As you may have read, I recently lost my wallet. There's a good chance it was stolen. Inside my wallet were my driver license, several credit cards and, unfortunately, my social security card, which was only in my wallet because I was starting a new job the next morning and would need it to prove my citizenship.
Naturally, the first thing I did was call my banks and cancel my credit cards. I then used Debix to file a fraud alert with all three credit reporting agencies.
Last week I got a letter purporting to be from Equifax informing me that they would not place a fraud alert on my account until I sent them copies of several additional documents proving my identity and current address. There are a few problems with this:
- I have no way of knowing if the letter is actually from Equifax. Anyone who knows that I lost my wallet could also have guessed that I would file a fraud alert, and could have sent this letter in an attempt to trick me into giving them sensitive information. It's unlikely, but it's a possibility.
- The letter insists that I send proof of my current address, but the address it lists is actually my previous address, since I just moved. I can't prove that I live at my previous address, because I don't live there anymore, and if I provide proof of my current address, Equifax won't accept it because they don't know my current address.
- I have already provided Equifax, via Debix, with my full name, social security number, date of birth, and my past few addresses. This is more than enough information for them to positively identify me.
According to the Fair Credit Reporting Act, Equifax seems to be on shaky ground here:
§ 605A. Identity theft prevention; fraud alerts and active duty alerts [15 U.S.C. §1681c-1]
(a) One-call Fraud Alerts
(1) Initial alerts. Upon the direct request of a consumer, or an individual acting on behalf of or as a personal representative of a consumer, who asserts in good faith a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft, a consumer reporting agency described in section 603(p) that maintains a file on the consumer and has received appropriate proof of the identity of the requester shall--
(A) include a fraud alert in the file of that consumer, and also provide that alert along with any credit score generated in using that file, for a period of not less than 90 days, beginning on the date of such request, unless the consumer or such representative requests that such fraud alert be removed before the end of such period, and the agency has received appropriate proof of the identity of the requester for such purpose; and
(B) refer the information regarding the fraud alert under this paragraph to each of the other consumer reporting agencies described in section 603(p), in accordance with procedures developed under section 621(f).
When Debix contacted Equifax, they were acting on my behalf, they asserted in good faith that I had a suspicion that I would become a victim of fraud, and they provided Equifax with more than enough identifying information for Equifax to positively identify my credit record.
Unfortunately, the FCRA doesn't actually define what constitutes appropriate proof of identity. However, since the other two credit agencies accepted my filing and activated fraud alerts, that would seem to imply that they thought I provided enough proof.
Why are Equifax's requirements more stringent? How does this protect consumers in any way? Their strictness doesn't provide any additional protection for consumers. What kind of identity thief would actually want to activate a fraud alert? And even if they did, what good would it do them?
The identity thief would get a phone call the next time I tried to open a line of credit and they would be able to allow or deny the creation of that account. If they allowed it, they'd derive no additional benefit (since they already have my identity). If they denied it, I would instantly know that something was wrong and could contact the credit agency to get things sorted out.
The only thing Equifax's refusal does is cause me more inconvenience and increase the risk that an identity thief will be able to get away with committing fraud using my identity while I'm trying to figure out how I can possibly give Equifax more proof than I already have.