Identity theft victims will have a wide swath of new rights under a federal law passed by Congress over the weekend, including free annual credit reports. But the bill essentially erases a number of state measures that provided even stronger protections for consumers. And questions remain about the ability of federal regulators to enforce some of the new provisions designed to help ID theft victims clean up the financial fallout and paperwork problems that result from the crime.
The White House has indicated it will sign the bill.
“We think that the ID theft provisions in this bill are very strong,” said Joe Rubin, executive director of technology and e-commerce at the U.S. Chamber of Commerce. “We don’t think this is a consumer vs. business issue. We think everybody’s interests are aligned.”
As always, the devil is in the details, and in this case, there’s a lot of them. Both consumer and industry groups spent the short holiday week digesting the impact of last weekend’s last-minute legislative haggling on the bill. By the time the landmark update to the Fair Credit Reporting Act was passed by the Senate on Saturday, some 161 pages of amendments had been inserted.
Consumer advocates said several critical identity theft measures survived the debate, and could provide welcome relief to identity theft victims soon.
It’s not clear when consumers will be able to order their free credit reports. Most of the regulations included in the legislation will not take effect for about 12 months. But since the credit bureaus must already give free reports to residents in several states, they may offer the service on a nationwide basis sooner.
Other consumer-friendly provisions of the bill include:
Home mortgage applicants will automatically receive a copy of their credit score.
Credit reporting agencies must fix erroneous information blamed on identity theft within four business days of receiving a police report, and must inform the creditor who generated the inaccurate information.
The right for victims to get application and transaction data from firms that extended credit to identity imposters. This provision helps victims who often find they must do their own investigations before they can interest law enforcement in their case.
Several measures designed to stop identity thieves from obtaining more credit using a victim’s information once a victim reports the ongoing crime to authorities.
Better fraud alerts
Fraud alerts are an important — and controversial — tool victims have to stop their imposters. Once placed on a credit file at the request of the victim, the alert is supposed to be a simple mechanism that stops imposters from obtaining additional credit after an initial crime is discovered. Credit grantors, such as retail store credit card suppliers, are expected to spot fraud alerts when they process an application and ask for a credit report. The applications are then supposed to receive special treatment to ensure the applicant isn’t an imposter.
But the alerts have so far generated mixed results, much to the frustration of identity theft victims. Often, credit firms simply ignore them. In other situations, the fraud alerts don’t even surface when applications are made. Many instant credit grantors, such as retail stores, forgo credit reports altogether and only screen applications by looking at credit scores, which sometimes don’t mention the presence of a fraud alert.
The law requires grantors to take extra steps to positively identify an applicant if a “fraud alert” has been placed on a consumer’s credit file. It also stipulates that fraud alerts must now be supplied even when the grantors ask only for credit scores.
“It should work,” said Gail Hillebrand, staff attorney for Consumers Union. “Fraud alerts have been out there for a while. ... What has been missing until now is the duty to honor the fraud alert.”
Wiggle room
But the law is not specific on just how credit issuers must confirm the identity of applicants.
That extra step could be as thorough as a store calling a consumer at the phone number listed on their credit report, or as simple as a clerk requesting a driver’s license, said Joe Rubin, executive director of technology and e-commerce at the U.S. Chamber of Commerce. E-mail verification could also be used, Hillebrand said.
Linda Foley, who runs the Identity Theft Resource Center, a victim’s hotline, feared the lack of specifics in the law might mean victims still see many fraud alerts ignored. The legislation left too much “wiggle” room to creditors who don’t want to add cumbersome verification procedures to credit applications, she said.
“Basically, it says that they need to either call or set up reasonable verification procedures. In other words, they still do just what they want,” Foley said.
But Rubin said the industry wanted to make sure the fraud alert procedure wasn’t too cumbersome, lest it end up inadvertently penalizing consumer victims.
“A careful balancing has to be done with regards to stopping ID theft but not strangling the credit system,” he said. “If a consumer applies for credit and can’t get it because of a fraud alert, if they want to get their 10 percent off at Macy’s, but can’t, they will be frustrated with the system. It will be harming them instead of helping them.”
State laws dropped
Many of the consumer-friendly provisions in the final bill were copied from state laws which have been passed in recent years to combat identity theft. The new Fair Credit Reporting Act will largely prevent future experimenting by state legislatures, however. The federal legislation includes a permanent pre-emption of state laws dealing with many areas of identity theft, meaning the states’ laws are nullified by the federal law.
In some cases, that’s not a big deal, since the new federal law guarantees many of the current state protections, and extends them to all 50 states, Hillebrand said. But other state provisions which provide additional consumer rights have now been nullified, said Jerry Flanagan, spokesman for the Foundation for Taxpayer and Consumer Rights.
Among the provisions which will no longer be in force:
A Texas law that allowed consumers to completely freeze credit records, preventing any new credit from being granted.
A California law entitling identity theft victims to one free credit report every month while they sort out their financial paperwork headaches.
A Massachusetts law that banned personal identifiers, such as Social Security Numbers, in credit report headers. The data is a critical source of information for identity thieves.
Another California law that required lenders to tell consumers if a change of address request was made soon after a pre-approved credit card application had been mailed. Thieves routinely steal the applications from mailboxes and apply for cards using a different address.
Credit industry executives had argued against such state provisions, claiming their industry couldn’t operate under a patchwork of laws operating exclusively in certain parts of the country. Among their allies was Federal Reserve Chairman Alan Greenspan, who said earlier this year that a national law was needed to maintain the free flow of credit, essential to the consumer-driven economy.
Norm Magnuson, spokesman for Consumer Data Industry Association, which lobbies on behalf of the credit bureaus, said he thought legislators managed to strike a good balance with the bill.
“You try and implement a system that restricts incidence of fraud without restricting consumer habits,” he said. Stricter provisions, such as some anti-fraud measures tried in states like California, “might be more tedious than consumers originally envision.”