Fair and Accurate Credit Transactions Act; implementation: Identity theft provisions,
[Federal Register: November 3, 2004 (Volume 69, Number 212)]
[Rules and Regulations]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
FEDERAL TRADE COMMISSION
16 CFR Parts 603, 613, and 614
Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity Under the Fair Credit Reporting Act
AGENCY: Federal Trade Commission (FTC or the Commission).
ACTION: Final rule.
SUMMARY: The recently enacted Fair and Accurate Credit Transactions Act of 2003 (FACT Act or the Act), amending the Fair Credit Reporting Act (FCRA), establishes requirements for consumer reporting agencies, creditors, and others to help remedy identity theft. In this document, the Commission issues final rules to establish definitions for the terms ``identity theft'' and ``identity theft report;'' the duration of an ``active duty alert;'' and the ``appropriate proof of identity'' for purposes of sections 605A (fraud alerts and active duty alerts), 605B (consumer report information blocks), and 609(a)(1) (truncation of Social Security numbers) of the FCRA, as amended by the Act.
DATES: Effective Date: This rule is effective on December 1, 2004.
ADDRESSES: Requests for copies of the Rule and the Statement of Basis and Purpose should be sent to the Commission's Public Reference Branch, Room 130, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580. The complete record of this proceeding is also available at that address. Relevant portions of the proceeding, including the Rule and Statement of Basis and Purpose, are also available at the Commission's Web site, http://www.ftc.gov.
FOR FURTHER INFORMATION CONTACT: Naomi B. Lefkovitz, Attorney, Division of Planning and Information, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580. (202) 326-3228.
Statement of Basis and Purpose
The FACT Act was signed into law on December 4, 2003. Pub. L. 108- 159, 117 Stat. 1952. Portions of the Act amend the FCRA to enhance consumers' ability to resolve problems caused by identity theft. Section 111 of the Act adds several new definitions to the FCRA, including ``identity theft'' and ``identity theft report.'' The Act permits the Commission to further define the term ``identity theft,'' and requires the Commission to determine the meaning of the term ``identity theft report,'' although the Act does provide a minimum definition. Section 112 of the Act requires the Commission to determine the duration of an ``active duty alert,'' which the Act sets at a minimum of 12 months. Section 112 also requires the Commission to determine the ``appropriate proof of identity'' for purposes of sections 605A (fraud alerts and active duty alerts), 605B (consumer report information blocks), and 609(a)(1) (truncation of Social Security numbers) of the FCRA, as amended by the Act.
The Commission published a Notice of Proposed Rulemaking and request for Public Comment (``NPRM'') in the Federal Register on April 28, 2004,\1\ and the comment period closed on June 15, 2004. The Commission received forty-nine comments.\2\ The commenters included the National Association of Attorneys General Executive Committee, consumer advocacy groups,\3\ industry trade organizations,\4\ three nationwide consumer reporting agencies,\5\ financial institutions and other companies,\6\ two
of the four military service branches,\7\ consumers,\8\ and the National Notary Association, a professional trade organization. Unless specifically modified in this document, all of the analysis accompanying the proposed rules in the NPRM is adopted and incorporated into this Statement of Basis and Purpose for the final rules.
\1\ Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity under the Fair Credit Reporting Act, 69 FR 23370 (proposed April 28, 2004) (to be codified at 16 CFR. parts 603, 613, and 614).
\2\ The public comments relating to these rulemakings may be viewed at http://www.ftc.gov/os/comments/factaidt/index.htm. The
Commission considered all comments timely filed, i.e.--those received on or before the close of the comment period on June 15, 2004. As a matter of discretion, the Commission also considered comments that were filed after the close of the comment period. Citations to comments filed in this proceeding are made to the name of the organization (if any) or the last name of the commenter, and the comment number of record. Comment number may appear as all numeric characters--e.g., 000031 (indicating a comment received by paper or electronic mail), or as numeric characters preceded by ``EREG''--e.g., ``EREG-000031'' (indicating a comment received through http://www.regulations.gov).
\3\ Consumers Union submitted a comment on behalf of 11 organizations. Consumer advocacy groups commenting included Consumer Action, Consumer Federation of America, Consumers Union, Electronic Privacy Information Center, Identity Theft Resource Center, National Association of Consumer Advocates, National Consumer Law Center, National Council of La Raza, Privacy Rights Clearinghouse, Privacy Times, and U.S. Public Interest Research Group (US-PIRG).
\4\ In addition to Consumer Data Industry Association (CDIA)-- the trade association that represents the nationwide consumer reporting agencies and a variety of other consumer reporting agencies--the Commission received comment on the proposed rule on behalf of a number of trade organizations representing a variety of industries and concerns. These included ACA International (representing debt collection agencies and other accounts receivable professionals), American Bankers Association, American Financial Services Association (representing companies primarily engaged in the business of providing consumer credit), America's Community Bankers, Credit Union National Association (CUNA), Coalition to Implement the FACT Act (representing trade associations and companies that furnish, use, collect, and disclose consumer information), Consumer Bankers Association, Independent Community Bankers of America, National Automobile Dealers Association, National Business Coalition on Privacy and E-Commerce (representing diverse companies interested in national policy on privacy and electronic commerce issues), Michigan Credit Union League, National Retail Federation, Pennsylvania Credit Union Association, and the Financial Services Roundtable.
\5\ Equifax Information Services LLC, Experian Information Solutions, Inc., and Trans Union LLC.
\6\ These included Bank of America, Bank One Corporation, BMO Financial Group, Boeing Employees' Credit Union, Capital One Financial Corporation, Countrywide Home Loans, Fifth Third Bank, Household International, Inc., Juniper Bank, Keycorp, MasterCard International, MBNA America Bank, N.A., Navy Federal Credit Union, Nissan Motor Acceptance Corp., Sprint Corporation, Teachers Federal Credit Union, Visa U.S.A., Inc., Wells Fargo and Company, and Wilshire Credit Corporation.
\7\ These were the Office of the Judge Advocate General, Department of the Navy and the United States Marine Corps.
\8\ These included Beverly Davis, Mike Heinemann, Robert Pinheiro, Abbi Sexton, and Charles Nichols.
Analysis of the Comments Received
Section 603.2: Identity Theft
The definition of ``identity theft'' triggers important duties for businesses and important rights for consumers under the FACT Act and the FCRA. For example, it defines the scope of fraudulent conduct that businesses must take steps to prevent, and it determines who is a victim entitled to take advantage of the rights conferred by the Act. Section 111 of the Act defines the term ``identity theft'' as ``a fraud committed using the identifying information of another person, subject to such further definition as the Commission may prescribe, by regulation.'' In the NPRM, the Commission proposed to further define the term ``identity theft'' \9\ so it would be sufficiently broad to cover all bona fide victims and conduct, and also help prevent credit repair fraud.\10\
\9\ 69 FR 23377. In the NPRM, the Commission defined the term ``identity theft'' to mean a fraud committed or attempted using the identifying information of another person without lawful authority.
(b) The term ``identifying information'' means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any--
(1) Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
\10\ Id. at 23371.
1. Attempted Fraud
In the NPRM, the Commission proposed adding ``attempt to commit fraud'' to the definition. Although identity thieves do not always succeed in opening new accounts, their attempts to do so may be recorded as inquiries on victims' consumer reports, which may adversely affect the victims' credit scores. Victims who learn of attempts by an identity thief should be entitled to take advantage of the Act to place extended fraud alerts and block fraudulent inquiries. To block these inquiries under section 605B of the FCRA and to obtain an extended fraud alert, victims need to be able to obtain an identity theft report for which they need to be able to allege an identity theft. For these reasons, the Commission proposed adding ``attempt to commit fraud'' to the definition. Although a number of commenters supported this position,\11\ a number of commenters also opposed including ``attempt'' in the definition of ``identity theft.'' These commenters made three principal arguments.
\11\ See, e.g., Keycorp EREG-000007 (``We support the inclusion of attempted theft in the definition of `identity theft' under the Act. Allowing a consumer to file an initial identity theft report based on an attempted ID theft affords greater protection for consumers and users of consumer reports.''); Equifax Information Services, LLC 000023 (``Since an initial fraud alert may be placed on a consumer's file by a consumer reporting agency when the consumer has a suspicion that he or she `is about to become' a victim of fraud, including `attempt' to commit fraud as part of the definition is a logical and useful extension.''); and Teachers Federal Credit Union EREG-000009 (``Yes, attempts to commit frauds should be included in the definition, since fraud attempts may have an adverse affect on a victim's credit report/score.'').
First, some commenters argued that it is not necessary for the Commission to include ``attempt'' in the definition of ``identity theft'' to enable consumers to remove fraudulent inquiries from their consumer reports because these victims can dispute inaccurate information in consumer reports with section 611 of the FCRA instead of section 605B.\12\ If the Commission were to eliminate ``attempt'' from the definition, it would be creating separate processes for handling fraudulent tradelines and handling fraudulent inquiries under the FCRA. No commenter indicated why fraudulent inquiries should be treated differently from fraudulent tradelines. Further, the section 611 dispute process may not provide an adequate means of removing inquiries. Because section 611 relies on consumers' ability to produce ``relevant documentation,'' \13\ it is best suited to addressing inaccurate information that results from errors where consumers can provide records showing that they have, for example, paid their debts. Victims of identity theft, however, have no records showing that they did not open an account and therefore, incurred no debts. Section 605B, however, enables victims to use a law enforcement report as the basis of their proof of the identity theft to block information specifically resulting from identity theft from appearing on their consumer reports. Thus, section 605B is designed specifically to help identity theft victims correct information in their consumer reports that results from fraudulent activity, whereas section 611 is not specifically tailored for identity theft victims. Thus, the Commission sees no reason why consumers with inquiries resulting from attempted fraud should be barred from using this process.
\12\ See, e.g., MasterCard International 000025 (``We note that consumers who are victims of attempted identity theft have the ability to correct their consumer reports using the dispute process already provided for in the FCRA. Thus, an expanded definition of `identity theft' is not necessary to provide victims a remedy to correct data on a consumer report.'').
\13\ Section 611 of the FCRA, 15 U.S.C. 1681i.
Second, commenters stated that it was not necessary for the Commission to include ``attempt'' to assist in the placement of fraud alerts because consumers do not need to be actual victims of identity theft to place an initial fraud alert.\14\ The Commission agrees that consumers will not need to prove identity theft to place an initial fraud alert. The Commission, however, is concerned that in situations where the identity thief continues to attempt to perpetrate frauds, these victims may wish to place an extended fraud alert. Under section 605A of the FCRA, such victims will need an identity theft report alleging an identity theft to obtain the extended fraud alert. An extended fraud alert under these circumstances will alert businesses of the need to take greater precautions and help to prevent losses.
\14\ See, e.g., MasterCard International 000025 (``The Commission also suggests that a broad definition is necessary because `victims who have learned of attempts by an identity thief and want to reduce the likelihood that the identity thief will succeed in opening new accounts may want to place an `initial fraud alert' on their consumer reports.' We respectfully note that the statute does not require a consumer to be a victim of `identity theft' in order to place an initial alert in the consumer's file. All that is necessary to place an initial alert in the file is for the consumer to assert `in good faith a suspicion that the consumer has been or is about to become a victim of fraud or related crime.' We believe that a consumer who has been a victim of attempted identity theft could make such an assertion regardless of whether `identity theft' were to also mean `attempted identity theft.' '').
Finally, commenters argued that including ``attempt'' would divert resources that could be better used to assist victims whose information has been actually misused.\15\ It is not clear
how the inclusion of ``attempt'' would create such economic hardship as to cause private entities to reallocate resources designated for assisting victims; the provisions of the Act that implicate ``attempt'' either do not affect most private entities or would seem to assist in the prevention of identity theft. For instance, creditors must take certain steps to verify consumers' identities when fraud alerts appear on consumer reports.\16\ Such verification would seem worthwhile to prevent identity theft for consumers and financial institutions. Notably, consumer reporting agencies, who will be the only private entities obligated to place fraud alerts and block inquiries, either supported the inclusion of ``attempt'' or did not comment.\17\ Similarly, inclusion will not result in increased processing of identity theft reports by information furnishers because no accounts will have been opened.
\15\ See, e.g., Wells Fargo and Company 000015 (``We are concerned that defining `identity theft' to include ``attempted'' fraud would greatly expand the scope of conduct that entities must take steps to prevent and would significantly increase the number of consumers authorized to take advantage of the rights that the FCRA confers upon identity theft victims. Expanding the definition of identity theft beyond the traditional notion of an individual opening an account or obtaining a loan in another person's name would divert significant resources away from actual identity theft and its victims in order to assist those who have avoided any meaningful harm of identity theft. If a fraud is attempted but not completed, the system will have averted identity theft and the consumer will have suffered little, if any, harm. Any harm that the consumer will have suffered can be, or already will have been, adequately addressed.'').
\16\ Section 605A of the FCRA, 15 U.S.C. 1681c-1.
\17\ See, e.g., Consumer Data Industry Association 000012 (``CDIA agrees with the Commission that, in order to trigger the important FCRA rights of potential identity theft victims and to enable them to avoid being actual identity theft victims, the definition should cover an attempted fraud, as well as the actual offense.''); Experian Information Solutions 000009 (``The definition captures the appropriate elements; it includes (a) a fraud that is attempted or committed, (b) using `identifying information' of another, and (c) without lawful authority.''); and Equifax Information Services, LLC 000023 (``Since an initial fraud alert may be placed on a consumer's file by a consumer reporting agency when the consumer has a suspicion that he or she `is about to become' a victim of fraud, including `attempt' to commit fraud as part of the definition is a logical and useful extension.'').
Accordingly, the Commission retains ``attempt'' in the definition of identity theft. 2. Identifying Information
In the NPRM, the Commission proposed that ``identifying information'' should have the same meaning as ``means of identification'' found in the federal criminal code.\18\ This would ensure that the term ``identity theft'' addressed the potential permutations of identity fraud that might occur. It would also provide consistency with the federal criminal law. A number of commenters supported the Commission's proposal.\19\ However, because ``means of identification,'' as defined in the criminal statute, includes check routing, credit card, and debit card numbers, a number of commenters were concerned that the proposed rule would cover too broad a range of frauds, in particular, unauthorized use of a consumer's existing accounts.\20\
\19\ See, e.g., Office of the Judge Advocate General, Department of the Navy 000011 (``As the Commission points out, the criminal code's definition of `means of identification' covers the appropriate range of identifying information and ensures that the term `identity theft' addresses the relevant permutations of fraud that might occur. Additionally, [sic] the Commission accurately states, it ensures consistency with existing Federal law defining what constitutes identity theft, which promotes clarity and ease of application.'') and Experian Information Solutions 000012 (``Experian supports this definition as well; it encompasses the different kinds of information that could be used to commit an identity theft.'').
\20\ See, e.g., National Retail Federation 000005 (``We would strongly urge the Commission to limit its definition of an identity theft to those situations in which the perpetrators have actually assumed someone else's identity, procured a new line of credit and used that credit in the individual's name. We urge this formulation to distinguish true ID Theft from `attempted' identity theft or from situations involving `unauthorized use.' '').
Consumers themselves, however, consider that unauthorized use of their accounts is a form of identity theft based on the fact that they file complaints in the Commission's identity theft complaint database about such unauthorized use. See http://www.consumer.gov/idtheft/charts/CY2002OverallCharts.pdf for examples of the
statistical breakdown of consumer identity theft complaints to the Commission.
For example, some commenters argued against including unauthorized use of accounts in the definition of ``identity theft'' because other federal laws provide victims with sufficient protection.\21\ While other federal laws may provide victims with the means to redress certain aspects of injuries resulting from the unauthorized use of an account, these other laws do not necessarily address all aspects of their injuries. For example, under the Fair Credit Billing Act,\22\ victims can dispute unauthorized credit card transactions on their billing statement, but if the debts resulting from the disputed charges appear on their consumer reports as delinquent,\23\ or if the victims need to obtain related transaction records to assist in proving their claim,\24\ victims may need to apply the rights provided by the FACT Act. The Commission expects that victims of unauthorized account use will continue to resolve their problems under other federal laws as applicable, but they also may need and are entitled to the protections provided by the Act.
\21\ See, e.g., Coalition to Implement the FACT Act 000019 (``Not only are there already provisions in existing law, such as under the Truth in Lending Act and the Electronic Fund Transfer Act, to protect consumers who are victims of crimes such as account fraud, but we do not believe it would benefit victims of true identity theft to dilute industry's efforts by giving victims of less debilitating crimes equal priority as identity theft victims.'').
\22\ 15 U.S.C. 1666-1666j.
\23\ See section 605B of the FCRA for the right to block information resulting from identity theft from consumer reports. 15 U.S.C. 1681c-2.
\24\ See section 609(e) of the FCRA for the right to obtain identity theft related transaction records. 15 U.S.C. 1681g.
Commenters also were concerned that including unauthorized use of a consumer's existing accounts would encourage abuse of the credit reporting system.\25\ The Commission recognizes the concern that the Act, in creating new tools to assist victims in recovering from identity theft (e.g., by enabling them to use the ``identity theft report'' to block the reporting of fraudulent debts in their consumer reports theft report,'' see infra II.B.), may give unscrupulous individuals a new, or alternative means to attempt to exploit the credit reporting system. The Commission, however, finds that the definition of ``identity theft report'' (see infra II.B.) provides consumer reporting agencies and information furnishers with adequate means to distinguish between bona fide identity theft victims and consumers attempting to defraud the system. The Commission has concluded, therefore, that the possibility of limiting the potential for abuse that might arise from narrowing the definition of identity theft is outweighed by the need to provide bona fide victims of unauthorized account use with the same rights accorded victims of other forms of identity theft under the FCRA.
\25\ See, e.g., Wells Fargo and Company 000015 (``We also believe that inclusion of traditional debit and credit card fraud in the definition of `identity theft' will significantly increase claims of identity theft, fraud alerts and requests to block information. A significant increase in claims of this type (many of which may be marginal or even untrue) could impact the integrity of the entire information reporting system.'').
Accordingly, except for a technical change discussed in paragraph II.A.4, the Commission defines ``identifying information'' to have the same meaning as ``means of identification'' found in 18 U.S.C. 1028(d)(7). 3. Lawful Authority
In the NPRM, the Commission proposed that the definition of identity theft require that a person's identifying information must be used ``without
lawful authority.'' This definition was designed to prevent individuals from colluding to obtain goods or services without paying for them and then using the rights conferred by the Act to clear their credit records of the negative, but legitimate, information. Most commenters supported the Commission's addition, although some asked for additional clarification.
Some commenters suggested that ``without lawful authority'' might not fully prevent collusion.\26\ These commenters appear to argue that, because no one can ``lawfully'' authorize an illegal act, a person might give another person permission to use his or her identifying information knowing that the recipient would use such information to commit fraud, and then later allege ``identity theft'' because he never gave ``lawful authority'' to use the information to commit fraud.\27\ The Commission doubts that the inability to ``lawfully'' authorize a fraudulent act would provide a justification for alleging identity theft in such circumstances. Nevertheless, to avoid any such result, the Commission is deleting the term ``lawful'' from the final Rule. Thus, the final Rule states that ``identity theft'' means ``a fraud committed * * * using the identifying information of another person without authority.'' The Rule is intended to apply to one person's using the identifying information of another person without that person's permission or approval.
\26\ See, e.g., Consumer Bankers Association 000007 (``The FTC states that `adding ``without lawful authority'' [to the definition] prevents individuals from colluding with each other to obtain goods or services without paying for them, and then' attempting to allege that it is the result of identity theft. CBA applauds the FTC for addressing this important issue. We do not believe that consumers who benefit from a transaction should be able to claim that the transaction is the result of identity theft. Therefore, we urge that this concept be retained. However, we also ask the FTC to clarify this issue in the Final Rule. In particular, as the definition is drafted, it is not clear whether the modifier `without lawful authority' would achieve the FTC's objective because a fraud is already generally an act committed without lawful authority.'').
In the NPRM, the Commission had asked for comment on whether the definition of ``identity theft'' should include a requirement that a person's identifying information be used without the person's knowledge, to address concerns with collusion. The Commission received few responsive comments, and although such a requirement could address collusion, it would create problems for bona fide victims who may know that their identifying information is in the process of being used, but cannot stop the use. Thus, the Commission has determined not to include ``without knowledge'' in the definition of identity theft.
More broadly, some commenters were concerned that adding ``without lawful authority'' would increase the difficulty of recovery for certain victims such as minors.\28\ In the NPRM, the Commission stated that parents who use their minor children's identifying information purporting to be the minors are not exercising lawful authority. Lawful authority, or authority alone, allows parents to use their minor children's identifying information on behalf of the minors, but only when acting in the capacity as the parent. Minors whose parents have misused their identifying information by purporting to be the minors will, therefore, be able to assert that their parents acted without authority and will be entitled to all of the identity theft protections under the FCRA.
\28\ See, e.g., Consumers Union EREG-000002 (``The theft of the identities of children by their legal guardians could pose special issues if the definition includes a requirement of lack of legal authority. The explanatory language which suggests that a legal representative never has the power to defraud the other person is helpful, but adding this kind of requirement is likely to make it much harder for a newly adult person to remove from his or her credit record transactions not fairly attributed to that person, when those transactions were initiated by a legal guardian.'').
Some commenters suggested a clarification that presumed authority if the consumer refused to pursue prosecution.\29\ Although refusal to prosecute may be a factor in considering whether an unauthorized use of a person's identifying information has occurred, the Commission does not believe that it constitutes prima facie evidence of a grant of authority. Accordingly, the Commission declines to include a person's refusal to prosecute the user of the person's identifying information in the final rule.
\29\ Consumer Data Industry Association 000009 (``CDIA agrees that an important element of the definition of identity theft is that the person's identifying information is used without lawful authority. As the Commission observes, individuals, such as guardians and attorneys-in-fact, may have lawful authority to use another's identifying information and may misuse that information to commit fraud. CDIA's members have experienced situations where consumers appear to have colluded with family members or friends to perpetrate a fraud or attempted fraud using their own identifying information. In those instances, the consumer refuses to prosecute the perpetrator of the fraud or attempted fraud. For that reason, CDIA believes that the final rule should provide that a consumer's refusal to prosecute the perpetrator of an identity theft is prima facie evidence that the consumer's identifying information was used with the consumer's lawful authority and thus does not involve identity theft.'').
4. Additional Changes
One commenter suggested that the Commission amend paragraph (b)(4) (see n. 9) to clarify that identifying information includes credit card and other account identification numbers by incorporating the language referenced in 18 U.S.C. 1029(e) into the final rule.\30\ The Commission considers that including the specific language of 18 U.S.C. 1029(e) would add unnecessary verbiage to the rule and that the Commission can use other means to publicize the concept that credit card account numbers are included in the definition. For example, the Commission previously addressed (see, supra II.A.2) the fact that unauthorized account use is part of the definition of identity theft, and the Commission will highlight this fact in any educational materials it develops.
\30\ Consumer Data Industry Association 000009 (``As a result of incorporating the U.S. Code definition into the proposed rule, the rule's definition of identity theft could include the authorized [sic] use of a credit card, PIN or similar access device. CDIA understands that the Commission intends this result. However, affected industry members may not associate the crime of identity theft with the fraudulent use of a credit card number without identifying information. For that reason, in order to facilitate compliance, CDIA suggests that the final rule's definition of identifying information incorporate the current U.S. Code definition of `any telecommunication identifying information or access device.' The final rule could also provide that the definition would include the U.S. Code definition as it may be amended, to reflect changes in technology.'').
Finally, the Commission has corrected a drafting error made in clarifying the term ``identifying information.'' In paragraph (b), the Commission has replaced the clause ``to identify a specific individual'' with ``to identify a specific person'' to conform the elements of ``identifying information'' with the definition of ``identity theft'' in the Act, which uses the term ``person.''
Except for this technical change and the removal of the word ``lawful,'' the Commission adopts the definition of ``identity theft'' without modification.
Section 603.3: Identity Theft Report
Under section 111 of the Act, the Commission is required to determine the meaning of the term ``identity theft report,'' using as the foundation a minimum definition set forth in the Act.\31\ Consumers can use the identity
theft report to block information resulting from identity theft from their consumer reports \32\ and prevent information furnishers from refurnishing such information,\33\ as noted in the NPRM. The Commission is concerned that the identity theft report might be misused by some to attempt to remove accurate, but negative, information from their consumer reports, notwithstanding the Act's requirement that the filing of the report be subject to criminal penalties for the filing of false information.\34\ Because certain law enforcement agencies, including most federal agencies, allow consumers to file law enforcement reports through an automated system (i.e., the report can be filed by mail, telephone, or via the Internet, instead of in a face-to-face interview with a law enforcement officer), the Commission is concerned that consumers using an automated means might have less compunction about filing a false report. Moreover, because consumer reporting agencies and information furnishers most likely will receive and be required to act upon the law enforcement report before the identity theft complaint is fully investigated by the law enforcement agency, they will be faced with the initial responsibility for determining the legitimacy of an identity theft claim.\35\
\31\ Under the Act, an identity theft report is, ``at a minimum, a report--(A) that alleges identity theft; (B) that is a copy of an official, valid report filed by the consumer with an appropriate Federal, State, or local law enforcement agency, including the United States Postal Inspection Service, or such other government agency deemed appropriate by the Commission; and (C) the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information, if, in fact, the information in the report is false.'' 15 U.S.C. 1681a(q)(4).
\32\ Section 605B of the FCRA, 15 U.S.C. 1681c-2.
\33\ Section 623(a)(6)(B) of the FCRA, 15 U.S.C. 1681s- 2(a)(6)(B).
\34\ 69 FR 23371.
\35\ As further protection against abuse of the credit reporting system, the Act also provides the consumer reporting agencies and information furnishers with some ability to reject or reinstate a block or continue furnishing information (see sections 605B(c) and 623(a)(6)(B) of the FCRA, 15 U.S.C. 1681c-2(c) and 15 U.S.C. 1681s- 2(a)(6)(B)). In practice, it may be difficult for the consumer reporting agencies or information furnishers to make such determinations without an investigation of the claim of identity theft. This investigation may be difficult to conduct without the cooperation of the consumer making the claim.
For these reasons, the Commission's proposal allowed consumer reporting agencies and information furnishers to investigate identity theft claims much to the same extent that they could prior to the Act. At the same time, the Commission wanted to ensure that bona fide victims could resolve their identity theft problems without undue delay or burden. The Commission's proposal, with specific limitations, allows consumer reporting agencies and information furnishers to make requests for information and documentation in addition to the law enforcement report to verify the identity theft claim, and to require that consumers allege the identity theft with as much specificity as possible.\36\ The Commission also proposed some examples of when it would or would not be reasonable to request additional information or documentation. While a few commenters unreservedly supported the Commission's proposal,\37\ as outlined below, most commenters had concerns about some aspect of the Commission's proposal.
\36\ 69 FR 23372. The definition proposed in the NPRM:
(a) The term `identity theft report' means a report--
(1) That alleges identity theft with as much specificity as the consumer can provide;
(2) That is a copy of an official, valid report filed by the consumer with a Federal, State, or local law enforcement agency, including the United States Postal Inspection Service, the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information, if, in fact, the information in the report is false; and
(3) That may include additional information or documentation that an information furnisher or consumer reporting agency reasonably requests for the purpose of determining the validity of the alleged identity theft, provided that the information furnisher or consumer reporting agency makes such request not later than five business days after the date of receipt of the copy of the report form identified in paragraph (2) or the request by the consumer for the particular service, whichever shall be the later.
\37\ See, e.g., Independent Community Bankers of America EREG-000004 (``The ICBA agrees that it is appropriate that credit reporting agencies and information furnishers have the authority to require as much specificity as possible when investigating an allegation of identity theft. To begin with, this will help discourage fraudulent claims of identity theft and abuse of the system, a step that is especially important since, as noted above, Congress created serious remedies for a serious problem. Second, greater specificity will help information furnishers and credit reporting agencies better identify the actual fraud that should be blocked on a credit report.'').
Although many commenters were concerned about the possibility of misuse of the identity theft report, they felt that the Commission's proposed remedies were not sufficient to deter this potential problem.\38\ Commenters suggested ways in which the rule could better address this concern. For example, some commenters wrote that the Commission should limit the type of law enforcement agency with which a report about identity theft could be filed by further defining what constitutes an ``appropriate'' law enforcement agency. Specifically, some commenters suggested narrowing the term to exclude law enforcement agencies that enforce laws unrelated to identity theft on the grounds that they are unlikely to investigate any reports of identity theft which they receive, thus encouraging the filing of false reports.\39\ Other commenters felt that law enforcement agencies with automated systems should not be considered ``appropriate.'' \40\ Finally, a number of commenters thought that the Commission should clarify that the Commission itself is not an appropriate law enforcement agency in part because it lacks criminal arrest authority.\41\
\38\ See, e.g., American Financial Services Association 000010 (``AFSA appreciates the Commission's effort to carefully balance the important considerations underlying the FACTA identity theft provisions * * * as the Commission recognizes in its Supplementary Information accompanying the Proposed Rule, identity theft reports `could provide a powerful tool for misuse, allowing persons to engage in illegal activities in an effort to remove or block accurate, but negative, information from their consumer reports.' [Footnote 2: 69 Fed. Reg. 23,371.] AFSA is concerned that the Proposed Rule has not fully addressed this risk identified by the Commission and that, as written, the Rule may allow the unscrupulous to turn a system intended to protect consumers into a system that could be easily used to deceive and defraud creditors and other users of consumer report information.'').
\39\ See, e.g., Consumer Bankers Association 000007 (``For example, the statute would appear to prohibit the filing of an identity theft report with the Federal Communications Commission (``FCC''), because an agency charged with enforcing several different laws unrelated to identity theft would clearly not be an appropriate recipient of a report alleging identity theft. Not only can the FCC do very little about investigating the identity theft, but the FCC is unlikely to spend a lot of resources to determine whether the consumer has lied in the report.'').
\40\ See, e.g., Boeing Employees Credit Union 000002 (``We do not agree with the automated method of reporting identity theft. Allowing the reporting to be a faceless transaction with zero law enforcement involvement makes it extremely convenient for someone to falsify a report. In our opinion, to qualify for these protections, the consumers must provide adequate proof of fraud in person.'').
\41\ See, e.g., American Bankers Association EREG- 000034 (``Complaints filed with the Commission's Identity Theft Data Clearinghouse should be excluded, unless the Commission has authority to arrest a person filing a false report.'').
By contrast, the National Association of Attorneys General (000008) suggested that the Commission explicitly include itself as an agency with which victims can file identity theft complaints in the final rule. The Commission considers that the final rule is clear that victims may submit reports to any federal law enforcement agency which accepts identity theft complaints. Therefore, although Congress opted to name the United States Postal Inspection Service in the definition of ``identity theft report,'' it is unnecessary to name the Commission or any other federal agency specifically.
After considering these comments, the Commission has determined that it is not necessary to limit further the law enforcement agencies with which identity theft victims can file a report. First, the Commission does not find that restricting law enforcement agencies to those that enforce specific identity theft laws would provide meaningful guidance because identity theft can take many forms and can be prosecuted under many different laws.\42\ Rather, the
Commission notes that consumer reporting agencies and information furnishers may take into account whether the agency with which the law enforcement report was filed appears to have been chosen for the purpose of avoiding inquiry into the identity theft when determining whether to request additional information or documentation to assess the validity of the identity theft claim.
\42\ A law enforcement agency may derive its authority to investigate identity theft cases not from a specific law criminalizing identity theft, but from a law criminalizing bank fraud, for example.
Second, the Commission notes that some victims are faced with police departments that will not take identity theft complaints. This problem, combined with the fact that most federal and some state law enforcement agencies use automated systems to take reports means that excluding law enforcement agencies that take automated reports would unduly burden victims of identity theft. Finally, the Commission is not convinced that excluding the Commission's complaint intake system would diminish the risk of false filings, because the Commission, like any other law enforcement agency, can take steps to pursue any evidence of false filings.\43\
\43\ See 18 U.S.C. 1001. Although the Commission does not have criminal authority to arrest a person or to prosecute identity theft cases directly, based on its Congressional mandate under the 1998 Identity Theft Assumption and Deterrence Act, Pub. L. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. 1028), it works closely with criminal law enforcement agencies at all governmental levels to analyze the complaints in its database and refer out possible leads for investigation. Thus, complaints made to the Commission may be subject to criminal law enforcement review in much the same way as complaints made directly to federal agencies with criminal authority.
On a different issue, certain commenters raised concerns about the meaning of an ``official, valid report.'' Some requested that the Commission clarify this concept. In order for the report to be considered official and valid, others wanted the report form to state that criminal penalties apply to false statements.\44\ The Commission does not find the term ``official, valid report'' to be ambiguous. Further, if the consumer reporting agencies or information furnishers receive copies of law enforcement reports that contain so little information or indications of authenticity as to cause them to be unable to verify that a genuine law enforcement agency issued the report or accepted the filing, or if they determine that the report was fraudulent in any material aspect, they may reject the document as not being a copy of an official, valid law enforcement report.\45\ Finally, because not all police report forms contain an express notice regarding criminal penalties for false statements, the Commission considers that excluding a law enforcement report on such a basis would add unnecessary consumer confusion and hardship to the process of obtaining a law enforcement report.
\44\ See, e.g., Consumer Data Industry Association 000009 (``* * * the rule should give examples of what constitutes a `an official, valid report') and Experian Information Solutions 000012 (``An `official, valid' report is one that on its face demonstrates that the complainant is subject to criminal penalties for any false statements in the report.'').
\45\ With respect to reports filed with an automated system, a consumer reporting agency or information furnisher could expect to receive some evidence of a filing confirmation receipt along with the copy of the actual report, thereby allowing it to verify with the agency that a report was filed.
Some commenters were concerned that the Commission's proposal to allow consumer reporting agencies and information furnishers to make reasonable requests for additional information or documentation for an ``identity theft report'' may result in consumer confusion by requiring victims to submit different information or documentation to different companies.\46\ Commenters also argued that permitting a reasonable request for additional information or documentation created the potential for abuse,\47\ and could make recovery more difficult as well as delay the provision of services.\48\ Permitting a reasonable request for additional information or documentation may result in victims having to submit different information or documentation to different companies. However, the requirement that the request must be reasonable should limit requests. On balance, the Commission believes that allowing consumer reporting agencies and information furnishers to make reasonable requests on a case-by-case basis will help prevent abuse of the credit reporting system and maintain the viability of the recovery process for bona fide victims as contemplated by the Act.
\46\ See, e.g., Consumers Union EREG-000002 (``* * * the proposed definition will create a bewildering situation in which one consumer could be required to augment a single police report in different ways for different CRAs and different furnishers in order to meet the basic definition of an identity theft report. It will be impossible for the Commission, consumer groups, or even CRAs and creditors to tell consumers what to file to constitute an identity theft report.'').
The National Association of Attorneys General (000008) suggested an alternative to allowing variable requests for additional information or documentation in that, ``* * * the regulations should provide one form containing all information that identity theft victims are expected to provide, such as the FTC affidavit form which is already available on the FTC's website.''
The referenced ID Theft Affidavit was developed by the Commission in coordination with consumer advocate organizations and financial institutions. While it was intended to save time for victims by giving them a uniform means to provide basic information about their identity theft claim, it never purported to cover all necessary information, and companies might ask for additional information. See Instructions for Completing the ID Theft Affidavit at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf. Given
the variety of forms of identity theft, it is doubtful that a single form could contain all information that all identity theft victims could be expected to provide, yet not be overly burdensome to complete. For example, an information furnisher may need to confirm passwords or other security measures when unauthorized account use has occurred.
\47\ Consumers Union (EREG-000002) also was concerned that requests for additional information or documentation may be abused by consumer reporting agencies and information furnishers. The Commission disagrees that it has opened the door to abusive requests. The Commission carefully crafted the proposed rule to require that requests for additional information or documentation be reasonable.
\48\ Finally, Consumers Union (EREG-000002) argued that allowing requests for additional information would delay the placement of extended fraud alerts. The Commission stated in the examples in the final rule that a law enforcement report submitted for the purpose of obtaining an extended fraud alert, even if filed using an automated system, should not trigger a request for additional information or documentation. In developing this example, it did not appear to the Commission that requests for extended fraud alerts needed to be subject to special scrutiny as there had been no evidence that fraud alerts under the voluntary placement system were requested without cause. No commenters raised any objection to this example. Thus, the Commission anticipates that victims will obtain extended fraud alerts without additional delay in accordance with the placement procedures set forth by the Act.
In any event, consumers who have not already done so may place an initial alert while their request for an extended alert is being processed. Thus, consumers who immediately place an initial fraud alert will receive all of the benefits of this alert.
Other comments raised the concern that the Commission's five business day time limit on the request for additional information or documentation did not provide a long enough time period to evaluate the need for and to make an initial request.\49\ The Commission
recognizes that five business days may not be long enough to fairly evaluate the law enforcement report for some consumer reporting agencies or information furnishers. The consequences may be to force them to choose between accepting the law enforcement report as the complete identity theft report regardless of whether the identity theft claim is legitimate, or sending out pro forma requests for additional information or documentation, which may or may not be reasonable under the circumstances. The former instance would undermine the Commission's reasons for allowing reasonable requests of information or documentation initially--to minimize abuse of the credit reporting system. The latter instance might result in an increase of consumer complaints and disputes regarding the reasonableness of the information or documentation requests, which would not be a beneficial use of consumers' time and resources. Thus, the Commission considers that allowing consumer reporting agencies and information furnishers to have a longer period of time to evaluate the law enforcement report will better limit fraud and provide a better outcome overall for consumers.
\49\ See, e.g., Michigan Credit Union League EREG- 000024 (``We believe that the five-business day window may be insufficient time to allow credit unions to request the additional information. This might particularly impact credit unions that are very large or very small. Large credit unions could potentially be inundated with identity theft reports and not be able to request that information within the proposed time frame. Small credit unions may not have the staffing or be open more than one to two days per week. This would prevent them from being able to request this information.'') and Keycorp EREG-000007 (``We believe it is appropriate to include additional documentation requirements in the definition of ``Identity Theft Report.'' However, we are greatly concerned with regard to the timing of the information request by the furnisher or credit reporting agency. Given the complexity of the financial transactions that may be involved in the ID theft claim, coupled with the number of Identity Theft Reports an institution may receive, we do not believe that five business days is sufficient time to receive the Identity Theft Report, evaluate the transaction information contained in the Report, determine what additional information may be required from the consumer to validate the claim, and request the information from the consumer. We believe a minimum of fifteen business days is required to properly evaluate and react to an Identity Theft Report responsibly.'').
Commenters' suggestions on a longer time period ranged from ten to thirty days (both calendar and business days). The Commission has determined to modify its proposed rule to allow consumer reporting agencies and information furnishers to have fifteen calendar days to make an initial request for additional information or documentation. Fifteen calendar days is approximately five business days more than the Commission had originally proposed, which should allow all consumer reporting agencies and information furnishers sufficient time to determine whether additional information or documentation is needed, but should not cause victims undue delay.
Some commenters also requested an opportunity to make further requests for information or documentation, if necessary.\50\ The Commission believes that an exchange of communication between consumer reporting agencies or information furnishers and consumers will allow for a more thorough investigation of the validity of identity theft claims. Furthermore, some consumers may make mistakes in what information or documentation they provide initially and would benefit from further opportunities to furnish the correct information.
\50\ See, e.g., American Bankers Association EREG- 000034 (``* * * the Commission should permit more than a single request. In many cases, it will be necessary to request additional information in order to properly handle the claim as it progresses.'').
Commenters generally suggested one time period to cover both initial and multiple requests or made no specific suggestions. The Commission believes that additional requests should be permitted. However, one time period for both initial and multiple requests could result in the first request of additional information or documentation being made on the last day of the time period, with subsequent requests being made at indefinite times thereafter. The Commission believes that this could unfairly delay the recovery of victims. Therefore, the Commission has determined to retain a limited time period (fifteen calendar days) for an initial request to ensure that an investigation commences promptly, and to set a time limit of fifteen additional days after the initial request for any further requests for information or documentation, as well as a final determination on acceptance or rejection of the ``identity theft report.'' However, in the event that a consumer should submit the additional information or documentation too late in this second fifteen day period for a consumer reporting agency or an information furnisher reasonably to be able to review it, the Commission will allow the consumer reporting agency or information furnisher an additional five days to make a final determination on acceptance or rejection of the ``identity theft report.'' For example, if the additional information or documentation is received on day fourteen of this second fifteen day period, the consumer reporting agency or information furnisher may have five days, if needed, to make a final determination on acceptance or rejection of the ``identity theft report.''
Thus, although in many instances it should take much less time to reach a final determination,\51\ under no circumstances will it take longer than thirty-five days.\52\ This timing balances the needs of victims to have a finite process for submitting an identity theft report, with the needs of consumer reporting agencies and information furnishers to verify the identity theft. To ensure that victims will understand the operation of this final rule and to facilitate their ability to obtain an identity theft report with minimal delay, the Commission will conduct consumer and business education to advise victims of their rights. The Commission anticipates that should consumer reporting agencies and information furnishers make requests for additional information or documentation, they will inform consumers about the time frame within which information or documentation should be submitted and the outcome if the requested information or documentation is not submitted in a timely manner.
\51\ The Commission expects that consumer reporting agencies and information furnishers will make any requests as expeditiously as possible. In particular, it expects that any supplemental requests for information or documentation would be made as soon as practicable to allow consumers sufficient time to respond. It further notes that in practice, many victims may make initial contact with a company by a telephone call as opposed to submission of a law enforcement report. At that time, many consumer reporting agencies or information furnishers likely would discuss with the victim what information or documentation, if any, in addition to the law enforcement report may be needed to validate the identity theft claim so that victims can expedite the process by submitting all necessary documentation together. Thus, the Commission anticipates that a consumer reporting agency or information furnisher may develop an even more efficient and accommodating process for assisting identity theft victims than the minimum standard for timing set forth under this final rule.
\52\ While not directly on point, the Commission observes that the section 611 time period for reinvestigation of disputed information can range from thirty to forty-five days depending on whether the consumer provides the consumer reporting agency with additional relevant documentation. 15 U.S.C. 1681i. The maximum thirty-five day period here is adequate because, unlike under section 611, the procedures here explicitly contemplate a dialogue, if needed, within the second fifteen day period, with a possible additional five days for final review.
Additionally, a number of commenters requested that the Commission develop a procedure by which consumer reporting agencies or information furnishers could reject identity theft reports. The Commission believes that consumer reporting agencies and information furnishers already have a procedure for rejecting identity theft reports. If the document or documents the consumer presents do not meet the definition set forth in the final rule, the consumer reporting agencies and information furnishers can reject them.
A number of commenters also requested that the Commission clarify the clause ``filed by the consumer'' in paragraph (2) to mean filed directly by the consumer, and not by someone else on behalf of the consumer, as a means of preventing illegal credit repair.\53\ The
Commission believes that there may be a number of legitimate reasons why a third party (e.g., a guardian or an attorney-in-fact) might file an identity theft report on behalf of a consumer. The Commission believes that to the extent a third party is filing false identity theft reports on behalf of a consumer, the Commission has provided consumer reporting agencies and information furnishers with sufficient flexibility within the definition to determine the validity of the identity theft report just as if the consumers had filed the false identity theft reports themselves. In fact, to the extent a consumer reporting agency or information furnisher recognizes the same filer or a pattern to the filings, it could consider such information as a factor in determining the validity of the identity theft report.
\53\ See, e.g., Consumer Bankers Association 000007 (``We believe an important corollary to the requirement that the identity theft report be filed with an appropriate law enforcement agency is that the report must be filed by the consumer, and not by another entity. CBA is concerned that credit repair clinics and other unscrupulous individuals should not be permitted to file identity theft reports on consumers' behalf.'').
In the NPRM, the Commission provided examples of when it would or would not be reasonable to request additional information or documentation. Commenters asked for clarification on these examples. With respect to the first example,\54\ a number of commenters wanted to be able to request additional information or documentation even if the victim provided a suitable police report. Some commenters pointed to section 609(e) of the FCRA, which allows a business to ask for a police report and an affidavit to verify a claim of identity theft before providing copies of the victim's identity theft related transaction records, as an example that Congress intended that they should be able to request additional information or documentation in all cases.\55\
\54\ Example 1: A law enforcement report containing detailed information about the identity theft and the signature, badge number or other identification information of the individual law enforcement official taking the report should be sufficient on its face to support a victim's request. In this case, without an identifiable concern, such as an indication that the report was obtained fraudulently, it would not be reasonable for an information furnisher or consumer reporting agency to request additional information or documentation. 69 FR 23378.
\55\ See, e.g., Consumer Data Industry Association 000009 (``In addition, the verification element is consistent with the FACT Act provisions, codified in FCRA section 609(e), with respect to the obligations of a business entity to disclose information to an identity theft victim. Those provisions give the entity the discretion always to request the following from the victim, in order to verify the claim of identity theft: (i) A copy of a police report evidencing the claim; and (ii) a properly completed (I) copy of a standardized affidavit of identity theft developed and made available by the Commission; or (II) an affidavit of fact that is acceptable to the business entity for that purpose.
[Footnote 12: FCRA 609(e)(2)(B); 15 U.S.C. 1681g(e)(2)(B) (emphasis added).] However, as discussed below, CDIA is concerned that the illustrative examples in the Proposed Rule appear to suggest that in some instances, it would be unreasonable for a consumer reporting agency to request a fraud affidavit or similar information when the consumer provides a police report. Such a suggestion would create unjustified inconsistency, because the FCRA itself permits furnishers to use their discretion to request such information in similar circumstances.'').
The Commission views the examples as sufficiently clear; they convey that it is reasonable for a consumer reporting agency or information furnisher to request additional information or documentation if the in-person police report is lacking in necessary information or the consumer reporting agency or information furnisher can identify some other reasonable concern underlying the request. Thus, although the examples are intended to demonstrate that victims should not be required to provide redundant information for no discernable reason, they make equally clear that consumer reporting agencies or information furnishers are not prevented from taking reasonable steps to verify the identity theft.
Moreover, Congress did not include the requirements of section 609(e) in the definition of ``identity theft report.'' Instead, it granted the Commission rulemaking authority to determine how the ``identity theft report'' should most appropriately be defined. The Commission believes that it would be overly burdensome to consumers if consumer reporting agencies and information furnishers could request additional information or documentation without an underlying rationale. Further, as discussed above, the Commission believes that it has provided consumer reporting agencies and information furnishers with sufficient flexibility to verify identity theft claims.
Some commenters were concerned that specific language in the first example, that ``the report was fraudulently obtained,'' excluded reports that were counterfeit or otherwise falsified.\56\ For the sake of clarity, the Commission has changed this language to ``the report was fraudulent.'' At least one commenter noted that the fifth example seemed unclear.\57\ The Commission agrees and considers that the caution against unreasonable redundancy in example 5 is already covered by the other examples. Therefore, it has deleted the fifth example. The remaining examples are unchanged.
\56\ See, e.g., Consumer Data Industry Association 000009 (``Although the example would permit requests for additional information if there is some indication that the report was obtained fraudulently, the example should also permit additional information if the report was fraudulently created or altered.'').
\57\ See, e.g., Consumer Data Industry Association 000009 (``(5) If the information the information furnishers or the consumer reporting agencies are seeking is already found in the law enforcement report which is otherwise satisfactory, it would not be reasonable to request that the consumer fill out the same information on a different form. The point of this example is unclear.'').
Section 613.1: Duration of Active Duty Alerts
Under section 112 of the Act, service members who meet the definition of an active duty military consumer \58\ are permitted to place an active duty alert in their consumer report maintained by a nationwide consumer reporting agency covered under the definition of section 603(p) of the FCRA. The Act sets a minimum period of 12 months for the duration of the active duty alert, but required the Commission to determine if this period should be longer. In the NPRM, the Commission proposed to maintain the duration of the active duty alert at 12 months because it believed that 12 months would cover adequately the time period for which the majority of service members would be deployed. A number of commenters, including the one service branch commenting directly on the issue, supported the Commission's proposal.\59\
\58\ FACT Act sec. 111, codified at FCRA sec. 603(q)(1), 15 U.S.C. 1681a(q)(1).
The term ``active duty military consumer'' means a consumer in military service who--
(A) Is on active duty (as defined in section 101(d)(1) of Title 10 U.S.C.) or is a reservist performing duty under a call or order to active duty under a provision of law referred to in section 01(a)(13) of Title 10 U.S.C.; and
(B) Is assigned to service away from the usual duty station of the consumer.
The Commission notes that the United States Marine Corps (000004) requested clarification of this definition due to concerns that reservists do not have a usual duty station and that some service assignments may only be temporary. However, with respect to active duty alerts, Congress charged the Commission solely with considering whether to lengthen the duration of the active duty alert.
\59\ See, e.g., Office of the Judge Advocate General, Department of the Navy 000011 (``The active duty alert should remain at 12 months. * * * The disadvantage of a longer duration for the active duty alert is that service members may need to remove the alert instead of allowing it to expire. For understandable security reasons it will be more difficult to remove an alert than it is to place one. Delays experienced in removing an alert can negatively impact an individual's ability to establish lines of credit or procure loans. Additionally, a 12-month duration for an alert strikes the balance of meeting the active duty military member's needs without being an undue burden on consumers or creditors.'').
Opposing commenters generally suggested that service members should be able to choose their own duration or select among options of pre- determined lengths.\60\ The Commission has
understood that a term of deployment is generally 12 months or less. Deployments may be extended, but service members will not know if their deployments will be extended before they leave on their initial deployment. Thus, it would seem, in the majority of cases, that it would be impossible for service members to accurately select a duration greater than 12 months.
\60\ See, e.g., Navy Federal Credit Union 000022 (``While many tours of active duty may span 12 months, many do not. We believe that the agency should prescribe flexibility for those cases where a servicemember's deployment extends beyond the 12-month duration and broaden the definition of `active duty alert.' We suggest that the rule be written to allow a servicemember to place an alert from 12 to 24 months or, in the alternative, allow the servicemember to place an alert for the expected term of his or her tour of duty.'').
The Commission considers that a better solution would be for service members whose deployments are greater than 12 months to place a subsequent active duty alert.\61\ In the NPRM, the Commission asked for comments on the ability of service members to do so, particularly if they already are deployed. The Commission received only a few responsive comments.\62\ The one comment on the issue from a military service branch indicated that its personnel likely would have access to email, regular U.S. mail and/or a commercial phone line at least during a portion of the deployment. The Commission expects that the active duty alert may be renewed by using at least some of these communication methods.\63\
\61\ The Commission notes that although the Act is silent on the placement of subsequent alerts, it would be illogical to read the Act otherwise because service members may go on deployments that meet the elements of the definition of the term ``active duty military consumer'' several times during their service careers.
\62\ See, e.g., Office of the Judge Advocate General, Department of the Navy 000011 (``Navy personnel on extended deployments will in most circumstances have access to Email, regular U.S. Mail and/or a commercial phone line at least during a portion of the deployment. Assuming one of these methods of communication will be sufficient to establish or extend an active duty alert then it should not be difficult for a service member to accomplish. Additionally, deploying units frequently hold pre-deployment briefings at which deploying personnel can be briefed on the active duty alert and the option of identifying a personal representative capable of extending the active duty alert if it becomes necessary.''); Michigan Credit Union League EREG-000024 (``If necessary, we don't believe that it would be difficult to extend an active duty alert, since part of the process of being called to active duty often requires a service person to designate a person as their power of attorney. If the active duty is going to be extended, then the service person or a designated power of attorney could request an extension.''); and Consumers Union EREG- 000002 (``It will be difficult for some. While many service members do have a personal representative, others, particularly those without spouses, may not wish to give another person access to their credit record.'').
\63\ Communication also should be made easier for deployed service members because they only need to contact one of the consumer reporting agencies when placing an active duty alert. Under section 605A of the FCRA, the contacted consumer reporting agency must refer the request for placement to the other nationwide consumer reporting agencies. 15 U.S.C. 1681c-1.
Accordingly, the Commission adopts the duration of the active duty alert without modification.
Section 614.1: Appropriate Proof of Identity
Subsection 112(b) of the Act requires the Commission to determine what constitutes appropriate proof of identity for purposes of sections 605A (request by a consumer, or an individual acting on behalf of or as a personal representative of a consumer, for placing and removing fraud and active duty alerts), 605B (request by a consumer for blocking fraudulent information on consumer reports), and 609(a)(1) (request by a consumer for Social Security number truncation on file disclosures) of the FCRA, as amended by the Act. The Commission proposed that the rule would require consumer reporting agencies to develop reasonable requirements to identify consumers in accordance with the risk of harm that may arise from a misidentification, but which, at a minimum, should be sufficient to match consumers with their files. The Commission also proposed examples of the kind of information that it might be reasonable to request to match consumers with their files as well as for additional identification. In developing this proposal, the Commission determined that the central consideration was the balance between the harm to the consumer that might arise from inadequate identification with the harm that might arise from delayed or failed fulfillment of requested services due to greater levels of scrutiny. Because the Commission considered that the risk of harm may differ depending on a variety of factors including the service being requested,\64\ it sought to develop a standard of proof that had sufficient flexibility to accommodate these differences. Moreover, the Commission viewed the consumer reporting agencies as being in the best position to assess these differences. Commenters were generally supportive of the Commission's approach,\65\ but many requested clarifications on various points.
\64\ For example, given the function of fraud alerts in preventing identity theft, they need to be placed without delay, yet they seem unlikely to be placed by someone other than the consumer or without authorization from the consumer. Thus, unless these circumstances were to change, it would not seem necessary to require more identification than is needed to match the consumer's file. With respect to requests for removal of fraud alerts, however, there would seem to be some incentive for someone other than the consumer, such as an identity thief, to remove them. A delay due to greater scrutiny of the requester would likely cause less harm than an improper removal, and would thus justify greater proof of identity. 69 FR 23374.
\65\ See, e.g., Consumer Bankers Association 000007 (``The Proposed Rule requires consumer reporting agencies to `develop and implement reasonable requirements for what information consumers shall provide to constitute proof of identity.' We commend the FTC for determining that the consumer reporting agencies are in the best position to determine what should suffice as `appropriate proof of identity' in these circumstances. Like the FTC, we believe that the consumer reporting agencies are best equipped to evaluate the risks of misidentifying the consumer as well as the types of information that would be necessary to identify the consumer properly. Therefore, we urge the FTC retain this approach in the Final Rule.'').
A few commenters requested clarification that the Commission's rule did not require that a consumer reporting agency be able to match consumer-provided information with their file information to a perfect degree.\66\ This rule is not intended to reach the question of whether a consumer reporting agency should match information completely, but rather to set forth the type of information that would allow the agency to accurately find the right consumer's file in its database, and as necessary, determine that the requester is in fact the consumer.
\66\ See, e.g., Sprint Corporation EREG-000013 (``The Commission should make clear that when a file match process is used, it is not requiring that there be a `full match.' For example, a consumer may provide his address as 143rd. yet other records may identify the address as 143rd Street or Terrace. Similar variances or even keystroke errors can occur with street numbers and customer names. If a 100 percent match were required, a high percentage of requests would likely be rejected by automated systems and fall out for manual processing, which would entail length delays and add significant costs. The Commission should make clear that it is not requiring reporting agencies and information furnishers to use, build or modify systems requiring a 100 percent match with no variance allowed, if they use a file match process.'').
Other commenters were concerned that the rule not be used to make it more difficult for consumers to obtain the requested services.\67\ Because the rule states that consumer reporting agencies ``shall develop and implement
reasonable requirements for what information consumers shall provide,'' the Commission believes that this required element of reasonableness, taken together with the examples of types of reasonable information, will limit the likelihood that a consumer reporting agency would make identification unduly difficult for consumers.
\67\ See, e.g., Consumers Union EREG-000002 (``Consumer advocates are concerned that CRAs and, in particular, furnishers may insist on heightened identification requirements in order to make it more difficult to access the rights conferred on identity theft victims by Congress. To prevent this undesirable outcome, while still preserving flexibility, the rule itself should prohibit excessive identification standards. For placing an alert, and for trade line blocking, the rule should prohibit requiring more information than the level of information sufficient to enable the consumer reporting agency to match consumers with their files. The amount of identifying information must not be more than is reasonably necessary in light of the risk to the consumer of a delay in the exercise of an identity theft prevention right.'').
Commenters also were concerned about the reasonableness of allowing consumers to be asked to provide their full Social Security numbers.\68\ The Commission believes it is reasonable for consumer reporting agencies to request the full Social Security number if they determine it to be necessary. Consumer reporting agencies already have the full number so the risk that accompanies a new disclosure is minimal. Furthermore, because names, addresses, and birth dates are not always unique to a consumer, full Social Security numbers may be necessary to ensure that consumer reporting agencies match the consumer with the correct file. Moreover, the use of partial Social Security numbers may not provide sufficient accuracy when an agency is working with a large database.
\68\ See, e.g., Consumers Union EREG-000002 (``We are strongly opposed to the portion of the example which suggests that it is appropriate to require a consumer who has been a victim of identity theft to provide the full nine digits of the Social Security Number. Matching requirements for consumers to exercise their identity theft prevention rights under FACTA should be no more stringent than the level of matching which the CRAs require from users of credit files. Consumers are understandably reluctant to give their Social Security Numbers. Consumers who have been victims or who are concerned about becoming victims of identity theft may be even more concerned about safeguarding this number. If a CRA or furnisher is permitted to request a Social Security Number at all (to place an alert or a block), it should be limited to the last four digits of the Social Security Number, rather than the entire number.'').
Some commenters were concerned that differing standards of identification would lead to confusion \69\ or delays in service.\70\ Under the voluntary systems of fraud alert placement and fraudulent information blocking existing prior to the Act, the Commission saw no evidence of consumer confusion in the standards of identification different consumer reporting agencies selected. One standard could also lead to consumers being asked for too much information in order that every consumer reporting agency satisfy the standard of the one consumer reporting agency that needed the most information due to its particular circumstances.
\69\ See, e.g., Equifax Information Systems 000023 (``Allowing adjustments commensurate with the risk of harm allows too much leeway and could result in different standards and risk evaluations by nationwide consumer reporting agencies and data furnishers. One data furnisher or nationwide consumer reporting agency may accept the proof of identity and the others not, resulting in confusion to consumers and the system.'').
\70\ See, e.g., Consumers Union EREG-000002 (``This approach may defeat the FACTA goal of permitting consumers to request an alert from one of the three major credit reporting agencies, and have that alert forwarded to the additional agencies. If each agency has a different set of identification requirements, how will referral of fraud alert requests work? The statutory goal cannot be served if the request is made, but is not honored, because of differing identification requirements among CRAs. In that situation `one call' doesn't `do it all.' '').
The Act requires nationwide consumer reporting agencies to refer fraud alerts to each other for placement in a consumer's report. The Commission does not believe that it is necessary for the final rule to determine how these consumer reporting agencies comply with this requirement of the Act. The Commission considers that the final rule provides these consumer reporting agencies with the necessary flexibility to comply, and expects that they will select the correct standard of identification to ensure their compliance, or modify the standard as necessary should they be found to be out of compliance.
One commenter requested clarification of ``current methods of authentication'' in paragraph (b)(2).\71\ The Commission used the term ``current'' to demonstrate that authentication methods may change over time and the examples should be sufficiently flexible to adapt accordingly. However, to avoid confusion, the Commission has deleted the word ``current.''
\71\ Consumer Data Industry Association 000009 (``It is unclear what is meant by `current' methods.'').
Some commenters requested that additional types of information be added to the examples.\72\ It was not the Commission's intention to specify every form of authentication that a consumer reporting agency could use. Rather, the intent was to distinguish the type of information that might be sufficient for finding consumers' files from the type of information that could prove that the consumers are who they purport to be. Therefore, the Commission does not deem it necessary to include additional authentication methods. However, in paragraph (b)(1), the Commission has added the language ``current and/ or recent'' before ``full address'' to make clear that consumer reporting agencies may request additional addresses for consumers who have recently relocated as it may be less apparent that such information may be necessary to find a consumer's file.
\72\ See, e.g., Consumer Data Industry Association 000009 (``CDIA also suggests that the final rule include as examples of alternative proof of identity copies of pay stubs and W- 2 forms.'') and TransUnion LLC 000018 (``* * * we ask that a consumer's previous address (if the consumer has resided at the present address for less than two years) be an example of appropriate information.'').
Except for the changes to the examples referenced above, the Commission makes no changes to the rule or the examples.
Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612, requires that the Commission provide an Initial Regulatory Flexibility Analysis (``IRFA'') with a proposed rule and a Final Regulatory Flexibility Analysis (``FRFA''), if any, with the final rule, unless the Commission certifies that the rule will not have a significant economic impact on a substantial number of small entities (i.e., in general, those with less than $6,000,000 in average annual receipts). 5 U.S.C. 603-605.
The Commission hereby certifies that the final rules will not have a significant economic impact on a substantial number of small entities. The final rules apply to consumer reporting agencies, including agencies that are small entities, if any; persons that furnish information to consumer reporting agencies (``information furnishers''), including persons that are small entities, if any; and to users of consumer reports who are seeking to extend credit to consumers, including users that are small entities, if any. The Commission has concluded that currently there are no nationwide consumer reporting agencies that are small entities (with less than $6 million in average annual receipts). In the NPRM, the Commission stated that a precise estimate of the number of small entities that are other consumer reporting agencies (with less than $6 million in average annual receipts) and users of consumer reports within the meaning of the proposed rules was not currently feasible. In the NPRM, therefore, the Commission asked several questions related to the existence, number and nature of small business entities covered by the proposed rules, as well as the economic impact of the proposed rules on such entities. The Commission received no comments responsive to these questions. Thus, the Commission has been unable to determine precisely how many, if any, consumer reporting agencies, information furnishers, and users of consumer reports are small entities within the meaning of the final rules. Based on its own experience and knowledge of industry practices and members, however, the Commission believes that although there may be a number of small entities among the other consumer reporting agencies,
information furnishers and the users of consumer reports, and the economic impact of the final rules on a particular small entity could be significant, overall the final rules likely will not have a significant economic impact on a substantial number of small entities. The Commission believes further that the regulations will have a minimal impact on small entities because the regulations give these entities flexibility to adapt their existing requirements to ensure that they are providing correctly the services requested by consumers.
Accordingly, this document serves as notice to the Small Business Administration of the agency's certification of no effect. Nonetheless, the Commission has determined to publish a Final Regulatory Flexibility Analysis with the final rules. Therefore, the Commission has prepared the following analysis:
Need for and Objectives of the Rule
The Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108- 159, 117 Stat. 1952 (FACT Act or the Act), directs the Commission to adopt rules to establish: (1) Definitions for the terms ``identity theft'' and ``identity theft report;'' (2) the duration of an ``active duty alert;'' and (3) the appropriate proof of identity for purposes of sections 605A (fraud alerts and active duty alerts), 605B (consumer report information blocks), and 609(a)(1) (truncation of Social Security numbers) of the FCRA, as amended by the Act. In this action, the Commission promulgates final rules to fulfill the statutory mandate. The rules are authorized by and based upon sections 111 and 112 of the FACT Act.
Significant Issues Raised by Public Comment
The Commission received no public comments on the specific impact, if any, of the rules on small entities. As explained above, the Commission has been unable to determine precisely how many, if any, consumer reporting agencies, information users, and users of consumer reports are small entities within the meaning of the final rules. Overall, however, the Commission believes that the final rules likely will not have a significant economic impact on a substantial number of small entities. Furthermore, as discussed below, the Commission has determined that with respect to small entities, if any, the final rules do not include a collection of information requirement subject to the Paperwork Reduction Act of 1995.
The Commission, however, has considered that Sec. 603.3 of the rules, which defines the term ``identity theft report'' and establishes that it may include additional information or documentation to help information furnishers or consumer reporting agencies determine the validity of the alleged identity theft, could apply to small entities, if any. As proposed in the NPRM, the request, if any, for additional information would have to have been made no later than five business days after the date of receipt of the report or the request by the consumer for a particular service, whichever came later. A few commenters questioned certain aspects of the process for requesting additional information set forth in Sec. 603.3, and they directly commented on the potential impact of the process on small entities, if any. For example, the commenters stated that a small business may need more than five business days to request additional information from a consumer, especially in light of the potential increase in the number of identity theft reports that will be received by small businesses, which may have limited staffing and hours of operation. Specifically, the commenters indicated that a small business may need more than five business days to receive an identity theft report, process it, review its contents, and search its files to determine whether it needs additional information from a consumer.\73\ In this Statement of Basis and Purpose, the Commission has explained its consideration of and response to those comments. The Commission has made certain changes in Sec. 603.3 of the final rules that should further minimize its impact on all information furnishers and consumer reporting agencies, which would include those, if any, that may be small entities. These changes, which provide information furnishers or consumer reporting agencies with additional opportunities, over a longer period of time than originally proposed (30 days), to request more information from consumers, are explained above in the discussion of the revisions made to Sec. 603.3 of the rules.
\73\ See, e.g., Coalition to Implement the Fact Act 000019, the Michigan Credit Union League EREG- 000024, America's Community Bankers 000024, and the Juniper Bank 000026.
Small Entities to Which the Rules Will Apply
As described above, the final rules apply to consumer reporting agencies, including agencies that are small entities, if any; information users, including agencies that are small entities, if any; and to users of consumer reports, including users that are small entities, if any. In the NPRM, the Commission stated that a precise estimate of the number of small entities that are consumer reporting agencies (with less than $6 million in average annual receipts) and users of consumer reports within the meaning of the proposed rules was not currently feasible. The Commission, however, invited comment and information on this issue. No comments addressed this issue, and no information with respect to small entities that might be affected by the rules was provided. Thus, based on the lack of response to its request for comments, the Commission has been unable to determine precisely how many, if any, consumer reporting agencies, information furnishers and users of consumer reports are small entities within the meaning of the final rules.\74\
\74\ In addition, to the extent the rules may indirectly affect small governmental jurisdictions (e.g., local police departments that may provide reports about identity theft to consumers), which are defined as small entities pursuant to the RFA (5 U.S.C. 601(5)), the U.S. Census Bureau's Governments Integrated Directory as enumerated for the 2002 Census of Governments, suggests there are approximately 85,000 such jurisdictions nationwide. It is not feasible, however, for the Commission to estimate precisely how many, if any, of these jurisdictions may provide reports about identity theft to consumers.
Projected Reporting, Recordkeeping and Other Compliance Requirements
In the NPRM, the Commission tentatively determined that with respect to small entities, if any, the proposed rules did not include a collection of information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501; 5 CFR 1320). The rules do contain collections of information affecting individual consumers and those activities have been separately approved under the Act, as described in section IV, infra. The Commission, however, sought comment on any paperwork burden that the proposed rules may impose on small entities to ensure that no burden had been overlooked. No comments addressed this issue. Accordingly, the Commission has determined that with respect to small entities, if any, the final rules do not include a collection of information subject to the Paperwork Reduction Act of 1995.
The Commission recognizes, however, that consumer reporting agencies, information furnishers and users of consumer reports, including those that might be small entities, if any, may incur some indirect, incidental expenses associated with the regulatory scheme established by the rules. Most of these expenses will be in the form of printing,
copying, mailing and filing costs associated with processing and reviewing identity theft reports, validating the information received from consumers, and requesting additional information from consumers, if necessary, to determine the validity of the alleged identity theft or the consumer's proof of identity. It is not feasible for the Commission to estimate precisely such expenses without information regarding the volume of the aforementioned activities. It is likely, however, that some of the aforementioned expenses would be incurred anyway in the ordinary course of business.
Steps Taken To Minimize Significant Economic Impact of the Rules on Small Entities
The Commission invited comment and information with regard to (1) the existence of small business entities for which the proposed rules would have a significant economic impact; and (2) suggested alternative methods of compliance that, consistent with the statutory requirements, would reduce the economic impact of the rules on such small entities.
The Commission received no information or suggestions in response to these questions. As explained above, however, the Commission has written the final rules, and made certain changes to the final rules, to minimize their impact on all entities that are subject to the rules, including small entities, if any, that may be subject to the rules. For example, the Commission has written the final rules to provide information furnishers or consumer reporting agencies with additional opportunities, over a longer period of time than originally proposed (30 days), to request more information from consumers.
Final Paperwork Reduction Act Analysis
In accordance with the Paperwork Reduction Act, as amended, 44 U.S.C. 3501 et seq., the Commission submitted the proposed rules to the Office of Management and Budget (``OMB'') for review. The OMB has approved the rules' information collection requirements through June 30, 2007, and has assigned OMB control number 3084-0129. The Commission did not receive any comments relating to its original burden estimates for the rules' information collection requirements.
List of Subjects in 16 CFR Parts 603, 613, and 614
Fair Credit Reporting Act, Consumer reports, Consumer reporting agencies, Credit, Information furnishers, Identity theft, Trade practices.
0 Accordingly, for the reasons set forth in the preamble, the Commission amends title 16 of the Code of Federal Regulations as follows: 0 1. Add part 603 to read as follows:
Sec. 603.1 [Reserved] 603.2 Identity theft. 603.3 Identity theft report.
Authority: Pub. L. 108-159, sec 111; 15 U.S.C. 1681a.
Sec. 603.1 [Reserved]
Sec. 603.2 Identity theft.
(a) The term ``identity theft'' means a fraud committed or attempted using the identifying information of another person without authority.
(b) The term ``identifying information'' means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any--
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
Sec. 603.3 Identity theft report.
(a) The term ``identity theft report'' means a report--
(1) That alleges identity theft with as much specificity as the consumer can provide;
(2) That is a copy of an official, valid report filed by the consumer with a Federal, State, or local law enforcement agency, including the United States Postal Inspection Service, the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information, if, in fact, the information in the report is false; and
(3) That may include additional information or documentation that an information furnisher or consumer reporting agency reasonably requests for the purpose of determining the validity of the alleged identity theft, provided that the information furnisher or consumer reporting agency:
(i) Makes such request not later than fifteen days after the date of receipt of the copy of the report form identified in paragraph (a)(2) of this section or the request by the consumer for the particular service, whichever shall be the later;
(ii) Makes any supplemental requests for information or documentation and final determination on the acceptance of the identity theft report within another fifteen days after its initial request for information or documentation; and
(iii) Shall have five days to make a final determination on the acceptance of the identity theft report, in the event that the consumer reporting agency or information furnisher receives any such additional information or documentation on the eleventh day or later within the fifteen day period set forth in paragraph (a)(3)(ii) of this section.
(b) Examples of the specificity referenced in paragraph (a)(1) of this section are provided for illustrative purposes only, as follows:
(1) Specific dates relating to the identity theft such as when the loss or theft of personal information occurred or when the fraud(s) using the personal information occurred, and how the consumer discovered or otherwise learned of the theft.
(2) Identification information or any other information about the perpetrator, if known.
(3) Name(s) of information furnisher(s), account numbers, or other relevant account information related to the identity theft.
(4) Any other information known to the consumer about the identity theft.
(c) Examples of when it would or would not be reasonable to request additional information or documentation referenced in paragraph (a)(3) of this section are provided for illustrative purposes only, as follows:
(1) A law enforcement report containing detailed information about the identity theft and the signature, badge number or other identification information of the individual law enforcement official taking the report should be sufficient on its face to support a victim's request. In this case, without an identifiable concern, such as an indication that the report was fraudulent, it would not be reasonable for an information furnisher or consumer reporting agency to request
additional information or documentation.
(2) A consumer might provide a law enforcement report similar to the report in paragraph (c)(1) of this section but certain important information such as the consumer's date of birth or Social Security number may be missing because the consumer chose not to provide it. The information furnisher or consumer reporting agency could accept this report, but it would be reasonable to require that the consumer provide the missing information.
(3) A consumer might provide a law enforcement report generated by an automated system with a simple allegation that an identity theft occurred to support a request for a tradeline block or cessation of information furnishing. In such a case, it would be reasonable for an information furnisher or consumer reporting agency to ask that the consumer fill out and have notarized the Commission's ID Theft Affidavit or a similar form and provide some form of identification documentation.
(4) A consumer might provide a law enforcement report generated by an automated system with a simple allegation that an identity theft occurred to support a request for an extended fraud alert. In this case, it would not be reasonable for a consumer reporting agency to require additional documentation or information, such as a notarized affidavit.
0 2. Add Part 613 to read as follows:
PART 613--DURATION OF ACTIVE DUTY ALERTS
Sec. 613.1 Duration of active duty alerts.
Authority: Pub. L. 108-159, sec. 112(a); 15 U.S.C. 1681c-1.
Sec. 613.1 Duration of active duty alerts.
The duration of an active duty alert shall be twelve months.
0 3. Add Part 614 to read as follows:
PART 614--APPROPRIATE PROOF OF IDENTITY
Sec. 614.1 Appropriate proof of identity.
Authority: Pub. L. 108-159, sec. 112(b).
Sec. 614.1 Appropriate proof of identity.
(a) Consumer reporting agencies shall develop and implement reasonable requirements for what information consumers shall provide to constitute proof of identity for purposes of sections 605A, 605B, and 609(a)(1) of the Fair Credit Reporting Act. In developing these requirements, the consumer reporting agencies must:
(1) Ensure that the information is sufficient to enable the consumer reporting agency to match consumers with their files; and
(2) Adjust the information to be commensurate with an identifiable risk of harm arising from misidentifying the consumer.
(b) Examples of information that might constitute reasonable information requirements for proof of identity are provided for illustrative purposes only, as follows:
(1) Consumer file match: The identification information of the consumer including his or her full name (first, middle initial, last, suffix), any other or previously used names, current and/or recent full address (street number and name, apt. no., city, state, and zip code), full 9 digits of Social Security number, and/or date of birth.
(2) Additional proof of identity: copies of government issued identification documents, utility bills, and/or other methods of authentication of a person's identity which may include, but would not be limited to, answering questions to which only the consumer might be expected to know the answer.
By direction of the Commission. Donald S. Clark, Secretary.
[FR Doc. 04-24589 Filed 11-2-04; 8:45 am]
BILLING CODE 6750-01-P