Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations |
|||
FDIC Federal Register Citations |
COMMENTS of the National Consumer Law Center to the Department of the Treasury 31 CFR 103 RIN 1506-AA31 Office of the Comptroller of the Currency Office of Thrift Supervision Federal Reserve System Customer Identification Programs for Banks, Savings Associations and Credit Unions We share the concern about security issues which precipitated these regulations, and
our comments do not advocate minimizing those concerns. Indeed, we are advocating stronger
protections against identity theft. However, the regulations should strike a balance
between addressing identification theft (as well as the associated security issues) and
ensuring that all consumers, including immigrants and others with limited documentation,
maintain access to financial services and products. Immigration status should not be the
basis for excluding a consumer from such services. We are proposing that Customer
Identification Programs be required to use more stringent evaluation of existing
information -- more logical verification -- which should have the effect of protecting
against identity theft while not making it more difficult for new immigrants to access
banking services. There are a series of problems with these proposed regulations. First, very few specific requirements are actually imposed on financial institutions. Essentially, financial institutions are required simply to have a program identified as a Customer Identification Program. This program must have separate requirements for initial identification and later verification of the identity of individuals; however, the regulatory current proposal fails to include any specific mandates, nor does it have requirements for notice to consumers about the program. Furthermore, the proposal relies upon very weak record keeping requirements. The few specific requirements in the regulations are generally vague and lacking in meaningful demands on financial institutions. Even more alarming, the essence of the regulations is to allow the financial institutions to follow "risk based" procedures to authenticate identities, while the bottom line question of whose risk is unanswered. Some assumptions on this issue can be conjectured - accounts involving large amounts of money, either in deposits or in credit will be subjected to a higher degree of identity authentication than smaller accounts. One problem with this analysis is that the determination of what is a significant amount of money is very different for a financial institution than it is for an individual consumer. Yet, the risk of loss to an individual consumer from identity theft can be significant, even devastating.2 We note that the definition of "account" in the regulation includes both deposit accounts and credit accounts. Our concerns about identity theft focused mostly on credit accounts. The consequences to consumers of identity theft from losses to established deposit accounts is quite different from the consequences of a person using another consumer's "identity" to establish a fraudulent credit account. The financial institution generally bears the burden of a fraudulent transfer from an existing deposit account.3 However, if a consumer has had a new loan taken out in the consumer's name, the consumer has the burden of proving that the loan was not made to them, and that they did not benefit from it. The burden and difficulty of proving of negative is a considerable reason why consumers are suffering so much from identity theft. As is well known, identity theft is the "fastest growing type of crime in the United States."4 The federal agencies regulating financial institutions in this nation now have an unprecedented opportunity to impose some meaningful requirements on these institutions which could significantly reduce a substantial amount of identity theft - without considerable expense, invasion of privacy to consumers, or even increased difficulty to new immigrants seeking low cost banking accounts. We propose that this magic bullet can be accomplished by adding more specific and substantive requirements for financial institutions to verify the identity of some new customers through increased requirements for logical verification. First of all, the issue of "whose risk" should be specifically addressed in the regulations. When the financial institution will suffer the loss from making a mistake in verifying the identity, it would be appropriate to allow the institutions more latitude in devising their own standards of identity verification. However, when individual consumers would suffer the consequences of these mistakes the standards should be more specific and more stringent.5 It is important to note here that the importance of verifying the identity of a particular applicant for an account is different depending upon whether the individual is trying to show that he or she is actually a person who is already known to the credit system versus a person who is establishing a new credit identity. New immigrants to this country need to be able to establish that they really have a particular name and live at a particular address - but they are not attempting to show that they have an identity that is already known to the financial services system. This is a significant distinction, because there is very little risk of identity theft from mis-identifying a person who has no history in the financial services system. However, the issue of risk is entirely different for individuals who are attempting to prove that they are a particular person already known to the system. In other words, when an adult person seeks to show that he or she is a person who already has a credit report or has had bank accounts in the past, then this person should be evaluated to determine whether they can authenticate themselves. We are very concerned with the privacy implications of requiring or encouraging private or public agencies to gather new information in an attempt to verify identity. In fact, this proposal does not suggest that any new information be gathered about individuals. Instead, we propose that the financial institutions involved with establishing accounts be required to engage in a system of logical verification whenever individuals apply to establish or to access accounts in the name of a person who is already known to the financial institution system.6 A review of any of the vast amount of literature accumulating about identity theft7 shows that not only is it the crime which is increasing at the fastest rate, but that far and away most instances of the crime are "low-tech." Generally, the perpetrator has access to a limited amount of information about one or more individuals and using that data, the perpetrator applies for new accounts in the name of the victims. A review of every one of the examples cited in the recent GAO report on Identity Theft8 indicate that the criminals had access to a limited amount of information about the victims - generally no more than name, address, Social Security number, occasionally a driver's license, and possibly some existing credit card account information.9 Identity theft has been a persistent and growing problem in connection with credit reports due, in part, to minimal and general accuracy standards that exist for credit reporting agencies. As with the current proposed regulations, the FCRA requires credit reporting agencies to "maintain reasonable procedures to assure maximum possible accuracy." This general standard thus places the burden on the consumer when credit reporting errors occur due to identity theft, forcing consumers to spend considerable time and financial resources to clear their name and credit. To be effective, the proposed regulations must have clear and meaningful standards for identification of consumers, yet these standards need not require more documentary proof of identity. We do not think requiring more documentary proof is necessarily the best way to address the diverse issues presented. As has been noted in the Supplementary Comments, requiring documents only works in face to face transactions -- leaving transactions over the telephone or the Internet without equivalent degrees of protections. Documents also can easily be forged or stolen. Furthermore, requiring more documents simply makes it more difficult for new immigrants to gain access to banking accounts without providing meaningful protections from identity theft because of the holes in the system left by electronic access (telephone and Internet). Many immigrants, especially refugees, cannot obtain such documents because they arrive from war-torn countries with literally only the clothes on their backs. Instead, banks should require that customers show that they know their own history, and can respond to basic questions about themselves -- information that is available to the financial institution from other sources, such as the credit report or the passport issued by the foreign country. This is simply requiring logical verification of the customer's own information. Logical verification would require that before an account could be established, a consumer would be required to answer a few questions from a large and revolving list of potential questions which requires the consumer to show that he or she knows some of the information that the financial institution already has access to from existing and used data bases. For example, a creditor taking an application for credit would always access the consumer's credit report, so the consumer might be required to answer one or more questions about other outstanding credit evident on the credit report: · name another outstanding credit account that you have, In addition, the consumer might be required to show some knowledge that would be logically verifiable, but not readily known, such as - · If the consumer has a drivers license - what is the height listed on the
drivers license. We suggest that some degree of logical verification be required whenever a customer is applying for the first time to open a credit account with the financial institution, unless that the financial institution is reasonably certain that this customer owns the identity asserted. Logical verification is a relatively inexpensive, non-invasive, but efficient method of establishing identity. In order to prevent excluding immigrants and others who are new to the banking system, it is important that the level of logical verification be dependent on the risk of identity theft, which in turn will depend on whether or not the person is known to the system. Many immigrants, as well as other non-immigrant consumers such as young adults, will not have credit histories available to provide information to be used for logical verification. However, in those cases the level of verification should be low because there is little risk of identity theft -- an identity thief is unlikely to want to steal the credit identity of someone with no credit history. Also note that the situation which requires the least verification - face-to-face opening a deposit account -- is the one with which immigrants new to the financial services system are most likely to be involved. Having the level of logical verification depend on whether the person is known to the
system is important because having the same level for all consumers would deter some
immigrants from accessing financial services. If the level of logical verification is the
same, a financial institution might compensate for a lack of credit history by asking
other potentially invasive questions that may needlessly alarm immigrant, many of whom are
already have a distrust of mainstream institutions. We applaud the fact that the proposed regulations permit financial institutions to use
Individual Taxpayer Identification Numbers and documents issued by foreign governments,
such as the matricula issued by Mexican consulates, in their Customer Identification
Programs. We believe it is very important that financial institutions do not use
immigration status to deny financial services, especially for deposit accounts. We hope
Treasury will encourage banks to allow immigrants to open bank accounts with ITINs and
documents such as matriculas. 5 On the other hand, we believe that it would make more sense to place the burden of loss from mistakes in authenticating identity for financial transactions on financial institutions just as is done currently in the Uniform Commercial Code, the Electronic Fund Transfer Act and the Fair Credit Billing Act. That way, the business risk of measuring cost versus benefit can be carried out in a more meaningful way the party evaluating the risk versus the cost will suffer the consequences of a mistake in the analysis. See note 3, supra. 6 People are "known" to the system of financial institutions through a overlapping web of credit reporting agencies, check reporting agencies, and public and private data bases.7 See generally, Federal Trade Commission (http://www.consumer.gov/idtheft/reportstestimony_0203.html)
and National Consumers League (http://www.nclnet.org/privacy/index.htm).
Amy Marshall Mix |
Last Updated 09/09/2002 | regs@fdic.gov |