STATEMENT OF STUART K. PRATT

ASSOCIATED CREDIT BUREAUS, INC.

WASHINGTON, D.C.

HEARING ON

H.R. 4311 - THE IDENTITY THEFT PREVENTION ACT OF 2000

 Before the Committee on Banking and Financial Services

of the

United States House of Representatives

Washington, D.C.

Wednesday, September 13, 2000

Mr. Chairmen and members of the Committee, my name is Stuart Pratt and I am vice president, government relations for the Associated Credit Bureaus, headquartered here in Washington, D.C. ACB, as we are commonly known, is the international trade association representing over 500 consumer information companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, and collection services.

Our members are the information infrastructure that contributes to the safety and soundness of our banking and retail credit systems; which:

• allows for the efficiencies of a secondary mortgage securities market place that saves consumers an average of 200 basis points on the cost of a mortgage.
• helps e-commerce and bricks-and-mortar businesses to authenticate applicant data thus reducing the incidence of fraud.
• gives child support enforcement agencies the information tools necessary to meet their mission.
• allows states to reduce many forms of entitlement fraud.

We want to commend you for choosing to hold this hearing on H.R. 4311 and on the crime of identity theft. Identity theft is an equal-opportunity crime that affects everyone represented at this witness table. It is a particularly invasive form of fraud where consumers, consumer reporting agencies and creditors must untangle the snarl of fraudulent accounts and information resulting from a criminal's actions. This task is often frustrating and time-consuming for all concerned.

Before I discuss our industry's efforts to address the issue of identity theft in general and also the subject matter of the bill, I have found it helpful to provide a short review of what a consumer reporting agency is, what is contained in a consumer report, and the law that governs our industry.

Consumer reporting agencies maintain information on individual consumer payment patterns associated with various types of credit obligations.¹ The data compiled by these agencies is used by creditors and others permitted under the strict prescription of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) to review the consumer's file.

Consumer credit histories are derived from, among other sources, the voluntary provision of information about consumer payments on various types of credit accounts or other debts from thousands of data furnishers such as credit grantors, student loan guarantee and child support enforcement agencies. A consumer's file may also include public record items such as a bankruptcy filing, judgment or lien. Note that these types of data sources often contain SSNs, as well.

For purposes of data accuracy and proper identification, generally our members maintain information such as a consumer's full name, current and previous addresses, Social Security Number (when voluntarily provided by consumers) and places of employment. This data is loaded into the system on a regular basis to ensure the completeness and accuracy of data.²

It is interesting to note that the vast majority of data in our members' systems simply confirms what most of you would expect; that consumers pay their bills on time and are responsible, good credit risks. This contrasts with the majority of systems maintained in other countries, such as Japan or Italy, which store only negative data and do not give consumers recognition for the responsible management of their finances.

As important as knowing what we have in our files is also knowing what types of information our members do not maintain in files used to produce consumer reports. Our members do not know what consumers have purchased using credit (e.g., a refrigerator, clothing, etc.) or where they used a particular bank card (e.g., which stores a consumer frequents). They also don't have a record of when consumers have been declined for credit or another benefit based on the use of a consumer report. Medical treatment data isn't a part of the databases and no bank account information is available in a consumer report.

In addition to our general discussion of the industry, we believe it is important for your Subcommittee to have a baseline understanding of the law which regulates our industry.  Enacted in 1970, the Fair Credit Reporting Act was significantly amended in the 104th Congress with the passage of the Credit Reporting Reform Act.³

Congress, our Association's members, creditors and consumer groups spent over six years working through the modernization of what was the first privacy law enacted in this country (1970). This amendatory process resulted in a complete, current and forwarding-looking statute. The FCRA serves as an example of successfully balancing the rights of the individual with the economic benefits of maintaining a competitive consumer reporting system so necessary to a market-oriented economy.

The FCRA is an effective privacy statute, which protects the consumer by narrowly limiting the appropriate uses of a consumer report (often we call this a credit report) under Section 604 (15 U.S.C. 1681b), entitled "Permissible Purposes of Reports."

Some of the more common uses of a consumer's file are in the issuance of credit, subsequent account review and collection processes. Reports are also, for example, permitted to be used by child support enforcement agencies when establishing levels of support.

Beyond protecting the privacy of the information contained in consumer reports, the FCRA also provides consumers with certain rights such as the right of access; the right to dispute any inaccurate information and have it corrected or removed; and the right to prosecute any person who accesses their information for an impermissible purpose. The law also includes a shared liability for data accuracy between consumer reporting agencies and furnishers of information to the system.

Now let me turn to the issue at hand -- identity theft. As I said at the beginning, it is a crime that affects everyone here today. Our industry has a history of bringing forward initiatives to address fraud. These efforts focus on use of new technologies, and better procedures and education.

Consider the following efforts undertaken during this decade:

• ACB formed a Fraud and Security Task Force in 1993
• A "membership alert form" was developed to be used in notifying other ACB credit bureau members of a customer, which was committing fraud through the misuse of data. Implemented in 1994.
• A "Universal Fraud Information Form" was developed for use by creditors when communicating the incidence of fraud to national consumer reporting systems.
• A generic credit reporting industry presentation on ACB fraud and security initiatives was developed and presented to customer segments during 1995.
• Minimum standards for data access equipment and software were announced to industry suppliers in March 1995.
• ACB members implement company-specific limitations on the availability of account numbers, and truncation of Social Security Numbers on consumer reports sold to certain customer segments.
• Experian, Equifax and Trans Union voluntarily provide toll free access to special fraud or to consumer relations personnel specially trained to work with fraud victims.
• A hardware and software certification program is created by the industry and administered by a third-party certification authority for those access products, which have implemented minimum industry security standards.
• Over 150,000 copies of a new customer educational brochure entitled "We Need Everyone's Help to Protect Consumer Privacy and Reduce Fraud" have been distributed since its first printing in the last Q.1997. An education program was also developed for use by ACB members in presenting the information found in the brochure. 2nd Q. 1998.
• On March 14, 2000, the ACB announced new voluntary initiatives to assist consumers who have been victimized by identity theft. Following is a description of each initiative and also attached is our press release.
• Advocate the use and improve the effectiveness of security alerts through the use of codes transmitted to creditors. These alerts and codes can help creditors avoid opening additional fraudulent accounts.
• Implement victim-assistance best practices to provide a more uniform experience for victims when working with personnel from multiple fraud units.
• Assist identity theft victims by sending a notice to creditors and other report users when the victim does not recognize a recent inquiry on the victim's file.
• Execute a three-step uniform response for victims who call automated telephone systems: automatically adding security alerts to files, opting the victim out of prescreened credit offers, and sending a copy of his or her file within three business days.
• Launch new software systems that will monitor the victim's corrected file for three months, notify the consumer of any activity, and provide fraud unit contact information.
• Fund, through ACB, the development of a series of consumer education initiatives through ACB to help consumers understand how to prevent identity theft and also what steps to take if they are victims.

Having provided background regarding the extent of our industry's efforts to assist victims of identity theft, we also provide the following specific comments on H.R. 4311. You will see that in many cases, our members have developed products or initiatives that are consistent with the goals of the proposals discussed.

However, our members caution that locking in to law tactics for preventing the crime is a dangerous precedent since it also allows the criminals to simply avoid the types of "triggers" that would result in detection.

This amendment to Section 605 of the FCRA proposes that our industry notify creditors where incoming address on an application for credit is different than the address on the file of the consumer maintained by the consumer reporting agency. Today, our members have developed a range of application analysis products that help our customers detect fraud before credit is approved. These often include analyses of addresses in the file of the consumer with that which is on the application. Further, our members do provide customers with services, which notify them of differences between the application and file addresses.

On its own, a difference between a file address and that which is on the application is not necessarily a good indication of fraud. The U.S. Census Bureau estimates that approximately 16% of the population moves each year and this equates to about 42 million consumers. Further, even when consumers do not move, they often end up with more than one address. For example, many consumers have at least one credit card bill sent to work, while the rest are sent to the home address. Both addresses are reported to the consumer reporting agency each month. Further, an extrapolation of U.S. Census data by the National Association of Realtors leads to an estimate of as many as 6 million vacation or second homes in this country. Consumers often switch billing addresses when they stay at such residences for long periods of time, which may lead to yet a third regularly reported address in the consumer's file.

The message here is that addresses variations are more common than many think and we have to be careful to ensure that in writing new law, we don't codify a rigid rule of procedure that is in the end ineffective in preventing identity theft. Our members continue to review internal address management processes, which are part of the intellectual property of each system competing in the market place.

This amendment to Section 605 of the FCRA would require consumer reporting agencies to include fraud alerts in the file of the consumer upon request.

Our largest members have implemented fraud alert systems. These alerts are added when a consumer has been a victim of fraud, including identity theft, or as a preventative measure for a consumer who has, for example, lost a wallet. As we indicated in our new identity theft initiatives, we are committed working now to improve the effectiveness of fraud alerts. For example our industry is standardizing language for fraud alert text messages as well as employing alpha-numeric sequences in these messages to help customers better identify a consumer's request associated with identity theft. Our customers are as motivated as we are to ensure that the consumer's requests are delivered in an effective manner that ensures they can act accordingly. We already ensure that the fraud alert is delivered with every consumer report issued today, whether it is highly codified, or even a risk score analysis.

This proposal requires the Federal Trade Commission to issue regulations regarding changes to address data maintained by consumer reporting agencies.

We believe the current FCRA requires no additional amendments in order to ensure accuracy. Section 607(b) of the FCRA requires that a consumer reporting agency "…shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates." This baseline requirement for accuracy applies to how consumer reporting agencies manage data, including addresses.

The FCRA is administratively enforced by both the Federal Trade Commission and the state attorneys general. The FTC has demonstrated that they have ample influence over the industry via the use of consent orders. In fact under the 1996 amendments to the FCRA, they also received additional enforcement powers to bring actions against any consumer reporting agency with penalties of up to $2,500 per violation. For a high-transaction industry such as ours, this is a very real and forceful component of the FTC's current powers. Beyond administrative enforcement, there are civil remedies for negligent and willful violations of the Act.

In light of the extensive amendments made to the administrative enforcement powers of the FTC, we do not support the extension of additional rulemaking powers.

This amendment to Section 612[c] of the FCRA would allow a consumer to request a disclosure of his or her file once per year at no charge.

In the 1996 amendments to the FCRA, Congress resolved the issue of access to a file disclosure and where it should be offered without charge. Section 612 of the Act was amended extensively to allow consumers to have access to the file without charge in the following circumstances:

• Unemployed and intending to seek employment.
• A recipient of welfare assistance
• Has reason to believe that the file on the consumer at the agency contains inaccurate information due to fraud.

The free disclosure for fraud would cover any victim of identity theft. Consumers also have a right to a free disclosure whenever an adverse action has been taken against them based in whole or in part on the use of a consumer report. Further, where a fee can be charged, Congress capped this at $8, tied to an annual review of the Consumer Price Index. The current fee stands at $8.50, per the Federal Trade Commission's most recent review.

Our industry is made up of large and small businesses. In 1993, we voluntarily capped the cost of disclosure at $8 (tied to a CPI) prior to the passage of the 1996 amendments to the FCRA. We believe that imposing additional free disclosures is inequitable when you consider that most public record disclosures such as a driving record, or marriage certificate are disclosed at a fee which often exceeds the current permissible fee of $8.50. We oppose a general free disclosure in light of the many accommodations made in the 1996 amendments.

This amendment creates a new section of law under the FCRA which extend the definition of "consumer report" to items of identifying information found in a consumer's file, with the exception of name, current address, and generational designation.

Beyond the controls of the Fair Credit Reporting Act, our largest members have proactively restricted their use of identifying information, often called "credit header information", when they committed themselves to a self-regulatory regime developed by the Individual Reference Services Group. Removing the key identification information from fraud prevention products produced outside of the Fair Credit Reporting Act would render these products far less effective. Thus, e-Commerce businesses, for example, will not have tools available to prevent the very type of fraud addressed by this bill. We oppose this limitation being placed on our members.

Section 8 - Individual Reference Services

We believe that information products produced by our members and other individual reference service companies are vitally important for law enforcement, fraud prevention and in fact for a range of societal benefits including child support enforcement, and general location of debtors, to name a few. The continuation of these products produces benefits for society at large and we defer to the IRSG to provide substantive comment on this section of the bill.

This new section of law proposes that the Federal Trade Commission develop a model form and standard procedures to be used by consumers if the issuers of credit and credit reporting agencies have failed to accomplish this goal.

ACB's True Name Fraud Task Force is continuing its efforts to find ways to simplify the victim's experience in working with our industry. This is a core element of our new initiatives. Our efforts to simplify have to be considered in the context of our members' individual duties under the FCRA when a consumer communicates with us. Further, we must contend with the many thousands of fraudulent credit repair claims and falsified creditor documents submitted to our members each year.

Regarding credit repair, the thousands of falsified creditor documents, credit repair file segregation schemes, and outright fraudulent attempts to delete accurate derogatory data from consumer reporting files are an enormous concern to our industry. These data are critical to safety and soundness of the banking industry and many other permitted users.

Thus, in developing a standard victim form, the question continues to be how to accomplish this without creating a system of credit repair where the form is misused to delete accurate derogatory data. The Secret Service has testified in a number of hearings about the ease with which a web site developer can make available software to falsify drivers licenses, checks, and other identification documents. It would be extremely simple to create an additional option for the "standard credit bureau identity theft victim form".

Regardless of credit repair risks, we continue to work on initiatives that help victims and we are the only industry to have issued a definitive set of initiatives to accomplish this goal. The solution however doesn't rest with our industry alone. We must continue to partner with our customers (such as creditors and telecommunications companies) in finding solutions complete solutions for consumers.

In your letter of invitation to participate in this hearing, Mr. Chairman, you requested input on H.R. 4857, "The Privacy and Identity Protection Act of 2000." Included with this testimony is a copy of ACB's letter of comment to Chairman Shaw regarding H.R. 4857 in its current form.

Let me close by emphasizing some important themes.

First, you can see by our actions that our industry is interested in being part of the solution to the issue of identity theft. Finding ways to help simplify the plight of victims is an essential value for our industry.

However, laws that overreach in attempting to prevent the crime through limiting the use of identifying information are likely to merely take fraud prevention tools out of the hands of legitimate businesses at the expense of consumers. Ironically, to prevent fraud you must be able to crosscheck information. To maintain accurate databases, you must be able to maintain a range of identifying elements.

Identity theft is a crime. ACB supported the enactment of the Identity Theft Assumption and Deterrence Act of 1998 as well as over 25 similar state laws. Effective law enforcement is essential to creating a true consequence. ACB has recently contacted the U.S. Postal Inspectors to see how we can assist in their effort to educate the law enforcement community about the nature of the crime and the investigative resources, which are available today.

Our industry will continue to be progressive in dealing with identity theft. Thank you for this opportunity to testify.

___________