July 7, 2003
Senator Richard Shelby
Chairman, Senate Committee on Banking,
Housing, and Urban Affairs
110 Hart Senate Office Building
Washington, DC 20510
Senator Paul Sarbanes
Ranking Member, Senate Committee on Banking,
Housing, and Urban Affairs
309 Hart Senate Office Building
Washington, DC, 20510
RE: Senate Banking Committee Hearing on the Accuracy of Credit Report Information and the Fair Credit Reporting Act
Dear Chairman Shelby and Ranking Member Sarbanes:
The Electronic Privacy Information Center (EPIC) submits this letter for inclusion in the hearing record for the Senate Banking Committee Hearing on the Accuracy of Credit Report Information and the Fair Credit Reporting Act. EPIC is a not-for-profit research organization based in Washington, D.C. Founded in 1994, EPIC seeks to promote personal privacy rights and expand access to government information. The Fair Credit Reporting Act (FCRA) is a primary concern of EPIC, as it sets a legislative framework of Fair Information Practices to address rights and responsibilities in the handling of personal information. We maintain a web page on FCRA online at http://www.epic.org/privacy/fcra/.
We write to call your attention to the structural problems inherent in the credit reporting industry. Consumers are at the mercy of credit reporting agencies (CRAs) and yet CRAs are focused on serving subscribers (users of credit reports), not consumers. They view consumers as cost centers and have incentives to minimize the efforts they extend to solving consumer disputes. Moreover, furnishers have little incentive to ensure that the information they provide to CRAs is accurate, and consumers have difficulty monitoring their credit reports.
We encourage the Committee to hold CRAs and furnishers to higher reinvestigation standards; create parity in access to credit reports; require subscribers to provide to consumers any reports they rely on in making adverse determinations; and give consumers a right of action against furnishers who continue to provide inaccurate information to CRAs after notice that the information is inaccurate.
CRAs receive many complaints.
Our credit reporting system has serious flaws. On average, Experian's service center has received twenty five to thirty thousand pieces of mail per day. Sometimes the figures are much higher, and the majority of the pieces of mail are actual disputes.1 Likewise, CRA call centers receive large volumes of telephone calls from consumers complaining about their credit reports on a daily basis. For example, CSC Credit Services receives 1500 to 2500 disputes per day.2
Documents obtained by EPIC under the Freedom of Information Act indicate that the number of consumer complaints to the Federal Trade Commission regarding the CRAs is increasing. In 2001, the FTC received over 8,000 complaints against the major CRAs. This number grew to over 14,000 in 2002. For the first half of this year, the FTC had already received 6,300 complaints. We have appended these FOIA documents to our letter, and have posted them online at: http://www.epic.org/privacy/fcra/ftccracomplaints.pdf
Consumers need free and complete access to their reports.
Because CRAs are the entities that generate and manage credit reports, consumers have to trust CRAs to diligently follow-up on their complaints and resolve their disputes. The ability for consumers to review the accuracy of their credit reports is inhibited by two problems. The first is that consumers must pay to access their own credit reports. Only a few states require CRAs to provide consumers with their own reports without paying fees.
Second, when consumers obtain their credit reports, they do not always receive the same information that subscribers see. This is because CRAs treat subscriber and consumer requests differently. CRAs require that subscribers submit just a few identifiers, a practice that results in the generation of a different report, possibly one that erroneously includes the information of other people (a "mixed" report). CRAs require consumers to submit much more information, which results in the generation of a more accurate report. Because subscribers and consumers are held to different standards in specifying identifiers used to generate reports, they may receive different reports.
We believe that this practice violates the FCRA, as consumers are supposed to have access to all the information communicated in the process. The Act is specific in defining a consumer report as "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness..."3 In sending a different report to a subscriber, the CRAs violate the principle that consumers should receive "any...communication" of information concerning them.
To address this problem, we recommend creating parity requirements before access is granted to credit reports. That is, subscribers should have to match more identifiers than they currently do in order to obtain a report and grant credit. Subscribers can obtain a report and grant credit with just a few identifiers, even if they do not match accurately.
A requirement to match more identifiers may lead to a decrease in identity theft. For example, in one instance, an identity thief applied for a credit card at Dillard's Department Store using her own name and address, and the victim's social security number.4 The thief's first initial and last name were the same as the victim's. Trans Union provided Dillard's with the victim's credit report because the first initial, last name, and social security number on the application matched their credit report file.5 Dillard's approved the credit card, and the thief was issued a credit card under the victims' identity. If Dillard's were required to actually match information on the application fully with information from the CRA, this incident would have been prevented.
California has adopted a sensible approach to manage this problem. California Civil Code 1785.14 requires grantors to match three categories of identifying information from the file with the individual's application. The Committee has the opportunity to strengthen this protection by requiring that four information items from the application match the report. This simple, common-sense approach is likely to deter a significant amount of identity theft.
Perverse incentives pervade the system because dispute resolution is a cost center; subscriber business is a profit center.
Ultimately, CRAs make money from their subscribers, not consumers. One former employee of Experian explained, "It is made clear that they [subscribers] pay your paycheck and don't forget it."6 To a CRA, individuals are not the customers, they are data subjects: subscribers are the real customers. As such, CRAs are motivated to cater to their subscribers. Individuals, however, are not a sufficient source of income to CRAs. As such, the consumer dispute resolution process is a cost center, and CRAs have little incentive to invest in resolving customer complaints. This problem translates into inadequate customer support. The less a CRA spends on complaint management, the lower their bottom line.
As noted above, CRAs receive vast amounts of complaints in a day. Yet, they do not provide adequate resources to handle these complaints. As a result, CRAs impose increasingly larger call handling quotas on their customer service representatives. One representative at Experian explained that when she began working at Experian, they were required to handle 62 calls per day, but within a couple of years, the quotas had increased to 100 complaint calls per day, leaving them only an average of 3-4 minutes per call.7 The quotas are strictly enforced, and representatives can lose their jobs for failing to handle an adequate number of daily calls.8 It is obvious that, in this environment, CRAs are not able to adequately address complaints. For example, representatives are specifically told not to prolong calls by asking questions of the callers, which discourages customer service representatives from taking initiative when they try to resolve customer disputes.9 For example, the following excerpt from a deposition of a CRA customer service representative is telling:
Q. So the quicker they can get the consumer off the phone, the better, regardless if they help them or not?
A. Exactly. I've seen reps transfer [consumers] to the main number. I've seen reps tell them, you know, call back or send in your proof to us and we'll dispute it that way. I mean, the reps weren't all-not everyone was willing to help.10
Because subscribers provide income to CRAs but consumers only burden the CRAs, there is a bias in favor of subscribers. This bias fosters an anti-consumer culture within CRAs, which is indoctrinated into new customer service representatives early on. In particular, during training, customer service representatives are specifically taught to mistrust consumers.11 Moreover, one customer service representative explained that Experian's call center would block an individuals' number who called too many times.12
The pressures to reduce costs, and thus reduce service to consumers, are tremendous. For example, at one time, it was common for customer service representatives to resolve disputes by having conference calls between the consumers and subscriber. However, CRAs later began telling their representatives to do separate calls. Then finally, the CRAs began telling them not to call subscribers at all, as this was both time consuming and endangered upsetting the subscribers.13
CRAs should monitor furnishers and subscribers.
To some degree, CRAs act as conduits between subscribers, furnishers, and consumers. Because of this, they are in a particularly good position to monitor subscribers and furnishers. For example, CRAs could monitor subscribers so that they can see if there are a large number of fraud cases associated with a particular subscriber. Moreover, a CRA could monitor furnishers to see who might routinely report inaccurate information. However, not all CRAs keep these kinds of metrics. CSC Credit Services, for example, does not keep these metrics.14
Factors that lead to bad data quality: CRAs are concerned more with quantity than quality.
CRAs are more concerned with amassing a large quantity of information about an individual because this is what the subscribers demand. This practice compromises data quality. For example, when retrieving information about an individual, CRA algorithms are designed to discard minor differences that occur in identifiers, such as incorrect digits in a social security number. The presumption here is that it is better to gather more information and have it be wrong then to risk excluding information. The potential resulting problem is a mixed file, where CRAs combine information from different individuals into one file. Victims of mixed files find it extremely difficult to correct this problem.
Public records present a matching problem.
Sometimes, errors occur when CRAs incorrectly copy information from public records. CRAs generally rely on sub-vendors to supply them with information from public records. These public records usually do not have uniquely identifiable information, and as a result, CRAs may attribute incorrect information to individuals.
Consumers need changes to the system to ensure accuracy.
The Committee should hold CRAs to higher reinvestigation standards in order to improve accuracy in the reporting process. The FCRA should be amended to require CRAs and furnishers to "conduct a reasonable reinvestigation to determine whether the disputed information is incomplete, inaccurate or unverifiable."
We recommend that the Committee require parity in access to reports. If subscribers and consumers were held to similar standards in requesting reports, risk of mixed reports and identity theft would be reduced.
Further, we recommend that the Committee require that subscribers provide to consumers any reports they rely on in making an adverse determination.
Chris Jay Hoofnagle
1 Deposition of Vicky Thompson 39:12-16, 40:3 (on file with EPIC).
2 Mendoza v. Experian, No. 02-2465 (S.D. Tx. 2003)(Deposition of Janice Fogleman 0094:3-7).
3 15 U.S.C. 1681a(d).
4 Erin Shoudt, Comment. Identity Theft: Victims "Cry Out" for Reform, 52 Am. U. L. Rev. 339, 346-7 (2002)(citing Andrews v. Trans Union Corp., 7 F. Supp. 2d 1056 (C. D. Cal. 1998)).
5 Id. at 347.
6 Deposition of Vicky Thompson 56:23-57:1 (on file with EPIC).
7 Id. at 20:5-11.
8 Id. at 25:16-26:2.
9 Id. at 24, 16-8.
10 Id. at 71.
11 Id. at 26:3-19.
12 Id. at 46:24-47:11.
13 Id. at 21:21-22:09.
14 Mendoza v. Experian, No. 02-2465 (S.D. Tx. 2003)(Deposition of Janice Fogleman 0097:16-21, 0098:17-20).