When President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) into law late last year, bankers throughout the U.S. breathed a sigh of relief. Even with some fairly stringent new provisions, the permanent renewal of the FCRA’s preemption provisions — which curtail the ability of consumer-friendly state law to override provisions of the federal legislation — was good news for banking.
Bankers were worried, with good reason, because identity theft — and consumer outrage over identity theft — had spawned a raft of enacted and proposed state legislation aimed at protecting consumers. Some of this legislation was designed to strike at the heart of the U.S. credit infrastructure, particularly the way that creditors go about making lending decisions. Because the identity theft problem isn’t simple, the legislative remedies in play were confusing, potentially costly to the industry, and ultimately threatening to the overall credit business model in this country.
Although bankers won this round, we see many problems ahead — and anticipate continued attacks by legislators on the credit business model. Just as an example of the “dialogue” around the credit business model, Beth Givens, executive director of the Privacy Rights Clearinghouse, was recently quoted as saying “victims of identity theft are the collateral damage of this diabolical business model.” We believe that as long as identity theft continues unabated, the credit industry will continually be threatened by simplistic solutions that have all sorts of unintended consequences.
The core issue is that identity theft continues to grow, more and more people are being affected, and almost nothing is being done within the industry to prevent its continued growth. Worse, there is a real danger of throwing the baby out with the bath water — and damaging the fundamental fabric of the credit infrastructure in the United States.
This infrastructure has been, arguably, one of the great drivers of the American economic engine. Yes, it benefits banks and other creditors, but it also benefits consumers of every economic profile, as well as businesses large and small. So let’s not let the fact that it also benefits criminals lead us to cripple it unnecessarily for all in order to save it from a few.
In this paper, we discuss what we think the problem is and what bankers — and the other owners/participants in the country’s credit infrastructure — can do to actually prevent identity theft. We’ll also discuss why we think bankers can strengthen their relationships with customers by taking aggressive action, and can extend the good work they have already done on the remediation of identity theft.
Remediation programs currently in place within the industry are helping consumers deal with identity theft once they are victimized. Bankers can be proud of their work here, but it’s also very clear that these efforts don’t address prevention, which remains the core challenge at hand.
Why Pick on Credit?
Although identity theft is a many-headed monster — and thieves use stolen identities for many purposes — the gear that turns the crank for fraudsters is purely financial. Without easy access to credit — and the subsequent ready access to cash or easily fenceable goods — the enormity of the problem and the threatening regulatory “solutions” would not be keeping bankers up at night.
If the industry can prevent fraudulent access to credit, the lion’s share of identity theft would wither up and go away. Yes, identities will still be stolen in order to launder money, traffic in drugs, and commit acts of terrorism. But identity theft will shrink, consumer outrage will fade, and law enforcement will be able to concentrate on chasing the really bad guys.
How the Credit Infrastructure Enables Identity Theft
To begin, we use the term “credit infrastructure” to refer to the overall process by which credit data is reported from credit grantors to credit bureaus, stored, and then provided to prospective credit grantors on demand. This basic system grew out of a time when transmissions were batched overnight and consumers never understood how the credit granting industry, so to speak, made sausage. Yes, the system was and remains imperfect — a bit creaky around the edges — but it is still highly effective. Indeed, it is the envy of many other countries, and an all but impossible dream for poorer economies seeking to establish credit-granting regimes.
Unfortunately, the basic structure of this system has become — with the unwitting but critical assistance of the participants in the system — one of the key enablers of identity theft. The root causes are:
- Fuzzy identifiers on credit files. There is no common “credit file number” that uniquely identifies an individual’s credit file for use in retrieving the correct file for that individual. The social security number (SSN) comes close, but the use of this number is mired in controversy. The U.S. government continually says not to use this number — and countless articles admonish consumers to keep their SSN secret. The fact that there is no common credit file number for an individual is in itself astonishing. No business would design a database of constantly changing records without a unique master key. Furthermore, no business would design a database in which the master key is intentionally kept secret, or its use actively discouraged.
- Fuzzy correlation of applicant to credit file. Once the right credit file is in hand, there is no effective mechanism to directly authenticate a credit applicant as being the legitimate subject of a credit file. Applicants are loosely associated with a credit file through a process of associating pieces of data (some subset of name, address, phone, social security number) with a pre-existing credit file. What’s worse, an individual may end up having multiple credit files or, worse yet, multiple individuals may be “mapped” to a single credit file.
- Fuzzy data integrity within the credit file. Once convinced that the correct credit file is associated with the correct individual, there is no guarantee that the data in the individual’s credit file is current or even historically accurate. The credit files themselves have become “messy” over time: people move, change names, change jobs, change names again, lose their social security cards, get new social security numbers, et cetera. It is very hard for individuals to know if their credit file is accurate and very difficult to change it if it’s not.
As a result of this environment — and somewhat ironically — a genuine credit applicant and a fraudulent credit applicant do essentially the same thing when they apply for credit. They both provide assorted pieces of data about themselves, which the prospective credit grantor uses to make its credit decision.
The credit grantor tries to match up the application data with credit files and with other databases used for identity verification. Because this process is not exact, an industry has grown up around methods to help prospective credit grantors perform this match. In effect, this has become a game of probabilities — credit grantors score (sometimes literally) the “goodness” of the match between the application data and the data resident in credit files.
This reality is not the fault of the banks, the credit bureaus, or other credit grantors. The system simply grew up this way, and has — until relatively recently — worked quite well.
The problem now is that identity thieves have figured out how to game the basic structure of this system. They take advantage of the fact that you only need certain bits of information to obtain credit, that the files are messy and confusing, and that there is often no requirement to directly prove identity. These problems are not new — but until now they haven’t been worth fixing. Identity theft has changed everything — and we now must attack the problem or risk losing everything.
Industry Solutions To Prevent Identity Theft
There are many approaches to dealing with identity theft being advocated today. While some may be plausible on the surface, none of these solutions really address the core problem in a systematic way. Some examples include:
- The obscure identity. Advocates believe that identity theft could be solved if consumers were just more diligent with how they handle sensitive personal information. Using this “blame the victim” approach, consumers are told to not give their data out “unnecessarily”, and to shred documents containing their data. The premise here is that if identity thieves don’t have any of the bits and pieces of data they need to steal an identity, they can’t do it. This is a truly pathetic solution: at best, it only reduces the incidence of identity theft by some small degree. These pieces of data are unfortunately already everywhere, and cannot be effectively hidden by the actions of the consumer. Furthermore, it is downright insulting for an institution to tell its customers that they must hide their data to protect themselves from a system they have no choice but to participate in.
- The vigilant consumer. Advocates believe that the financial impact of identity theft could be mitigated if consumers would just closely monitor their credit files and subscribe to “credit watch” services. The first problem with this approach is that it’s not really preventative and is only helpful once the horse is out of the barn. The second problem is the industry value proposition, which is to make consumers pay up front to find out sooner rather than later that they have been victimized. This is unattractive at many levels, and is only going to fuel additional consumer outrage with identity theft.
- Strong authentication. Advocates believe that identity theft could be reduced if credit grantors were required to make sure that the applicant is the “real” person associated with the credit file. Although this sounds good, it is currently impractical. The prospective grantor of credit has no effective way of verifying the identity of the credit applicant — because (by definition) they have no relationship with this applicant: indeed, they are trying desperately to establish one. Credit grantors are left with the task of verifying the identity of the consumer through a process of data verification — which is the very process that identity thieves are gaming. Credit grantors may try to require better forms of direct identity proof — but this is unrealistic in a world where significant volumes of credit extensions are done simply over the phone or online. A credit grantor might require physical identity documents for applications received at a branch or store, but these documents are trivially easy to forge, and the reviewer is apt to be a clerk with little aptitude for serious identity fraud detection. Not surprisingly, credit grantors are strongly resisting these proposals as simply being costly and ineffective.
- Closed file. Advocates believe that identity theft would be significantly cut if the consumer that “owns” their own credit file could shut down the file and only open it to prospective credit grantors upon the consumer’s specific request. Again, this sounds good but turns out to be problematic. The credit bureaus today — as holders of the consumer’s credit files — have no effective means to authenticate the consumer as the person to open or shut the credit file. Indeed, because multiple bureaus are involved, access control is even more problematic. And bureaus and banks alike are also worried about the prospect of identity thieves gaining control over credit files in this way.
What all of these preventative measures have in common is a belief that the credit granting infrastructure is fundamentally sound and that minor tweaks on the front end or the back end of the process are all that’s needed to nicely deal with the problem.
A Modest Proposal
We think there are over-the-horizon solutions to identity theft that draw on some of these current approaches — and add some additional elements. Here are the additional elements we’ve identified:
- Use bank authentication to give consumers online access to their credit files.
Today, a significant percentage of Americans have an authenticated, online relationship with their primary transaction bank. Technologies and standards have emerged that would make it simple for that bank to provide identity assurance on behalf of that consumer to a credit bureau (imagine logging into your credit bureau files from your current online banking service).
- Give consumers online mechanisms to view and correct their own credit files.
Rather than resisting this as a cost, credit bureaus (perhaps sharing with the banks as identity providers) could create additional revenue streams by providing these capabilities to consumers. Consumers, after all, have the highest motivation to see that their credit files are as clean, and as good, as possible. Furthermore, there is abundant evidence from multiple industries, including banking, to support the notion that customers develop high degrees of satisfaction with effective self-service. And although changing the systems to permit this would be costly, we suspect that in the long run overall system costs would be reduced with this model.
- Establish a credit file numbering system to uniquely identify the right file.
The common numbering system would be controlled by banks and used by credit bureaus. But here’s the twist: This number would not be a secret — so that the consumer feels free to tell any enterprise they do business with “this is my common credit file number.”
- Move towards “lockable” credit files controlled by consumers.
Let the “closed file” provisions described above be implemented over time — but give consumers, who are increasingly online, easy, fast and effective ways to control the dissemination of their credit records — while at the same time being authenticated by the institutions who best support consumers in doing this.
- Give consumers the option to select a preferred credit bureau.
Longer term, the credit file system may need to change so that the credit bureaus compete for the right to hold a given consumer’s credit file, rather than having each file held at multiple bureaus. In a more consumer-centric world, this would make sense, allowing the consumer a single point of monitoring of their credit information. Obviously, this would turn the current business model of the credit bureaus upside down — but may result over time in a healthier credit infrastructure overall.
Implementing these ideas would take long-term, cooperative effort on the part of banks, credit bureaus, and other credit grantors. But the payback could be significant.
Reframing the Argument
None of this is simple, nor easy or quick to do. Reasonable people can (and will!) make forceful arguments against these approaches. But bankers must deal with the severity of the identity theft problem — and with how real the legislative threats are to their current business model.
The way the credit infrastructure works today is much more the result of happenstance than necessity. Indeed, if the credit infrastructure had not developed in this country the way it did, it is unlikely, given today’s pro-consumer privacy environment, that credit bureaus would be allowed to receive, and pass on, private consumer financial data, without that consumer’s explicit consent. Like many things in life, industry participants are far more likely to succeed if they have a realistic plan than if they just complain about how unreasonable government sanctioned mandates might be.
As you think about these elements, it may be useful to reframe the problem along these lines:
- The fraudster is the enemy; the applicant is the customer.
The industry has been used to thinking of credit reporting, at some level, as an adversarial relationship between the applicant and the credit grantor. In fact, with easy access by consumers to credit reports and credit scores, this is starting to shift. But we must accept this more openly — the real adversarial relationship is between fraudsters and the rest of the world, not between the consumer and their creditor. If banks lead the way in creating a more open and consumer-controlled view of credit files (not, of course, of the content of those files) it can strengthen the banks’ relationship with their customers.
- Credit file data should be private; credit file identifiers should be public.
A consumer’s credit identifier need not and should not be secret. The data associated with that consumer’s credit identifier — now that should be secret! Of course, this means that knowing the consumer’s identifier should not be enough to provide access to the data. Authentication by the consumer should be required to gain access to data. Think of it this way: knowing the address of a house does not give you the key to unlock the front door.
The identifier needs to be public so that multiple parties can associate a variety of personal data with that identifier. Now, some privacy advocates say that having a common identifier permits undesirable data association. That’s simply naïve. The current structure demands that enterprises do extensive data manipulation and matching to try to associate these data sets. As a result, way too many enterprises know your personal data: they need it in order to figure out who you are. This argument essentially supports the inefficiencies of the current system as a means of protecting privacy. It is a false argument: in fact, the inefficiencies of the current system actually are enabling identity theft, a much greater invasion of personal privacy.
- Together, all banks win; separately, each bank loses.
By definition, banks have very strong authentication capabilities for their known customers. Because they also compete at many levels for customers, there has been, historically, a great reluctance for one bank to use its authentication capabilities to help another bank provide services to a consumer. Although understandable, this needs to change. Non-banks are effectively using banks for customer authentication (does the name PayPal ring a bell?). It is time that banks use their own technology and power to protect their customers from the monster of identity theft. Again, this can only strengthen banks’ relationship with their customers and their role as trusted and respected institutions.
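An added illustration, not part of the original paper: the code below contrasts the data-matching process described under “How the Credit Infrastructure Enables Identity Theft” with the public-identifier, bank-authenticated release of a credit file argued for above. The field names, the file number format, the per-request nonce, and the use of an HMAC key shared between bank and bureau as a stand-in for a signed bank assertion are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample record; every value is made up for illustration.
FILE = {"file_no": "CF-1001", "name": "Jane Sample", "ssn": "000-00-0000",
        "address": "1 Example St", "phone": "555-0100"}
MATCH_FIELDS = ("name", "ssn", "address", "phone")


def match_score(application, credit_file):
    """Data-matching model: share of application fields equal to the file."""
    hits = sum(
        application.get(f, "").strip().lower() == credit_file[f].strip().lower()
        for f in MATCH_FIELDS
    )
    return hits / len(MATCH_FIELDS)


def bank_assertion(bank_key, file_no, grantor, nonce):
    """Issued by the consumer's bank only after its own online login.

    Assumption: HMAC with a bank/bureau shared key stands in for a signed
    assertion; it binds the file number to one grantor and one request.
    """
    msg = f"{file_no}|{grantor}|{nonce}".encode()
    return hmac.new(bank_key, msg, hashlib.sha256).hexdigest()


class Bureau:
    """Hypothetical bureau that treats the file number as public."""

    def __init__(self, bank_key, files):
        self._key = bank_key
        self._files = {f["file_no"]: f for f in files}
        self._seen = set()  # nonces already honoured, to reject replays

    def release(self, file_no, grantor, nonce, assertion=None):
        """Return the file only for a fresh, valid assertion for this grantor."""
        record = self._files.get(file_no)
        if record is None or assertion is None or nonce in self._seen:
            return None  # knowing the identifier alone unlocks nothing
        expected = bank_assertion(self._key, file_no, grantor, nonce)
        if not hmac.compare_digest(expected, assertion):
            return None
        self._seen.add(nonce)
        return record


if __name__ == "__main__":
    thief = dict(FILE)  # a fraudster holding the same data as the owner
    print("match score for stolen data:", match_score(thief, FILE))
    bureau = Bureau(b"constructed-demo-key", [FILE])
    print("identifier only:", bureau.release("CF-1001", "lender-a", "n1"))
```

Under data matching, the applicant holding stolen data scores exactly as the legitimate owner does; under the identifier-plus-assertion model, the same data and the public file number release nothing without the bank's assertion.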
Financial institutions and credit bureaus worked together to build the credit infrastructure of this country — and have created a great asset for themselves and the economy. Today, that infrastructure is being used by criminals to facilitate crime, resulting in significant losses for financial institutions, and undercutting the fundamental trust and goodwill that banks enjoy with their customers. Banks and credit bureaus must cooperate now to lock down the infrastructure and slam the door on identity thieves. It’s time to start working towards this important goal.
Initial Publication Date: May 12, 2004