Skip to main content

Search

Fair Credit Reporting: 9.2.7.2.3 Requirements

Under the regulations, each creditor must “include reasonable policies and procedures” for issuing and implementing “Red Flag” guidelines regarding identity theft.296 A “Red Flag” is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”297 Financial institutions and creditors that maintain accounts described in the regulations must “develop and implement a written Identity Theft Prevention Program . . .

Fair Credit Reporting: 9.2.7.3 Address Discrepancies

One of the warning signs of identity theft is a discrepancy between the address on the credit application and the consumer report. For example, an identity thief will use the victim’s name and Social Security number to apply for credit cards, but have the cards sent to another address (after all, it makes no sense for the thief to have the cards sent to the victim’s address).

Fair Credit Reporting: 9.2.7.4 Change-of-Address Provisions

The FCRA specifically requires the FTC, the banking regulators, the SEC, and the CFTC to issue guidelines for credit and debit card issuers322 to prevent “account-takeover” identity theft. This provision imposes special verification procedures on issuers that receive a request for an additional or a replacement card on an existing account within thirty days of receiving a change of address notice.323 Before issuing the card, the issuer must do one of the following:

Fair Credit Reporting: 9.4.1 Criminal Identity Theft Statutes

Nearly every state has explicitly criminalized identity theft, enacting a special statute to combat this particular violation that does not fit neatly into classic common law categories of offenses.343 A typical statute prohibits a person from obtaining identification information of another person and using it to obtain credit, property, or services without that person’s authorization.

Fair Credit Reporting: 9.4.2 State Civil Laws

While a right of restitution and a private cause of action against the thief satisfy a sense of justice, in all likelihood the thief will be as judgment proof as a stone, and a victim will be able to realize little real reimbursement from that source. Yet where a state statute is primarily designed to impose civil liability on the original identity thief, consumers have not succeeded in extending liability to third-party lenders or similar parties, because they have failed to meet the statutes’ scienter requirements.362

Fair Credit Reporting: 9.4.3.1 Generally

All fifty states have security freeze statutes, which were the single most effective tool to minimize the risk of identity theft.384 In 2018, Congress amended the FCRA to provide for a federal right to a security freeze.385 In doing so, Congress preempted state security freeze provisions, at least to the extent that those state provisions apply to nationwide CRAs.386 What follows is a discussion of state security laws as they applied before Septemb

Fair Credit Reporting: 9.4.3.2 Scope

A typical procedure for a state security freeze requires the consumer to submit a request by certified mail to a CRA, who then has to place the freeze within a specific time of receiving the request, often five business days.390 The agency then has a period, typically five to ten business days, in which to confirm the freeze with the consumer and to provide the consumer with some sort of personal identification number or password that the consumer can use to lift the freeze later.391

Fair Credit Reporting: 9.4.3.3 Cost of a Security Freeze

The state security freeze statutes generally regulate the fees an agency may charge. Many states that formerly charged fees lifted them in the wake of the Equifax data breach.392 Of course, the federal security freeze provision requires that they be free, and preempts any charges imposed by the nationwide CRAs.393

Fair Credit Reporting: 9.4.3.4 Exemptions; Thaws

While the freeze will generally prevent new creditors from viewing the file of the consumer who applies for the freeze, existing creditors are usually exempted from the freeze laws so that they can continue to review a customer’s file for information.400 Government agencies are also typically exempt401 but, since they are less likely to offer quick credit, they may be of less concern.

Fair Credit Reporting: 9.4.4 Child and Foster Youth Identity Theft

Children are uniquely vulnerable to identity theft. Children are attractive targets because they have no credit history, they infrequently (if ever) check their credit reports so chances of detection are low, and the impact to the victim is delayed. One study found that, out of a group of over 40,000 children, more than ten percent had someone else using their Social Security number.414

Fair Credit Reporting: 9.5.1 Overview of FCRA and State Law Claims

A hard fact of life is that many consumers find CRAs and creditors less than helpful when dealing with identity theft, and legal action or the threat of legal action is often needed. Identity theft is one of the leading reasons consumers with bad consumer reports turn to attorneys for assistance. There are many claims that should be considered in an identity theft case.

First, a number of the FACTA amendments’ identity theft provisions are privately enforceable and should be considered, including the following:

Fair Credit Reporting: 9.5.2 Claims Against the Creditor for Violation of a Duty of Care

A creditor who posts a thief’s delinquencies to the victim’s credit record may be liable for failing to use due care in opening the account. By extending credit or providing goods or services to the thief without properly verifying the thief’s identity, the creditor facilitates the conduct that leads to catastrophic consequences to the victim’s credit record.

Fair Credit Reporting: 9.6 Claims to Address When a Data Security Breach Has Put the Consumer at Risk of Identity Theft

The vast majority of states have enacted legislation to require those entities that store personal data about consumers to notify those consumers when the security of the storage system has been breached.456 These statutes may provide a cause of action for a consumer whose data have been stolen.457 Some states regulate the manner in which entities store such data; for example, New Jersey requires health insurance carriers to encrypt their computerized records that contain personal information, o

Fair Credit Reporting: 13.2.1 Overview

A number of different federal agencies are invested with authority to enforce the FCRA, depending on the type and size of the institution that is the target of enforcement, and the type of activities it conducts. The federal agencies that may have enforcement authority include the CFPB, the FTC, the federal prudential bank regulators (such as the OCC and FDIC), and other specialized agencies. In some cases, one agency will have exclusive enforcement authority relative to other federal agencies. In other cases, enforcement authority will be shared by two or more federal agencies.

Fair Credit Reporting: 16.1 Introduction

A credit score is a number compiled from a consumer’s file at a consumer reporting agency (CRA), sometimes in conjunction with information obtained from a credit application or other sources. Credit scores are used as a factor, sometimes the sole factor, in determining whether to grant credit to a consumer. The credit score may be the single most influential, critical piece of information associated with a consumer’s file at a CRA.

Fair Credit Reporting: 16.2.2.3 Custom Versus Generic Scores

Historically, most credit scoring systems were custom models built for a particular lender or user. These models were developed using data in the lender’s own customer files. The factors in the model and the weights assigned to each factor were derived from the characteristics of the lender’s customer base, and the lender’s experience with each customer.30

Fair Credit Reporting: 16.2.2.4 Specialty Scores

Some credit scoring models are designed for specific purposes or for specific industries.33 For example, FICO offers a specialty score for automobile finance34 and a risk assessment scores for utility providers.35 Indeed, FICO alone has forty-nine different scoring models,36 with twenty-eight of them used most often, discussed in more detail at

Fair Credit Reporting: 16.2.2.5 Credit Application Scores

Credit application scores combine credit history information with information derived from an application for a particular type of credit.55 This information may include employment history, income, loan collateral, debt-to-income ratio and cash reserves. Credit application scores are often used for automobile loan and mortgage applications.

Fair Credit Reporting: 16.2.3.1 FCRA Definition

The Fair Credit Reporting Act defines a credit score as:

[A] numerical value or a categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the numerical value or the categorization derived from such analysis may be referred to as a “risk predictor” or “risk score”).60