Federal Deposit
Insurance Corporation

Office of the Comptroller of the Currency
12CFR Part 21
Docket No. 02-11

Office of Thrift Supervision
12 CFR 563
No. 2002-27

Federal Reserve System
12 CFR Parts 208 and 211

Customer Identification Programs for Banks, Savings Associations and Credit Unions

The National Consumer Law Center ("NCLC")¹ submits the following comments on behalf of its low income clients regarding the proposed rules on Customer Identification Programs for financial institutions. NCLC makes this comment for two reasons. First, we present comments regarding the potential effect of the proposed regulations on addressing the serious problem to consumers of identity theft. Second, we want to ensure that Customer Identification Programs contain a reasonable method for new immigrants to this country to have access to basic financial services. We believe that these distinct issues do not require contradictory results.

We share the concern about security issues which precipitated these regulations, and our comments do not advocate minimizing those concerns. Indeed, we are advocating stronger protections against identity theft. However, the regulations should strike a balance between addressing identification theft (as well as the associated security issues) and ensuring that all consumers, including immigrants and others with limited documentation, maintain access to financial services and products. Immigration status should not be the basis for excluding a consumer from such services. We are proposing that Customer Identification Programs be required to use more stringent evaluation of existing information -- more logical verification -- which should have the effect of protecting against identity theft while not making it more difficult for new immigrants to access banking services.

Protection Against Identity Theft. We recognize that the motivating factor for these regulations is Section 326 of the USA Patriot Act, which requires regulations for reasons of national security and anti-terrorism efforts. However, as the agencies note in the Supplementary Information, the Customer Identification Programs required for financial institutions can also be useful in protecting against identity theft. Unfortunately we think that the protections currently proposed in these regulations that financial institutions would be required to employ against identity theft are so minimal as to be basically useless.

There are a series of problems with these proposed regulations. First, very few specific requirements are actually imposed on financial institutions. Essentially, financial institutions are required simply to have a program identified as a Customer Identification Program. This program must have separate requirements for initial identification and later verification of the identity of individuals; however, the regulatory current proposal fails to include any specific mandates, nor does it have requirements for notice to consumers about the program. Furthermore, the proposal relies upon very weak record keeping requirements.

The few specific requirements in the regulations are generally vague and lacking in meaningful demands on financial institutions. Even more alarming, the essence of the regulations is to allow the financial institutions to follow "risk based" procedures to authenticate identities, while the bottom line question of whose risk is unanswered. Some assumptions on this issue can be conjectured - accounts involving large amounts of money, either in deposits or in credit will be subjected to a higher degree of identity authentication than smaller accounts. One problem with this analysis is that the determination of what is a significant amount of money is very different for a financial institution than it is for an individual consumer. Yet, the risk of loss to an individual consumer from identity theft can be significant, even devastating.²

We note that the definition of "account" in the regulation includes both deposit accounts and credit accounts. Our concerns about identity theft focused mostly on credit accounts. The consequences to consumers of identity theft from losses to established deposit accounts is quite different from the consequences of a person using another consumer's "identity" to establish a fraudulent credit account. The financial institution generally bears the burden of a fraudulent transfer from an existing deposit account.³ However, if a consumer has had a new loan taken out in the consumer's name, the consumer has the burden of proving that the loan was not made to them, and that they did not benefit from it. The burden and difficulty of proving of negative is a considerable reason why consumers are suffering so much from identity theft.

As is well known, identity theft is the "fastest growing type of crime in the United States."⁴ The federal agencies regulating financial institutions in this nation now have an unprecedented opportunity to impose some meaningful requirements on these institutions which could significantly reduce a substantial amount of identity theft - without considerable expense, invasion of privacy to consumers, or even increased difficulty to new immigrants seeking low cost banking accounts. We propose that this magic bullet can be accomplished by adding more specific and substantive requirements for financial institutions to verify the identity of some new customers through increased requirements for logical verification.

First of all, the issue of "whose risk" should be specifically addressed in the regulations. When the financial institution will suffer the loss from making a mistake in verifying the identity, it would be appropriate to allow the institutions more latitude in devising their own standards of identity verification. However, when individual consumers would suffer the consequences of these mistakes the standards should be more specific and more stringent.⁵

It is important to note here that the importance of verifying the identity of a particular applicant for an account is different depending upon whether the individual is trying to show that he or she is actually a person who is already known to the credit system versus a person who is establishing a new credit identity. New immigrants to this country need to be able to establish that they really have a particular name and live at a particular address - but they are not attempting to show that they have an identity that is already known to the financial services system. This is a significant distinction, because there is very little risk of identity theft from mis-identifying a person who has no history in the financial services system.

However, the issue of risk is entirely different for individuals who are attempting to prove that they are a particular person already known to the system. In other words, when an adult person seeks to show that he or she is a person who already has a credit report or has had bank accounts in the past, then this person should be evaluated to determine whether they can authenticate themselves.

We are very concerned with the privacy implications of requiring or encouraging private or public agencies to gather new information in an attempt to verify identity. In fact, this proposal does not suggest that any new information be gathered about individuals. Instead, we propose that the financial institutions involved with establishing accounts be required to engage in a system of logical verification whenever individuals apply to establish or to access accounts in the name of a person who is already known to the financial institution system.⁶

A review of any of the vast amount of literature accumulating about identity theft⁷ shows that not only is it the crime which is increasing at the fastest rate, but that far and away most instances of the crime are "low-tech." Generally, the perpetrator has access to a limited amount of information about one or more individuals and using that data, the perpetrator applies for new accounts in the name of the victims. A review of every one of the examples cited in the recent GAO report on Identity Theft⁸ indicate that the criminals had access to a limited amount of information about the victims - generally no more than name, address, Social Security number, occasionally a driver's license, and possibly some existing credit card account information.⁹

Identity theft has been a persistent and growing problem in connection with credit reports due, in part, to minimal and general accuracy standards that exist for credit reporting agencies. As with the current proposed regulations, the FCRA requires credit reporting agencies to "maintain reasonable procedures to assure maximum possible accuracy." This general standard thus places the burden on the consumer when credit reporting errors occur due to identity theft, forcing consumers to spend considerable time and financial resources to clear their name and credit. To be effective, the proposed regulations must have clear and meaningful standards for identification of consumers, yet these standards need not require more documentary proof of identity.

We do not think requiring more documentary proof is necessarily the best way to address the diverse issues presented. As has been noted in the Supplementary Comments, requiring documents only works in face to face transactions -- leaving transactions over the telephone or the Internet without equivalent degrees of protections. Documents also can easily be forged or stolen. Furthermore, requiring more documents simply makes it more difficult for new immigrants to gain access to banking accounts without providing meaningful protections from identity theft because of the holes in the system left by electronic access (telephone and Internet). Many immigrants, especially refugees, cannot obtain such documents because they arrive from war-torn countries with literally only the clothes on their backs. Instead, banks should require that customers show that they know their own history, and can respond to basic questions about themselves -- information that is available to the financial institution from other sources, such as the credit report or the passport issued by the foreign country. This is simply requiring logical verification of the customer's own information.

Logical verification would require that before an account could be established, a consumer would be required to answer a few questions from a large and revolving list of potential questions which requires the consumer to show that he or she knows some of the information that the financial institution already has access to from existing and used data bases. For example, a creditor taking an application for credit would always access the consumer's credit report, so the consumer might be required to answer one or more questions about other outstanding credit evident on the credit report:

  · name another outstanding credit account that you have,
  · name the bank at which you have your car loan,
  · name the amount of your last payment.¹⁰

In addition, the consumer might be required to show some knowledge that would be logically verifiable, but not readily known, such as -

  · If the consumer has a drivers license - what is the height listed on the drivers license.
  · If the consumer had moved in the past few years - information which is apparent on the credit report -      the consumer might be required to name the city and state from which he or she had moved.
  · If the customer is a new immigrant - one might ask the immigrant the name of the city in which the      foreign document provided by the immigrant was issued, or the capital of the nation from which the
    immigrant came.

If financial institutions were required to engage in a system of logical verification of existing data before establishing an account for a person who is known to the system, a huge percentage of identity theft would be stopped. The proposed regulations endorse - but do not require - checks for logical consistency and logical verification only in the limited situations where other documentary verification of individuals is not possible.¹¹ Certainly the initial reliance suggested on comparing a government issued picture identification with the individual is a good first step for identity verification, but it by no means should be the final step when a bank is seeking to verify that a person has the identity of a person who is known to the credit system.

We suggest that some degree of logical verification be required whenever a customer is applying for the first time to open a credit account with the financial institution, unless that the financial institution is reasonably certain that this customer owns the identity asserted. Logical verification is a relatively inexpensive, non-invasive, but efficient method of establishing identity.

In order to prevent excluding immigrants and others who are new to the banking system, it is important that the level of logical verification be dependent on the risk of identity theft, which in turn will depend on whether or not the person is known to the system. Many immigrants, as well as other non-immigrant consumers such as young adults, will not have credit histories available to provide information to be used for logical verification. However, in those cases the level of verification should be low because there is little risk of identity theft -- an identity thief is unlikely to want to steal the credit identity of someone with no credit history. Also note that the situation which requires the least verification - face-to-face opening a deposit account -- is the one with which immigrants new to the financial services system are most likely to be involved.

Having the level of logical verification depend on whether the person is known to the system is important because having the same level for all consumers would deter some immigrants from accessing financial services. If the level of logical verification is the same, a financial institution might compensate for a lack of credit history by asking other potentially invasive questions that may needlessly alarm immigrant, many of whom are already have a distrust of mainstream institutions.

Access for New Immigrants to Bank Accounts and Loan Programs.

We applaud the fact that the proposed regulations permit financial institutions to use Individual Taxpayer Identification Numbers and documents issued by foreign governments, such as the matricula issued by Mexican consulates, in their Customer Identification Programs. We believe it is very important that financial institutions do not use immigration status to deny financial services, especially for deposit accounts. We hope Treasury will encourage banks to allow immigrants to open bank accounts with ITINs and documents such as matriculas.

_______________________________

¹ The National Consumer Law Center, Inc. (NCLC) is a non-profit Massachusetts Corporation, founded in 1969, specializing in low-income consumer issues, with an emphasis on consumer credit. On a daily basis, NCLC provides legal and technical consulting and assistance on consumer law issues to legal services, government, and private attorneys representing low-income consumers across the country. NCLC has a special project promoting the consumer rights of immigrants, including immigrant access to bank accounts and financial services. NCLC publishes a series of sixteen practice treatises and annual supplements on consumer credit laws, including Fair Credit Reporting Act (4th ed. 1998), Consumer Banking and Payments Law (2nd ed. 2002) and Cost of Credit (2nd ed. 2000), as well as bimonthly newsletters on a range of topics related to consumer credit issues and low-income consumers. These comments are authored by NCLC attorneys Margot Saunders and Chi Chi Wu.

² For example, a financial institution might make a business decision that engaging in comprehensive identity verification procedures for new depositors of amounts less than $1,000 is not cost effective. Yet, once this depositor has established an account, he becomes a known customer to the financial institution, and when two weeks later he seeks to process a loan for $10,000, the identity verification requirements would be met because he is a known customer. Yet, if this customer is using another person’s identity, the potential consequences to the victim of a fraudulent $10,000 loan in his name can be devastating. See § 103.121(b)(2)(ii) ". . .A bank need not verify the information about an existing customer seeking to open a new account, . . . if the bank previously verified the customer’s identity in accordance with procedures consistent with this section, . . . ."