Fair Credit Reporting: 9.1.2 Impact on Victims
According to the U.S.
According to the U.S.
The FTC provides an array of resources in educating consumers about identity theft and providing informational tools for victims to combat it.
The effect of identity theft on consumers was one of the motivating factors that led to the passage of Fair and Accurate Transactions Act of 2003 (FACTA).
The FCRA defines “identity theft” as “a fraud committed or attempted using the identifying information of another person.” Regulation V further defines the term to mean “a fraud committed or attempted using the identifying information of another person without authority.”29 Regulation V defines “identifying information” to mean:30
Each nationwide CRA must prepare and submit to the CFPB an annual report summarizing consumer complaints received on identity theft or fraud alerts.42 The CFPB could use this information to produce a nationwide picture of the effect of identity theft on the accuracy and integrity of consumers’ credit files.
The FCRA provides for three varieties of alerts that consumers may add to their files with nationwide CRAs.43 These alerts differ in their initiation requirements, time periods, and demands imposed on users. However, all three alerts require the CRA receiving the alert to refer it to the other nationwide CRAs. In theory, this process allows consumers to issue the alert to all the CRAs with “one call.”
With respect to the first type of alert, the FCRA allows consumers who believe that they are or might be victimized by identity theft fraud or any other sort of fraud to require all nationwide CRAs to add a fraud alert to their files simply by calling one such CRA.56 Note that the FCRA provides consumers may seek an initial fraud alert merely upon a “good faith suspicion” that they are about to be victimized by identity theft or other fraud;57 consumers do not need to know definitively that they act
The CFPB took action against a mortgage lender that misused its access to consumer credit reports to unlawfully obtain reports in order to market student loan debt-relief services.183 It also took action against another mortgage servicer and lender who ordered consumer reports to market to existing customers without making a firm offer of credit, which is not a permissible purpose under the FCRA.184
The CFPB has brought actions against users of consumer reports for failing to provide adverse action notices or otherwise comply with section 1681m.191 In one instance, the CFPB alleged that, as a matter of company policy, 1st Alliance denied credit to thousands of consumers based on information in a consumer report or in response to an application, but did not give the consumers an adverse action notice as required under FCRA and ECOA.192 In another case, the CFPB found that between October 201
In addition to bringing cases for violations of the FCRA, the FTC filed several amicus briefs in support of consumer FCRA claims.
In 1996, Congress provided for criminal enforcement of two of the FCRA’s provisions.
As mentioned earlier,246 private citizens may not sue furnishers of information for damages resulting from a failure to provide accurate or complete information to CRAs as required by the Act.247 Instead, only public officials or federal or state agencies are permitted to enforce these and other furnisher requirements.248 State officials have authority to seek damages on behalf of state residents for violations of paragraphs (1) through (3) of sect
In addition to the substantive limitations on state enforcement authority, discussed above, the FCRA imposes procedural requirements and limitations on state officials.
Nothing in the FCRA’s provision on state enforcement shall prevent the chief law enforcement officer of a state from exercising the powers to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence in connection with any FCRA enforcement action brought by the state.260
States have worked together to obtain significant reforms in credit reporting practices on a few occasions. In the early 1990s, following widespread dissatisfaction with the accuracy of information in credit reports and apparent systematic FCRA compliance difficulties, several state attorneys general brought enforcement actions against Equifax, TRW Inc.
Of the four varieties of common law invasion of privacy, public disclosure of private facts has the most potential to constrict the flow of personal financial information. However, it is not particularly well suited to keeping financial information private.
Like the tort of public disclosure of private facts, the tort of intrusion can also apply to the discovery of financial information.62 The tort, also sometimes called “intrusion into seclusion” or “unreasonable intrusion,” creates liability for the intentional intrusion upon another person’s solitude, seclusion, or private affairs in a manner that would be highly offensive to a reasonable person.63 Generally, the intrusion need not be physical; this tort can lead to liability for the unauthorized pr
The tort of appropriation at first glance appears to be suitable for addressing identity theft.
Title V of the Gramm-Leach-Bliley Act (the GLBA)89 addresses financial institutions’ use of consumers’ “nonpublic personal information.”90 That term is defined to mean any personally identifiable financial information that is provided by the consumer to the financial institution;91 results from any transaction with the consumer or service performed for the consumer; or is otherwise obtained by the financial institution, but which is not “publicly availab
Prior to the Dodd-Frank Act amendments, the FTC and banking regulators had all issued GLBA regulations that were substantially similar to one another.95 The FTC’s authority to issue the regulations survived a challenge brought by TransUnion, one of the three major CRAs.96 As for agency enforcement actions, the FTC has publicly taken enforcement action under the GLBA,97 and the FRB has taken “formal” enforcement action.
The GLBA applies to “financial institutions.” Whether an entity is a “financial institution” is determined by whether it engages in “financial activities” as that term is defined by the Bank Company Holding Act of 1956.112 That Act describes five different categories of financial activities that cover lending, insuring, financial advising, issuing or selling asset pool instruments, and underwriting securities.113 Under Regulation P, a more restricted definition applies to those entities subject
The GLBA protects both “customers” and “consumers.” All customers are consumers, but not all consumers are customers. Customers and consumers are equally protected by the opt-out and nondisclosure provisions of the GLBA and Regulation P.119 The difference is only relevant to whether the institution must provide an initial privacy notice and annual privacy notices to the individual, and turns on the individual’s particular relationship with the financial institution.
The GLBA does not prevent financial institutions from revealing any information that they get from consumers; the only information restricted by the Act is “nonpublic personal information.” Nonpublic personal information is deemed to be personally identifiable financial information that is not publicly available.126 The Act does not define “personally identifiable financial information”; nonetheless, the FTC’s authority to define the term, and to define the term broadly, has been upheld.127 Pres
Though not expressly labeled as an exception, a key feature of the GLBA is that disclosures to an institution’s own affiliate are completely unrestricted by the Act and Regulation P.141 An affiliate is “any company that controls, is controlled by, or is under common control with another company.”142 Thus, private consumer information may flow freely throughout a company’s extended family.