Last year, Chris Hoofnagle, Senior Staff Attorney, Samuelson Law, Technology & Public Policy Clinic and Senior Fellow, Berkeley Center for Law and Technology, University of California-Berkeley Boalt Hall School of Law, published an article in the Harvard Journal of Law & Technology entitled "Identity Theft: Making the Known Unknowns Known." Essentially, Chris argues that we have little public information available on the extent of the problem of identity theft crimes against bank customers, either in the form of "new account fraud" (where an impostor opens an account in the victim's name) or "account takeover" (where an impostor uses an existing account, such as a credit card, to commit fraud). Although the FTC maintains information concerning reports by victims of identity theft, Chris argues that "financial institutions are in a better position [than victims of identity theft] to report information on identity theft."
Why, you might ask, is it necessary to have more detailed and accurate reports of this crime? Chris is glad that you asked.
First, it would identify the business practices most vulnerable to fraud. Second, it would help to identify the consumer protections that work and those that do not, and thus assist regulators and law enforcement agencies in allocating resources to combat the crime. Third, improved reporting would help focus public attention on the root causes of the crime. In particular, it could provide a potential counterpoint to the conclusions of some victim surveys that have relied on questionable assumptions and asserted that the fault for identity theft lies with the victims.
Finally, providing more accurate, institution-level statistics on identity theft would make the security of personal information a new product differentiator, similar to low interest rates and fee-free accounts. It would enable benchmarking of financial institutions using that factor so that consumers could tell which institutions have the highest and lowest rates of fraud. Assuming that the market is competitive, it is likely that lenders that provide the safest financial products would be rewarded with consumer loyalty. This rubric would also pressure institutions bearing the ignominious mark of having the most identity theft to adapt or to be driven from the marketplace.
Chris proposes that financial institutions be required to report three principal categories of information: (1) the number of identity theft incidents suffered or avoided; (2) the forms of identity theft attempted and the financial products targeted (e.g., mortgage loan or credit card); and (3) the amount of loss suffered or avoided.
Chris lays out a detailed argument as to why current data (including that gleaned from SARs, which is not public information in any event) is not sufficient, and why more detailed reporting by financial institutions would give regulators, law enforcement agencies and regulatory authorities a better picture of the extent of identity theft, which financial institutions appear to be more vulnerable to the crime, where bank regulatory and law enforcement efforts should be directed, and, finally, which institutions ought to be avoided by customers who are concerned about this form of crime.
I concede the validity of Chris's arguments that reporting by banks would provide more accurate data. However, I question whether consumers, as a practical reality, will alter their behavior based upon the results. I suspect that the entire issue of personal privacy is a lot like Mark Twain's observation about the weather: everyone talks about it and no one does anything about it. When I listen to speeches or read articles such as those by Professor Fred Cate of the Indiana University School of Law, that recount instances of consumers selling their personal information for Starbucks vouchers, I question whether consumers will really punish those banks that seem to be doing a poor job of meeting the challenge of identity theft.
On the other hand, I have no doubt that regulators would find a failure to take effective measures to prevent this crime to be an unsafe and unsound banking practice. Therefore, I think that more detailed reporting by banks to bank regulators (state and federal, as appropriate) would be beneficial. I'm certain that a nasty argument would break out as to whether national banks and federal thrifts should also report this information to state law enforcement authorities so that the Marc Danns and Andy Cuomos of the world can make political hay with it. Finally, I expect that skeptics of the current federal bank regulatory regime won't take much comfort in the prospect of relying on federal bank regulators to punish banks that are "guilty" of excessive identity theft. Many critics of the federal bank regulators will want a private right of action against banks, or at least a right of action by state attorneys general, in addition to federal enforcement.
I expect that banks, already burdened with BSA/Anti-Money Laundering reporting, and disillusioned with the apparent fruitlessness of much of the suspicious activity reporting that they currently make (recent federal regulatory protestations to the contrary notwithstanding), would fight hard against such detailed reporting requirements. Given the current credit crisis and the resulting pressure on capital and the bottom lines of many banks, the howls from the banking industry will be long and loud.
Chris also points out the difficulty of tracking "synthetic identity theft," which, we have previously noted, is becoming the identity theft crime of choice. I don't find a practical solution to the difficulties he presents, and I don't see an impetus on the part of financial institutions to voluntarily come up with such a solution. That will be a tough nut to crack.
I have a number of other issues, but lack the time at present to discuss them. I hope to get to them in future posts.
For those who might tend to brush off Chris's article as impractical "law professor posturing," they'll need to rethink any such out-of-hand dismissal. To force the hand of financial institutions, on February 26, 2008, Chris released a paper (download it here) entitled "Measuring Identity Theft at Top Banks." He used a FOIA request to the FTC to obtain data on identity theft reported by victims and, using that data, has compared the largest banks. He admits the problems with the data and with his methodologies, yet asserts that it's the best information available and an appropriate methodology to use in light of the lack of self-reporting by institutions. Among the biggest banks, HSBC, Bank of America and Wamu fare poorly, ING Bank very well.
I suppose that banks can try to ignore Professor Hoofnagle and hope that he goes away or is ignored. Then again, if gadflies like bloggers publicize his studies, and more mainstream publications pick up on the results, banks may find themselves forced to start reporting more information as a matter of self-defense. The "beauty part" of that result would be that Chris wouldn't have any skin in the game as to the accuracy or inaccuracy of his initial rankings using the limited information available. His ultimate goal is to force the acquisition and reporting of more accurate information so that more accurate rankings might be obtained. That being his goal, this opening salvo is quite a clever gambit.
UPDATE 03/11/08: An anal attentive commenter has pointed out the grievous error I made in incorrectly referring to the "Indiana University School of Law" as the "University of Indiana Law School." I have corrected this misnomer and beg the forgiveness of Hoosiers everywhere.