Comments:

June 15, 2004

Federal Trade Commission/Office of the Secretary

Room H-159 (Annex J)

600 Pennsylvania Avenue, N.W.

Washington, DC  20580

Re:       FACTA Identity Theft Rule, Matter No. R411011

Ladies and Gentlemen:

This comment letter is submitted on behalf of Bank One Corporation (“Bank One”) in response to the proposed rule issued by the Federal Trade Commission (the “FTC”) regarding the identity theft definitions (the “Proposed Rule”).  Bank One appreciates the opportunity to comment on this important issue.

Bank One is the nation’s sixth-largest bank holding company, with assets of more than $275 billion.  Bank One conducts its banking business through Bank One, N.A., Bank One, Delaware, N.A., and other affiliated national banks and operating subsidiaries.  Bank One currently serves 53 million credit card customers and over 7 million retail households.  Bank One also operates numerous non-bank subsidiaries that engage in credit card and merchant processing, consumer finance, mortgage banking, insurance, trust and investment management, brokerage, investment and merchant banking, venture capital, equipment leasing and data processing.

Definitions of “Identity Theft” and “Identifying Information”

The Definitions Include Other Types of Fraud that are not Identity Theft

Bank One believes that the proposed definitions of “identity theft” and “identifying information” are too broad, and include many types of fraudulent activity with very different causes and profoundly different remedies than identity theft fraud.  These broad definitions would cause financial institutions to divert resources from assisting actual victims of identity theft and preventing future instances of identity theft.  We do not believe that the FTC intended this result, and urge that the definitions of “identity theft” and “identifying information” be revised so that they apply only to those people who have had their identities stolen.   

Congress passed the Fair and Accurate Credit Transactions Act (“FACT Act”), which amends the Fair Credit Reporting Act (the “FCRA”), to provide significant new protections to victims of identity theft.  The FACT Act provides that a victim of identity theft has the right to, among other things:

• place an extended fraud alert on his credit file,

• block the furnishing of information resulting from the identity theft,

• obtain copies of transaction records resulting from the identity theft, and

• obtain two free copies of his credit report.

These measures are appropriate and helpful for a victim whose identity has been assumed by a criminal, either by opening an account in the name of the victim or by taking over an existing account of the victim.  They are not appropriate or necessary for a consumer whose credit or debit card has been used by an unauthorized person, or a consumer who has had forged checks drawn on his checking account, yet these fraudulent transactions would be included in the proposed definition of “identity theft”.      

The proposed definition of “identity theft” is a fraud “committed or attempted using the identifying information of another person without lawful authority”.  “Identifying information” is defined as:

“any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any-

(A)   name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;

(B)   unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;

(C)   unique electronic identification number, address, or routing code; and

(D)   telecommunications identifying information or access device (as defined in 18 USC 1029(e)).”

Under these definitions, a forged maker’s signature or a forged endorsement on a check would constitute “identity theft”, because it is a fraud committed with the use of an individual’s name without lawful authority.  In addition, unauthorized use of a credit card or a debit card would also fall under the definition, because it is a fraud committed with the use of an access device. 

Consumers who have had a forged check drawn on their checking account are well protected under current law.  Under Section 4-401 of the Uniform Commercial Code, banks are strictly liable for any check drawn on a checking account that was not signed by the accountholder, as long as the accountholder reviews his account statements and informs the bank of any unauthorized transactions.   Forged checks drawn on an account are easily discovered because they are noted on the consumer’s account statement.

Consumers who have had unauthorized transactions on credit card accounts or debit card accounts are also well protected under current law.  Under Regulation Z (Truth in Lending), a credit card accountholder is liable for not more than $50 for an unauthorized transaction on his credit card account.  12 CFR 226.12.  Similarly, under Regulation E (Electronic Fund Transfers), the liability of a debit card customer is limited to not more than $50 if the cardholder examines his checking account statement and promptly notifies the bank of any unauthorized transactions.  12 CFR 205.6.  

A consumer who has experienced forged checks drawn on his account or unauthorized use of a credit or debit card does not need to place a fraud alert on his credit file, block account information or check his credit score.  A victim of such fraud can avoid additional fraudulent transactions on his credit card or checking account by closing the account and opening a new one.  It is easy to determine the extent of this type of fraudulent activity because it appears on the consumer’s account statement.  This fraudulent activity is not identity theft and should not be covered by these FACT Act provisions, which would create inappropriate rights and obligations with respect to these transactions.   

Bank One suggests that the definition of “identity theft” be changed to “a fraud committed or attempted using the identifying information of another person without lawful authority to open an account in the name of another person or take over an existing account.” 

Attempted Identity Theft Should Not be Included in the Definition

The proposed definition of “identity theft” also includes identity thefts that have been avoided, or attempted identity thefts.  An impact of this greatly expanded definition of identity theft would be that financial institutions would need to dedicate scarce resources to comply with the requirements pertaining to the “red flags” programs, identity theft reports, and the requirements of Section 609(e) of the FCRA.  Bank One believes that financial institutions should focus on preventing identity theft and on mitigating the harm to actual victims of identity theft, rather than devoting resources to assist those who have avoided the harms of identity theft.  We do not believe that the FTC intends this result, and urge that the definition of “identity theft” apply only to those people who have suffered identity theft by having accounts opened in their names or existing accounts taken over.

In the Supplementary Information released with the Proposed Rule, the FTC implies that an expanded definition of “identity theft” is necessary in order to allow consumers to remove fraudulent inquiries from their credit files.  Although the FACT Act provides a new mechanism under Section 605B of the FCRA to block the reporting of an inquiry, the consumer has other viable alternatives to remove such inquiries by using the dispute process under Section 611 of the FCRA.  We do not believe that the extremely modest benefits provided in Section 605B of the FCRA in the context of removing false inquiries justifies the harm associated with an unnecessarily broad definition of identity theft.

The FTC also indicates that an expanded definition of “identity theft” would be helpful for consumers “who have learned of attempts by an identity thief and want to…place an ‘initial fraud alert’” in their consumer files.  While we believe it would be appropriate for a consumer to place an initial alert in a consumer’s credit file if he or she is the subject of an attempted identity theft, it is not necessary to expand the definition of “identity theft” in order to achieve this goal.  The FCRA permits a consumer who “asserts in good faith a suspicion that the consumer has been or is about to become a victim of fraud or related crime” to place an initial alert in his or her file—there is no requirement that the consumer be a victim of identity theft.  Therefore, an expanded definition of “identity theft” is not necessary to achieve the FTC’s policy goal in this respect.

Definition of “Identity Theft Report”

The FCRA provides a victim of identity theft the ability to block false information resulting from the identity theft from his credit history, upon the submission of an identity theft report.  The victim can also use a similar process to block an entity from furnishing such information.  Congress deemed the need to provide identity theft victims with such powerful tools as necessary to mitigate the effects of identity theft.  Bank One agrees with this approach as a meaningful tool to help identity theft victims and to preserve the integrity of consumer report data.

Congress was also aware that an identity theft report could be misused by those seeking to abuse the system and block the reporting of negative, but accurate, information.  Congress provided for specific minimum requirements with respect to identity theft reports in order to lessen the likelihood of fraud associated with misuse of the reports.  The FCRA defines an “identity theft report” to be, at a minimum, a report:

“(A) that alleges an identity theft;

“(B) that is a copy of an official, valid report filed by the consumer with an appropriate Federal, State or local law enforcement agency, including the United States Postal Inspection Service, or such other government agency deemed appropriate by the [FTC]; and

“(C) the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information if, in fact, the information in the report is false.”

The FTC noted in the Supplementary Information that an identity theft report “could provide a powerful tool for misuse, allowing persons to engage in illegal activities in an effort to remove or block accurate, but negative, information in their consumer reports.”  The FTC further asserts that it “is concerned whether [the] safeguards [in the FCRA] provide sufficient protection from misuse.”  Therefore, to address these concerns, the FTC has included two additional elements to the definition of an identity theft report.  First, the report must allege identity theft “with as much specificity as the consumer can provide.”  Second, the consumer reporting agency or the furnisher receiving the report is permitted a limited opportunity to request additional information.

Although we believe the FTC has provided for some beneficial concepts in the definition of an “identity theft report,” we do not believe that they will address the concerns identified by the FTC.  Bank One does not believe that a requirement to provide details about the identity theft “with as much specificity as the consumer can provide” will deter credit repair clinics and other fraudsters from filing identity theft reports for fraudulent purposes.  Bank One suggests that consumers should be required to provide “reasonably specific details” about the alleged identity theft, and that an identity theft report that does not meet this basic standard should not qualify the consumer for the protections accorded to an identity theft victim under the FACT Act. 

Identity Theft Report Should be Filed with an Appropriate Law Enforcement Agency

We believe it would be more appropriate for the FTC to focus on the statutory requirement for  an identity theft report to be a document that is filed with an “appropriate” law enforcement agency.  This concept was left out of the Proposed Rule.  The requirement is meant to deter people from filing false reports with law enforcement or other government agencies with no interest or authority to investigate the crime.  By requiring the report to be filed with a law enforcement agency with an interest in the veracity of the document and that can investigate the crime, Congress provided a significant deterrent to those seeking to abuse the system.

In the Supplementary Information, the FTC identifies its own identity theft reporting system as an example that “illustrates the possibility for abuse” if it were to be used as a foundation for an identity theft report.  In this regard, the FTC states that the system “is not designed to vouch for the truth of each individual complaint.  It is simply designed to provide a central collection point for identity theft data.  Victims who have filed complaints with the [FTC] have done so…with no guarantee of obtaining any immediate, direct benefit such as the investigation of their cases.”  While the FTC notes that a consumer could be prosecuted for filing a false identity theft report with the FTC, the FTC website does not mention this fact and the FTC Complaint Input Form is not in the form of an affidavit, and makes no mention of penalties for filing false statements.  In addition, because the FTC does not investigate these reports, there is no opportunity to discover or deter those who seek to abuse the system by filing false reports.       

For the reasons the FTC has provided, Bank One agrees that the FTC would not be an appropriate law enforcement agency with which to file an allegation of identity theft for purposes of the allegation becoming an “identity theft report.”  We believe that if an effective deterrent to fraudulent identity theft reports is to be provided, the definition of an “identity theft report” must include the notion that the report be filed with an appropriate law enforcement agency.  Not only will this deter fraud, but it will also benefit consumers by putting them in contact with an agency that can investigate the crimes.  In light of the many law enforcement options available to the consumer, which could include the local police department, the Federal Bureau of Investigation, or the U.S. Postal Inspection Service, we do not believe such a requirement poses a hindrance to identity theft victims.

Obtaining Additional Information

The proposed definition of “identity theft report” would allow a furnisher or a consumer reporting agency to request additional information from the victim in connection with the submission of a report.  Specifically, the furnisher or agency may request additional information “for the purpose of determining the validity of the alleged identity theft” not later than five business days after the receipt of the report.  We commend the FTC for allowing furnishers and consumer reporting agencies to request additional information.  We are concerned, however, that this opportunity is limited to a single request for limited purposes, and it does not make clear the outcome if the requested information is not supplied.  A furnisher or agency should be permitted to make the requests necessary for legitimate purposes, such as to ensure the appropriate information is blocked or to investigate the crime itself, and the consumer’s failure to supply the requested information should disqualify the report as an “identity theft report”.  In addition, we do not believe that five business days is sufficient for a furnisher to determine whether it needs additional information.  We believe that thirty days would be more appropriate.

Bank One appreciates the opportunity to comment on this Proposed Rule.  If you have any questions or comments, please do not hesitate to contact the undersigned (at 312-732-5345) or Richard Parry (at 312-732-4887). 

Sincerely,

Andrea J. Beggs