Skip to main content

Search

Fair Credit Reporting: 9.2.7.2.2 Scope: Application to “creditors”

In a guidance document interpreting these regulations, the FTC indicated that the red flag guidelines requirement applied not only to lenders, but other entities who could be considered “creditors” under the Equal Credit Opportunity Act (ECOA)288 including “professionals, such as lawyers or health care providers, who bill their clients after services are rendered.”289 Legislators became concerned that these businesses would be overburdened by the requirement to have red flag guidelines.

Fair Credit Reporting: 9.2.7.2.3 Requirements

Under the regulations, each creditor must “include reasonable policies and procedures” for issuing and implementing “Red Flag” guidelines regarding identity theft.296 A “Red Flag” is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”297 Financial institutions and creditors that maintain accounts described in the regulations must “develop and implement a written Identity Theft Prevention Program . . .

Fair Credit Reporting: 9.2.7.3 Address Discrepancies

One of the warning signs of identity theft is a discrepancy between the address on the credit application and the consumer report. For example, an identity thief will use the victim’s name and Social Security number to apply for credit cards, but have the cards sent to another address (after all, it makes no sense for the thief to have the cards sent to the victim’s address).

Fair Credit Reporting: 9.2.7.4 Change-of-Address Provisions

The FCRA specifically requires the FTC, the banking regulators, the SEC, and the CFTC to issue guidelines for credit and debit card issuers322 to prevent “account-takeover” identity theft. This provision imposes special verification procedures on issuers that receive a request for an additional or a replacement card on an existing account within thirty days of receiving a change of address notice.323 Before issuing the card, the issuer must do one of the following:

Fair Credit Reporting: 9.4.1 Criminal Identity Theft Statutes

Nearly every state has explicitly criminalized identity theft, enacting a special statute to combat this particular violation that does not fit neatly into classic common law categories of offenses.343 A typical statute prohibits a person from obtaining identification information of another person and using it to obtain credit, property, or services without that person’s authorization.

Fair Credit Reporting: 9.4.2 State Civil Laws

While a right of restitution and a private cause of action against the thief satisfy a sense of justice, in all likelihood the thief will be as judgment proof as a stone, and a victim will be able to realize little real reimbursement from that source. Yet where a state statute is primarily designed to impose civil liability on the original identity thief, consumers have not succeeded in extending liability to third-party lenders or similar parties, because they have failed to meet the statutes’ scienter requirements.362

Fair Credit Reporting: 9.4.3.1 Generally

All fifty states have security freeze statutes, which were the single most effective tool to minimize the risk of identity theft.384 In 2018, Congress amended the FCRA to provide for a federal right to a security freeze.385 In doing so, Congress preempted state security freeze provisions, at least to the extent that those state provisions apply to nationwide CRAs.386 What follows is a discussion of state security laws as they applied before Septemb

Fair Credit Reporting: 9.4.3.2 Scope

A typical procedure for a state security freeze requires the consumer to submit a request by certified mail to a CRA, who then has to place the freeze within a specific time of receiving the request, often five business days.390 The agency then has a period, typically five to ten business days, in which to confirm the freeze with the consumer and to provide the consumer with some sort of personal identification number or password that the consumer can use to lift the freeze later.391

Fair Credit Reporting: 9.4.3.3 Cost of a Security Freeze

The state security freeze statutes generally regulate the fees an agency may charge. Many states that formerly charged fees lifted them in the wake of the Equifax data breach.392 Of course, the federal security freeze provision requires that they be free, and preempts any charges imposed by the nationwide CRAs.393

Fair Credit Reporting: 9.4.3.4 Exemptions; Thaws

While the freeze will generally prevent new creditors from viewing the file of the consumer who applies for the freeze, existing creditors are usually exempted from the freeze laws so that they can continue to review a customer’s file for information.400 Government agencies are also typically exempt401 but, since they are less likely to offer quick credit, they may be of less concern.

Fair Credit Reporting: 9.4.4 Child and Foster Youth Identity Theft

Children are uniquely vulnerable to identity theft. Children are attractive targets because they have no credit history, they infrequently (if ever) check their credit reports so chances of detection are low, and the impact to the victim is delayed. One study found that, out of a group of over 40,000 children, more than ten percent had someone else using their Social Security number.414

Fair Credit Reporting: 9.5.1 Overview of FCRA and State Law Claims

A hard fact of life is that many consumers find CRAs and creditors less than helpful when dealing with identity theft, and legal action or the threat of legal action is often needed. Identity theft is one of the leading reasons consumers with bad consumer reports turn to attorneys for assistance. There are many claims that should be considered in an identity theft case.

First, a number of the FACTA amendments’ identity theft provisions are privately enforceable and should be considered, including the following:

Fair Credit Reporting: 9.5.2 Claims Against the Creditor for Violation of a Duty of Care

A creditor who posts a thief’s delinquencies to the victim’s credit record may be liable for failing to use due care in opening the account. By extending credit or providing goods or services to the thief without properly verifying the thief’s identity, the creditor facilitates the conduct that leads to catastrophic consequences to the victim’s credit record.

Fair Credit Reporting: 9.6 Claims to Address When a Data Security Breach Has Put the Consumer at Risk of Identity Theft

The vast majority of states have enacted legislation to require those entities that store personal data about consumers to notify those consumers when the security of the storage system has been breached.456 These statutes may provide a cause of action for a consumer whose data have been stolen.457 Some states regulate the manner in which entities store such data; for example, New Jersey requires health insurance carriers to encrypt their computerized records that contain personal information, o

Fair Credit Reporting: 13.2.1 Overview

A number of different federal agencies are invested with authority to enforce the FCRA, depending on the type and size of the institution that is the target of enforcement, and the type of activities it conducts. The federal agencies that may have enforcement authority include the CFPB, the FTC, the federal prudential bank regulators (such as the OCC and FDIC), and other specialized agencies. In some cases, one agency will have exclusive enforcement authority relative to other federal agencies. In other cases, enforcement authority will be shared by two or more federal agencies.

Fair Credit Reporting: C.1 Introduction

The Fair Credit Reporting Act requires the Consumer Financial Protection Board (CFPB) to develop a number of model forms for credit reporting agencies, users, and furnishers to use. A table of these forms is set forth below. The authority, purpose, and legal effect of these model forms are set forth in 12 C.F.R.

Fair Credit Reporting: C.4 Summary of Consumer Identity Theft Rights

Section 1681g(d) of the FCRA requires the CFPB, in consultation with the federal banking agencies and the National Credit Union Administration, to prepare a model summary of the rights of consumers “with respect to the procedures for remedying the effects of fraud or identity theft.” Consumer reporting agencies must distribute this form to any consumer who “contacts a consumer reporting agency and expresses a belief that the consumer is a victim of fraud or identity theft.”

Fair Credit Reporting: C.5 FTC Identity Theft Affidavit

The FTC developed the ID Theft Affidavit to assist victims who dispute fraudulent debts and accounts opened by an identity thief. The FTC’s ID Theft Affidavit is intended to simplify this process. Instead of completing different forms, consumers can use the ID Theft Affidavit to alert companies when a new account was opened in the identity theft victim’s name. The company can then investigate the fraud and decide the outcome of the consumer’s claim.

Fair Credit Reporting: C.6 Notice of Furnisher Responsibilities

Section 1681e(d)(1) of the FCRA requires that consumer reporting agencies distribute to each person that regularly furnishes information to the agency or that receives information from the agency a notice of the person’s responsibilities under the FCRA. The FCRA requires the CFPB to “prescribe” the content of model notices that can be used to comply with section 1681e(d)(1).

Fair Credit Reporting: Introduction

Many consumers learn of errors in a consumer report only when a creditor or other user informs the consumer that adverse action has been based on a report. Users must also certify to the agency that the user has a permissible purpose for obtaining a consumer report. Some users, including employers, users of investigative consumer reports, users of reports containing medical information, users of prescreened lists, and resellers of credit reports, have additional obligations.