Privacy Groups Urge Federal Reserve Board to Protect Consumers from Identity Theft and Stolen Convenience Checks
Posted: March 28, 2005
Submitted to the Federal Reserve Board by
Privacy Rights Clearinghouse
Electronic Privacy Information Center
Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
RE: Comments -- Open-End (Revolving) Credit Rules – Docket No. R-1217
Dear Secretary Johnson:
The Privacy Rights Clearinghouse (PRC) appreciates the opportunity to comment on the Federal Reserve Board’s (Board) advanced notice of proposed rulemaking (ANPR) to modify Regulation Z which implements the Truth in Lending Act (TILA).1 The PRC is joined by the Electronic Privacy Information Center, CALPIRG and USPIRG in submitting these comments. All are nonprofit consumer advocacy organizations with a long history in advocating for individuals’ privacy rights. Additional information about these groups is provided in the footnote. Contact information is provided at the end of these comments.
As the Board is well aware, identity theft is the fastest growing crime in America. The Federal Trade Commission (FTC) estimates that identity theft claims nearly 10 million victims annually, costing millions to consumers and business alike. 2 In addition, the FTC reported in February 2005 that identity theft topped the agency’s list of consumer complaints for the fifth year in a row, accounting for 39% of complaints received by the agency in 2004.3
Significantly, a high percentage of identity theft complaints involve fraudulent use of open-end (revolving) credit products, particularly credit cards. Unsolicited credit products such as convenience checks and activated cards sent through the mail create opportunities for theft. For this reason, we limit our comments here to questions posed by the Board that have broad implications for victims of identity theft.
Q45. Have consumers experienced problems with convenience checks relating to unauthorized use or merchant disputes, for example? Should the Board consider extending any of TILA's protections for credit card transactions to other extensions on credit card accounts and, in particular, convenience checks?
Identity theft is the number one topic about which consumers contact the PRC. We respond to approximately 60-100 consumer telephone and e-mail inquiries each week. Many of these inquires come from known identity theft victims while others contact us with general concerns about how to protect sensitive information that could be used to commit fraud.
We have received several complaints from victims who were able to trace the fraud to unauthorized use of convenience checks. We have received many more calls from consumers seeking advice on how to protect themselves against unauthorized use of convenience checks.
We do not believe the limited number of actual victims we have heard from proves that misuse of convenience checks is not a consumer protection issue. Most victims simply do not know how the thief obtained their personal information. And, once a fraudulent transaction appears in a credit card account, the consumer would generally have no way of distinguishing, from the statement itself, a theft that resulted from unauthorized use of a convenience check or misappropriation of the account number.
The most important thing for the Board to consider is that convenience checks create a heightened risk for identity theft and create a tempting opportunity for thieves, particularly those that gain access to consumer information by stealing mail. This is because convenience checks:
- Come unsolicited.
- Do not come at predictable cycles so that consumers can watch for checks in the mail and take action if the check does not arrive.
- Do not require activation.
- Give consumers no opportunity to opt-out of receiving the checks as with pre-approved credit card offers.
- Include information necessary to not only cash a single check but to establish still other accounts in the victims’ name.
[Clarification 4/21/05: Previous phrase should instead read: Include information necessary to not only cash a single check but, when combined with other personal information, to establish still other accounts in the victim's name.]
Instances of obtaining mail for the purpose of identity fraud are all too common. For example, in San Diego alone, instances of identity theft by stealing mail have made the news in just the last month. In one case, it was a letter carrier who stole pre-approved credit card offers, bank statements, and other information to support his drug habit.4 In another widely reported case in the San Diego area, a couple was sentenced to prison terms for stealing mail from rural mail boxes. Convenience checks, in the hands of such thieves, would be even easier to use than having a credit card account number. With a convenience check, there would be no need to make a counterfeit card, change an address, or create a new account. The thief could simply sign the name on the face of the check and present it to any merchant.
We strongly urge the Board to amend the TILA’s rule to give consumers the same protections for convenience checks as with other credit card transactions. Currently, convenience checks are not covered by the TILA because convenience checks do not meet the definition to be considered under the rule, that is the checks are only used once and not “from time to time” as to qualify as a credit card transactions.
This distinction is much too narrow because the end result is always the same: Consumers assume debt on their credit card and the debt appears on the account like any purchase made with the card itself. Given the growing number of credit transactions solicited in this way, the definition of from “time to time” is not in step with the current practices of the credit industry.
Furthermore, although each convenience check can only be used once, convenience checks often come in packets of three or more checks. In addition, a credit card issuer that offers credit through convenience checks generally does so from “time to time,” not on a one-time basis with only one opportunity for the consumer to use only a single convenience check during the entire life of the account.
Q46. Should the Board consider revising Regulation Z to allow creditors to issue additional credit cards on an existing account at any time, even when there is no renewal or substitution of a previously issued card? If so, what conditions or limitations should apply? For example, should the Board require that the additional cards be sent unactivated? If activation is required, should the Board allow issuers to use alternative security measures in lieu of activation, such as providing advance written notice to consumers that additional cards will be sent?
The Board should not allow creditors to send any “live” credit product through the mail unless the product has been specifically requested by the consumer. Additional credit cards sent without the consumer’s knowledge carry much the same risks as convenience checks. The Board should require that all such credit products be activated by the recipient before becoming usable. Given the epidemic of identity theft and the interception of mail as a primary method to commit this fraud, sending unsolicited credit products that require no advance notice and no activation is among the most irresponsible business practices imaginable.
Consumers are persistently given a series of “tips” from government, consumer organizations such as the PRC, and business itself about how to protect against identity theft. However, none of these self-help steps can guard against identity theft if businesses provide the opportunity for the thief to operate.
Congress, in enacting the Fair and Accurate Credit Transaction Act of 2003 (FACT Act), recognized the important role good business practices can play in curtailing the instances of identity theft. FACT Act provisions to enhance business accountability includes Red Flag guidelines (Fact Act §114), Accuracy and Integrity Guidelines (FACT Act §312(a)), and Reconciling Addresses (FACT Act § 315). The Board and other banking regulators will soon propose regulations to improve business practices that could lead to identity theft. New FACT Act protections, like changes to the TILA, have the potential for establishing comprehensive guidelines and rules to prevent identity theft.
As the Board deliberates changes to the TILA regulations, it should consider the overall need to address the roots of identity theft. Ultimately, more cautious business practices will serve consumer as well as business interests.
Again, we appreciate the opportunity to provide comments on the Board’s ANPR.
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 – 5th Ave., Suite B
San Diego, CA 92103
Phone: (619) 298-3396
Chris Hoofnagle, Director EPIC West
Electronic Privacy Information Center
944 Market St. Suite 709
San Francisco, CA 94102
Phone: (415) 981-6400
Jennette Gayer, Consumer Advocate
3435 Wilshire Blvd Suite 380
Los Angeles, CA 90010
Phone: 213-251-3680 x333
Ed Mierzwinski, Consumer Program Director
218 D St. SE
Washington DC 20003
Phone: 202 546-9707 x314
1. The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels. Since 1992, the PRC has been a leader in educating consumers and promoting strong measures on both the state and federal level to combat identity theft.
The Electronic Privacy Information Center is a not-for-profit research center based in Washington, DC. Founded in 1994, EPIC focuses on the protection of privacy and the First Amendment.
CALPIRG is a statewide nonprofit and non-partisan group that has stood up for California's consumers for the past 30 years.
U.S. Public Interest Research Group (USPIRG) was created by the state PIRGs in 1983 to act as watchdog for the public interest in our nation's capital, much as PIRGs have worked to safeguard the public interest in state capitals since 1971.
2. Identity Theft Survey Report, September, 2003, www.ftc.gov/os/2003/09/synovatereport.pdf
3. FTC Releases Top 10 Consumer Complaint Categories for 2004, February 1, 2005, www.ftc.gov/opa/2005/02/top102005.htm
4. Man traded mail for drugs, DA says, by J. Harry Jones, San Diego Union Tribune, February 23, 2005, www.signonsandiego.com/news/metro/20050223-9999-7m23mail.html
5. Couple get prison for 6 years in mail thefts, by J. Harry Jones, San Diego Union Tribune, February 26, 2005, www.signonsandiego.com/news/northcounty/20050226-9999-1mi26ids.html