Customer Identification Programs for Banks, Savings Associations
and Credit Unions
The National Consumer Law Center1 ("NCLC") submits the following comments on behalf of its
low income clients regarding the proposed rules on Customer Identification Programs
for financial institutions. NCLC makes this comment for two reasons. First,
we present comments regarding the potential effect of the proposed regulations
on addressing the serious problem to consumers of identity theft. Second, we
want to ensure that Customer Identification Programs contain a reasonable method
for new immigrants to this country to have access to basic financial services.
We believe that these distinct issues do not require contradictory results.
We share the concern about
security issues which precipitated these regulations, and our comments do not
advocate minimizing those concerns. Indeed, we are advocating stronger protections
against identity theft. However, the regulations should strike a balance between
addressing identification theft (as well as the associated security issues)
and ensuring that all consumers, including immigrants and others with limited
documentation, maintain access to financial services and products. Immigration
status should not be the basis for excluding a consumer from such services.
We are proposing that Customer Identification Programs be required to use more
stringent evaluation of existing information -- more logical verification --
which should have the effect of protecting against identity theft while not
making it more difficult for new immigrants to access banking services.
Protection Against Identity Theft.
We recognize that the motivating factor
for these regulations is Section 326 of the USA Patriot Act, which requires
regulations for reasons of national security and anti-terrorism efforts. However,
as the agencies note in the Supplementary Information, the Customer Identification
Programs required for financial institutions can also be useful in protecting
against identity theft. Unfortunately we think that the protections currently
proposed in these regulations that financial institutions would be required
to employ against identity theft are so minimal as to be basically useless.
There are a series of problems
with these proposed regulations. First, very few specific requirements are actually
imposed on financial institutions. Essentially, financial institutions are required
simply to have a program identified as a Customer Identification Program. This
program must have separate requirements for initial identification and later
verification of the identity of individuals; however, the regulatory current
proposal fails to include any specific mandates, nor does it have requirements
for notice to consumers about the program. Furthermore, the proposal relies
upon very weak record keeping requirements.
The few specific requirements in the regulations are generally vague and lacking
in meaningful demands on financial institutions. Even more alarming, the essence
of the regulations is to allow the financial institutions to follow "risk
based" procedures to authenticate identities, while the bottom line question
of whose risk is unanswered. Some assumptions on this issue can be conjectured
- accounts involving large amounts of money, either in deposits or in credit
will be subjected to a higher degree of identity authentication than smaller
accounts. One problem with this analysis is that the determination of what is
a significant amount of money is very different for a financial institution
than it is for an individual consumer. Yet, the risk of loss to an individual
consumer from identity theft can be significant, even devastating.2
We note that the definition of "account" in the regulation includes both deposit
accounts and credit accounts. Our concerns about identity theft focused mostly
on credit accounts. The consequences to consumers of identity theft from losses
to established deposit accounts is quite different from the consequences of
a person using another consumer's "identity" to establish a fraudulent credit
account. The financial institution generally bears the burden of a fraudulent
transfer from an existing deposit account.3 However, if a consumer has had a new loan taken out in the
consumer's name, the consumer has the burden of proving that the loan was not
made to them, and that they did not benefit from it. The burden and difficulty
of proving of negative is a considerable reason why consumers are suffering
so much from identity theft.
As is well known, identity theft is the "fastest growing type of crime in the
United States."4 The federal agencies regulating financial
institutions in this nation now have an unprecedented opportunity to impose
some meaningful requirements on these institutions which could significantly
reduce a substantial amount of identity theft - without considerable expense,
invasion of privacy to consumers, or even increased difficulty to new immigrants
seeking low cost banking accounts. We propose that this magic bullet can be
accomplished by adding more specific and substantive requirements for financial
institutions to verify the identity of some new customers through increased
requirements for logical verification.
First of all, the issue of "whose risk" should be specifically addressed in
the regulations. When the financial institution will suffer the loss from making
a mistake in verifying the identity, it would be appropriate to allow the institutions
more latitude in devising their own standards of identity verification. However,
when individual consumers would suffer the consequences of these mistakes the
standards should be more specific and more stringent.5
It is important to note here
that the importance of verifying the identity of a particular applicant for
an account is different depending upon whether the individual is trying to show
that he or she is actually a person who is already known to the credit system
versus a person who is establishing a new credit identity. New immigrants to
this country need to be able to establish that they really have a particular
name and live at a particular address - but they are not attempting to show
that they have an identity that is already known to the financial services system.
This is a significant distinction, because there is very little risk of identity
theft from mis-identifying a person who has no history in the financial services
system.
However, the issue of risk
is entirely different for individuals who are attempting to prove that they
are a particular person already known to the system. In other words, when an
adult person seeks to show that he or she is a person who already has a credit
report or has had bank accounts in the past, then this person should be evaluated
to determine whether they can authenticate themselves.
We are very concerned with the privacy implications of requiring or encouraging
private or public agencies to gather new information in an attempt to
verify identity. In fact, this proposal does not suggest that any new information
be gathered about individuals. Instead, we propose that the financial institutions
involved with establishing accounts be required to engage in a system of logical
verification whenever individuals apply to establish or to access accounts
in the name of a person who is already known to the financial institution system.6
A review of any of the vast amount of literature accumulating about identity
theft7 shows that not only is it the crime which is increasing
at the fastest rate, but that far and away most instances of the crime are "low-tech."
Generally, the perpetrator has access to a limited amount of information about
one or more individuals and using that data, the perpetrator applies for new
accounts in the name of the victims. A review of every one of the examples cited
in the recent GAO report on Identity Theft8 indicate that the criminals had access to a limited amount
of information about the victims - generally no more than name, address, Social
Security number, occasionally a driver's license, and possibly some existing
credit card account information.9
Identity theft has been a
persistent and growing problem in connection with credit reports due, in part,
to minimal and general accuracy standards that exist for credit reporting agencies.
As with the current proposed regulations, the FCRA requires credit reporting
agencies to "maintain reasonable procedures to assure maximum possible accuracy."
This general standard thus places the burden on the consumer when credit reporting
errors occur due to identity theft, forcing consumers to spend considerable
time and financial resources to clear their name and credit. To be effective,
the proposed regulations must have clear and meaningful standards for identification
of consumers, yet these standards need not require more documentary proof of
identity.
We do not think requiring
more documentary proof is necessarily the best way to address the diverse issues
presented. As has been noted in the Supplementary Comments, requiring documents
only works in face to face transactions -- leaving transactions over the telephone
or the Internet without equivalent degrees of protections. Documents also can
easily be forged or stolen. Furthermore, requiring more documents simply makes
it more difficult for new immigrants to gain access to banking accounts without
providing meaningful protections from identity theft because of the holes in
the system left by electronic access (telephone and Internet). Many immigrants,
especially refugees, cannot obtain such documents because they arrive from war-torn
countries with literally only the clothes on their backs. Instead, banks should
require that customers show that they know their own history, and can respond
to basic questions about themselves -- information that is available to the
financial institution from other sources, such as the credit report or the passport
issued by the foreign country. This is simply requiring logical verification
of the customer's own information.
Logical verification would
require that before an account could be established, a consumer would be required
to answer a few questions from a large and revolving list of potential questions
which requires the consumer to show that he or she knows some of the information
that the financial institution already has access to from existing and used
data bases. For example, a creditor taking an application for credit would always
access the consumer's credit report, so the consumer might be required to answer
one or more questions about other outstanding credit evident on the credit report:
name another outstanding
credit account that you have,
In addition, the consumer
might be required to show some knowledge that would be logically verifiable,
but not readily known, such as -
If the consumer has a drivers
license - what is the height listed on the drivers license.
If the consumer had moved
in the past few years - information which is apparent on the credit report
B the consumer might be required to name the city and state from which he
or she had moved.
If the customer is a new
immigrant - one might ask the immigrant the name of the city in which the
foreign document provided by the immigrant was issued, or the capital of the
nation from which the immigrant came.
If financial institutions were required to engage in a system of logical verification
of existing data before establishing an account for a person who is known to
the system, a huge percentage of identity theft would be stopped. The proposed
regulations endorse - but do not require - checks for logical consistency and
logical verification only in the limited situations where other documentary
verification of individuals is not possible.11 Certainly the initial reliance suggested on comparing
a government issued picture identification with the individual is a good first
step for identity verification, but it by no means should be the final step
when a bank is seeking to verify that a person has the identity of a person
who is known to the credit system.
We suggest that some degree
of logical verification be required whenever a customer is applying for the
first time to open a credit account with the financial institution, unless that
the financial institution is reasonably certain that this customer owns the
identity asserted. Logical verification is a relatively inexpensive, non-invasive,
but efficient method of establishing identity.
In order to prevent excluding
immigrants and others who are new to the banking system, it is important that
the level of logical verification be dependent on the risk of identity theft,
which in turn will depend on whether or not the person is known to the system.
Many immigrants, as well as other non-immigrant consumers such as young adults,
will not have credit histories available to provide information to be used for
logical verification. However, in those cases the level of verification should
be low because there is little risk of identity theft -- an identity thief is
unlikely to want to steal the credit identity of someone with no credit history.
Also note that the situation which requires the least verification - face-to-face
opening a deposit account -- is the one with which immigrants new to the financial
services system are most likely to be involved.
Having the level of logical
verification depend on whether the person is known to the system is important
because having the same level for all consumers would deter some immigrants
from accessing financial services. If the level of logical verification is the
same, a financial institution might compensate for a lack of credit history
by asking other potentially invasive questions that may needlessly alarm immigrant,
many of whom are already have a distrust of mainstream institutions.
Access for New Immigrants to Bank Accounts and Loan Programs.
We applaud the fact that the
proposed regulations permit financial institutions to use Individual Taxpayer
Identification Numbers and documents issued by foreign governments, such as
the matricula issued by Mexican consulates, in their Customer Identification
Programs. We believe it is very important that financial institutions do not
use immigration status to deny financial services, especially for deposit accounts.
We hope Treasury will encourage banks to allow immigrants to open bank accounts
with ITINs and documents such as matriculas.
_______________________________
1 The National Consumer Law Center, Inc. (NCLC) is a non-profit Massachusetts Corporation,
founded in 1969, specializing in low-income consumer issues, with an emphasis
on consumer credit. On a daily basis, NCLC provides legal and technical consulting
and assistance on consumer law issues to legal services, government, and private
attorneys representing low-income consumers across the country. NCLC has a special
project promoting the consumer rights of immigrants, including immigrant access
to bank accounts and financial services. NCLC publishes a series of sixteen
practice treatises and annual supplements on consumer credit laws, including
Fair Credit Reporting Act (4th ed. 1998), Consumer Banking and Payments Law
(2nd ed. 2002) and Cost of Credit (2nd ed. 2000), as well as bimonthly newsletters
on a range of topics related to consumer credit issues and low-income consumers.
These comments are authored by NCLC attorneys Margot Saunders and Chi Chi Wu.
2 For
example, a financial institution might make a business decision that engaging
in comprehensive identity verification procedures for new depositors of amounts
less than $1,000 is not cost effective. Yet, once this depositor has established
an account, he becomes a known customer to the financial institution, and when
two weeks later he seeks to process a loan for $10,000, the identity verification
requirements would be met because he is a known customer. Yet, if this customer
is using another person's identity, the potential consequences to the victim
of a fraudulent $10,000 loan in his name can be devastating. See ' 103.121(b)(2)(ii)
". . .A bank need not verify the information about an existing customer seeking
to open a new account, . . . if the bank previously verified the customer's
identity in accordance with procedures consistent with this section, . . ."
3 If
the loss occurred as the result of a forged check or other negotiable instrument,
the consumer would be protected under the Uniform Commercial Code. If the account
holder alleges forgery, UCC ' 3-308 requires the financial institution to recredit
the account unless the institution can prove there was not a forgery. Similarly,
if the account was accessed through an electronic device, the Electronic Fund
Transfer Act puts the onus on the financial institution to recredit the account
in the event of an unauthorized transfer, unless the financial institution can
prove fraud. 15 USC 1693g(b).
4See,
General Accounting Office, Identity Theft - Greater Awareness and Use of
Existing Data Are Needed, June, 2002 (hereinafter referred to as "GAO Report")
at 1.
5 On
the other hand, we believe that it would make more sense to place the burden
of loss from mistakes in authenticating identity for financial transactions
on financial institutions - just as is done currently in the Uniform Commercial
Code, the Electronic Fund Transfer Act and the Fair Credit Billing Act. That
way, the business risk of measuring cost versus benefit can be carried out in
a more meaningful way - the party evaluating the risk versus the cost will suffer
the consequences of a mistake in the analysis. See note 3, supra.
6 People
are "known" to the system of financial institutions through a overlapping web
of credit reporting agencies, check reporting agencies, and public and private
data bases.
10 For example, the website for ordering credit scores from Fair
Isaac, http://www.myfico.com/, uses logical
verification. When consumers order their credit scores, they are asked to answer
specific questions about a particular credit account shown on their credit report,
e.g., who is the lender that holds their mortgage and how much is the monthly
payment.
11 103.121(b)(2)(ii)(B) Non Documentary Verification.
