PRIVACY TIMES EDITOR: EVAN HENDRICKS Testimony of Evan Hendricks, Editor/Publisher Privacy Times www.privacytimes.com Before The House Committee On Financial Services Mr. Chairman, thank you for the opportunity to testify before the Subcommittee. My name is Evan Hendricks, Editor & Publisher of Privacy Times, a Washington newsletter since 1981. For the past 23 years, I have studied, reported on and published on a wide range of privacy issues, including credit, medical, employment, Internet, communications and government records. I have authored books about privacy and the Freedom of Information Act. I have served as an expert witness in Fair Credit Reporting Act and identity theft litigation, and as an expert consultant for government agencies and corporations. I was closely involved in the six-year process that resulted in the 1996 Amendments to the Fair Credit Reporting Act. An important lesson to be drawn from that exercise is that the best way to improve our national credit reporting system is to strengthen protections for consumers. The more power that consumers have to maintain reasonable control over their credit reports, the better the chances for improving their accuracy and ensuring they will be used fairly and only for permissible purposes. The 1996 Amendments aimed to address several problems, including chronic inaccuracy, non-responsiveness and inadequate reinvestigations by consumer reporting agencies (CRAs) and furnishers, the reinsertion of previously deleted data and the impermissible use of credit reports. Congress recognized that the evolution of a reporting system that became more national and scope and more automated also necessitated a legal evolution that would further empower consumers to be the guardians of their own data. Congress has always recognized that the States play an important role in advancing consumer protection, both through enforcement and innovative legislation. The record is clear that credit report inaccuracy, inadequate reinvestigations, CRA and furnisher non-responsiveness, reinsertion and impermissible use persist to this day as serious problems that are damaging to consumers and the credit reporting system itself. Moreover, our laws for protecting the privacy of financial data not covered by the FCRA are woefully inadequate. Thus, it is imperative that Congress further strengthens the FCRA and national financial privacy laws, and gives the States more freedom to act in ways that are consistent with the overall national goal of protecting consumer privacy. The unfortunate reality under the current system for many consumers who are victims of inaccurate credit reports and/or identity theft is that they can only force CRAS and furnishers to truly reinvestigate and correct errors by filing a lawsuit. I have seen cases in which consumers followed all the normal procedures to get errors corrected, only to find that inaccurate information was "verified" as reported, or previously deleted information was reinserted. In these cases, the procedures of CRAs and furnishers were simply unable to achieve accuracy. As I will detail in this statement, the market forces (i.e., the high volume of disputes and cost of personnel) has created a regime that is tolerating significant, and probably unacceptable, levels of inaccuracy. For those consumers, this creates a corresponding chain of damages. It also raises serious questions about the accuracy and integrity of the data in the national credit reporting system. In fact, the CRAs, as a matter of policy, give priority treatment for people that have filed suit or have threatened to sue. In my opinion, CRAs have calculated that it costs less to fend off the occasional lawsuit than to invest the resources necessary to prevent the problems that caused credit report inaccuracies to become the leading cause of complaints to the FTC in 1991-93. The CRAS are probably correct. Filing suit under the FCRA is a daunting and arduous task, due to the enormous discovery challenges and defense litigation tactics. There is only a small community of plaintiffs' attorneys that specialize in the area. I have spoken with consumers that could not on their own find an attorney to represent them. The 1996 Amendments attempted to preclude the need for litigation by specifying a higher standard of care for CRAS, furnishers and users of credit reports. We need to recognize the reality that the Amendments have not achieved their goal and that in too many instances consumers who want to protect their good name must sue. Considering that CRAs keep records on some 190 million Americans, we also must recognize that we will never be able to build a bureaucracy big enough to enforce Americans' right to credit report accuracy and privacy. Therefore, it is necessary to "popularize" enforcement by strengthening individuals' authority to protect their own rights. We discovered in 1970 that the advent of a national credit reporting system posed significant threats to privacy and fairness, and we enacted the FCRA. In the early 1990s, we discovered that the statute was not adequate to protect privacy and encourage accuracy, and enacted the FCRA Amendments in 1996. Today, the evidence is compelling that the current law is still inadequate and must be strengthened, and that the States have played and will continue to play an important role in protecting consumers and improving the system. CRA Methods Can Cause Inaccuracy A fundamental problem with inaccuracy is that it can cause the unjust denial of credit. In several of the cases in which I have served as an expert witness, CRAs have mismerged data about two different consumers because their algorithms tolerate what's known as "partial matches." If you are an unlucky consumer who gets on the wrong side of a CRA's algorithms, your life can become a nightmare. First, a brief description of how the database systems of the three major CRAs operate. The credit grantors (furnishers) regularly send the CRAS millions of bits of data on consumers' payment histories. The CRAS store this information in a massive database that includes information on virtually all American adult users of credit. When a consumer applies for credit, the credit grantor (subscriber) relays to the CRA identifying data from the consumer's credit application, at a minimum, name and address, often the SSN, and sometimes date of birth. Applying this identifying or "indicative" data, the CRA's algorithm then decides which information in the database relates to or "matches" that consumer, and then "returns" to the credit grantor (subscriber) a consumer credit report consisting of these data. The algorithm has a list of factors it considers when deciding which data in the database apply to which consumers. The first factor is geographic region. Another key factor is the SSN. First name and last name are separate factors. From the CRA's point of view, an important goal is to provide the credit grantor with all data it has about the consumer and to ensure that nothing is missed. Therefore, TU seeks to maximize disclosure of any possible information that might relate to consumer about whom a subscriber inquires. To accomplish this, the algorithm is designed to accommodate such errors as transposed digits within SSNs, misspellings, nick names and changed last names (women who marry), by accepting "partial matches" of SSNs and first names, and in some circumstances, assigning less importance to last names. In my opinion, the manner in which CRA's systems tolerate partial matches has been a primary cause of mixed files and other inaccuracies, and has been readily exploited by identity thieves. For example, the testimony in the case of Judy Thomas, a resident of Klamath Falls, Oregon, was that Thomas' SSN was only one digit different than that of Judith Upton, of Stevens, Washington. This, probably coupled with partial matches on first name, caused CRA's algorithm to assume that the one-digit difference was a clerical error and that Thomas and Upton were the same person, with one SSN. Many of Upton's derogatory trade lines were improperly merged on to Thomas' credit report, causing delays in obtaining a mortgage and other hassles and distress. In the case of Myra Coleman, of Mississippi, Maria Gaytan, of California, applied for credit using Ms. Coleman's SSN, creating an exact match of the SSN. This exact match allowed CRA's algorithm to tolerate major and obvious differences in last name, address, City, State and date-of-birth. Gaytan's derogatory trade lines then polluted Coleman's credit report. Then there is the case of Carol Fleischer, who was improperly merged with Carolyn Cassidy. In 1991, when she applied for credit, the CRA's algorithm saw there was another "Carolyn" (albeit Cassidy) living in Michigan (albeit Highland, instead of Ann Arbor) and an SSN with only one digit difference. This caused Cassidy's negative trade lines to be merged into Ms. Fleischer's credit report, which was then returned to the credit grantor to which Ms. Fleischer had applied for credit. But in 1997, Ms. Cassidy apparently put Ms. Fleischer's SSN on Cassidy's credit applications. Again, the exact SSN match, coupled with a partial match in the first name and market area, allowed the CRA algorithm to tolerate obvious differences in several other data fields. In sum, instead of using the SSN as a tool for inaccuracy, in these situations, the CRA converts the SSN into a tool for inaccuracy. In certain circumstances, some CRA algorithms tolerate a partial SSN match of 7 out of 9 digits. In my opinion, this is inconsistent with separate consent agreements between the CRAS and either the State Attorneys General or FTC to use "Full Identifying Information," defined as "full last and first name; middle initial; full street address; zip code; year of birth any generational designation; and social security number." Inadequate Reinvestigation, Major Volume It can be very problematic for consumers when a CRA improperly mixes their data with someone else. But it can be extremely maddening when the CRA then fails to "unmix" it after errors are disputed. Every independent study of the credit reporting system has found significant levels of inaccuracy. This includes the most recent studies from the Consumer Federation of America and the Federal Reserve Board, and a succession of studies by the U.S. Public Interest Research Group and Consumers Union ranging back to 1990. ✰ In my opinion, another indication of inaccuracy is the large volume of disputes received by the CRAS. The estimates are that CRAS receive from anywhere between 5,000 to 25,000 consumer disputes per day, with 7,000-10,000 being the more typical range. CRA dispute handlers are expected to handle between 10-12 consumer disputes per hour. Because each consumer dispute averages three disputed items, this means the CRA employee only has a few minutes to handle each disputed item (36 disputed items, divided by 60 minutes = 1.66 minutes) (What we do not know at this point is what percentage of disputes are driven by credit repair clinics, which typically attempt to flood the system.) Credit grantors have seen a jump in dispute volume as well. For instance, in October 2001, Capital One received about 1,000 disputes per day, according to a company official. By May 2002, it had grown to 2,000 disputes per day. The official said the number of disputes has now grown to 4,000 per day. To deal with this volume, the CRAs and furnishers have set up an automated system for exchanging messages when consumers dispute inaccuracies in their credit reports. For example, a consumer writes to the CRA to dispute inaccurate information in his or her credit report. The consumer's letter provides detail of the errors. Supporting documentation is attached. But rather than forward this information to the furnisher, the CRA typically reduces the consumer's dispute to a two-digit code (usually meaning "Not Mine") and sends it to the furnisher. The furnisher typically will only check to see if the information it previously furnished is the same information it has on file. If it is the same, then the furnisher "verifies" the previously furnished information. In other words, market forces, i.e., the high volume of disputes and the cost of human resources, have prompted the financial services industry to cut corners when it comes to FCRA reinvestigations. This process is particularly maddening for consumers who are victims of mixed files and/or identity theft. For instance, when Judy Thomas disputed information generated by Judith Upton, the furnishers "verified" the information because they previously had reported the same information about Judith Upton. Of course, this is a huge breakdown in how the system is supposed to work. In the 1996 Amendments, Congress specifically required CRAS to "forward all relevant information" concerning a consumer dispute to the furnishers. All parties were required to conduct reinvestigations. This two-dimensional message exchange does not amount to a true reinvestigation. (My Webster's New Collegiate Dictionary defines "investigate" as "to observe or study by close examination and systematic inquiry." One of the definitions of "systematic" is "marked by thoroughness and regularity.") The testimony before this Subcommittee last week by Leonard Bennett, a Virginia consumer attorney, provides great detail as to the defects in this process. The bottom line is that the current "reinvestigation" process engaged in by CRAS and credit grantors is not designed to find the truth. Like Mr. Bennett, I quote from a deposition of the Capital One employee responsible for consumer disputes, who was being questioned by Michigan attorney Ian Lyngklip. |