FACTA: Verifying All Addresses Would be Costly, Issuers Say

  Financial institutions are expressing consternation over proposed federal regulations that would require credit card issuers to establish specific procedures for resolving discrepancies between an address given by a card applicant or cardholder and the address credit bureaus have on record for that individual.
  The proposed regulations are part of a suite of so-called "red flag" rules intended to detect potential identity theft.
  Yet implementation of the rules would be excessively costly, time-consuming and often superfluous, according to banks, credit card companies and others that filed testimony with the Federal Trade Commission, one of several agencies named by Congress to finalize the rules and oversee the red flag program. Some issuers also have complained about a provision in the proposals that mandates that they reconcile differences in cardholders' addresses "for the duration of the customer relationship."
  One firm that helps companies detect and prevent identity theft, ID Insight Inc., calculates that resolving address discrepancies and other red flag issues as cited in the proposed regulations could triple card issuers' costs for manually reviewing applications. At the same time, the burden of implementing the rules likely would result in an increase in the number of applications rejected for noncreditworthy reasons, according to the St. Paul, Minn.-based company.
  Virtually all organizations involved acknowledge that address discrepancy is a major tip-off to potential identity theft. That is why Congress called for issuers to resolve such inconsistencies as part of the proposed Section 315 of the Fair and Accurate Credit Transactions Act.
  "Address discrepancy is a big red flag for possible identity theft," says Ted Dreyer, senior attorney with Wolters Kluwer Financial Services, a Minneapolis-based provider of compliance and technology services that helps companies manage risk and efficiency issues. "That was a big motivator for Congress passing Section 315."
  Most discrepancies are easily explainable-an applicant has moved or the credit bureau is slow in updating an address. Yet a small percentage, perhaps 1% or less, according to ID Insight, is the result of identity thieves attempting to create separate addresses from the rightful addresses of the victims whose identities have been stolen.
  Congress passed FACTA in 2003 and asked the FTC and other agencies to draw up rules to implement the act. But the process to finalize the rules for Section 315 and other red flag regulations has taken far longer than expected.
  Frank Dorman, an FTC spokesperson, says the antitrust agency expects to release red flag rules by the end of this year. But because the process has dragged on so long already and previous pronouncements of release dates have been missed, no one really is sure when the rules will be released.
  SOME FLEXIBILITY?
  The FTC asked interested parties to submit testimony on the proposed rules last year. Much of that testimony was critical of the proposals. Yet the FTC and other agencies, including the Office of Comptroller of the Currency, the Federal Deposit Insurance Corp., the Federal Reserve Board and the National Credit Union Administration, may have relatively little flexibility in amending the rules because Congress gave the agencies little leeway.
  However, when the FDIC board on Oct. 16 granted its approval of the red flag rules, including the proposed rule on address discrepancies, it provided issuers a little wiggle room. The board said identity-theft programs may be designed "appropriate to the size and complexity of the institution."
  The red flag rules become final only after the other agencies also approve them.
  Financial institutions submitting testimony to the FTC expressed concern that the new FACTA rules would require considerable work and expense on their part.
  Visa USA agrees.
  "Contrary to the agencies' apparent intent, the red flag rules could be interpreted to require complex and sophisticated new programs to combat identity theft," Russell W. Schrader, Visa senior vice president and assistant general counsel, wrote in testimony filed with the FTC. "Visa believes that such rules are unnecessary because financial institutions already have in place extensive and effective programs that identify identity theft."
  Visa contends the agencies should permit each card issuer to implement its own risk-based policies and procedures that allow the issuer to assess the validity of a change-of-address request. They can do so "through authentication of the person making the request and other means that are in accordance with the issuer's program," Schrader wrote.
  Some organizations have gone even further in attacking the rules, saying they actually would impede the efforts of card issuers to uncover potential identity theft.
  "We believe that the proposal runs a high risk of creating an artificial, stagnant, mandatory checklist regime that will not effectively advance the goals of detecting and preventing identity theft and fraud," the American Bankers Association testified. "Unless these shortcomings are addressed, the result will be a diversion of resources from effective detection, investigation and corrective action and will necessitate wasteful expenditure on burdensome, paperwork-laden compliance exercises."
  Adam Elliott, ID Insight president, says his company found that 20% of credit card applications that initially are approved on the basis of creditworthiness have address mismatches. That means that a credit bureau has a different address on record for the applicant than the address the applicant used on the application.
  Capital One Financial Corp. notified the commission that, of the millions of credit card applications it receives each month, "20% to 30% of its requests for bureau reports generated address discrepancies."
  The great majority of such address mismatches, according to Elliott, are the result of consumers moving from one location to another and the credit bureau being slow to update the new address in its records.
  "The burden on the credit bureaus is that they have to notify the issuer that there's an address discrepancy," he says. "Then it's incumbent upon the issuer to reconcile the difference. And that's the rub."
  ID Insight uses California as a model to help predict the impact of the FACTA Section 315 proposal on address discrepancies once the rule becomes effective. California and Illinois already have laws on the books that are similar to the red flag rule proposals.
  Typically, major card issuers review about 3% of applications across the United States to resolve potential fraud issues such as address discrepancies. But in California, says Elliott, issuers must review about 20% because that is the share of applications that entail address discrepancies that require resolution.
  That 20% figure probably will prevail once Section 315 goes into effect, according to Elliott. And with such major issuers as JPMorgan Chase & Co., Capital One and Target Corp. handling as many as 10 million applications annually, the cost would run into the tens millions of dollars in human-resource and logistic and equipment expenses to resolve the address variances, according to Elliott.
  Card issuers already have adopted their own procedures for verifying the identities of new customers to comply with the U.S.A. Patriot Act, but they were not specified in that law, according to Dreyer. Many companies use automated systems, in lieu of actual physical identification, that often rely on publicly available databases to validate the identities of prospective customers, he explains. Yet it is up to the issuers how they go about trying to resolve discrepancies and which ones they investigate or ignore.
  ISSUER REVENUE
  Elliott contends there is little financial incentive, without a government stick such as Section 315, for issuers to investigate all address discrepancies they learn of from the three major credit bureaus: Equifax, TransUnion and Experian. The average good credit card account, over its lifetime, earns a card issuer $100 in revenue, according to Elliott. At the same time, the average cost of identifying an address mismatch is $20, he says.
  Card issuers, therefore, want to approve as many applications as possible, according to Elliott. The cost of rectifying losses that result from the relatively small number of identity-theft cases that might have been detected by reconciling mismatching addresses is more than compensated for by the huge number of new accounts that are routinely approved, according to Elliott.
  "They're going to approve these accounts [for new credit cards] every time," says Elliott. "You can't blame them. The 1% of fraudulent accounts are more than made up for by the scores of new accounts and applications."
  REVIEW PROCESS
  Yet under Section 315 of FACTA, the issuers would have little choice but to review the address discrepancies they are sent by the credit bureaus. The discrepancy comes when the issuer sends an application to a bureau, and the bureau says it has a different address on record for the applicant than the one that accompanied the application.
  ID Insight and other companies offering identification-verification products are likely to benefit from the proposed address-discrepancy rules. Such providers, whose portfolios were created and expanded as a result of the Patriot Act, probably will see an increase in business once card issuers are required to boost their efforts to resolve address discrepancies and respond to other red flag issues that hint at identity theft.
  Yet issuers contend requiring them to abide by the proposed Section 315 address-resolution regulations could harm their ability to continue offering credit in the same manner as they have traditionally.
  "The additional burden imposed by the agencies' expansion of the statutory obligation is likely to be enormous," Christopher T. Curtis, Capital One's associate general counsel for policy affairs, said in testimony, "with potentially serious effects on the efficiency of the American lending industry's credit-granting and credit-management functions."
  Despite the financial institutions' complaints, however, there is little possibility that the rules will be altered sufficiently to alleviate all their concerns. "One way or another, it's going to become a little more difficult for card issuers," says Dreyer. "That's the circumstance they're in right now."
  Congress appears determined to force issuers to verify all of their cardholders' addresses. Card organizations, which contend the effort is overburdensome and unnecessary, therefore face paying more to comply with regulations designed to thwart identity theft.
  (c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com