The survey was conducted to mark the 30th anniversary of Washington’s aggressive
Public Disclosure
Act
; it was sponsored in part by the Washington Coa-lition for Open Government, an organization dedi-cated to defending the people’s right to access.
Finally, and most disturbingly, some states cut straight to the point and
sell personal information
to private companies.
1 4 6
C H A P T E R 6
California, despite its privacy laws, has sold its
state birth index—containing personal information
on about 24.6 million people—to an online Web company.
Pennsylvania’s Corporation Bureau sells loan-related public records that include SSNs of citizens. Specifically, the state’s Corporation Bureau sells and makes available to the public Uniform Commercial Code financing statements that contain sensitive personal information.
The so-called “UCC” filings often list debtors’ SSNs, addresses and even driver’s license data. The Bureau generated about $100,000 a year through the late 1990s and early 2000s by selling the records to companies— most often direct marketers in the
commercial loan
business
.
In 2002, when the sale caused some controversy, state officials said they were powerless to change their procedures. They cited a state law that required the Bureau to accept filing of a nationally-recognized UCC
form that included a blank for SSNs. The law pre-cluded the Bureau from altering the form, which was a public record.
C O N C L U S I O N
If ID theft could be stamped out by passing a strong law, things would be much easier. But ID theft—and ID thieves—is complex. In many cases, the crooks exploit turf battles between government bureaucra-1 4 7
L A W S A N D A G E N C I E S T H A T P R O T E C T Y O U … O R D O N ’ T
cies. In a few cases, they take advantage of badly-drawn laws that actually help with ID theft.
The ID Theft Clearinghouse managed by the Federal Trade Commission is a tool designed to coordinate law enforcement efforts in the U.S. And the Secret Service is the federal agency that makes the strongest priority of battling ID theft.
But, in the end, local law enforcement—police and district (or state’s) attorney—end up dealing with most ID theft cases. If you’ve been a victim of ID theft, it’s those local agencies that will most likely help.
1 4 8
C H A P T E R 7
7
CREDIT BUREAUS
In 1999, Congress passed the Gramm-Leach-Bliley Act (the GLB Act), legislation that allowed banks, insurance companies, credit bureaus and securities firms to affiliate under a
single corporate structure
. The purpose of this change? To allow financial services companies to “more readily anticipate and meet their customers’ financial needs.”
At least that’s what the head of the Financial Services Roundtable told Congress in March 2001.
The GLB Act also
reformed the system of federal
regulation
and requires greater coordination among the various agencies. This coordination is a challenge.
In all, there are almost 200 different financial services regulators—including the various state banking, insurance and securities regulators and all of the federal banking, thrift and securities agencies.
As
integrated financial services
companies have increased the scope of their business activities—mix-ing banking, investments, insurance and consumer lend-ing—they have become more directly involved in establishment and use of personal financial identities. In
1 4 9
B A N K S A N D C R E D I T B U R E A U S
fact, they’ve
marketed these identities
. As recently as the 1990s, most Americans were only vaguely aware of their credit ratings or “FICO scores.” In the early 2000s, financial institutions have marketed these credit profiles
like soap or soft drinks
. One example: In 2002 and 2003, radio and television ads for new cars started referencing “credit tiers” when describing available financing packages.
As a result, financial identities—credit scores—have
become commodities, with market values. And, as
any economist will tell you, commodities are significant in two ways. First, their value is defined by
marketplace conditions that are usually beyond any
single owner’s control; second, they are vulnerable
to theft, piracy and manipulation.
These are the
economic trends
that have enabled identity theft.
What do the fast-integrating financial services companies think about ID theft? In his March 2001 congressional testimony, Steve Bartlett—President of the Financial Services Roundtable—put the problem in context:
It is estimated that the financial services industry loses more than $100 billion a year in fraud, which includes $85 billion to $120 billion in insurance fraud, $24 billion of which comes from property/casualty fraud; $13
billion in check fraud; $3 billion in identity fraud; and $600 million in credit card fraud.
1 5 0
C H A P T E R 7
So, the financial services companies think that insurance fraud is their biggest problem. But ID theft is, by most accounts, the fastest growing
form of financial fraud
; and, as we’ve seen throughout this book, ID theft often operates in conjunction with other kinds of fraud—including insurance fraud.
C R E D I T B U R E A U S
When most Americans hear the term “financial services,” they think of faceless corporate giants that buy lots of ads during the Super Bowl. Beyond that, they have a vague notion of companies that combine banking, insurance, stock brokerage and various other money-related activities.
One of the key “various other” activities is the setting and tracking of individual consumer’s credit
ratings.
Throughout this book (and any discussion of ID theft) you’ve heard references to the “big three” U.S. credit bureaus—Equifax, Experian and TransUnion. These companies—along with a fourth, slightly different credit rating company called Fair, Isaac & Co.—control the U.S.
consumer credit rating industry
. Their importance to the financial services industry is large…and growing. And their role in the growth of ID theft is worth some consideration.
Like most credit bureaus, the big three keep files that include personal information like SSNs and account information of individual consumers. But their cli-1 5 1
B A N K S A N D C R E D I T B U R E A U S
ents are not the people whose information they keep; their clients are the
banks and consumer finance
companies
who decide whether…and on what terms…to lend money to those individuals.
Many people make the mistake of assuming that credit bureaus exist to serve individual consumers—and get frustrated with the lack of responsiveness and customer service that the credit bureaus have traditionally offered. (If you have a problem with a credit report, it’s virtually impossible to contact anyone at Equifax, Experian or TransUnion directly. The best you can usually manage is to leave a telephone message or fax a letter to a generic recipient.)
If you remember that you’re not the credit bureau’s
primary customer, you may understand the cool re-ception the credit bureaus give you.
The problem with this approach to the handling of credit information is that it accepts a
higher level of
inefficiency
than most consumers would like. In this way, the credit industry is something like the health insurance industry—in both cases, the primary customers (lenders, in the case of credit bureaus; employers, in the case of health insurance) are not the end-users of the services being sold. So, it’s logical that the services treat the end-users roughly.
An economist looking at these industries would likely conclude that the unusual structure of primary customer/end user is not intended for efficiency—if efficiency means the timely and accurate delivery of ser-1 5 2
C H A P T E R 7
vices to the greatest number of users. No, the unusual structure is likely intended for some other purpose.
Cost control
would be a good guess.
In health insurance, the cost controls provided by
the traditional (at least in the U.S.) employer-provided model are gradually eroding. Despite the bad
impression that some people have of it, the managed care model of health coverage is moving more
control of that marketplace to end-users.
Is there any equivalent movement in the credit rating industry?
The Fair Credit Reporting Act (FCRA) is an attempt by the U.S. government to
restore some balance
and accountability
to the credit rating industry. According to the Federal Trade Commission: The FCRA is designed to promote accuracy, fairness and privacy of information in the files of every “consumer reporting agency”
(CRA). Most CRAs are credit bureaus that gather and sell information about you—such as if you pay your bills on time or have filed bankruptcy—to creditors, employers, landlords and other businesses.
You must be told if information in your file has been used against you. Anyone who uses information from a CRA to take action against you—such as denying an application for credit, insurance or employment—must tell you, and give you the name, address and
1 5 3
B A N K S A N D C R E D I T B U R E A U S
phone number of the CRA that provided the consumer report.
You can find out what is in your file. At your request, a CRA must give you the information in your file, and a list of everyone who has requested it recently.
There is no charge for the report if a person has taken action against you because of information supplied by the CRA, if you request the report within 60 days of receiving notice of the action. You also are entitled to
one free report
every 12 months upon request if you certify that: 1)
you are unemployed and plan to seek employment within 60 days; 2)
you are on welfare; or 3)
your report is inaccurate due to ID theft or other fraud.
Otherwise, a CRA may charge you for a copy of your credit report.
You can
dispute inaccurate information
with the CRA. If you tell a CRA that your file contains inaccurate information, the CRA must investigate the items—usually within 30 days—by presenting to its information source all relevant evidence you submit (unless your dispute is deemed frivolous by the CRA).
After that, the FCRA sets the rules for how correc-tions are made: •
The source must review your evidence and report its findings to the CRA. The source also must advise other CRAs to which it has provided the data of any error. The CRA must give you a
written
1 5 4
C H A P T E R 7
report of the investigation
and a copy of your report if the investigation results in any change.
•
Inaccurate information must be
corrected or deleted
. A CRA must remove or correct inaccurate or unverified information from its files, usually within 30
days after you dispute it. However, the CRA is not required to remove accurate data from your file unless it is outdated or cannot be verified.
•
If the CRA’s investigation does not resolve the dispute, you may add a
brief
statement
to your file. The CRA must normally include a summary of your statement in future reports. If an item is deleted or a dispute statement is filed, you may ask that anyone who has recently received your report be notified of the change.
•
You can dispute inaccurate items with the
source of the information
. If you tell anyone—such as a creditor who reports to a CRA—that you dispute an item, they may not then report the information to a CRA without including a notice of your dispute.
Outdated information may not be reported. In most cases, a CRA may not report negative information that is more than
seven years old
; 10 years for bankruptcies.
Access to your file is limited. A CRA may provide information about you only to people with a need
1 5 5
B A N K S A N D C R E D I T B U R E A U S
recognized by the FCRA—usually to consider an application with a creditor, insurer, employer, landlord or other business.
Your
consent is required
for reports that are provided to employers or reports that contain medical information. A CRA may not give out information about you to your employer, or prospective employer, without your written consent. A CRA may not report medical information about you to creditors, insurers or employers without your permission.
You may choose to exclude your name from CRA lists
for unsolicited credit and insurance offers. Creditors and insurers may use file information as the
basis for sending you unsolicited offers of credit or
insurance.
Such offers must include a toll-free phone number for you to call if you want your name and address removed from future lists. If you call, you must be
kept off the lists for two years
. If you request, complete and return the CRA form provided for this purpose, you must be taken off the lists indefinitely.
You may seek damages from violators. If a CRA, a
user or (in some cases) a provider of CRA data violates the FCRA, you may sue them in state or federal
court.
1 5 6
C H A P T E R 7