Posted on | April 8, 2008 | 1 comment
Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co.
Rife with Inaccuracies (Pages 88-94)
Lending is the art of hedging your bets. The basic model for doing it profitably is simple. Whenever possible, make loans only to borrowers of good repute likely to repay you as agreed, with reasonable interest. Should you choose to lend to folks who might be late with a payment-or worse, default on the loan-simply charge a higher interest rate to reflect your increased risk.
The art comes in differentiating reliable borrowers from risky ones; in short, profiling. When it comes to profiling prospective borrowers, lenders have a key accomplice: the big three credit bureaus, Equifax, Experian, and TransUnion. The big three comprise a singularly powerful and essential component of our built-for-speed credit-issuing and payments system. Together these giant data-handling companies keep close track of every loan, every installment payment, every credit application for every consumer. Each bureau maintains more than 210 million files and updates more than 4 billion pieces of data each month.
This intelligence is distilled down to individual credit reports, which form the basis for calculating interest rates and dictating repayment terms for all forms of consumer credit: bank loans, credit card accounts, auto loans, mortgages, stock portfolio margin loans-you name it. What’s more, insurance companies use credit reports to determine one’s policy premiums, landlords use them to decide whether to rent to someone, and employers sometimes use them to determine whether to hire a potential employee.
To consumers, credit reports loom as a cornerstone of financial life. Over a lifetime, your credit report will determine how much you’ll pay in interest rates and insurance premiums and could factor into where you are able to live and whether you qualify for certain jobs.
To lenders-banks, credit card companies, mortgage brokers, and others-credit reports are the magic profiling tool that enable them to hedge their bets and push out fresh credit very rapidly on a mass-market scale.
To the big three, credit reports are like flakes of gold. Each credit report issued brings in revenue ranging from 50 cents (as when delivered in bulk to large banks) to $15 (as when a report is sold to an individual consumer.) Experian reported revenues of $3.1 billion in the year 2006, Equifax reported $1.6 billion, and Hoover’s Company Reports estimated private TransUnion’s revenues at $1.2 billion.
The trouble is that credit reports are typically rife with inaccuracies. It turns out that the computer-to-computer exchange among the credit bureaus, keepers of payment behavior data, and lenders, who assign rates and terms based on that information, is quick to incorporate errors and yet highly resistant to correction.
“The goal is to try to deliver as many credit reports to lenders as possible and this requires a largely automated file identification and delivery system,” says John Ulzheimer, president of Credit.com Educational Services, which advises consumers on credit management. Ulzheimer is also a former Equifax and Fair Isaac customer service manager.
Once the credit bureaus’ automated systems add erroneous data to an individual’s credit history, it can be next to impossible to clear the inaccuracies. A 2005 survey by the U.S. Public Interest Research Group (PIRG) found that a whopping 79 percent of credit reports contained errors, and 25 percent contained mistakes serious enough to prevent the individual from obtaining credit.
The PIRG survey stands out among myriad surveys and anecdotes confirming how routinely strangers’ names, wrong addresses, payment history falsehoods, erroneous judgments, and even aberrant Social Security numbers get molded into credit reports.
Yet any consumer who attempts to get errors corrected is in for an Alice in Wonderland experience. Perseverance is a must, and a satisfactory resolution often requires assistance from the cottage industry of credit repair consultants and lawyers expert at bringing Fair Credit Reporting Act (FCRA) lawsuits against the big three. “Basically you’ve got to get a lawyer and hit them between the eyes with a two by four to get their attention,” says Richard Feferman, an Albuquerque, New Mexico-based attorney, who represents plaintiffs in FCRA lawsuits.
The bureaus typically respond to complaints by reducing each one to a two-digit code forwarded in a document called a CDV, or consumer dispute verification, to the lender. Often the CDV gets routed through a series of intermediaries working in sweatshops in third world countries. One such employee testified that the bureau she worked for received up to 8,000 CDVs per day and that each worker was required to handle one dispute every four minutes to meet quotas, says Anthony Rodriguez, staff attorney for the National Consumer Law Center.
In a 2006 FCRA lawsuit filed in New Mexico by Feferman, U.S. District Court Judge M. Christina Armijo ruled that “a rational factfinder could conclude that Equifax knew that the pointless repetition of the cursory CDV procedure by its various agents and contractors was not going to resolve Plaintiff’s dispute in a timely manner and only served to delay the matter until Plaintiff tired of the process or proceeded to litigation.”
Lenders typically respond to a CDV by referencing the document containing the error in question, and going no further, says Blair Drazic, a St. Louis-based FCRA attorney “When you apply for a loan, there’s supposed to be a paper with your name on it. They never have that. They’ll say you’re in our files as owing it [the disputed loan balance], and the investigation consists of checking the same computer that reported you to start with,” says Drazic.
Testifying before Congress in 2003, Rodriguez, the National Consumer Law Center attorney, delineated the economic incentive to perpetuate errors: “So long as the mistakes about consumers generally make the consumers appear to be a worse credit risk than they really are, rather than better, the credit industry has no incentive to improve the system, especially where the current system covers additional risk by charging more for riskier borrowers wrongfully identified as being a greater risk by the credit reporting system.”
Stuart Pratt, president and CEO of the Consumer Data Industry Association, the powerful lobbying group that represents the credit bureaus, says CDVs make the process more convenient for consumers because they can report problems at any time of the day or night. Pratt notes that under federal law, consumers who are unable to resolve errors can ask the credit bureau to include a statement about the dispute in their file. But such dispute letters are widely disregarded by lenders.
“This is all designed to save them [credit bureaus] money,” says Feferman. “They just don’t have the will to fix errors. They get the same amount for a credit report whether the credit report is accurate or not, and the costs of investigations are a drag on profits.”
Pratt insists mistakes are rare. He contends the greater good is compelling. After all, an automated, wide-ranging credit-approval system perfectly complements a card-based payments system that can process transactions in as little as 1.4 seconds. And this acceleration has been crucial to expanding consumers’ buying power. Meanwhile, revolving and nonrevolving household debt climbed 580 percent to $2.4 trillion by 2007, up from $352 billion in 1980, while the median household income of young families rose just .08 percent to $45,485 over roughly the same period, according to the Federal Reserve and U.S. Census Bureau.
That ability to extend credit to virtually everyone from teenagers to first-time business owners to any consumer desiring a new SUV or high-definition television, Pratt argues, far outweighs what he characterizes as comparatively minor glitches in the system. “Credit has been democratized,” says Pratt. “Credit has facilitated economic growth in this country and it has saved consumer money on an individual basis.” Pratt makes such statements with a practiced earnestness honed during years of defending the status quo in the halls of Congress.
But what Pratt won’t ever volunteer in public discourse is that no law or decree ever gave the credit bureaus exclusive rights to handle credit records. The bureaus simply grabbed that power. And the imperfect data-handling systems the bureaus have put in place makes no profit offering transparency to individual consumers. The credit bureaus’ data-handling systems have proved to be supremely efficient and productive at a singular task: keeping our credit-issuing and card-based payments system running full tilt.
Among those who most appreciate our credit-issuing and payments system, as is, are the identity thieves who fully grasp its weaknesses. One such rogue put Matthew and Lisa Kirkpatrick, of Portland, Oregon, through five years of hell. In February 2001, the Kirkpatricks were getting desperate because they couldn’t get a loan to finish a remodeling project to make room for their third child, who was on the way. The loan should have been a slam dunk. After all, Matthew earned a good living as a union carpenter, and the couple had always maintained a credit score of around 750, good enough to get favorable loan rates and terms.
But a couple of years earlier, a scam artist in Coeur d’Alene, Idaho, had started probing soft membranes in the credit-issuing system. Somehow the crook had gotten hold of-and renewed-Kirkpatrick’s Washington state driver’s license, though Matthew hadn’t lived in Washington for a dozen years. He also somehow obtained Kirkpatrick’s Social Security number. With those two items, the crook had all he needed to go on a low-tech crime spree.
On the Friday before the 2000 Super Bowl, the imposter opened a Wells Fargo banking account in Spokane, Washington, depositing a bad check for $5,000. Two days later, on Super Bowl Sunday, he went on a shopping spree writing checks for up to $2,000 at various Spokane retailers. When the store clerks called to verify sufficient funds to cover the check, the automated systems showed a $5,000 balance. After the checks bounced the following week, a dozen merchants were looking for Matthew Kirkpatrick to make good.
The thief wasn’t done. Over the next several months, he used Kirkpatrick’s data to open a series of cell phone accounts and obtained credit cards, which he used to stay in hotels and go on shopping sprees. He also made several trips to hospital outpatient clinics across Washington seeking treatment-and medication-for ear aches, back aches, and joint pain. None of the bills ever got paid, and each one eventually got turned over to collections. A lot of creditors were looking for Matthew Kirkpatrick.
Kirkpatrick first got wind in early 2000 that a small army of collections agents was hunting for him. He knew there had been some kind of horrible mistake, but believed the mix-up was easily correctable. In a positive frame of mind, he immediately set out to definitively prove that he was the victim of fraud.
He compiled a package of documents with police reports, letters from lenders stating he was not at fault, a copy of his signed Social Security card, a copy of his Oregon driver’s license, and a detailed cover letter summarizing the circumstances. He mailed it to Equifax in February 2001. He resent another copy of the package in March, in April, and twice more after that, the last time by registered mail, return receipt both requested and received. Each time, Equifax representatives refused to confirm receipt of the documents, much less advise Kirkpatrick of the status of his corrupted files.
“We were living in this construction zone with a new baby and growing family for two and half years,” recalls Kirkpatrick. “It was very stressful calling Equifax and saying, Ã¢â‚¬ËœWhat happened to all the police reports and all the documents I sent you?’ and them saying, Ã¢â‚¬ËœWe shredded them. We didn’t get them. We get a thousand of these every day.’
“It was stressful knowing they had this power over me and my family. And their business decision was that it was cheaper for them to deal with you in litigation, if you end up being stubborn enough to take it that far.”
The Kirkpatricks did get their day in court in January 2005. They were awarded $210,000. As he has done numerous times, Mike Baxter, the Kirkpatricks’ attorney, directed the jury’s attention to provision 1681 I(a)(2)(B) of the Fair Credit Reporting Act, which requires credit bureaus to promptly forward documentation of a dispute to the lender. That federal rule was one of the hard-won proconsumer protections hashed out in congressional subcommittee meetings between industry lobbyists and privacy advocates. It was intended to spur a process by which the creditor is compelled to evaluate the validity of dispute in a timely manner.
However, Baxter and other FCRA attorneys say the credit bureaus and lenders have long since established a practice of dispatching dispute documents into limbo. “I have never seen a credit bureau send supporting documents to the creditor; in fifteen years, I can’t recall a single instance,” says Baxter. “They never send those documents because it’s more profitable for them to not follow the law, than it is to actually follow the law, as far as I’m concerned.”
Sweeping Immunity (pages 98-102)
Credit bureaus began humbly enough more than 100 years ago. Brothers Cator and Guy Woolford launched Retail Credit Company in Atlanta in 1899 by publishing the Merchant’s Guide for a $25 annual subscription. The Woolfords gained intelligence on prospective borrowers by sending out inquisitive Welcome Wagon women with baskets of goodies-and keen powers of observation. Retail Credit endured, grew, and evolved into Equifax.
Homegrown credit bureaus proliferated steadily through the first half of the twentieth century; their number spiked in the 1950s with Frank McNamara’s introduction of the Diners Club card and Bank of America’s launch of the BankAmericard. By 1970 the number of credit bureaus in the United States peaked at more than 2,200.
As the financial industry began to apply digital technology to speed up and extend card-based payments, consolidation of the credit bureau industry became inevitable. The process of compiling credit reports needed to be centralized and accelerated to keep pace with the rising distribution of credit cards. By the end of the 1980s, five giant credit bureaus dominated the space, and by 1997 the big three controlled 90 percent of the market.
Experian emerged from the maneuvering of conglomerates TRW and Chilton Corporation and was acquired by Grand Universal Stores of the United Kingdom. Meanwhile, the credit bureau division of TransUnion, a onetime rail car- and equipment-leasing giant, landed in the portfolio of the Marmon Group, a private conglomerate that includes the Hyatt Hotel chain and is run by the Pritzkers of Chicago, one of America’s wealthiest families.
As this consolidation played out, leaders of the credit bureau industry were mindful to defuse rising concerns about inaccuracies and misleading data increasingly turning up in credit reports. In the late 1960s, Senator William Proxmire (D-WI) stepped forward as a vocal advocate for consumer privacy protection. However, in championing the Fair Credit Reporting Act of 1970, Proxmire got outmaneuvered by proindustry senators.
What began as a proconsumer proposal got twisted into a law so probusiness that one observer, Professor Arthur Miller, of the University of Michigan, described the final version as “an act to protect and immunize the credit bureaus rather than an act to protect the individual who has been abused by the credit information flow created by the bureaus.”
The FCRA of 1970 required credit bureaus to investigate complaints within a “reasonable” period of time but set no limits. It remained silent on whether lenders had a duty to supply accurate information to the bureaus. And the coup de grace for industry: it granted credit bureaus and lenders sweeping immunity from state defamation laws by which consumers could seek legal redress for bad data getting integrated into their credit histories. This represented a 180-degree divergence from Proxmire’s original intent to create federal liability while preserving state liability, says Evan Hendricks, editor and publisher of the newsletter Privacy Times and author of Credit Scores & Credit Reports: How the System Really Works, and What You Can Do.
For the next two decades, complaints about inaccuracies and the recalcitrance of bureaus and lenders to fix errors predictably mounted. Crooks figured out how to manipulate the system, and identity theft became a rising concern. By the late 1980s, consumer groups and privacy advocates began to clamor for reform. In the early 1990s attorneys general from some nineteen states won a court injunction mandating that credit bureaus improve accuracy and do a better job of investigating complaints.
Meanwhile, in the nation’s capitol, Congress, after several years of debate, finally strengthened the federal rules. Amendments to the FCRA that took effect in 1997 required credit bureaus and lenders to investigate consumer complaints within thirty days and make full credit reports available to consumers. Yet the savvy credit bureau lobbyists didn’t come away empty-handed. They scored a valued prize: preemption of state requirements calling for the meticulous handling of credit data and responsiveness to consumers’ complaints. The preemption was set to expire in 2004.
“Industry lobbyists claimed it would be too expensive to deal with fifty different state laws, but actually, most states pass very similar laws and the easiest and cheapest way to comply is to comply nationwide with the strongest one,” says Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group.
With the states’ preemption about to expire in 2003, the horse trading between lawmakers siding with privacy advocates and those lending a friendly ear to industry began anew. When the dust settled, the credit bureaus took home the trophy they most coveted: extension of the preemption that cut off states from setting data-handling rules. Consumers’ consolation prize: one free credit report per year from each of the big three bureaus.
The bureaus would soon figure out how to turn this seemingly trivial concession into a fresh source of profits. But what they did not see coming was the impact of provisions that allowed states to enact rules to mitigate identity theft. The battle lines in 2006 and 2007 would be drawn over data-breach notification laws, requiring companies to notify consumers if sensitive data is lost or stolen, and credit freeze laws that empower consumers to ban the bureaus from compiling and issuing a credit report without the consumer’s consent.
“The real reason industry doesn’t want states to protect consumers is because the states are quicker and more responsive than the Congress in passing tough laws, and more immune to their lobbying and donation excesses,” says Mierzwinski. “By the time Congress took its first identity theft baby steps in 2003, California had already invented the security [credit] freeze and seven other states had given consumers the right to a free credit report.”
As this wrangling over regulation unfolded, the credit bureaus continued issuing credit reports using essentially the same processes honed in the 1970s. The bureaus jealously guard details about how this process works. TransUnion spokesman Steve Katz cites the danger of divulging “an unintentional instruction manual” for crooks.
But criminals long ago triangulated how the bureaus verify the identities of loan applicants and decide which records to pull into a credit report. And they’ve devised countless scams that take advantage of the system’s propensity to readily accept and amalgamate close-enough data.
A prospective borrower filling out an online loan application can submit less than nine correct digits of Social Security number and just three matching letters of the first name of someone of good credit standing. Often that’s often enough to trigger the delivery of a credit report and subsequent approval for a new cell phone account or credit card, says David Szwak, a Shreveport, Louisiana-based FCRA attorney.
“The three letters of the first name don’t even have to be in the same order or sequence. Marsha and Mark would be the same person; David and Diana would be the same, as far as the credit bureaus are concerned,” says Szwak. Last-name matches aren’t necessary, he says.
One of Szwak’s clients, Cynthia Comeaux, a native of Laplace, Louisiana, now living in Dallas, had her credit history deeply entangled with that of Cindy Carr, a military wife, living in New Orleans. “Their Socials were within 7 of 9 digits, and both of them had a C and I and N in their first names, though not in the same order,” says Szwak. “They were repeatedly blended together for years; Experian never could get it unwound, had no desire to unwind it; the other two bureaus eventually fixed it.”
The bureaus also ignore the applicant’s date of birth and employment history; this makes it easy for thieves to create fraudulent new accounts by submitting a slightly tweaked name and Social Security number-or even using a dead person’s or juvenile’s personal data. Since the bureaus also accept any address submitted by a loan applicant, a crook can easily divert delivery of credit cards and billing statements into his or her own hands, says Szwak.
Perhaps most galling to consultants and attorneys who help consumers correct errors in their credit records is the fact that when a consumer requests a copy of his or her own credit report, the bureaus suddenly become sticklers for accuracy. The bureaus supply consumers with a report that includes only those loan and payment records with a perfect match of name, address, Social Security number, and date of birth, disregarding potentially fraudulent records with any of these items awry.
“When you order your own credit report, it may not contain derogatory information from someone with a similar name or Social Security number, but that data would appear on the credit report the bank or mortgage company orders, which is a huge problem,” says Mike Baxter, a Portland, Oregon-based FCRA attorney.
Consumers who go to court to get the bureaus to correct errors occasionally get big awards. Baxter was cocounsel for Judy Thomas, of Klamath Falls, Oregon, who spent six years trying to get TransUnion to correct her credit history. In 2003, a Portland, Oregon, jury ordered TransUnion to pay Thomas $5.3 million, but a federal judge later reduced the award to $1 million.
Most successful lawsuits bring only modest awards, and the vast majority of cases settle out of court for less than $25,000. Thanks to the skills of manipulative lobbyists, kid-glove treatment from regulators, and the absence of a unified constituency of aggrieved consumers, the credit bureaus remain insulated and haven’t had to change their practices much over the past three decades, says Hendricks, of Privacy Times. Nobody ever died from an error-riddled credit report. In fact, damages to consumers, such as losing sleep over credit history errors or having to pay higher interest rates, are difficult to quantify, much less prove in court.
“They’ve never been hit with tobacco-sized litigations, and the Federal Trade Commission has been very soft on the credit reporting agencies, especially in recent years,” says Hendricks. “They’ve been able to contain it all, and just write it all off as a cost of doing business as usual.”