with unparalleled access to credit, as well as the challenges your industry faces in maintaining this role. Similarly, we believe the FCRA is a good example of legislation that protects consumer privacy while recognizing the value that accurate credit reporting information plays in our society. We are committed, as I know your industry is, to ensuring high levels of compliance with the FCRA. We also believe that there is now a unique opportunity for the government and the industry to work together to address the concerns that have arisen in the area of FCRA complaints and to decrease the burden of ID theft on its victims. We look forward to working closely with you over the coming months to capitalize on the opportunities in a way that will benefit consumers, government and your industry.
1. See Protecting Consumers' Privacy: 2002 and Beyond, Remarks of FTC Chairman Timothy J. Muris at the Privacy 2001 Conference, Cleveland, Ohio (October 4, 2001), available at /speeches/muris/privisp1002.htm.
2. See Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), available at /reports/privacy2000/privacy2000text.pdf.
3. See id.
4. Federal Trade Commission v. Smolev, et al, No. 01-CV-8922 (S.D. Fla. final order entered Nov. 27, 2001).
5. Telemarketing Sales Rule, 67 Fed. Reg. 4491 (2002).
6. Fair Credit Reporting Act §615, 15 U.S.C. §1681m (2001).
7. Consumer Credit Reporting Reform Act of 1996 §2411, 15 U.S.C. §1681m(a) (2001).
8. FCRA §607(b), 15 U.S.C. §1681e(b) (2001).
9. FCRA §611, 15 U.S.C. §1681i (2001).
10. FCRA §611(a)(1)(B), 15 U.S.C. 1681i(a)(1)(B) (2001).
11. FCRA §611(a)(4), 15 U.S.C. 1681i(a)(4) (2001).
12. FCRA §611(a)(2)(B), 15 U.S.C. §1681i(a)(2)(B) (2001).
13. FCRA §611(a)(5)(B)(ii), 15 U.S.C. §1681(a)(5)(B)(ii) (2001).
14. Identity Theft Assumption Deterrence Act of 1998, 18 U.S.C. §1028 (2001).
15. International Association of Chiefs of Police, Curbing Identity Theft, (Nov. 15, 2000) available athttp://www.theiacp.org/leg_policy/Resolutions/resolutions2000.htm#idtheft