Letter Comment Supporting Petition for Rulemaking to Amend Identity Theft Definitions in the Fair Credit Reporting Act (Regulation V)

October 4, 2024

The Honorable Rohit Chopra

Director, Consumer Financial Protection Bureau

1700 G Street, NW

Washington, DC, 20552

In re: Petition for Rulemaking to Amend Identity Theft Definitions in the Fair Credit Reporting Act (Regulation V)

Docket ID: CFPB-2024-0037

Dear Director Chopra,

The Electronic Privacy Information Center (EPIC)[1] submits these comments in support of the petition submitted by the National Consumer Law Center (NCLC) and the Center for Survivor Agency and Justice (CSAJ) requesting that the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) open a Fair Credit Reporting Act (FCRA) rulemaking to strengthen the definition of identity theft.[2]

EPIC has submitted several letters and comments to support the CFPB’s efforts to strengthen the FCRA, including our February 2023 coalition letter regarding credit header data,[3] our July 2023 comments in response to the Bureau’s Request for Information regarding data brokers,[4] and our September 2024 comments in respond to the Bureau’s Small Business Advisory Review Panel for Consumer Reporting Rulemaking Outline of Proposals and Alternatives Under Consideration.[5] EPIC has also fought for greater transparency and oversight with respect to how companies collect, use, and disseminate personal data[6] and stricter enforcement to safeguard the rights of consumers.[7]

We applaud the Bureau for its attention to the special vulnerabilities experienced by foster youth and victims of human trafficking,[8] and we urge the CFPB to consider how it might enact similar protections for survivors of domestic violence. We note that the Federal Communications Commission (FCC) has already issued findings recognizing the obstacles that individuals and families experiencing domestic violence face to achieving financial independence.[9] We also note that Congress, in enacting the Safe Connections Act, found that: “Survivors often lack meaningful support and options when establishing independence from an abuser, including barriers such as financial insecurity.”[10] Indeed, financial independence can be a precondition for physical safety in some circumstances.[11]

We further note that requiring survivors to engage third-party organizations to verify the trauma they experienced introduces serious equity issues, as those experiencing logistical, cultural, or psychological barriers to engaging service providers would be less likely to be verified, and often those from already-marginalized communities are most likely to experience those barriers.[12] Therefore, we urge the Bureau to permit a form of self-attestation, as NCLC and CSAJ advocate.[13] Regarding police reports specifically, we note that many incidents of domestic violence go unreported to law enforcement.[14] For that reason, the CFPB should absolutely not rely on police reports as the sole method for reporting identity theft. We recommend that the Bureau follow the U.S. Department of Housing and Urban Development’s lead in administering programs in a trauma-informed way.[15]

EPIC supports the entirety of the petition submitted by NCLC and CSAJ to the CFPB to open a rulemaking to modify the definition of “identity theft” within the FCRA. The petitioners’ recommended updates to the definition of “identity theft” would better protect vulnerable individuals and communities from exploitation. As the petition demonstrates, the current definition of “identity theft” in FCRA may not encompass situations in which someone obtains consent to use identifying information through coercion, threats of violence, fraud, or when the individual is unable to consent due to youth or incapacity. NCLC and CSAJ clearly show how their proposed changes to the definition of “identity theft” could reduce coerced debt. Their proposed changes could also limit harm to elders who are the victims of fraud, youth in foster care, people with cognitive disabilities, and other vulnerable populations. Broadening the definition of “identity theft” in this manner would better enable FCRA to protect especially vulnerable consumers from avoidable harm and economic abuse.

[1] EPIC is a public interest research center in Washington, D.C., established in 1994 to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. See About Us, EPIC, https://epic.org/about/ (2024). EPIC has long advocated for privacy rights and robust safeguards to protect consumers. EPIC has previously called on the CFPB to strengthen its Fair Credit Reporting Act (FCRA) regulations, including provisions that would ensure personal data can only be collected, used, or disclosed as necessary to fulfill purposes consistent with the reasonable expectations of consumers. See, e.g., EPIC, Comments on CFPB Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16,951 (Jul. 14, 2023); cf. Consumer Reps. & EPIC, How the FTC Can Mandate Data Minimization Through a Section 5 Unfairness Rulemaking (2022), https://epic.org/wp-content/uploads/2022/01/CR_Epic_FTCDataMinimization_012522_VF.pdf.

[2] NCLC & CSAJ, Petition for Rulemaking to Amend Identity Theft Definitions in the Fair Credit Reporting Act (Regulation V), CFPB-2024-0037, https://www.regulations.gov/document/CFPB-2024-0037-0001. 

[3] Coalition Letter to CFPB Requesting Broad Consumer Financial Market Correction, Beginning with an Advisory Opinion Regarding Credit Header Data (Feb. 8, 2023), https://epic.org/wp-content/uploads/2023/02/2023-02-08-Coalition-Letter-to-CFPB.pdf.

[4] EPIC, Comments on CFPB Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16,951 (Jul. 14, 2023).

[5] EPIC, Comments on CFPB Small Business Advisory Review Panel for Consumer Reporting Rulemaking Outline of Proposals and Alternatives Under Consideration, (Oct. 30, 2023).

[6] See, e.g., Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors: Hearing Before the H. Comm. on House Admin., 117th Cong. 53 (2022), https://epic.org/documents/hearing-on-big-data-privacy-risks-and-needed-reforms-in-the-public-and-private-sectors/ (statement of Caitriona Fitzgerald, Deputy Director, EPIC); EPIC, Comments on CFPB Inquiry into Big Tech Payment Platforms, 86 Fed. Reg. 61,182 (Dec. 21, 2021), https://epic.org/documents/epic-comments-on-cfpb-inquiry-into-big-tech-payment-platforms/.   

[7] See, e.g., EPIC, Comments on CFPB Request for Information on the Equal Credit Opportunity Act and Regulation B, 85 Fed. Reg. 46600 (Oct. 2, 2020), https://epic.org/wp-content/uploads/apa/comments/EPIC-CFPB-Oct2020-AI-ML.pdf. 

[8] See, e.g., CFPB Helps Survivors Mitigate the Financial Consequences of Human Trafficking, CFPB (Jun. 23, 2022), https://www.consumerfinance.gov/about-us/newsroom/cfpb-helps-survivors-mitigate-the-financial-consequences-of-human-trafficking/; CFPB Releases Tools to Protect Foster Care Children from Credit Reporting Problems, CFPB (May 1, 2014), https://www.consumerfinance.gov/about-us/newsroom/cfpb-releases-tools-to-protect-foster-care-children-from-credit-reporting-errors/. 

[9] See, e.g., Report and Order, In the Matter of Supporting Survivors of Domestic and Sexual Violence, Lifeline and Link Up Reform Modernization, and Affordable Connectivity Program, FCC, Docket No. 22-238, 11-42, and 21-450 (Nov. 16, 2023), https://docs.fcc.gov/public/attachments/FCC-23-96A1.pdf at para 2 (noting that “[d]omestic violence remains a significant safety and public health issue that results in individual harm and societal costs” and citing statistics regarding its prevalence); id at para 3 (noting that “[p]ersonal safety and economic security are often closely tied for survivors” and that “53% [of survivors reported having] lost at least one job as a result of the abuse”).

[10] Safe Connections Act of 2022, H.R. 7132, 117th Cong. § 3(2) (2022), https://www.congress.gov/bill/117th-congress/house-bill/7132/text). The Safe Connections Act was targeted towards helping survivors of domestic and sexual violence separate from group phone plans and be able to call hotlines or shelters without alerting their abuser, but Congress’s findings regarding financial independence also applies in the context of abusers controlling intended victims through coerced debt.

[11] See, e.g., Shaina Goodman, The Difference Between Surviving and Not Surviving: Public Benefits Programs and Domestic and Sexual Violence Victims’ Economic Security, National Resource Center for Domestic Violence (NRCDV) at 7 (Jan. 2018), https://vawnet.org/sites/default/files/assets/files/2018-10/NRCDV-TheDifferenceBetweenSurvivingandNotSurviving-UpdatedOct2018_0.pdf, (“Often abusers use financial means to control their victims; many who flee abusive relationships do not have access to money of their own. This is a MAJOR reason why people, especially people with children, do not leave. Having access to receipt of benefits allows people who flee to pick up their lives faster, and feel safer faster.”).

[12] See, e.g., EPIC, Comments to In the Matter of Supporting Survivors of Domestic and Sexual Violence, Docket No. 22-238, 11-42, and 21-450 (Apr. 12, 2023), https://epic.org/documents/in-the-matter-of-supporting-survivors-of-domestic-and-sexual-violence-nprm/ at 8-9 (“Self-certification is preferable to third-party certification, which imposes barriers for survivors. Many survivors never actually seek services. This includes but is not limited to LGBTQ+, indigenous, immigrant, Asian-American, Jewish, and male survivors, as well as survivors experiencing financial insecurity. Survivors in rural areas may need to traverse three times the distance to reach the nearest supportive services program. Requiring third-party certification would predictably result in inequitable access to the Commission’s programs.”); id. at fns. 42-49 (citing to multiple journal articles). See also Reagan Greenberg, The “Particular Social Group” Requirement: How the Asylum Process is Consistently Failing LGB Applicants and How an Evidentiary Standard of “Self-Attestation” Can Remedy These Failures, 17 U. Md. L. J. of Race, Relig., Gender, and Class 147 (2017), available at: https://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi?article=1283&context=rrgc (noting importance of self-attestation for equity in the asylum process for marginalized groups, especially for queer people). Greenberg’s work is in the asylum-seeking context, but the same rationale applies here.

[13] See, e.g., NCLC & CSAJ, Petition for Rulemaking to Amend Identity Thefit Definitions in the Fair Credit Reporting Act (Regulation V), CFPB-2024-0037, https://www.regulations.gov/document/CFPB-2024-0037-0001 at 8. We agree that it is merely a clarification and not a re-interpretation to note that an FTC report “constitutes an official, valid report filed with an appropriate federal law enforcement agency under the FCRA and is sufficient to prove that a consumer is a victim of identity theft.” 

[14] The Bureau of Justice Statistics estimates that fewer than 54% of incidents of domestic violence were reported to law enforcement in 2022. https://bjs.ojp.gov/document/cv22.pdf at 6, Table 4. This represents an increase from 49% in 2021, see id., less than 42% in 2020, see Morgan, R. and Thompson, A., Criminal Victimization, 2020, Bureau of Justice Statistics, Office of Justice Programs, U.S. Department of Justice at 7, Table 4, https://bjs.ojp.gov/sites/g/files/xyckuh236/files/media/document/cv20.pdf, and less than 53% in 2019, see id.. Field staff estimate closer to 80% of incidents go unreported. See The Difference Between Surviving and Not Surviving, supra note 3, at 31 (“Victims are usually required to provide extensive documentation of their victimization. This can be problematic, as an estimated 80% of sexual violence and domestic violence incidents go unreported, for many reasons. Therefore, victims that choose not to report the violence to the legal system are at risk of not receiving benefits.”).

[15] See, e.g., HUD Expands Housing Protections for Survivors of Violence, HUD Archives: News Releases (Oct. 24, 2016), available at https://archives.hud.gov/news/2016/pr16-159.cfm; Violence Against Women Act (VAWA) Resources for Multifamily Assisted Housing, https://www.hud.gov/program_offices/housing/mfh/violence_against_women_act (last accessed Aug. 17, 2022) (see form 5382). This also applies at the state/local level where implementation of federal programs occur. See, e.g., Christine Joseph, Good Cause Waivers Can Help Protect DV Survivors with Child Support Cases, Making Justice Real: The Official Blog of the Legal Aid Society of the District of Columbia (Oct. 18, 2021), https://www.makingjusticereal.org/good-cause-waivers-can-help-protect-dv-survivors-with-child-support-cases. We encourage the CFPB to reach out to the Director on Gender-based Violence Prevention and Equity at the U.S. Department of Housing and Urban Development. Alternatively, or additionally, the Bureau could reach out to the Executive Office of the President, which has established a task force to address online harassment and abuse, with a particular emphasis on tech-facilitated gender-based violence. See Statements and Releases, Fact Sheet: Presidential Memorandum Establishing the White House Task Force to Address Online Harassment and Abuse, White House Briefing Room (June 16, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/06/16/fact-sheet-presidential-memorandum-establishing-the-white-house-task-force-to-address-online-harassment-and-abuse/.