[Federal Register: November 3, 2004 (Volume 69, Number 212)]
[Rules and Regulations]
[Page 63922-63934]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03no04-3]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Parts 603, 613, and 614
RIN 3084-AA94
Related Identity Theft Definitions, Duration of Active Duty
Alerts, and Appropriate Proof of Identity Under the Fair Credit
Reporting Act
AGENCY: Federal Trade Commission (FTC or the Commission).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The recently enacted Fair and Accurate Credit Transactions Act
of 2003 (FACT Act or the Act), amending the Fair Credit Reporting Act
(FCRA), establishes requirements for consumer reporting agencies,
creditors, and others to help remedy identity theft. In this document,
the Commission issues final rules to establish definitions for the
terms ``identity theft'' and ``identity theft report;'' the duration of
an ``active duty alert;'' and the ``appropriate proof of identity'' for
purposes of sections 605A (fraud alerts and active duty alerts), 605B
(consumer report information blocks), and 609(a)(1) (truncation of
Social Security numbers) of the FCRA, as amended by the Act.
DATES: Effective Date: This rule is effective on December 1, 2004.
ADDRESSES: Requests for copies of the Rule and the Statement of Basis
and Purpose should be sent to the Commission's Public Reference Branch,
Room 130, Federal Trade Commission, 600 Pennsylvania Avenue, NW.,
Washington, DC 20580. The complete record of this proceeding is also
available at that address. Relevant portions of the proceeding,
including the Rule and Statement of Basis and Purpose, are also
available at the Commission's Web site, http://www.ftc.gov.
FOR FURTHER INFORMATION CONTACT: Naomi B. Lefkovitz, Attorney, Division
of Planning and Information, Bureau of Consumer Protection, Federal
Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.
(202) 326-3228.
SUPPLEMENTARY INFORMATION:
Statement of Basis and Purpose
I. Introduction
The FACT Act was signed into law on December 4, 2003. Pub. L. 108-
159, 117 Stat. 1952. Portions of the Act amend the FCRA to enhance
consumers' ability to resolve problems caused by identity theft.
Section 111 of the Act adds several new definitions to the FCRA,
including ``identity theft'' and ``identity theft report.'' The Act
permits the Commission to further define the term ``identity theft,''
and requires the Commission to determine the meaning of the term
``identity theft report,'' although the Act does provide a minimum
definition. Section 112 of the Act requires the Commission to determine
the duration of an ``active duty alert,'' which the Act sets at a
minimum of 12 months. Section 112 also requires the Commission to
determine the ``appropriate proof of identity'' for purposes of
sections 605A (fraud alerts and active duty alerts), 605B (consumer
report information blocks), and 609(a)(1) (truncation of Social
Security numbers) of the FCRA, as amended by the Act.
The Commission published a Notice of Proposed Rulemaking and
request for Public Comment (``NPRM'') in the Federal Register on April
28, 2004,\1\ and the comment period closed on June 15, 2004. The
Commission received forty-nine comments.\2\ The commenters included the
National Association of Attorneys General Executive Committee, consumer
advocacy groups,\3\ industry trade organizations,\4\ three nationwide
consumer reporting agencies,\5\ financial institutions and other
companies,\6\ two
[[Page 63923]]
of the four military service branches,\7\ consumers,\8\ and the
National Notary Association, a professional trade organization. Unless
specifically modified in this document, all of the analysis
accompanying the proposed rules in the NPRM is adopted and incorporated
into this Statement of Basis and Purpose for the final rules.
---------------------------------------------------------------------------
\1\ Related Identity Theft Definitions, Duration of Active Duty
Alerts, and Appropriate Proof of Identity under the Fair Credit
Reporting Act, 69 FR 23370 (proposed April 28, 2004) (to be codified
at 16 CFR. parts 603, 613, and 614).
\2\ The public comments relating to these rulemakings may be
viewed at http://www.ftc.gov/os/comments/factaidt/index.htm. The
Commission considered all comments timely filed, i.e.--those
received on or before the close of the comment period on June 15,
2004. As a matter of discretion, the Commission also considered
comments that were filed after the close of the comment period.
Citations to comments filed in this proceeding are made to the name
of the organization (if any) or the last name of the commenter, and
the comment number of record. Comment number may appear as all
numeric characters--e.g., 000031 (indicating a comment
received by paper or electronic mail), or as numeric characters
preceded by ``EREG''--e.g., ``EREG-000031'' (indicating a comment
received through http://www.regulations.gov).
\3\ Consumers Union submitted a comment on behalf of 11
organizations. Consumer advocacy groups commenting included Consumer
Action, Consumer Federation of America, Consumers Union, Electronic
Privacy Information Center, Identity Theft Resource Center, National
Association of Consumer Advocates, National Consumer Law Center,
National Council of La Raza, Privacy Rights Clearinghouse, Privacy
Times, and U.S. Public Interest Research Group (US-PIRG).
\4\ In addition to Consumer Data Industry Association (CDIA)--
the trade association that represents the nationwide consumer
reporting agencies and a variety of other consumer reporting
agencies--the Commission received comment on the proposed rule on
behalf of a number of trade organizations representing a variety of
industries and concerns. These included ACA International
(representing debt collection agencies and other accounts receivable
professionals), American Bankers Association, American Financial
Services Association (representing companies primarily engaged in
the business of providing consumer credit), America's Community
Bankers, Credit Union National Association (CUNA), Coalition to
Implement the FACT Act (representing trade associations and
companies that furnish, use, collect, and disclose consumer
information), Consumer Bankers Association, Independent Community
Bankers of America, National Automobile Dealers Association,
National Business Coalition on Privacy and E-Commerce (representing
diverse companies interested in national policy on privacy and
electronic commerce issues), Michigan Credit Union League, National
Retail Federation, Pennsylvania Credit Union Association, and the
Financial Services Roundtable.
\5\ Equifax Information Services LLC, Experian Information
Solutions, Inc., and Trans Union LLC.
\6\ These included Bank of America, Bank One Corporation, BMO
Financial Group, Boeing Employees' Credit Union, Capital One
Financial Corporation, Countrywide Home Loans, Fifth Third Bank,
Household International, Inc., Juniper Bank, Keycorp, MasterCard
International, MBNA America Bank, N.A., Navy Federal Credit Union,
Nissan Motor Acceptance Corp., Sprint Corporation, Teachers Federal
Credit Union, Visa U.S.A., Inc., Wells Fargo and Company, and
Wilshire Credit Corporation.
\7\ These were the Office of the Judge Advocate General,
Department of the Navy and the United States Marine Corps.
\8\ These included Beverly Davis, Mike Heinemann, Robert
Pinheiro, Abbi Sexton, and Charles Nichols.
---------------------------------------------------------------------------
II. Analysis of the Comments Received
A. Section 603.2: Identity Theft
The definition of ``identity theft'' triggers important duties for
businesses and important rights for consumers under the FACT Act and
the FCRA. For example, it defines the scope of fraudulent conduct that
businesses must take steps to prevent, and it determines who is a
victim entitled to take advantage of the rights conferred by the Act.
Section 111 of the Act defines the term ``identity theft'' as ``a fraud
committed using the identifying information of another person, subject
to such further definition as the Commission may prescribe, by
regulation.'' In the NPRM, the Commission proposed to further define
the term ``identity theft'' \9\ so it would be sufficiently broad to
cover all bona fide victims and conduct, and also help prevent credit
repair fraud.\10\
---------------------------------------------------------------------------
\9\ 69 FR 23377. In the NPRM, the Commission defined the term
``identity theft'' to mean a fraud committed or attempted using the
identifying information of another person without lawful authority.
(b) The term ``identifying information'' means any name or
number that may be used, alone or in conjunction with any other
information, to identify a specific individual, including any--
(1) Name, social security number, date of birth, official State
or government issued driver's license or identification number,
alien registration number, government passport number, employer or
taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print,
retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing
code; or
(4) Telecommunication identifying information or access device
(as defined in 18 U.S.C. 1029(e)).
\10\ Id. at 23371.
---------------------------------------------------------------------------
1. Attempted Fraud
In the NPRM, the Commission proposed adding ``attempt to commit
fraud'' to the definition. Although identity thieves do not always
succeed in opening new accounts, their attempts to do so may be
recorded as inquiries on victims' consumer reports, which may adversely
affect the victims' credit scores. Victims who learn of attempts by an
identity thief should be entitled to take advantage of the Act to place
extended fraud alerts and block fraudulent inquiries. To block these
inquiries under section 605B of the FCRA and to obtain an extended
fraud alert, victims need to be able to obtain an identity theft report
for which they need to be able to allege an identity theft. For these
reasons, the Commission proposed adding ``attempt to commit fraud'' to
the definition. Although a number of commenters supported this
position,\11\ a number of commenters also opposed including ``attempt''
in the definition of ``identity theft.'' These commenters made three
principal arguments.
---------------------------------------------------------------------------
\11\ See, e.g., Keycorp EREG-000007 (``We support the
inclusion of attempted theft in the definition of `identity theft'
under the Act. Allowing a consumer to file an initial identity theft
report based on an attempted ID theft affords greater protection for
consumers and users of consumer reports.''); Equifax Information
Services, LLC 000023 (``Since an initial fraud alert may be
placed on a consumer's file by a consumer reporting agency when the
consumer has a suspicion that he or she `is about to become' a
victim of fraud, including `attempt' to commit fraud as part of the
definition is a logical and useful extension.''); and Teachers
Federal Credit Union EREG-000009 (``Yes, attempts to commit
frauds should be included in the definition, since fraud attempts
may have an adverse affect on a victim's credit report/score.'').
---------------------------------------------------------------------------
First, some commenters argued that it is not necessary for the
Commission to include ``attempt'' in the definition of ``identity
theft'' to enable consumers to remove fraudulent inquiries from their
consumer reports because these victims can dispute inaccurate
information in consumer reports with section 611 of the FCRA instead of
section 605B.\12\ If the Commission were to eliminate ``attempt'' from
the definition, it would be creating separate processes for handling
fraudulent tradelines and handling fraudulent inquiries under the FCRA.
No commenter indicated why fraudulent inquiries should be treated
differently from fraudulent tradelines. Further, the section 611
dispute process may not provide an adequate means of removing
inquiries. Because section 611 relies on consumers' ability to produce
``relevant documentation,'' \13\ it is best suited to addressing
inaccurate information that results from errors where consumers can
provide records showing that they have, for example, paid their debts.
Victims of identity theft, however, have no records showing that they
did not open an account and therefore, incurred no debts. Section 605B,
however, enables victims to use a law enforcement report as the basis
of their proof of the identity theft to block information specifically
resulting from identity theft from appearing on their consumer reports.
Thus, section 605B is designed specifically to help identity theft
victims correct information in their consumer reports that results from
fraudulent activity, whereas section 611 is not specifically tailored
for identity theft victims. Thus, the Commission sees no reason why
consumers with inquiries resulting from attempted fraud should be
barred from using this process.
---------------------------------------------------------------------------
\12\ See, e.g., MasterCard International 000025 (``We
note that consumers who are victims of attempted identity theft have
the ability to correct their consumer reports using the dispute
process already provided for in the FCRA. Thus, an expanded
definition of `identity theft' is not necessary to provide victims a
remedy to correct data on a consumer report.'').
\13\ Section 611 of the FCRA, 15 U.S.C. 1681i.
---------------------------------------------------------------------------
Second, commenters stated that it was not necessary for the
Commission to include ``attempt'' to assist in the placement of fraud
alerts because consumers do not need to be actual victims of identity
theft to place an initial fraud alert.\14\ The Commission agrees that
consumers will not need to prove identity theft to place an initial
fraud alert. The Commission, however, is concerned that in situations
where the identity thief continues to attempt to perpetrate frauds,
these victims may wish to place an extended fraud alert. Under section
605A of the FCRA, such victims will need an identity theft report
alleging an identity theft to obtain the extended fraud alert. An
extended fraud alert under these circumstances will alert businesses of
the need to take greater precautions and help to prevent losses.
---------------------------------------------------------------------------
\14\ See, e.g., MasterCard International 000025 (``The
Commission also suggests that a broad definition is necessary
because `victims who have learned of attempts by an identity thief
and want to reduce the likelihood that the identity thief will
succeed in opening new accounts may want to place an `initial fraud
alert' on their consumer reports.' We respectfully note that the
statute does not require a consumer to be a victim of `identity
theft' in order to place an initial alert in the consumer's file.
All that is necessary to place an initial alert in the file is for
the consumer to assert `in good faith a suspicion that the consumer
has been or is about to become a victim of fraud or related crime.'
We believe that a consumer who has been a victim of attempted
identity theft could make such an assertion regardless of whether
`identity theft' were to also mean `attempted identity theft.' '').
---------------------------------------------------------------------------
Finally, commenters argued that including ``attempt'' would divert
resources that could be better used to assist victims whose information
has been actually misused.\15\ It is not clear
[[Page 63924]]
how the inclusion of ``attempt'' would create such economic hardship as
to cause private entities to reallocate resources designated for
assisting victims; the provisions of the Act that implicate ``attempt''
either do not affect most private entities or would seem to assist in
the prevention of identity theft. For instance, creditors must take
certain steps to verify consumers' identities when fraud alerts appear
on consumer reports.\16\ Such verification would seem worthwhile to
prevent identity theft for consumers and financial institutions.
Notably, consumer reporting agencies, who will be the only private
entities obligated to place fraud alerts and block inquiries, either
supported the inclusion of ``attempt'' or did not comment.\17\
Similarly, inclusion will not result in increased processing of
identity theft reports by information furnishers because no accounts
will have been opened.
---------------------------------------------------------------------------
\15\ See, e.g., Wells Fargo and Company 000015 (``We
are concerned that defining `identity theft' to include
``attempted'' fraud would greatly expand the scope of conduct that
entities must take steps to prevent and would significantly increase
the number of consumers authorized to take advantage of the rights
that the FCRA confers upon identity theft victims. Expanding the
definition of identity theft beyond the traditional notion of an
individual opening an account or obtaining a loan in another
person's name would divert significant resources away from actual
identity theft and its victims in order to assist those who have
avoided any meaningful harm of identity theft. If a fraud is
attempted but not completed, the system will have averted identity
theft and the consumer will have suffered little, if any, harm. Any
harm that the consumer will have suffered can be, or already will
have been, adequately addressed.'').
\16\ Section 605A of the FCRA, 15 U.S.C. 1681c-1.
\17\ See, e.g., Consumer Data Industry Association
000012 (``CDIA agrees with the Commission that, in order to
trigger the important FCRA rights of potential identity theft
victims and to enable them to avoid being actual identity theft
victims, the definition should cover an attempted fraud, as well as
the actual offense.''); Experian Information Solutions
000009 (``The definition captures the appropriate elements;
it includes (a) a fraud that is attempted or committed, (b) using
`identifying information' of another, and (c) without lawful
authority.''); and Equifax Information Services, LLC 000023
(``Since an initial fraud alert may be placed on a consumer's file
by a consumer reporting agency when the consumer has a suspicion
that he or she `is about to become' a victim of fraud, including
`attempt' to commit fraud as part of the definition is a logical and
useful extension.'').
---------------------------------------------------------------------------
Accordingly, the Commission retains ``attempt'' in the definition
of identity theft.
2. Identifying Information
In the NPRM, the Commission proposed that ``identifying
information'' should have the same meaning as ``means of
identification'' found in the federal criminal code.\18\ This would
ensure that the term ``identity theft'' addressed the potential
permutations of identity fraud that might occur. It would also provide
consistency with the federal criminal law. A number of commenters
supported the Commission's proposal.\19\ However, because ``means of
identification,'' as defined in the criminal statute, includes check
routing, credit card, and debit card numbers, a number of commenters
were concerned that the proposed rule would cover too broad a range of
frauds, in particular, unauthorized use of a consumer's existing
accounts.\20\
---------------------------------------------------------------------------
\18\ ``Identity theft'' is defined in 18 U.S.C. 1028(a)(7) and
``means of identification'' is defined in 18 U.S.C. 1028(d)(7).
\19\ See, e.g., Office of the Judge Advocate General, Department
of the Navy 000011 (``As the Commission points out, the
criminal code's definition of `means of identification' covers the
appropriate range of identifying information and ensures that the
term `identity theft' addresses the relevant permutations of fraud
that might occur. Additionally, [sic] the Commission accurately
states, it ensures consistency with existing Federal law defining
what constitutes identity theft, which promotes clarity and ease of
application.'') and Experian Information Solutions 000012
(``Experian supports this definition as well; it encompasses the
different kinds of information that could be used to commit an
identity theft.'').
\20\ See, e.g., National Retail Federation 000005 (``We
would strongly urge the Commission to limit its definition of an
identity theft to those situations in which the perpetrators have
actually assumed someone else's identity, procured a new line of
credit and used that credit in the individual's name. We urge this
formulation to distinguish true ID Theft from `attempted' identity
theft or from situations involving `unauthorized use.' '').
Consumers themselves, however, consider that unauthorized use of
their accounts is a form of identity theft based on the fact that
they file complaints in the Commission's identity theft complaint
database about such unauthorized use. See http://www.consumer.gov/idtheft/charts/CY2002OverallCharts.pdf
for examples of the
statistical breakdown of consumer identity theft complaints to the
Commission.
---------------------------------------------------------------------------
For example, some commenters argued against including unauthorized
use of accounts in the definition of ``identity theft'' because other
federal laws provide victims with sufficient protection.\21\ While
other federal laws may provide victims with the means to redress
certain aspects of injuries resulting from the unauthorized use of an
account, these other laws do not necessarily address all aspects of
their injuries. For example, under the Fair Credit Billing Act,\22\
victims can dispute unauthorized credit card transactions on their
billing statement, but if the debts resulting from the disputed charges
appear on their consumer reports as delinquent,\23\ or if the victims
need to obtain related transaction records to assist in proving their
claim,\24\ victims may need to apply the rights provided by the FACT
Act. The Commission expects that victims of unauthorized account use
will continue to resolve their problems under other federal laws as
applicable, but they also may need and are entitled to the protections
provided by the Act.
---------------------------------------------------------------------------
\21\ See, e.g., Coalition to Implement the FACT Act
000019 (``Not only are there already provisions in existing
law, such as under the Truth in Lending Act and the Electronic Fund
Transfer Act, to protect consumers who are victims of crimes such as
account fraud, but we do not believe it would benefit victims of
true identity theft to dilute industry's efforts by giving victims
of less debilitating crimes equal priority as identity theft
victims.'').
\22\ 15 U.S.C. 1666-1666j.
\23\ See section 605B of the FCRA for the right to block
information resulting from identity theft from consumer reports. 15
U.S.C. 1681c-2.
\24\ See section 609(e) of the FCRA for the right to obtain
identity theft related transaction records. 15 U.S.C. 1681g.
---------------------------------------------------------------------------
Commenters also were concerned that including unauthorized use of a
consumer's existing accounts would encourage abuse of the credit
reporting system.\25\ The Commission recognizes the concern that the
Act, in creating new tools to assist victims in recovering from
identity theft (e.g., by enabling them to use the ``identity theft
report'' to block the reporting of fraudulent debts in their consumer
reports theft report,'' see infra II.B.), may give unscrupulous
individuals a new, or alternative means to attempt to exploit the
credit reporting system. The Commission, however, finds that the
definition of ``identity theft report'' (see infra II.B.) provides
consumer reporting agencies and information furnishers with adequate
means to distinguish between bona fide identity theft victims and
consumers attempting to defraud the system. The Commission has
concluded, therefore, that the possibility of limiting the potential
for abuse that might arise from narrowing the definition of identity
theft is outweighed by the need to provide bona fide victims of
unauthorized account use with the same rights accorded victims of other
forms of identity theft under the FCRA.
---------------------------------------------------------------------------
\25\ See, e.g., Wells Fargo and Company 000015 (``We
also believe that inclusion of traditional debit and credit card
fraud in the definition of `identity theft' will significantly
increase claims of identity theft, fraud alerts and requests to
block information. A significant increase in claims of this type
(many of which may be marginal or even untrue) could impact the
integrity of the entire information reporting system.'').
---------------------------------------------------------------------------
Accordingly, except for a technical change discussed in paragraph
II.A.4, the Commission defines ``identifying information'' to have the
same meaning as ``means of identification'' found in 18 U.S.C.
1028(d)(7).
3. Lawful Authority
In the NPRM, the Commission proposed that the definition of
identity theft require that a person's identifying information must be
used ``without
[[Page 63925]]
lawful authority.'' This definition was designed to prevent individuals
from colluding to obtain goods or services without paying for them and
then using the rights conferred by the Act to clear their credit
records of the negative, but legitimate, information. Most commenters
supported the Commission's addition, although some asked for additional
clarification.
Some commenters suggested that ``without lawful authority'' might
not fully prevent collusion.\26\ These commenters appear to argue that,
because no one can ``lawfully'' authorize an illegal act, a person
might give another person permission to use his or her identifying
information knowing that the recipient would use such information to
commit fraud, and then later allege ``identity theft'' because he never
gave ``lawful authority'' to use the information to commit fraud.\27\
The Commission doubts that the inability to ``lawfully'' authorize a
fraudulent act would provide a justification for alleging identity
theft in such circumstances. Nevertheless, to avoid any such result,
the Commission is deleting the term ``lawful'' from the final Rule.
Thus, the final Rule states that ``identity theft'' means ``a fraud
committed * * * using the identifying information of another person
without authority.'' The Rule is intended to apply to one person's
using the identifying information of another person without that
person's permission or approval.
---------------------------------------------------------------------------
\26\ See, e.g., Consumer Bankers Association 000007
(``The FTC states that `adding ``without lawful authority'' [to the
definition] prevents individuals from colluding with each other to
obtain goods or services without paying for them, and then'
attempting to allege that it is the result of identity theft. CBA
applauds the FTC for addressing this important issue. We do not
believe that consumers who benefit from a transaction should be able
to claim that the transaction is the result of identity theft.
Therefore, we urge that this concept be retained. However, we also
ask the FTC to clarify this issue in the Final Rule. In particular,
as the definition is drafted, it is not clear whether the modifier
`without lawful authority' would achieve the FTC's objective because
a fraud is already generally an act committed without lawful
authority.'').
\27\ Id.
---------------------------------------------------------------------------
In the NPRM, the Commission had asked for comment on whether the
definition of ``identity theft'' should include a requirement that a
person's identifying information be used without the person's
knowledge, to address concerns with collusion. The Commission received
few responsive comments, and although such a requirement could address
collusion, it would create problems for bona fide victims who may know
that their identifying information is in the process of being used, but
cannot stop the use. Thus, the Commission has determined not to include
``without knowledge'' in the definition of identity theft.
More broadly, some commenters were concerned that adding ``without
lawful authority'' would increase the difficulty of recovery for
certain victims such as minors.\28\ In the NPRM, the Commission stated
that parents who use their minor children's identifying information
purporting to be the minors are not exercising lawful authority. Lawful
authority, or authority alone, allows parents to use their minor
children's identifying information on behalf of the minors, but only
when acting in the capacity as the parent. Minors whose parents have
misused their identifying information by purporting to be the minors
will, therefore, be able to assert that their parents acted without
authority and will be entitled to all of the identity theft protections
under the FCRA.
---------------------------------------------------------------------------
\28\ See, e.g., Consumers Union EREG-000002 (``The
theft of the identities of children by their legal guardians could
pose special issues if the definition includes a requirement of lack
of legal authority. The explanatory language which suggests that a
legal representative never has the power to defraud the other person
is helpful, but adding this kind of requirement is likely to make it
much harder for a newly adult person to remove from his or her
credit record transactions not fairly attributed to that person,
when those transactions were initiated by a legal guardian.'').
---------------------------------------------------------------------------
Some commenters suggested a clarification that presumed authority
if the consumer refused to pursue prosecution.\29\ Although refusal to
prosecute may be a factor in considering whether an unauthorized use of
a person's identifying information has occurred, the Commission does
not believe that it constitutes prima facie evidence of a grant of
authority. Accordingly, the Commission declines to include a person's
refusal to prosecute the user of the person's identifying information
in the final rule.
---------------------------------------------------------------------------
\29\ Consumer Data Industry Association 000009 (``CDIA
agrees that an important element of the definition of identity theft
is that the person's identifying information is used without lawful
authority. As the Commission observes, individuals, such as
guardians and attorneys-in-fact, may have lawful authority to use
another's identifying information and may misuse that information to
commit fraud. CDIA's members have experienced situations where
consumers appear to have colluded with family members or friends to
perpetrate a fraud or attempted fraud using their own identifying
information. In those instances, the consumer refuses to prosecute
the perpetrator of the fraud or attempted fraud. For that reason,
CDIA believes that the final rule should provide that a consumer's
refusal to prosecute the perpetrator of an identity theft is prima
facie evidence that the consumer's identifying information was used
with the consumer's lawful authority and thus does not involve
identity theft.'').
---------------------------------------------------------------------------
4. Additional Changes
One commenter suggested that the Commission amend paragraph (b)(4)
(see n. 9) to clarify that identifying information includes credit card
and other account identification numbers by incorporating the language
referenced in 18 U.S.C. 1029(e) into the final rule.\30\ The Commission
considers that including the specific language of 18 U.S.C. 1029(e)
would add unnecessary verbiage to the rule and that the Commission can
use other means to publicize the concept that credit card account
numbers are included in the definition. For example, the Commission
previously addressed (see, supra II.A.2) the fact that unauthorized
account use is part of the definition of identity theft, and the
Commission will highlight this fact in any educational materials it
develops.
---------------------------------------------------------------------------
\30\ Consumer Data Industry Association 000009 (``As a
result of incorporating the U.S. Code definition into the proposed
rule, the rule's definition of identity theft could include the
authorized [sic] use of a credit card, PIN or similar access device.
CDIA understands that the Commission intends this result. However,
affected industry members may not associate the crime of identity
theft with the fraudulent use of a credit card number without
identifying information. For that reason, in order to facilitate
compliance, CDIA suggests that the final rule's definition of
identifying information incorporate the current U.S. Code definition
of `any telecommunication identifying information or access device.'
The final rule could also provide that the definition would include
the U.S. Code definition as it may be amended, to reflect changes in
technology.'').
---------------------------------------------------------------------------
Finally, the Commission has corrected a drafting error made in
clarifying the term ``identifying information.'' In paragraph (b), the
Commission has replaced the clause ``to identify a specific
individual'' with ``to identify a specific person'' to conform the
elements of ``identifying information'' with the definition of
``identity theft'' in the Act, which uses the term ``person.''
Except for this technical change and the removal of the word
``lawful,'' the Commission adopts the definition of ``identity theft''
without modification.
B. Section 603.3: Identity Theft Report
Under section 111 of the Act, the Commission is required to
determine the meaning of the term ``identity theft report,'' using as
the foundation a minimum definition set forth in the Act.\31\ Consumers
can use the identity
[[Page 63926]]
theft report to block information resulting from identity theft from
their consumer reports \32\ and prevent information furnishers from
refurnishing such information,\33\ as noted in the NPRM. The Commission
is concerned that the identity theft report might be misused by some to
attempt to remove accurate, but negative, information from their
consumer reports, notwithstanding the Act's requirement that the filing
of the report be subject to criminal penalties for the filing of false
information.\34\ Because certain law enforcement agencies, including
most federal agencies, allow consumers to file law enforcement reports
through an automated system (i.e., the report can be filed by mail,
telephone, or via the Internet, instead of in a face-to-face interview
with a law enforcement officer), the Commission is concerned that
consumers using an automated means might have less compunction about
filing a false report. Moreover, because consumer reporting agencies
and information furnishers most likely will receive and be required to
act upon the law enforcement report before the identity theft complaint
is fully investigated by the law enforcement agency, they will be faced
with the initial responsibility for determining the legitimacy of an
identity theft claim.\35\
---------------------------------------------------------------------------
\31\ Under the Act, an identity theft report is, ``at a minimum,
a report--(A) that alleges identity theft; (B) that is a copy of an
official, valid report filed by the consumer with an appropriate
Federal, State, or local law enforcement agency, including the
United States Postal Inspection Service, or such other government
agency deemed appropriate by the Commission; and (C) the filing of
which subjects the person filing the report to criminal penalties
relating to the filing of false information, if, in fact, the
information in the report is false.'' 15 U.S.C. 1681a(q)(4).
\32\ Section 605B of the FCRA, 15 U.S.C. 1681c-2.
\33\ Section 623(a)(6)(B) of the FCRA, 15 U.S.C. 1681s-
2(a)(6)(B).
\34\ 69 FR 23371.
\35\ As further protection against abuse of the credit reporting
system, the Act also provides the consumer reporting agencies and
information furnishers with some ability to reject or reinstate a
block or continue furnishing information (see sections 605B(c) and
623(a)(6)(B) of the FCRA, 15 U.S.C. 1681c-2(c) and 15 U.S.C. 1681s-
2(a)(6)(B)). In practice, it may be difficult for the consumer
reporting agencies or information furnishers to make such
determinations without an investigation of the claim of identity
theft. This investigation may be difficult to conduct without the
cooperation of the consumer making the claim.
---------------------------------------------------------------------------
For these reasons, the Commission's proposal allowed consumer
reporting agencies and information furnishers to investigate identity
theft claims much to the same extent that they could prior to the Act.
At the same time, the Commission wanted to ensure that bona fide
victims could resolve their identity theft problems without undue delay
or burden. The Commission's proposal, with specific limitations, allows
consumer reporting agencies and information furnishers to make requests
for information and documentation in addition to the law enforcement
report to verify the identity theft claim, and to require that
consumers allege the identity theft with as much specificity as
possible.\36\ The Commission also proposed some examples of when it
would or would not be reasonable to request additional information or
documentation. While a few commenters unreservedly supported the
Commission's proposal,\37\ as outlined below, most commenters had
concerns about some aspect of the Commission's proposal.
---------------------------------------------------------------------------
\36\ 69 FR 23372. The definition proposed in the NPRM:
(a) The term `identity theft report' means a report--
(1) That alleges identity theft with as much specificity as the
consumer can provide;
(2) That is a copy of an official, valid report filed by the
consumer with a Federal, State, or local law enforcement agency,
including the United States Postal Inspection Service, the filing of
which subjects the person filing the report to criminal penalties
relating to the filing of false information, if, in fact, the
information in the report is false; and
(3) That may include additional information or documentation
that an information furnisher or consumer reporting agency
reasonably requests for the purpose of determining the validity of
the alleged identity theft, provided that the information furnisher
or consumer reporting agency makes such request not later than five
business days after the date of receipt of the copy of the report
form identified in paragraph (2) or the request by the consumer for
the particular service, whichever shall be the later.
\37\ See, e.g., Independent Community Bankers of America
EREG-000004 (``The ICBA agrees that it is appropriate that
credit reporting agencies and information furnishers have the
authority to require as much specificity as possible when
investigating an allegation of identity theft. To begin with, this
will help discourage fraudulent claims of identity theft and abuse
of the system, a step that is especially important since, as noted
above, Congress created serious remedies for a serious problem.
Second, greater specificity will help information furnishers and
credit reporting agencies better identify the actual fraud that
should be blocked on a credit report.'').
---------------------------------------------------------------------------
Although many commenters were concerned about the possibility of
misuse of the identity theft report, they felt that the Commission's
proposed remedies were not sufficient to deter this potential
problem.\38\ Commenters suggested ways in which the rule could better
address this concern. For example, some commenters wrote that the
Commission should limit the type of law enforcement agency with which a
report about identity theft could be filed by further defining what
constitutes an ``appropriate'' law enforcement agency. Specifically,
some commenters suggested narrowing the term to exclude law enforcement
agencies that enforce laws unrelated to identity theft on the grounds
that they are unlikely to investigate any reports of identity theft
which they receive, thus encouraging the filing of false reports.\39\
Other commenters felt that law enforcement agencies with automated
systems should not be considered ``appropriate.'' \40\ Finally, a
number of commenters thought that the Commission should clarify that
the Commission itself is not an appropriate law enforcement agency in
part because it lacks criminal arrest authority.\41\
---------------------------------------------------------------------------
\38\ See, e.g., American Financial Services Association
000010 (``AFSA appreciates the Commission's effort to
carefully balance the important considerations underlying the FACTA
identity theft provisions * * * as the Commission recognizes in its
Supplementary Information accompanying the Proposed Rule, identity
theft reports `could provide a powerful tool for misuse, allowing
persons to engage in illegal activities in an effort to remove or
block accurate, but negative, information from their consumer
reports.' [Footnote 2: 69 Fed. Reg. 23,371.] AFSA is concerned that
the Proposed Rule has not fully addressed this risk identified by
the Commission and that, as written, the Rule may allow the
unscrupulous to turn a system intended to protect consumers into a
system that could be easily used to deceive and defraud creditors
and other users of consumer report information.'').
\39\ See, e.g., Consumer Bankers Association 000007
(``For example, the statute would appear to prohibit the filing of
an identity theft report with the Federal Communications Commission
(``FCC''), because an agency charged with enforcing several
different laws unrelated to identity theft would clearly not be an
appropriate recipient of a report alleging identity theft. Not only
can the FCC do very little about investigating the identity theft,
but the FCC is unlikely to spend a lot of resources to determine
whether the consumer has lied in the report.'').
\40\ See, e.g., Boeing Employees Credit Union 000002
(``We do not agree with the automated method of reporting identity
theft. Allowing the reporting to be a faceless transaction with zero
law enforcement involvement makes it extremely convenient for
someone to falsify a report. In our opinion, to qualify for these
protections, the consumers must provide adequate proof of fraud in
person.'').
\41\ See, e.g., American Bankers Association EREG-
000034 (``Complaints filed with the Commission's Identity Theft Data
Clearinghouse should be excluded, unless the Commission has
authority to arrest a person filing a false report.'').
By contrast, the National Association of Attorneys General
(000008) suggested that the Commission explicitly include
itself as an agency with which victims can file identity theft
complaints in the final rule. The Commission considers that the
final rule is clear that victims may submit reports to any federal
law enforcement agency which accepts identity theft complaints.
Therefore, although Congress opted to name the United States Postal
Inspection Service in the definition of ``identity theft report,''
it is unnecessary to name the Commission or any other federal agency
specifically.
---------------------------------------------------------------------------
After considering these comments, the Commission has determined
that it is not necessary to limit further the law enforcement agencies
with which identity theft victims can file a report. First, the
Commission does not find that restricting law enforcement agencies to
those that enforce specific identity theft laws would provide
meaningful guidance because identity theft can take many forms and can
be prosecuted under many different laws.\42\ Rather, the
[[Page 63927]]
Commission notes that consumer reporting agencies and information
furnishers may take into account whether the agency with which the law
enforcement report was filed appears to have been chosen for the
purpose of avoiding inquiry into the identity theft when determining
whether to request additional information or documentation to assess
the validity of the identity theft claim.
---------------------------------------------------------------------------
\42\ A law enforcement agency may derive its authority to
investigate identity theft cases not from a specific law
criminalizing identity theft, but from a law criminalizing bank
fraud, for example.
---------------------------------------------------------------------------
Second, the Commission notes that some victims are faced with
police departments that will not take identity theft complaints. This
problem, combined with the fact that most federal and some state law
enforcement agencies use automated systems to take reports means that
excluding law enforcement agencies that take automated reports would
unduly burden victims of identity theft. Finally, the Commission is not
convinced that excluding the Commission's complaint intake system would
diminish the risk of false filings, because the Commission, like any
other law enforcement agency, can take steps to pursue any evidence of
false filings.\43\
---------------------------------------------------------------------------
\43\ See 18 U.S.C. 1001. Although the Commission does not have
criminal authority to arrest a person or to prosecute identity theft
cases directly, based on its Congressional mandate under the 1998
Identity Theft Assumption and Deterrence Act, Pub. L. 105-318, 112
Stat. 3007 (1998) (codified at 18 U.S.C. 1028), it works closely
with criminal law enforcement agencies at all governmental levels to
analyze the complaints in its database and refer out possible leads
for investigation. Thus, complaints made to the Commission may be
subject to criminal law enforcement review in much the same way as
complaints made directly to federal agencies with criminal
authority.
---------------------------------------------------------------------------
On a different issue, certain commenters raised concerns about the
meaning of an ``official, valid report.'' Some requested that the
Commission clarify this concept. In order for the report to be
considered official and valid, others wanted the report form to state
that criminal penalties apply to false statements.\44\ The Commission
does not find the term ``official, valid report'' to be ambiguous.
Further, if the consumer reporting agencies or information furnishers
receive copies of law enforcement reports that contain so little
information or indications of authenticity as to cause them to be
unable to verify that a genuine law enforcement agency issued the
report or accepted the filing, or if they determine that the report was
fraudulent in any material aspect, they may reject the document as not
being a copy of an official, valid law enforcement report.\45\ Finally,
because not all police report forms contain an express notice regarding
criminal penalties for false statements, the Commission considers that
excluding a law enforcement report on such a basis would add
unnecessary consumer confusion and hardship to the process of obtaining
a law enforcement report.
---------------------------------------------------------------------------
\44\ See, e.g., Consumer Data Industry Association
000009 (``* * * the rule should give examples of what
constitutes a `an official, valid report') and Experian Information
Solutions 000012 (``An `official, valid' report is one that
on its face demonstrates that the complainant is subject to criminal
penalties for any false statements in the report.'').
\45\ With respect to reports filed with an automated system, a
consumer reporting agency or information furnisher could expect to
receive some evidence of a filing confirmation receipt along with
the copy of the actual report, thereby allowing it to verify with
the agency that a report was filed.
---------------------------------------------------------------------------
Some commenters were concerned that the Commission's proposal to
allow consumer reporting agencies and information furnishers to make
reasonable requests for additional information or documentation for an
``identity theft report'' may result in consumer confusion by requiring
victims to submit different information or documentation to different
companies.\46\ Commenters also argued that permitting a reasonable
request for additional information or documentation created the
potential for abuse,\47\ and could make recovery more difficult as well
as delay the provision of services.\48\ Permitting a reasonable request
for additional information or documentation may result in victims
having to submit different information or documentation to different
companies. However, the requirement that the request must be reasonable
should limit requests. On balance, the Commission believes that
allowing consumer reporting agencies and information furnishers to make
reasonable requests on a case-by-case basis will help prevent abuse of
the credit reporting system and maintain the viability of the recovery
process for bona fide victims as contemplated by the Act.
---------------------------------------------------------------------------
\46\ See, e.g., Consumers Union EREG-000002 (``* * *
the proposed definition will create a bewildering situation in which
one consumer could be required to augment a single police report in
different ways for different CRAs and different furnishers in order
to meet the basic definition of an identity theft report. It will be
impossible for the Commission, consumer groups, or even CRAs and
creditors to tell consumers what to file to constitute an identity
theft report.'').
The National Association of Attorneys General (000008)
suggested an alternative to allowing variable requests for
additional information or documentation in that, ``* * * the
regulations should provide one form containing all information that
identity theft victims are expected to provide, such as the FTC
affidavit form which is already available on the FTC's website.''
The referenced ID Theft Affidavit was developed by the
Commission in coordination with consumer advocate organizations and
financial institutions. While it was intended to save time for
victims by giving them a uniform means to provide basic information
about their identity theft claim, it never purported to cover all
necessary information, and companies might ask for additional
information. See Instructions for Completing the ID Theft Affidavit
at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf. Given
the variety of forms of identity theft, it is doubtful that a single
form could contain all information that all identity theft victims
could be expected to provide, yet not be overly burdensome to
complete. For example, an information furnisher may need to confirm
passwords or other security measures when unauthorized account use
has occurred.
\47\ Consumers Union (EREG-000002) also was concerned
that requests for additional information or documentation may be
abused by consumer reporting agencies and information furnishers.
The Commission disagrees that it has opened the door to abusive
requests. The Commission carefully crafted the proposed rule to
require that requests for additional information or documentation be
reasonable.
\48\ Finally, Consumers Union (EREG-000002) argued that
allowing requests for additional information would delay the
placement of extended fraud alerts. The Commission stated in the
examples in the final rule that a law enforcement report submitted
for the purpose of obtaining an extended fraud alert, even if filed
using an automated system, should not trigger a request for
additional information or documentation. In developing this example,
it did not appear to the Commission that requests for extended fraud
alerts needed to be subject to special scrutiny as there had been no
evidence that fraud alerts under the voluntary placement system were
requested without cause. No commenters raised any objection to this
example. Thus, the Commission anticipates that victims will obtain
extended fraud alerts without additional delay in accordance with
the placement procedures set forth by the Act.
In any event, consumers who have not already done so may place
an initial alert while their request for an extended alert is being
processed. Thus, consumers who immediately place an initial fraud
alert will receive all of the benefits of this alert.
---------------------------------------------------------------------------
Other comments raised the concern that the Commission's five
business day time limit on the request for additional information or
documentation did not provide a long enough time period to evaluate the
need for and to make an initial request.\49\ The Commission
[[Page 63928]]
recognizes that five business days may not be long enough to fairly
evaluate the law enforcement report for some consumer reporting
agencies or information furnishers. The consequences may be to force
them to choose between accepting the law enforcement report as the
complete identity theft report regardless of whether the identity theft
claim is legitimate, or sending out pro forma requests for additional
information or documentation, which may or may not be reasonable under
the circumstances. The former instance would undermine the Commission's
reasons for allowing reasonable requests of information or
documentation initially--to minimize abuse of the credit reporting
system. The latter instance might result in an increase of consumer
complaints and disputes regarding the reasonableness of the information
or documentation requests, which would not be a beneficial use of
consumers' time and resources. Thus, the Commission considers that
allowing consumer reporting agencies and information furnishers to have
a longer period of time to evaluate the law enforcement report will
better limit fraud and provide a better outcome overall for consumers.
---------------------------------------------------------------------------
\49\ See, e.g., Michigan Credit Union League EREG-
000024 (``We believe that the five-business day window may be
insufficient time to allow credit unions to request the additional
information. This might particularly impact credit unions that are
very large or very small. Large credit unions could potentially be
inundated with identity theft reports and not be able to request
that information within the proposed time frame. Small credit unions
may not have the staffing or be open more than one to two days per
week. This would prevent them from being able to request this
information.'') and Keycorp EREG-000007 (``We believe it is
appropriate to include additional documentation requirements in the
definition of ``Identity Theft Report.'' However, we are greatly
concerned with regard to the timing of the information request by
the furnisher or credit reporting agency. Given the complexity of
the financial transactions that may be involved in the ID theft
claim, coupled with the number of Identity Theft Reports an
institution may receive, we do not believe that five business days
is sufficient time to receive the Identity Theft Report, evaluate
the transaction information contained in the Report, determine what
additional information may be required from the consumer to validate
the claim, and request the information from the consumer. We believe
a minimum of fifteen business days is required to properly evaluate
and react to an Identity Theft Report responsibly.'').
---------------------------------------------------------------------------
Commenters' suggestions on a longer time period ranged from ten to
thirty days (both calendar and business days). The Commission has
determined to modify its proposed rule to allow consumer reporting
agencies and information furnishers to have fifteen calendar days to
make an initial request for additional information or documentation.
Fifteen calendar days is approximately five business days more than the
Commission had originally proposed, which should allow all consumer
reporting agencies and information furnishers sufficient time to
determine whether additional information or documentation is needed,
but should not cause victims undue delay.
Some commenters also requested an opportunity to make further
requests for information or documentation, if necessary.\50\ The
Commission believes that an exchange of communication between consumer
reporting agencies or information furnishers and consumers will allow
for a more thorough investigation of the validity of identity theft
claims. Furthermore, some consumers may make mistakes in what
information or documentation they provide initially and would benefit
from further opportunities to furnish the correct information.
---------------------------------------------------------------------------
\50\ See, e.g., American Bankers Association EREG-
000034 (``* * * the Commission should permit more than a single
request. In many cases, it will be necessary to request additional
information in order to properly handle the claim as it
progresses.'').
---------------------------------------------------------------------------
Commenters generally suggested one time period to cover both
initial and multiple requests or made no specific suggestions. The
Commission believes that additional requests should be permitted.
However, one time period for both initial and multiple requests could
result in the first request of additional information or documentation
being made on the last day of the time period, with subsequent requests
being made at indefinite times thereafter. The Commission believes that
this could unfairly delay the recovery of victims. Therefore, the
Commission has determined to retain a limited time period (fifteen
calendar days) for an initial request to ensure that an investigation
commences promptly, and to set a time limit of fifteen additional days
after the initial request for any further requests for information or
documentation, as well as a final determination on acceptance or
rejection of the ``identity theft report.'' However, in the event that
a consumer should submit the additional information or documentation
too late in this second fifteen day period for a consumer reporting
agency or an information furnisher reasonably to be able to review it,
the Commission will allow the consumer reporting agency or information
furnisher an additional five days to make a final determination on
acceptance or rejection of the ``identity theft report.'' For example,
if the additional information or documentation is received on day
fourteen of this second fifteen day period, the consumer reporting
agency or information furnisher may have five days, if needed, to make
a final determination on acceptance or rejection of the ``identity
theft report.''
Thus, although in many instances it should take much less time to
reach a final determination,\51\ under no circumstances will it take
longer than thirty-five days.\52\ This timing balances the needs of
victims to have a finite process for submitting an identity theft
report, with the needs of consumer reporting agencies and information
furnishers to verify the identity theft. To ensure that victims will
understand the operation of this final rule and to facilitate their
ability to obtain an identity theft report with minimal delay, the
Commission will conduct consumer and business education to advise
victims of their rights. The Commission anticipates that should
consumer reporting agencies and information furnishers make requests
for additional information or documentation, they will inform consumers
about the time frame within which information or documentation should
be submitted and the outcome if the requested information or
documentation is not submitted in a timely manner.
---------------------------------------------------------------------------
\51\ The Commission expects that consumer reporting agencies and
information furnishers will make any requests as expeditiously as
possible. In particular, it expects that any supplemental requests
for information or documentation would be made as soon as
practicable to allow consumers sufficient time to respond. It
further notes that in practice, many victims may make initial
contact with a company by a telephone call as opposed to submission
of a law enforcement report. At that time, many consumer reporting
agencies or information furnishers likely would discuss with the
victim what information or documentation, if any, in addition to the
law enforcement report may be needed to validate the identity theft
claim so that victims can expedite the process by submitting all
necessary documentation together. Thus, the Commission anticipates
that a consumer reporting agency or information furnisher may
develop an even more efficient and accommodating process for
assisting identity theft victims than the minimum standard for
timing set forth under this final rule.
\52\ While not directly on point, the Commission observes that
the section 611 time period for reinvestigation of disputed
information can range from thirty to forty-five days depending on
whether the consumer provides the consumer reporting agency with
additional relevant documentation. 15 U.S.C. 1681i. The maximum
thirty-five day period here is adequate because, unlike under
section 611, the procedures here explicitly contemplate a dialogue,
if needed, within the second fifteen day period, with a possible
additional five days for final review.
---------------------------------------------------------------------------
Additionally, a number of commenters requested that the Commission
develop a procedure by which consumer reporting agencies or information
furnishers could reject identity theft reports. The Commission believes
that consumer reporting agencies and information furnishers already
have a procedure for rejecting identity theft reports. If the document
or documents the consumer presents do not meet the definition set forth
in the final rule, the consumer reporting agencies and information
furnishers can reject them.
A number of commenters also requested that the Commission clarify
the clause ``filed by the consumer'' in paragraph (2) to mean filed
directly by the consumer, and not by someone else on behalf of the
consumer, as a means of preventing illegal credit repair.\53\ The
[[Page 63929]]
Commission believes that there may be a number of legitimate reasons
why a third party (e.g., a guardian or an attorney-in-fact) might file
an identity theft report on behalf of a consumer. The Commission
believes that to the extent a third party is filing false identity
theft reports on behalf of a consumer, the Commission has provided
consumer reporting agencies and information furnishers with sufficient
flexibility within the definition to determine the validity of the
identity theft report just as if the consumers had filed the false
identity theft reports themselves. In fact, to the extent a consumer
reporting agency or information furnisher recognizes the same filer or
a pattern to the filings, it could consider such information as a
factor in determining the validity of the identity theft report.
---------------------------------------------------------------------------
\53\ See, e.g., Consumer Bankers Association 000007
(``We believe an important corollary to the requirement that the
identity theft report be filed with an appropriate law enforcement
agency is that the report must be filed by the consumer, and not by
another entity. CBA is concerned that credit repair clinics and
other unscrupulous individuals should not be permitted to file
identity theft reports on consumers' behalf.'').
---------------------------------------------------------------------------
In the NPRM, the Commission provided examples of when it would or
would not be reasonable to request additional information or
documentation. Commenters asked for clarification on these examples.
With respect to the first example,\54\ a number of commenters wanted to
be able to request additional information or documentation even if the
victim provided a suitable police report. Some commenters pointed to
section 609(e) of the FCRA, which allows a business to ask for a police
report and an affidavit to verify a claim of identity theft before
providing copies of the victim's identity theft related transaction
records, as an example that Congress intended that they should be able
to request additional information or documentation in all cases.\55\
---------------------------------------------------------------------------
\54\ Example 1: A law enforcement report containing detailed
information about the identity theft and the signature, badge number
or other identification information of the individual law
enforcement official taking the report should be sufficient on its
face to support a victim's request. In this case, without an
identifiable concern, such as an indication that the report was
obtained fraudulently, it would not be reasonable for an information
furnisher or consumer reporting agency to request additional
information or documentation. 69 FR 23378.
\55\ See, e.g., Consumer Data Industry Association
000009 (``In addition, the verification element is
consistent with the FACT Act provisions, codified in FCRA section
609(e), with respect to the obligations of a business entity to
disclose information to an identity theft victim. Those provisions
give the entity the discretion always to request the following from
the victim, in order to verify the claim of identity theft: (i) A
copy of a police report evidencing the claim; and (ii) a properly
completed (I) copy of a standardized affidavit of identity theft
developed and made available by the Commission; or (II) an affidavit
of fact that is acceptable to the business entity for that purpose.
[Footnote 12: FCRA 609(e)(2)(B); 15 U.S.C. 1681g(e)(2)(B) (emphasis
added).] However, as discussed below, CDIA is concerned that the
illustrative examples in the Proposed Rule appear to suggest that in
some instances, it would be unreasonable for a consumer reporting
agency to request a fraud affidavit or similar information when the
consumer provides a police report. Such a suggestion would create
unjustified inconsistency, because the FCRA itself permits
furnishers to use their discretion to request such information in
similar circumstances.'').
---------------------------------------------------------------------------
The Commission views the examples as sufficiently clear; they
convey that it is reasonable for a consumer reporting agency or
information furnisher to request additional information or
documentation if the in-person police report is lacking in necessary
information or the consumer reporting agency or information furnisher
can identify some other reasonable concern underlying the request.
Thus, although the examples are intended to demonstrate that victims
should not be required to provide redundant information for no
discernable reason, they make equally clear that consumer reporting
agencies or information furnishers are not prevented from taking
reasonable steps to verify the identity theft.
Moreover, Congress did not include the requirements of section
609(e) in the definition of ``identity theft report.'' Instead, it
granted the Commission rulemaking authority to determine how the
``identity theft report'' should most appropriately be defined. The
Commission believes that it would be overly burdensome to consumers if
consumer reporting agencies and information furnishers could request
additional information or documentation without an underlying
rationale. Further, as discussed above, the Commission believes that it
has provided consumer reporting agencies and information furnishers
with sufficient flexibility to verify identity theft claims.
Some commenters were concerned that specific language in the first
example, that ``the report was fraudulently obtained,'' excluded
reports that were counterfeit or otherwise falsified.\56\ For the sake
of clarity, the Commission has changed this language to ``the report
was fraudulent.'' At least one commenter noted that the fifth example
seemed unclear.\57\ The Commission agrees and considers that the
caution against unreasonable redundancy in example 5 is already covered
by the other examples. Therefore, it has deleted the fifth example. The
remaining examples are unchanged.
---------------------------------------------------------------------------
\56\ See, e.g., Consumer Data Industry Association
000009 (``Although the example would permit requests for
additional information if there is some indication that the report
was obtained fraudulently, the example should also permit additional
information if the report was fraudulently created or altered.'').
\57\ See, e.g., Consumer Data Industry Association
000009 (``(5) If the information the information furnishers
or the consumer reporting agencies are seeking is already found in
the law enforcement report which is otherwise satisfactory, it would
not be reasonable to request that the consumer fill out the same
information on a different form. The point of this example is
unclear.'').
---------------------------------------------------------------------------
C. Section 613.1: Duration of Active Duty Alerts
Under section 112 of the Act, service members who meet the
definition of an active duty military consumer \58\ are permitted to
place an active duty alert in their consumer report maintained by a
nationwide consumer reporting agency covered under the definition of
section 603(p) of the FCRA. The Act sets a minimum period of 12 months
for the duration of the active duty alert, but required the Commission
to determine if this period should be longer. In the NPRM, the
Commission proposed to maintain the duration of the active duty alert
at 12 months because it believed that 12 months would cover adequately
the time period for which the majority of service members would be
deployed. A number of commenters, including the one service branch
commenting directly on the issue, supported the Commission's
proposal.\59\
---------------------------------------------------------------------------
\58\ FACT Act sec. 111, codified at FCRA sec. 603(q)(1), 15
U.S.C. 1681a(q)(1).
The term ``active duty military consumer'' means a consumer in
military service who--
(A) Is on active duty (as defined in section 101(d)(1) of Title
10 U.S.C.) or is a reservist performing duty under a call or order
to active duty under a provision of law referred to in section
01(a)(13) of Title 10 U.S.C.; and
(B) Is assigned to service away from the usual duty station of
the consumer.
The Commission notes that the United States Marine Corps
(000004) requested clarification of this definition due to
concerns that reservists do not have a usual duty station and that
some service assignments may only be temporary. However, with
respect to active duty alerts, Congress charged the Commission
solely with considering whether to lengthen the duration of the
active duty alert.
\59\ See, e.g., Office of the Judge Advocate General, Department
of the Navy 000011 (``The active duty alert should remain
at 12 months. * * * The disadvantage of a longer duration for the
active duty alert is that service members may need to remove the
alert instead of allowing it to expire. For understandable security
reasons it will be more difficult to remove an alert than it is to
place one. Delays experienced in removing an alert can negatively
impact an individual's ability to establish lines of credit or
procure loans. Additionally, a 12-month duration for an alert
strikes the balance of meeting the active duty military member's
needs without being an undue burden on consumers or creditors.'').
---------------------------------------------------------------------------
Opposing commenters generally suggested that service members should
be able to choose their own duration or select among options of pre-
determined lengths.\60\ The Commission has
[[Page 63930]]
understood that a term of deployment is generally 12 months or less.
Deployments may be extended, but service members will not know if their
deployments will be extended before they leave on their initial
deployment. Thus, it would seem, in the majority of cases, that it
would be impossible for service members to accurately select a duration
greater than 12 months.
---------------------------------------------------------------------------
\60\ See, e.g., Navy Federal Credit Union 000022
(``While many tours of active duty may span 12 months, many do not.
We believe that the agency should prescribe flexibility for those
cases where a servicemember's deployment extends beyond the 12-month
duration and broaden the definition of `active duty alert.' We
suggest that the rule be written to allow a servicemember to place
an alert from 12 to 24 months or, in the alternative, allow the
servicemember to place an alert for the expected term of his or her
tour of duty.'').
---------------------------------------------------------------------------
The Commission considers that a better solution would be for
service members whose deployments are greater than 12 months to place a
subsequent active duty alert.\61\ In the NPRM, the Commission asked for
comments on the ability of service members to do so, particularly if
they already are deployed. The Commission received only a few
responsive comments.\62\ The one comment on the issue from a military
service branch indicated that its personnel likely would have access to
email, regular U.S. mail and/or a commercial phone line at least during
a portion of the deployment. The Commission expects that the active
duty alert may be renewed by using at least some of these communication
methods.\63\
---------------------------------------------------------------------------
\61\ The Commission notes that although the Act is silent on the
placement of subsequent alerts, it would be illogical to read the
Act otherwise because service members may go on deployments that
meet the elements of the definition of the term ``active duty
military consumer'' several times during their service careers.
\62\ See, e.g., Office of the Judge Advocate General, Department
of the Navy 000011 (``Navy personnel on extended
deployments will in most circumstances have access to Email, regular
U.S. Mail and/or a commercial phone line at least during a portion
of the deployment. Assuming one of these methods of communication
will be sufficient to establish or extend an active duty alert then
it should not be difficult for a service member to accomplish.
Additionally, deploying units frequently hold pre-deployment
briefings at which deploying personnel can be briefed on the active
duty alert and the option of identifying a personal representative
capable of extending the active duty alert if it becomes
necessary.''); Michigan Credit Union League EREG-000024
(``If necessary, we don't believe that it would be difficult to
extend an active duty alert, since part of the process of being
called to active duty often requires a service person to designate a
person as their power of attorney. If the active duty is going to be
extended, then the service person or a designated power of attorney
could request an extension.''); and Consumers Union EREG-
000002 (``It will be difficult for some. While many service members
do have a personal representative, others, particularly those
without spouses, may not wish to give another person access to their
credit record.'').
\63\ Communication also should be made easier for deployed
service members because they only need to contact one of the
consumer reporting agencies when placing an active duty alert. Under
section 605A of the FCRA, the contacted consumer reporting agency
must refer the request for placement to the other nationwide
consumer reporting agencies. 15 U.S.C. 1681c-1.
---------------------------------------------------------------------------
Accordingly, the Commission adopts the duration of the active duty
alert without modification.
D. Section 614.1: Appropriate Proof of Identity
Subsection 112(b) of the Act requires the Commission to determine
what constitutes appropriate proof of identity for purposes of sections
605A (request by a consumer, or an individual acting on behalf of or as
a personal representative of a consumer, for placing and removing fraud
and active duty alerts), 605B (request by a consumer for blocking
fraudulent information on consumer reports), and 609(a)(1) (request by
a consumer for Social Security number truncation on file disclosures)
of the FCRA, as amended by the Act. The Commission proposed that the
rule would require consumer reporting agencies to develop reasonable
requirements to identify consumers in accordance with the risk of harm
that may arise from a misidentification, but which, at a minimum,
should be sufficient to match consumers with their files. The
Commission also proposed examples of the kind of information that it
might be reasonable to request to match consumers with their files as
well as for additional identification. In developing this proposal, the
Commission determined that the central consideration was the balance
between the harm to the consumer that might arise from inadequate
identification with the harm that might arise from delayed or failed
fulfillment of requested services due to greater levels of scrutiny.
Because the Commission considered that the risk of harm may differ
depending on a variety of factors including the service being
requested,\64\ it sought to develop a standard of proof that had
sufficient flexibility to accommodate these differences. Moreover, the
Commission viewed the consumer reporting agencies as being in the best
position to assess these differences. Commenters were generally
supportive of the Commission's approach,\65\ but many requested
clarifications on various points.
---------------------------------------------------------------------------
\64\ For example, given the function of fraud alerts in
preventing identity theft, they need to be placed without delay, yet
they seem unlikely to be placed by someone other than the consumer
or without authorization from the consumer. Thus, unless these
circumstances were to change, it would not seem necessary to require
more identification than is needed to match the consumer's file.
With respect to requests for removal of fraud alerts, however, there
would seem to be some incentive for someone other than the consumer,
such as an identity thief, to remove them. A delay due to greater
scrutiny of the requester would likely cause less harm than an
improper removal, and would thus justify greater proof of identity.
69 FR 23374.
\65\ See, e.g., Consumer Bankers Association 000007
(``The Proposed Rule requires consumer reporting agencies to
`develop and implement reasonable requirements for what information
consumers shall provide to constitute proof of identity.' We commend
the FTC for determining that the consumer reporting agencies are in
the best position to determine what should suffice as `appropriate
proof of identity' in these circumstances. Like the FTC, we believe
that the consumer reporting agencies are best equipped to evaluate
the risks of misidentifying the consumer as well as the types of
information that would be necessary to identify the consumer
properly. Therefore, we urge the FTC retain this approach in the
Final Rule.'').
---------------------------------------------------------------------------
A few commenters requested clarification that the Commission's rule
did not require that a consumer reporting agency be able to match
consumer-provided information with their file information to a perfect
degree.\66\ This rule is not intended to reach the question of whether
a consumer reporting agency should match information completely, but
rather to set forth the type of information that would allow the agency
to accurately find the right consumer's file in its database, and as
necessary, determine that the requester is in fact the consumer.
---------------------------------------------------------------------------
\66\ See, e.g., Sprint Corporation EREG-000013 (``The
Commission should make clear that when a file match process is used,
it is not requiring that there be a `full match.' For example, a
consumer may provide his address as 143rd. yet other records may
identify the address as 143rd Street or Terrace. Similar variances
or even keystroke errors can occur with street numbers and customer
names. If a 100 percent match were required, a high percentage of
requests would likely be rejected by automated systems and fall out
for manual processing, which would entail length delays and add
significant costs. The Commission should make clear that it is not
requiring reporting agencies and information furnishers to use,
build or modify systems requiring a 100 percent match with no
variance allowed, if they use a file match process.'').
---------------------------------------------------------------------------
Other commenters were concerned that the rule not be used to make
it more difficult for consumers to obtain the requested services.\67\
Because the rule states that consumer reporting agencies ``shall
develop and implement
[[Page 63931]]
reasonable requirements for what information consumers shall provide,''
the Commission believes that this required element of reasonableness,
taken together with the examples of types of reasonable information,
will limit the likelihood that a consumer reporting agency would make
identification unduly difficult for consumers.
---------------------------------------------------------------------------
\67\ See, e.g., Consumers Union EREG-000002 (``Consumer
advocates are concerned that CRAs and, in particular, furnishers may
insist on heightened identification requirements in order to make it
more difficult to access the rights conferred on identity theft
victims by Congress. To prevent this undesirable outcome, while
still preserving flexibility, the rule itself should prohibit
excessive identification standards. For placing an alert, and for
trade line blocking, the rule should prohibit requiring more
information than the level of information sufficient to enable the
consumer reporting agency to match consumers with their files. The
amount of identifying information must not be more than is
reasonably necessary in light of the risk to the consumer of a delay
in the exercise of an identity theft prevention right.'').
---------------------------------------------------------------------------
Commenters also were concerned about the reasonableness of allowing
consumers to be asked to provide their full Social Security
numbers.\68\ The Commission believes it is reasonable for consumer
reporting agencies to request the full Social Security number if they
determine it to be necessary. Consumer reporting agencies already have
the full number so the risk that accompanies a new disclosure is
minimal. Furthermore, because names, addresses, and birth dates are not
always unique to a consumer, full Social Security numbers may be
necessary to ensure that consumer reporting agencies match the consumer
with the correct file. Moreover, the use of partial Social Security
numbers may not provide sufficient accuracy when an agency is working
with a large database.
---------------------------------------------------------------------------
\68\ See, e.g., Consumers Union EREG-000002 (``We are
strongly opposed to the portion of the example which suggests that
it is appropriate to require a consumer who has been a victim of
identity theft to provide the full nine digits of the Social
Security Number. Matching requirements for consumers to exercise
their identity theft prevention rights under FACTA should be no more
stringent than the level of matching which the CRAs require from
users of credit files. Consumers are understandably reluctant to
give their Social Security Numbers. Consumers who have been victims
or who are concerned about becoming victims of identity theft may be
even more concerned about safeguarding this number. If a CRA or
furnisher is permitted to request a Social Security Number at all
(to place an alert or a block), it should be limited to the last
four digits of the Social Security Number, rather than the entire
number.'').
---------------------------------------------------------------------------
Some commenters were concerned that differing standards of
identification would lead to confusion \69\ or delays in service.\70\
Under the voluntary systems of fraud alert placement and fraudulent
information blocking existing prior to the Act, the Commission saw no
evidence of consumer confusion in the standards of identification
different consumer reporting agencies selected. One standard could also
lead to consumers being asked for too much information in order that
every consumer reporting agency satisfy the standard of the one
consumer reporting agency that needed the most information due to its
particular circumstances.
---------------------------------------------------------------------------
\69\ See, e.g., Equifax Information Systems 000023
(``Allowing adjustments commensurate with the risk of harm allows
too much leeway and could result in different standards and risk
evaluations by nationwide consumer reporting agencies and data
furnishers. One data furnisher or nationwide consumer reporting
agency may accept the proof of identity and the others not,
resulting in confusion to consumers and the system.'').
\70\ See, e.g., Consumers Union EREG-000002 (``This
approach may defeat the FACTA goal of permitting consumers to
request an alert from one of the three major credit reporting
agencies, and have that alert forwarded to the additional agencies.
If each agency has a different set of identification requirements,
how will referral of fraud alert requests work? The statutory goal
cannot be served if the request is made, but is not honored, because
of differing identification requirements among CRAs. In that
situation `one call' doesn't `do it all.' '').
The Act requires nationwide consumer reporting agencies to refer
fraud alerts to each other for placement in a consumer's report. The
Commission does not believe that it is necessary for the final rule
to determine how these consumer reporting agencies comply with this
requirement of the Act. The Commission considers that the final rule
provides these consumer reporting agencies with the necessary
flexibility to comply, and expects that they will select the correct
standard of identification to ensure their compliance, or modify the
standard as necessary should they be found to be out of compliance.
---------------------------------------------------------------------------
One commenter requested clarification of ``current methods of
authentication'' in paragraph (b)(2).\71\ The Commission used the term
``current'' to demonstrate that authentication methods may change over
time and the examples should be sufficiently flexible to adapt
accordingly. However, to avoid confusion, the Commission has deleted
the word ``current.''
---------------------------------------------------------------------------
\71\ Consumer Data Industry Association 000009 (``It is
unclear what is meant by `current' methods.'').
---------------------------------------------------------------------------
Some commenters requested that additional types of information be
added to the examples.\72\ It was not the Commission's intention to
specify every form of authentication that a consumer reporting agency
could use. Rather, the intent was to distinguish the type of
information that might be sufficient for finding consumers' files from
the type of information that could prove that the consumers are who
they purport to be. Therefore, the Commission does not deem it
necessary to include additional authentication methods. However, in
paragraph (b)(1), the Commission has added the language ``current and/
or recent'' before ``full address'' to make clear that consumer
reporting agencies may request additional addresses for consumers who
have recently relocated as it may be less apparent that such
information may be necessary to find a consumer's file.
---------------------------------------------------------------------------
\72\ See, e.g., Consumer Data Industry Association
000009 (``CDIA also suggests that the final rule include as
examples of alternative proof of identity copies of pay stubs and W-
2 forms.'') and TransUnion LLC 000018 (``* * * we ask that
a consumer's previous address (if the consumer has resided at the
present address for less than two years) be an example of
appropriate information.'').
---------------------------------------------------------------------------
Except for the changes to the examples referenced above, the
Commission makes no changes to the rule or the examples.
III. Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612,
requires that the Commission provide an Initial Regulatory Flexibility
Analysis (``IRFA'') with a proposed rule and a Final Regulatory
Flexibility Analysis (``FRFA''), if any, with the final rule, unless
the Commission certifies that the rule will not have a significant
economic impact on a substantial number of small entities (i.e., in
general, those with less than $6,000,000 in average annual receipts). 5
U.S.C. 603-605.
The Commission hereby certifies that the final rules will not have
a significant economic impact on a substantial number of small
entities. The final rules apply to consumer reporting agencies,
including agencies that are small entities, if any; persons that
furnish information to consumer reporting agencies (``information
furnishers''), including persons that are small entities, if any; and
to users of consumer reports who are seeking to extend credit to
consumers, including users that are small entities, if any. The
Commission has concluded that currently there are no nationwide
consumer reporting agencies that are small entities (with less than $6
million in average annual receipts). In the NPRM, the Commission stated
that a precise estimate of the number of small entities that are other
consumer reporting agencies (with less than $6 million in average
annual receipts) and users of consumer reports within the meaning of
the proposed rules was not currently feasible. In the NPRM, therefore,
the Commission asked several questions related to the existence, number
and nature of small business entities covered by the proposed rules, as
well as the economic impact of the proposed rules on such entities. The
Commission received no comments responsive to these questions. Thus,
the Commission has been unable to determine precisely how many, if any,
consumer reporting agencies, information furnishers, and users of
consumer reports are small entities within the meaning of the final
rules. Based on its own experience and knowledge of industry practices
and members, however, the Commission believes that although there may
be a number of small entities among the other consumer reporting
agencies,
[[Page 63932]]
information furnishers and the users of consumer reports, and the
economic impact of the final rules on a particular small entity could
be significant, overall the final rules likely will not have a
significant economic impact on a substantial number of small entities.
The Commission believes further that the regulations will have a
minimal impact on small entities because the regulations give these
entities flexibility to adapt their existing requirements to ensure
that they are providing correctly the services requested by consumers.
Accordingly, this document serves as notice to the Small Business
Administration of the agency's certification of no effect. Nonetheless,
the Commission has determined to publish a Final Regulatory Flexibility
Analysis with the final rules. Therefore, the Commission has prepared
the following analysis:
A. Need for and Objectives of the Rule
The Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-
159, 117 Stat. 1952 (FACT Act or the Act), directs the Commission to
adopt rules to establish: (1) Definitions for the terms ``identity
theft'' and ``identity theft report;'' (2) the duration of an ``active
duty alert;'' and (3) the appropriate proof of identity for purposes of
sections 605A (fraud alerts and active duty alerts), 605B (consumer
report information blocks), and 609(a)(1) (truncation of Social
Security numbers) of the FCRA, as amended by the Act. In this action,
the Commission promulgates final rules to fulfill the statutory
mandate. The rules are authorized by and based upon sections 111 and
112 of the FACT Act.
B. Significant Issues Raised by Public Comment
The Commission received no public comments on the specific impact,
if any, of the rules on small entities. As explained above, the
Commission has been unable to determine precisely how many, if any,
consumer reporting agencies, information users, and users of consumer
reports are small entities within the meaning of the final rules.
Overall, however, the Commission believes that the final rules likely
will not have a significant economic impact on a substantial number of
small entities. Furthermore, as discussed below, the Commission has
determined that with respect to small entities, if any, the final rules
do not include a collection of information requirement subject to the
Paperwork Reduction Act of 1995.
The Commission, however, has considered that Sec. 603.3 of the
rules, which defines the term ``identity theft report'' and establishes
that it may include additional information or documentation to help
information furnishers or consumer reporting agencies determine the
validity of the alleged identity theft, could apply to small entities,
if any. As proposed in the NPRM, the request, if any, for additional
information would have to have been made no later than five business
days after the date of receipt of the report or the request by the
consumer for a particular service, whichever came later. A few
commenters questioned certain aspects of the process for requesting
additional information set forth in Sec. 603.3, and they directly
commented on the potential impact of the process on small entities, if
any. For example, the commenters stated that a small business may need
more than five business days to request additional information from a
consumer, especially in light of the potential increase in the number
of identity theft reports that will be received by small businesses,
which may have limited staffing and hours of operation. Specifically,
the commenters indicated that a small business may need more than five
business days to receive an identity theft report, process it, review
its contents, and search its files to determine whether it needs
additional information from a consumer.\73\ In this Statement of Basis
and Purpose, the Commission has explained its consideration of and
response to those comments. The Commission has made certain changes in
Sec. 603.3 of the final rules that should further minimize its impact
on all information furnishers and consumer reporting agencies, which
would include those, if any, that may be small entities. These changes,
which provide information furnishers or consumer reporting agencies
with additional opportunities, over a longer period of time than
originally proposed (30 days), to request more information from
consumers, are explained above in the discussion of the revisions made
to Sec. 603.3 of the rules.
---------------------------------------------------------------------------
\73\ See, e.g., Coalition to Implement the Fact Act
000019, the Michigan Credit Union League EREG-
000024, America's Community Bankers 000024, and the Juniper
Bank 000026.
---------------------------------------------------------------------------
C. Small Entities to Which the Rules Will Apply
As described above, the final rules apply to consumer reporting
agencies, including agencies that are small entities, if any;
information users, including agencies that are small entities, if any;
and to users of consumer reports, including users that are small
entities, if any. In the NPRM, the Commission stated that a precise
estimate of the number of small entities that are consumer reporting
agencies (with less than $6 million in average annual receipts) and
users of consumer reports within the meaning of the proposed rules was
not currently feasible. The Commission, however, invited comment and
information on this issue. No comments addressed this issue, and no
information with respect to small entities that might be affected by
the rules was provided. Thus, based on the lack of response to its
request for comments, the Commission has been unable to determine
precisely how many, if any, consumer reporting agencies, information
furnishers and users of consumer reports are small entities within the
meaning of the final rules.\74\
---------------------------------------------------------------------------
\74\ In addition, to the extent the rules may indirectly affect
small governmental jurisdictions (e.g., local police departments
that may provide reports about identity theft to consumers), which
are defined as small entities pursuant to the RFA (5 U.S.C. 601(5)),
the U.S. Census Bureau's Governments Integrated Directory as
enumerated for the 2002 Census of Governments, suggests there are
approximately 85,000 such jurisdictions nationwide. It is not
feasible, however, for the Commission to estimate precisely how
many, if any, of these jurisdictions may provide reports about
identity theft to consumers.
---------------------------------------------------------------------------
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
In the NPRM, the Commission tentatively determined that with
respect to small entities, if any, the proposed rules did not include a
collection of information subject to the Paperwork Reduction Act of
1995 (44 U.S.C. 3501; 5 CFR 1320). The rules do contain collections of
information affecting individual consumers and those activities have
been separately approved under the Act, as described in section IV,
infra. The Commission, however, sought comment on any paperwork burden
that the proposed rules may impose on small entities to ensure that no
burden had been overlooked. No comments addressed this issue.
Accordingly, the Commission has determined that with respect to small
entities, if any, the final rules do not include a collection of
information subject to the Paperwork Reduction Act of 1995.
The Commission recognizes, however, that consumer reporting
agencies, information furnishers and users of consumer reports,
including those that might be small entities, if any, may incur some
indirect, incidental expenses associated with the regulatory scheme
established by the rules. Most of these expenses will be in the form of
printing,
[[Page 63933]]
copying, mailing and filing costs associated with processing and
reviewing identity theft reports, validating the information received
from consumers, and requesting additional information from consumers,
if necessary, to determine the validity of the alleged identity theft
or the consumer's proof of identity. It is not feasible for the
Commission to estimate precisely such expenses without information
regarding the volume of the aforementioned activities. It is likely,
however, that some of the aforementioned expenses would be incurred
anyway in the ordinary course of business.
E. Steps Taken To Minimize Significant Economic Impact of the Rules on
Small Entities
The Commission invited comment and information with regard to (1)
the existence of small business entities for which the proposed rules
would have a significant economic impact; and (2) suggested alternative
methods of compliance that, consistent with the statutory requirements,
would reduce the economic impact of the rules on such small entities.
The Commission received no information or suggestions in response
to these questions. As explained above, however, the Commission has
written the final rules, and made certain changes to the final rules,
to minimize their impact on all entities that are subject to the rules,
including small entities, if any, that may be subject to the rules. For
example, the Commission has written the final rules to provide
information furnishers or consumer reporting agencies with additional
opportunities, over a longer period of time than originally proposed
(30 days), to request more information from consumers.
IV. Final Paperwork Reduction Act Analysis
In accordance with the Paperwork Reduction Act, as amended, 44
U.S.C. 3501 et seq., the Commission submitted the proposed rules to the
Office of Management and Budget (``OMB'') for review. The OMB has
approved the rules' information collection requirements through June
30, 2007, and has assigned OMB control number 3084-0129. The Commission
did not receive any comments relating to its original burden estimates
for the rules' information collection requirements.
V. Final Rules
List of Subjects in 16 CFR Parts 603, 613, and 614
Fair Credit Reporting Act, Consumer reports, Consumer reporting
agencies, Credit, Information furnishers, Identity theft, Trade
practices.
0
Accordingly, for the reasons set forth in the preamble, the Commission
amends title 16 of the Code of Federal Regulations as follows:
0
1. Add part 603 to read as follows:
PART 603--DEFINITIONS
Sec.
603.1 [Reserved]
603.2 Identity theft.
603.3 Identity theft report.
Authority: Pub. L. 108-159, sec 111; 15 U.S.C. 1681a.
Sec. 603.1 [Reserved]
Sec. 603.2 Identity theft.
(a) The term ``identity theft'' means a fraud committed or
attempted using the identifying information of another person without
authority.
(b) The term ``identifying information'' means any name or number
that may be used, alone or in conjunction with any other information,
to identify a specific person, including any--
(1) Name, social security number, date of birth, official State or
government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina
or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing
code; or
(4) Telecommunication identifying information or access device (as
defined in 18 U.S.C. 1029(e)).
Sec. 603.3 Identity theft report.
(a) The term ``identity theft report'' means a report--
(1) That alleges identity theft with as much specificity as the
consumer can provide;
(2) That is a copy of an official, valid report filed by the
consumer with a Federal, State, or local law enforcement agency,
including the United States Postal Inspection Service, the filing of
which subjects the person filing the report to criminal penalties
relating to the filing of false information, if, in fact, the
information in the report is false; and
(3) That may include additional information or documentation that
an information furnisher or consumer reporting agency reasonably
requests for the purpose of determining the validity of the alleged
identity theft, provided that the information furnisher or consumer
reporting agency:
(i) Makes such request not later than fifteen days after the date
of receipt of the copy of the report form identified in paragraph
(a)(2) of this section or the request by the consumer for the
particular service, whichever shall be the later;
(ii) Makes any supplemental requests for information or
documentation and final determination on the acceptance of the identity
theft report within another fifteen days after its initial request for
information or documentation; and
(iii) Shall have five days to make a final determination on the
acceptance of the identity theft report, in the event that the consumer
reporting agency or information furnisher receives any such additional
information or documentation on the eleventh day or later within the
fifteen day period set forth in paragraph (a)(3)(ii) of this section.
(b) Examples of the specificity referenced in paragraph (a)(1) of
this section are provided for illustrative purposes only, as follows:
(1) Specific dates relating to the identity theft such as when the
loss or theft of personal information occurred or when the fraud(s)
using the personal information occurred, and how the consumer
discovered or otherwise learned of the theft.
(2) Identification information or any other information about the
perpetrator, if known.
(3) Name(s) of information furnisher(s), account numbers, or other
relevant account information related to the identity theft.
(4) Any other information known to the consumer about the identity
theft.
(c) Examples of when it would or would not be reasonable to request
additional information or documentation referenced in paragraph (a)(3)
of this section are provided for illustrative purposes only, as
follows:
(1) A law enforcement report containing detailed information about
the identity theft and the signature, badge number or other
identification information of the individual law enforcement official
taking the report should be sufficient on its face to support a
victim's request. In this case, without an identifiable concern, such
as an indication that the report was fraudulent, it would not be
reasonable for an information furnisher or consumer reporting agency to
request
[[Page 63934]]
additional information or documentation.
(2) A consumer might provide a law enforcement report similar to
the report in paragraph (c)(1) of this section but certain important
information such as the consumer's date of birth or Social Security
number may be missing because the consumer chose not to provide it. The
information furnisher or consumer reporting agency could accept this
report, but it would be reasonable to require that the consumer provide
the missing information.
(3) A consumer might provide a law enforcement report generated by
an automated system with a simple allegation that an identity theft
occurred to support a request for a tradeline block or cessation of
information furnishing. In such a case, it would be reasonable for an
information furnisher or consumer reporting agency to ask that the
consumer fill out and have notarized the Commission's ID Theft
Affidavit or a similar form and provide some form of identification
documentation.
(4) A consumer might provide a law enforcement report generated by
an automated system with a simple allegation that an identity theft
occurred to support a request for an extended fraud alert. In this
case, it would not be reasonable for a consumer reporting agency to
require additional documentation or information, such as a notarized
affidavit.
0
2. Add Part 613 to read as follows:
PART 613--DURATION OF ACTIVE DUTY ALERTS
Sec.
613.1 Duration of active duty alerts.
Authority: Pub. L. 108-159, sec. 112(a); 15 U.S.C. 1681c-1.
Sec. 613.1 Duration of active duty alerts.
The duration of an active duty alert shall be twelve months.
0
3. Add Part 614 to read as follows:
PART 614--APPROPRIATE PROOF OF IDENTITY
Sec.
614.1 Appropriate proof of identity.
Authority: Pub. L. 108-159, sec. 112(b).
Sec. 614.1 Appropriate proof of identity.
(a) Consumer reporting agencies shall develop and implement
reasonable requirements for what information consumers shall provide to
constitute proof of identity for purposes of sections 605A, 605B, and
609(a)(1) of the Fair Credit Reporting Act. In developing these
requirements, the consumer reporting agencies must:
(1) Ensure that the information is sufficient to enable the
consumer reporting agency to match consumers with their files; and
(2) Adjust the information to be commensurate with an identifiable
risk of harm arising from misidentifying the consumer.
(b) Examples of information that might constitute reasonable
information requirements for proof of identity are provided for
illustrative purposes only, as follows:
(1) Consumer file match: The identification information of the
consumer including his or her full name (first, middle initial, last,
suffix), any other or previously used names, current and/or recent full
address (street number and name, apt. no., city, state, and zip code),
full 9 digits of Social Security number, and/or date of birth.
(2) Additional proof of identity: copies of government issued
identification documents, utility bills, and/or other methods of
authentication of a person's identity which may include, but would not
be limited to, answering questions to which only the consumer might be
expected to know the answer.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 04-24589 Filed 11-2-04; 8:45 am]
BILLING CODE 6750-01-P