Copyright 2000 Federal News Service, Inc.
Federal News Service
September 13, 2000, Wednesday
SECTION: CAPITOL HILL HEARING
LENGTH: 36265 words
HEADLINE:
HEARING OF THE HOUSE BANKING AND FINANCIAL SERVICES COMMITTEE
SUBJECT: IDENTITY THEFT
CHAIRED BY: REPRESENTATIVE
JAMES LEACH (R-IA)
LOCATION: 2128 RAYBURN HOUSE
OFFICE BUILDING, WASHINGTON, D.C.
WITNESSES:
BETSY BRODER, ASSISTANT DIRECTOR, DIVISION OF PLANNING AND INFORMATION,
FEDERAL TRADE COMMISSION;
BRUCE TOWNSEND, SPECIAL AGENT IN
CHARGE, FINANCIAL CRIMES DIVISION, U.S. SECRET SERVICE;
ROBERT
DOUGLAS, CEO, AMERICAN PRIVACY CONSULTANTS;
SHON BOULDEN,
IDENTITY THEFT VICTIM;
STUART PRATT, VICE PRESIDENT, ASSOCIATED
CREDIT BUREAUS;
RONALD PLESSER, COORDINATOR, INDIVIDUAL REFERENCE
SERVICES GROUP;
JANINE BENNER, CONSUMER ASSOCIATE, CALIFORNIA
PUBLIC INTEREST RESEARCH GROUP;
BODY:
REP. JAMES LEACH (R-IA): The committee will come to order.
The
committee meets this morning to examine the threat to financial services
consumers from persons using illegal means to obtain private bank account
balances and other financial information, of persons to consider the merits of a
particular legislative proposal to combat identity theft put forward by two
respected members of this committee.
At the dawn of the 21st century,
America's financial privacy -- indeed, the very financial identities -- are at
risk as never before. Whether the threat involves cyber intrusions of large
corporate databases by hackers seeking to download credit card numbers or other
account information, or less technology sophisticated techniques such a dumpster
diving to retrieve credit card receipts or bank statements, or the most
confidential pieces of a consumer's financial profile appear to be easily
available for the growing number of financial scam artists. The Federal Trade
Commission, which will testify later this morning, reports that calls since the
recently established identify theft hotline are now averaging over a thousand a
month, one of several indications that the identity theft problem is fast
reaching epidemic proportions. In such an environment, the importance of
vigilance by financial services providers and their customers in deterring and
detecting unauthorized access to confidential financial data cannot be
overemphasized.
Complicating the job of the FTC and other enforcement
agencies is increasingly international character of identify theft, underscored
by several recent episodes of intrusions into U.S. corporate databases by
hackers operating in Eastern Europe and elsewhere around the world.
Secret Service, which is also represented in today's hearing, testified
before the committee several years ago about the growing presence in this
country of organized criminal groups, many with Russian or Nigerian origins,
that have engaged in large scale identity theft schemes targeting United States
citizens.
What steps are being taken to protect consumers from these
crimes which reek havoc on individual credit rating and result in a profound
sense of violations of those who are its victims. Is there a need for additional
laws or a matter of stronger law enforcement of existing laws? These are among
the questions the committee has before it.
This is the latest in the
series of hearings the committee has held on this issue of financial fraud and
identity in this and prior congresses. In 1998, the committee was the first to
focus congressional and public attention on the problem of "pretext calling," a
practice closely related to identify theft that involves the use of false and
deceptive methods to obtain personal financial information.
We welcome
back before the committee today one of the witnesses at that earlier hearing,
Robert Douglas, a private citizen in Alexandria, Virginia who was instrumental
in first making the committee aware of the threat to financial privacy posed by
practitioners of pretext calling.
Prompted in large part by the
information shared by Mr. Douglas and other witnesses of the committee's '98
hearing, I introduced legislation making it a federal crime to obtain, or
attempt to obtain, consumer information of a financial institution by false
pretenses, such as by misrepresenting the identity of the person requesting the
information, or otherwise tricking an institution or its consumer into making
unwitting disclosures of such information. These provisions were incorporated in
last year's Gramm-Leach-Bliley Financial Modernization legislation, and went
into effect upon the signing of that law on November 12, 1999.
In the 10
months since, the committee's received sporadic reports that since passage
federal regulators have not paid adequate heed to the strictures of the
legislation. To determine in an unscientific way whether it remains possible to
find someone willing to break the law to obtain private financial information of
an individual, an informal survey was conducted by committee's staff over the
recently concluded August recess assisted by Mr. Douglas.
Staff
identified and contacted businesses advertising their ability to locate bank
accounts, determine bank account balances, and find other financial assets
assumed by most consumers to be confidential. Subjects were selected at random
based upon searches of Internet, telephone book, Yellow Pages, and classified
advertisements and legal trade journals.
Posing as a potential customer,
a member of the committee staff, Ms. Alison (sp) Watson, placed a series of
calls in which she purported to be someone whose live-in boyfriend had recently
disappeared, cleaning out their joint bank account and absconding with other
assets in the process. The staff member asked each firm whether it could assist
her in locating her ex-boyfriend and any bank accounts in which he might have
placed the funds removed from their joint account.
Of 26 calls placed in
an uninterrupted 3-hour period, 11 were completed. Of the 11 companies reached,
every one of them confirmed their ability and their willingness, for a fee, to
obtain bank account and other financial information. Put another way, three
hours of calling to randomly selected vendors yielded the names of 11 firms
willing, and in all cases eager to sell bank account information on a private
citizen with few, if any, questions asked. Although 2 of the 11 firms made vague
references to privacy laws that they said would complicate their efforts to
locate assets, none mentioned the existence of statutory prohibitions on the
services they were offering to provide.
Based upon this survey, it
appears that the fraudulent practices first highlighted by the committee in
mid-1998 are continuing largely unabated.
In short, bank account
information and other aspects of consumers financial profiles apparently remain
freely available to anybody willing to pay for them.
What we have are
outfits unafraid to break the law; in fact, even continuing to advertise their
law-breaking talents. The victims are those individuals whose account
information is obtained, but it is also our civil society that is based upon
trust and respect for the privacy of one another. While no money may instantly
be changing hands, and no one's life is immediately at risk from gun-toting
thieves, these are cases of robbery of bank information and potentially of bank
accounts.
For many Americans, account information may be almost as
valuable as their actual balance, and the impact of knowing that our private
financial records are so readily available is frightening. Law enforcement
agencies need to take these crimes more seriously. Mr. Douglas will expand on
the survey later doing his testimony.
Our first witness this morning
will be two distinguished members of the committee, Ms. Hooley and Mr.
LaTourette, who are the primary sponsors of H.R. 4311, the Identity Theft
Prevention Act of 2000. This legislation, co-sponsored by 37 other members of
the House, reflects a very thoughtful approach to the identity theft problem,
and deserve serious consideration by this committee.
We will hear later
from several witnesses with different perspectives in some of the bill's
specific provisions. But I want at the outset to commend Ms. Hooley and Mr.
LaTourette for their work in developing this very important piece of
pro-consumer legislation.
At this point, let me ask Mr. Sherman if he
has any opening comments.
REP. BRAD SHERMAN (D-CA): Thank you, Mr.
Chairman. Thank you for holding these hearings on an important matter. Several
constituents of mine have had problems with identify theft. We need not only
strict criminal laws; we also need perhaps some national clearing agency so that
a person can identify themselves as potentially a victim of identity theft, and
make it at least more difficult for those stealing their identity to in effect
steal thousands and tens of thousands of dollars from the lenders that they're
then approaching and trying to bilk or make the withdrawals from bank accounts.
I'd like, without objection, to place in the record a report by the
Federal Trade Commission issued just last month, August 22nd, titled Information
on Identity Theft for Consumers in California, November 1999 through July 2000,
where the FTC indicates that just it -- and frankly, it is not the first agency
I would have thought of -- has had over 2,700 contacts from California in a
one-year period about identity theft; 62 percent of those were complaining that
their identify had been the subject of such theft.
I'd also like to
place in the record the suggestions of Sheriff Lee Bacca (sp) of Los Angeles
County giving consumer tips as to how to avoid being victims of such identity
theft.
REP. LEACH: If the gentleman will yield. Without objection, both
of those will be placed in the record.
REP. SHERMAN: Thank you, Mr.
Chairman.
I have a friend, who I'll identify only as Karen, who has been
pushed through the ringer on this. And without objection, I'd like permission to
add to the record a statement that she might provide, Mr. Chairman.
How
many days is traditional to submit additional material?
REP. LEACH:
Usually several, but we'll do our best.
REP. SHERMAN: Okay. Whatever
number of days we have.
REP. LEACH: And without objection, the statement
of Ms. Karen will be placed in the record if it's presented on a timely basis.
REP. SHERMAN: Thank you.
So I want to compliment those who will
be making presentations to us, and who have taken the time to draft legislation
in this area. This is not only loss money and loss sense of security for those
who are victims of identity theft; it is a tremendous drain on their time and
also a drain on our business and banking system which is bilked into making
loans to people who are not who they say they are, or allowing the withdrawal of
funds from a bank by a person who is not the depositor.
Thank you, Mr.
Chairman.
REP. LEACH: Thank you very much, Mr. Sherman.
At this
point, the committee would welcome Ms. Hooley and Mr. LaTourette. And we thank
you for the bill that you've presented to us. And we thank you for your long and
thoughtful service to this committee in general.
Shall we begin with
you, Ms. Hooley?
REP. DARLENE HOOLEY (D-OR): Mr. Chair, either one is
fine.
REP. LEACH: Fine.
REP. HOOLEY: First of all, I would like
to thank you for your willingness to hold this meeting, and I'd like to thank
you for all the work you've done in this area, both on making it a criminal act
and for your pretext calling. Those are both really important pieces of this
issue. So thank you for doing that.
Mr. LaTourette and I introduce this
bill because identity theft occurs when someone uses your name, social security
number, mother's maiden name, or any personal identifiable information to
purchase goods or services. While credit issuers have been willing to refund
fraudulent charges, victims are still faced with problems of ruined or destroyed
credit, the time commitment of redeeming their name with multiple credit bureaus
and credit issuers, and the fear and anxiety associated with knowing that
someone is using all of their personal information to charge any manner of
goods.
As a result of identity theft, victims have been turned down for
jobs, turned down for mortgages, and other important extensions of credit.
Identity theft is becoming a growing concern for millions of Americans.
Now, this is an equal opportunity crime with victims of all ages,
incomes and races. Regardless, the effects can be devastating on the victim.
Take for example, Shon Boulden from Hillsboro, Oregon, who you will be
hearing from today. Shon has dozens of accounts opened under his social security
number. As a result, Shon has spent countless hours battling to clear up his
good name. Now at the age of 23, Shon is unable to get the kind of credit a
young person needs to start off in life, including credit card loans, business
loans, or student loans.
While the consequences can be dire for the
young, this crime can be devastating to the elderly who are especially
vulnerable. A few months ago, I spoke to a constituent whose 96-year-old mother
had her checks, credit cards, and drivers license stolen. Now, I was surprised
she still had a drivers license at 96. With her drivers license and account
number, the thieves were able to cash multiple checks in her name.
She
and her son along with her bank investigated this issue, and they opened up a
new account for her. But it didn't end there. Even though she canceled her
credit card, the thieves were able to transfer $12,000 from her
Visa card to a bank in Ann Arbor, Michigan. Now, I should note that this woman
has never been to Ann Arbor, nor has she ever had anything close to that kind of
a balance on her card.
This constituent was lucky enough to have a son
to help her navigate through the maze of opening and closing accounts, dealing
with banks and credit card companies and credit bureaus. But many elderly people
don't have children near by. They're in poor health, financially unstable.
Therefore, these crimes don't just aggravate; they cause tremendous fear. People
fear not only the criminals, but the harassing phone calls and threatening
letters from collection agencies.
And introducing the Identity Theft
Protection Act we are asking credit issuers and credit reporters to do their
part in making sure that credit is extended to the right person. And in the case
of fraud, we are asking for procedures to be put in place to assure the
consumers can clear up their good names quickly.
For instance, the
legislation requires that any time a creditor receives a change of address form,
the creditor sends back the confirmation to both the old and new address. That
way, if a thief attempts to change a victim's address, the victim will know
about it-- a very simple but important piece of prevention. It asks credit
bureaus to investigate discrepancies in the names and addresses they have on
found with names and addresses provided by a credit issuer.
H.R. 4311
codifies a process of placing fraud alerts on consumer credit files and allows
the consumer to require verification before credit is extended. This bill gives
the FTC the authority to impose fines against credit issuers that ignore that
fraud alert.
This legislation also gives consumers more access to the
personal information collected about them, which is a critical tool in
combatting identity theft by requiring that every consumer that asks for it
across the nation have access to one free credit report annually.
This
bill restricts the sale of social security numbers by credit bureaus.
Increasingly, the social security number is becoming a national identity and the
key to identity theft. I want to reiterate that I fully understand that in most
cases of identity theft the victims recoup most of their financial losses. And I
applaud the credit issuers for now further punishing victims. However, I believe
that credit issuers and credit bureaus must recognize the problem this creates
for consumers.
The son of the 96-year-old victim told me that his
mother's bank just didn't see to care, as they thought, she didn't lose money,
so she shouldn't be upset.
Well, Mr. Chairman, I don't see it that way.
In closing, our bill has common sense reforms; it asks credit bureaus to honor
fraud alerts; forces credit issuers to observe those alerts; gives customers a
notice when their billing addresses are changed; and asks credit bureaus to at
least look into discrepancies. In my mind, this is the least we can ask of those
companies, who profit in extending credit and trading in on our credit
histories, to do to protect us. Thank you.
REP. LEACH: Well, thank you
very much, Ms. Hooley.
Mr. LaTourette.
REP. STEVEN LaTOURETTE
(R-OH): Thank you very much, Mr. Chairman. And I want to thank you for
conducting this hearing, and for your continued efforts in finding ways to
protect the consumers in this country on this very important issue. I also want
to congratulate my colleague, Darlene Hooley from Oregon. This bill is
affectionately known by the acronym the HOOLA (sp) bill in our two offices, and
that was why it immediately became attractive to us.
I thought I would,
by way of illustration, share with the committee a story as to how I became
intimately involved with the issue of identity theft.
Last year, a
couple from my home town, Ray and Maureen Mitchell, came into my district
office. And I have a special affection for the Mitchells because when I was
first running in 1974, their son who goes to Madison High School with my
daughter Sarah was the only boy who would show up to be in my television
commercials. So the Mitchells have been long time favorites of mine.
They told me a numbing story of how they became involved in identity
theft, and how they have been involved now in identity theft. There are a half a
million people a year out there just like them, the victims of crime, their
lives that go unreported, and widely misunderstood.
In many ways, being
the victim of crime can be far more devastating than being a victim of a typical
crime. Once you are exposed to this crime, you never feel totally safe. As a
matter of fact, now the Mitchells drive around with a signed affidavit in their
car, fearing that when they make a purchase they will be confused for the bogus
Mitchells, and this isn't a way for innocent people to live.
The
Mitchells' daughter just graduated from high school this year, and like a lot of
parents, they wanted to buy her car. They purchased the car with cash, however,
because they were afraid they couldn't get a loan as a result of their once
perfect credit now being shattered.
It started about a year ago. The
Mitchells' bank noticed $2,100 worth of unusual charges on
their credit card, and it's been down hill ever since. The thieves used the
Mitchells' personal information to open new credit cards, buy cell phones, take
out two huge personal loans, and purchase not one, but two
$40,000 SUVs. Now, one was a Ford Expedition -- they're
probably having some problems with their tires there -- and the other was a
Lincoln Navigator. All told, Ray and Maureen has been victimized to the tune of
$110,000. The Secret Service is involved, the postal
inspector's involved, the Illinois authorities are involved.
But last
November 19th, Mr. Chairman, three days after the fraud alerts were placed on
their credit report, a man went into three different Chicago banks, and in a
two-hour period applied for $45,000 worth of personal loans in
Ray Mitchell's name. Each time the bogus Ray Mitchell presented a valid Illinois
drivers license and Illinois state identification card, and all of the real Ray
Mitchell's personal information.
The Mitchells never engaged in
so-called risky behavior, or behavior that is, quite frankly, typical for
millions of American families. They didn't put shopping receipts and
pre-approved credit card offers in the trash. They didn't buy things on line.
They didn't do catalog shopping or pay for credit card purchases over the
telephone. There was no stolen wallet or credit cards. Still someone was able to
re-create Ray Mitchell's identity with ease. Because the Mitchells had a history
of always paying their bills on time and had a blemish free credit report, they
were a perfect target.
The good news, Mr. Chairman, is the guy that
applied for the loans was arrested the same afternoon. Police arrested him as he
tried to leave Bank One in Chicago after securing a $15,000
loan. He had $5,000 in cash and $10,000 in
bank checks payable to Raymond Mitchell. The bad news is that the judge freed
him two days later on a personal recognizance bond, even though he has a
criminal record dating back to 1977 and has used 17 different aliases.
Suffice it to say that the guys not shaking in his boots. When he was
arrested he told the detective, "I didn't use a gun. I didn't use a knife. Call
my lawyer, and I will plead guilty. And they will put me on probation."
The Mitchells are angry, Mr. Chairman. They agree with the purposes of
this bill. They were red flagged. It should have been noticed by someone, like
the 30 inquiries in the Mitchells' credit card report in just 60 days, or the
numerous change of address request. Almost every other day the bogus Ray
Mitchell was applying for car loans and personal loans. The Mitchells haven't
had that much activity on their credit report in two decades. They average just
1.5 inquiries on their credit report per year.
It's disheartening to me
that this legislation is opposed by some folks. I understand that it may
increase some cost, and it may require more paperwork. But the Mitchells, and
people who find themselves like the Mitchells, deserve the attention and the
protection of this Congress. And I would just ask unanimous consent to include
the rest of my statement in the record so you can move on with your hearing.
REP. LEACH: Well, without objection. And let me thank both of you for
your very thoughtful testimony, more importantly for re- alerting the committee
again to a very profound area of concern.
We just have one or two
minutes for a vote. Does anyone seek to ask our witnesses any questions?
If not, I'd like to recess the committee, pending the votes on the
floor. The committee's in recess.
(Recess.)
REP. LEACH: The
committee will reconvene.
Our second panel is represented by Ms. Betsy
Broder, who's the assistant director of the Division of Planning and Information
in the Federal Trade Commission, and Mr. Bruce Townsend, who's special agent in
charge of the National Crimes Division of the United States Secret Service.
We'll begin with you, Ms. Broder, unless you have a differing agreement.
MS. BRODER: No, that's fine.
REP. LEACH: If I could ask you to
hold for a second. If you put the microphone very up close, I think it's an
easier way you'll find to speak, and you don't strain as much.
MS.
BRODER: Thank you. As you said, my name is Betsy Broder, and I assistant
director for Planning and Information at the Federal Trade Commission's Bureau
of Consumer Protection. I'm very pleased to have the opportunity this morning to
present the commission's testimony describing our efforts to help victims, alert
industry, and equip law enforcement to deal with this pernicious crime of
identity theft.
I'd like first to discuss the measures that the
commission has taken to meet the goals of the Identity Theft Assumption and
Deterrence Act of 1998, and then describe what we see as the challenges of the
future.
The FTC has launched a comprehensive response to ID fraud. Under
the '98 act, the agency was charged with establishing a central repository for
identity theft complaints, to refer appropriate complaints to law enforcement
and private sector entities, and to provide support for identity theft victims.
This is how we've met these goals.
We've established a toll free
hotline, 877-IDTheft for consumers to call and report incidents of identity
theft. Callers who call our toll free line are connected to specially trained
telephone counselors, one of whom actually was Ms. Mitchell, referred to earlier
by LaTourette. These counselors provide information to assist the consumers who
find themselves to be victims of identity theft. Our approach is to give
consumers the information that's necessary to help them resolve problems
typically associated with identity theft.
While we receive many calls
from victims, about 40 percent of our callers are people seeking information to
try to prevent this type of crime. Some of these people find themselves
especially vulnerable to identity theft perhaps because they've had their wallet
stolen, and they want to find out what they can do to prevent identity theft
from happening to them.
With these callers, we provide practical tips on
identity theft prevention, including ways to protect the type of personal
financial information that's frequently exploited by identity crooks. We also
refer these callers to our consumer education publication.
Our toll free
number has been up less than a year. We set it up in November of '99, and so far
we've answered almost 30,000 calls. Our call volume has tripled in the last six
months, and we believe that this steep growth will continue. We now receive
about 1,000 calls a week to our hotline. When we first set this up, we were
receiving 100 calls a week. We're now up to 1,000 calls every week.
Consumer education is a key component of our efforts. Our publication,
which I show you here -- ID Theft: When Bad Things Happen to Your Good Name --
has been a tremendous hit and an asset to consumers. We've distributed more than
100,000 copies of this publication. The Social Security Administration itself
has printed and distributed over 140,000 copies. And about an equal number have
been accessed through our identity theft website. The website links the state
statutes, publications and other information that assist consumers and law
enforcement, and it has received about 160,000 visits.
Finally, we're
using the --
REP. LEACH: If the gentle lady would yield for a second.
With regard to your publication, we're going to put that on our website
as well. And I think it's a very appropriate one. And I want to congratulate you
on putting it together.
MS. BRODER: Thank you, sir. In fact, it's been
an enormously successful campaign. And we know that if we can give some of this
information to consumers, they may not be able to prevent consumer ID theft, but
they can limit their exposure.
I talked earlier about our hotline, what
we do with the people who call in. Well, we provide assistance, but we also get
information from them. We use the complaint information provided by these
victims to help law enforcement efforts. We enter consumers' complaints into our
ID theft data clearinghouse. This clearinghouse is part of our larger consumer
fraud network called Consumer Sentinel, which is used currently by more than 260
law enforcement agencies around this country and Canada.
Using a
password and special security software, law enforcers use their desktop PC to
access Sentinel and through the identity theft clearinghouse. They search for
identity theft perpetrators and victims in their backyard, and they're able to
uncover trends through this collection of data that wouldn't be apparent by
looking at individual complaints.
We're also developing ways, in
accordance with the act, to provide limited and appropriate access to financial
institutions and the three national consumer reporting agencies to allow them to
track complaints and trends related to themselves.
I would just add, we
receive complaint data from consumers themselves, but we are also receiving data
from other agencies and entities to add to our database. Just today, we're
receiving complaint data from the Social Security Administration, representing
the last two weeks of complaints that they have to include in our database to
make it as rich a repository of data as possible to assist in law enforcement in
this area.
Our database has given us some very interesting statistics
about identity theft and financial institutions. About 55 percent of the victims
who contact our hotline report that a ID thief either opened or took over a
credit card account; 18 percent report that a bank or a checking account had
been opened in their name and/or that checks had been fraudulently written in
their name; and 11 percent report that loans were obtained in their name. Of
course, you realize that each of these violations may have occurred to the same
person. They may have had a bank account opened in their name, a credit card
takeover; people suffer numerous types of harm.
Our clearinghouse also
collects complaints about the ways in which banks and other financial
institutions handle ID theft. That is, have their business practices
unnecessarily exposed people to this crime, or have they been responsive to
their customers' needs as ID theft. Again, as we build out our system, we'll
make this information directly available to those institutions through limited
access to the clearinghouse.
Private sector and legislative proposals
have also emerged to help protect against identity theft. 4311 from this
committee is one such response. The Senate version of this, 2328, contains many
of the same provisions. And the commission has come out strongly supporting
these proposals; giving consumers access to information when there are changes
of address; providing them with free credit reports every year from each of the
major credit reporting agencies. All of these measures give consumers access to
information about themselves that could reveal vulnerability or actual
victimization of identity theft. We think these are very positive and helpful
measures, and we support them.
Finally, we're working closely with many
private sector groups to uncover ways to help improve prevention and victim
assistance. In late October, we'll be hosting a workshop on victim assistance
and identity theft. We've invited all interested parties -- the consumer
reporting agencies, consumer groups, government agencies, financial institutions
-- to help us set up the agenda. We hope to be able to use this forum as an
opportunity to start developing a standardized complaint affidavit -- something
that's also referred to in 4311 -- so that consumers will only have to fill out
one form when they've been a victim of identity theft. And this form will be
accepted by all financial institutions.
We will also be pursuing with
our sleeves rolled up other practical ways to assist consumers who have been
victims of identity theft.
Thank you, Mr. Chairman, and members of the
committee. And I'd be happy to answer any questions you may have.
REP.
LEACH: Thank you very much, Ms. Broder.
Mr. Townsend.
MR.
TOWNSEND: Good morning. Mr. Chairman, members of the committee, thank you for
the opportunity to address the committee on the subject of identity theft and
the Secret Service's efforts to combat this problem. I have prepared a
comprehensive statement which will be submitted for the record, and with the
committee's permission, I will summarize it at this time.
REP. LEACH:
Without objection. Both of the statements will be fully in the record if they
haven't been fully presented.
MR. TOWNSEND: In addition to providing the
highest level of physical protection to our nation's leaders, the Secret Service
exercises broad investigative jurisdiction over a wide variety of financial
crimes. As the original guardian of our nation's financial payment systems, the
Secret Service has a long history of pursuing those who had victimized our
financial institutions and our law- abiding citizens.
In recent years,
the combination of the information technology revolution and the effects of
globalization have caused the investigative mission of the Secret Service to
evolve in a manner which cannot be overstated.
Today we are faced with a
new challenge, that of identity theft. We in the Secret Service view identity
theft as a disturbing combination of old schemes and abuse of the emerging
technologies. However, it should be clear. This crime is about more than the
theft of money or property. This crime is about the theft of things that cannot
be so easily replaced-- a person's good name, a reputation in the community,
years of hard work, and commitment to goals. Make no mistake about it. This
crime is a particularly invasive crime that can leave victims picking up the
pieces of their lives for months or years afterwards.
Mr. Chairman, we
in the Secret Service applaud your efforts in convening this hearing today. We
stand ready to work with you and all the members of the committee in attacking
the crime of identity theft. It is our belief that hearings such as this will be
the catalyst to bring together the resources of both the state and federal
governments in a unified response to the identity theft problem.
As we
enter the next century, the strength of the financial industry has never been
greater. A strong economy, burgeoning use of the Internet and advanced
technology, coupled with increased spending has led to fierce competition within
the financial sector. Although this provides benefits to the consumer through
readily available credit and consumer oriented financial services, it also
creates a rich environment for today's sophisticated criminals, many of whom are
organized and operate across international borders.
In addition,
information collection has become a common by- product of the newly emerging
e-commerce. Internet purchases, credit card sales, and other forms of electronic
transactions are being captured, stored, and analyzed by entrepreneurs intent on
increasing their market share. This has led to an entirely new business sector
being created which promotes the buying and selling of personal information.
With the advent of the Internet, companies have been created for the
sole purpose of data mining, data warehousing and brokering of this information.
These companies collect a wealth of information about consumers, including
information as confidential as their medical histories. Data collection
companies, like all businesses, are profit motivated, and as such, may be more
concerned with generating potential customers rather than the misuse of
information by unscrupulous individuals. This readily available personal
information in conjunction with customer-friendly marketing environment has
presented ample opportunities for criminals intent on exploiting the situation
for economic gain.
The Secret Service has investigated cases where
criminals have used other people's identities to purchase everything from
computers to houses. Financial institutions must continually practice due
diligence, unless they fall victim to the criminal who attempts to obtain a loan
or cash account of the check using someone else's identity.
As financial
institutions and merchants become more cautious in their approach to
hand-to-hand transactions, the criminals are looking for other venues to
compromise. Today criminals need look no further than the Internet. For example,
an Internet fraud investigation conducted by the Secret Service, the Department
of Defense, the Postal Inspection Service and the Social Security
Administration, Office of the Inspector General highlighted the ease with which
criminals can obtain personal information through public sources.
These
defendants access a website that publish the promotion list of high-ranking
military officers. This site further documented personal information on these
officers that was used to fraudulently obtain credit, merchandise and services.
In this particular case, the financial institution in an effort to operate in a
customer-friendly manner issued credit over the Internet in less than a minute.
Approval for credit was granted after conducting a credit check for the
applicant who provided a true name and matching true social security number. All
other information provided, such as the date of birth, the address, and
telephone number that could have been used for further verification was
fraudulent.
The failure of this bank to conduct a more comprehensive
verification process resulted in substantial losses, and more importantly, a
long list of high-ranking military officers who became the victim of identity
fraud.
The Internet provides the anonymity that criminals desire. In the
past, fraud schemes required false identification documents and necessitated a
face-to-face exchange of information in identity verification. Now with just a
laptop and modem, criminals are capable of perpetrating a variety of financial
crimes without identity documents through the use of stolen personal
information.
The Secret Service has investigated several cases where
cyber criminals have hacked into Internet merchant sites and stolen the personal
information and credit card account numbers of their customers. These account
numbers are then used with supporting personal information to order merchandise
which is then transhipped throughout the world. Most account holders are not
aware that their credit card account has been compromised until they receive
their billing statement.
The Secret Service continues to attack identity
theft by aggressively pursuing our core violations. It is by the successful
investigation of criminals involved in financial and computer fraud that we have
been able to identify and suppress cases of identity theft. The Secret Service's
investigative program focuses on three areas of criminal schemes within our core
expertise.
First, the Secret Service emphasizes the investigation of
counterfeit instruments. By counterfeit instruments, I refer to counterfeit
currency, counterfeit checks -- both commercial and government -- counterfeit
credit cards, counterfeit stocks or bonds, and virtually any negotiable
instrument that can be counterfeited. Many of these schemes would not be
possible without the compromise of innocent victims' financial identities.
Second, the Secret Service targets organized criminal groups which are
engaged in financial crimes on both the national and international scale. Again,
we see many of these groups, most notably the West African and Asian organized
criminal groups, prolific in their use of stolen financial and personal
information to further their financial crime activity.
Finally, we focus
our resources on community impact cases. The Secret Service works in concert
with the state, county and local police departments to ensure our resources are
being targeted to those criminal areas that are of a high concern to the local
citizenry. Further, we work very closely with both federal and local prosecutors
to ensure that are investigations are relevant, topical and prosecutable under
existing guidelines.
No area today is more relevant or topical than that
of identity theft. The Secret Service acknowledges that identity theft is a very
real problem, and pledges its support in the federal government's efforts to
eliminate it.
Mr. Chairman, this concludes my prepared statement. I'd be
happy to answer any question that you or other members of the committee have.
Thank you.
REP. LEACH: Thank you very much, and I thank both witnesses.
We have a very, very large problem. One element -- and I stress it's
only one element of the problem -- is a professional class of facilitators who
are law breakers. And I remain absolutely astonished that after passage of a law
that says that identity theft is by national statute illegal, subject to fine
and imprisonment, that it is wantonly advertised. I've never known any behavior
of criminal behavior in which one advertises that they're going to do a criminal
misdeed. And bizarrely, advertised in legal publications; that is, advertised to
officers of the court that a company is prepared to do illegal acts, for a fee.
And I would like to introduce -- or re-introduce because the FTC once
did a sting -- the word "sting" to law enforcement in this area. It is
inconceivable to me that anybody should be advertising to do these things. And
when our committee staff hit 11 of 11, through public advertisements, of people
willing to steal someone's identity, or get information based upon false
identity presentations, there's something that isn't being met in an active way.
And I turn to the FTC. Have you brought any enforcement actions against
these companies?
MS. BRODER: Mr. Chairman, pretexting is not new to the
Federal Trade Commission. We have in fact brought a case against a pretexter --
REP. LEACH: This is the one in Colorado?
MS. BRODER: Yes, the
Touchtone case. And this was prior to the passage Gramm-Leach-Bliley. And in
that case, the information broker -- a company called Touchtone -- posed as the
consumer, asked the bank for that consumer's private financial information. And
then they sold that information to a third party, of course, without the
knowledge or consent of the account holder.
We've obtained judgment
against Touchtone and its principles, which prohibits them from pretexting,
except for those exceptions allowed by Gramm-Leach-Bliley. And we've extracted a
$200,000 suspended judgment.
Since the passage of
Gramm-Leach-Bliley 10 months ago, and in addition the Identity Theft Act, we
have further stops -- further tools -- to track down and prevent the pretexting.
But we too are aware, Mr. Chairman, that not withstanding the passage of
Gramm-Leach- Bliley, pretexting persists. And while today I'm not able to
discuss ongoing investigations, we are mindful of this problem. And we will use
our Gramm-Leach-Bliley enforcement authority under 521 to target appropriate
cases in keeping with our resources as an agency.
REP. LEACH: Well, I
would, first of all, suggest that the FTC listen very carefully to one of our
following witnesses and what he has to say. And I would also ask the FTC to be
in contact after this hearing with my committee staff about what they did, how
they did it, and the simplicity of receiving affirmations of people who are
willing to do illegal activities.
MS. BRODER: We will certainly follow
up, Mr. Chairman.
REP. LEACH: I mean, it is inconceivable to me that you
can't simply look at advertisements and reach some conclusions and actions that
can follow.
In addition, it has struck me that there has been an
inadequate education effort to the legal community. I mean, the people advertise
in legal communications. That's an invitation for a lawyer to use services. And
I think it should be clear that a lawyer can be accountable under the law if he
or she knowingly uses a service that itself uses illegal methodologies. I don't
know what outreach you have to the various bars in the country, but I would
certainly think that strong advisements would be in order.
With regard
to the Secret Service, Mr. Townsend, I'm very impressed with one of your
premises that the Secret Service is a guardian of our financial payment system,
which I think is a very profound obligation. And my own view is, of all the
criminal activity that's rising in the world today, it relates to this. And I'm
not convinced that you have all the adequate resources you need, and I'm
wondering if you would like opine on this. As I look at the year-end budgeting
circumstance in Congress, I've directed my staff to look at this issue because I
think that the assumption of the Secret Service's jurisdiction, of one nature in
the popular mind, doesn't relate to some of the activities and areas of concern
in other areas.
I'm wondering if you'd be willing to indicate whether
you think the Secret Service needs more resources with regard to payment system
issues.
MR. TOWNSEND: With regard to payment system issues, and more
broadly our evolving investigative jurisdiction, clearly resources are stretched
thin.
I mentioned earlier that the lay of the land with regard to
identity theft and the broader issue of financial crimes has really changed in
the last five years with this concept we refer to as globalization. We have had
to go global to stay up with the criminals. Today, the Secret Service has
special agents deployed on a permanent basis to 18 United States embassies
around the world. In years past when we worried about our identities being
compromised, we had to worry about perhaps our mail being stolen out of our
mailbox or our wallet being stolen. Today, with computer technology, information
technology generally, a hacker in a country can literally steal from our
technological boxes around the world. And in order to be responsive, we in the
Secret Service have deployed our personnel in a global fashion. This, of course,
does stretch existing resources.
REP. LEACH: Can you give us some order
of magnitude? The Secret Service today, how many people are in it?
MR.
TOWNSEND: The Secret Service today is at about 2,800 special agents. And we are
an agency that is changing. Over the last two years, the Congress, with the
support of many of you on this committee, has supported additional special agent
positions, which as I mentioned, we have deployed around the world.
Additionally, we're deploying them to our major field offices domestically in
order that we can be more effective to attack issues like this.
REP.
LEACH: Thank you very much.
MR. TOWNSEND: Yes, sir.
REP. LaFALCE
(D-NY): Thank you very much, Mr. Chairman.
Mr. Chairman, by your
comments, I appreciate the gravity with which you take this issue, and I think
that gravity is extremely warranted. I share it, as do many other members, both
sides of the aisle-- Ms. Hooley, Mr. LaTourette and many others. And I know it's
very, very late in the session, and it would be very difficult to pass
legislation. But I would hope that we could mark this legislation up at least
and attempt to get it to the House floor. And then who knows what would happen
during the omnibus bill because this is an extremely serious problem, as has
been testified, of epidemic proportions.
Ms. Broder, you indicated that
FTC supports the preventive measures proposed in H.R. 4311, correct?
MS.
BRODER: Correct, sir.
REP. LaFALCE: Okay, fine.
I think we're
going to hear from trade associations that the measures are unnecessary, and the
problems you've identified can be addressed through voluntary self-regulatory
measures.
How would you respond to those arguments?
MS. BRODER:
We believe that the measures in 4311, and its companion bill, 2328 in the
Senate, are necessary because we have not seen a great response on the
self-regulatory front, quite frankly. And while initiatives have been announced,
we haven't seen any changes implemented, for example, among the consumer
reporting agencies.
Now, we know that fraud alerts are placed on a
consumer's credit file when they call into their credit reporting agency, but we
also know that in many cases those fraud alerts are neither clear nor
conspicuous. One of the provisions in 4311 is to make certain that those fraud
alerts do what they're supposed to do.
So there are many measures within
this bill that we think are very practical and would, in fact, assist consumers,
and have not been undertaken by private industry itself.
REP. LaFALCE:
Both Mr. Townsend and Ms. Broder, if you were on this committee, or a member of
Congress, and could initiate and pass legislation to deal with the problem of
identity theft, what do you think might be either necessary or desirable
legislatively?
Let's start with you, Mr. Townsend.
MR. TOWNSEND:
Sir, clearly, the data that we are getting and the trends that we are seeing
indicate that the criminal suspects we need to be most concerned about are
operating on line. They're operating in a cyber world. And I would submit
respectfully to the committee, legislation that would be drafted address
specifically the cyber issues. Frequently, as we've seen in the last two or
three years, the amendment of 18 USC 1028, to move away from a certain number of
false identification documents; that you address the fact that information can
be downloaded now from the Internet.
So I would submit respectfully that
legislation address crimes that are committed via the use of the Internet and
computers.
REP. LaFALCE: Ms. Broder.
MS. BRODER: And I would
agree with everything Mr. Townsend said. I would also suggest at this time that
we have some fairly young legislation out there. We have certainly, as Congress
says, criminalized identity theft. We have established the central repository of
identity theft complaints. And we believe that this will provide tremendous
incentive for prosecutors to be able to go after identity theft. Not only do
they have the data; now they can see the big picture, rather than individual
complaints.
So I would suggest perhaps it's time to see how the system
is working with what we have in place, and should 4311 be enacted into law, with
those provisions too to help prevent identity theft as opposed to the
prosecution.
REP. LaFALCE: We're talking about both prevention, which is
necessary, and prosecution which is necessary.
Forget about legislation,
what could you do to enhance the prosecution of identity theft? Who can
prosecute? Is it a local county district attorney? Is it a state attorney
general? Is it the U.S. attorney? Or is it all of the above, depending? And to
what extent are prosecutors equipped to handle the growing epidemic? And how can
you engage in an outreach effort to enlist them to prosecute these cases as a
priority item, which might turn out to be the best preventive measure we can
take?
MS. BRODER: It is a priority item.
REP. LaFALCE: For whom?
And can we make it a priority item for all the prosecutors?
MS. BRODER:
You've asked a series of questions. Let me first tell you who it is that
prosecutes these cases.
It's now a federal crime to engage in identity
theft, so any U.S. attorney's office can prosecute these crimes. Seventy-five
percent of the states have statutes prohibiting identity theft. So there can be
state, and, in some cases, local prosecution of these crimes.
REP.
LaFALCE: You say in some cases. Is most every local county attorney or
prosecutor able to prosecute violations of state laws?
MS. BRODER: I
think generally that's so.
REP. LaFALCE: And with respect to the 25
percent of the states that don't have laws, is there any effort that we could
make to get them to pass laws in those states to enable their prosecutors to
also prosecute this crime?
MS. BRODER: I think this is the trends that
we're going to see, sir.
REP. LaFALCE: Under the federal law that exist
making it a federal crime, do the local prosecutors have the capacity to
prosecute the violations of federal law?
MS. BRODER: No, they do not.
REP. LaFALCE: Can we enable them to do that? I'm just asking questions.
MS. BRODER: We know that under certain civil statutes -- for example,
the Home Equity Protection Act, the Telemarketing Sales Rule, the 900 Number Act
-- the Federal Trade Commission and state attorneys general have enforcement
authority. So there is this joint jurisdiction and enforcement authority on a
civil level. I'm ont aware, Mr. LaFalce, on the criminal side of whether that is
a common measure.
MR. TOWNSEND: If I could respond, sir, to your first
issue regarding prosecution. Clearly, as you've mentioned, it's a federal crime.
And in the case of the Secret Service, we aggressively pursue those for
presentation to the various United States attorneys offices. But more
importantly, I mentioned in my opening statement, one of the critical components
of the Secret Service investigative strategy is community impact cases. And that
varies widely across this country, from judicial district, to state, to various
counties.
We regularly present for prosecution identity theft cases to
state and local authorities if, in fact, in that area that is a community impact
issue. It may not meet the federal threshold for prosecution. But we in the
Secret Service regularly submit, testify in open court. All of the resources of
the Secret Service, in terms of expert testimony, forensic service analysis, are
available to the state and local prosecutors. If in fact that's deemed to be a
community impact case -- that's an important issue wherever it may be -- we
would then go into the state court, if, for whatever reason, the federal system
were unavailable to us through thresholds or other reasons.
You also
asked a question about resources. Clearly, prosecutors, like many in the
criminal justice system, feel besieged by a competing number of priorities. I
can report to you that on November 27th, the Secret Service, along with the
Treasury Department, will host an identity theft workshop focused on enforcement
efforts. And we hope to host local prosecutors and their local police and state
counterparts in order that we can move this issue along.
Clearly,
there's work to be done. But in the Secret Service we view partnerships with
state and local governments as critical to our --
REP. LaFALCE: Is there
a committee of the National District Attorneys Association that deals
specifically with the issue of identity theft? At the state or national
conventions of the District Attorneys Association, do you attempt to put
seminars before them at their meetings or make presentations on the issue of
identity theft?
Because of the proliferation of the uses of the Internet
and the availability of so much personal data, if it's an epidemic now, it's
going to be geometrically increasing epidemically in the future. And so we have
to wage war.
MR. TOWNSEND: If I could respond. Public education is also
a key regarding this variety of financial crimes that we investigate. I find
myself sometimes having to make difficult decisions because of the demand for
our special agents to make public presentations versus actually working the
cases we need to be working.
But we have such a demand for
presentations, and we have long list and regular. We have people literally today
in Mexico City making presentations on this topic and deployed elsewhere around
the country speaking to these kind of groups.
So your point is well
taken. Public education is a key component, and it's one that we try to pursue.
REP. LEACH: Ms. Biggert.
REP. JUDY BIGGERT (R-IL): Thank you,
Mr. Chairman.
I was amazed going on the Internet and the amount of
information that could be gathered from one of the investigative companies that
was found. They no longer will provide social security numbers, but in location
searches they can locate by social security number the name of a person for
$43. They can locate a current address from the phone number.
For $25, you can have the date of birth of somebody. For
financial searches, bank account balance for $45. Bank account
search-- that will cost you quite a bit of money, $249 to find
out what somebody's bank account is. Bank account activity detail for
$99. More information is, the property records by name for
$37, property records by address for $32.
I'm astounded by the personal information that can be garnered just from
the Internet. Now, apparently the social security number is now a little bit
harder to find. But couldn't you then make up a social security number until you
find somebody that you think you want to assume their identity, even if they
don't have that social security number? Or they could have a hacker find their
social security number, and then proceed from there.
MS. BRODER:
Identity thieves are tremendously resourceful. And they can obtain this type of
information legally and illicitly. And generally they have many ways of doing
so. We know that there's legislation being considered now to prohibit the
offering for sale and purchase of social security numbers. So there are measures
being undertaken.
Certainly with the Internet, information that had been
publicly available before is available on such a widespread basis, and can be
disseminated so broadly that it's causing all of us concern. It's time to stop
and look at these practices in this cyber world, and determine the balance
between access to information and privacy entrance.
REP. BIGGERT: I
think people would be absolutely amazed if they knew that people had access to
their bank account balance and their activity every month. It's amazing.
But several other proposals, including the H.R. 4311, deal with the
issue of removing the social security number from the header of credit reports.
I know that there's been some opposition to that in saying that it would
actually detract from the accuracy of the credit reporting system, as well as
consequences of not being able to locate errors, deadbeat debtors, or others who
they have an interest in identifying.
Do you think this is a valid
concern? And if so, how would you address it?
MS. BRODER: We don't think
it's a valid concern. They will have access to the information if they have a
permissible purpose under the FCRA. Entities who obtain a consumer's consent can
get access to this information. So that we don't find a compelling argument.
REP. BIGGERT: Thank you. And then, Mr. Townsend, I think that there was
a U.S. News and World report recently that reported the indictment of two
government employees for allegedly using information from the FDIC and the
Department of Health and Human Services to commit identity theft. And in
addition, there was a report issued by Congressman Horn of the Government
Management and Information Committee, which gave very low marks to computer
security systems in the government agencies.
Do you think that the
federal government has adequate procedures in place to protect employees and
citizens whose personal information is on there in centralized databases from
identity theft?
MR. TOWNSEND: Well, I can tell you that the Secret
Service is a law enforcement bureau within the Treasury Department, and as such,
we are charged with looking at intrusion and so forth within the Treasury
system. Although I have not read the report in detail, as I recall, the Treasury
was not listed, fortunately, as one of those which was having problems.
I really have to tell you though that I'm not intimately familiar with
the other systems. I can tell you that with regard to the Treasury system, we
have not investigated intrusions during my tenure there. But clearly, your point
-- and you refer to the U.S. News report article from I believe August 31st --
clearly, this is an area in which we in the government need to get our houses in
order also. It's an area that's highly topical, it's discussed daily, and it's
one that certainly we are going to be pursuing in the days to come.
REP.
BIGGERT: Thank you.
Thank you, Mr. Chairman.
REP. LEACH: Thank
you very much.
Ms. Maloney.
REP. CAROLYN MALONEY (D-NY): Thank
you, Mr. Chairman, for calling this meeting. And I applaud my colleague, Darlene
Hooley, for her bill.
It's been pointed out in Ms. Biggert's statement
and others that the societal changes of the information age have really improved
our lives, they've helped the economy; but in the area of
privacy and protecting the personal
information of individuals, I believe this Congress has really fallen
far behind in providing legal protection for our constituents.
I know
that identity theft is a growing problem. I am getting more and more calls in my
office about. And I think by giving one example that helps illustrate what we
are hearing in our offices, one such victim is a Mr. Ahmed (sp) who lives and
works in Queens. And he is been battling credit reporting agencies for five
years.
Five years ago, he discovered that someone had stolen his social
security number in order to obtain 14 credit cards. When he ordered copies of
his credit report, he was astounded to find two names with two different
occupations and two different birthdates on the report. Even with such glaring
errors on his credit report, and after obtaining a police report to back up his
claim, the credit reporting agencies were largely, totally unresponsive in
assisting him in clearing his name.
The agencies informed him that they
had contacted the credit issuing banks, and having received confirmation that
the social security number that the banks were using matched, would continue to
include the information from both names on his credit report.
The credit
issuing banks were also of little help. After writing to all 14, only 4
responded over a 3-year period. And even some of the account information from
the 4 remained on Mr. Ahmed's credit report.
In all, the identity theft
defaulted on over $20,000 in charges for which he received
collection notices. Despite the fraud alert that has been on his credit report
since 1995, and the terrible credit record, he continues to receive credit card
solicitations. He and his wife continue to monitor his credit report. And every
time they think that the problem is completed, they find a new fraudulent
account on this report. And this has been going on for five stressful years. And
they have invested literally hundreds of hours trying to clear his name.
Just last week, they were initially denied a mortgage until the
situation was again explained to the bank. Now they face an even more stringent
review. In this coming week, they have to appear before a New York co-op board
and explain, once again, why their credit history has had such a turbulent past.
And I really want to let the representatives of the credit reporting
agencies in the audience today know that I will continue to follow his case and
other constituents' cases. And I really feel, Mr. Chairman, that all of our
constituents deserve the extra protections of sensitive information that is
provided in the Hooley bill; and I feel that we need to adopt it in this
Congress.
I would like to, first of all, ask Ms. Broder, in your
testimony, you indicated that the FTC is receiving a thousand calls a week
regarding identity theft.
First of all, how many other FTC hotlines
receive anywhere near this many consumer contacts?
Secondly, when
consumers call the FTC hotline, they're advised to contact the credit reporting
agencies. From my own experience that is illustrated in the case that I just
gave you, many of my constituents are totally frustrated with the response from
the agency. The constituent whose case that I just spoke about indicated, of the
three that he contacted, the TransUnion fraud department was by far the most
helpful.
And how does the FTC monitor what is happening to our
constituents when our constituents call and relay these problems? Specifically,
do you make sure that the credit reporting agencies are answering their fraud
lines with real people and not just computers that never follow up? Have you, or
do you, test the credit reporting agencies' ability to actually resolve an
identity theft case? Or are more people than my constituents, and Mr. Ahmed who
is just running around in circles, really not receiving help from anyone in his
particular case?
So I look forward to your answer.
MS. BRODER:
One of the measures that we hope to enter into with the consumer reporting
agencies is one-stop shopping. If there's one constant that we hear from
victims, it's that they have to call each of the three major consumer reporting
agencies, and the Federal Trade Commission, and all of their creditors to take
care of things.
One measure that we would like to enter into with the
three major credit reporting agencies is one-stop shopping. That is, they either
call the FTC at our hotline or call one of the three major reporting agencies to
place a fraud alert on their files, and that it goes to all three offices.
We haven't made much progress toward pursuing that. We think that would
be a great help to consumers that are so burdened with --
REP. BIGGERT:
But do you ever monitor? Do you ever go in and take a case, and see if they're
actually solving it? I've got about five cases that are very similar to his,
where they say they call everyone, and no one ever does anything. And it's now
five years, four years, three years; and they're running in circles.
MS.
BRODER: Well, I would offer to you, Ms. Maloney, first our toll free hotline for
you to provide to your constituents so they can talk to our specially trained
telephone counselors and be given the information. Many consumers know they have
to call the consumer reporting agencies for fraud alert.
Do they know
they should also call the Department of Motor Vehicles to find out if someone
obtained a drivers license in their name? Do they know they should also contact
the Social Security Administration to see if there's other misuse, if people are
making money, earning wages in their name and incurring tax liability? So there
are many steps and a lot of information that our phone counselors can provide.
We do follow this data. We collect data in our data base that shows how
responsive the financial institutions are and the consumer reporting agencies--
all of those associated entities that consumers have to deal with when they're
victims of ID theft. And we look forward to putting a little pressure on them to
get them more responsive.
Is there a legal responsibility? They are
suppose to correct erroneous reports on a consumer's file. But we know that in
many cases, after consumers have gone in and gotten a correction on their
report, that same debt pops up again, which is why in our testimony we make the
rather dire, but perhaps at this time appropriate statement that often identity
theft is unavoidable, undetectable and unstoppable, unstoppable because it keeps
rising up just when the consumer believes that he or she has settled out all of
these problems. They keep coming up.
We're working very, very hard, both
with individual consumers and with the financial industry to try to approach
this. But I share your frustration.
REP. BIGGERT: My time is up. Thank
you.
REP. LEACH: Thank you very much.
Mr. LaTourette.
REP. LaTOURETTE: Thank you, Mr. Chairman.
Agent Townsend, I want
to follow up with the excellent questions that Mr. LaFalce was asking.
You talked about the federal threshold a couple of times. What is the
federal threshold?
MR. TOWNSEND: When we discuss federal thresholds,
what we are referring to are prosecutive guidelines, if you will. Those are set
by the individually United States attorneys in their respective judicial
districts. So as you can imagine, the prosecutive guidelines are different in
the central district of California as opposed to the central district of
Illinois.
REP. LaTOURETTE: And that's an excellent point. And that's
what I thought you were talking about. Because in my testimony when I was
talking about the family from Lake County, Ohio, the Mitchells, they had the
misfortune at the time they reported to the federal authorities of only having
lost $80,000; they hadn't crested $100,000.
And so their fondest hope was that the thieves would take another
$20,000 from them so they could get the attention of the U.S.
attorney in Cleveland.
And that seems to be a problem. And then what
happens is -- before this job, I was a district attorney in Ohio. And what
happens is that what you have available down there is the federal prosecution
isn't initiated. The miscreant is arrested in Chicago. The full panoply of
charges available to a federal prosecutor isn't available to the prosecutor in
Chicago because the crime committed in Chicago was going to get one
$15,000 loan; that becomes something -- in most states it's a
felony punishable by 18 months. And I made the observation when the fellow was
arrested. He said, "I didn't use a gun. I'm going to get probation," even though
he had a record going back to 1977.
So it really seems to be that we
have not given prosecutors anything. If the federal threshold is going to be a
certain amount, identity theft isn't a crime. Identity theft when you steal a
lot of money is a crime. And it seems to me that one of the things that we can
do is to somehow massage those federal thresholds; otherwise, we're going to
have despaired prosecutions.
And prosecutors all over the country are
busy. The guy in Chicago who's worried about the murderers, the rapists and the
burglars doesn't care about some lady in Madison, Ohio that lost
$100,000 to a guy that got a loan. And I would be interested,
one, in any thought that you have on that.
And then two, one of the
things that concerns the victims of identity theft that I've talked to is not
only what Ms. Broder was talking about. And that is, it seems you have to do all
the work. You've got to call everybody in town, and it doesn't get on the file.
As a matter of fact, some of these loans that were made to the crooks, were made
after the phone calls had been made. And so, one-stop shopping would be a
wonderful addition to what it is you're doing.
But what they're also
concerned about -- and any knowledge that you have about the market or this
information. We have three guys now in jail in Chicago. They're concerned that
they sold it to three more guys in Colorado, and that there's a move to traffic
this information-- not only to steal it and use it once, but then also to sell
it to other people that want to engage in similar criminal activity. And any
information that you have on that, I'd ben interested in hearing.
MR.
TOWNSEND: Sir, you've hit on two key issues. We share your frustration at times
with regard to federal prosecutive thresholds or guidelines. As you know, the
United States attorneys have wide prosecutorial discretion as to what they do
prosecute. And you make the point, federally we can bring people much more
easily back and forth across judicial lines as opposed to extraditing under the
state courts.
REP. LaTOURETTE: If I could interrupt you for just a
second. You also have jurisdictional problems. The reason that it's a smaller
crime in Chicago, especially if it's on the Internet, is that these crimes could
have been committed all over the country. And all the guy in Chicago gets to do
is what happened in Chicago.
MR. TOWNSEND: You make a very good point
which relates to this issue of globalization. If the hacker in Moscow hacks into
a system in Chicago, sends the identity to a co-conspirator in Buenos Aires, who
buys property and tranships it to Miami, and sells it to unsuspecting people,
where does the crime occur? And it takes about that long to transact that
transaction. So your point is well taken.
Secondly, with regard to the
marketing of this information, there's no question that we have seen a migration
of organized criminal groups, who formerly dealt in crack cocaine, weapons and
so forth, into this very lucrative area. And within the Chicago area that you
mentioned, well known street gangs are now moving into this area because, as you
said, the sentencing guidelines are not perhaps what we would all like them to
be. They know that violent crime is a priority. And additionally, they are able
to traffic second, and third, and fourth times among other members of the gangs
these identification documents and full identities.
REP. LaTOURETTE:
Thank you very much.
Thank you, Mr. Chairman.
REP. LEACH: Ms.
Hooley.
REP. HOOLEY: Thank you for your testimony. I have a question for
Ms. Broder.
First of all, thank you for all the work that you have done.
And I know you haven't very much time to get this up and running. When I have
constituents call, you are very good at helping victims help themselves.
However, as far as law enforcement goes, it seems that your hands are still
somewhat tied. And what types of authority do you think you need to further
combat this problem?
MS. BRODER: Well, as you know, we have civil
enforcement, not criminal enforcement authority. And we have used that in cases
of identity theft. We've just recently got a judgment against a company based in
California. We have a judgment for $37 million for a company
that was billing consumers' credit cards for purchases they did not make. They
were cramming charges onto their credit cards. That's violation of the Identity
Theft Act of '98 because they were using consumers' identities -- their name and
their credit card numbers -- to commit a crime.
And so, we will continue
vigorously to exercise our authority under Section 5, for unfair and deceptive
acts and practices that involve identity theft. We believe that that is a very
full granting of jurisdiction for us to address many issues civilly. But we do
know that we rely upon our criminal enforcement colleagues to add a little more
muscle there, for criminal enforcement and for serious jail times under the
Identity Theft Act.
REP. HOOLEY: You talked about one-stop shopping in
that you hadn't found people to cooperative to make that happen. And we've
talked to a number of victims of identity theft, and that is the problem. I
mean, there's a lot of problems with it. I mean, people just feel so violated
with this, and it comes up. Something like 55 percent of the cases have gone
over 4 years. So it is just constant. I mean, it's there all the time with them.
So it's much more than just money being taken. And they don't have to pay the
money, so it's just feeling of violation that somebody's out there impersonating
them all the time.
But what would it take to motivate other
organizations to join with you in this one-stop, "how do we let everyone know,"
Motor Vehicles, the credit bureaus; what would that take?
MS. BRODER: We
are working very closely -- we are trying to work very closely with all of the
affected entities, public and private, consumer groups. To answer that question
specifically, if you ask me what will it take to get the credit reporting
agencies to step up and engage in one-stop shopping, I guess I would have to
address that to one of the later witnesses on a later panel today. But we are
always available to discuss these initiatives with any other entities. And in
fact, that we hope that our workshop later in October will be just such an
opportunity.
REP. HOOLEY: Mr. Townsend, thank you again for all that
you're doing and for your testimony. This piece of legislation that we've
introduced, 4311, is really trying to deal with the prevention. Fraud alerts
have to be put on, that we're trying to codify that so that they actually have
to use those. Again, this is a prevention piece, not necessarily the enforcement
that we've dealt with in other pieces of legislation.
But since you're
in enforcement, what can Congress do to help law enforcement help victims and
put these criminals behind bars? What do we need to do, both nationally and to
help local law enforcement?
MR. TOWNSEND: I think some of the points
that Mr. LaTourette raised are interesting with regard to your question. One
area that we've not touched a great deal on today is sentencing guidelines.
Clearly, the effect that this crime of identity theft is having in our
community, I believe that Congress could support looking once again at where the
sentencing guidelines put identity theft. And perhaps this joint effort between
the FTC, Congress, the Secret Service and our other partners might institute a
new look at where the sentencing guidelines could go.
REP. HOOLEY: Thank
you.
REP. LEACH: Mr. LaFalce.
REP. LaFALCE: I'll only take a
minute for one question.
Is the advertising of what is criminal intent
to steal an identity, is the advertising in and of itself criminally
prosecutable?
MR. TOWNSEND: My understanding is that it is not. And of
course, let me once again say that what may be prosecutable in one particular
district is not the case in another.
REP. LaFALCE: Well, I'm thinking
now with respect to not thresholds, but just the law itself. If we had a U.S.
attorney who wanted to prosecute advertising, that clearly advertises with a
criminal intent, could it be done under existing law? That's the first question.
The second question. If it couldn't be done under criminal law, could we
pass a law that would be both constitutional and practically enforceable? In
other words, I'm thinking of the ability -- you say people are advertising. Can
we go in there and stop them by prosecuting them criminally before they do the
injury? Because they've done enough injury to the public in some way by
advertising.
If somebody intends to murder you, is there a conspiracy
law that is applicable? And they're into a conspiracy with the millions of
people who use the Internet?
MR. TOWNSEND: You've asked obviously a very
complex issue, which a team of lawyers would --
REP. LaFALCE: Well, I
would like a team of lawyers to huddle together and respond to me.
MR.
TOWNSEND: Yes, sir.
REP. LEACH: Will the gentleman yield?
REP.
LaFALCE: Yes.
REP. LEACH: There's a further point. Are there enforcement
actions against advertising criminal intent? I mean, the FTC brings enforcement
actions against misleading advertising. Is there such a thing as an enforcement
action against truthful advertising and an illegal act?
MS. BRODER: Yes,
there is, under various theories on fairness jurisdiction. We could pursue a
civil case under that type of theory.
REP. LEACH: Have you ever done
that?
MS. BRODER: Not since the 1950s.
REP. LEACH: Let me go a
step further, again, following the logic of Mr. LaFalce.
Have you
considered informing newspapers, yellow books, et cetera, that a given type of
advertising is for an illegal act, and do companies want to have a policy
accepting advertising for illegal acts?
MS. BRODER: We have done that.
REP. LEACH: Is that a first amendment problem?
MS. BRODER: Well,
we have met with the directors of classified sections of newspapers before to
talk about the offering of fraudulent franchises and business opportunities with
which Mr. LaFalce is very familiar. And we've spoken to them about what the
warning signs are, what are the indicia of fraud. So that they can then
institute a policy to screen out those. And I think that you raise a very
interesting point which I will bring back to the commission to discuss.
REP. LEACH: Fair enough.
REP. HOOLEY: Mr. Chairman, just one
real quick question for Ms. Broder.
With your hotline and your
educational pieces, what have we done to educate just the agencies within the
federal government on having their social security numbers on pieces of
information, or on documents, that may not be necessary because so much of
identity theft really deals with the social security number. And one of the
reasons I bring it up is I look at my voting card that has our social security
numbers on it. And if you lose this card, somebody has your social security
number.
So my question is, what kind of job have we done in educating
our other federal agencies?
MS. BRODER: Well, the Department of Treasury
just, obviously, made changes in the way that they send out checks. They no
longer reveal the social security number in the mailing window. There is growing
sensitivity.
When we began our effort on identity theft, we met with
over a dozen other federal agencies to talk about initiatives that we could
take, but also about cleaning up our own houses and our own information
practices. This is a very important point that we make whenever we speak to the
public, the private agencies, as well as public governmental units.
REP.
LEACH: Apologies. It's still the time of Mr. LaFalce.
REP. LaFALCE:
Nothing.
REP. LEACH: Thank you.
If there are no further
questions, I would just like to ask Mr. Townsend if he'd return to his agency
and think through some of the resource questions. And I would like to meet with
your agency by the end of the week with regard to that question.
MR.
TOWNSEND: Yes, sir.
REP. LEACH: Thank you.
Thank you all very
much.
Our third panel is composed of Mr. Robert Douglas, who is the CEO
of American Privacy Consultants, Inc. of Alexandria, Virginia; and Shon Boulden,
who is an identity theft victim from Hillsboro, Oregon.
And let me say,
both of your statements will be placed fully in the record. And you may proceed
as you see fit.
Mr. Douglas, you're welcomed back to the committee. And
we appreciate very much the assistance over the last several years you've given
to the committee on this specific issue.
MR. DOUGLAS: Thank you, Mr.
Chairman.
REP. LEACH: Mr. Douglas.
MR. DOUGLAS: My name is
Robert Douglas, and I'm with American Privacy Consultants. I appreciate the
opportunity to appear before this committee once again to address the issue of
identity theft, pretext calling, and other deceptive practices. Unfortunately,
in spite of the enactment of legislation drafted by this committee to outlaw
such practices, these methods not only survive, but also continue to grow in
volume, scope and methodology.
Chairman Leach --
REP. LEACH:
Excuse me. If you could withhold for one second.
Is anyone still here
from the FTC? And you're taking notes? Thank you.
MR. DOUGLAS: -- I'd
like to personally thank you and Ranking Member LaFalce and the committee for
your continued willingness and desire to address this serious issue.
On
July 28, 1998, while appearing before this committee, I stated "all across the
United States, information brokers and private investigators are stealing and
selling for profit our fellow citizens personal financial information. The
problem is so extensive that no citizen should have confidence that his or her
financial holdings are safe." Sadly, I return today to inform this committee
that my statement of 1998 remains true to this day.
The good news is
progress has been made. In 1998, four steps were required. First, the financial
services industry needed to understand and combat the threat. Second, tough
federal legislation was needed. Third, appropriate federal regulatory agencies
needed to create standards and regulations designed to assist institutions. And
finally, aggressive prosecution was required.
The financial services
industry has made significant progress in beginning to combat identity theft and
pretext. This committee in Congress moved quickly to pass legislation designed
to punish over who would impersonate others in order to gain access to
confidential financial records. The federal regulatory agencies moved quickly in
1998 by means of advisory letter and other steps to alert all institutions to
the practices of identity thieves and information brokers. With the first three
sides of the box, either erected or under construction, it's now time to build
the final wall through aggressive enforcement action.
In the invitation
letter I received from the committee to testify today, I was asked to
specifically address three issues. First, the extent to which the use of pretext
and other deceptive means continue in spite the passage of Gramm-Leach-Bliley;
two, the effectiveness of efforts by the financial services industry to deter
and detect fraudulent attempts to obtain confidential account information; and
third, other threats to financial privacy emerging today.
The use of
pretext and other means of deception that's hurt financial institution employees
and customers continue unabated. Advertisements ont he World Wide Web have
doubled in the past two years. We have several exhibit boards to my right in the
hearing room today, and I'd be happy to discuss those in detail if the committee
so desires.
I would hope that members of this committee would find that
services offered in language of the advertisement disturbing. Members of this
committee might wonder why these firms are allowed to operate. The excuse might
be offered that these companies fly so far below the horizon as to be
undetectable. That excuse would have a hollow ring.
Docu-Search is the
company that sold personal information concerning Amy Boyer to a stalker that
resulted in the murder of Ms. Boyer and the suicide of the stalker. Amy's
parents have testified before Congress and have been widely covered in the
media. Docu- Search was the cover story for Forbes magazine on November 29,
1999, just 17 days after Gramm-Leach-Bliley was signed into law.
In the
article, Dan Cohen (sp) of Docu-Search bragged about his abilities to obtain
personal information about a subject. Amazingly, Cohen arguably admits to the
use of fraud of bribery.
And should there be any questions to the
ability of a determined criminal to gain access to confidential information,
including, Mr. Chairman, financial information, the Forbes' article evidences
Cohen doing it with apparent ease.
Cohen is willing to lead officials to
believe he is a law enforcement officer. If you read the Forbes' piece and my
analysis of it in my written statement, there can be only one question. Why are
Dan Cohen, Docu-Search and thousands of others offering these same services
still in business?
To be sure Docu-Search is not alone, there are now
more information brokers and private investigators openly advertising their
ability to obtain and sell financial information as they were in 1998. One phone
call to a company advertised in the D.C. area's Legal Times determined that they
offer for $200 to supply the name of the bank, the type of
account maintained, and the balance in the account for any individual specified.
And I would note that that is a trade paper that is in the U.S. Attorney's
Office, the Department of Justice, and I dare say at the FTC.
The
scenario presented to the company fell squarely within the four corners of
Gramm-Leach-Bliley, that would make the request and provision of the banking
information illegal if accomplished by pretext.
The company was informed
that a woman was trying to locate a current address for a live-in boyfriend who
had skipped town with money from her checking account. There was nothing in the
scenario presented that even began to come close to the exceptions enacted as
part of Gramm-Leach-Bliley. In fact, as Mr. Chairman's aware, on August 30th,
senior counsel Jim Klinger (sp) and other of your staff members and I called
numerous private investigators and information brokers in an effort to determine
how many would sell bank account information and under what circumstances.
We surveyed the first 10 companies we could reach by phone. And Mr.
Chairman, you referred to 11. There were 11, and I'd give them a push because of
some of their answers. But I'll talk about that later.
The companies
were selected randomly. The companies were presented with the scenario outlined
above. And with the committee's permission, I would like to detail some of the
results we obtained.
In less than 3 hours, the first 10 companies we
reached were all willing to sell us personal bank account information detailed
enough to raise the educated belief that the information would be obtained by
pretext or other deceptive means. Not a single company we reached turned us
down, not one. More to the point, two of the companies' representatives made
specific mention of privacy laws and federal statutes being a hindrance to their
ability to provide the information. However, we were told, they could still
succeed, but just, "don't tell anybody," that we had obtained the information.
One individual referred to the fact that he had banking experience, and
guaranteed he could find the bank, and 80 percent of the time he could get the
account number and balance. Several of the companies stated they could get us
individual transaction records, including individual deposit transactions. One
offered to teach us how to determine the amount in the account once he located
the bank and account number. He wouldn't do it; he'd teach us how.
One
company stated they would check the federal reserve section for the part of the
country where the individual is located. This same company claimed to work for
hundreds -- and this is a quote -- "hundreds and hundreds of attorneys and
collection agencies." Further, they stated they had found $1.2
million in an account just the previous day for an attorney. They advised us to
wait for the banking information before going to court, in direct contravention
of Gramm-Leach-Bliley I might add.
Another company stated that we would
locate the information if we had a court filing judgment, or a letter from an
attorney, giving the name of the person the account information was being sought
for, and the reason. This company stated they could find local bank information
for $200 and state-wide information for $500,
including account numbers and balances.
Several of the companies offered
to locate safety deposit box locations and securities related information. One
company charges $175 to locate the name and address of the
bank, if you have a judgment. However, the same company for
$250 -- slightly more -- would locate all accounts, account
numbers, balances, mutual funds, names on the accounts, dates of closure if an
account was closed, safety deposit box information, if we didn't have a
judgment.
Here is just one example of the type of advertising we found.
And I believe we have an exhibit board for this. Actually, we don't; it's in my
testimony. But they have a disclaimer at the bottom, and I'll just read a couple
of quick sentences. And I know my time is short.
"We limit retrieval of
documents or information available from a public entity or public utility, which
are intended for public use only. We neither utilize, reveal, nor attempt to
access any confidential information concerning the parties involved." And the ad
is specifically referring to bank account information.
The disclaimer's
amazing, in light of the fact that this company offered to sell us the amount
located in a checking account and the deposit history to the account for
$275. I can't fathom a single way that account balance and
deposit transaction records could be intended for "public use." Indeed, this
would be a direct revelation of confidential information.
Mr. Chairman,
no company reached asked any question that would logically follow from the
passage of Gramm-Leach-Bliley, even when they had disclaimers in the
advertisements suggesting there were restrictions. Further, in addition to the
overt remarks made by several companies, to the minor obstacles presented by
federal statutes and privacy laws, the advertisement from telephonic
presentations bore all the classic signs of pretext operations. And I could
detailed those later, if you would like.
The financial services industry
has for many years utilized various methods of combatting fraud and protecting
the confidentiality of customer information. The industry is traditionally
between a rock and a hard place when it comes to information security. Customers
want their information to remain confidential. At the same time, they want easy
access 24 hours a day for that same confidential information. It is this very
dilemma that criminals exploit.
The financial services industry is
moving aggressively to combat the methods and deceptive practices used by
identity thieves and info brokers that seek to illegally gain access to
information.
I believe the committee will hear from Richard Harvey,
chief privacy officer and chief compliance officer for Chevy Chase Bank later
today, who will document and detail the steps the industry has taken both
historically and recently. But as an interested and active observer of the
industry over the last several years, I'd like to commend the efforts and
initiatives they've undertaken.
I've worked directly with institutions
and professional associations to educate them on the issue of pretext and other
deceptive practices used to penetrate security systems. In each instance I've
found that the privacy, administrative and security leaders in the institutions
and at associations are genuinely concerned about solving the problem, and are
moving to do so.
This concern has led in one instance to the American
Bankers Association distributing to the entire membership an educational, basic
training program on pretext calling I was asked to author at the association's
initiative. The portion I authored was just a small part of a comprehensive
three-part series the ABA has distributed to the membership.
I've been
asked to speak on a number of occasions to groups of bankers to demonstrate how
to spot pretext calls, how to educate financial services' employees, and what
steps to take at the institutional level. Indeed, you'd be hard pressed to find
a gathering of bankers anywhere today where the subject of privacy is not
addressed as a major topic of discussion. In fact, I flew overnight last night
to be here this morning from just such a gathering, where I made two major
presentations on this issue.
But, Mr. Chairman, the financial services
industry needs a helping hand from law enforcement. These criminals must be
prosecuted. The message needs to be sent that federal law enforcement is serious
about protecting financial institution customers.
It is time to act.
My last area is emerging threats to financial privacy. And this is all
new material that has not been covered in the last two years, Mr. Chairman.
The fastest growing method used, to skip trace for the current address
and other personal information of an individual is to obtain the information
from the phone company. Most United States citizens believe that their phone
records are private unless obtained by subpoena or other form of court order.
This is especially true for the millions of Americans who pay extra to have a
non-published or unlisted phone number. Most citizens would further think that
who they call and how long they talk is also a private matter. Most Americans
would be wrong.
Currently, there are presentations of closed, highly
secure classes for private investigators and information brokers -- and we have
an ad of one on these exhibit boards -- teaching the interworkings of the
telecommunications industry. We have exhibits in the room today that I just
mentioned.
Why am I discussing the access of confidential phone
information before the banking committee? One of the most common financial
pretexts begins with either a pretext call to the consumer, impersonating
someone from the phone company, or a pretext call to the phone company to
develop enough personal information from their databases to be used as part of a
further pretext against either the consumer or a financial institution.
Another method becoming more common is the use of a trojan check. I
cover this method in my written statement, and will be happy to address any
questions the committee may have. I suffice it to say there's great debate in
the investigative broker, and might add, legal communities as to the legality of
this practice given GLB and the deceptive trade practice statutes. While the
debate continues, so does the practice.
Informal networks of
investigators, info brokers, judgment collectors and collection professionals
are found all over the Internet. It is common to see requests for contacts in
financial service institutions. Some collection professionals openly advertise
their ability to provide information maintained within their files. Routinely,
are an account and file numbers, along with the names of targets, placed on the
Internet for inspection by others to determine if information can be traded or
obtained.
And I would add that I have close to 2,000 such references of
the methods that I'm discussing cataloged at home on my computer that I've
collected over the last two years.
Vehicle tracking devices are being
offered for sale in order to follow or record the travels of citizens. While not
directly relevant to the pretext of financial information, it demonstrates the
lengths that some will go to in order to obtain information on citizens in the
United States today.
If law enforcement agencies of state and federal
governments were caught doing these practices, absent a constitutionally
permissible purpose and/or court order, there would be rioting in the streets.
Yet, everyday these events are carried out by private investigators, information
brokers and judgment collectors who have no authority above that of a private
citizen, and no one seems to blame you. From where I sit, my privacy is just as
violated, whether the intrusion comes from a person with a badge or not.
I would like to make some suggestions concerning what needs to be done
to continue the battle.
First and foremost, we need swift, aggressive
nationwide action by law enforcement to begin criminal investigations and
prosecution of those who are thumbing their nose at the provisions of
Gramm-Leach- Bliley and other appropriate statutes. I hope the information I
provided in 1998 and today supports this conclusion.
Second, GLB needs
to be amended. The narrowly-crafted child support exemption for the use of
pretext is being used as an advertising shield by private investigators to hide
behind while continuing the covert sale of financial information that falls
outside of the GLB exemption.
I've prepared a lengthy analysis for the
committee's consideration in my written testimony. Simply put, there's no
legitimate reason to continue the child support exemption to Gramm-
Leach-Bliley.
Third. Financial institutions must continue to work. They
have started to take every precaution necessary to teach all banking employees
about the methods associated with identity theft.
Fourth. The federal
regulatory agencies must continue their efforts to stay abreast of information,
security threats, and implement appropriate standards and regulations.
Finally, this committee must continue on a regular basis to exercise the
appropriate oversight functions necessary to ensure that the agencies of the
federal government continue to take every step available to stop illegal access
of confidential information.
In closing, when I appeared before this
committee in 1998, I recited a long laundry list of the dangers posed by the
deceptive methods in use by some private investigators and information brokers
to gain illegal access to confidential and protective information. There were
some who found it hard to believe that what I claimed was true or serious as I
presented the problem. However, those in the investigative and information
broker industries who were practicing these techniques knew that I had spoken
honestly, and were not pleased to have sunshine illuminating their practices.
These practices continue to this day, and threaten the soundness of our
financial system and the rule of law. These very techniques used indeed put more
than information and money in jeopardy. And here, I might part company with you,
Mr. Chairman, in your opening statement about threats to lives.
One look
no further than the case of Touchtone services, which we heard referred to
earlier. While I've described in detail the activities of Touchtone in my
written statement, I'd like to point out that by using the means of pretext,
that I've been discussing for several years now with this committee and others
within the United States Congress, Touchtone endangered the lives of many
undercover police officers in Los Angeles in a case involving organized crime.
Mr. Chairman, one of my best friends, the father of my godchildren, is a
police officer serving within sight of the Capitol steps. On his behalf, and on
the behalf of the American people, I ask that federal law enforcement begin to
take this problem seriously before disaster strikes, and we all return to this
room to do a postmortem.
Mr. Chairman and members of the committee, as I
leave you today, I hope that the time and effort I have placed in this testimony
will serve as a blueprint for further examination by this Congress of matters
deserving attention. Thank you.
REP. LEACH: Well, thank you very much,
Mr. Douglas.
Mr. Boulden.
MR. BOULDEN: Thank you, Mr. Chairman.
And thank you for allowing me to tell my story today.
About eight months
ago, I decided to switch my checking account from U.S. Bank to Washington
Mutual. To my amazement, I was denied an account there. Upon getting denied, I
asked to see my credit report to see what had caused the denial. What I found
was incredible.
Washington Mutual told me that when they ran my social
security number 12 different names showed up. Twelve different people were using
my social security number to obtain credit. Despite the fact these people were
using their own personal identifying information, including names and addresses,
all of the information about credit inquiries and accounts had been tied to my
credit report in some way or another.
It appears that the identity
thieves used my social security number to open accounts with AT&T Wireless,
Bank of America, Citibank, Capital One, Gastalks, Macy's, Oscar Supply Hardware,
Payless, Home Depot, Associates Corner, Household Credit, Dayton Hudson,
Montgomery Wards, GMAC, People's Bank, and perhaps others.
At one bank,
three people opened accounts using the same social security number, mine. But
the bank didn't seem to notice.
They opened two car loans through GMAC.
I sent the bank a letter requesting help in March. They haven't replied.
In many of these cases, I'm not sure who has bought what and for how
much because the creditors won't give me the information without a subpoena.
It's obvious to me that the banks and credit bureaus aren't doing any checking.
I'm frustrated that the credit bureaus didn't notice me when the multiple people
were using the same social security number. In this age of computer technology,
that should have raised a huge red flag.
I noticed that 4311 requires
credit bureaus to investigate discrepancies between information they have on
file and information being given to them by banks and stores. Perhaps such a law
should, and would, have triggered further investigation in my case.
As a
result of this problem, I can't obtain credit anywhere. I have been denied my
Meier & Frank, U.S. Bank, and Capital One. Interestingly enough, one credit
card company which approved an account for someone else who is using my social
security number denied me credit.
I have been denied a car loan, so I'm
still driving my '83 Oldsmobile which is on its last legs, and have been denied
a personal loan. I am very lucky that I did not have a credit check done to get
my apartment, or I might not have a place to live.
Dealing with this
situation has been very difficult. I have had to take several days off of work,
spend hours on the phone trying to speak with live representatives of creditors
and credit bureaus so I could fix these problems, but the problems haven't
gotten worked out yet.
The credit bureaus have not been particularly
helpful in solving these problems, partly because they say they haven't never
seen anything like it and don't know how to deal with it. Although the credit
bureaus have put fraud alerts on my account, they haven't done much to help me
get rid of my bad credit. Transunion has removed several names from my credit
report. But recently I found that new people have been opening accounts using my
social security number, even after I had put a fraud alert on. This has shown me
that creditors should be required to honor the fraud alert, as it's called by
H.R. 4311.
Further adding insult to injury, Experian won't give me the
names of the people using my social security number, nor will they tell me what
accounts are open under my social security number. Even though the other names
have easily been put on my credit report, the credit bureaus have required proof
from me that I am really Shon Boulden before they help me at all. I even tried
to apply for a new social security number which would prevent continued fraud,
but I am afraid that won't help me get my credit straightened out.
I
fear everyday that I won't be able to get this fixed, and I'll have bad credit
for my whole life. As a young person, I need credit to get started in life. In
the coming years, I will want to buy a car, a home, finance my education, and
maybe even start a business. Without good credit, I won't be able to do any of
these things.
In addition to working with someone from the Secret
Service in Portland, and the Federal Trade Commission, I have filed a police
report with the Hillsboro Police Department, which is working with the Los
Angeles Police Department, since most of the fraud has taken place in Southern
California. However, it is clear to me that scarce resources limit what law
enforcement can do to help victims like myself.
I would like to mention
that through this ordeal, the Federal Trade Commission has been extremely
helpful, especially Kathleen Laundi (sp), who has spent hours on the phone with
me gathering information on my case, telling me what I need to do to clear it
up, and checking up on me periodically.
In closing, I would like to
thank Representatives Hooley and LaTourette for introducing the Identity Theft
Protection Act. It is my hope that this committee will seriously consider
passing H.R. 4311, or other legislation that will help victims like me to not
only restore our good names, but prevent identity fraud from happening in the
first place.
REP. LEACH: Well, thank you very much, Mr. Boulden. Several
years ago we had a doctor from the Mayo Clinic who had her theft stolen. And I
remember thinking at the time -- and I think of it in your instance -- part of
the repair may be psychological assistance. I mean, to have this great an
intrusion on your life is extraordinary, the hours that she and you have gone
through to try to straighten things out, and in most instances neither fully
achieved it. It's got to be a dilemma of extraordinary proportions.
We're going to have to break because of a vote. But let me just say that
this is an identity issue that's extraordinary for the individual. And another
way of looking at it -- and one reason I'm a little concern with some of the
opposition to our approach -- this is, from the banking industry's perspective,
a theft of bank information. It's a bank robbery. And I think all banks in
America ought to be as alarmed as the individual who is so vehemently injured,
with difficulty. There's nothing like a personal example to make clear what the
dilemma is.
In any regard, at this point I apologize. We have not only a
vote on the floor, we have a series of votes. I'm told six. And so, what I would
like to do is recess pending the votes. And we'll do it to a time certain.
There's a snack bar below, et cetera.
We will recess until 1:15, at
which point I'd like to be able to ask the panelists questions, for the both of
you, and then we'll go to the next panel. Thank you very much.
(Recess.)
REP. LEACH: The committee will reconvene.
Let me begin the
question to you, Mr. Douglas. And it's about the concept of intervention through
sting. Do you think that's an appropriate law enforcement technique? The modest
effort that the committee went through with your assistance seemed to reveal a
wide range of problems.
Do you think this is an appropriate circumstance
for such techniques?
MR. DOUGLAS: Absolutely, Mr. Chairman. And I think
you'll probably recall from my testimony two years ago, I believe in the
conclusion I said that -- somewhat perhaps in a minimalist approach -- one
federal law enforcement officer with a fax machine, computer and telephone could
catch these criminals and get things underway. Well, I think we proved that in
the survey that we conducted out of your offices on August 30th. None of us are
exactly the most seasoned of criminal investigators; and yet, it's very easy to
catch these folks, and that the exhibits and other documents that I've provided
to your staff over the last three years I think adequately demonstrate it's
right in front of our noses.
I heard the discussion between you and Mr.
LaFalce and the FTC representative trying to thrash out a little bit about
whether there could be criminal prosecution for advertisements. I can certainly
see some constitutional issues there. But on the civil side, the state of
Massachusetts, who was represented in this hearing two years ago, both prior to
that hearing and subsequently, was extremely effective within their state to the
point of many information brokers specifically advertising in their ads that
they will not take cases in the state of Massachusetts.
So that tells
you that if you crack the whip a little bit, they do pay attention. But the way
that they often went after them was just in the wording of the advertisement
alone, under Massachusetts state provisions, very similar to the federal
provisions, dealing with unfair and accepted trade practices, bringing the ads
themselves and the questions.
So when you see ads that claim a 90
percent hit ratio; when you see ads, such as one we have today -- the print is
so fine, you can't see it from the podium, I'm sure, but talks about accessing
proprietary databases. That's Docu-Search's ad, who until just recently was
saying that they were accessing federal databases, Mr. Chairman. And many of
these ads reference that they access the Federal Reserve's databases.
Well, you and I both know that that's not the truth. They know it's not
the truth. And I've spoken publicly so much about Docu- Search, that he changed
that portion of his ad to say a proprietary database.
So I think the
FTC, just on the ads alone, could send cease and desist letters very similar to
what we've seen them do just in the past two to three months in other scan type
operations that have gotten a lot of publicity in the news.
REP. LEACH:
If I could interrupt for a second.
I asked earlier, is there a
representative of the FTC still here? Good. And you're taking notes? Thank you
MR. DOUGLAS: And if I could say, I'd be more than willing to share my
database with them. I've got over 2,000 emails documenting where this is going
on, in what chat rooms it takes place, where trick information is traded. And
without saying much more, I have shared some of that with the FTC before.
REP. LEACH: Why, thank you. I will tell you, I've never known of a
citizen taking on an issue with such an interesting way. And I think public
sector and the public is in your debt. And I'm certainly appreciative of your
efforts.
MR. DOUGLAS: Thank you.
Shon, I'm intrigued at two
aspects of your dilemma. One is that you thought through the prospect of
changing your social security number. Has the government been cooperative in
helping in that regard? And is this an easy thing to do?
MR. BOULDEN:
No, it's not because if you change your social security number -- well, the
first point, if you try to change your social security number, they want me to
have a substantial amount of evidence that there is fraud going on, which I need
to contact individual creditors and get the actual applications of where these
identity thieves have actually put in my social security number.
REP.
LEACH: And they may consider that to be a privacy invasion of a crook.
MR. BOULDEN: And I can't get any of that information without a subpoena
from a law enforcement agency.
REP. LEACH: Well, this is a dilemma that
we might want to think through, and talk to the Social Security Administration
about.
The second aspect that has been discussed in other environments,
and a little bit earlier in the committee before -- that is today -- what
happens when an individual identifies that he's been misrepresented, how does
one clear one's name? And whether the methodologies are in place. In this
regard, if we think in terms of the FTC, whether there are standardized
procedures that credit agencies can be expected to follow, and whether these
procedures are reviewed so that credibly someone can take the appropriate steps
in the appropriate way.
I know from the testimony several years ago of
the doctor from the Mayo Clinic, this issue persisted, and persisted, and
persisted. And in her case almost destroyed her medical practice; she had to
spend so much time trying to figure out how to put her life together in terms of
finances.
I can think of a young guy -- and I don't know if you're
single or married. But I can visualize walking into a jewelry store and saying,
I want to get an engagement ring, and how difficult that might be if it were to
be on credit, and just so many different episodes that can occur.
And so
it's conceivable in aspect of this to shift social security numbers. I don't
know just how ready those facilities are. And I'm just thinking in terms of
common practices that, for example, the FTC or the banking regulators might be
interested in. I can see where a bank would be hesitant to give out information
data on somebody else, even though that person is a criminal, but they certainly
can give out affirmations that such exists. And that that might be part of a
process by which one can go forward with either new social security numbers of
new credit arrangements with other institutions.
I will tell you, this
committee is going to write you a letter of appreciation for your testimony that
might be used by you as evidence to indicate improper circumstances that
occurred in your life.
MR. BOULDEN: Thank you.
REP. LEACH: Ms.
Hooley.
REP. HOOLEY: Thank you, Mr. Chair.
Mr. Douglas, thank
you for testimony. It was terrific.
Let me ask you a little bit about
the credit header. How do I get information from a credit report, and how is
that information sold, and who is it sold to, and by whom? And do you think it's
important to eliminate social security numbers from the credit header? Just talk
to me a little bit about how it's used, what happens to it, who it's sold to--
all of those things.
MR. DOUGLAS: Sure.
The process essentially
works like this. The credit reporting agencies -- I think for the most part, the
big three -- resell the credit header information. And for those that aren't
aware of what that is, that's classically been considered the biographical,
sometimes I think with the misperception believed to be commonly and publicly
available information. In fact, I've often heard it referred to as the publicly
available biographical information, that is literally above the break line on a
credit report, where the credit reporting data begins. And that's why it's
called the header.
It is legal to sell that information, or it's
historically been legal to sell that information. And it is sent out, and sold,
and repackaged by information brokers. I'll use that term. And I don't mean that
in the same phrase that I'm using in regard to these criminals I'm talking
about. And it's repackaged in a number of different ways.
I'll give you
an example. And I wish I had brought one with me today. But it's the example I
used, in part, over at the Pentagon.
It is repackaged in one instance
into a product called Faces of the Nation. And by simply providing two pieces of
matching information to the credit header, whether it be a name and address,
name and social security number, any two pieces -- birthdate -- it will spit
back to you a product that will include all of the biographical data maintained
by the credit reporting agency, sometimes including employment information,
sometimes including mother's maiden name, which as we all know is an access
point for many security systems around the country. And it will have
information, incredibly enough, about neighbors, their names, addresses and
phone numbers. So that the potential privacy aspects, if you will, starts to
spider out to others who weren't even involved in the initial investigation,
other public records. And all of this is legal.
All of this is public
record information compiled into one report by means of beginning with the
credit header-- boating information, automobiles, DMV information, telephone
information, professional license information.
A typical report, one
that I pulled on a high ranking officer in the military, ran to about 17 pages.
It includes information about relatives. In fact, that's one way you can track
relatives of an individual. So in the hands of a stalker, and in the hands of
others, it's very potentially dangerous.
At the same time, it does have
many potentially good uses. And I used it as a private investigator for many
years for what I would hope to be valid reasons. The problem is there seems to
be more and more people like we see on the Internet, just selling it, literally
where you just fill in blanks on the screen, and get it back within a minute or
two, or certainly within a day. And with that level of access, there seems to be
that even the informal checks and balances that existed between the private
investigative, and the credit reporting and the information broker agencies have
evaporated.
And remember, it's not only available to U.S. citizens, but
anyone around the world. So the barriers are no longer there.
And I have
been talking for several years now, and appearing before many committees on the
Hill here, that there need to be further restrictions to the credit header in
compliance with the FCRA, which I think still give the opportunities to lawful
investigators by restricting the access to those who might do harm to others.
REP. HOOLEY: So do you think the social security number should be
eliminated from the header?
MR. DOUGLAS: I was afraid you'd remember
that you asked that question.
REP. HOOLEY: I did remember.
MR.
DOUGLAS: It's a very complex issue; it really is. And I get asked that every
time I'm up here, usually phrased more as, should we do away with the social
security number altogether.
Yes. I would say in open access to social
security numbers, I think at this point we have crossed the line, and you have
to restrict it because it is the starting point to all information contained in
these massive databases, both maintained within the government, but even more so
today, in the private sector.
I mean, companies like Axion, Micro
Strategy, right here in the D.C. suburbs, this is how they're making their
living, is compiling all this information. On the one hand, it's driving the
information age. And I believe it's really responsible for leading the economy
the way that it has been going for many years. We are an information society,
and we lead the world in that area. But the other side, we need to balance that
with who's going to have access and under what circumstances. And I would tend
to lean towards restricting it under the FCRA.
REP. HOOLEY: Thank you.
Shon, thank you very much for being here today, and taking your time to
come out and testify in front of the committee. You did a great job.
I'd
like to also introduce Joleen (sp), who's in the audience, who came with Shon.
Thank you for coming.
Shon, one of the things this bill requires is
that, if fraud has been committed, that you notify the credit bureaus; they put
a fraud alert in, which means that you may ask them if anybody's looking for my
credit. You put a fraud alert in. If you're going to give anybody credit, you
have to call me at home.
Did you put a fraud alert on your credit
report?
MR. BOULDEN: Yes, I did.
REP. HOOLEY: When they gave
credit to other people -- obviously, if you've got 12 different people using
your social security number. Did you ever get a call?
MR. BOULDEN: No,
not once.
REP. HOOLEY: Not once.
MR. BOULDEN: I put the fraud
alert on, and a couple months later I had checked back with the credit bureau,
and one of the representatives had told me that there were more names on -- the
names had been removed. Now there are new names on my credit report.
REP. HOOLEY: So even though they had removed names, they now were adding
new names because other people were still using it?
MR. BOULDEN: Yes.
Creditors were still applying that information.
REP. HOOLEY: Even though
there was a fraud alert on it?
MR. BOULDEN: Yes.
REP. HOOLEY: Do
you have a credit card?
MR. BOULDEN: No, I don't.
REP. HOOLEY:
Can you get a credit card?
MR. BOULDEN: No. I tried to get a secured
credit card through U.S. Bank, which takes money out of your own account. And
they wouldn't give me a secured credit card.
REP. HOOLEY: So how do you
do sort of, I guess what I think of as normal things. I mean, if I'm going on a
vacation, I call and I reserve a hotel, or rental car, or airplane tickets via a
credit card. I know we used to do these without credit cards, but nowadays
that's how you reserve most hotel rooms.
How do you do reserve a hotel
room?
MR. BOULDEN: I don't. When I go on vacation, I just try to find a
room and pay cash.
REP. HOOLEY: Okay. So you really can't make it ahead
of time then?
MR. BOULDEN: Yeah.
REP. HOOLEY: So you're really
at a disadvantage. And if you wanted to take out a student loan? Can you get a
student loan so you can go to school?
MR. BOULDEN: I don't think so. Any
kind of credit I've tried to apply for, even a Meier & Frank card, which in
high school, my friends were getting Meier & Frank cards. And they were
trying to build their credit and start there. And I'd gone there, and they
denied me. I didn't know why. That was about when I was 18 years old. And I
really didn't know anything about how credit worked, or how the credit bureaus
worked, and all that kind of stuff.
REP. HOOLEY: You've had an
education?
MR. BOULDEN: What's that?
REP. HOOLEY: I said, you've
had an education.
MR. BOULDEN: Yeah.
REP. HOOLEY: Maybe not the
kind of education you wanted, however.
MR. BOULDEN: Yeah, I do know a
lot about the situation now, and have talked to other people about it.
REP. HOOLEY: How long had this been going on before you found out about
it?
MR. BOULDEN: All the fraud?
REP. HOOLEY: Yeah.
MR.
BOULDEN: I think the earliest case might have been 1996 or '97. I think the
individual -- somehow my social security number worked for them. Maybe because
I'd never established any kind of credit.
REP. HOOLEY: So they were
using it before you had even established credit?
MR. BOULDEN: Yes.
REP. HOOLEY: Thank you, again, for coming and talking about what
happened to you.
And I can't imagine anything, Mr. Chair, more
frustrating than to be caught in this situation where somebody just starting out
with trying to build their life and build a good credit rating, how awful this
must be. Thank you.
REP. LEACH: And I want to thank you for suggesting
that Shon be a witness.
For the record -- because I just think putting a
personality behind something is important -- how old are you, Shon?
MR.
BOULDEN: Twenty-two.
REP. LEACH: And do you have a job?
MR.
BOULDEN: I was working for a guitar store for two years, and then it went out of
business last month.
REP. LEACH: Okay. So you would be an employee of a
tire store?
MR. BOULDEN: Yes.
REP. LEACH: And are you going on
to college at all? Are you going to junior college?
MR. BOULDEN:
Community college, yeah. It's kind of tough for me right now because I'm paying
for all my college myself right now. And I can't get credit to --
REP.
LEACH: Understood.
MR. BOULDEN: -- pay for that kind of stuff. It's a
little hard. I'm trying to make an effort to get that done. This is probably the
first thing that I'm trying to fix in my life right now, is my credit and this
situation.
REP. LEACH: Let me just thank you again. And also really
underscore how appreciative I am of Ms. Hooley and her efforts in this area, as
well as her bringing you out here, or suggesting that you come out here. Thank
you.
MR. BOULDEN: Thank you, Mr. Chairman.
REP. LEACH: One last
question for you, Mr. Douglas. Maybe it was to hurried, but I didn't get the
subtleties of the new issue, to me at least, of how telephone companies become
so easily involved. And can you show an example?
Let's say, you have a
dishonest intent in mind against an individual. How would you start with the
telephone company? What would be the process you'd go through?
MR.
DOUGLAS: Historically, phone record information has been for sale, and it's been
accessed through the same pretext methods that we discussed two years ago
against financial institutions. With the advent of GLB and some of the attention
that's come to past, the criminals that are doing this are finding it's easier
to start to gather the pieces of biographical data they need to assume the
identity of the subject that they want to impersonate with the financial
institution via the phone company's own databases.
And so, we have two
situations here. One, historically, the phone company was involved as a piece of
financial pretext because one of the most common methods used can be against the
consumer them self. And it will start like this.
The information broker
will call the phone company impersonating the subject of the investigation. And
by just having the phone number, even the name and address, and giving some
excuses as to why they need some information -- there's a problem with their
phone bill, they need to make a change on the account -- they convince the phone
company to open up their database to look at their computer screen, and confirm
or pass on information.
And it's done as a con. If you know a few pieces
of information, you normally can convince an operator on the other end, or a
customer service representative that you're that person, and sometimes posing
relatively crafty questions, or sometimes not. Just saying, "Gee, what are you
showing me there for that second phone number in the house?" "My wife just got
us an unlisted number. I've lost track of it. What has she got on that second
line?" Because they already are convinced in their mind that you are who you are
posing to be, they just start reading anything off the screen.
And I
think the chairman's aware, as I finished up my testimony this weekend, I found
a case right in your home state, on the Des Moines Register, of a woman who is
now suing MCI because her ex- husband/stalker was calling the phone company, and
not even trying to impersonate her, but just claiming -- some of this is a
little bit of assumption from the article, knowing how these things work -- to
still be her husband, and have a rightful knowledge to the information, even
though this woman kept calling the phone company and putting them on alert that
she was being stalked by this man, and her friends were. And under subpoena the
phone records showed a warning on the account not to give out account
information.
How it ends up being part of the financial pretext is, once
they've gathered enough information about the account with the phone company,
they will then call the consumer and pose as a representative of the phone
company, "Gee, Congressman Leach, your phone bill's overdue. We don't want to
shut it off. Did you pay the bill?"
"Well, of course I did."
"Can you go get me your check book, and let's check your information
against what we might have on this end, so we can double check. We don't want to
put your credit in jeopardy with the company or put your account in jeopardy
with the company."
So you immediately rush off because you want to prove
you paid the bill. You get your check book. And they say, "Well, gee, what check
number was that? We'll check it against our database. Maybe it got lost in the
shuffle."
Being a trusting person, you give out the check number. "And
how much was the check for? Let's match it against your balance."
"Well,
I paid $94.92 here."
"Oh, that matches up, Congressman
Leach. All right, for the last track, just read me those numbers across the
bottom of the check there."
"Okay." And that's the routing number,
that's your account number, and that's the check number encoded in the numbers
at the bottom of the check.
Now, the information broker has all of your
account information, can call your institution and pose as you because they've
got your biographical data, they've got your account number. They even know
about what check number you're at, based on when you wrote that check to the
company. So if asked for a check number, you say, "Well, I don't have it with
me, and I'm right around check 1043," with a fairly safe guess that they've done
that. And you're starting to ring true now to them.
Now you can get the
exact balance in the account, and start looking at what other information that
bank may hold. We just saw the merger announcement of Chase and I'm forgetting
who else right now. But with these conglomerates who are out there, and, quite
frankly, with GLB opening up other areas, once you're in, you're in. And now if
you convince somebody, whatever they've got access to on that screen becomes
fair game. So I hope that's helpful.
Now the final piece of that puzzle
is we have advertisements over here of seminars -- secret seminars -- being held
around the country by a woman by the name of Michele Ma Yontif (sp), is how she
bills herself, teaching supposedly private investigators, information brokers,
and -- does this ring a bell from two years ago -- the law enforcement.
Now, I'm not here to say that law enforcement's attending these. But the
door appears to be open; maybe somebody ought to go. And if they don't want to
go to that trouble, I have the materials. I penetrated it myself, and I've got
the materials that they're handing out. And you'll note some of their own quotes
in the advertisements refer to, "With so many of our tools of the trade being
taken from us by recent privacy laws, this is a must-attend seminar. No
recording of any kind will be permitted, extensive security measures." They use
metal detectors on people coming in to be sure there are no recording devices
coming in. And she'll show you how to skip, trace and locate like never before
by using the telecom as a database.
And in some of those several
thousand pieces of information that I've categorized and put away over the
years, there's a lot of traffic about these seminars, one of which took place in
your home state just within the last month. There's one in Los Angeles. And as
of this morning, I saw six more that are planned over the next three months
around the country, where 100 to 200 private investigators and information
brokers are attending at a time. And they're being taught the lingo, the
workings. I have a glossary book that runs to over a thousand entries of
terminology used within the telephone companies. So why? So when you call them
you know how to sound like you work within the phone company.
REP.
LEACH: Well, it used to be said that, the old communist party of the United
States was, "No one could get the right number on it because most of the people
that attended the meetings were FBI agents." And I hope this next seminar has
someone from the FTC and the Secret Service.
MR. DOUGLAS: Can I make one
final point?
REP. LEACH: Yeah, go ahead.
MR. DOUGLAS: Especially
with particular reference to Shon.
Over the last two years, Mr.
Chairman, I've spoken to a number of groups around the country. And I've gotten
in the habit of making it personal for them in many ways. And one of the
questions I always ask is -- and we could almost do it here, I bet -- how many
people in the room have either been the victim of identity theft or knows
somebody, either a relative or friend, who has? And invariably, around 50
percent of the hands go up.
We know that the statistics are running
upwards at 500,000 cases a year -- these are government statistics, not Rob
Douglas statistics -- at an average loss of $17,000 per case.
Do the math.
And what I've also taken to saying is, if this were the
situation, and it was a medical problem, it would be considered the plague. And
yet, we really don't see much going on to address this at a law enforcement
level.
I listened to the Secret Service this morning talk about
organized crime. It's clear that organized crime is involved in this. And
$100,000 thresholds at U.S. attorneys offices are laughable.
It's ridiculous. And those numbers could be reached by aggregation if they did a
little digging, because these aren't just one guy going and dumpster diving.
These are teams of professionals doing this, and with little scratching you
would find the $100,000 threshold me through aggregation of the
case. You could use RICO (sp), or you could use other organized crime statutes.
I don't mean to take up the chairman's time. It's just that I get a
little frustrated.
REP. LEACH: Well, I appreciate that. And I think the
notion of RICO ought to be reviewed in this context.
I'll just conclude
with, two years ago, you were on a panel, and one of your other panelists was
someone who participated in disreputable practices. And what he was really
saying is, we are particularly to society despite our laws because of the nature
of Americans. He didn't say it this way, but that's what he meant. That is,
Americans are very trusting. And so, a nice voice calls up a bank interior
person, and they believe them. And he gave the example. He'd call up a bank. He
said he never failed, ever, to get information. That's a very strong statement--
never failed.
And he gave the example of a bank. The guy said, "Well,
what's your mother's maiden name?" They apparently had this on record. He said,
"Well, it's Smith." And the person on the other end of the line says, "No, it is
not."
And he says, "What do you have down there?" And they say, "Well,
we can't tell you." And he goes into this fake offense and says, "You've messed
up my records again. I'm going to call the president. You know it's Smith, and I
know it's Smith. I'm calling your president."
And they said, "Well,
we'll change it." And so they change it to Smith. They give out the information.
Then the real person calls and they say, "What's your mother's maiden name?" and
they give Jones. "No, it isn't." They've already changed it on behalf of the
first guy.ericans are a trusting breed. And so, one of our problems is, how do
you do deal with a dilemma with the massive trust of the American populist? I
mean, it's not the fault of banks. It's not the fault of -- I mean, it's not an
institutional fault; it's a human nature circumstance of this country. And so,
what do we do to limit it at an absolute minimum?
Now it's federal law
-- not state law, it's federal law -- that one would think that the law
enforcement people in the United States would make this an extraordinarily high
priority.
MR. DOUGLAS: One would think.
REP. LEACH: And if we do
the math that you just suggested, and cut it by a tenth, on the assumption that
that might be invalid, it is still extraordinary, absolutely extraordinary.
And it was does to people. My guess is, for every Shon that's really
fought the system, there are a dozen that don't even fight, and don't know what
to do, and are just beleaguered. And just live a beleaguered life, and might
even feel guilty about it. It's almost as if the innocent become the guilt
infected. Could possibly Shon left a wallet somewhere at some time in his life?
And so, is he at fault? And obviously, he isn't.
I happen to think I'm
the most susceptible person in the world because my wife can't remember where
she puts her purse. I take that back. I want that exited from the record here.
(Laughter.)
But I appreciate very much your testimony, and I
thank you very much.
MR. DOUGLAS: Thank you.
Our final panel
consist of Richard H. Harvey, Jr., who's vice president of Chevy Chase Bank, one
of the truly respected banks in the Nation's Capitol, on behalf of the American
Bankers Association; Mr. Stuart K. Pratt, who's vice president of the Associated
Credit Bureaus, Inc., Mr. Ronald S. Plesser, who is coordinator of the
Individual Reference Services Group; Ms. Janine Benner, Consumer Associate of
the California Public Interest Research Group; and Mr. Bruce H. Hulme, who's
president of Special Investigations, Inc., on behalf of the National Council of
Investigation and Security Services.
And we will begin with Mr. Plesser.
MR. PLESSER: Mr. Chairman, thank you so much for calling on me first.
Privacy is a very popular issue these days, and there's a conference up at the
Shoreham that I'm suppose to be at and give a presentation at 2:30. So if I
leave a little early, I hope you understand that.
The Individual
Reference Services Group is delighted to be here. Bob Glass (sp) of Lexus Nexus
represented the Individual Reference Services Group two or three years ago in
your hearings, where I think he came up, and we very much supported the
chairman's legislation on pretext interviewing and the abuses in the system. We
very much support the efforts that were referred to before, to eliminate the
abuses of the system. But in eliminating the abuses of the system, I think it is
very important not to eliminate the benefits of the system. And it's that
balance that I think we'd like to work with you and continue to work with you.
The RSG represents leading information industry companies, including
major credit reporting agencies that provide commercial information services to
help verify the identity of or locate individuals. Customers use Individual
Reference Services for a variety of purposes. They include finding witnesses,
heirs, pension beneficiaries, hidden assets. Indeed, regulations issued by
several federal agencies require the use of these types of services.
For
example, if you're going to wind up a pension fund, you have to look up services
to find anybody who is entitled to money under that fund; tracking down missing
and exploited children, finding dead- beat dads. Let me stop at dead-beat dads.
It was brought up before, and I think it really focuses a critical issue.
The Individual Reference Service Group opposes, and has opposed, in
regulation, in self-regulation, and would support appropriate regulation that
would limit the display or sale of social security numbers to the public. We
don't think it belongs on the Internet. We think we've had a good role in
keeping it off the Internet. But that's not to say that there isn't uses of the
social security number, indeed including those that come from credit header
reports.
Typically in a dead-beat dad situation, the spouse will know
the social security number. So companies like Lexus, or other companies that
provide this information, will never display the social security number. What
they will do though is, if the person making the inquiry comes in with a social
security number, then they will identify the current address and name of the
person that they have. This allows, for example, in dead-beat dads about a 50
percent find rate to be increased up to a 95 percent find rate.
We think
this is the way to balance the interest, allow social security numbers to be
used to make sure that we're using and finding the right person, but never let
it be displayed or disclosed to the public. It's also used to locate blood, bone
and organ donors and verifying the identities of contributors to political
campaigns.
Each of the companies that belong to the RSG has adopted
self- regulatory principles governing the dissemination and use of personal
data. The RSG developed these principles in 1997 in conjunction with the Federal
Trade Commission. And although it was not mentioned this morning, the Federal
Trade Commission in December of 1997 issued a very extensive report on look-up
services, and said because of the self-regulatory activity, they did not see the
need for legislation at that time. And I'm not sure that I know of anything that
has changed that. I think they're responding to requests here. But clearly as
recently as '97 -- and there's no reason to change -- they supported the
industry's activities, and thought they were positive in controlling the use of
credit header information.
When this committee adopted the Fair Credit
Reporting Act amendment in 1996, they tasked the Federal Reserve Board, who was
looking at Individual Reference Services and these look-up lists and services to
find if they led to identity theft, which seems to be the undercurrent of the
question here. In fact, they found no evidence. And I want to be very careful. I
think they said that they were concerned about it. But they said there was no
evidence, absolutely no evidence, that the look-up services created or led to
identity theft.
I think the case that we like to make is that these
services, which allow financial institutions and others to make sure they know
who they are dealing with, and to locate the people that they need to deal with,
avoids identity theft. In fact, the Secret Service, who was here this morning,
and many federal agencies use the identity services -- the look-up services --
to make sure that they can locate and identify the right people. We believe the
customers we work with, I don't think they will support the proposition; that it
decreases identity theft rather than increases it.
As part of these
principles, companies commit, among other things, to restrict their distribution
of non-public information through appropriate safeguards. One such safeguard
prohibits the display of social security numbers and dates of birth in
individual reference service products distributed to the general public, and for
products distributed to professional and commercial users.
So if you're
a lawyer, and you have Lexus Nexus or Westlaw, or one of the services, and you
want to locate an individual, you can get the credit header report, but you will
never get the full social security number nor the full date of birth. That was
before Gramm- Leach-Bliley, and hopefully will survive Gramm-Leach-Bliley,
depending on how the regulations are interpreted. The RSG does have litigation
in terms of the interpretation of Gramm-Leach-Bliley by the FTC, not challenging
the legislation, but challenging the regulations.
The products offered
by the Individual Reference Services are used in the fight against identity
theft, where verifying individuals' identity is crucial. Bank, credit card
companies, and other types of credit institutions, as well as gas, electric,
telephone, utility companies, and government agencies distributing public
entitlement programs, are all increasingly becoming plagued by frauds who use an
existing person's identity to illegally extract products, services and monies.
We think the look-up services, as well as the credit reporting services, help to
eliminate those frauds, not increase them.
I want to conclude quickly in
just saying that H.R. 4311 would directly affect Individual Reference Services.
Primarily, it would cut off most of the information coming through credit
headers. Again, I think there are two points here. And perhaps, if Mr. Douglas
was called back, maybe if we refined a question, he might answer it slightly
different; I'm not sure. But we support the idea that credit header information
should not be displayed or sold to the general public. And to the extent that
there's legislation that this committee is working on that goes to that end, I
think my members would be helpful in support of the effort. However, at the same
time, we need to be able to use the social security number to make sure that we
are dealing with the right person, we're not confusing people, and that we do
have a means of verifying identity.
So we look forward to working with
this committee on this process. And thank you very much for having me this
afternoon, and the courtesy of letting me go first.
REP. LEACH: Thank
you for your testimony. And you may leave at any point that you so desire.
We'll now turn to Mr. Harvey, who is the vice president of Chevy Chase
Bank. And we welcome your testimony, sir.
Without objection, all full
statements will be placed in the record. If you wish to summarize or proceed in
any manner you see fit, you're welcome to.
REP. HOOLEY: Mr. Chair, just
a real quick question. Mr. Plesser is not going to be here for questions; is
that correct?
REP. LEACH: I think it's only fair that the other
panelists be allowed -- if you had one quick question.
MR. PLESSER: I
certainly will be happy to answer any question your office has on the record,
but whatever the chairman would like.
REP. LEACH: I will say, this is a
fairly informal hearing. And because you've got a position slightly different
than Ms. Hooley's, why don't I --
REP. HOOLEY: Just one quick question.
REP. LEACH: Please, go ahead.
REP. HOOLEY: You talk about your
need for social security numbers for making sure you're dealing with the right
person, and these are legitimate purposes.
My question is, why can't you
use their address and date of birth to verify that you're dealing with it? Why
do you need to use social security numbers, and not some of those other
identifiers, like date of birth, address and so forth?
MR. PLESSER:
Well, date of birth, as a result of the Transunion case by the FTC -- which is
now under appeal. But their later pronouncement, the month and year of birth
would not be included in the credit header information. So we're losing both
elements, number one.
Number two. I think it's all a level of quality.
No one is going to come up to you and say the sky is falling on either element.
But certainly, the social security number, particularly when somebody has it to
begin with -- an ex-employer, an ex-spouse -- and can go forward with it, it
becomes a very positive way of identifying the right person.
Often an
ex-spouse, or if you're looking for a witness, you don't know the address.
If you knew the address, you wouldn't be using a look-up service. I
mean, look-up services are basically use to find current addresses. So if you
had that, you wouldn't need it. You have the name, but often names -- I'm Ronald
L. Plesser.
If I decided to beat child support payments -- which I'm not
interested in doing and happily married with two kids. But if I did, maybe I'd
change my name to Richard Plesser, or it'd become R. Plesser, or it would become
Reginald Plesser. It would become some derivative that I could probably kind of
work into my record that would be hard to find me.
My name is a little
bit unique. But if there's somebody with a Smith, Jones, Jenkins or other name
that's a little bit more common, I think the social security number is a very
critical element to make sure you're dealing with the right person.
REP.
HOOLEY: Thank you, Mr. Chair, for your courtesy.
REP. LEACH: Mr. Harvey,
we're to you.
MR. HARVEY: Thank you, Mr. Chairman.
I would like
to thank you, Mr. Chairman, for holding this hearing. Your leadership has been
instrumental in passing critical legislation on identity theft, and particularly
on pretext calling over the last few years. These strong laws, which ABA
strongly supported, make it a federal crime to obtain customer information by
false pretenses, or to use stolen identity information.
While we
appreciate the continuing concern of members of Congress on this issue, we
believe that these changes are so significant that no new legislation is
necessary at this time. Rather, the primary focus needs to be on enforcement of
these laws.
At ABA, we've developed a number of measures to provide
identity theft information to our customers. The first is an identity theft
communications kit. This kit contains materials to help banks educate their
customers on how to prevent identity theft, and how to resolve cases of those
individuals who have become victims of identity theft.
I've included in
my written statement several consumer steps from this kit. We encourage you, Mr.
Chairman, and your colleagues, to use these documents in your own communications
with your constituents to tell them how to protect themselves from identity
theft.
REP. LEACH: If the gentleman will withhold for a second. Let me
instruct the staff that we ought to have their kit on our Internet too. That
would be very helpful.
Please, go ahead.
MR. HARVEY: Again, we
would encourage you, Mr. Chairman, and your colleagues to use these documents in
your own communications with your constituents to tell them how to protect
themselves from identity theft, and what to do if they should ever become a
victim of such crime. The greater the awareness of the American public on this
issue, the greater the hope that this crime can be prevented.
The second
is a training manual for spotting and avoiding pretext calls. This manual,
developed with the assistance of Rod Douglas, is designed to train bank
employees about common pretext methods, and how to recognize, deal with, and
stop suspected cases. ABA has also provided to members a consumer privacy
training video to help educate bank employees.
The ABA has been involved
in other outreach programs as well, including media tours and a video news
release on preventing identity theft. These programs have reached audiences
totalling well over 60 million people.
Mr. Chairman, banks have every
interest in finding workable methods to preventing this crime as the losses
banks suffer in these cases are staggering. In fact, $3 out of
every $4 lost by a community bank to check fraud was due to
some form of identity theft. The news laws enacted over the last two years are
sufficient to punish criminals who benefit from stealing another's identity.
While we certainly appreciate the spirit in which H.R. 4311 is offered, we
believe that additional legislation is not needed to prosecute pretext and
identity theft criminals at this time.
Credit cards and other financial
institutions have security measures in place, such as confirmation of identity
before a credit card can be activated, that are best suited for their particular
circumstances. Unfortunately, criminals are always trying to outsmart my
industry, and any mandated requirements will only be temporarily effective as
these criminals find ways around the new rules. When that happens, all that is
left is added expenses for regulatory compliance for the card issuers, drawing
funds away from more effective solutions and raising the cost of credit to our
customers.
Mr. Chairman, I appreciate the opportunity to appear before
this committee to discuss this important subject. I look forward to answering
any questions you or the committee may have.
REP. LEACH: We have little
less than eight minutes on a vote, and I think it would be unfair for you to
start before that, Mr. Pratt. And so, I will recess and come back after the
vote.
But I did want to just underscore one point of Mr. Harvey's, and
I'm looking for the testimony; I wasn't following it.
You said
$3 out of $4 lost. In what context?
MR. HARVEY: That's based upon an ABA survey that was in 1998.
REP. LEACH: I'm sorry, but $3 out of
$4 of what?
MR. HARVEY: Of check fraud.
REP.
LEACH: Of check fraud?
MR. HARVEY: Yes, sir.
REP. LEACH: Was
identity theft.
MR. HARVEY: Absolutely.
REP. LEACH: Do you have
any sense what the total magnitude of that is?
MR. HARVEY: We don't have
any particular numbers that we can really point to, but we're continuing to
research that.
REP. LEACH: So what you're asserting to the committee
that is so extraordinary, that we're looking at something that's not only a
robbery of bank information; it is a robbery of the bank itself. And that is a
very serious thing.
MR. HARVEY: Absolutely.
REP. LEACH: And
again, why I stress this is, we have a long history in this country of
disproportionate and appropriate concern for bank robberies. This is another
technique of bank robbery that, in my view, has gotten less law enforcement
attention than any other technique of bank robbery. And all I'm saying is that
the statistics you're placing on the table are very stunning. And that does not
necessarily mean that any new legislative approach is wise or unwise. It simply
means that attention to compliance with the current law is very important, and
that there are techniques available, and that the lack of assertiveness is
self-apparent.
MR. HARVEY: We agree with you, Mr. Chairman. In fact,
that's why it's so important for us to pursue this from an enforcement
standpoint. Everyone loses through identity theft. And the banks are suffering
tremendous losses in the area of check fraud and other fraud as a result of
this. We think the laws are in place; we'd just like to see them enforced
vigorously.
REP. LEACH: Well, thank you, Mr. Harvey.
Let me say,
we will recess pending the vote. To my understanding, it should be a shorter
recess than the last recess. It's probably about 20 minutes.
REP. LEACH:
The committee will reconvene.
Our next witness is Mr. Stuart K. Pratt,
who's vice president of the Associated Credit Bureaus, Inc.
Mr. Pratt.
MR. PRATT: Mr. Chairman, thank you very much for your invitation for us
to be a part of your hearing today. In fact, this is one of those issues that we
have been very concerned about for a number of years here within our trade
association as well.
My principal reason for being here today, it's
always in part, is to try and inform and explain what our industry; and in fact,
it's also in part to hear what others have to say about the issue. And we always
end up at the end of this experience walking back from this experience with some
new information for our own members.
So I guess my first commitment to
you is that we will visit with the young victim who is here today to learn more
about his specific experience, how it worked, why it occurred the way that it
did. And it gives us a chance to look back and see if we have systemic problems
that could be fixed.
For us, this is all about fixing the issue, not
just resisting progress. The best indication of that, Mr. Chairman, is the
initiatives we released earlier this year. And in fact, many of these will be on
line during this quarter. These initiatives were our first effort to look at and
compartmentalize the issue of identity theft into various portions.
For
example, we have the prevention element, law enforcement. How can we create a
real deterrent that ensures that when people think about perpetrating this
crime, that they really understand there's going to be a consequence, you're
going to go to jail. That's not the whole solution, but we think that a very
important part of this is that there's a real, robust deterrent effect out there
in the marketplace. And there's really two types of efforts that Congress has
taken to, I think, add to the arsenal the right elements, at least on its face.
One is the pretexting effort that you've undertaken here in this
committee and passed in this committee. Pretexting is a risk that exposes our
own industry to the type of crime that we're concerned about today. And the
other issue's, of course, the passage, or the other effort was the passage of
the Identity Theft Assumption and Deterrence Act of 1998, which established a
federal crime.
And consistent with some questions Mr. LaFalce raised
earlier, our industry does a lot of work in the states as well as here in
Congress. And we work with many of the states. I think we have over 30 states
now that have a crime statute at the state level. And it's our commitment to you
we will continue to work with states. And we have been meeting with attorneys
general even during the summer period to encourage the passage of additional
crime statutes that will ensure that every state has an actionable point, if you
will.
On the enforcement area, we're also in conversations with the U.S.
postal inspectors and other law enforcement. One of the key questions, again, I
think that Mr. LaFalce and you yourself were very on point with, and that is,
it's a newer crime, and so it's not out there in the general law enforcement
marketplace. Every officer out there doesn't really know whether or not this is
a crime, doesn't know what crime statute to go to. It isn't an easy case. And
so, I think that there's some efforts that the private sector can help
undertake, and help to underwrite, to ensure that law enforcement is educated
about the tools, even the FTC's database, which does allow aggregation of the
amount of the crime that's occurring in any particular area. So I think that
these are some good efforts that are going forward.
Our initiatives
focused on another component of the crime, specifically the area of victim
assistance. After the crime has been perpetrated, I think there's several
questions-- Where do I go? How do I fix my situation? And in fact, we had a
chance to meet with the ABA prior to the final product that they produced. And
it's a good product. It's the kind of thing -- in fact, the FTC has produced
some excellent materials on how do you go about beginning to extricate yourself
from this situation.
And it is a different type of crime. It is
different from credit card fraud in it's original form. It isn't just a matter
of whether I'm out $50, or whether I call and cancel a card and
get another one. It is longitudinal; it's time consuming. The question for us is
how to reduce that. Our initiatives are our way of beginning to do that.
For example, even on a credit history, we'll look at the inquiry section
of a file. And where a consumer says, "You know, I don't recognize that company.
I don't know that I did business with that lender," we'll email a transmission
back to that lender to make sure that they're aware that they may be at risk.
They may have opened up a fraudulent credit account of some sort. This gives us,
and the lender, and the consumer all a chance to fix it faster. And that's
really I think elemental to all of this, is how do we fix it faster.
Another example which I think addresses some of the issues here is the
longitudinal effect of the crime. We actually hired a former attorney general to
work with us on this project. And one of the issues, with the interviews with
victims and interviews with our own consumer relations personnel, was that we
discovered consumers are seeing it happen again, and again, and again over time.
And this is extraordinarily frustrating. And unlike being able to lock the doors
on my house, I can't necessarily know what's happening with my credit history
after it's been brought whole.
One of our initiatives addresses that.
We'll re-investigate, and you're going to look at your file, and we'll pull it
together under the Fair Credit Reporting Act duties that we have. And there's
your file back together, and we think we've taken care of at least the initial
round of the crime.
But we are committing ourselves to building better
products that will then monitor activity on that file so that over a period of
time, three months more, we'll be able to tell that consumer, we've seen some
additional file activity on your file. Would you like another copy of your file?
Would you like an 800 number to call somebody? Would you like to talk to
somebody? This goes beyond the law, but actually I think it's fairly common
sense. That gives everybody a chance to stay in touch with each other to make
sure that the credit history that's been brought whole, remains whole.
It's a two-fold benefit. For us, it assures that we have a consumer
who's satisfied. And it also assures that we have banks who are confident in the
products we produce for safety, and soundness, and risk management, and all of
those things that we do.
So for us, it's a practical assessment. There's
other elements to this. And I visit with some of your staff, and of course, many
of you up there as well. And we appreciate the fact that you gave us some time
to visit about some of these.
This is just our first round. We have more
work this month. We have more announcements we'll be making before the end of
this year. And our whole goal here is to try to demonstrate that we're a
progressive industry. We're willing to take responsibility, and to try to do
things better, and to identify systems, procedures and so on.
For
example -- it seems very practical -- but just hosting a quarterly conference
call with our fraud unit personnel allows us to cross-pollinate everything from
just different patterns of the crime, to also potentially identifying better
procedures for serving consumers-- standardizing a document, for example, that
might be used to validate that the consumer's been a victim.
I want to
mention that in particular in the bill. In our formal statement we've run
through various sections of the bill and tried to describe where our initiatives
have a nexus with the proposal and the legislation. But the idea of some sort of
validating document is still important to us. If there's a way to do that, we
think it ought to be done as well. We don't know yet what that way is; is it a
police report?
I was encouraged by some of the way the bill was
structured though. It talked about various items that might be part of the
validating process. And I think we're on the right track with that sort of
thing. So I appreciate the fact that that was an element of the total package
that you put together in this initial proposal.
We have tried to educate
our customers as well. We sent out 200,000 of this brochure, which is used for
employees as well, which discussed practical steps, such as you don't throw
credit reports in dumpsters. We don't think that would be self-evident. But, of
course, when a business is closing out, they might do that very thing. But this
is the kind of effort that we're undertaking to make sure credit histories don't
get into the wrong hands.
We have also hired, and have now funded, an
outside certification authority, and are putting all of our outside access -- in
other words, if there's a terminal, we want that terminal to shut down within a
short period of time so somebody can't go and browse through credit histories,
and try to pull data, and perpetrate the crime of identity theft. So this is a
certification program that Grant Thornton is working with us on and that we have
asked them to develop. So this is another part of our effort to do the right
thing, and to make sure that we're taking preventative steps.
Our
members also partner with our customers. A lot of what we do is in partnership
with the customer. They're the ones who help us decide what products make sense.
We have new risk management products that look at applications to try to decide
even minor differences in how an application is filled out. In total, it should
give the lender a red flag.
For example, a perpetrator of identity theft
may not know that Stuart Pratt's address -- my street name is Hilbrooke.
Hilbrooke could be one word; it could be two words. In fact, it's one word with
an "e" on the end. But there might be minor discrepancies throughout an
application which in and of themselves don't like much. But if you added them
together, and you're able to cross-check against identifying data, you might be
able to say, you know, this is just enough that we better flag that. And let our
lender know that they need to cross-check that applicant before they open up
that line of credit. Obviously, stopping it before it starts makes a lot of
sense.
In closing, we urge you to give us an opportunity to build the
kind of fraud prevention products that we are producing today. And it does tie
in with header data and with social security numbers. It's a controversial
issue. It's important to us. We want to explain the reasons why we would like to
be able to use it in limited context. We want to put controls on it.
Similar to what Mr. Plesser said, the Associated Credit Bureaus also
believes that there's no reason for social security numbers just to be there in
the general public for display, that they should be sold to individuals. And our
members do not sell social security numbers and lists of that sort to
individuals out in the general public in any fashion.
So our commitment
to you is to continue to stay engaged on this process, to be progressive, and do
this in the context of this committee process. So we appreciate very much the
chance to be here.
REP. LEACH: Thank you very much, Mr. Pratt.
Ms. Benner.
MS. BENNER: Good afternoon, Chairman Leach,
Representative Hooley. Thank you very much for giving me the opportunity to
speak with you today. I'm here with CALPIRG, the California Public Interest
Research Group. And I'm also representing U.S. PIRG and the Privacy Rights
Clearinghouse in San Diego.
Today we've heard statistics about the
severity of the crime of identity theft, how many people it affects each year,
and how much this crime has cost our economy. I'm here to talk to you about the
human cost of identity theft.
There's much more to this crime than
financial damage, as we've heard today. And unfortunately, Mr. Boulden's case is
not unique. CALPIRG and the Privacy Rights Clearinghouse has been helping
victims for years through advocacy, free guides, hotlines, monthly support group
meetings. And we've communicated with thousands of victims.
We hear new
unique and horrifying experiences every single day. And last year, the two
groups surveyed the number of victims who contacted our organizations for help
in recent years. We produced a report titled, Nowhere to Turn: Victims Speak Out
on Identity Theft. It's available on our website. And I'd also be happy to make
copies of it for anybody who wants it.
We basically did a survey of all
these victims. And from the data compiled from the responses, we were able to
quantify some startling and staggering statistics. We were able to show that
cases like Mr. Boulden's, and the others that we've heard today, are not unique.
And in fact, these types of experiences have happened to many people.
We
found that victims said they spent an average of 175 hours and
$808 in out-of-pocket costs to fix problems stemming from
identity theft. The fraudulent charges made on the victim's new and existing
accounts was $18,000. And in addition to lost time and money,
42 percent of the victims responding to our survey reported long-term negative
impacts on their credit reports; and 36 percent were denied credit or a loan due
to the fraud. And despite the placement of a fraud alert on their credit
reports, almost half of the respondents' financial fraud reoccurred, meaning
that creditors continued to grant credit to the imposter even after the crime
was known.
And then one last appalling fact is that 12 percent of the
respondents noted as a related problem that there was a criminal investigation
of them, or a warrant for their arrest issued due to the identity theft.
Although the fraud committed against the victims totaled as much as
$200,000 in one case, the common theme was that stress,
emotional trauma, lost time and damaged credit applications, not the financial
aspects of the crime, were the most difficult problems. One woman from Nevada
told us, "This is an extremely excruciating and violating experience. Clearly,
the most difficult obstacle I have ever dealt with."
How are we going to
stop this crime and minimize its effects? We've already tried consumer
education. We've produced pamphlets, fax sheet after fax sheet, and identity
theft continues to escalate. The public is aware of this issue. The
responsibility to prevent identity theft can no longer be placed solely on the
consumer. We advise consumers to guard their information carefully, and even to
buy technology, such as shredders, to destroy old records that may contain bank
accounts or social security numbers. But as long as financial institutions and
credit bureaus continue to be reckless with consumers' information, there's
little that individuals can do to prevent identity theft.
Identity
thieves are obviously the main criminals here, but banks and creditors are
sometimes accomplices in the crime. Enforcement is definitely critical, but we
need more effective laws to enforce in this case. Law enforcement, government,
and the credit industry have failed to address the root causes of identity
theft, and alleviate the problems facing its victims.
The financial
industry has the ability to take simple steps to prevent identity theft
happening to thousands of people each year. As consumers, we trust them with an
increasingly valuable commodity-- our personal financial information. They have
the responsibility to guard that information as carefully as we do.
The
bill before the committee, H.R. 4311, would encourage the industry to take these
important steps to check identity theft and to provide help for its victims.
First of all, it provides credit bureaus to provide a free credit report
annually on request so that consumers can detect identity theft early and fix
any false information.
Secondly, it closes what's called the credit
header loophole, which allows credit bureaus to sell demographic information
found in a consumer's credit report, including their social security number, to
companies and websites that are often used by thieves and stalkers.
Voluntary standards, while we appreciate the efforts, have not halted
the sale of social security numbers of the Web. Privacy advocate, Beth Givens,
recently was able to purchase her own social security number from the website
called dosbreakbail.com (sp) for $20. It contained recently
updated information.
The bill also improves change of address
notification, requiring creditors to send notice of a change of address or new
credit to the old address. This would alert consumers in the beginning stages of
the theft.
Most consumers we found don't even find out about the crime
until over a year after it happens.
Finally, the bill requires fraud
alert flags which alert potential creditors that the consumer's been a victim of
fraud. It would also prevent the issuance of credit on any account with a fraud
flag unless the creditor confirms the identity of the consumer, and that the
consumer has actually authorized the issuance of credit.
These are
simple, logical steps that the credit and financial industry can take so that
fewer people will be forced to go through the problems, the unpleasant, and even
terrifying experiences faced by victims.
We thank Representative Hooley
for introducing the bill, and Chairman Leach for calling this meeting. Thank you
very much.
REP. LEACH: Thank you very much, Ms. Benner.
Mr.
Hulme.
MR. HULME: Good afternoon, Mr. Chairman, Ms. Hooley. Thank you
for having me here.
I am president of Special Investigations,
Incorporated in New York City, and I'm appearing today on behalf of the National
Council of Investigation and Security Services. And I'm also chairman of the
Associated Licensed Detectives of New York State.
In the formal
presentation, there are some comments regarding New York State law regarding
some privacy issues there, and some regulatory matters that affect private
investigators, which we'd like you to look at because a number of states have
similar things.
What I'm going to discuss briefly here are those aspects
that have a real world significant effect on Americans, and it's a little bit of
a different take, particularly as it regards credit header information. Identity
theft is not new, and it wasn't invented with the Internet. We've been battling
it for years. Perhaps a little bit of pro bono for Shon might have helped too.
And maybe we can still help him out.
Identity theft also has been going
on through low-tech means-- the dumpster diving, picking up the garbage,
stealing charge accounts. You probably have a better chance of getting ripped
off by identity theft going into the wrong bar or at the wrong restaurant, and
having the waiter keep a copy of the charge slip or what have you.
Congress should resist the temptation to choose only one avenue by which
some criminals may gain some information by denying those tools, such as credit
header information, to those of us who are out there also investigating cases,
and also investigating the very cases, now and then, of identity theft.
Almost every aspect of this bill we agree with and we wholeheartedly
support. Basically, there are two major things. We have concerns over the aspect
regarding credit headers being eliminated, and having the same provisions for
obtaining a credit header report come under the same provisions for getting a
whole credit report.
And I believe that earlier Congresswoman Biggert
asked the question of the FTC witness. And her answer was, it would be
legitimate purposes to obtain the credit report. The way this bill will end up,
there would be no real legitimate purpose for getting a header report at all.
I'd like to just go into a few anecdotes from the opposite perspective.
Credit helpers help determine the correct identity of individuals we are
seeking. They help us by leading us to the correct individual verified by the
social security number, the past addresses, and the like. One case, however --
in San Francisco an investigator reports, very recently, working for a
successful business owner who started getting statements in the mail saying he
owed tens of thousands of dollars on computers and other purchases. He'd
realized somebody hijacked his identity. And he went to the San Francisco
Police. And this could have happened really, after listening today, anywhere in
the United States.
The San Francisco Police took the report and said
basically they weren't going to do anything. And they referred him to the Secret
Service. The Secret Service said we have a threshold of
$100,000 in that jurisdiction. He's now up to about
$80,000 as of now, so nothing happened there.
He did
hire a private investigator, and he does have some resources. He had an inkling
suspicion that basically it was probably a former employee that might have been
doing this. And the bottom line is, utilizing credit header information and a
lot of other aspects, they zeroed in on this guy. They haven't caught him, but
at any rate this person has at least three names he's been using, and three
definite social security numbers, and plus one transposed social security
numbers -- which probably really is one of the three, so it could be three or
four -- and different dates of birth on file.
So here we have the
threshold aspect that's a problem, and it's not going to work.
Another
example of how credit headers can be used effectively. In Tennessee a show dog
breeder -- and we attached lists of a few anecdotes, but I'm just using my other
anecdote. She was being basically cyber stalked and threatened by email from an
unknown harasser. She was terrified because she had no idea what the subject
looked like. She was often exposed in public arenas at these various dog shows.
The police couldn't really help her without any identification.
She did
go to an investigator. The investigator used a credit header and other sources,
including criminal checks. And she went back to the police and basically
identified the guy. They got the mug shot. And if nothing else, there's a mug
shot that was made available to the potential victim, so she at least knows what
to keep an eye out for.
I testified in 1997 at the Federal Trade
Commission workshop regarding the individual reference services that Mr. Plesser
earlier made reference to. When you get a chance, if you could take a look at
this or have the staff study it. I think all the pros and cons regarding the
availability of credit headers are in here. There's reasons why they probably
should be closed; there's very good reasons why they should remain open. And I
think the easiest thing is, let's have some strong -- number one -- enforcement
for the improper use of this information that is bandied about. And let's put in
some tight controls on the people that do have access, and I feel that should
have access. And I feel licensed private investigators and others, including now
and then legitimate journalists, attorneys, insurance companies, what have you,
also ought to have the actions. So limited, hopefully from our standpoint, to a
person that has legitimate need. The Commerce Appropriation Bill, Section
1150(a) of that measure permits only appropriate entities access to the measure.
Maybe that could be referred to.
The next problem with us is Section 8
of the bill, individual reference service definition, is really too broad. That
defines an individual reference service provider, to include not only credit
bureaus and data banks, but anyone who gathers information. It would require
providers to open their files to consumers. And that makes sense with credit
bureaus, but it doesn't make sense when somebody's investigating possible crimes
in the workplace or sensitive investigations.
I note that this committee
right now in unrelated legislation, in H.R. 3408, is attempting to correct some
deficiencies in the Fair Credit Reporting Act, one of which requires employers
to give unedited, unredacted, investigative reports to employees when taking
adverse action against them. Well, Section 8 of this present bill, 4311, goes
further than that. It would require investigators upon request to provide not
only the report given to the employer, but the entire investigative file.
That disclosure would have a chilling effect and create a climate of
fear among any potential witnesses or victims. So I think it's important that
somehow that be rectified. The only way I can see it is, the literal
interpretation, the way the bill is drafted, would include people like me and
others right into that category. And if we're in that category as being viewed
as a IRSP, we're sunk.
I might also throw out that the self-regulatory
organizations, such as the Index Bureau and the National Association of
Securities Dealers, all of their files, the manner in which they do business,
the manner in which they assemble collect and what have you, they'd fall under
this same category.
Now, you also asked us to make some comments on the
Gramm-Leach- Bliley provisions on pretexting.
I've listened to what
everybody has to say. I take some issue with some aspect of it. And that would
be the outlawing of pretexting of a criminal. I have no position against at all
outlawing the pretexting of a bank in any manner. But I don't think that should
apply to a criminal. And we do have a situation where if you're going to allow
-- we've outlawed pretexting of a criminal that often has actually stolen our
client's money. And I don't think a bank should become a safe haven for our
client's money.
Under the law, we can use a pretext to get child
support. Now, it would seem to me either outlaw all pretexting or if you're
going to allow pretexting for child support, then extend it to spousal support.
REP. LEACH: Withhold for just a second.
MR. HULME: Sure.
REP. LEACH: It's a little more careful than that.
MR. HULME:
Okay.
REP. LEACH: Pretexting is allowed for child support when there's a
court order of two kinds. One is a court order in favor of a party. The second
is a court order authorizing the pretexting. And that double court order is a
very powerful constraint. It's an extremely limited exception. And it can only
be done under the authorization of a court.
MR. HULME: All right. And I
personally know of nobody that's never gotten a court order, that second order
you're talking about. So I don't know what the status is as an investigator, and
I've been in the business 40 years, the manner in which they're now doing it. I
do know, as an investigator on some very involved crimes, I will walk into a
bank with my file and sit down, and exchange information, and try to get
information, usually to the bank's benefit, and definitely to my client's
benefit.
The other aspect I suppose is the insurance fraud aspect on
pretexting. The greatest fraud these days that's emerging is fraud against the
elderly. So if we're going to expand any type of pretexting with court orders or
otherwise, maybe it should extend to all fault, I don't know, or no pretexting.
Now one of our frustrations -- and I agree with Mr. Douglas
wholeheartedly on this -- is that our members we feel are complying with the
requirements of the law. I would like everybody to comply with the requirements
of the law. I see all these advertisements, everything that was up here earlier.
I mean, they were all over the place.
And I also don't think the FTC is
doing necessarily what they should. I was astonished to hear -- I believe I
heard it as $33 million civil judgment regarding an identity
thing out in California. I have a feeling that's probably the pornography case.
And it sounds to me like a $33 million judgment on charging
accounts for services that weren't rendered is out and out theft, and is a
criminal activity. And it's a problem that's got to be addressed. There's got to
be criminal sanctions.
In my written testimony, there are a number of
sanctions. We go for throwing the book on everything-- scourgement (sp) of
profits, criminal sanctions, and even include it with this bill. But we feel
that if you want to close up credit headers, that's going to be a tool that has
a greater detrimental effect on consumers.
That's basically it. Thank
you for my remarks.
REP. LEACH: Well, thank you very much. And let me
just say in conclusion to your testimony, you represent the most prestigious and
most reputable organization in your field. And your testimony's very
appreciated. And I think one always makes a mistake when one hears testimony of
a given type of activity, to apply it to everybody. And I'm personally very
appreciative that there is such an association as yours that is concerned for
standards.
MR. HULME: Thank you.
REP. LEACH: In thinking this
through, particularly the magnitude of the problem, I want to turn to Mr. Harvey
and Mr. Pratt for a second.
One reason one has congressional hearings is
to bring attention to issues and to review the possibility of change in statute,
and to bring attention to the issues to executive branch agencies. But it
strikes me that your associations ought to be working more closely with law
enforcement than I think has been the case. That is, to the degree that these
statistics are anywhere near the mark, it's astonishing to me that the American
Bankers and the various banking agencies throughout the country aren't all over
the United States Department of Justice, the state attorneys general, demanding
attention be brought to this. Because absent law enforcement and the laws that
exist, there's a natural tendency to seek other laws that might become more
comprehensive in other kinds of ways.
And so, I would make the strongest
possible recommendation that the American Bankers Association, and other banking
organizations at all levels, develop a task force of how they coordinate with
law enforcement. And I think it's self-evident that the exact same applies to
credit bureaus. As credit bureaus hear of problems, I think it is in your strong
vested interest to try to get law enforcement orchestrated.
It's pretty
clear that this is a low priority for American law enforcement. And so, one of
the great questions is, if this as pervasive a crime as it appears to be, if
it's growing as it appears to be growing, if the new technologies make the crime
more potentially acceptable, and if Americans for some reason think that because
there's no gun involved, it's not as serious as if there is a gun involved --
which has an element of self-evident truth, but still disguises the fact that
very devastating consequences can follow -- I think everybody's got to get
orchestrated in a new kind of way.
Now, all of you have referenced
material-- Mr. Hulme, Ms. Benner, Mr. Pratt and Mr. Harvey. And I would like to
ask at the end of the hearing that you provide us all of this, and I will try to
put them in the record. And without objection, by the way, any full statements
of all of you will be in the record as well.
And I think each of you
have taken individual approaches that strike me as all being helpful, and that
we're all going to have to be looking at. But I do think that one of the absence
of this is the fire being led under law enforcement itself, at many different
levels.
For example, reference was made earlier today to the state of
Massachusetts. The Massachusetts attorney general office was approached a few
years back. And the first person they approached did nothing; it sat for over a
year. And then someone got a little bit interested. And then it really peaked
their interest, and all of a sudden Massachusetts became very interested in a
very active -- one person in the state attorney general's office took kind of a
special responsibility. And I'm tempted to say that one might have a national
strategy, that the ABA, for example, might ask will one person be designated in
every state attorney general's office to look into this issue or take
accountability for it, so you pin-point some accountability. But I think we have
a real problem here.
Ms. Benner has made a very interesting point
because it fits the testimony. But you're the first person that I know that has
a kind of larger picture of looking at larger numbers, of statistics that, among
other things, say that the people affected come to conclude that the dollar
amount is a small consequence compared to the other losses-- the violations,
every other effect. And that is certainly the picture of a medical doctor who
appeared before us, and an individual who worked in a tire store.
And
so, what it says is, that the entire spectrum of the American face gets
affected. It isn't necessarily the highest income person or necessarily the
lowest income person; it's just a real American.
And I think it's very
interesting from your perspective. And you see it as an institution that's
probably more concerned with social activism in America than anybody that's
testified on this sort of issue. And I think your testimony is particularly
helpful and meaningful in looking at this. And I'm very appreciative you've come
across this great land to testify.
Anyway, I want to thank Mr. Hulme for
coming from New York. And I want to express my great respect for his association
and judgment, and Ms. Benner.
And Mr. Pratt, I appreciate very much the
attitude in which you have described things.
And Mr. Harvey, your
testimony was very strong. So thank you.
Ms. Hooley.
REP.
HOOLEY: Thank you, Mr. Chair.
I also would like to thank all of you for
testifying. It's always helpful to know what works and what doesn't work,
particularly Mr. Hulme, where you specified what you thought would work, and
what you thought wouldn't work. That was really helpful.
I just have
some very quick questions to ask I think all of you.
Mr. Harvey, I'm
going to start with you.
One thing the bill attempts to do is combat a
technique used by identity thieves, whereby they change their address so the
victim doesn't get her bills for a few months. And if they like me and lead busy
lives -- I mean, I wouldn't know whether I received a bill or not until somebody
probably called the collection service or I got several other bills in the mail.
But to prevent this from happening in mail generally, the post office
now sends confirmation back to the original address to ask if the person really
changed their address. And as a result, the post office has reported significant
drops in mail fraud. And it seems to me almost a full proof way of making sure
the person who requested that change of address is the person whose address is
actually being changed.
So why is this a problem for your members?
MR. HARVEY: Well, ma'am, I'm not familiar with the post office study,
although I do have some personal experience that I can share with you.
It's pretty easy to go into the post office and make a change of
address. If I'm a criminal seeking to steal someone's identity, I'll go into the
post office, and I'll just fill out a change of address form.
REP.
HOOLEY: Yeah, but the post office now -- if you turned in a change of address
form, they now confirm that with both your old address and your new address, so
it's sent back to you.
MR. HARVEY: Even if they do that -- and actually
I've just done this. My step-son went off to college. There was no confirmation
at the old address. They changed the address for me. There was absolutely no
problems with it. And at least based on my experience, I think at least this
provision would not be something that would be as helpful as we might otherwise
think it would be.
Financial institutions are establishing various
security measures. Those security measures are based upon what we're actually
seeing happening as far as fraud is concerned. As soon as a measure like this is
established as a mandate, the criminals are made aware of it. And as soon as
they've made aware of it, they'll find some other way to get around it. Then
we've got to dedicate resources to continuing to comply with this particular
law; and yet, the criminal have found a way around it.
And that's what
we consistently see. Every time you start out doing something one way as a
security measure, clever criminals are going to try and find a way around it.
Our concern is that unless we have the flexibility that's necessary to dedicate
our resources, based upon the kinds of fraud that we see, that we'll be locked
into dedicating those resources in a manner that won't yield the kind of
benefits that our customers need, as well as the financial institutions.
REP. HOOLEY: Yeah. And I'm just saying the post office has been very
successful in reducing mail fraud by doing this. And so, it was a question of
might you not want to try this, at least to see if it works.
Again,
fortunately, not all thieves are clever. Today we've talked a lot about,
certainly some of these are in well organized organizations that are selling it
on the Internet, it may be that groups are getting into this; but a lot of this
is done on an individual basis where that's what they decide to do. So it's not
always organized in their effect of doing this.
One of the other things
I guess is, I agree with your statements that we need to make sure that the
criminals are punished, and that we probably need to do more with law
enforcement in this area. And I agree wholeheartedly with you. However, I don't
think that's going to be the only thing that prevents this crime from happening.
All we have to do is look at our own states where we've built a lot of prisons,
we've filled them up, and that particular piece hasn't necessarily reduced
crime. It usually takes some prevention piece as well.
So my question
is, is it unreasonable for Congress to demand that the industry take some
minimal steps to prevent the crime from happening in the first place? Is that an
unreasonable request?
MR. HARVEY: No, ma'am, it's not that it's
unreasonable at all. As a matter of fact, financial institutions are doing just
that. We are working very diligently at trying to develop preventive measures.
Some of the things that I pointed out, for example, and some of the things that
we have in our ABA financial privacy tool box and identity theft communications
kits are just that. They point out preventative measures.
I guess what
needs to be understood is this. First of all, financial institutions have every
interest in preventing ID theft. We lose a lot of money to fraud. But secondly,
there needs to be the education. Our customers need to be educated, our
employees need to be trained and educated, and that's what we're doing. The ABA
has provided very good and detailed materials, with the assistance of the likes
of panelists before, Rob Douglas. And we have those things. And different
institutions are looking at these as recommendations for ways that they can
develop measures for prevention.
I really think it's prevention, it's
providing the kind of assistance once a person's identity has been stolen, and
it's also prosecution. I think we can't have one without the other in order for
us to be effective. I know that customers are getting information, but I still
think the free flow of that information to individuals who are identity thieves
is occurring at an alarming rate.
I guess it goes back to what the
chairman was mentioning earlier today, and that is the fact that the American
public is pretty free in giving out that kind of information. Once we get that
information, and it's presented to a financial institution, it's extremely
difficult, if that information, for example -- in many instances it's freely
given to the individual because the individual who's giving that information
doesn't know any better. They don't know that it's going to be used for some
illicit purpose.
But once we get that information presented to us in the
form of a loan application, we have obligations under federal law to process
that application. What we do is we build in security measures to try and
ascertain whether or not we are dealing with the individual that we are supposed
to be dealing with. But it's extremely complicated, and institutions need to
have the flexibility to develop their own security measures to deal with their
particular concerns.
REP. HOOLEY: Mr. Pratt, I have a couple of
questions. First of all, Mr. Pratt, let me thank you for giving your card to
Shon. That was very nice of you. I appreciate that.
I just have some
questions.
How do credit bureaus assure they have the correct address on
file? For example, consumers when they change address, they'll fill out all
these little forms, or send little cards in, or change it with the post office.
They certainly don't call you when they move, I'm assuming.
So how many
new accounts need to be opened, or how much information do you need to get for
you to change your files? And how do you verify that those accounts aren't
fraudulent?
MR. PRATT: Well, it's a desperately important question.
It has to do with file accuracy, which is a duty that we have under the
current Fair Credit Reporting Act. And it has to do with preventing fraud, and
making sure, again, that we produce a product that's of value to Mr. Harvey, for
example, and also nets benefits for consumers.
Context. We have it in
the testimony as well, but just for the sake of viewers sitting here thinking
about this. There's 42 million addresses that are changing every year; 3 million
last names changed due to marriage and divorce; 6 million probably vacation
homes. And you've seen all of this. And I try to walk through this just to make
sure that we understand that an address changing in and of itself isn't
automatically a red flag. It can be an indication of something happening. It
could be separation pending divorce. It could be my son moving out of my house
and moving on in life, and that sort of thing.
We're generally dependent
on an accuracy standard that also extends to our customer as well. In other
words, the data furnishers who provide data to us, they receive the change of
address; they change it in the account. They on the next cycle of reporting to
the credit bureau will report that new address.
Our systems manage
multiple addresses at the same time. Many of us may have a bank card that's
being paid at our work address because we use it principally for work, and then
we have other cards going home. So at any given time, there's a large
population. And they have at least two, if not three, live addresses, all of
which are accurate and correct. So definitely we're in a situation of being
dependent on maintaining accuracy in partnership with the customers that we work
with.
Now, we also have access to some tools. I'm going to go back and
verify this before I make a commitment to this. But I have this with our data
furnishers. We do cross-checking against various data sources. For example, a
social security number that comes in and is currently active; there are ranges
of numbers that are not active according to the Social Security Administration.
That obviously gives us a clue that something is wrong. We can't have access on
the other side though for many good reasons. We don't have access to the
administration number to verify that in fact this is a real number. We just know
it's not a live, active number, and that's a cue. That would be one way for us
to verify.
If that address is the only address that comes in, and all
the others remain cycle after cycle being reported, that address probably is
never used as a searchable element. It sits there for a period of time, and then
it disappears; it's eliminated. But we do not have a direct consumer
verification, as you point out. It's a system that starts with our customers and
works in tandem with us.
REP. HOOLEY: One of the things as I became
involved in this issue -- and it happened because I did a series of workshops on
credit and how to protect your credit ratings -- this issue came up, and I
certainly have learned a lot in this whole process.
TRW had reported
huge increases of ID fraud through 1997. Are credit bureaus still keeping these
records, and will they be reporting those soon?
MR. PRATT: I think that
was actually information that was provided to the GAO. Is that the same data
that I think we're referring to? I think it was Transunion data. But at any
rate, that showed you from the beginning of the establishment of their fraud
unit to I think '98 what had happened with the escalation in total phone calls.
What isn't absolutely evident is, what part of that was, I lost my wallet, which
is a valid call, by the way. We'll put a fraud alert on a file if a consumer
says preventatively, I've lost my wallet, or somebody broke into my home, or
I've misplaced a credit card. Those are valid reasons for loading a security
alert on the file. That alert may stay on a shorter period of time or a longer
period of time, depending on choices the consumer makes with us. But that's an
element of those phone calls.
So that wasn't in its entirety just --
there was also account takeover, i.e., skimming, for example, is another type of
credit card fraud, where somebody can have a belt skimmer, and they can simply
swipe your card, give your card back to in a restaurant, for example. And then
they have your account information off that magnetic strip date on the card.
That's another form of fraud that's accounted for in those fraud units.
In fact, I've asked our members just prior to this hearing. And we're
looking into what type of data we have today with regard to the size of the
issue.
I just want to emphasize, it's a definitional question to though.
I guess the most important thing to say is, big or small, it's big enough that
it needs intention. I guess that's the most important point.
REP.
HOOLEY: But I just thought it was interesting. It seemed to me somebody was
keeping track, and then --
MR. PRATT: Well, we keep track in terms of --
we can't validate differently than a creditor whether this is absolute correct
every time. What we can do is we can --
REP. HOOLEY: But it certainly
gives you a ballpark though, which is helpful.
MR. PRATT: -- we can
guess. "You sure look like you've been a victim. We're going to take some
proactive steps here." That would be the best we could do until we advise them
to go to their creditors, and then we have disputes processes and these sorts of
things under the Fair Credit Reporting Act.
REP. HOOLEY: Mr. Pratt, you
talked in your testimony about in the next few months having something that will
be up and running that can verify those discrepancies in people's files.
MR. PRATT: When we looked at this issue, one of the questions we tried
to ask was, why is it that consumers say it happens again and again. And, of
course, by the way, that in turn means more consumer relations phone calls. But
these aren't necessarily the good ones. Now the consumer's extraordinarily
frustrated; this is the second time I've called you, this is the third time I've
called you.
We said, what can we do longitudinally to stay with that
consumer? So when that security alert goes on the file, when we take them out of
pre-screened offers of credit, for example -- which is another step we can take;
and it certainly is a right consumers have under the 1996 amendments to the Fair
Credit Reporting Act -- when we send them their file and so on, and we bring it
whole, we decided that gave us an opportunity to say, let's go beyond the law,
let's use a principle, let's just look at activity on the file.
And by
the way, we want to be cautious about what we tell you about what triggers might
trigger a notice to the consumer. The last thing we want to do is explain to the
criminals how you can avoid triggering the credit bureau notification. But trust
me, there are some triggers.
REP. HOOLEY: But you're looking at doing
this --
MR. PRATT: Absolutely.
REP. HOOLEY: -- and it will be on
line or whatever.
MR. PRATT: This quarter, the end of this year.
REP. HOOLEY: Soon.
MR. PRATT: Yes, soon.
REP. HOOLEY: Is
this going to cost the consumers money?
MR. PRATT: No.
REP.
HOOLEY: So this will help everyone, but they won't have to pay
$13.95 or --
MR. PRATT: No. Somebody who's been a
victim -- that was one of the issues here. If we're a steward of their
information -- and I think that's an important kind of mind-set to have when you
think about the kind of information we have -- we said, what can we do to stay
in touch with that consumer who's been a victim, or thinks they've been a
victim, and stick with it? And try to establish a line of communication that
extends beyond what the law requires.
The law says, okay, your job is
done; you've corrected the file. But it could be new information coming in from,
if you will, the other victim, the creditor victim who has underwritten more
fraud. And so, the creditor victim's reporting unbeknownst to them more
information. Well, this gives us a chance to stay in touch with that consumer
over that period of time.
We're going to have to pilot test. We'll have
to see what kinds of triggers work. This does go in synch with some of our
concerns about how rigidly the law prescribes something that we do because we
may discover certain triggers work, other triggers work, and that sort of thing.
REP. HOOLEY: When you put fraud flags on the file, do creditors have to
change their practices when they see that? Is it required that they do something
with their fraud alert?
MR. PRATT: Well, the fraud alert that we
transmit -- I'm going to circle around your question. We obviously can't impose
as private industry the practice on our customers. We view the fraud alert as
part of the partnership with our customers. By the way, in our initiatives on
the fraud alert, one of the observations we got from Beth and others was, "Boy,
these aren't working as well as they should." And we said, why is that? What are
we doing?
Well, there's, first of all, three major systems in this
country. So we've asked ourselves, and we've answered the question, can we
standardize, for example, the text message? First of all, it makes it easier for
all customers who need to identify and take the action the consumer requests. So
if Mr. Harvey's bank receives a text message saying, please don't grant credit,
call this number, Mr. Harvey then, along with the application, can make
decisions about how to process that.
On our end of it, that also makes
it better for those larger institutions who have a third party data processor
because there's this spiffy term "normalizing." There's normalizing of credit
data. So they may pull several files, and normalize them means bring them
together. In that process, we want to make sure the security alert doesn't get
lost. So that's another way of trying to make it more effective.
We also
are going to include an alpha numeric sequence right there in the text message
so that we can tell a creditor, if you have a highly automated system, you can
look for this sequence which will trigger and tell you, this is a fraud alert
associated with identity theft. And that's another way for us to try and make
the security alert more effective.
The goal we have is to make sure that
Mr. Harvey's bank has the target to look for. And so, he doesn't have to look
for three targets or two targets. And we believe that will make those security
alerts more effective than they are today.
REP. HOOLEY: Will they get
that fraud alert when they're just pulling up the score as opposed to the whole
credit report?
MR. PRATT: Excellent question. And the answer is yes.
REP. HOOLEY: Okay. But right now that doesn't happen?
MR. PRATT:
No, that's the practice today. That's a mythology. I've heard out in the
marketplace that we do not transmit with scores. But because we use a field --
we actually use a field that the FCRA requires that we have in place. It's a
field, meaning a section of your database, if you will. The field is a statement
field that must go with every single credit file, no matter how it's issued. We
would view a score as a type of consumer report. It's a very limited consumer
report, but it is a consumer report. And we would transmit that message along
with --
REP. HOOLEY: But they get it with a report, with the score, with
--
MR. PRATT: With a highly codified version, with the full printed
version.
REP. HOOLEY: Help me understand. I may not be asking the right
person this question.
Why is it then when I talk to person after person
who's been a victim of identity theft -- and Shon was another example -- where
the credit alerts are ignored, or they're giving credit. I mean, if the person
says, I want a fraud alert put on my credit report; and I say, I want you to
call me before the person gives any credit to anybody else, how come those are
ignored? I mean, what do we need to do to make sure that those aren't ignored?
MR. PRATT: Well, I think that what we need to do -- and it's similar to
the whole pretexting issue and ID theft issue -- we need to make sure that our
banking customers and our telecom customers understand what to look for, and to
give them the best single target to look for. I think if we can issue a release
this year -- and Richard's probably the fellow that would receive this. And we'd
say, Richard, you should look for this. This is how we're going to do it,
whether it's the Experian system, or the Transunion system, or the Equifax
system. And then he has a better chance to say, I'm going to do this with my
people internally. This is how we're going to look at the file.
But
we've also talked to some lenders who've said, can't you make it more obvious to
us, for example, when somebody asks for an increase in credit? So they pull a
consumer report at that point -- a credit report -- to evaluate whether or not
you should get an increase. And we've learned in those cases we need to work
with banks.
When we deliver that, we don't have control over how that
message has been presented on the screen to the consumer service person, but in
talking with some of our customers they've said, "Aha, I see it." So I can
program my system to make that more obvious, popping up on the screen as a more
obvious message to my consumer service people so that they don't automatically
just process an increase in credit because they were successful pulling a credit
history.
There's no silver bullet in this type of crime; that's the
great struggle. It's a layering of efforts that I think are going to make this
an effective undertaking, and I think the urging of the chairman, to make sure
that we have the right task force for law enforcement. In fact, we think there's
some other areas where we probably need to look at a more coordinated effort as
well.
REP. LEACH: Ms. Hooley, can we --
REP. HOOLEY: Yes.
REP. LEACH: Is that all right? I want to give Steve a chance, and then
if we can come back.
Mr. LaTourette.
REP. LaTOURETTE: Thank you,
Mr. Chairman. And I'll be pretty brief.
There's just an article in the
Cleveland Plain Dealer. It doesn't have anything to do specifically with this.
But there was a guy in federal prison that was successful at going to one of the
finer banks in Cleveland and buying a Mercedes, and then he went out and bought
an SUV. And they only caught him when he was attempting to buy three trucks. And
the loan officer at the bank remembered that the reason he was in federal prison
was he'd tighted $110,000 in checks a couple years ago.
And the problem that they described was that sometimes the credit
application's taken at the car dealership. And then when he goes to the bank for
financing there isn't always an interfacing and a communication of all of the
facts necessary before there's a decision to grant credit. And it came as a big
surprise to people that a fellow in federal prison was able to buy some cars
that I probably couldn't buy. I'm not in federal prison yet.
I wanted to
just talk to you about a couple of things though, Mr. Pratt. First of all, you
were describing to Ms. Hooley the additional flag that you're going to put on to
better stay in contact with those who have been identified as fraud victims. Are
you also working on a program to be proactive with those who have yet to be
victims of fraud?
The reason I asked you that question is, when Mr.
Harvey was talking to Ms. Hooley about the change of address -- I understand a
lot of people have different addresses, a lot of people move, a lot of people
get divorced, but the case that brought this matter to my attention is, you had
a family that lived in the same house for 20 years, and all of a sudden you had
6 change of addresses in 6 months.
You had a family who for 20 years had
every year 1.5 credit inquiries, and then there were 60 hits within a 4-month
period.
Now, my question is, is your technology without legislation,
such as Ms. Hooley has devised -- is your technology and your industry moving to
a situation where you're going to be -- that looks fishy to me; that a couple
that never has moved all of a sudden has moved six times. If nothing else, it
looks like the customer went nuts, and they've gone on a shopping spree.
MR. PRATT: I guess the short answer is, this next step gives us a much
better understanding of what the undertaking would be to try and administer a
program for 180 million credit files, where 2 billion elements of information
are being loaded on a monthly basis. So I only say that we're probably managing
some of the largest and most complicated private sector databases globally
today. And so the challenge is to look for the unusual pattern.
But I
think your point is well taken. I don't see how I could argue with the idea of
continuing our work to say, how can we continue to use software and technology
to in a preventative way look at the larger population. I just can't answer
specifically how that would work at this time.
REP. LaTOURETTE: No, I
understand that. But that's why a provision of this particular bill says that
somebody should have an obligation to ask if you've really moved and you're
really the person that's involved in the credit application. And I understand
Mr. Harvey's observation that it's onerous, and it might cost some money, and so
forth and so on. But one way -- until you get your computers to sort of key in
on events like that, that would be suspicious and really aid and abet the thief
-- might be to do it the old-fashioned way, and reach out and touch the customer
and say, is that really you who moved. And then we can figure out the technology
and let that catch up later.
Mr. Harvey, one of the criticisms that I
get when I go to town meetings, especially with senior citizens, relative to the
financial service industry, are all the credit card applications unsolicited
that they receive in the mail. And I think Mr. Hulme described them as dumpster
divers.
We did a project in conjunction with sweepstakes mailings in my
district, where we asked senior citizens to save their mail for 30 days so that
we could catch those who prey upon seniors and invite them to enter contests,
and convince them that if they only buy that extra copy of outdoor lights,
they're going to be a millionaire, pretty directly.
But one of the
things we found as they collected their mail was, there's a lot of unsolicited
credit card applications. And there are some who suggest that this increase,
this sharp rise in identity theft is facilitated by people receiving these
things that they haven't asked for at their home with personal identifiable
information, and they toss it in the garbage.
I'd be interested to know
the position that either your bank or the ABA has on that particular observation
and criticism.
MR. HARVEY: Well, with respect to the kind of
solicitations that are going out, certainly financial institutions want to be
able to provide the kind of advertisement and solicitation of its services that
it thinks that customers are going to be interested in.
It's very
difficult sometimes to actually know which group of people are going to take you
up on a particular offer. You will see more and more financial institutions --
credit card issuers -- sending out solicitations because they're not able to
determine with any kind of certainty who will take advantage of the offer and
who won't take advantage of those offers.
Whether or not it facilitates
this crime, yeah, it certainly does. But I think there's a communication that
needs to go out to the public. And that is, there are still ways to handle those
types of solicitations. There are ways to cut off those type of solicitations. I
can assure you that no financial institution wants to send out these
solicitations to anyone that they didn't think would be interested. But you can
shut off those solicitations. You can contact a direct marketing firm that's out
there, and you could actually call them on the telephone you're not interested
in receiving mail solicitations.
REP. LaTOURETTE: You talked about
education in your testimony, and I want to go back and touch on that, I think
education of the public. You also talked about education of your employees at
the financial institution.
Again, when I was growing up and got my first
credit card, my mom taught me that when I was done with it and I got a new one,
I was suppose to take a pair of scissors and slice it. Is that what you and the
ABA would recommend if I get an offer -- like I always get -- that I've been
pre-approved for a $10,000 credit card from the XYZ bank, and I
don't choose to take the XYZ bank up on that particular offer? What should I do
with that? What should the consumer do with that solicitation?
MR.
HARVEY: You should shred it. You should shred that solicitation because it
certainly is something that the dumpster divers are looking at. They're going
in, and they're trying to find out information about you, for various reasons.
REP. LaTOURETTE: And back to your employees for just a minute. My
understanding of one of the ways that the pretext callers are successful in
getting information is that they repeatedly will call a bank until they find
somebody that gives them the information.
Can you tell me what your bank
is doing to educate its employees to deal with that situation?
MR.
HARVEY: Certainly. Some of the things that we're doing are the things that are
also included in the tool box. And we've also included it in our testimony. Some
of those things include, for example, making sure that we have policies and
procedures in place to question very carefully, always paying attention to being
customer service advocates, but questioning very carefully those who call in; to
be consistent in the types of questions that we ask them, and to be leery about
answers that don't seem to be responsive to those questions.
REP.
LaTOURETTE: Is there a chain of command at the bank that -- again, the same
question I was asking Mr. Pratt -- when something doesn't smell right, something
doesn't look right, there is a procedure in place that the customer service
representative can turn to someone else that is more expert or better trained
than this?
MR. HARVEY: Absolutely. As a matter of fact, it's one of the
recommendations that the ABA has presented. And that is, if there is something
that doesn't exactly sound right, or if you're getting some resistance from the
caller, that you bump that call up to a supervisor who has more experience in
this area.
REP. LaTOURETTE: I thank you, and I thank the chair.
REP. LEACH: Thank you. We have a vote on the floor. Is all right to end,
or do you want to come back? All right.
Well, let me thank you all very
much. I'd like to ask unanimous consent to place in the record a statement by
America's Financial Services Association, the Consumer Bankers Association, and
the National Retail Federation. Without objection, we'll do that. I also would
like to ask if my staff would come and collect some documents you have, and that
we will potentially place them in the record too if their length is appropriate.
Let me thank you all for your testimony. I think it's been very helpful.
And I think that whenever legislation of this nature is introduced, the thrust
might be reasonable, but there also might be reasons for refinement. All of you,
your testimony is very much appreciated.
Thank you very much. The
committee's adjourned.
END
LOAD-DATE: September
16, 2000 
